COSO ERM framework – Megrow Gave Feedback and They Listened

all good – finally?

Over previous months, I wrote much about the new COSO ERM framework. Actually, in the middle of 2018 the new framework isn’t exactly that new anymore. I’m an absolute convert with regards to linking ERM to strategy and performance. However, the apparent lack of real-life, tangible cases left a sourish taste in an otherwise good meal. So, I kept bickering about it over a number of blogposts, Tweets and G+ posts.

I understand the confidentiality and resource constraints the authors faced. However, it always felt incomplete. A few months back, PwC, one of the key contributors to the framework update, reached out to the community for feedback. Needless to say, I completed the survey most diligently. I’m sure my and other practitioners’ feedback helped!

And lo and behold, a new podcast episode is out. The PwC team announces a case compendium. Can’t wait to see the cases – well done!

Megrow Goes Fintech – It’s Not about ERM

or is it?

Oracle was very kind to invite me to their innovation summit in May 2018. They chose an auspicious location, namely the Fintech Hub in Singapore. So, the first question was, “what am I going to wear?”. After some deliberation, I decided to wear black jeans, non-suspicious Dr. Martens tasseled loafers, an ironed shirt (not tucked in) and use my Freitag laptop bag. That should be enough to blend in smoothly, or so I thought. I stepped out of the elevator, spotted the modern office design and layout and felt elated when I looked around. Post registration, I was escorted to the actual event location. Oh boy, was I wrong about the dress code: the Brionis, cheaper clones thereof and the Louboutins were omnipresent. It turned out to be a bankers’ conference, after all…

and then?

A few important take-away messages emerged, so the event was a full success from my point of view (leaving the missed dress code aside…).

key message #1: the world is under-banked, which is not a surprise per se.

key message #2: the all-out banktec disruption (aka the uberisation of banking) is NOT happening; hasn’t happened and won’t happen; period.

key message #3: it’s now Fintech 2.0/3.0/4.1 (pick your number), where established players and start-ups find ways to leverage each other’s strengths.

These three messages sound very familiar to the insurance community, where the initial belief in an uberisation has largely waned as well. Hence, it’s time to make clever use of smarttech to improve customer experience, reduce operating expenses and reap other benefits. Insurance executives replace “under banked” with “protection gap”. So who copied whom, or is this a clear case of convergent evolution?

Thanks again to Oracle for hosting this event. Hopefully another Innovation Summit will follow soon.


No, in this post I won’t make a case for ERM, although it is tempting to do so. If you feel like “ERM”, read one of the more technical ERM-blogs here.


ERM – It’s All About Strategy!

NO, it isn’t.

I have sympathy with directors who complain about boring red-amber-green risk heat maps. How do we engage directors for Enterprise Risk Management? COSO and other opinion leaders have taken a great step in the right direction with the new COSO framework. Linking risk and opportunity to strategy and performance is the right way to go. I have shared some thoughts about the 2017 update in previous blogposts.


By its very nature, Enterprise Risk Management looks at the entire enterprise. Hence, we need to find a way to cover the micro, such as smaller operational risks, AND the macro, such as the really significant risks and opportunities. Then ERM truly becomes “E”. When I accompany customers along their ERM journeys, I really make sure we cover the entire spectrum. Otherwise we miss out on either end. And btw – that’s the beauty and the challenge of doing good ERM…

and the benefit is

I still have two bones to pick with some of the proponents of the ‘new’ ERM. Firstly, strategy is very important, but let’s not forget all the other, smaller risks! Many a little makes a mickle. And secondly, we need to up the ante in terms of communicating the tangible benefits of ERM. Concepts are great to understand a matter. However, a board of directors or a CEO will want to see expected tangible benefits before engaging a CRO. When writing about ‘tangible benefits’ in a business context, I’m clearly referring to a measurable impact on either sales or profits and preferably on both. These benefits must be on top of the well-documented benefits of good ERM with regards to credit rating or reduction of compliance costs.

Keen to know how my work benefits your company? Contact me via the social media buttons below or directly at


The CRO – A Superhuman?

The Chief Risk Officer’s Skill Set

Clients often ask me, “what skills should our CRO have?” The answer is very easy and very difficult at the same time. Ideally, the person is a decathlete and holds the world record in each discipline of a decathlon. I chose decathlon over e.g. triathlon, because the CRO really, really needs a very broad skill set! Naturally, such a superhuman doesn’t exist – so what is the practical answer then?

