ERM Adoption
July 10th, 2008 by David Mahler
PricewaterhouseCoopers put out an interesting study entitled “Does ERM Matter? Enterprise Risk Management in the Insurance Industry 2008.” In commenting on the article, Continuity Central discusses some of the difficulty found in implementing Enterprise Risk Management within financial institutions:
“Against the background of an ever tougher risk environment and growing demands from investors, regulators and rating agencies, PricewaterhouseCoopers says that many insurers and other financial services organisations are asking questions about the effectiveness of enterprise risk management and its ability to deliver a return on investment or meet the expectations of stakeholders.”
The article is worth reading. One of the key points made is:
“…the study found that enterprise risk management is, in many cases, neither relevant to nor clearly understood by business teams. It is not fully embedded into strategic decisions and its integration into day-to-day decision making and frontline risk taking within many insurance companies remains limited, potentially undermining its ability to deal with a more complex risk environment and more exacting stakeholder expectations”
This article mainly addresses ERM within financial institutions. These companies have a very real need for ERM, especially with a broad range of exposures to interest rates, natural disasters, and general economic turmoil.
That said, the takeaways apply to all business enterprises. In essence, ERM adoption can be held back by its complexity and by the inability of current practitioners to properly teach the marketplace about its proper use. Many look to Enterprise Risk Management as a holy grail that will lead to zero losses and soaring profits. Unfortunately, this ideal can be quite damaging, especially for those expecting quick results and not fully realizing the amount of work and effort that is actually necessary to make real, lasting change.
Since the topic of Enterprise Risk Management can be quite overwhelming, it’s important that practitioners work to translate its implementation into actionable items that can be performed by individuals with no prior experience. By doing so, everyone in an enterprise can be involved and take ownership in the process, helping create a risk management culture, rather than a dictatorial risk management approach that almost always fails.


July 13th, 2008 at 3:53 pm
It’s important to note that effective ERM causes businesses to run very smoothly, which actually lessens the perceived value of the ERM implementation. We call this the Success Paradox; it will be the subject of a future post.
July 16th, 2008 at 10:49 am
I did a search on Success Paradox and was not able to find any information on it. Please direct me to a site that discusses it. I have interest.
July 16th, 2008 at 11:13 am
There are several uses of the term “Success Paradox” online. For instance, the term has been used to refer to individuals that are economically successful not being as happy as those less economically well-off, to the increased vulnerability of developed countries to diseases such as measles, and to the concept that an enterprise, such as a poverty NGO, puts itself out of business if it is successful.
All these are useful, but our use of the term is specifically in reference to situations where a risk is present and successful mitigation of that risk, in hindsight, reduces the risk’s perceived importance. One great example is the Y2K problem. Since there were no major catastrophes related to Y2K, there is a tendency for people to assume that it was not really a problem in the first place. However, the fact that no catastrophes occurred might also be attributable to the excellent risk mitigation efforts of thousands of companies and individuals working diligently to fix the exposure.
July 17th, 2008 at 11:12 pm
I understand your response, however I feel that the term does not adequately describe the paradox as it relates to Enterprise Risk Management. Surely there is a paradox. However, a company can be successful whether or not risk controls are in place. In fact, in the construction industry, many companies have been highly successful for years without prudent risk controls in place. Ultimately, the purpose of Enterprise Risk Management is to implement controls that mitigate risk, but not the risk of success. Most people in the business world think of a successful company as one that consistently makes a profit, and companies without important risk controls in place routinely meet this test. A better term for the tendency of management to underestimate the impact of risk controls is the “Profit Paradox”. This is because any risk exposure that is worthy of control is one that can impact profitability, either in the short term or long term. The paradox is that management might think risk controls are unimportant because their company is consistently profitable. However, if some risk controls are not in place, the company would likely be less profitable, and if all of the controls are in place, the company would likely be more profitable. There is just no way to provide proof without a long-term trend analysis. So, there is no question that ERM takes buy in. But there is also no question that the process improves profitability and long-term financial strength. Since the purpose of Enterprise Risk Management at its core is to maximize profitability, I vote for the term “Profit Paradox”.
July 18th, 2008 at 9:55 am
Hi Dave,
Thanks for your response. I think your confusion stems from the fact that there are actually two distinct situations each of us is describing:
1) A company has proper risk controls in place and is successful/profitable
2) A company does not have proper risk controls in place and is successful/profitable
The first situation can be described by the Success Paradox, which I have elaborated upon earlier. In this situation, the perceived importance of the risk controls is diminished due to success, just as Y2K controls were downplayed after a relatively uneventful Jan. 1, 2000.
The second situation, however, is slightly different in that it deals with chance/luck. It is analogous to Russian Roulette; it would be like a player assuming there is no danger to the game because no damage occurred from his “turn”. In a sense, he is still successful/profitable, but that does not mean his actions were risk free, or that he made the right decision to play. He just got lucky, which is the operative word; he could very well have died. I don’t believe this situation is a paradox.
July 27th, 2008 at 10:27 pm
With respect to ERM Adoption, I always like to look at things in a simple manner. The value of ERM is really just the systematic process. When it gets right down to it, the controls are simply an improvement upon business conditions, processes and management methods. Any qualified consultant can deliver those improvements. The ERM process simply establishes a framework for examining the status of controls presently in place and sets forth a way to identify weaknesses that may impact profitability. Although it is just that simple, the value of the ERM process should not be understated. This is because to improve upon the many controls within a company, a random unstructured approach just doesn’t work well. With a random approach, management’s attention is drawn to the problem of the week and controls are implemented on the fly. Once the focus is taken off the problem, the control usually doesn’t last. Using a structured process such as ERM assures that all potential problems are examined, that controls are implemented, and that status of those controls is monitored. The process simply provides a systematic way of improving a company.