Home Breadcrumb caret News Breadcrumb caret Risk RISK MANAGEMENT STRATEGIES BEYOND Susan Meltzer, president of the Risk and Insurance Management Society (RIMS) for the 1999/2000 term, bridled in her opening comments in the panel discussion to a previous reference made by a seminar speaker at the RIMS’ “Operational Risk Management” conference recently held in Toronto. Meltzer’s objection was to a widely held belief in the corporate […] February 29, 2000 | Last updated on October 1, 2024 8 min read Susan Meltzer, president of the Risk and Insurance Management Society (RIMS) for the 1999/2000 term, bridled in her opening comments in the panel discussion to a previous reference made by a seminar speaker at the RIMS’ “Operational Risk Management” conference recently held in Toronto. Meltzer’s objection was to a widely held belief in the corporate and insurance communities that risk management is a new and ungrounded profession. In fact, she notes, “the first risk manager was appointed in 1963”. While Meltzer’s comment may appear on the surface to be a fairly minor observation, it struck to the heart of the panel debate, that being what exactly is the function and post of the risk manager in a corporate world of increasing global financial sophistication and highly diversified areas of business. The panel speakers all agreed that the role of the risk manager has to be defined by the nature of business and operational structure of the businesses they are employed by. However, the issues quickly targeted on were whether the risk manager versus the directors of a business were accountable for risks and if advantages can be gained by centralizing the risk function as opposed to assigning the task to operational units. Meltzer is a firm believer that risk management is a team-driven function requiring multiple skills which cannot be invested in a single person. As such, she stands against the idea of a “single corporate risk officer” responsible for an entire organization. “What is really needed is that the concept of risk has to have a higher level of exposure throughout the organization.” The crux of the issue, she observes, is that the directors and officers of a company have to understand and instill a sense of risk awareness in business strategies. Ultimately, she adds, it is the directors and officers who are responsible for operational risks incurred. This view was supported by Chris Mandel, director global risk management at Tricon Global Restaurants Inc. (owner of the KFC, Taco Bell and Pizza Hut fast-food chains), and John Ryan, vice president of commercial marketing at Liberty Mutual. “How realistic is it to think you’re going to find the best financial, insurance and risk manager in a single person,” Ryan points out. Although Ryan is skeptical of the single “chief risk officer” concept, he believes that the role of the risk manager or managers really depends on the nature and structure of the business in question. In addition to which, Mandel agrees with Meltzer that a company’s CEO or directors appointed to a specific portfolio will not willingly pass on the responsibility of managing operational risk, “which is really what the CEO function is”. Mandel adds, “and can any one person [risk manager] deal with all the issues [of operational risk]?” Overall, he believes a business should have a formal risk officer, but that the primary role of the individual in question should be to coordinate and orchestrate the implementation of risk strategies through to the operational business units. Kim Stephans, director of risk management at Encore Energy Solutions, took an opposing view. Stephans is a firm supporter of the “chief risk officer” concept, pointing out that the CEO and directors of a company lack the knowledge and skills of risk management to adequately take on the function. Furthermore, he notes, “I don’t believe that a CEO has the time to get into the groundwork of risk management to take the responsibility of a ‘chief risk officer'”. And, he continues, “yes, the board of directors ultimately have the responsibility for the business, but they don’t necessarily have the risk skills”. The most effective manner to manage risk is to have a professional empowered with responsibility as a chief risk officer to handle the risk portfolio, he states. “I believe the function should be handed down [by the board of directors] and reported directly back [by the chief risk officer].” A significant advantage to a single chief risk officer is centralization of the risk management function, Stephans says, the result providing a uniform approach to operational risk procedures. The other panel members agree that the process of risk management should be centralized, although the responsibility not necessarily vested with one individual. Meltzer points out, “if you push the function of risk management back into the business units, then you’re losing the opportunity to apply commonality, and without centralized mechanisms to identify risk solutions, you’re going to miss out on opportunities”. Audit approach to operational risk The prime objective of approaching risk management through an audit approach is to categorize and bring about accountability, says Pankaj Puri, senior vice president and chief auditor at TD Bank Financial Group. A speaker at the seminar, Puri outlined some of the benefits of addressing risk management through a formal process similar to an audit function. In 1998, the bank decided to tackle operational risk management through an audit risk model, he explains. “Have we had problems [with TD Banks’ decision to place risk management with its audit department], absolutely, it’s a learning experience,” Puri adds. However, Puri points out that the disciplined process of auditing applied to risk management has enabled the bank to focus on operational risk and apportion resources appropriately. Risk