erm- from boardroom to shopfloor page 1 - conzultingconzulting.in/docs/enterprise risk management -...


Upload: dinhdan

Post on 08-Apr-2018


Introduction

Enterprise Risk Management has been a topic of hot debate in the boardrooms for the last few years. Companies are recognizing the need for moving from a silo-based approach to a more holistic approach towards ERM. Companies realize that better capital management through increased predictability and lower volatility are key factors contributing to shareholder value. Global economic and industrial developments have changed the risk profile of insurance companies. Insurance companies are recognizing the importance of a risk-sensitive system towards managing scarce capital. Regulatory changes have also forced insurance companies to move towards risk-adjusted return. Insurance companies have understood that to deploy scarce capital effectively and to maximize economic value, they need to move towards risk-based capital wherein an insurance company’s capital requirements are based on the risks that the company faces. The merits of moving from an individual risk exposure model to an integrated risk model are well established by now. However, the biggest stumbling block in the path of ERM has been the difficulty in translating the plans on the drawing board to reality in operations. This paper is aimed at discussing the following, drawing from experiences from the insurance industry:

• Implementation challenges for ERM

• An approach to realization of ERM goals

• Suggestions for implementation

Why is implementation a challenge?

ERM calls for a cultural and mindset change to the way risk is perceived and managed. It, hence, poses all the challenges of implementing a major organizational change initiative. Further, developing the right model for an organization itself is a daunting task. Some of the key issues which impede implementation are:

• Lack of alignment of ERM objectives with corporate objectives: While drawing up ERM objectives, the mistake of not keeping corporate and organizational objectives closely synchronized is often made. This could send the initiative wayward or could create friction owing to the mis-aligned goals pulling groups or individuals in different directions.

• Insufficient commitment from top management: Implementation of ERM is usually a large initiative and like most of the large initiatives, it requires whole hearted support of the top management. It is all the more critical since the implementation may also call for change in approach which usually meets with resistance.


• Inadequate conceptualization of ERM model: Creating an appropriate ERM model is one of the critical activities in the initiative. Adopting the right model and adapting it to the company is often a tough task. An inadequate or inappropriate one is unlikely to yield the expected business benefits and in turn would render the whole initiative ‘under-par’ in achievement.

• Poor decision support / statistical analysis tools and systems: An integrated risk management environment – which is the end product of an ERM implementation – would require efficient statistical and analytical tools which provide support for informed decision making. Unavailability of such tools may make the implementation sub-optimal.

• Cultural mis-matches: As discussed earlier, the introduction of ERM is also a change management challenge. Insurance companies traditionally have the ‘silo’ approach. To give an example, to a traditional claims manager it may sound preposterous to club the claims risk exposure with the risk of investment returns.

Fig 1: ERM implementation impediments

Some countries also have legal constraints within which companies need to operate. Very often, these constraints are impediments to implementing an ERM strategy effectively.

A structured approach to implementation

The key to successful implementation of ERM is a structured approach. One of the key reasons why major issues come up during restructuring the Risk Philosophy of an organization on ERM lines is the ‘randomness’ in approach.


The model shown below helps in developing a framework for adoption of ERM in a real life scenario. This is a generic model, the components of which would be tuned and customized to suit the needs of the organization which is using it.

‘As Is’ analysis:

Understanding the approach to risk, prevalent in the organization is the first step towards the migration to ERM. This phase of implementation would focus on understanding the risk appetite of the organization and the broad philosophy of risk followed. One would also need to look at the threshold levels of tolerance to risk while doing this exercise. The key focus areas of the As-Is analysis are methodology, tools, environment, exposures and impact.

• View of the exposures and impact: The primary focus of the As-Is analysis is to look into the key exposures and their impact on the achievement of organizational goals. The analysis not only includes study of these exposures independently, but also the combined impact of co-related risks. Analysis should render a clear picture of the potential impact of these exposures on the organizational goals.

• Risk management methodology: The existing methodology adopted for risk management is an obvious indicator for understanding the organization and its approach to risk. Hence, this is one of the first aspects to be considered while approaching ERM. There could be a struggle for the assessor in many organizations where the methodology and approach are not well articulated and documented. In such cases, the assessor will have to develop innovative ways to get the right picture – several standard tools ranging from surveys to workshops could be utilized for this.

• Tools used for risk management: Taking the inventory of the tools used for risk management and their effectiveness is beneficial in two ways. It helps in throwing more light into the approach of the organization as well as provides indicators for optimal re-use in the new ERM environment. Tools are indicators of trustworthy sources of data as well as pointers to the overall culture and disposition of people towards risk.

• Cultural aspects: An organization is often what its people are. The cultural dimension, hence, is very critical in understanding the pulse of the organization. That is the primary reason why analysis and understanding of the culture is an important element in the As-Is analysis. However, culture is not a tangible and measurable dimension. The assessor would need to look into a wide variety of information to gauge this aspect. Importance of risk in the performance metrics of units and individuals, risk related records maintenance, processes and policies related to risk, care and detail in risk related communication etc. are some surrogate indicators.


Fig 2: Implementation Model (stages: An ‘as is’ analysis; Establishing the value proposition; Develop a model; Pilot the model; Review / Revise / Road map; ERM Implementation; Institutionalisation)

Contextual fit:

The next important step would be to establish the value proposition of ERM in the context of the organization. This would cover the business and financial advantages which the organization would draw out of the revised approach to risk management. There are some situations where the value proposition has been established at a larger level by the industry and regulations have been framed to facilitate implementation. Solvency II regulations related to the Risk Based Capital approach to solvency evaluation are an example. The Risk Based Capital approach mandates cumulating multiple risk exposures. This naturally gives a push towards an integrated risk approach.

Develop a model:

The point at which many plans totter is when the right model needs to be chosen for ERM. Models are still in the evolving stage and would need customization to fit into a specific organization. One of the biggest challenges in the journey would be to design an appropriate model. All insurers would need to create a hybrid model since the combination of the risks which they are trying to assess include a wide range – from those which could be very well quantified to those which are beyond mathematical models.


The key aspects to be kept in mind while creating a model are :

Model attribute: Relevance

Robustness:
• Scalability across multiple domains
• Ability to stand the test of time
• Consistent performance

Suitability:
• Matching with the complexity of operations
• Addresses the key exposures adequately

Changes needed:
• Minimum change requirements
• Easy to implement changes

Cultural fit:
• Would be acceptable to people

Risk Models – need to go beyond the traditional insurance roles

Insurance companies, being the professionals in managing large risks, have over a period of time developed robust modeling techniques for standard risks like underwriting risk, market risk (interest rate risk, credit risk) etc. However, while modeling risks at an enterprise level there are many non-standard risks to be actively considered – technology risk, employee attrition risk, fraud risk etc. Developing models to assess the non-standard risks continues to be a challenge for the industry. The models that are used could be deterministic or stochastic (deterministic implies that the model is based on a set of specific assumptions about the future while stochastic means that the model allows for the random nature of some of the parameters). Another area which has thrown problems to modelers is assessing the combined impact of risks on multiple dimensions. For example, an event like 9-11 could impact market risks, underwriting risks and employee risks. Developing correlation between multiple impacts in such cases is a tough task. This calls for analysis of the “cross-risk” effect. Very often, if the variability of parameters is very high, the insurance company needs to see the aggregate effect of various scenarios. This would require “simulation based” ERM modeling.

For example, even if a deterministic model indicates that there is an excess of assets over liabilities, insolvency may have a non-negligible probability that may not be identified through deterministic modeling. A stochastic model is required for this purpose. There could be other worst case scenarios that may appear innocuous but may lead to severe financial difficulties. Making provisions for such “worst-case” scenarios all the time means ‘larger than necessary’ provisions, which are not always the most capital efficient options. A stochastic model is a better option in such cases.

The salient features of both deterministic and stochastic models (as discussed above) can also be combined effectively. In a given model, the variables whose performance is largely unknown with a large risk associated can be modeled stochastically while other variables that are simpler can be modeled deterministically. For example, while modeling variability of general insurance claims, there could be 3 ways of modeling:

1. Number of claims can be modeled stochastically with associated mean claim cost being deterministic

2. Deterministic expected number of claims with number of claims being stochastic

3. Both claim amount and number are stochastic
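The gap between a deterministic check and a stochastic one, worked through for the three claim-modelling variants listed above. This is an added example, not part of the original paper: the figures (100 expected claims, mean cost 10, assets of 1150), the Poisson and exponential distributions and all function names are assumptions chosen for illustration, and the second variant is taken here as a fixed number of claims with stochastic claim amounts.

```python
import math
import random

# Constructed figures for illustration; none of them come from the paper.
EXPECTED_CLAIMS = 100    # expected number of claims in the period
MEAN_CLAIM_COST = 10.0   # expected cost of a single claim
ASSETS = 1150.0          # assets available to meet claim liabilities


def deterministic_surplus():
    """Assets minus liabilities with every variable fixed at its expected value."""
    return ASSETS - EXPECTED_CLAIMS * MEAN_CLAIM_COST


def draw_claim_count(rng, mean):
    """Poisson-distributed claim count (assumed distribution), Knuth's method."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def aggregate_claims(rng, variant):
    """Total claim cost for one simulated period under the chosen variant."""
    if variant == "count":    # stochastic number, deterministic mean claim cost
        return draw_claim_count(rng, EXPECTED_CLAIMS) * MEAN_CLAIM_COST
    if variant == "amount":   # fixed number, stochastic amounts (assumed reading)
        number = EXPECTED_CLAIMS
    elif variant == "both":   # both number and amount are stochastic
        number = draw_claim_count(rng, EXPECTED_CLAIMS)
    else:
        raise ValueError(f"unknown variant: {variant!r}")
    # Exponential claim amounts are an assumption made for this example.
    return sum(rng.expovariate(1.0 / MEAN_CLAIM_COST) for _ in range(number))


def insolvency_probability(variant, trials=10000, seed=2018):
    """Share of simulated periods in which claims exceed the assets held."""
    rng = random.Random(seed)
    shortfalls = sum(aggregate_claims(rng, variant) > ASSETS for _ in range(trials))
    return shortfalls / trials


if __name__ == "__main__":
    print("deterministic surplus:", deterministic_surplus())
    for variant in ("count", "amount", "both"):
        print(variant, insolvency_probability(variant))
```

The deterministic surplus is positive in every variant, yet each simulation ends a noticeable share of periods with claims above assets, and that share is largest when both the number and the amount of claims vary.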

Pilot the model:

Any change to be successfully implemented needs the buy-in of the stakeholders. A very effective way of winning the confidence of stakeholders is to run with a pilot, prove the concept and then move in for the large scale implementation. The main advantages of adopting a ‘pilot’ based approach are:

• Implementation would not be a ‘big bang’. The organization gets to see the pilot live before committing in full.

• Allows refinement of the program. Mid-course correction of a full blown implementation is extremely difficult if not impossible, in the initial phases owing to the momentum of the exercise and the efforts needed to change course. Pilot would be easily amenable to such changes owing to the smaller size.

• Pilots make implementation ‘incremental’, which is always a more acceptable way from the people perspective. It allows enough time for people to come to terms with the change, before the big wave hits.

• Communication would be more effective with a pilot in motion, as it demonstrates to the stakeholders much more than documents and communication fliers can.

The choice of pilot, however, should be done very carefully to ensure that :

o The concept would be established

o Stakeholders would get a good feel of the initiative

o Results can be extrapolated to the organization

Monitor the experience:

The objective of the pilot is to have a ‘proof of concept’ before a full blown implementation is set in motion. Hence, the pilot would be followed with analysis of results, revision of approach and model if needed and creation of the roadmap. The evaluators would need to intelligently project the experience of the pilot to the complete implementation and see if alteration to the approach, model or any other aspect is needed. The pilot also serves the purpose of getting a ‘buy-in’ from different stakeholders.

Institutionalize ERM:

The last stage in implementation is the institutionalization of ERM. Institutionalization is the phase where the transition to the steady-state happens. It entails different steps to successfully integrate ERM philosophy with the culture and habit of the organization. The key elements of this phase are :

o Communication plan: Developing a full communication plan to ensure that the organizational layers are made aware of the program as well as its key drivers, features and benefits.

o Governance model: Refining the governance model to yield the required control and guidance for the program

o Systems & technology: The implementation may need changes to the existing systems and introduction of new technology tools

o Resourcing plan

o Risk measurements, metrics, reporting etc.: These aspects need to be documented and shared at the appropriate levels to facilitate free flow of information

Technology as an enabler – the “ADR model”

Technology is a key element in implementation as it calls for integration of information flowing in from different parts of the organization. This information needs to be analyzed, comprehended and communicated to key stakeholders. From a technology perspective the implementation could be sliced into three layers – data, calculation and reporting. This maps to the Assimilation, Diagnosis and Reporting layers of the ADR model.

Assimilation / Data challenges: The data needed for successful running of ERM is spread across a large pool of systems in a typical insurance company. Also there would be multiple sources for the same data. In short, an incredible amount of raw data is available from various sources. The challenge is in distilling out relevant data with the appropriate quality. There are very efficient tools available today for modeling, scrubbing, extracting, cleansing, tuning, integrating and transforming data.

Diagnosis / Calculations: The diagnostic phase involves using risk models to analyze the current status as well as to create futuristic scenarios. Most of these models involve complex formulae and processing of large volumes of data, which require technology support to run.


Fig 3: ADR model

Technology has made stochastic modeling feasible. It enables the use of Monte Carlo simulation techniques that involve numerous model runs to generate a single set of output distributions.

Reporting: In a typical ERM scenario, there would be a large number of reporting requirements, for monitoring & decision making. Flexibility for dynamic report creation is also essential. A robust reporting tool is a must to handle these challenges.

Comparison with COSO framework

What is COSO’s approach to ERM?

Committee of Sponsoring Organizations of the Treadway Commission, better known as COSO, developed an integrated framework for ERM. This framework defines eight components for ERM.

1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring

In the Executive Summary of Enterprise Risk Management – Integrated framework, the suggestion is to relate these eight components to the four objectives viz. strategic, operational, reporting and compliance. The third dimension of relationship is with the units of the business entity. The goal of the framework is to create a focused risk management approach for the entity by building on the three dimensions of components, objectives and units. The objective of this framework is to provide a basis for developing an effective ERM model for an organization.

Relevance of components to ERM implementation:

Internal Environment: The first component indicates the trigger point for the implementation thought process. Commencing with the risk approach or philosophy of the organization, this step defines the basic game plan for the implementation. Factors like risk appetite, ethics and values followed do constitute the foundation of the plan.

Objective setting: Having decided the ground rules, the next stage is to define the risk related objectives of the organization and linked strategic goals. These goals and objectives should flow down through the hierarchy of the organization for the implementation to be effective. Different organizations adopt different methods for the goals and objectives flow down, but the imperative is to ensure that these are effectively communicated down through the supervisors / managers.

Event identification: The third component focuses on identifying the internal and external events that could potentially affect the achievement of the strategic objectives and goals of the organization. The critical part is to identify multiple factors and the inter-linkage from an impact perspective.

Risk Assessment: The next logical step is to understand the impact of the identified events on the objectives. Assessment would require employment of multiple qualitative and quantitative methods as appropriate to the risk.

Risk Response: This component focuses on evaluating the potential responses and rating them against the scale of the risk tolerance. The effectiveness of the response in addressing the possible impact of the risk on the objectives and a cost-benefit analysis would be essential for selection of responses.

Control Activities: Institutionalizing risk responses is critical to the successful implementation of ERM. This component focuses on the laying out of policies and procedures that would facilitate and ensure that the defined responses are operational.

Information and Communication: Policies, procedures, roles and responsibilities should be articulated and communicated throughout the length and breadth of the organization to ensure that the envisaged risk response is achieved.

Monitoring: The continuing operational effectiveness of ERM is gauged by constant monitoring. It provides vital inputs for review and modification of other elements.


Mapping the proposed implementation framework to COSO elements:

The following diagram shows an indicative mapping of the proposed framework to the COSO components. This helps in benchmarking the framework against COSO methodology as well as to facilitate dove-tailing of this approach with the COSO methodology.

Fig 4: Mapping to COSO elements

The above mapping also confirms the view of the COSO framework that the elements are not necessarily sequential, but are multi-directional.

An impact perspective

The visible impact of the implementation is usually not uniform. During the kick-start and acceleration phases, the impact may be more visible and felt internally whereas it gains external visibility when the transformation to the steady state happens. The table shows some of the visible indicators which could be noticed during different phases of implementation of ERM.


Fig 5: Visible impact in different phases

Kick-start:
→ Compliance
→ Initiatives to create awareness of integrated risk approach
→ Safeguard shareholder value

Accelerate:
→ Risk driven decisions
→ Better utilization of capital
→ Improving shareholder value

Steady State:
→ Improved communications on risk
→ External communications on risk management
→ Improving governance

Monitoring the impact is a good way of sensing the health of the initiative. Any time the indicators are not in sync with the phase, it is an alert to the leaders. Though it may not always signify a problem, a review is definitely warranted.

CRO’s dashboard

In any initiative as huge as implementation of ERM, regular tracking of progress to anticipate issues and proactively adopt remedial measures is absolutely essential. There are five dimensions, the pulse of which needs to be monitored.

• People & roles

• Policies & communication

• Models & Methodologies

• Systems & Data

• Results & Rewards

The Program Manager for implementation or/and the CRO should be given regular updates on the activities, concerns, issues and remedial action taken on the above dimensions.

Conclusion

The value of having an integrated approach to risk being well established, it is only a question of time till we see the concept of ERM rolling out to the shopfloor from the boardroom discussions. ERM is a large change management initiative which needs to be handled carefully in a structured way. This paper is an attempt to create a methodology and framework which would help organizations taking up the ERM route to draw up an implementation plan.


References

1. “Adding Value Through Risk and Capital Management”, An ERM Update on Global Insurance Industry; Towers Perrin Tillinghast 2004 Benchmark Survey Report

2. Enterprise Risk Management – Integrated framework, Executive Summary, September 2004

3. An Approach to ERM in insurance – Preeti Chandrashekhar & S. R. Warrier - APRIA 2002

About the authors

S. R. Warrier and Preeti ChandraShekhar have long experience in insurance and risk management. Warrier & Preeti have published several papers in the area of Insurance and Risk Management. Preeti is an Associate Member of the Actuarial Society of India and Warrier is an Associate of the Chartered Insurance Institute, UK and a Fellow of the Institute of Risk Management, London. You could reach the authors at [email protected] / [email protected]

Disclaimer

The views expressed in this paper are those of the authors.

Copyright

This paper may be copied and shared for academic, research or training purposes. However, reproduction in whole or part requires express permission from authors.