Current State of Enterprise Risk Management (ERM)
If you ask a Risk Manager about the current state of their ERM, you’ll receive a mixture of responses—from “I know it’s important, but don’t have the bandwidth to start the initiative,” to “ERM is defined so many ways that our organization is trying to determine what’s important to us,” to “I’ve started our ERM initiative, but it’s immature.”
It’s not surprising to hear these responses as you look at mixed global market indicators, terrorism events, cyber threats, weather events, and fluctuating oil prices. Each of these challenges is unique, constantly changing, and can impact any part of an organization or its employees. Executives recognize that the overall risk environment is increasingly more challenging.
Fifty-seven percent of executives believe that the volume and complexity of risks have changed “extensively” or “mostly” in the last five years. This holds true for organizations of all sizes and types.
Sixty-three percent of executives admit they were caught off guard by an operational surprise “somewhat” to “extensively” in the last five years. This percentage was even higher for large organizations and public companies.
Furthermore, understanding how each of these challenges impacts the business can be difficult because data is often siloed across the organization. While organizations may be collaborating on a given ERM initiative, each department is looking at its particular data, from a different viewpoint.
As a result, boards of directors and key organizational stakeholders are looking to their risk management team to collaborate with legal, marketing, operations, human resources, and others to pull all ERM initiatives into a central location. This seems logical because risk management functions are making recommendations on insurance tolerance for their organization based on data from the various departments, whether it is historical data or current data, and receiving insights from industry experts. The struggle risk management teams face is having the software to map out an ERM initiative and ensuring they have all the data necessary to determine the impact.
So how do you know if your Risk Management Information System (RMIS) can advance your ERM initiatives?
Here are three questions you should be asking yourself:
- Does my RMIS application have an ERM component? If not, can my RMIS application interface or bolt on with a standalone ERM application?
- Can my RMIS application grow as my ERM initiatives change?
- Does my RMIS application allow for collaboration?
If you don’t have a solid response to each of these questions, it’s time to find a RMIS that will address these needs. ERM has taken hold globally as senior leadership looks for risk oversight. In addition, pressures continue to mount to build proactive plans for potential risks, including regulatory oversight, corporate governance, and unanticipated risk events affecting organizations. Events like 9/11, Super Storm Sandy, and the UK’s vote to leave the EU leave organizations scrambling to anticipate what will happen to their risk exposures.
Your RMIS offers a solution for ERM. Now what?
Once you determine your RMIS application can assist with developing ERM initiatives, the first step is to verify you have all the necessary ERM data in your RMIS. This does not include just claim data, but people, locations, value of assets/property, and insurance policy coverages. It’s not as important to house all the data in one location as much as it is to have a RMIS that can retrieve and transmit data seamlessly with other systems.
The next step is identifying the risk and the upside of an event. An effective ERM initiative should include both the downside and upside. Unfortunately, most organizations will focus on the downside and fall short on identifying the upside.
Does every event have an impact on my organization?
This is where data collection and a RMIS can help a risk management team forecast the probability of impact on the organization. A risk analyst can enter information, for example, on supply chain interruption. By raising the question of whether a supply chain interruption is going to have a significant impact, they can identify which departments, locations, and people are impacted, and the possible ramifications for the brand. By diagraming the event, they can share with other departments and verify their assumptions. With claim data and insurance policy information, they may also demonstrate the financial impact to the organization.
Once identification of an event has been mapped out and collaboration has begun on the impact, an action plan can be established. The goal is to mitigate, transfer, or reduce risk for the organization. By developing an action plan, they can continue to partner with internal sources to mitigate or reduce risk. Externally, they may have opportunities to transfer risk to another party or through insurance.
Finally, the RMIS needs to be flexible to change as information changes. Organizations should continuously collaborate to stay on top of its risks. Ultimately, as a risk management team, the goal is to manage risk and minimize the impact to the organization. The only way to do that is through constant reporting as new events and threats emerge. It’s crucial for risk management to stay proactive and always seek to understand and continuously recalculate the potential impact various events and threats can have on the organization. It’s important to keep in mind that events can take a while to develop while others, such as a natural disaster, can be instant.
No matter the level of maturity of your risk management program, it’s important that those tasked with identifying the plan to reduce, mitigate, or transfer the risk have the necessary tools to implement ERM initiatives. Unfortunately, there is no way to 100% predict the probability of an event happening. But with the right RMIS to collaborate, collect siloed data, and interface with other data sources across your organization, you can more accurately identify evolving risk, anticipate what’s around the corner, and analyze the big-picture impact.
 Beasley, Mark, Bruce Branson, and Bonnie Hancock. “Report on the Current State of Enterprise Risk Oversight: Opportunities to Strengthen Integration with Strategy.” North Carolina State University, ERM Initiative, for American Institute of CPAs Business, Industry & Government Team. June 2014. Available at https://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa-erm-research-study-2014.pdf.