06 August 2009
Published in: Risk governance
“Risk appetite, not risk management, was at root of crisis”
Aon has appointed Grant Foster to be head of enterprise risk management (ERM) for the UK and to "further integrate the UK into Aon's pan-EMEA and global risk management for world-wide businesses", according to the company.
Foster, previously with Det Norske Veritas, has strong views on ERM and thinks its role in the present crisis has been misunderstood.
"Sometimes people think that risk management is about the absolute removal of risk and actually that's not entirely the case," he explains. "Everybody is in business to take a risk and profit from risk. People always seem to point at poor risk management when something fails, however often the risk is well known and understood, but tolerated. That's not necessarily a symptom of a bad ERM system, it's a result of setting your risk appetite wrongly.
"In the banking case, the roots of the crisis started with risk appetite," he continues. "Somehow people started to care less about the details and got much happier about taking bigger risks, particularly where a lot of potentially risky loans were packaged up into things that looked much safer."
Foster has an impressively broad background. He's a chartered engineer, with PhD in the field of distributed systems modelling and a BSc in cybernetics and mathematics. At Aon he and his team have three main areas of focus. The first is to help clients assess and implement ERM frameworks, a task linked to compliance with rating agency and regulatory requirements. While compliance is a major driver behind ERM - "it makes a company do something about it" - companies should be looking to ERM to improve their business performance rather than just for the sake of compliance or for a credit rating, he thinks.
His team also helps clients with business interruption and business continuity management, an area Foster describes as "low probability/high impact". And the third area is specific risks surrounding information technology, which the team is looking to expand in coming years. "As technology has progressed, most of the systems that generate value for a company are based in IT and cyber-issues so we're looking at that in some detail. It's where technology meets business management."
While recession has altered many companies' priorities, risk management remains a key concern. "People's top 10 risks are changing," notes Foster. "Obviously with the current economic climate people are a lot more interested in risks that are symptomatic of a recession, for example, maintaining services with a lower headcount, a functional supply chain and in things like trade credit agreements."
He believes ERM will continue to mature over the next few years. The next step will be to move beyond the use of ERM frameworks as a means of catching and managing just downside risk. Companies can discover opportunities where they least expect it. Pandemic preparedness has helped some companies discover they can operate effectively with staff working remotely. Others have discovered routes to additional production capacity by exploring downside risks in their supply chain. Such overcapacity could come in useful should they consider future expansion.
"In the coming years," he explains "the next phase of the ERM evolution will have to be a change in focus into risk as an opportunity rather than a threat -- to look at upside risks a lot more, because that's where the value of risk management really is."