The document summarizes a presentation on enterprise risk management (ERM). It discusses the evolution of risk management from 1993 to 2013, highlighting increasing engagement from executive management and a shift from compliance-driven to value-driven approaches. It identifies top risks facing global companies and the 10 hallmarks of best practice risk management. The presentation examines how insurance can support ERM and areas where risk managers can improve. A maturity index is presented, showing most organizations have developing risk management capabilities.
2. Speakers
Edwin Meyer – General Manager Risk & Insurance, ArcelorMittal
Dr Grant Foster – Head of Enterprise Risk Management, Aon Risk Solutions
Mark Harman – CEO Continental Europe, Middle East & Africa, Crawford & Company
3. Agenda
Evolution of risk management
What risks are global companies facing?
10 Hallmarks of Best Practice in Risk Management
What skills does insurance bring to ERM?
What should Risk Managers be better at?
Where are we on the journey to risk maturity?
Can we identify value?
4. Risk Management 1993
Executive management barely thinking about it
Finance as “the conscience of the business”
Non-executive directors – the great and the good, informal
Auditors focused only on financial statements
In house insurance manager focuses on procuring insurance
Legal department reactive
Overall – low importance, disparate, trusting
5. Risk Management 2003
Post Enron, SOX – executive management climate of fear
Finance – louder voice, more centralised control
More professional NEDs with formal roles – audit committees
Requirement to report on risk and controls
Auditors signing off on controls
More internal audit, big increase in certification
Insurance manager morphing into risk manager – better trained, focus extended to uninsured risks, more linkage to other functions
More widespread use of ERM models and risk maps
Overall – higher profile, more joined up, less trust, focus on compliance
6. Risk Management 2013
Executive management ownership and engagement
Embedded within governance structures and processes
Linked to strategy
Risk managers – higher calibre, central role, at top table
Board of Directors driving governance
Compliance embedded and now BAU
Auditors and internal audit becoming risk consultants
Overall – moving from compliance driven to value driven
7. ERM – A basic business principle
(Diagram: ERM shown alongside the business functions Business, HSE, Product / Service / Operations, Compliance, Market, Finance and Insurance.)
8. Results from the 2013 Aon Global Risk Management Survey
What Are Companies Worried About?
(Figure: the top 25 risks ranked 1 to 25. The rank numbers could not be recovered from the extracted slide, so the risk names are listed here without order. Callout on the slide: “Insurance is a useful tool… but business risk is much wider”.)
Economic slowdown / slow recovery
Regulatory / legislative changes
Increasing competition
Damage to reputation / brand
Business interruption
Commodity price risk
Cash flow / liquidity risk
Failure to attract or retain top talent
Failure to innovate / meet customer needs
Property damage
Exchange rate fluctuation
Computer crime / hacking / viruses / malicious codes
Growing burden & consequences of Corp. Governance /
Technology failure / system failure
Third-party liability
Distribution or supply chain failure
Capital availability / credit risk
Counter party credit risk
Lack of technology / infrastructure to support business
Inadequate succession planning
Weather / natural disasters
Failure of disaster recovery plan / business continuity
Crime / theft / fraud / employee dishonesty
Injury to workers
9. Aon Risk Maturity Index
All Organizations (870+ Participants Globally)
• Developing capabilities to identify, assess and prioritize risks across the organization
• Developing capabilities to analyze risk consistently, but approach may be primarily qualitative
• Developing capabilities for monitoring existing risk exposure across the organization
• Informal and inconsistent consideration of risk and risk management information in decision making
• Developing understanding of Enterprise Risk Management (ERM) and its application
Professional Services Industry Average (35 Participants Globally)
• Inconsistency in risk management practices or approaches across the organization (i.e., “silos”)
• Limited capabilities for monitoring existing risk exposure across the organization
• Informal and inconsistent consideration of risk and risk management information in decision making
• Developing capabilities to identify, assess and prioritize risks across the organization
• Developing understanding of Enterprise Risk Management (ERM) and its application
Client X Risk Maturity Rating
• Developed capabilities to identify, assess and prioritize risks across the organization
• Developing capabilities to analyze risk consistently, using qualitative and quantitative techniques
• Developing set of loss and / or tolerance guidelines for key risks
• Developed capabilities for monitoring existing risk exposure across the organization
• Explicit consideration of risk and risk management information in decision making
Current Aon Risk Maturity Index Dataset (September 2013)
Organizations Represented: 650+
Countries Represented: 20
Industries Represented: 30+
The Index will continue to capture global data throughout 2013 and beyond
10. 10 Hallmarks Of Good Risk Management
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
11. What Skills Do Insurance Risk Managers Bring?
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
13. Risk Register 2008
Risk Register – Report Dated:
Columns: Risk No. | Status of Mitigation (RAG) | Country Specific / EMEA | Owner | Description of Risk | Impact if it occurs | Impact (Critical, Major, Manageable) | Probability (High, Medium, Low) | Current Control Activities

