I’ve shared some technical and practical considerations about ERM in a few previous blogposts. This episode addresses the most important topic: “ERM done – so what”. Whenever I talk about Enterprise Risk Management, I emphasize its tangible benefits. ERM is about managing downside and creating opportunity.
The picture below displays a wide, although not complete, stakeholder landscape and the tangible benefits of good ERM. The regulatory, governance and credit rating agency related values are clear. Furthermore, an optimal alignment of risk appetite and capital possibly supports increased risk taking. So far, so good.
IMHO Cyber Risk is one of the best cases in point to illustrate practical benefits of ERM; two aspects:
Firstly, the defensive angle: companies must prepare to deal with Cyber attacks as an “entirety”; silos don’t work. This is a relatively new category of risk(s), hence it requires some subject matter expertise and a very diligent look “across” the entire organization. Megrow has done Cyber risk mapping with clients (and for its own good – just to state the obvious). I will not dwell on that here. However, if you are interested in good Cyber-webinars, I highly recommend FireEye.com – excellent!
Secondly, the opportunity angle. Let’s assume an insurer covers small and medium sized enterprises. Very many of these clients could and should do more to identify and manage Cyber risks. Buying Cyber insurance is only one mitigating factor. How can the insurer provide additional value and services for this type of risk? The principles of Cyber Risk management are rather universal. In other words, if an insurer has a good grip on its own Cyber risk landscape, this knowledge can become part of its service offering to insureds. This works exactly the same way as traditional loss prevention services that insurers offer their customers. Any sales person of that insurance company will be more than pleased to have an additional service ace in his/her sleeve!
In other words, we killed two birds with one ERM-stone. Thorough ERM helps this insurer manage potential downside risk of Cyber and enhances the company’s value proposition to its customers. It doesn’t get much better than this!
Megrow Consulting has turned three. A big “thank you” to all the clients, business partners, advisors and supporters for another fruitful year! Time really flies. Sometimes it is hard to believe that Megrow now is in its fourth year of operation.
a brief glance back
Clients understandably ask for references prior to engaging Megrow’s services. Confidentiality is key, hence I cannot share details of prior and current engagements. However, I did a bit of data mining to get a view over the services Megrow provided over the past 3+ years.
ERM, Underwriting and Strategy work make up approx. 70% of Megrow’s services over the past three years.
The remaining 30% comprises other work such as coaching, training, providing second opinions on matters and similar types of work. Clients comprise local, regional and global players in Asia and the European Union.
a sneak peek into the future
Risk and the management thereof is a growing business. Opportunities for Megrow to deploy its distinct value proposition to clients will continue to emerge. Stay tuned for updates on this blog. In the meantime, you could read some of my more technical articles about ERM here.
In an earlier blogpost I wrote about setting risk appetite for insurance companies under the evolving Hong Kong ERM framework. My focus is on firms that develop their own ERM-framework.
In this blogpost, I “continue” the journey to building an ERM-framework and ponder about risk mapping. Whilst occasionally making reference to Hong Kong, most of the scribble is applicable to every insurer who wants to take its nascent ERM-framework to a next level.
I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey. And most importantly, I keep advertising ERM as a strategic tool to support your business and not to paralyze it.
I like doing risk mapping! However, there is a significant risk (hahaha pun intended…) of getting lost along the journey when engaging an entire company in a comprehensive risk mapping exercise.
Plenty of competent bodies, such as COSO, describe risk mapping at great length and detail, hence I will not dwell on the methodology here. Instead, I share a number of practical aspects, pitfalls, successes and other considerations here.
When I lead or coach risk mapping work, I prefer to do it in small groups and over several iterations. Depending on the circumstances, some initial “ice breaking” might be needed. Generally speaking though, insurance practitioners LOVE to talk about risk, so there is little to worry about. That is good news! Having said that, there are a few points to bear in mind.
Firstly, we need to ensure that the involved teams cover risks across ALL major business activities. In my experience, operational risk often tends to rank highest in terms of risk “count”. Your risk officer or an experienced third party will need to moderate the mapping efforts to bring balance to the risk universe of your company. Secondly, we also need to ensure that the thinking is current and prospective; looking into the rear-view mirror is important, but only looking backward will not get us very far. Thirdly, quantification efforts need to be consistent across the entire risk catalogue, otherwise we compare the proverbial apples with oranges.
