Expanded Horizons

There’s an old adage in the risk management circle that says, ‘Never waste a good crisis.’ In fact, the financial crisis emanating from events in 2008 proved to be a great catalyst for organizations to shine a spotlight on risk management.

For years, risk managers struggled to gain the ear of the C-suite. Many times, they had to overcome a perception within the organization that risk management is about putting “pins in balloons” and placing hurdles in front of the long-term goals and objectives of the organization. But things have changed.

Since the unwinding of the credit crisis, risk practitioners have recalibrated, re-thought and re-energized some of their approaches to the profession. And the executive and board level is listening. A shift has occurred: the focus of risk management has broadened, moving away from simply protecting an organization’s value through loss prevention and towards actually creating value. At its annual conference in May in Vancouver, British Columbia, the Risk and Insurance Management Society (RIMS) dubbed this shift as the emergence of Strategic Risk Management (SRM), the next step in the evolution of Enterprise Risk Management (ERM).

The expansion of the risk professional’s horizon isn’t just conceptual. The toolbox of risk managers has also evolved since the financial crisis, allowing them to delve deeper into their organization’s risk analysis. Technology now allows risk managers to conduct a more thorough risk analysis and gain deeper insights into their company’s risk portfolio using less money, effort and time. As a result, risk managers are now able to move beyond administrative duties that previously bogged them down and really develop a laser-like view into their risk profile. Consequently, when the time comes to meet with their executives or underwriters, they’re armed with a much stronger set of information to make their case and assist management in making informed decisions about the direction of the company.

Defining the new horizon

A definition of SRM and how it differs from ERM is tricky to pin down. Some say SRM is a part of a robust, mature ERM program. Others say it’s something that can be practiced separate and distinct from ERM. Generally speaking, SRM involves a risk manager taking a longer view of the risks facing an organization. In contrast, ERM focuses primarily on the immediate risks facing the operation of a company.

For example, a risk manager taking an ERM approach program might ask questions like: If an event were to occur tomorrow, how would this affect our organization’s ability to function, deliver its products or services to market? What would that mean for our reputation?’

A risk professional practicing SRM, on the other hand, might ask: What are the long-term objectives of the organization? What risks might challenge those objectives? What opportunities can the organization exploit to reach or surpass its goals?”Risk managers may feel they have made good strides towards implementing ERM and managing the downside of risk,” says Nowell Seaman, manager of risk management and insurance at the University of Saskatchewan. “But organizations still want to know how they can effectively deal with the opportunity side of risk. We know that taking an integrated approach to our risks has really helped on the operational and financial side, but organizations are still saying: ‘Look, we don’t feel we’re doing enough to use risk management to help us achieve our strategic objectives.”

Understanding an organization’s capacity to take risk is a very important element of identifying opportunities that are right for the organization, he continues. “Strategic risk management can help an organization effectively take risks and opportunities and I think that’s where there’s a lot of drive for SRM.”

Susan Meltzer, vice president of enterprise risk management at Aviva North America, agrees. “For today’s risk manager, the new skill set is to be more forward-looking in [assessing] the risks that could impact the organization,” she says. “For example, you don’t want to be the U.S. auto industry saying ‘Americans will never buy Japanese cars.'” There is more emphasis on the need to be a strategic thinker, to be able to connect the dots and to help the business understand the risks inherent in its strategic plan, Meltzer said.

Seaman illustrates the point using examples of strategic risks facing the University of Saskatchewan. “When I think of the strategic risks of the university, they would relate to where we intend to go as a medical doctoral research university. What are our long-term strategies? What are the areas of excellence we are pursuing? And what are the risks that could affect that strategy? ERM would be looking at everything from operational compliance, investment risks, human resources risks, recruitment and retention. But the more strategic [risks] would [relate to] broader, longer-term trends.”

Garry McDonell, Aon Global Risk Consulting’s national director, describes a “fundamental shift” he’s observed in the past few years. He said when he first started out as an ERM consultant, his clients used to ask him how they might prevent some of the losses they were experiencing. “That’s of little or no interest to the people we’re talking to today,” he said. “Now, it’s: ‘Tell me how you as an ERM consultant can help my organization earn more money.”

Carol Fox, RIMS’ strategic and enterprise risk practice director, says now you can use risk management to create value as well as to protect value. “When the risk practitioner is perceived within the organization as a business partner, risk is no longer just a barrier.”

Making this transition is not necessarily a matter of examining and analysing a new set of risk factors, Fox continues. Rather, it’s about becoming a part of – as opposed to taking over – the strategic planning process.

She tells the story of how at a previous job she approached the strategic planning department and asked for a seat at the table. “I told them, ‘I know you have a great process, but I think we can enhance it. Here are some of the methods and tools we can bring to the table. Would you mind if I joined your team to help you succeed in meeting your objectives?'”

It wasn’t a matter of storming the castle, but rather a way of becoming a part of the castle’s infrastructure, she says. Once inside the castle, risk managers can then describe what they are doing to executive management, and managers are able to see the value in it. This brings risk managers into the company’s strategic planning process.