Market – MKT01
Status of Mitigation (RAG): Amber
Country: UK
Owner: Martin Weinthrop
Description of Risk: Retention of key clients. Top 25 clients account for 70% of revenue.
Impact if it occurs: General erosion of reputation in the marketplace; potential for a domino effect; financial loss of revenue.
Impact: Major
Probability: Medium
Current Control Activities: Key Account Management (KAM) team

Reputational – REP01
Status of Mitigation (RAG): Green
Country: EMEA
Owner: Martin Weinthrop
Description of Risk: Serious reputational issue arises anywhere in the world.
Impact if it occurs: Could seriously impact our EMEA reputation and competitive position.
Impact: Major
Probability: Low
Current Control Activities: Country Managers pack sets out the standard to be adopted. Media Policy sets out the structure of our external communications.

Regulation – REG01
Status of Mitigation (RAG): Amber
Country: UK
Owner: Stephen Pearsall
Description of Risk: Lose FSA authority to conduct regulated business.
Impact if it occurs: Severe direct impact upon the regulated business. There would also be a severe reputational impact on the non-regulated parts of our business.
Impact: Major
Probability: Low
Current Control Activities: Peter J Ward has advisory role.

Financial – FIN01
Status of Mitigation (RAG): Amber
Country: EMEA
Owner: Stephen Pearsall
Description of Risk: Top 25 client organisation fails.
Impact if it occurs: Would impact upon the EMEA revenue and margin heavily,
Impact: Critical
Probability: Low
Current Control Activities: Appoint a designated client relationship manager who would be expected to identify early warning signs. Monthly credit control reports detailing status of current debt and identifying adverse trends.

People – PP01
Status of Mitigation (RAG): Amber
Country: UK
Owner: Nicola Fu
Description of Risk: Key staff leave or are otherwise unavailable.
Impact if it occurs: Could seriously impact the ability of the EMEA to achieve its corporate objectives. Loss of key staff or revenue could result in collapse of business within that country, e.g. Greece. Plus loss of team culture. Also have a country manager without a contract.
Impact: Major
Probability: Low
Current Control Activities: Informal

Operational – OPS01
Status of Mitigation (RAG): Amber
Country: UK
Owner: Sam Friend
Description of Risk: Lack of adequate disaster recovery provision in the event of the total loss of key IT infrastructure.
Impact if it occurs: Inability to trade effectively. Specifically inability to: update claim systems; raise invoices; review electronic claim files; send/receive e-mail.
Impact: Critical
Probability: Low
Current Control Activities: Cobit controls (framework used for SOX compliance) in place to ensure integrity of data.

