Posts Tagged ‘Risk management’

Will the Real Risk Manager Please Stand Up!

Friday, December 12th, 2008

Today I met an individual who asked what I did for a living. I was somewhat distracted and mumbled the word “risk management.” As I regained my focus this gentleman said “Oh, you’re a risk manager. I’ve had trouble with my Workers’ Compensation…” and he began to talk about insurance.

This was a prime example of the perception surrounding the terms “risk management” and “risk manager,” and how they’ve been equated solely to insurance coverage and insurance professionals in the past. I’ve witnessed this misrepresentation of the terms so many times that I felt not just inspired but publicly obligated to write this article and help clear up the confusion over the terminology that began long ago.

PASSING THE SMELL TEST

In the early 1960s, two professors, Robert Mehr and Bob Hedges, developed the concept of Enterprise Risk Management. These two could easily be called the Godfathers of Risk Management. They published the first text to fully address the subject of business risk, “Risk Management in the Business Enterprise.” The book introduced how risk management of an entire business could maximize efficiency, which would result in greater productivity. The basic premise was that all business risks should be managed, not simply those that could be “insured.”

Suffice it to say that over time, the term “risk management” began to take on a more limited meaning, referring just to insurable risks (for a slightly more elaborate outline see history of enterprise risk management). Now, some 45 years later, many large public firms are finally returning to the original roots of risk management. The Risk Managers of these firms manage the risk exposures of the entire business, not just those risks that are insurable. Mehr and Hedges would be very happy about this if they were here with us today. And, I might add, this helps put my mind at ease as well.

You see, having been heavily involved in construction for much of my lifetime and having witnessed many different construction business failures, it became evident to me that the causes for each failure all boiled down to risk. However, it never seemed to make sense that insurance brokers and agents called themselves risk managers, especially since they only provided a form of management that addressed insurable risk. It just never sat right with me. First of all, they really didn’t address anywhere close to all of the business risks that exist. Second, out of all the business failures I had witnessed, none were the result of having too little insurance or poor loss control procedures. When I finally came to understand how risk management evolved over the years it was somewhat of an awakening.

THE ENTERPRISE RISK MANAGEMENT PROCESS

Robert Mehr and Bob Hedges came up with the steps for the risk management process, and the basic form is still in practice to this day:

  • Risk Identification (Identify all the risk factors; all the possible causes for loss in a typical company)
  • Risk Analysis (Analyze the risk; assess and measure the potential for loss in the company to be examined)
  • Risk Response (Determine what to do; either assume, transfer or reduce the risk)
  • Risk Control (Implement internal controls to reduce or transfer the risk)
  • Risk Monitoring (Select a method for monitoring results and put it in practice)

As originally intended, risk management would encompass management of the entire business enterprise; hence, the field became known as Enterprise Risk Management (ERM for short). ERM requires examination of all risks that an organization faces and applies directly to four distinct types of risk: Operational Risk, Financial Risk, Strategic Risk, and Hazard Risk.

For the most part, only hazard risks are insurable.  Thus, insurance brokers should have called themselves hazard risk managers instead of just “risk managers”.  Now, with the reemergence of ERM, traditional insurance-based “risk managers” are being pushed into a wider arena of risk management, one that incorporates all other areas of business risk, many new forms of risk analysis, and a wider array of risk control mechanisms.

The primary challenge of expanding risk management across the enterprise is that, because it involves so many different aspects of an organization’s operations, traditional insurance-based risk managers (who focus only on hazard risk) are simply not qualified as enterprise risk managers. They simply don’t have the experience or expertise necessary to have a firm grasp of all aspects of a business, and there are already signs they are losing their hold on the “risk manager” title. In fact, the fastest growing position in the business world today is that of Chief Risk Officer (CRO). As ERM continues to filter down from public companies to smaller and smaller private companies, you can expect a CRO type individual to become part of every management team. After all, the adoption rate of the ERM process has already reached 40% in public firms.