“SRM is really distilling potential trends – not necessarily events – and also looking at the organization’s knowledge base around those trends and how certain it can be about what will occur,” she says. This is where the risk management function needs to work closely with the strategic planning team. A company’s strategic planning team is already looking at social changes, economic indicators and market indicators. “It’s a matter of taking those indicators they’re already looking at, and building a discipline around the potential implications. That allows the people actually executing the strategy to adapt to quickly changing conditions,” she says.

Wes Gill, SAS Institute (Canada) Inc.’s executive lead of enterprise risk management, describes an SRM package that allows people to visualize a “cascading from, ‘Here’s your vision, here’s your strategy, and here are your initiatives and processes around it,’ and peel it back to: ‘Here are the risks that could affect you.’ If a risk [materializes], it can cascade up to ‘Here’s what’s at risk’ and we can create dashboards for management for that.”

Ultimately, SRM is using risk to a company’s advantage, he says. “By having predictive capabilities, risk now becomes a tool. Risk is not just a compliance thing to look at the downside, but a tool that allows you to manage your business better and possibly take advantage of opportunities, as well as to mitigate losses.”

SRM and Data: Technological Tools of the Trade

SRM was not the only aspect of risk management to have evolved over the past few years. As the profession emerged from the financial crisis, a growing emphasis was placed on the accuracy, timeliness and completeness of data used in the models and methodologies.

“At the time of the financial crisis, a lot of companies were comfortable they had a risk management program in place,” says Gill. “And there was a lot of good risk management activity that had taken place in-house in firms. But I think many parties found the information they needed to get wasn’t always available in the timeframe they needed to get it.”

This led to a greater awareness and interest in analytics, says Angela Iannetta, Canadian national practice leader for Marsh Business Analytics. “The collection, storage and manipulation of data today have evolved. Technology is cheaper today and there is easy online accessibility and connectivity. There is more system integration and there is an increase in computer speeds.”

Craig Rowe, president and CEO of ClearRisk Inc., recalls his frustration when he was a risk manager for a municipality that didn’t have current, up-to-date technology. “Today, I can identify all of my risks, put them in a risk map and what it is I’m doing to address them all, all in one place,” he says. “I can do that so quickly and easily, it’s not funny. So when I go to talk to an underwriter or manager, I have a much better understanding or picture of our risk. It’s formalized and it’s organized. Not long ago, we weren’t able to do that.”

Typically, big powerhouse companies have robust analytical systems in place. But as technology evolves, it’s becoming much more accessible for the smaller and mid-market.

“Many are looking to put the foundations in place to enable analytics to be used,” Iannetta says. “And organizations collecting information are looking for new ways to use this information to better manage strategic operational, financial and hazard risks.”

Gill notes many organizations found they had disparate information systems across the company. These systems weren’t always integrated or reconciled. “Basically, organizations found out through the [financial] crisis that they needed to get better information, be it on the financial risk side, the credit risk side, the market risk side and even the operational risks. Someone had to pull all of that information together in a timely fashion so that they can get all of that information to the parties in charge of decision-making, so that they could make a decision in a short timeframe.”

Historically, technology has been a limiting factor when trying to run models in a timely fashion. Developments such as ‘in-memory’ computing have helped to overcome that barrier. The Financial Times describes in-memory computing as storing data in the main random access memory (RAM) of specialized servers instead of in complex relational databases running on relatively slow disk drives. “[Organizations] such as banks, retailers and utilities can [now] analyse huge volumes of data on the fly, detect patterns quickly and adjust their operations almost immediately,” the Financial Times reported.

Given this new development, Gill says, “we can take these massive models, which used to take literally days to run, put them in these new integrated software/hardware configurations, and we’re seeing those [analysis] times drop from days to hours – and in some cases minutes.”

Iannetta suggests less-sophisticated risk management programs, in which information is still stored in databases or Excel spreadsheets, also benefit from advances in computing speeds. “When you have these really large databases, which are thousands and thousands of lines of information, a lot of times it can be tedious to extract the information,” she says. “With programs like Excel or any SQL-type database platform, there shouldn’t be a hiccup because these tools are so readily available to organizations today.”

Rowe notes the emergence of cloud-based platforms has changed the mode of delivery of risk management systems, expanding accessibility for risk managers with reduced resources. “A cloud-based platform doesn’t have to be installed onto your mainframe and your servers and won’t cost hundreds of thousands of dollars,” he says. “Also, the pricing models are changing. There are no longer-term licences or one-time purchases. Now you’re getting SAAS (software as a service), so the construct has changed. It’s no longer an upfront capital cost. It becomes part of your operating budget and becomes very affordable.”

Rowe adds it’s a lot easier to make a pitch to the C-suite for something that’s going to cost between $15,000 and $20,000 a year, rather than saying, ‘I need half a million dollars.’

“And the levels of authority are different,” he adds. “You don’t need to go up so high to get that kind of authority’s approval to make those kinds of really big purchases.”