Projects – (no further cells for this row were extracted)
23. Hallmark 10. Risk Management Focus on Value Creation
Stumbling blocks…
Not recognizing ‘value’
Corporate culture views risk management as a staff function, not a source of added value.
Employees are not encouraged to optimise risk-reward activities.
Assuming lasting value will be maintained through single iterations of risk management assessments.
Best Practice
Balancing short term gains with long term sustainability
The upside of risk is acknowledged in risk assessments
Processing trends versus events
Project risk profile is taken into account when making capital investment decisions.
Insurance portfolio optimised through robust analysis of risk exposures and tolerances. These combine to drive decision making.
8/10/2013
24. Conclusions
Evolution of risk management
What risks are global companies facing?
10 Hallmarks of Best Practice in Risk Management
What skills does insurance bring to ERM?
What should Risk Managers be better at?
Where are we on the journey to risk maturity?
Can we identify value?
25. 1. Board Understanding & Commitment to Risk Management
Stumbling blocks…
‘Intuitive management’ means decisions are not based on a clear understanding of the organization’s risk exposure and appetite.
Board maintains a one-dimensional attitude to risk – effective risk taking is avoided.
Risk is managed purely to meet compliance requirements.
Best Practice…
Key risk exposures, risk appetite and controls are consistent and embedded into corporate strategy.
Coordinated reporting cycles that are conducted frequently for full Board and its committees.
Alignment of agreed risk management strategy with the firm’s overall strategic direction.
26. 2. Executive Level Risk Management Stewardship
Stumbling blocks…
“It’ll never happen to us...”
Demoting risk management function to that of administrator.
Risk management competency not valued as an important invisible asset.
Management temptation to avoid bureaucracy by not tying down accountabilities.
Best Practice…
Formal assignment of executive-level risk champion
Risk Management leader’s full involvement in strategic decisions and overall RM strategy.
“Walk the Talk”
27. 3. Risk Communication
Stumbling blocks…
External and internal risk factors around decisions are not formally justified and documented.
Bearers of ‘bad news’ are deemed unwelcome and negative disclosures swept under the rug.
No formal sanctions for failure to disclose negative risk information.
Best Practice…
Consistent and coordinated content reported on a routine basis.
Risk disclosures are expressed in both quantitative and qualitative terms.
Enterprise-wide use of risk terminology, encouraging open dialogue and centralised tools to facilitate this.
Active sharing of war stories and subsequent lessons learned.
Full disclosure of negative feedback facilitated via formal and informal channels.
As simple as possible; but no simpler
28. 4. Risk Culture: Engagement & Accountability
Stumbling blocks…
Leadership sends ambiguous signals regarding management-level engagement and accountability.
Corporate culture which assumes everyone knows how to manage risks without appropriate training.
People are not rewarded for effectively managing their ascribed risk portfolio.
Accountability is not assigned to a single risk owner.
Innovation not supported
Best Practice…
Managers take ownership of risks and how this fits with the organization’s RM strategy.
Risk management expectations are articulated in executives’ job descriptions and updated periodically.
Performance metrics are embedded and implemented consistently, driving behaviour and communicating results.
Risk management results are formally incorporated into incentive structures.
Work on shared risks… not just my risks
29. 5. Risk Identification
Stumbling blocks…
Lack of resources leading to a low risk awareness.
Failure to prioritise the organization’s Crown Jewels: critical processes and key revenue generators.
Extensive risk mapping to the detriment of its practical use.
Failing to realise risk identification is a dynamic process and subject to change at any given moment.
Best Practice…
External information is integrated into strategic planning, supplementing identification of actual / emerging risks.
Defined channels facilitate collaboration between the organization and strategic partners to identify and address its risks.
Internal subject matter experts are consistently privy to all risk identification, validation and response discussions.
Risk drivers (causes) are well understood & analysed.
Risk metrics are identified and objectively track a number of key risk indicators.
30. 6. Stakeholder Participation in Risk Management
Stumbling blocks…
Failing to incorporate a range of stakeholder positions into the decision making process.
No developed stakeholder communication plan and no common understanding of risk tolerance between parties.
Withholding key risk information from stakeholders
Best Practice…
Forums at executive and management levels seek consensus to address cross-functional risk.
Demonstrate that stakeholder expectations are analysed and incorporated into the organization’s risk and compliance management processes.
Ensure effective communication channels to optimise information sharing and strategy development.
Cross-functional approach to risk
31. 7. Risk Information & Decision Making Processes
Stumbling blocks…
Risk information disconnected from strategic and operational decisions.
Inconsistent benchmarking and use of risk information across business units.
No measurable comparisons developed across time and business units.
Failure to benchmark and review the process on a periodic basis.
“Something needs to be done….. And this is something”
“Decide in haste – repent at leisure”
Best Practice…
Formal collection and incorporation of risk information into decision-making and governance processes.
Risk identification / assessment activities follow given methodologies and are considered in project / investment decisions.
Budget allocations incorporate risk assessment plans and consider risk-return expectations for each business unit.
Review systems make reference to RM results and are formally communicated to group and stakeholders.
BI (business interruption) exposures independently valued at predetermined intervals, with set triggers to prompt emergency valuations.
32. 8. Integrating Risk Management & Human Capital Processes
Stumbling blocks…
“Any one person can bring a company down” – failure to realise the value of risk management in the HR space today.
Cost-cutting dictates that external support to help manage HR risks is outlawed by the organization.
Managing numbers to the detriment of employee satisfaction.
Best Practice…
Monitoring of key HR processes is part of a complete review process, and explicitly linked to RM processes.
Employee engagement is valued by executives, quantitative in nature and maintained on a periodic basis.
Talent management is aligned with the organization’s future needs.
Leadership development plans are consistent and in place for critical positions.
Retirement plan risks are managed and reviewed quarterly and supported externally.
33. 9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
Stumbling blocks…
Link between reward and appropriate risk taking not considered.
Historical data not incorporated into risk management decisions.
Best Practice
Quantitative and qualitative analysis aligned to risk appetite and supported by additional evaluations.
Common risk drivers are formally identified and relationships between risks analysed.
Risk KPIs are measured quantitatively and documentation includes qualitative commentary and quantitative evidence.
Self-insured valuations are conducted annually and are developed by actuaries.
Market assumptions are documented consistently and organizational projects developed through complex modelling techniques.
34. ERM Process Standards
ERM process standards and guidance are available (e.g. COSO, ISO 31000)
But these are generally implemented in different ways by different companies
So, from all this risk management activity… what really gives value to companies?