arising from operational failures can arise from financial and non-financial risks, with the latter typically being loss of reputation. In the bank’s context, the audit approach identified three areas of risk, that being credit, market and operational. In addressing risk management, the bank has sought to identify risk exposures rather than look at eliminating risk, he says. Identifying residual risk rather than inherent risk is what Puri believes is the real function of risk management. He points out that business expansion will typically enhance the risk profile. In such circumstances, expansion of the business is a positive development, assuming that the risk incurred can be properly managed. “It’s important to focus on the residual risk and not the inherent risk, that’s the point of the risk audit framework.” And, similar to the comments of the risk management panel, Puri believes that in implementing a risk audit process it is critical to establish a defined risk management vocabulary throughout operational management. This enables accountability and recognition of operational risk, he observes. Integrating risk planning into the business Addressing seminar delegates on approaches to implementing a risk management process, Mandel defines operational risk as being any aspect of operations that could cause mission or objective failure. In addressing a risk management process, he says success rests on two vital factors: good data and establishing alignment with operational management, “this is key for the risk manager to perform effectively”. As the Tricon group has evolved with international expansion, greater need has arisen to bring risk management into a centralized role, Mandel says. This has enabled the group to better focus resources and apply common practices. A typical example where a centralized operational risk management approach produced meaningful benefits arose from two separate outbreak incidences of a food bacterial virus at one of the chains. With the first outbreak, the source was identified to the produce of an outside supplier. Quality controls were introduced at the chain in question, but the process was not monitored by head-office. Not long afterward, a second outbreak occurred at the same chain, once again an outside supplier was found to be the culprit. However, at this point, the company had implemented a head-office risk management team who set out to work a solution with the business managers. The decision was to implement a company policy not to rely on outside suppliers of this particular produce. “This was a great example of working with both strategic and operational management in coming up with a solution.” Managing Internet risks Electronic connectivity of businesses is going to become a significant factor in risk management portfolios, predicts Ryan. He provided an overview of risk factors likely to arise from the Internet as well as electronic transacting as a tool of the risk manager. “The Internet enables and endangers at the same time,” Ryan states. In the first part of his address, Ryan focuses on the business risks opening up through the Internet. “The risks associated with e-commerce falling on the property side is something we’re all fairly comfortable with knowing. However, the liability side is less so — infringement on privacy, and protecting trademarks are going to become big issues…Other items such as personal injury and errors and omissions liability will be there. The point is, how many of these [Internet related exposures] are covered under general covers [commercial general liability covers (CGL)]. The answer is highly debatable, there is definitely going to be some coverage, but will it be enough?” Whether or not to address potential Internet exposures is not a debatable point, Ryan cautions. The dramatic advancement of Internet use and business-to-business e-commerce over a relatively short time frame has thrust risk managers into the game. He notes that, currently about 90% of total business-to-business electronic transactions are conducted through electronic data interchange (EDI). Research shows, however, that by 2003 more than 90% of such transactions will be done through the Internet. While the Internet will present risk managers with additional headaches in managing exposures, it will also open windows of opportunity, Ryan comments. He refers to a recent survey of risk managers and the use of the Internet, the figures clearly showing a marked rise in information and application usage. “Seven out of 10 risk managers in the survey say they use the Internet for doing their jobs. Information searching has the biggest use, with 45% of respondents currently exchanging data with their insurance carriers over the Internet.” In addition, the survey suggests that the number of risk managers expecting to conduct claims reviews through the Internet over the next two years will grow substantially (see charts). Already, the survey shows the number of risk managers using the Internet for claims related transacting has more than doubled to 28% of the total respondents compared with just a year ago, Ryan observes. “For risk managers the Internet is changing from an information tool to a business tool.” The responsibilities and technical skills of risk managers should vary depending on the operational structure and nature of business of the organizations they are employed with, was the general consensus of a panel discussion on the future role of risk managers which was recently hosted by the Risk and Insurance Management Society (RIMS) in Toronto. The panel speakers sought to identify the central function of the risk manager, with the subsequent debate and interaction with audience members clearly illustrating that there is no “right” or “wrong” approach in what has become a highly diversified profession. Save Stroke 1 Print Group 8 Share LI logo