Risk Team Structures: Formal or Informal?
Getting the Risk Mgmt Job Done Under Any Model
Chris Mandel, Former President, RIMS 2003 Risk Manager of the Year
What Do Many Risk Managers Do?
• Buy Insurance
• Supervise Safety
• Handle Claims
• Administer Insurance Policies
• Report to Management on:
  • Losses
  • Insurance marketing results
  • Loss Prevention Programs
What Do Some Risk Managers Do?
• Identify hazard-related exposures
• Identify and negotiate insurance product solutions to finance related risks and move them to third-party insurers
• Hope to get the policies in less than 6 months
• Assess where prevention techniques are most useful and worthy of resourcing, and make the business case to management for funding
• Aggressively attempt to minimize the payment of loss dollars for claims and litigation, especially those self-insured, to minimize the cost of risk
• Report to management on premium and claim dollars saved, losses prevented and the total cost of risk against a typically industry-based benchmark
• Work with brokers and selected internal functions to achieve all of the above
What 2 Things Should Risk Managers Do?
• Be well versed in all key aspects of core company operations, key staff functions and business strategy that generate, or have the potential to generate, the most significant exposures to the firm.
• Apply a comprehensive and customized risk management model to all significant or material risks, whether operational, financial or business/strategic, and regardless of whether they are insurable or not.
The Risk Management Model
• Identify all significant or material risks to the enterprise
• Assess the magnitude of each risk to confirm materiality
• Measure each risk quantitatively or qualitatively to establish trackable metrics
• Develop and implement mitigation strategies for each risk that reduce risk values to acceptable levels, and ensure that each strategy is effective
• Monitor and report to relevant interested parties the information each needs to manage their aspect of the business
Risk Team Structures
“Risk Management structures are usually tailored to an individual company and reflect the nature, likelihood and magnitude of risk faced by the company.” *
To accomplish the risk mgmt mission, certain key functions must be performed. They can be achieved by both formal and informal team structures, by either dedicated or part-time, in-house or external resources. However, the key to successful risk management execution is to form, develop and align with your strategy the right internal and external partnerships with key risk stakeholders and risk owners.
Three Primary Approaches and the Relevant Criteria to Consider:
- Traditional
- Progressive
- Advanced
Traditional Approach
• Hazard focused
• Insurance solution oriented
• Limited perspective on the risks of the entity
• Heavily dependent on intermediaries
• Low to medium management priority
• No to low governance priority
• Executable with dedicated, part-time or outsourced resources
Pros and Cons
First, remember that each company’s needs drive the response to this question.
Pros:
• Narrow focus is easier to execute well
• Well understood sources of loss; readily available solutions to finance and transfer
• Much available talent to manage
Cons:
• Ignores what are likely to be the most significant risks to the firm
• Heavy dependence on third parties may jeopardize effectiveness
Progressive Approach
• Recognizes the need to look beyond insurable risks
• Recognizes process ownership
• Recognizes that process owners can’t be risk owners and that risk owner engagement is critical to successful risk management
• Higher management and governance priority attached to managing risk
• Less executable with heavy dependence on external sources of expertise
• Success depends on full-time, dedicated, internal expertise trusted by management and governance
• Recognizes the need for alignment with key risk stakeholders
Progressive Risk Management Model (diagram): Claim Function, Safety Function, Security Function, Benefit Function, Business Continuity Function
Pros and Cons
Pros:
• More likely to be prepared for uninsurable events
• More management and governance attention to risk issues
• Less dependency on third-party services
Cons:
• Usually in the developing stage, and often difficult to sell and gain permanent traction with management
• Difficult to find external sources of expertise that comprehensively understand the firm’s exposures and how they can best be managed
Advanced Approach
• “C suite” power base with other key functional leaders
• Full acceptance of the need for comprehensive, state-of-the-art and urgent risk management methods, tools and techniques
• Clear delineation between process and risk ownership
• Recognition of insurance as just one of many mitigation strategies
• Typically complete integration with strategic planning processes
Advanced Risk Management Model (diagram): Corp Ins Function, Safety Function, Security Function, Benefit Function, Business Continuity Function
Advanced Approach
Pros:
• Surfaces key risk issues quickly and effectively
• Evidences engagement by all key risk stakeholders and owners
• Minimizes the likelihood that risk values will exceed tolerances or that controls will be less than effective
Cons:
• Expensive to implement
• Expertise difficult to find and keep
• CRO as scapegoat for all that goes wrong
Relevant Criteria for Selecting Your Approach
Criteria:
• Company risk profile and tolerance for risk
• Company size and dispersion
• Operational and strategic complexity
• Company structure and management style
• Sources and likelihood of large or catastrophe losses
• Availability of reliable, accurate data
• Governance expectations for controls and reporting
• Management expectations for controls and reporting
• Sources and costs of expertise within or available to the firm
• Level of concern for control over sensitive information
Key Risk Stakeholders (diagram around the RM Framework): Risk Management, Internal Audit, Business Unit Risk Owners, Compliance, Planning, Process Engineering
Keys to Cross-Functional Effectiveness
• Clear understanding of how “risk” is defined
• Clear communication of risk management processes
• Clear articulation of risk stakeholder process roles, timelines and deliverables
• Regular and meaningful communication on key risk issues
• Processes for incenting and measuring accountability
• Getting the right information and data to the right people at the right time for the right reasons
Risk Management Best Practices
• Truly business-critical exposures are best identified and mitigated by the line.
• Risk aggregation is a key role for the risk management process owner.
• The ERM COE ensures proper tools for rigorous measurement and quantification of risks, and helps drive incentives to elevate risk mitigation.
• Embed risk management in existing processes.
• Take a more disciplined approach to risk communications.
• Risk reporting should be specific to the target audience.
Source: CFO Working Council
Best Practices (cont’d)
• Use standardized templates and key future market condition assumptions
• Key earnings drivers and mitigation strategies for low-probability, high-impact scenarios tested for resilience
• Process leverages cross-functional expertise
• Assign owners for each critical mitigation step
• Updated assessments of risks and opportunities are embedded in core reporting processes
• Require business unit and functional leaders to defend risk mitigation performance to the Board and CEO directly
• Balanced scorecards and incentive calculations used to evaluate and reward mitigation performance
Source: CFO Working Council
Why Risk Mgmt Initiatives Fail
• Lack of CEO and executive sponsorship
• Poor communication culture and/or a high-level control environment divorced from business objectives
• Unclear roles/responsibilities/organizational structures
• Poorly defined/inconsistent risk policy
• Undefined risk universe and no common language
• Poor/inconsistent operational risk identification process
Source: 2003 KPMG Operational Risk Study
Why Risk Mgmt Initiatives Fail (cont’d)
• No linkage of risks to the control framework
• Over-engineered risk measurement and evaluation
• Reporting templates that do not integrate with business requirements
• Unclear escalation channels
• Poor action-tracking and project management systems
• Poor education and communications programs
Source: 2003 KPMG Operational Risk Study