
So who really needs ERM?

By John Hampton
Prioritized, focused plans are essential to successfully mitigate risks

At April's RIMS 2008 conference in San Diego, a considerable buzz existed around the topic of enterprise risk management. At the same time, the question persisted, "Who needs it?"

My answer is, at least four people within an organization: the chief executive officer, the chief financial officer, the internal auditor and the risk manager.

If ERM means listing the 2,000 to 3,000 or so risks that face an organization, no one really needs it. An undisciplined approach to identifying risk and integrating risk mitigation into a single program will bog down after much expenditure of time and money. On the other hand, a disciplined ERM structure is just what is needed by the CEO, CFO, auditor and risk manager, among others.

The disciplined structure has four components:

  • Hierarchy of categories: Risks are organized in clusters with five to nine subrisks from the C-suite on down.
  • Risk owners: Each category or subcategory is assigned to a risk owner.
  • Alignment with business model: The categories match operating units, staff functions and key initiatives.
  • Visual risk clusters: Risk relationships are presented visually using technology to explain mitigation efforts.

To illustrate, let us use a lightly disguised and somewhat simplified public utility. Central Power & Light is a regional power producer with three main subsidiaries: Central Fossil, which operates natural gas, coal and oil-fired electric generating units; Central Nuclear, which operates two nuclear generating stations; and Central Energy Trading, which buys and sells electric and gas commodities, trades in environmental credits, and is responsible for all planning and risks involved with long-term generation.

Figure 1 shows the top-level risks in its ERM program using (with permission) the Riskonnect Visual Risk Cluster Tool.

Figure 1. CP&L ERM program.

The company wants to develop a new nuclear power plant that has possible wetlands impact. The project is critical to the future of the company. The risk was assigned to the energy trading company. Although a critical risk, it is far down the hierarchical ERM structure:

  • Energy trading: First-level risk owner.
  • Business disruption: Changes in conditions that affect long-term capabilities to generate electricity.
  • Environment disruption: State or federal regulations that limit the use of coal or oil in peak generating periods.
  • Federal agencies: Conflicting federal agency environmental regulations or interpretations of existing regulations.
  • EPA: Relations with the Environmental Protection Agency.
  • Water, air and ground pollution: EPA regulations for cooling, water usage; discharge into the air, wetlands and porous surfaces; and related exposures.
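The disciplined structure above (clusters of five to nine subrisks, a risk owner per category, a path from the top level down to a single exposure) is easy to state and easy to get wrong in practice. The following Python is an added example, not code from the article or from the Riskonnect tool, that models the CP&L wetlands chain as a tree and checks the two rules the article gives: it resolves the accountable owner by walking up the hierarchy (assumption: a subrisk inherits its nearest ancestor's owner when none is assigned) and flags clusters whose subrisk count falls outside five to nine. Only the six-level wetlands chain is taken from the article; the owner names and the absence of sibling risks are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_SUBRISKS, MAX_SUBRISKS = 5, 9  # "five to nine subrisks" per cluster, per the article


@dataclass
class Risk:
    """One node in the hierarchy. owner=None means inherit from the nearest ancestor (assumption)."""
    name: str
    owner: Optional[str] = None
    children: list = field(default_factory=list)

    def add(self, child: "Risk") -> "Risk":
        self.children.append(child)
        return child


def find_path(node: Risk, target: str, trail=()) -> Optional[tuple]:
    """Depth-first search returning the chain of Risk nodes from `node` down to `target`."""
    trail = trail + (node,)
    if node.name == target:
        return trail
    for child in node.children:
        found = find_path(child, target, trail)
        if found:
            return found
    return None


def path_names(root: Risk, target: str) -> Optional[list]:
    """The path the CEO, CFO, auditor or risk manager would walk, as category names."""
    path = find_path(root, target)
    return [n.name for n in path] if path else None


def resolve_owner(root: Risk, target: str) -> Optional[str]:
    """Accountable owner for `target`: the deepest explicitly assigned owner on its path."""
    path = find_path(root, target)
    if path is None:
        return None
    owner = None
    for node in path:
        owner = node.owner or owner
    return owner


def cluster_violations(root: Risk) -> list:
    """(cluster name, subrisk count) for every non-leaf cluster outside the 5-9 discipline."""
    bad = []
    if root.children and not MIN_SUBRISKS <= len(root.children) <= MAX_SUBRISKS:
        bad.append((root.name, len(root.children)))
    for child in root.children:
        bad.extend(cluster_violations(child))
    return bad


def build_cpl_tree() -> Risk:
    """The wetlands chain from the article; owner name is constructed, siblings are omitted."""
    trading = Risk("Energy trading", owner="Central Energy Trading")  # first-level risk owner
    disruption = trading.add(Risk("Business disruption"))
    env = disruption.add(Risk("Environment disruption"))
    fed = env.add(Risk("Federal agencies"))
    epa = fed.add(Risk("EPA"))
    epa.add(Risk("Water, air and ground pollution"))
    return trading
```

Because the constructed tree carries only the single wetlands chain, every cluster has one subrisk and `cluster_violations` reports all five non-leaf clusters, which is exactly the signal a program would want before a risk list grows into the undisciplined 2,000 to 3,000 items the article warns against.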

The four individuals have different interests in the risk if the EPA were to deny permission to build the critically needed nuclear power facility:

The CEO and CFO seek transparency and accountability. The Sarbanes-Oxley Act requires the CEO and CFO of public companies to verify internal controls and reliability of financial statements. Rating agencies require risk programs to achieve favorable ratings on debt issues. The internal auditor is responsible for monitoring compliance with company policies and directives. The risk manager needs to present the wetlands exposure to insurers and others as part of risk management and the purchase of liability coverage.

All four individuals can go into the ERM structure and work down to ground pollution as shown in Figure 2.

Figure 2. Risks from the top to EPA.

The questions common to all parties are: What is being done to mitigate risk? What are the plans, the activities and the timetable?

Mitigation activities can be stored in the ERM knowledge warehouse and accessed directly. Over time, a complete history of risk activities and mitigation will be created, stored in one place and be accessible to authorized users. The user can open and read the documents.

The original question was who needs ERM. The answer is that an ERM program with hierarchical risks and risk owners, visual risk clusters and a high-tech platform can serve the needs of many users. The logic is inescapable. Companies need enterprise risk management. It just has to be done right.