PERSPECTIVE: Pitfalls to avoid when implementing enterprise risk management processes

INTRO: Establishing enterprise risk management processes for any entity involves common pitfalls including the failure to link risk management to strategy setting, discussed here by Jim DeLoach and Shawn Seasongood of consulting firm Protiviti Inc. Additionally, areas of focus for insurers in particular are included.

In many ways, enterprise risk management is an enigma. Ask 20 executives to define it, and you might get 20 different answers.

Companies often ask us to explain what ERM is and how it is implemented because they aren't sure. While defining ERM is a separate topic, of equal importance is taking a step back and reflecting on why ERM implementations fail.

Based on our experiences in observing and working with many companies over the years, we explore eight common reasons why ERM fails that apply to all industries, after which we provide a perspective on ERM in insurance companies.

Lack of executive management support: This is the most common reason for an ERM failure. The problem is no one who matters cares. Without support from the top, most efforts to implement ERM are unfocused, severely resource constrained, and pushed down so far into the organization that it is difficult to establish relevance.

Poor governance and “tone at the top”: Effective governance and tone at the top drive the transparency, openness and commitment to continuous improvement that are needed for risk management to function effectively over time. A leadership failure will almost always undermine even the strongest risk management capabilities.

For example, if management does not consider risk explicitly when evaluating whether to enter new markets, introduce new products, or consummate a complex acquisition or investment; does not involve the board with strategic issues and policy matters in a timely manner; ignores the warning signs posted by risk management; or resists bad news or reliable indicators that the corporate strategy is not working or is obsolete, it's game over.

Reckless risk taking: Every MBA program features case studies of companies relearning the time-honored lesson that, while competent people are an important aspect of managing risk, management's relying on them without limits, checks and balances, or independent monitoring and reporting is as ill-advised as not understanding the risks inherent in what they are doing.

It is interesting that companies, and even entire industries, keep relearning this fundamental lesson. If risk management responsibility is not adequately defined or linked to the reward system, or if the incentive compensation program rewards unbridled risk taking, or if there are “star performers” who are making a lot of money and no one understands how, executive management needs to take a look. The smartest people in the room can be dangerous if executive management and the board of directors don't understand what these people are doing and who oversees them.

Practicing ELM instead of ERM: When management experiences difficulty in translating a risk assessment into actionable steps that can be incorporated into a business plan, the organization often practices “enterprise list management” because nothing happens when a risk assessment is completed beyond sharing the most current list of risks.

Not integrating risk management with strategy-setting and performance management: If risk is just an afterthought to the formulation of strategy, strategic objectives may be unrealistic and risk management becomes an appendage to performance management. The consequences of this failure include a strategy the organization is unable to deliver, deteriorating competitive position, inability to adapt to a changing business environment and even loss of enterprise value that took years to build.

Potential indicators of this failure include poor alignment of risk responses with strategy and enterprise performance management, lack of connectivity of risk management to key management processes, and no efforts to anticipate risk scenarios that could derail execution of the strategy.

Accepting a lack of transparency in high-risk areas: Lack of information for decision-making leaves management with little insight as to what is really happening or is likely to happen. Transaction complexity and volatility can significantly impact an understanding of the full picture when making decisions. If this environment exists and management does not seek to correct the situation, that is a clear signal that risk management is set up to fail. Complexity in a business model that contributes to a lack of transparency is an ominous warning sign.

Ignoring the dysfunctionalities and “blind spots” of the organization's culture: An organization's culture can have a huge impact on its ability to prevent the occurrence of unacceptable risk events and to identify new and emerging risks in a changing business environment. More importantly, firms should pay attention to the root causes of missing the warning signs that something is either wrong or isn't working, signs that objective parties, with the benefit of 20-20 hindsight, see easily from a mile away. An open, transparent environment can only flourish when individuals can raise issues without fear of retribution to their compensation and careers.

Not involving the board in a timely manner: Last but certainly not least, if the board has not been involved in a timely manner on issues relating to risk appetite and the risks inherent in the corporate strategy and business plan, an essential check is missing and the last line of defense for reputation management is thwarted. Key indicators of this issue include: the board is engaged only in occasional, ad hoc treatment of risk and risk management; management informs the board after the fact when significant risks are undertaken; and the organization's risk profile is rarely, if ever, discussed at the board level.

An insurance perspective

Risks can arise from many sources in the insurance industry, including underwriting, sales distribution, investments, and policy and claims administration, to name a few. A comprehensive approach to ERM is instrumental in establishing the trust and integrity so essential to sustain the confidence of policyholders, carriers and other stakeholders in an insurance carrier and the broader insurance market. Below are three particular areas of focus for insurers:

Historical and forward-looking analysis: Most traditional insurance risk management processes do not include the forward-looking emphasis required to identify and assess previously unknown or hidden risks. Forward-looking models are required by Solvency II and the proposed NAIC ORSA Standards.

Don't just check the box—change your risk culture: One of the overriding findings coming out of some early industry ERM adopters is the tendency to view the initiative as a mere compliance exercise. Although these organizations may argue that they are managing their risks relatively well, their check-the-box approach misses out on the value an ERM initiative can contribute through a more risk-aware culture and improved risk management processes.

Increased transparency is coming: The level of risk-related information required by shareholders, regulators and rating agencies has been historically low. Insurers need to be prepared as shareholders, policyholders, regulators, rating agencies, key counterparties and other stakeholders demand more risk-related information to provide transparent disclosure of key risk issues and risk strategy.

Summary

The above eight common problem areas and three areas of focus for insurers can be used by executive management and the board as a context for checking the health and viability of their organization's approach to ERM. Over the longer term, any of these failures can inhibit attempts to elevate risk management to a strategic level, leaving it driven by fragmented silos and tactically focused on process, hazard and compliance risks that are far below the radar of the strategic risks that can make or break a company's success.

Establishing an ERM framework is an evolutionary process. Its development is more successful when implemented in stages by people who understand the corporate vision and purpose for ERM. Each stage should provide building blocks that move the organization closer to its ultimate end-state vision. While making a commitment to improve risk management capabilities and infrastructure is an investment for any organization, a strategic, phased implementation plan helps to ensure that the investment is successful in achieving implementation objectives over time.

James W. DeLoach is a managing director at consultant Protiviti Inc. in Houston and a member of the Protiviti Solutions Leadership Team. He can be reached at Jim.DeLoach@protiviti.com. Shawn Seasongood is a managing director in Protiviti's financial services industry practice in New York. He can be reached at shawn.seasongood@protiviti.com.