Both the COSO and ISO risk management frameworks describe many excellent practices. However, in practice, insurers need to make two major changes from the typical COSO/ISO risk management process to achieve real ERM.
- RISK MEASUREMENT – Both COSO and ISO emphasize what RISKVIEWS calls the Risk Impressions approach to risk measurement. That means asking people what their impression is of the frequency and severity of each risk. Sometimes they get real fancy and also ask for an impression of Risk Velocity. RISKVIEWS sees two problems with this for insurers. First, impressions of risk are notoriously inaccurate. People are just not very good at making subjective judgments about risk. Second, the frequency/severity pair idea does not actually represent reality. The idea properly applies to very specific incidents, not to risks, which are broad classes of incidents. Each possible incident that makes up the class that we call a risk has a different frequency severity pair. There is no single pair that represents the class. Insurers risks are in one major way different from the risks of non-financial firms. Insurers almost always buy and sell the risks that make up 80% or more of their risk profile. That means that to make those transactions they should be making an estimate of the expected value of ALL of those frequency and severity pairs. No insurance company that expects to survive for more than a year would consider setting its prices based upon something as lacking in reality testing as a single frequency and severity pair. So an insurer should apply the same discipline to measuring its risks as it does to setting its prices. After all, risk is the business that it is in.
- HIERARCHICAL RISK FOCUS – Neither COSO nor ISO demand that the risk manager run to their board or senior management and proudly expect them to sit still while the risk manager expounds upon the 200 risks in their risk register. But a highly depressingly large number of COSO/ISO shops do exactly that. Then they wonder why they never get a second chance in front of top management and the board. However, neither COSO nor ISO provide strong enough guidance regarding the Hierarchical principal that is one of the key ideas of real ERM. COSO and ISO both start with a bottoms up process for identifying risks. That means that many people at various levels in the company get to make input into the risk identification process. This is the fundamental way that COSO/ISO risk management ends up with risk registers of 200 risks. COSO and ISO do not, however, offer much if any guidance regarding how to make that into something that can be used by top management and the board. In RISKVIEWS experience, the 200 item list needs to be sorted into no more than 25 broad categories. Then those categories need to be considered the Risks of the firm and the list of 200 items considered the Riskettes. Top management should have a say in the development of that list. It should be their chooses of names for the 25 Risks. The 25 Risks then need to be divided into three groups. The top 5 to 7 Risks are the first rank risks that are the focus of discussions with the Board. Those should be the Risks that are most likely to cause a financial or other major disruption to the firm. Besides focusing on those first rank risks, the board should make sure that management is attending to all of the 25 risks. The remaining 18 to 20 Risks then can be divided into two ranks. The Top management should then focus on the first and second rank risks. And they should make sure that the risk owners are attending to the third rank risks. Top management, usually through a risk committee, needs to regularly look at these risk assignments and promote and demote risks as the company’s exposure and the risk environment changes. Now, if you are a risk manager who has recently spent a year or more constructing the list of the 200 Riskettes, you are doubtless wondering what use would be made of all that hard work. Under the Hierarchical principle of ERM, the process described above is repeated down the org chart. The risk committee will appoint a risk owner for each of the 25 Risks and that risk owner will work with their list of Riskettes. If their Riskette list is longer than 10, they might want to create a priority structure, ranking the risks as is done for the board and top management. But if the initial risk register was done properly, then the Riskettes will be separate because there is something about them that requires something different in their monitoring or their risk treatment. So the risk register and Riskettes will be an valuable and actionable way to organize their responsibilities as risk owner. Even if it is never again shown to the Top management and the board.
These two ideas do not contradict the main thrust of COSO and ISO but they do represent a major adjustment in approach for insurance company risk managers who have been going to COSO or ISO for guidance. It would be best if those risk managers knew in advance about these two differences from the COSO/ISO approach that is applied in non-financial firms.