The Changing Face of Risk Management

Printer version  PDF

Risk has always been with us; but today, it comes in shapes and sizes the risk management practitioners of just 15 years ago would hardly recognize. Back then, risk managers focused on physical assets (protecting property from damage, for example) and common liabilities (customers slipping and falling in the lobby, products causing injuries, and so on). Today’s risk managers are more likely to lie awake wondering what would happen if the overnight package containing 40,000 credit cards were to disappear or how the now-implicit threat of terrorism is affecting their operations and business decisions. On top of these issues, there’s new pressure from investors, rating agencies, securities analysts, and regulators — the diverse groups outside the organization that monitor its performance from day to day.

The new and far broader portfolio of risks is fraught with opportunity — the opportunity to take on these new issues proactively; to help management and the board devise solutions; and, in so doing, to get the company’s leadership to adopt a new way of thinking about risk.

To find out how risk managers are responding to this new world of risk and where they see themselves going in the future, Marsh and the Risk and Insurance Management Society (RIMS) jointly crafted and sponsored a quantitative survey of RIMS members to determine the current state of risk management. Greenwich Associates, a premier strategic-consulting and research firm for providers and users of financial services worldwide, conducted the survey.

The risk environment continues to evolve. New categories have materialized in the past decade, many of them more difficult to quantify than ''traditional'' property and casualty risks, both in terms of their frequency and their severity. And yet, the ''old'' risks have not gone away. Consequently, the demands on risk management have expanded as the world has become more complex, more interdependent, and more risky. Over time, the role and impact of the risk manager has expanded in some organizations to fill this increased demand.

Today, risk management must deal with the known risks as well as the unknown and the unknowable. Yet the degree to which individual risk managers deal with these risks depends on the level of risk management at which they operate.

The ''Excellence in Risk Management III'' survey results indicate that risk practitioners fall into three categories: traditional, progressive, and strategic. This may be a function of the risk practitioner’s skill set, the organization’s risk management supply and demand, or a combination of these and other factors.

The survey of nearly 900 risk management professionals clearly shows the functions and best practices at each of these three levels:

• Traditional risk management involves many long-established, routine functions. These include identifying risk, using various risk-control measures to eliminate or mitigate loss, analyzing claims and claims trends, and handling the details of insurance and other risk-transfer methods.
  
  
• Progressive risk management encompasses all of the concerns of traditional risk management, but adds alternative risk financing (such as self-insurance, captives, and risk-capital products), business-continuity planning, measurement of the total cost of risk (TCOR), and education of and communication with the rest of the organization about risk and its management.
  
  
• Strategic risk management goes further still, incorporating all the areas that fall in both traditional and progressive risk management, but adding the C-suite view of the totality of risk. The practitioner of strategic risk management views risk as something to optimize, not just to mitigate or avoid, and takes an enterprise-wide view of risk. Risk is indexed against the organization itself, year-over-year, and against competitors. Risk management information systems (RMIS) and other technologies play a large role in managing risk.
  
  

At every level, the risk management practitioner adds value to the organization, but there is an evolutionary process. Like Maslow’s hierarchy of needs — which suggests that humans fulfill basic needs first, then build toward self-actualization — the core competencies of traditional risk management form the basis and support the ability to move into progressive and strategic risk management areas.

The growing and changing risk environment faced by virtually all companies suggests that the demand for risk solutions continues to grow. Someone must step into this role and assume responsibility for filling the growing gap in the risk management supply/demand curve. At some companies, the risk manager could become that person — one of a small group of corporate officers known to possess a 360-degree view of how the firm operates and what challenges it faces. However, the majority of risk managers in the survey expressed a level of discomfort with certain nontraditional risks, including:

• brand risk;
  
  
• business continuity/crisis management risk;
  
  
• enterprise risk;
  
  
• human capital;
  
  
• intellectual property; and
  
  
• technology/e-risk.
  
  

To progress to being a strategic member of a firm’s decision-making team — the expert for known, unknown, and unknowable risks — risk managers must step outside their comfort zones.

Risk managers must widen their perspectives and develop broader skill sets. They must develop a full-spectrum knowledge of the company, not just a narrow range of what are traditionally understood as risks. This is essential if information about a serious new threat to the organization — be it a supply-chain vulnerability or a collapse in IT security — is to be communicated up from the risk manager to the C-suite instead of communicated down from senior officers. To ensure that this flow of information moves in the right direction, the risk manager must achieve a comfort level with every major aspect of the company’s operations.