Last but not least, probably the hardest step on the mapping journey is prioritization of risks. One “must have item” is a list containing the few, all important strategic and key operational risks. Senior management and the directors will give all their TLC to that all-important set of risks. Yes, every risk is important, but depending on expected frequency and impact, it is handled at the appropriate level of the company! No CEO or board risk committee member wants to look at a risk register with 5000 entries, trust me on this one!
local and global perspective
Good risk mapping focuses on what matters most for the current and prospective market environment. Hence, a focus on Hong Kong (in our example) certainly makes sense. However, other risks, such as “Cyber”, are prime examples where good risk mapping must take a bigger picture, global view. Quantification and mitigation of risks that are outside well-known “home turf” are a challenge. The good news is: there are ways and means to deal with that.
Senior management and the directors will sign off the risk map. Subsequently, the register enters its next phase. The risk officer will need to maintain it! After all, good risk management is all about mitigation of existing risks and detecting new risks (and opportunities). An important caveat: enlarging the risk register four times a year by adding new considerations isn’t best practice. Ideally, some risks should disappear from the list over time, otherwise the list will get bloated to an extent that nobody can distinguish the chaff from the wheat any longer.
Stay tuned for more blogposts about ERM in Hong Kong here @megrow.asia !
ERM for Insurers in Hong Kong – the Journey has Started
This series of blogposts ponders about the ERM in Hong Kong as it unfolds for Hong Kong based insurers. I chose Hong Kong for a number of reasons. First, the Insurance Authority (“IA”) launched the ERM process over the course of 2017/2018, so the implementation is in full swing. Second, Megrow has been fortunate to do quite a bit of ERM-related consulting work for companies in Hong Kong. And finally, the Hong Kong approach is a good example of a measured, gradual implementation of ERM, so it might serve well for both practical and theoretical considerations.
I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey.
And most importantly, I keep advertising for ERM as a strategic tool to support your business and not to paralyze it.
All Set to Go?
Hong Kong’s IA has released draft ERM-guidelines for industry consultation. The document is comprehensive and doesn’t contain any surprises per se. However, a myriad of cogwheels needs to fall in place to make ERM work and add value to your company. Definitely, you have some well-established risk management practices already in your company and most certainly, ‘your’ board of directors has its own ideas about risk as well.
How to put this all together in an efficient and effective manner? Certainly, an experienced third party will make your journey efficient and effective. And: you can keep your focus on running your business.
step 1 – the tone from the top
In 2017 Hong Kong IA mandated insurers to establish a board risk committee and assign a risk officer function to a suitably qualified staff. Starting at the top was the right thing to do. Insurers have completed this step over the course of 2017 and early 2018 already. Time to move on.
step 2 – risk appetite
Now with the risk officer and the risk committee in place, what is the next step? In line with the philosophy of “starting from the top”, ideally companies move their attention to comprehensive risk appetite definitions and the implementation thereof. That is exactly what the proposed ERM guidelines suggest doing next on the Hong Kong ERM journey.
what is risk appetite?
I like to use the famous half-full glass analogy to describe my preferred definition of risk appetite.
The capacity of the glass represents the total maximum net risk – across all business activities – your company can bear with the current capital, reinsurance and other hedging mechanisms in place.
Simply, the glass cannot hold more water than its volume (let’s omit surface tension and other considerations here, it’s not a science class…).
This capacity is largely given by the available capital and regulatory constraints, such as minimum solvency levels. This “capacity” is relatively stable.
How much water you actually decide to pour into the glass is almost entirely the company’s decision. If you overfill, the company will have challenges. If you leave it (almost) empty, then you are not making use of the capital that shareholders gave you. In other words, how full you want the glass to be is your specific risk appetite setting. The great thing is that the water level can vary over time, i.e. companies have some entrepreneurial freedom to accept more or less risk (as long as it doesn’t overflow).
how to set risk appetite?
Two challenges arise for management and the board. First, how full is the glass with the current business and second, how full (or empty…) do we want it to be going forward? In other words, is the glass big enough to support the company’s expansion strategy? The forward-looking angle is very important: that is the linkage of good ERM with strategy!
How to go about determining the “level of water” in the glass? All companies have risk appetite statements readily available. However, these statements might sometimes be insular and sometimes not of recent date. For instance, the investment department might use a different language to describe risk compared to the underwriting department. The true value of risk appetite definitions emerges, once the statements are quantified, comparable and the statements link risk taking to capital.
Ultimately, the best way of going about it is to use a capital model, which allocates capital in a consistent way to the main business activities of the company. However, a few years will pass before RBC is mature enough in Hong Kong. So, what is an interim solution for Hong Kong based insurers?
purchase a third-party capital model (I won’t advertise for free here…)
and/or you develop your own capital model
and/or you find an interim, discrete solution and implement the HK-RBC capital model along the way.
