As RISKVIEWS meets with more and more insurers over time, it becomes increasingly obvious that they all have lots of Risk Management. Probably because they are the survivors. Perhaps there was much less Risk Management in the failed insurers.
So if they already have Risk Management, why do they need ERM?
There are four possible reasons:
- Discipline – the sports teams with the most discipline win most championships. The coach can count on the players to execute the same way every time. In Risk Management, Discipline means doing the risk acceptance and risk mitigation the same way every time. ERM expects that discipline, but ERM operates on a trust but verify approach. Perhaps leaning more on the verify than the trust. So when an Insurer adds ERM to its already pretty full Risk Management processes, it is opting for Risk Management that is totally reliable because it has discipline.
- Transparency – much of the existing Risk Management in an insurer is a fairly private affair. It is done by the folks who need to be doing it, but they rarely talk about it. When ERM comes along, it seems that the number of reports goes up. Some of those reports are of absolutely no help to the folks who are doing Risk Management. Those reports are to let everyone else know that the Risk Management is still going on and things in the Risk Management world are still working as expected. In one sense, Risk Management is all about making sure that some things rarely or never happen. This Transparency about the actions that result in nothing happening also provides the records that need to be kept for the defense of the Risk Manager.
- Alignment – most of the existing Risk Management grew up as the insurer grew up. That is a good thing because the Risk Management can be totally incorporated into all practices. But one of the main goals of Risk Management is to make sure that the risks that are insufficiently managed do not disrupt the plans of the company. The key element to that process is a Risk Tolerance. With ERM, the Risk Tolerances can be Aligned with the current plans, not with the plans and tolerances of the managers at the time that an activity was first started or last overhauled.
- Resiliency – system resilience is not a usual part of traditional Risk Management. Traditional Risk Management is most often about defending the status quo. Resilience is all about figuring out how best to adapt. Within ERM is a process called Emerging Risks Management. Emerging Risks Management is all about preparing for the risks that are definitely not yet banging on the door. They may be far down the road or around the bend. Emerging Risks Management is an exercise process that builds Resilience Muscles.
Those are the Ends. ERM is the means to get to those ends.