In order for risk managers to evolve from insurance minded professionals to ones who understand the risks of an entire business enterprise, they will have to learn the language and the approach of each business area, either alone or as a team. If they are to act as a team, the team leader will need to have a basic understanding of all the steps involved in the entire process of risk management and the methodology used in each business area. Clearly, traditional risk managers will need to obtain additional skills to be involved with enterprise risk management.

TYPES OF RISK MANAGERS

There is no doubt Enterprise Risk Management is making its way from large public firms to firms in the private arena. It is being dictated by credit providers of large public firms as a result of Sarbanes-Oxley and, given the current credit environment, may soon be expected of private firms too. It may not be long until ERM becomes an expected and necessary way for all companies to operate.

Since risk management has expanded to cover risk across the entire enterprise, one of the largest challenges has been finding individuals capable of understanding and managing such risk. Since insurance agents or brokers who only provide insurance advice to their clients do not fit the bill, corporate decision makers have only a couple of options:

  1. Salaried employees who can learn to manage a wider scope of risk for their company than traditional risk managers (often chief financial officers or treasurers); and
  2. Independent consultants who provide comprehensive Enterprise Risk Management services.

Individuals who perform at this level are called CROs. They are in very high demand today and typically are drawing salaries even higher than the CFO. As time progresses, I expect that there will be a lot of CROs working on a consultancy basis since smaller firms won’t be able to find, much less afford, individuals qualified to identify, assess, and control all of the risks in a business enterprise. Obviously, such individuals must be very specialized in a particular industry to serve their clients well.

To choose the best type of risk manager for their companies, corporate decision makers must now consider the potential increase in profits that the adoption of the Enterprise Risk Management process can bring. For those early adopters, employing an experienced professional in Enterprise Risk Management is the key to real benefit. If that person is a consultant, he can be used as the de facto enterprise risk manager who can be relied upon to retrain traditional risk managers already on staff so they can gain the full knowledge of how to control risk across the enterprise. As time will tell, the true risk manager will not be the traditional insurance professional who addresses Hazard risk, but will be the individual who can address Operational, Financial, and Strategic risk as well. That is how risk management is evolving and what is expected of a risk manager in many companies today.

Thus, will the real risk manager please stand up!

By: David F. Druml, ERM Specialist at My Risk Control, LLC

Excerpts from “Journal of Risk Management of Korea Volume 12, Number 1” D’Arcy, Stephen P., Professor of Finance, University of Illinois at Urbana-Champaign, May 30, 2001

CnP: Risk Management is Useless

Thursday, November 13th, 2008

This week’s Case ‘n Point looks at the question on all our minds, “Is risk management doing its job?” Our real-world example isn’t based on just one story. We’ve encountered this scenario so many times that we’ve provided the quintessential example. As always, the names have been changed to protect the innocent parties.

The Risk Victim

Jake’s General Contracting employs Steve Shaky as a full-time risk manager. His responsibility is to eliminate or control risk wherever it may lie. Steve Shaky properly identified that subcontractors not complying with insurance requirements is a large risk exposure. Steve wrote up a formal process for confirming that Jake’s General Contracting is named as an additional insured on all subcontractors’ general liability insurance policies. The secretary, Annie Anderson, whose job it is to approve certificates, has read the process written by Steve and understands that Jake’s General Contracting must be named additional insured on the certificate of insurance.

The Risk Impact

One day, Annie received a certificate from Don’s Plumbing, a subcontractor. The description box of the certificate read:

The certificate also had an additional insured endorsement attached, which read:

Blanket Additional Insured - As Required by Written Contract

Annie reviewed Steve’s formal process checklist, which was very clear:

The certificate of insurance description box must read: “Jake’s General Contracting is named as general liability additional insured.”

