Thinking Strategically

Financial market turmoil, natural disasters and frightening cyber attacks: recent events have raised the profile of and heightened the interest in risk management. Add in a thick layer of regulatory requirements, shareholder activism, corporate compliance needs and governance reform, and suddenly all eyes are on risk managers to demonstrate the value that they bring to their organizations.

Consequently, many corporate leaders are taking a proactive, strategic approach to risk management by increasing their expectations of what the function can – and should – provide to an organization. The key question becomes: How can risk managers contribute to a sustainable operation and help achieve business objectives?

Marsh and the Risk and Insurance Management Society (RIMS) asked precisely this question when they gathered the views of 1,322 risk managers and C-Suite executives in the ninth annual Excellence in Risk Management survey. Survey results show the risk manager’s job profile is changing – and not everyone is on the same page.

Nearly two-thirds of C-Suite respondents said they expected their risk managers to be more involved in their organization’s business strategic planning efforts. But most risk managers polled disagreed: they believed their priorities included integrating more deeply with operations and executing daily activities more efficiently.

The C-Suite is clearly telling the risk manager to grab hold of strategic risk management. Risk managers not seizing this opportunity should assess the resources they need to help meet senior management expectations.

With a disconnect as significant as this, how does an organization start on the path to a more strategic risk management approach? For those already heading that way, how can they continue to make progress?

MAKING PROGRESS

Bridging the gap 

Before the gap turns into a crevasse, it is critical for risk managers to find out what senior management expects from the function. Is the role primarily defensive? Or should it be more anticipatory? Do risk managers need to be well-versed in the inner workings of their organizations and industry? Or should they possess a strategic view of risk and their role in driving the organization’s success?

When asked to identify the two most important skill sets for a risk manager, the two groups were in lock step, agreeing that industry knowledge and a strategic view of risk were critically important. However, despite being ranked third by risk managers, “insurance knowledge” was not emphatically endorsed as a key competency by the C-Suite. In fact, 75% of C-Suite respondents did not say that insurance knowledge was a critical ability.

The message is loud and clear: senior management are looking to move beyond the stereotypical role of insurance purchasers and towards a more strategic role that will help to define success within an organization. Addressing this disparity will bode well for future success.

Risk committees

One way to advance strategic risk management is through broad-based (cross-functional) risk committees. By looking at existing and emerging risks through the wide lens of a risk committee, companies gain a deeper view of which risks are most likely to affect their success, and where they should be focusing their resources.

According to the Excellence survey, more than 60% of companies now have such a committee, reflecting a steep rise between 2010 and 2011. The number is likely to keep growing: more than 40% of those that don’t have one said their organization should create one.

Among the companies that had a risk committee, 90% of respondents said they are effective, with 35% saying they are “very effective.” According to one risk manager at a Fortune 500 technology firm, buy-in from top management was key: “People at a high level within the organization are committed to making it work. They take responsibility for the action items and are committed to doing the activities themselves – not delegating action items to junior people. They are personally involved.” 

Data and analytics

More than a third of respondents to the Marsh/RIMS survey said their firms’ risk committees could make better use of analytics – loss simulation, loss forecasting and risk tolerance – to become more effective. But simply providing more data is not the answer, especially since the challenge is to find relevant risk information in the first place.

A risk manager must understand his or her company’s goals, its industry and what senior management wishes to pursue in order to know what analytics to run and who should be involved in the interpretation. Data analysis is all about providing context and adding value. Almost half of C-Suite respondents said they expect risk managers to provide improved analysis relating to the strategic goals of the organization.

One statistic worth noting: more than half of C-Suite respondents said their organizations do not measure total cost of risk, yet 70% of risk managers surveyed said that they rely on Total Cost of Risk (TCOR).

Develop a value proposition

As purse strings are tightened, the risk management function is being compressed and marginalized, forcing risk managers to do a more effective job of demonstrating the strategic value that risk management brings to a company. For many, risk management is at a critical juncture.

To avoid marginalization, risk managers need to find new and improved ways of demonstrating the value of the contribution that they make to the organization, describing results in a way that is better understood and sought after by senior management. 

Looking Forward

Organizations are better served when risk managers engage in strategy planning and strategy execution efforts by developing a formal strategic risk management framework. Whether it is through the creation of broad-based risk committees, the effective and innovative use of risk data and analytics or the application of a deep knowledge of the industry and the business, the message is clear: risk managers can be a fundamental strategic asset to an organization. But to earn a place at the strategy table, risk managers must demonstrate how their efforts translate into dollars and cents for the organization.

A risk management approach aligned with short- and long-term business objectives is important to clients. Marsh, for example, has developed a “Marsh 3D” service philosophy – Define, Design, and Deliver. Taking a page out of the strategic risk manager’s playbook, the approach helps quantify an organization’s risk, design solutions that will drive value for the organization and enhance service by measuring results in terms of key performance indicators defined by the organization.

In the nine years that Marsh and RIMS have tracked the thoughts of risk managers and their colleagues, the fundamental theme has stayed the same: a valuable connection exists between strategic thinking and true excellence in risk management. Yet, each year, we continue to uncover discover gaps between the views of the C-suite and the risk manager about the strategic role of risk management.

Our message to risk managers? Bridge that gap. Be valuable and be strategic.