COSO & ISO 31000 & ERM for Insurers
Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM. What is most commonly seen is that COSO based ERM system has a few characteristics in common:
- They usually take at least a year to implement phase 1. By the end of that year, no actual improvements or changes to actual risk treatment activities take place. The most common product of that year’s efforts is a risk register.
- The risk register usually contains at least 100 risks. Many of these systems have closer to 200 risks identified.
- Top management is completely baffled about why they need to spend their time paying any attention to such activity. If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.
The COSO process seems to be totally a Loss Controlling approach to ERM. This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach. That is another way of saying that COSO does not fit well with insurance company management approaches.
ISO 31000 is new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years. The following post gives a discussion of the differences between the two.
ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach. It seems to seek to be in the Risk Steering camp. Which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.
Riskviews main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.
ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System. Sadly, this is not a joke. Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.
That is a major problem with detailed prescriptive systems like ISO 31000. While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.
In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and making the right moves so that exposures to those risks are of the size that they would choose. Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.
And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.