Since Annie didn’t see the required text, she sent a letter to Don’s Plumbing outlining what needed to be changed. Later that day, Don’s insurance broker called to explain that the additional insured endorsement on Don’s insurance policy is a blanket endorsement. It will cover Jake’s GC as an additional insured as long as there is a contract between the parties that requires it.  Annie quickly replied “All I care about is that the certificate says ‘Jake’s General Contracting is named as general liability additional insured.’ That is a direct command from our risk manager.”

The Lesson

Don’s broker tried to explain that the required text was meaningless. In fact, just about anything written directly on the Acord 25 – Certificate of Liability Insurance is meaningless. The form even says so:

Top of page 1

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW.

Top of page 2

If the certificate holder is an ADDITIONAL INSURED,  the policy(ies) must be endorsed. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

Only a proper contract will trigger the automatic additional insured endorsement in Don’s Plumbing’s policy. Since Annie was only concerned with satisfying her risk manager, she accepted the “revised” certificate fully aware that Jake’s General Contracting might not be an additional insured. Should a large loss occur at the job site, Jake’s General Contracting might not have the coverage they thought they did.

We’ve seen this countless times. The risk manager or owner is concerned about risk, while employees only care about satisfying a requirement handed to them from above. If something goes wrong, the employees defer blame and say they were following orders.  In the end, no one wins.  Until a culture of risk awareness is spread to all levels of the organization, these types of problems will continue.  By properly training employees and giving them access to proper resources, employers can help them seek out answers on their own and truly combat risk.  So, is risk management doing its job? It can if all employees become responsible for risk in their department.

In Construction, Cash is King

Thursday, August 21st, 2008

A few days ago I met a fellow after doing laps in the pool, à la Michael Phelps! (I’d like to think we know as much about construction as Michael knows about swimming.) We began talking and sure enough he was the proud owner of a thriving construction company… but it wasn’t always that way. In fact, he shared with me the trials and tribulations he had experienced in the construction business. We laughed about the scrutiny his work received when doing custom mansions for the very wealthy and how the Irish side of him loves whiskey. And then we talked more seriously about a dramatic change in his career. You see, this strong-willed Irishman was a victim of a key risk factor: mismanagement of cash flow.

He shared with me how cash flow had put him out of the construction business. His claim to fame was the installation of high end custom wood work in plush offices and homes. As he became bigger, he just was not prepared for the cash flow crunch that he would experience. He shared with me his frustrations at getting paid from General Contractors who always had an excuse for not paying, and he used a few choice words. It was obvious that he had experienced what has put so many companies out of business, a cash shortage. He indicated he was making good money, and I believe that because custom millwork brings a good margin and there is not a lot of competition for highly specialized woodwork. He had different types of wood shipped in from all over the world and he shared with me how even though he was profitable, when he pursued the bigger work, cash flow became too much of an issue and he was forced to reinvent himself. This certainly is a familiar story.

The Risky Game of Credit Underwriting

Tuesday, August 12th, 2008

Credit underwriting decisions are a cornerstone of any economy. Made wisely, they can assist entrepreneurship, promote economic growth, and generally ensure that capital is allocated to its highest and best use. On the other hand, poor credit underwriting decisions can negatively impact an industry or the economy as a whole. Recent troubles in the U.S. economy are directly tied to the poor credit decisions of lenders to support prospective home owners who had little money and provided little information about their financial strength in an over-inflated housing environment. Recent failures of banks such as IndyMac are partly tied to poor credit underwriting decisions and over-leveraging. The failure of banks to consider the full range of construction risk is leaving many banks high and dry due to the recent spate of construction business failures, with many more to come. The five consecutive years of recent losses in the surety industry were directly related to poor credit underwriting decisions. With all of these losses you have to wonder what is going wrong. The answer is twofold: an unusually high tolerance for risk and credit decisions based upon insufficient data.

