The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.
This is the Hierarchy Principle as it applies to ERM. It is one of the two or three most important principles of ERM. Why then, might you ask, haven’t we ever heard about it before, even from RISKVIEWS.
But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.
You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.
- Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
- Jerome Kerviel at Soc Gen was doing the same.
- The London Whale at JP Morgan is also said to have done that.
On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board. Many people suggest that the CRO should have stopped that. But RISKVIEWS believes that the Hierarchy Principle was satisfied.
ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions. If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.
ERM does not prevent mistakes or bad judgment.
What ERM does that is new is that
- it works to systematically determine the significance of all risk decisions,
- it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
- it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
- it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.
ERM does not manage the firm. ERM helps management to manage the risks of the firm mainly by providing information about the risks.
So why have we not heard about this Hierarchy Principle before?
For many years, ERM have been fighting to get any traction, to have a voice. The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers. A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.
ERM now receives a major push from regulators, to a large extent from the ORSA. In writing, the regulators do not require that ERM elevate all risk decisions. But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.
Just one more way that the regulatory support for ERM will speed its demise. If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.