Every company is unique; hence it is difficult to make general recommendations. A practical view on risk appetite definitions: if you have a credit rating, using the rating agency’s capital model is certainly a way to go. If not, then taking the route via an interim solution would be my preference.
Megrow is well-positioned to support you through the decision-making process and the subsequent development and implementation of the chosen path. We follow industry-standard good ERM-practice, always ensuring that our work is efficient and of practical use. The wheel has been invented, so we focus on other things!
If you would like to know more about putting ERM in place contact me via the buttons shown below and stay tuned for more blogposts about ERM in Hong Kong and elsewhere.
Over previous months, I wrote much about the new COSO ERM framework. Actually, in the middle of 2018 the new framework isn’t exactly that new anymore. I’m an absolute convert with regards to linking ERM to strategy and performance. However, the apparent lack of real-life, tangible cases left a sourish taste in an otherwise good meal. So, I kept bickering about it over a number of blogposts, Tweets and G+ posts.
I understand the confidentiality and resource constraints the authors faced. However, it always felt incomplete. A few months back, PwC, one of the key contributors to the framework update, reached out to the community for feedback. Needless to say, I completed the survey most diligently. I’m sure my and other practitioners’ feedback helped!
And lo and behold, a new podcast episode is out. The PwC team announces a case compendium. Can’t wait to see the cases – well done!
Oracle was very kind to invite me to their innovation summit in May 2018. They chose an auspicious location, namely the Fintech Hub in Singapore. So, the first question was, “what am I going to wear?”. After some deliberation, I decided to wear black jeans, non-suspicious Dr. Martens tasseled loafers, an ironed shirt (not tucked in) and use my Freitag laptop bag. That should be enough to blend in smoothly, or so I thought. I stepped out of the elevator, spotted the modern office design and layout and felt elated when I looked around. Post registration, I was escorted to the actual event location. Oh boy was I wrong about the dress code: the Brionis, cheaper clones thereof and the Louboutins were omnipresent. It turned out to be a bankers’ conference, after all….
A few important take-away messages emerged, so the event was a full success from my point of view (leaving the missed dress code aside…).
key message #1: the world is under-banked, which is not a surprise per se.
key message #2: the all-out banktec disruption (aka the uberisation of banking) is NOT happening; hasn’t happened and won’t happen; period.
key message #3: it’s now Fintech 2.0/3.0/4.1 (pick your number), where established players and start-ups find ways to leverage each other’s strengths.
These three messages sound very familiar to the insurance community, where the initial belief in an uberisation has largely waned as well. Hence, it’s time to make clever use of smarttech to improve customer experience, reduce operating expenses and reap other benefits. Insurance executives replace “under banked” with “protection gap”. So who copied whom or is this a clear case of convergent evolution?
Thanks again to Oracle for hosting this event. Hopefully another Innovation Summit will follow soon.
No, in this post I won’t make a case for ERM, although it is tempting to do so. If you feel like “ERM”, read one of the more technical ERM-blogs here.
I have sympathy with directors who complain about boring red-amber-green risk heat maps. How do we engage directors for Enterprise Risk Management? COSO and other opinion leaders have taken a great step in the right direction with the new COSO framework. Linking risk and opportunity to strategy and performance is the right way to go. I have shared some thoughts about the 2017 update in previous blogposts.
By its very nature Enterprise Risk Management looks at the entire enterprise. Hence, we need to find a way to cover the micro, such as smaller operational risks AND the macro, such as the really significant risks and opportunities. Then ERM truly becomes “E”. When I accompany customers along their ERM journeys, I really make sure we cover the entire spectrum. Otherwise we miss out on either end. And btw – that’s the beauty and the challenge of doing good ERM….
and the benefit is
I still have two bones to pick with some of the proponents of the ‘new’ ERM. Firstly, strategy is very important, but let’s not forget all the other, smaller risks! Many a little makes a mickle. And secondly, we need to up the ante in terms of communicating the tangible benefits of ERM. Concepts are great to understand a matter. However, a board of directors or a CEO will want to see expected tangible benefits before engaging a CRO. When writing about ‘tangible benefits’ in a business context, I’m clearly referring to a measurable impact on either sales or profits and preferably on both. These benefits must be on top of the well-documented benefits of good ERM with regards to credit rating or reduction of compliance costs.