Creditors

In the case of mortgages that went bad, because loans could be packaged and resold, an anything goes atmosphere developed and many risk management practices were thrown out the window. Many loans were provided based on simple applications that provided minimal financial information. The fallout of this lending environment is showcased on Mortgage Lender Implode-o-Meter. In the case of IndyMac, a large portfolio of non-performing Alt-A loans, sometimes called liar loans, and risky construction and land development lending, left the bank with very little cushion in a falling housing market. Other banks impacted by losses only relied on financial data, failing to consider all the risks of lending to high risk industries such as construction and auto dealerships.

The ERM – Business Success Matrix, and the “Success Paradox”

Thursday, July 31st, 2008

Companies usually find themselves in one of four quadrants of the ERM/Business Success matrix:

  1. A company has proper risk controls in place and is successful/profitable
  2. A company does not have proper risk controls in place and is successful/profitable
  3. A company has proper risk controls in place and is unsuccessful/unprofitable
  4. A company does not have proper risk controls in place and is unsuccessful/unprofitable

The Success Paradox

The term “Success Paradox” has been used to refer, among other things, to individuals that are economically successful not being as happy as those less economically well-off, to the increased vulnerability of developed countries to diseases such as measles, and to the concept that an enterprise, such as a poverty NGO, can put itself out of business if it is successful.

Construction Business Management

Monday, July 21st, 2008

Effective Enterprise Risk Management is not rocket science.  In fact, most risk controls turn out to be very simple policies or procedures that will prevent adverse shocks to a business.  Oftentimes, though, it’s hard to cut right to the core of a problem and separate the effects from the root cause.  In Construction Positions and Responsibilities, one of our advisers discusses drilling down to determine the root cause for the difficulty a client was experiencing trying to grow its business.

Enterprise Risk Management Myths

Tuesday, July 15th, 2008

The topic of Enterprise Risk Management can seem quite confusing, especially since there is a good deal of misinformation floating around.  In “The Top 10 Enterprise Risk-Management Myths,” Gordon Burnes of NewsFactor.com discusses some of the most common myths of Enterprise Risk Management.  The article is a good read for those interested in ERM, although we should point out that it is (like most information on ERM) still heavily IT/Financial focused.  A couple of the myths speak directly to the premise behind MyRiskControl.com:

Myth Number 7: You Can Manage Risk Only from the Center

No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate, and they don’t know how to push risk management to lower levels of responsibility in the organization. It’s a classic issue of consistency vs. quality of information.

But, accurate information lies at the business line level. Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably and cost-effectively do that is to invest in automated technology solutions.

Along this line of thinking, he continues:

ERM needs to be deployed bottom-up so that business managers are the first-line managers of risk, embedding enterprise risk management within the day-to-day business processes of the firm. They must understand the risk/reward trade-offs involved in their own decision-making. Risk management should create a bias for action, surfacing problems as they arise and empowering the entire organization to be risk managers.

ERM Adoption

Thursday, July 10th, 2008

PricewaterhouseCoopers put out an interesting study entitled “Does ERM Matter? Enterprise Risk Management in the Insurance Industry 2008.” In commenting on the article, Continuity Central discusses some of the difficulty found in implementing Enterprise Risk Management within financial institutions:

“Against the background of an ever tougher risk environment and growing demands from investors, regulators and rating agencies, PricewaterhouseCoopers says that many insurers and other financial services organisations are asking questions about the effectiveness of enterprise risk management and its ability to deliver a return on investment or meet the expectations of stakeholders.”

The article is worth reading.  One of the key points made is:

“…the study found that enterprise risk management is, in many cases, neither relevant to nor clearly understood by business teams. It is not fully embedded into strategic decisions and its integration into day-to-day decision making and frontline risk taking within many insurance companies remains limited, potentially undermining its ability to deal with a more complex risk environment and more exacting stakeholder expectations”

This article mainly addresses ERM within financial institutions. These companies have a very real need for ERM, especially with a broad range of exposures to interest rates, natural disasters, and general economic turmoil.