Risk Managers’ Forum
By Kyle Drawdy, CIC, ARM
FIGHTING THE RISK CULTURE “CREEP”: IS YOUR CLIENT’S ERM BECOMING A TRM?
Actions to take if your client’s ERM is trending back toward traditional viewpoints
Enterprise risk management (ERM) is a buzzword/concept that has become popular over the last 10 to 15 years and is generally considered to be the most effective way to manage risk. Organizations of all sizes have used ERM to define their risk culture. Risk managers integrate ERM into their titles, and companies specify knowledge of ERM as a requirement in the risk manager’s position description. It is even possible to earn a designation in ERM.
When your clients integrated ERM into their operations, chances are they experienced some challenges along the way.
It is important for your clients to remember why they implemented ERM and to appreciate its advantages compared to a traditional risk management (TRM) program. TRM is focused on a functional, siloed view of risk that typically deals with the pure aspects of risk management (chance of loss or no loss, no chance of gain). The risk management department in a TRM environment is responsible for “hazard” exposures and relies heavily on transfer (insurance) as a control technique. Conversely, the ERM environment provides a cross-functional view of risks that affect all areas of the organization. ERM embraces speculative risks (chance of loss or no loss, or chance of gain) such as potential disruptors and can provide invaluable insight when management is setting business objectives.
A true ERM program is not static; it is constantly evolving and needs to be reviewed regularly.
ERM programs originally were instituted with the objective of revolutionizing the way risk is viewed in the organization and to leverage risk so that corporate strategic and operational objectives can be fulfilled. In some instances ERM is a requirement of a contract or a credit/bond rating. Your client’s organization might refer to ERM as holistic, integrated, or strategic risk management.
Regardless of the name, the enterprise approach to handling risk is implemented for one or more of these reasons:
- Identifying threats and opportunities related to an organization’s strategic plan
- Linking an organization’s business, operational, and strategic objectives
- Providing a common language for communicating about risks and opportunities
- Allowing for the use of performance metrics to improve decision making
- Safeguarding the organization’s brand and reputation
- Capitalizing on opportunities to increase shareholder value
One of the greatest strengths of an ERM program is the diversity it brings to the identification, financing, and control stages of the risk management process. Each department and employee that participates in the process brings a different view of risk to the table and is directly responsible for the success of the overall program.
It can take months if not years to set up an effective ERM program and only a few key moments for it to turn back into a familiar TRM program. Your client may notice that the risk advisory committee is meeting less frequently or has stopped meeting entirely. Have risk management decisions become the sole responsibility of the risk manager? Does the risk management department find out about new products or services after they have already been approved by the board of directors or chief executive officer? Did an accident or incident arise from an exposure of which the risk manager was unaware? If your client answers yes to any of those questions, its ERM program might be slipping back into a TRM modality.
Several factors can cause an ERM program to break down and start to creep back into a TRM mindset. The first is simply time; organizations shift their priorities, and the ERM philosophy may no longer be one of them. This unwanted shift also may be the result of employee turnover and new leadership that has not been introduced to the ERM risk management culture and the importance of managing risk throughout the organization. A new director, or even a resistant current one, might not be open to a cross-functional communication process that exposes possible flaws or risks in his or her department.
Complacency is another reason; leadership might believe that once the program framework is established and implemented, it is no longer necessary to repeat any part of the process. They lose sight of the long-term goals of ERM and do not take into account emerging risks and changes in the internal and external organizational environment. A true ERM program is not static; it is constantly evolving and needs to be reviewed regularly.
Sometimes expectations for what an ERM program is—and more important what it is not—were poorly expressed or managed incorrectly during the design and implementation stages. ERM can highlight risks and opportunities, but it does not eliminate all risk. Simply appointing a chief risk officer is not enough; ERM must be applied at every level of the organization. Remember, under the ERM approach, Everyone is a Risk Manager.
If you notice that your client’s risk management philosophy is trending back toward a traditional view, you can suggest that the client take a number of steps. The first step toward reestablishing ERM is to reexamine the organization’s risk culture. Has it changed since ERM was established, or has a new C-suite executive been hired? The risk culture of an organization is established by the tone at the top, and it may be necessary once again to obtain key leadership buy-in. This step might take time, but it is the cornerstone of the entire process. Once the leadership is back on board, the risk advisory committee meetings need to be reinstated. These meetings are a crucial part of the risk identification process and are another way to ensure that risk management is integrated into all divisions in the organization.
Encourage your client to reinstate risk into the decision-making process and highlight ERM’s competitive opportunities and advantages. ERM shines when it is used to identify the strategic and operational exposures that can affect an organization.
Most important, be a champion for a mindful risk culture and encourage your client to celebrate any successes that can be directly attributed to the organization’s ERM program.
Kyle Drawdy is the risk management education program director for The National Alliance for Insurance Education & Research. Previously he was an enterprise risk manager for the Florida College System Risk Management Consortium (FCSRMC). Kyle began his insurance career with Brown & Brown Insurance in 2005 after serving four years in the Army.