CRO the decathlete

I came up with this picture to describe the CRO’s skill set; this somewhat simplified description has served me well over the years. I will describe it quadrant by quadrant.

the ideal CRO
CRO skill set
  1. Let’s start at the bottom left-hand side. The satellite and the atomic structure depict well how a CRO should be able to see the “big picture” like a satellite and at the same time should have a view for small items that matter.
  2. The bottom right-hand side. Often, good ERM requires a view outside of the box; that’s the reason for the rocket heading up in the drawing. At the same time, the basic tool set of e.g. risk mapping comes in very handy over and over again. The sun and the exclamation mark represent leadership skills and grit, two essential ingredients to get a good ERM framework up and running.
  3. The upper right-hand side. It’s all about communication skills. Internal, external, to peers, to the board of directors, to other C-suite members and any colleague(s) within the organization.
  4. And last but not least, the decathlete. Domain knowledge in a few areas is necessary and being “conversant” at least in a few others is very helpful!

superhumans don’t exist – here is the practical approach

A single person might have all the skills shown in the picture above. But this is a rare, fortunate occasion. Mostly, aspiring / incumbent CROs might possess a fair number of the skills, but not all of them.

So how to close that gap? IMHO, nothing beats hands-on growth and development. Megrow Consulting has helped many CROs along their journeys, done onboarding of risk officers and worked with boards of directors to define the necessary skill sets for “their” CRO.

The hands-on coaching as described above is best combined with solid knowledge of the methods and procedures. For instance, RIMS or COSO provide ample literature, seminars and e-learning to cover the basics and beyond.

Keen to know how I can support your CRO?

Contact me under or via the social media listed at the bottom of the page.

The COSO ERM Update – Megrow Continues the Dissection

The COSO ERM Update – So What?

The dust on COSO’s updated ERM framework is slowly settling. It is time to dig a little deeper and ponder about the actual impact of the update. Part one of my scribbling is here and part two is here.

for the non-converted

The executive summary of the update release is a hefty 16 pages long; some stakeholders have released YouTube videos to explain the updates, some are publishing podcasts and others release valuable comments on their websites. All these sources offer great content and explanations of how risk management, strategy, culture and execution fit together.

I have been asking myself: if I were the CEO of a company and (for whatever reason) unconvinced of the comprehensive benefits of ERM, would this update make me change my mind?

Probably not.


Because the link to measurable performance improvement is not that obvious. Or in more colloquial terms: “where is the beef”? I know this is a hard call, but after all business is about making investments in the aspiration of generating returns.

where are the $$?

It would be great if tangible, real-life examples showed how the updated framework is making a quantifiable difference to companies. Ideally, the impact needs to be as closely related as possible to revenue generation and profit of the core business. Invoking the argument of “reduced compliance” cost is tangible, but this is likely NOT what a CEO is looking for. A good argument would be a showcase in which ERM led to a significant change in strategy, which in turn positively impacted sales and/or profits.

Hopefully, over time the pundits will share case studies with a wider group of stakeholders. And until then, let’s keep up the good work, focus on the business opportunities when doing ERM work and stay tuned for more!

PS: this is a really comprehensive drawing…
control freak or risk taker

the pic is posted under a Creative Commons license

The COSO ERM Update – Megrow Starts the Dissection

The COSO ERM Update – So What?

COSO, together with a number of partners, published the much anticipated ERM-framework update a few months back. I blogged about it the moment it was hot off the press.

The dust has settled, it’s time to dig a little deeper and ponder about the actual impact of the update. The executive summary of the press release already spans 16 pages, giving us an indication about the complexity of the task the authors have tried to tackle.

I decided to look at the new framework from two angles. First: what does it mean to the “converted”, i.e. the ERM practitioners who are familiar with the matter, and second: how does an ERM-skeptic (yes, they exist in large numbers…) look at the new framework and, more importantly, would it convince him or her to become an ERM-believer?

for the converted

For the “converted” it seems to make sense. The world has moved on and risks have become more complex; Cyber, IoT and other hot topics were not on the agenda 14 years ago when the original framework was published.

