Out of Sight can lead to Out of Mind

Once you have outsourced a process, there is a tendency to forget about it. 

Outsourcing has become possibly the most popular management practice of the past 15 years.  Companies large and small have outsourced many of the non-essential elements of their business.

Many property and casualty (non-life, general) insurers have, for example, outsourced their investment processes.

Over time, if the insurer had any expertise regarding investments, that expertise withered away.  It is quite common that there is only one or two people at a P&C insurer who actually pay any attention to the investments of the firm.

But when Out of Sight becomes Out of Mind, outsourcing becomes dangerous.

Boeing had an outsourcing problem in 2012 and 2013 that resulted in the grounding of their latest jetliner.  Batteries produced by a third party were catching fire.  The ultimate cause of the problem was never identified, but it happened at the point of connection between an outsourced product and the jetliner systems manufactured by Boeing.

There are many possible causes of outsourcing problems.  RISKVIEWS believes that primary among them is the reluctance to recognize that outsourcing will require a higher spend for risk management of the outsourced process.

More on Outsourcing Risk at http://blog.willis.com/2015/02/emerging-erm-risk-of-2015-outsourcing/

The CRO is making a list and checking it twice

“You never said that you wanted me to do that”  is an answer that managers often get when they point out a shortfall in performance.  And in many cases it is actually true.  As a rule, some of us tend to avoid too much writing things down.  And that is also true when it comes to risk management

That is where ERM policies come in.  The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.

But too many people mistake a detailed procedure manual for a policy statement.  Often a policy statement can be just a page or two.

For Risk Management there are several places where firms tend to “write it down”:

• ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management.  This policy is usually approved by the board.  The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
• ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM.  When an ERM program is new, this document many list many new things that are being done.  Once a program is well established, it will need no more or no less documentation than other company activities.  RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
• Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
• Separate Risk Policies for major risk categories – almost all insurers have an investment policy.  Most insurers should consider writing policies for insurance risk.  Some firms decide to write operational risk policies as well.  Very few have strategic risk policies.
• Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
• Charter for Risk Committees – Some firms have three or more risk committees.  On is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities.  It is common at some firms for board committees to have charters.  Less so for committees of company employees.  These can be included in the ERM Framework, rather than as separate documents.
• Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities before hand.

With written policies in place, the board can hold management accountable.  The CEO can hold the CRO responsible and the CRO is able to expect that may hands around the company are all sharing the risk management responsibilities.

More on ERM Policies on WillisWire.

http://blog.willis.com/2015/01/erm-in-practice-risk-policies-and-standards/

http://blog.willis.com/2014/02/erm-practices-policies-and-standards/