Greater familiarity and fluency with financial matters will be especially important. Investors today focus on short- to medium-term financial performance and are increasingly intolerant of ''surprises'' — even when they can be chalked up to hard-to-plan-for crises. Regardless of the source of disruption, investors — and other stakeholders — are looking for businesses to return to business as quickly as possible.

Numerous major shifts in the way companies do business are forcing management and shareholders to change the way they regard risk. Many, if not most, of these new risks can be attributed to the two-decade explosion of new businesses, new markets, technology and computerization, and gains in efficiency. While these changes have propelled vast economic growth, they have also created new risks, magnified the old ones, and caused a fundamental change in the nature and scope of risk management.

Among these shifts are:

• corporate globalization, especially into developing markets, which can expose companies to a host of new political, health, and other risks;
  
  
• the rising importance of intellectual capital, which creates a need for risk management in such areas as branding, information security, and privacy;
  
  
• increased vulnerability of supply chains, particularly as companies outsource many business functions once performed in-house; and
  
  
• just-in-time inventory systems that stretch supply chains thinner and thinner, leaving them more susceptible to disruption from a hurricane, a strike, or even a terrorist attack.
  
  

Another significant change in the nature of risk management is its growing importance to analysts at credit-rating agencies. Most buy-side investment analysts interviewed said that a company’s risk management program would play a significant role in the future should more formalized methods of evaluation become available. Risk managers, the C-suite, and boards of publicly held companies should be asking themselves three key questions that analysts may soon be asking:

• Does the firm’s senior management know how much it is prepared to lose from all sources of risk over a given horizon (often a reporting period, but also over shorter horizons) to achieve its overall long-term financial objectives?
  
  
• Does the firm’s senior management know where the top exposures are, both in terms of measured risks and unmeasured uncertainties?
  
  
• Is there an adequate understanding of the profile and mitigation of the potential losses from the top exposures?
  
  

Companies unable to answer all three questions with a resounding and unqualified ''yes'' may find themselves in disfavor with investors.

The new risk environment has created opportunities as well as challenges for the risk manager. The opportunity is to better serve the CFO, the CEO, and ultimately the board by analyzing critical issues and bringing them to the attention of the C-suite before they become major problems. The challenge is that the new environment includes new areas, such as climate change and transparency, that the CFO — not to mention the board — will have to address before crises develop. If the risk management function does not take the initiative, one of two scenarios is likely to play out. Either the organization will operate with significant levels of unaddressed risk and, therefore, grave vulnerability, or other officers who may lack risk expertise and experience will be forced to tackle the job.

Strategic risk management today means leading, not merely responding to events or demands from senior management. It means playing a role in managing every aspect of the evolving risk environment — becoming a change agent rather than merely a caretaker of the ''traditional'' risk management areas. It means looking one to three years ahead and identifying risks and issues that could jeopardize financial performance and scuttle management’s plans.

Companies with a strong strategic focus are finding more positive aspects to implementing the Sarbanes-Oxley (SOX) rules, especially on their risk management efforts. Analysts caution against drawing too strong a connection here. Nonetheless, 63 percent of survey respondents with a strategic focus said SOX has had a beneficial effect on their companies, and 53 percent said it has had a positive impact on risk management as a practice.

The study also found that enterprise risk management (ERM) efforts are more prevalent today among companies with big brands and a strong awareness of the risks posed by intellectual property, human capital, technology, and e-risk than among those holding more traditional notions of risk. Larger companies are also further along with ERM. Overall, 4 percent of companies said they have fully implemented ERM, 20 percent have partially implemented it, and 47 percent said they are considering or planning to do so.

Risk management occupies a central place in a business environment undergoing change. The world of risk is expanding, making risk management more complex than ever. At the same time, these very visible threats are forcing the C-suite, the board, and investors to focus more attention on risk management than they have in the past. The new and far broader portfolio of risks is fraught not only with opportunity for risk managers, but also with the challenge to assert leadership in a complex and rapidly evolving field.

This article is an adaptation of ''Excellence in Risk Management III/The Changing Face of Risk Management,'' a white paper based on a survey of risk managers jointly sponsored by Marsh and the Risk and Insurance Management Society, Inc. A full copy of the report, as well as copies of ''Excellence in Risk Management I'' and ''Excellence in Risk Management II,'' are available at http://solutions.marsh.com/excellences.