INARM

The International Network of Actuarial Risk Managers

N Deadly Sins of Enterprise Risk Management

A 2008 White Paper, published by CFO Magazine and written by Frank Edelblut, outlined the 7 Deadly Sins of ERM – Lack of a Clear Vision, Building Unnecessary Organization, Function and Process, Lack of Support from Leaders, Bottom-up Approach, Risk Confusion, Overly Complex Risk Assessment and Making ERM the Endgame. Most if not all of these sins sadly still take place within the enterprise; a whole year has passed since the publication and their number is not decreasing, if anything the opposite.

In true actuarial fashion we extended the upper limit on the sins to N and relied on the wisdom of the crowds, in particular on the INARM listserv and the LinkedIn Group. What followed is presented below.

ERM needs no introduction, although perhaps we flatter ourselves. While the abovementioned white paper credits the beginning of ERM to the Committee of Sponsoring Organizations (COSO) – Enterprise Risk Management – Integrated Framework, brought forward in 2004, or perhaps even further back to the 1970s, people are still unaware of the necessity of its implementation. Moreover, and sadly at that, the exposure of actuaries as the prime candidates for the role leaves something to be desired. Just ask anyone in Europe what a CERA (Chartered Enterprise Risk Analyst) is!

Luckily, the Society of Actuaries (SOA) in the States, along with a slew of other bodies, is doing an excellent job at promoting CERA and the brand of actuaries as the best people for the job of a risk manager. There is even talk of 16 actuarial bodies working on an agreement in principle regarding worldwide recognition of the designation, but again, it is too soon to tell.

Yes, companies out there are implementing ERM, not as many as we would like to see, but it is a great start. However, merely starting to think about it and staffing the risk management team is not enough. ERM is a mindset and should be prevalent in the whole institution. Below are some of the things you should not do in your quest for ERM nirvana:

Communication Breakdown

  • CEO thinks that risk management is the CRO’s job;
  • Not listening to your CRO – having him too low down the management chain;
  • Hiring a CEO who “doesn’t want to hear bad news”;
  • Not linking the Board tolerance for risk to the risk management practices of the company;
  • Having the CRO report to the CFO instead of to the CEO or Board, i.e., not having a system of checks and balances in place regarding risk practices;
  • The board not leading the risk management charge;
  • Not communicating the risk management goals;
  • Not driving the risk management culture down to the lower levels of the organization;

Ignorance is not Bliss

  • Not doing your own risk evaluations;
  • Not expecting the unexpected;
  • Overreacting to risks that turn out to be harmless;
  • Don’t shun the risk you understand, only to jump into a risk you don’t understand;
  • Failure to pay attention to actual risk exposure in the context of risk appetite;
  • Uncritically using an outsider’s view of how much capital the firm should hold;

Cocksureness

  • Believing your risk model;
  • The opinion held by the majority is not always the right one;
  • There can be several logical, but contradictory explanations for one sequence of events, and logical doesn’t mean true;
  • We do not have perfect information about the future, or even the past and present;
  • Don’t use old normal assumptions to model in the new normal;
  • Arrogance of quantifying the unquantifiable;
  • Not believing your risk model – waiting until you have enough evidence to prove the risk is real;

Not Seeing the Big Picture

  • Making major changes without heavy involvement of Risk Management;
  • Conflict of interest: not separating risk taking and risk management;
  • Disconnection of strategy and risk management: Allocating capital blindly without understanding the risk-adjusted value creation;
  • One of the biggest mistakes has to be thinking that you can understand the risks of an enterprise just by looking at the components of risk and “adding them up” – the complex interactions between factors are what lead to real enterprise risk;
  • Looking at risk using one single measure;
  • Measuring and reporting risks is the same as managing risks;
  • Risk can always be measured;

Fixation on Structure

  • Thinking that ERM is about meetings and org charts and capital models and reports;
  • Think and don’t check boxes;
  • Forgetting that we are here to protect the organization against risks;
  • Don’t let an ERM process become a tick-box exercise;
  • Not taking a whole company view of risk management;

Nearsightedness

  • Failing to seize historic opportunities for reform, post crisis;
  • Failure to optimize the corporate risk-return profile by turning risk into opportunity where appropriate;
  • Don’t be a stop sign. Understand the risks AND REWARDS of a proposal before venturing an opinion;
  • Talking about ERM but never executing on anything;
  • Waiting until ratings agencies or regulatory requirements demand better ERM practices before doing anything;
  • There is no obstacle so difficult that, with sufficient thought, it cannot be turned into an opportunity;
  • There is no opportunity so assured that, with insufficient thought, it cannot be turned into a disaster;
  • Do not confuse trauma with learning;
  • Using a consistent discipline to search for opportunities where you are paid to accept risk in the context of the entire entity will move you toward an optimized position. Just as important is using that discipline to avoid “opportunities” where this is not the case.
    • undertake positive NPV projects
    • risk comes along with these projects and should be priced in the NPV equation
    • the price of risk is the lesser of the external cost of disposal (e.g., hedging) or the cost of retention “in the context of the entire entity”;
    • also hidden in these words is the need to look at the marginal impact on the entity of accepting the risk. Am I better off after this decision than I was before? A silo NPV may not give the same answer for all firms/individuals;
  • What is important is the optimization journey, understanding it as a goal we will never achieve;
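The pricing rule in the bullet above (risk priced into the NPV at the lesser of the external disposal cost and the retention cost, judged by marginal impact on the whole entity rather than in a silo) can be made concrete with a small calculation. The following Python is an added illustration, not code from the INARM post or any of its contributors. Every figure in it is constructed: the cash flows, the discount rate, and in particular the simplifying assumptions that risk is summarised by a standard deviation, that capital is held as a fixed multiple of that deviation, and that retention costs the annual charge on that capital.

```python
import math

# Constructed figures for the illustration (not from the article): a project
# costing 100 that returns 40 a year for three years, discounted at 8%.
PROJECT_CASH_FLOWS = [-100.0, 40.0, 40.0, 40.0]
DISCOUNT_RATE = 0.08

# Simplifying risk assumptions (constructed): risk is summarised by a standard
# deviation of outcome, the capital held against it is a fixed multiple of that
# deviation, and retaining the risk costs the annual charge on that capital.
# Disposing of the risk externally (hedging) has a quoted price.
PROJECT_SIGMA = 20.0       # standalone risk of the project
ENTITY_SIGMA = 100.0       # risk of the existing book before the project
CAPITAL_MULTIPLE = 2.5     # capital held per unit of standard deviation
COST_OF_CAPITAL = 0.10     # annual cost of holding that capital
HEDGE_COST = 6.0           # external cost of disposing of the risk


def npv(cash_flows, rate):
    """Plain NPV: the t=0 flow is undiscounted, later flows discount annually."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def marginal_sigma(entity_sigma, project_sigma, correlation):
    """Increase in the entity's standard deviation from adding the project.

    Combined variance of two correlated positions; the difference from the
    existing sigma is the project's marginal contribution. It equals the
    standalone sigma only at correlation 1, is smaller for lower correlation
    (diversification), and is negative when the project acts as a hedge.
    """
    combined = math.sqrt(
        entity_sigma ** 2 + project_sigma ** 2
        + 2.0 * correlation * entity_sigma * project_sigma
    )
    return combined - entity_sigma


def retention_cost(sigma):
    """Cost of keeping the risk on the books: capital against it times its charge."""
    return sigma * CAPITAL_MULTIPLE * COST_OF_CAPITAL


def price_of_risk(sigma, hedge_cost):
    """The bullet's rule: the lesser of external disposal cost and retention cost."""
    return min(hedge_cost, retention_cost(sigma))


def evaluate_project(correlation):
    """Risk-adjusted NPV two ways: silo (standalone sigma) and entity (marginal sigma)."""
    base = npv(PROJECT_CASH_FLOWS, DISCOUNT_RATE)
    silo_price = price_of_risk(PROJECT_SIGMA, HEDGE_COST)
    entity_price = price_of_risk(
        marginal_sigma(ENTITY_SIGMA, PROJECT_SIGMA, correlation), HEDGE_COST
    )
    return {
        "npv_before_risk": base,
        "silo_adjusted_npv": base - silo_price,
        "entity_adjusted_npv": base - entity_price,
    }


if __name__ == "__main__":
    # The same project is rejected in a silo view but accepted once its
    # marginal effect on the whole entity is priced, unless correlation is 1.
    for rho in (1.0, 0.0, -0.2):
        result = evaluate_project(rho)
        print(f"correlation {rho:+.1f}: silo {result['silo_adjusted_npv']:+.2f}, "
              f"entity {result['entity_adjusted_npv']:+.2f}")
```

With these constructed inputs the project's NPV before risk is about 3.08; the silo view charges the full standalone retention cost of 5 and rejects it, while the entity view charges only the marginal increase in capital and accepts it whenever the correlation with the existing book is below 1. That is the "silo NPV may not give the same answer for all firms" point in numbers: two firms with different books price the same risk differently.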

More Skin in the Game

  • Misaligning the incentives;
  • Most people will act based on their financial incentives, and that certainly happened (and continues to happen) over the past couple of years. Perhaps we could include one saying that no one is peer reviewing financial incentives to make sure they don’t increase risk elsewhere in the system;
  • Not tying risk management practices to compensation;
  • Not aligning risk management goals with compensation;

Actuary’s Got Talent

Why would one not insist on risk management qualification (an actuarial qualification, if I may add) for the position of Chief Risk Officer? Would you employ an unqualified individual for the position of a CFO? Why must the actuarial qualification requirement stop at the C level? Do not use your risk management team to save costs – your stakeholders will thank you for this later.

The actuarial societies around the world are making a fine effort in promoting the brand of actuaries for the non-traditional positions. It is insurance, reinsurance and pensions that the actuaries do best, if you ask anyone. With the increasingly complex and evolving business environment, organizations are seeking enterprise risk management professionals to join their teams and actuaries are ideal for this job.

Have more suggestions? Please comment and we will add them to this list.