Striking a balance

One debate emerging out of the financial crisis was whether companies over-relied on models that had limits or blind spots, thus leading to major, undetected losses. Meltzer says models are better today, giving us faster answers with more reliable numbers. But properly modelled data is only one of three elements required in truly understanding a risk. “We have better computing power to better understand the frequency and severity of a possible event,” she says. “We have great computing power to understand a 1-in-25 year event, or a 1-in-300 year event in British Columbia. But I am still looking backwards, not forwards. I’m still using past data to make presumptions about the future.”

The challenge is to supplement the modelled historical data with some kind of educated analysis about how the historical patterns might project out into the future. “We have a catastrophe every year and they’re never the same, so the numbers don’t reflect that,” as Meltzer puts it. “[Strategic risk management] requires adding in and combining what you get from those numbers with that more forward look.”

Fox adds the tools need to support the information. They should not be the sole source of information given to the decision makers. “Data should be used to uncover trends,” Fox says. “Then you allow the decision makers to use that to either support their vision, or to re-think that gut feeling. Data can never give you the creative element necessary for innovation, which is necessary for growth. It can only help inform.”

From Iannetta’s perspective, a lack of understanding of the function, intended purpose and the limitations of the models led to misuse of them or a reliance on overly simplistic approaches. “Some organizations didn’t use robust models, or any models at all for that matter,” she says. “In many cases, more advanced, robust techniques were always available as an alternative, but they weren’t used. They took too much time to use, they needed an additional cash investment or there was a lack of knowledge of the benefits and limitations. I don’t necessarily think it’s the models to blame. It’s more the lack of understanding of what the robust models could add over the simple approaches. If you understand what they can do and how they’re supposed to be used, then it would reduce the fear of using them.”

Fox says education is a key priority before turning to any of the new technological tools available on the market today. “I could give you a whole list of new tools,” she says. “But the message we want to deliver to risk practitioners is that they need to explore all different types of risk assessment tools [and] to make this increasingly complex world understandable to management, so that managers can make good decisions. We want to make sure risk practitioners aren’t using data analytics just to use data analytics. Think about what it is you’re seeking and then go and find the right tool.”  

Measuring the Value of SRM

Measuring the success of a risk management plan and then conveying that value to management has always been a tricky area for risk managers. In the past, risk professionals struggled with how to illustrate the value of their programs. There was no way to show how much a claim didn’t cost the company, because their ERM program prevented it from happening in the first place. In the SRM space, the task is even trickier, experts say.

Historically, the profession relied on benchmarking as one of the primary tools used to gauge its risk management success. “Benchmarking is the one you most commonly see, but benchmarking is peer-to-peer,” says Gill. “This issue becomes [a question of whether] ‘we are no better or worse than the industry.’ But there are always reasons as to why a direct comparison [with the industry] may not be suitable. It could be a difference in product offerings, geographic areas in which the companies are operating, etc.”

One “big change” is a move away from historic measurements only. The basis for determining value might be benchmarking, value-at-risk analysis or capital measures based on current positions. But the idea is then to “move forward in terms of having a view as to what this looks like on a predictive basis, and understanding what the sensitivities to this are,” Gill says.A quantitative approach to SRM is still a fledgling notion in many industries – particularly outside of the financial industry or commodities-based industries, adds Seaman. “We have metrics to track how we are doing on our strategic risks and indicators we have developed, but they’re not tremendously sophisticated,” he says. “In our sector, we are looking to learn how some of the approaches taken in other sectors might help us.”

McDonell describes research Aon is currently undertaking on the subject. The Aon ERM team has been tracking roughly 200 companies over a five-to-seven-year timeframe. By surveying how mature each company’s ERM program is, using a scale of one-to-five, McDonell’s team will be able to compare each company to other companies within its industry class. But researchers are taking it one step further: they will also track the companies’ stock value, profits, revenue or margins  (depending on whether they are public or private companies) over the course of several years. This will help determine definitively, one way or another, whether or not the implementation of an ERM program (which frequently includes the practice of SRM) adds value to the organization.

“Within a short period of time, I’m hoping to be able to say: ‘Here’s what our clients found when they measured what was relevant to them – i.e. their key performance indicators and long-term objectives,'” McDonell says. “Supported by real data for the first time, we as consultants will be able to say with some certainty: ‘Here are the components of an ERM program that truly add value.’ By the same token, we will be able to say our research shows little correlation between these components and your KPIs. That should be of tremendous benefit to organizations wondering what all the ERM hype is about.”

In the meantime, Meltzer feels risk managers can show their true value by bring strategic thinking to management’s table. “You can’t look at the past and say, ‘This will happen again,'” she says. “You can’t look at the numbers and say, ‘This will happen again.’ You have to connect the dots.

“When I write down what my contributions have been, I will include that I have done risk reviews that confirm what management is doing. Or I will write that I have done risk reviews and made recommendations of things to do that are different from management’s direction. Or I might write that management has decided to not do something because after the risk review, it understood the risk differently.

“It’s not difficult to show that you’ve added value if you can show one of these three outcomes. Clearly, you have added value if you have been able to influence management’s decision on the direction of the company.”