Keen to know how my work benefits your company? Contact me via the social media buttons below or directly at firstname.lastname@example.org
Clients often ask me, “what skills should our CRO have”? The answer is very easy and very difficult at the same time. Ideally, the person is a decathlete and holds the world record in each discipline of a decathlon. I chose decathlon over e.g. triathlon, because the CRO really, really needs a very broad skill set! Naturally, such a superhuman doesn’t exist – so what is the practical answer then?
CRO the decathlete
I came up with this picture to describe the CRO’s skill set; this somewhat simplified description has served me well over the years. I will describe it quadrant by quadrant.
Let’s start at the bottom left-hand side. The satellite and the atomic structure depict well, how a CRO should be able to see the “big picture” like a satellite and at the same time should have a view for small items that matter.
The bottom right hand side. Often, good ERM requires a view outside of the box, that’s the reason for the rocket heading up in the drawing. At the same time, the basic tool set of e.g. risk mapping comes in very handy over and over again. The sun and the exclamation mark represent leadership skills and grit, two essential ingredients to get a good ERM framework up and running.
The upper right hand side. It’s all about communication skills. Internal, external, to peers, to the board of directors, to other C-suite members and any colleague(s) within the organization.
And last but not least, the decathlete. Domain knowledge in a few areas is necessary and being “conversant” at least in a few others is very helpful!
superhumans don’t exist – here is the practical approach
A single person might have all the skills shown in the picture above. But this is a rare, fortunate occasion. Mostly, aspiring / incumbent CROs might possess a fair number of the skills, but not all of them.
So how to close that gap? IMHO, nothing beats hands-on growth and development. Megrow Consulting has helped many CROs along their journeys, done onboarding of risk officers and worked with boards of directors to define the necessary skill sets for “their” CRO.
The hands-on coaching as described above is best combined with solid knowledge of the methods and procedures. For instance, RIMS or COSO provide ample literature, seminars and e-learning to cover the basics and beyond.
Keen to know how I can support your CRO?
Contact me under email@example.com or via the social media listed at the bottom of the page.
The dust on COSO’s updated ERM framework is slowly settling. It is time to dig a little deeper and ponder about the actual impact of the update. Part one of my scribbling is here and part two is here.
for the non-converted
The executive summary of the update release is a hefty 16 pages long; some stakeholders have released YouTube videos to explain the updates, some are publishing podcasts and others release valuable comments on their websites. All these sources offer great content and explanations of how risk management, strategy, culture and execution fit together.
I have been asking myself: if I were the CEO of a company and (for whatever reason) unconvinced of the comprehensive benefits of ERM, would this update make me change my mind?
Because the link to measurable performance improvement is not that obvious. Or in more colloquial terms: “where is the beef”? I know this is a hard call, but after all business is about making investments in the aspiration of generating returns.
where are the $$?
It would be great if tangible, real-life examples showed how the updated framework is making a quantifiable difference to companies. Ideally, the impact needs to be as closely related as possible to revenue generation and profit of the core business. Invoking the argument of “reduced compliance” cost is tangible, but this is likely NOT what a CEO is looking for. A good argument would be a showcase in which ERM led to a significant change in strategy, which in turn positively impacted sales and/or profits.
Hopefully, over time the pundits will share case studies with a wider group of stakeholders. And until then, let’s keep up the good work, focus on the business opportunities when doing ERM work and stay tuned for more!
COSO, together with a number of partners, published the much anticipated ERM-framework update a few months back. I blogged about it the moment it was hot off the press.
The dust has settled, it’s time to dig a little deeper and ponder about the actual impact of the update. The executive summary of the press release already spans 16 pages, giving us an indication about the complexity of the task the authors have tried to tackle.
I decided to look at the new framework from two angles. First: what does it mean to the “converted”, i.e. the ERM practitioners who are familiar with the matter and second, how does an ERM-skeptic (yes, they exist in large numbers… ) look at the new framework and more importantly would it convince him or her to become an ERM-believer?
for the converted
For the “converted” it seems to make sense. The world has moved on, risks have become more complex; Cyber, IoT and other hot topics were not on the agenda 14 years ago when the original framework was published.
Furthermore, linking ERM to strategy and ultimately to performance also is the right thing to do. After all, elaborately conceived risk heat maps that end up in drawers don’t contribute much to a company’s performance. Boards have become bored with just looking at risk maps, showing numbers in red, amber and green.
And lastly, to counter the ever-increasing complexity of risk with a set of principles is probably the only way to go about it. It is impossible to define universal, detailed standards for today’s and tomorrow’s rapidly evolving risk landscape. Taking the “principles” route is an easy way around being tangible – this criticism of the new framework is heard often.