30 November 2022

"Enterprise risk" management? Or enterprise "risk management"?

Ari Moskowitz, group chief risk officer at Everest, explains why both approaches are critical and how to tie them together seamlessly, so businesses can see both the wood and the trees

We work in a constantly shifting risk environment. Climate, pandemic, food and energy supply, geopolitics, inflation... they have all recently brought disruption. The risk environment has always changed but, between globalisation and information sharing, the world seems to have become riskier at an increasing pace.

Whether this is an actual change in the risk environment or just a change in our awareness of it, enterprise risk management (ERM) is an important practice that helps keep company leaders informed. Now more than ever is an important time for companies to be vigilant with ERM, and the insurance industry as a whole has continued to mature its risk frameworks as a result.

This expanding need for robust ERM practices has also drawn a certain intrigue from many industry practitioners. The idea of "enterprise risk" connotes an elevated view of the industry that draws in desk underwriters with the appeal of portfolio management. It provides a challenge for actuaries and modellers through implementing advanced analytics and model development that can inform corporate strategy. Big picture thinking is another exciting incentive for operations teams to focus on company-wide processes.

While all this appeal certainly is rooted in the practicing reality of ERM, there's also much more that must occur for a successful ERM framework to be robust enough to help protect a company.

There is the tried-and-true practice of "risk management" which doesn't always have the same appeal to non-practitioners: environment scanning, risk assessment, mitigation plans, controls testing, risk committee reporting and recommendations, and implementation monitoring. This is rigorous, yet ever-important, work for ERM to be successful.

Emphasis in the words can change the story here: does ERM mean "enterprise risk" management or is it enterprise "risk management"?

The former highlights the need to manage any large, systemic risks to the company while the latter is a practice of reviewing all risks that the enterprise is faced with. Ultimately, both approaches are critical and in a mature framework they should tie together seamlessly.

There are three key practices to include within an ERM framework to help make this happen:

1. Execution management: Many ERM frameworks focus on critical accumulation assessments such as catastrophe probable maximum loss (PML) management and investment portfolio stress testing. These are examples of focusing on the large, systemic perils via stated risk appetites to determine when a company needs to step on the brakes as it gets too close to the limit. This is all included under the headline of "exposure management" and is extremely important to protect any franchise. However, exposure management might fall short as reported information may be untimely and may only keep a line of sight into the risks which are already known to be highly material.

An ERM framework that also maintains line of sight into the day-to-day business planning and execution could help management see around the bend and better manage risks which have not yet hit a threshold of materiality. This would be included under an alternate headline: "execution management". The combination of the two is a powerful view into the metaphorical forest and the trees of our risk environment which enhances timely responses and preparedness.

2. Risk funneling: Assessing every risk across the company is a daunting task. Even once complete via a strong ERM team, an executive management team focused on decision-making in the face of these risks can't properly account for every single one. There needs to be a process by which the risk managers can properly elevate areas of concern to get onto management's radar. Formal reporting channels, crisp communications, and clear elevation criteria will help funnel information to business leaders.

Within this bottom-up process, ERM practitioners can also better identify if there are smaller risks which are reported by multiple functions within the company. While each risk may not be deemed material on its own, together they accumulate to something riskier. Further, ERM practitioners can also identify early warning signs as risks start elevating from the bottom level. A bottom-up approach of funneling risks to management ultimately places a ranking on risks, and tracking shifts in the rankings can help identify future concerns.

3. Coffee and lunch: Simply, network often. Sometimes employees view ERM like they view audit... as a policing function. That sentiment couldn't be more wrong for both ERM and audit. The goal is to protect the franchise through enhancing informed decision making, which is ultimately the same goal of every member on the business front lines. Nonetheless, some people may be hesitant to report an elevating risk too early when going through formal channels. This can ultimately lead to delays in reporting, which can be detrimental to controlling and mitigating the impact. Coffees and lunches are great ways for ERM practitioners to maintain a quick and timely pulse on the risk profile of the company by hearing business leaders' concerns without the pressure of a rigorous assessment.

The re/insurance industry is unique as its purpose is to assume risk. The goal isn't to remove risk from the equation; the goal is to simply be paid appropriately for the risk assumed through diligent underwriting and actuarial practices.

Similarly, ERM plays an important role across all industries but has an elevated importance within the re/insurance industry since we don't shy away from risk. Risk is our opportunity set and a robust ERM framework seeks to better manage that through awareness and understanding.