Furthermore, linking ERM to strategy and ultimately to performance also is the right thing to do. After all, elaborately conceived risk heat maps that end up in drawers don’t contribute much to a company’s performance. Boards have become bored with just looking at risk maps, showing numbers in red, amber and green.

And lastly, to counter the ever-increasing complexity of risk with a set of principles is probably the only way to go about it. It is impossible to define universal, detailed standards for today’s and tomorrow’s rapidly evolving risk landscape. Taking the “principles” route is an easy way around being tangible – this criticism of the new framework is heard often.

for the non-converted

stay tuned, update coming soon.


Natural hazards cause ‘un-natural’ disasters that man made!

Dr. Dennis Bessant, senior advisor to Megrow, has written a very interesting article about risk management. Asia Insurance Review published the article during the 14th Singapore International Reinsurance Conference.


Access the full article in pdf-format here.

And before you ask: yes, we have the publisher’s OK to go ahead with this blogpost.


Happy Birthday – Megrow Enters the Third Year of Operation

Megrow Enters the Third Year of Operation

Thanks to all customers and business partners, the past year has been a great journey! Some existing clients decided to continue the work with Megrow and some new customers engaged my services. This is good testimony to my value proposition. I continue to focus on “outcomes matter” and the made-to-measure business approach. Ultimately, every client is different and so is my work with and for the customer.

We are megrow

Megrow is transforming from an “I” into a “we”: Dennis Bessant has been senior advisor to Megrow since Q3 2017. He brings extensive experience in the single risk field and decades of leadership track record with him. His knowledge will enhance our value proposition and ultimately work to the benefit of our clients. Read more about Dennis.

Social Media

Find us on Twitter, Google+ and LinkedIn



another new normal?

“The New Normal” is a popular theme in the insurance industry. What does it actually mean? And how do ERM and the New Normal go together?

The word “new” implies that matters have changed – so far so good. What about the term “normal”? One meaning of the word “normal” is “as expected”. Here it gets difficult when e.g. looking at data that indicates an ever-increasing frequency of hurricane landfall (cf ref below). In other words, the “new normal” is probably closer to the “new abnormal”.

I therefore coined the phrase “the ever-increasing volatility” to describe the challenge and opportunity of the re-/insurance industry.

How can businesses deal with increasing volatility? Portfolio planning and steering is one approach; in layperson’s terms it’s all about “take more different bites and take smaller bites”. A second solution is to harvest from good Enterprise Risk Management practice, and a third approach leverages partnerships between reinsurers and insurers that go beyond the provision of capacity.

Good Enterprise Risk Management creates a number of tangible benefits. Firstly, companies that practice good ERM are more robust to withstand shocks. Secondly, companies with strong ERM are more profitable than their peers with average or poor ERM-practice. And last but not least, companies with good ERM command a higher valuation. Most recent data point to a 20% uplift in company valuation through good ERM!

Keen to know more about the benefits of ERM? Read my blog posts here.

AM Best was kind enough to interview me during the 14th Singapore Reinsurance Conference (“SIRC”) in early November 2017.

the interview

Watch the 3+ minute interview HERE. Thanks to AM Best for having me.

Diana Dorahy and Reto Brosi @ SIRC
with Diana Dorahy of AM Best








ERM links to Credit Rating

Have you ever wondered how ERM links to Credit Rating? One is about financial stability (or debt repayment capabilities to be precise) and the other one deals with potential upside and downside of the business. So where is the link?

ERM as a key component

AM Best’s rating methodology outlines the connection very well. The picture below depicts the importance of good ERM as one of the rating adjustment factors. For example, if your ERM efforts are very good, the rating can increase by one notch (the +1 in the ERM box). However, if your ERM efforts fall short of expectation, there is a potential downward adjustment of 4 notches (the “-4” in the box).

At first glance, it appears a daunting task to embed ERM into a rating process. The crux of the matter is to set up a robust process and then use it, learn from the outcomes and amend as you go along. I have described the steps in setting up an ERM framework in several blog posts. Credit rating agencies look for the robustness of the ERM-approach. Furthermore, they seek evidence that ERM is an integral part of strategy setting.

As an experienced ERM practitioner and business executive who has dealt with rating agencies for several years, I’m well positioned to support you in making the ERM-Credit Rating link effective.

Keen to know more? Contact me via the social media buttons or directly

btw: Picture is taken from publicly available material.