Regulators are getting tough on risk, demanding more accountability from company officers and boards of directors to identify and manage the myriad exposures challenging the bottom line. To provide a firmer handle on corporate risk, enterprise risk management is shaping up as the answer. This systematic, comprehensive method for identifying, assessing, quantifying and managing the full spectrum of corporate risk is expected to burgeon in the next few years, as its benefits become more clearly understood.
By creating a single framework to examine all corporate exposures, including market risks, financial risks and operational risks, companies gain a greater appreciation of aggregate corporate risk.
The objective of enterprise risk management is threefold:
* to provide senior management and the board with high-level knowledge of all of the company's associated risks and the systems in place to manage those risks;
* to ensure appropriate reporting of risks up the organizational chain of command; and
* to reduce overall losses.
These goals address squarely what regulators are demanding. The Securities and Exchange Commission, the U.S. Federal Reserve, the American Institute of Certified Public Accountants and various corporate advisory bodies both here and abroad want more accountability from corporate directors and officers in terms of identifying risks and developing systems for managing them.
Corporate exposures run the gamut, from customary property and casualty exposures to credit, asset and finance risks, such as interest rate fluctuations or foreign currency exchange translation. There are reputational risks, cyber exposures, human-resource risks and business-interruption threats. Instead of different corporate departments managing different kinds of risks--with insurance risk management overseeing property/casualty exposures, treasury riding herd on financial risks and internal audit dealing with operational/strategic risks--enterprise risk management calls for a single, unified system of assessing the entire risk landscape. Some companies are beginning to tear down their former silo approach to different risks for a more holistic system guided by enterprise risk management.
But enterprise risk management is not a product, it is a process--one in which companies partner with their brokers and insurance carriers to identify, assess and quantify risks. Our goal as risk advisers should be to work with clients as they seek greater understanding of their risks through the enterprise risk-management process. The key is to bring to bear all the right resources to address clients' real needs. Just as clients are tearing down silos charged with different risk-management responsibilities, insurance brokers and carriers must assemble the right teams of people to service clients' enterprise risk-management strategies.
Only after all risks are identified, analyzed and quantified can a company determine its risk retention/transfer strategy. Integrating risks into a basket of risk for transfer to one or several risk bearers may be the most opportune strategy. Since it is unlikely that all risks will produce losses in the same calendar year, blending them into a basket of risk, just like a basket of different equities, theoretically narrows the potential for loss. Then again, traditional insurance may be the best way to fill this niche. So might financial instruments for transferring foreign exchange or currency risks or trading systems for shedding or sharing market risks.
Traditional risk-transfer methods will not disappear, and for many companies without the internal resources to muster an enterprise risk strategy, such stalwart systems will continue to offer effective financial recourse. It takes roughly two years to perform a soup-to-nuts enterprise risk analysis--time and resources that few small companies can spare. Nevertheless, this time frame is expected to narrow as risk assessment and quantification technologies improve and brokers and carriers become more adept at utilizing them.
Meanwhile, as risk managers team up with the corresponding insurance managers throughout their organizations to effect enterprise risk management and as regulations increase on public companies to identify capital risks and develop systems to manage them, the insurance industry must evolve to provide enterprisewide services. Enterprise risk is a natural evolution for traditional risk bearers like the insurance industry.
There are many rewards for undertaking and completing this journey, but only if we address enterprise risk management as a process and not a product. That's the enterprising solution.
Douglas H. May, a Best's Review columnist, is president and chief operating officer of CNA Risk Management, Chicago.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||assessing risk|
|Author:||May, Douglas H.|
|Article Type:||Brief Article|
|Date:||Sep 1, 2000|
|Previous Article:||Internet Start-Ups May Be Vulnerable to EPL.|
|Next Article:||Anatomy of a Failure.|