Natural hazards cause ‘un-natural’, man-made disasters!

Dr. Dennis Bessant, senior advisor to Megrow, has written a very interesting article about risk management. Asia Insurance Review published the article during the 14th Singapore International Reinsurance Conference.



Access the full article in pdf-format here.

And before you ask: yes, we have the publisher’s OK to go ahead with this blogpost.



another new normal?

“The New Normal” is a popular theme in the insurance industry. What does it actually mean? And how do ERM and the New Normal go together?

The word “new” implies that matters have changed – so far so good. What about the term “normal”? One meaning of “normal” is “as expected”. This is where it gets difficult, e.g. when looking at data that indicates an ever-increasing frequency of hurricane landfalls (cf. ref. below). In other words, the “new normal” is probably closer to the “new abnormal”.

I therefore coined the phrase “the ever-increasing volatility” to describe the challenge and opportunity of the re-/insurance industry.

How can businesses deal with increasing volatility? Portfolio planning and steering is one approach; in layperson’s terms it is all about “take more different bites and take smaller bites”. A second solution is to harvest the benefits of good Enterprise Risk Management practice, and a third approach leverages partnerships between reinsurers and insurers that go beyond the provision of capacity.

Good Enterprise Risk Management creates a number of tangible benefits. Firstly, companies that practise good ERM are more robust and better able to withstand shocks. Secondly, companies with strong ERM are more profitable than their peers with average or poor ERM practice. And last but not least, companies with good ERM command a higher valuation. The most recent data point to a 20% uplift in company valuation through good ERM!

Keen to know more about the benefits of ERM? Read my blog posts here.

AM Best was kind enough to interview me during the 14th Singapore International Reinsurance Conference (“SIRC”) in early November 2017.

the interview

Watch the 3+ minute interview HERE. Thanks to AM Best for having me.

Diana Dorahy and Reto Brosi @ SIRC
with Diana Dorahy of AM Best







COSO ERM Framework Update

COSO ERM Framework

The COSO ERM Framework is one of the best established and most widely used ERM frameworks. After becoming the quasi-standard following its publication in 2004, the framework started to get a little long in the tooth. COSO and PwC have just published the “COSO ERM Framework Update”, the 2017 version, with some fanfare.

COSO ERM 2017 update
Updated COSO ERM Framework
Why update?

Since the original publication in 2004, the risk landscape has evolved dramatically. Back then, big data and cyber were not yet buzzwords, and the global financial crisis (which wasn’t “global” after all…) was far away. Secondly, practitioners realised that the true value of ERM becomes evident only if companies link ERM to their strategic considerations. Finally, the notion that risk also means opportunity, i.e. that ERM is about capturing upside and mitigating downside, gained more traction.


The executive summary released by COSO is a hefty 16 pages long. At first glance, this violates every possible rule of “how to write an executive summary”. Maybe it is a symptom of how complex the overall risk and opportunity landscape has become?

I will publish a series of blog posts going a little deeper into the changes that the new framework brought. Stay tuned for more blog posts on Megrow Consulting’s website.


Copyright of the picture is with COSO.


Risk Culture

tough topic

I have been planning to write an article about “what is risk culture” for many, many months already. A number of attempts ended up in the draft folder and then in the trash bin, simply because the output never quite satisfied me.

what is it?

The question “what is risk culture?” comes up frequently in conversations with clients. A Google search reveals over ten million answers and at every ERM-event somebody talks about it. Hence, it shouldn’t be that difficult to answer the question, should it?

Far from it, actually. Firstly, there is no such thing as “a” culture; there are many different cultures. Secondly, published literature often uses terms like “values” to describe “culture”. I am not judging whether this is right or wrong, but describing one qualitative term with another qualitative term might obfuscate the matter more than clarify it.

I will not dwell on the debate about whether the term “culture”, which originally refers to norms and behaviours in human societies, should be used in a corporate context. Instead, I will give some practical, tangible recommendations in the paragraphs below.

keep moving

The ERM process is well defined and practical advice is abundant. I have written a few blog posts about how to go about it. Many sophisticated ERM tools support the process and make the output more tangible, easier to share and easier to document. So is that it? Far from it, actually. Risks and opportunities constantly evolve, so ERM must be dynamic as well.

use it

“Our work ended up in the drawer.” I guess we have all heard this comment about projects that were carried out with great enthusiasm, got good feedback from stakeholders and were lauded for tangible outcomes. Really sad, so sad. Btw: my using these words is NOT an endorsement of a certain current political leader.

CRO, step up and make your voice heard, outline the benefits of ERM, push for airtime with your fellow executives and the board of directors! That’s your job!

do it!

The most trivial, yet most effective advice: get started and do it. Keep on improving and realise that it is a journey. The entire company will benefit from good ERM work.

Want to know more? Contact me via any of the channels shown at the bottom of the page.


Talking to AM Best About Risk and Regulation

what drives regulation?

Different stakeholders have different views on the purpose of regulation. Since I do a lot of Enterprise Risk Management work with my customers, I often use a risk-driven regulation view. For me, any discussion about risk always comprises the up-side and the down-side of outcomes.

Let’s take Cyber risk (“Cyber”). Cyber evolves very fast, and the saying that “Asia is different” takes on a new meaning in this context. Asia is at the forefront of Cyber. Exposures are omnipresent, and companies often appear not well prepared to manage the downside and capitalise on the upside.

the link to regulation

Dispute resolution is less litigious in Asia than in other parts of the world. Hence, regulation can be a little more relaxed about such matters. However, as outlined above, for Cyber this is clearly different. Companies in Asia need to be ready for this new risk; otherwise they might miss business opportunities, or Cyber threats might severely compromise their operations. So, for Cyber I take the view that regulation in Asia should give the issue the necessary emphasis.

And indeed, regulators in Hong Kong and China (just to name two out of many) have issued specific guidance for companies on that matter*!

the interview

I shared my views on this topic in an interview in May 2017 – thank you AM Best for having me!

Click HERE to watch the 3+ minute interview.

A screen shot with Meg Green of AM Best

Reto Brosi @AM Best Interview

(*) Hong Kong OCI issued GN10 in 2016

Linking Capital Modelling to ERM

Remetrica Conference

AON’s Paul Maitland invited me to speak at the Remetrica Conference in Singapore in May 2017. A great opportunity to share my views about the benefits of ERM and to learn from others.

The ongoing development of quantitative capabilities helps us ERM practitioners make our ERM efforts more robust, easier to adjust and less prone to biases. Having said that, the best ERM mechanics help only if the company lives its risk culture. The board and management need to debate the findings from ERM work and use the insights for strategic considerations. And lastly, the board should regularly challenge the underlying assumptions to ensure that the output stays current.

This ongoing “do-measure-learn-adjust-communicate” approach is especially crucial for risks that evolve quickly. Do I really need to mention “Cyber” here?

If ERM is reduced to filling in a spreadsheet and the output is taken out of the metaphorical “drawer” once a year, then it is no wonder the benefits are not evident and the board loses interest.

my presentation

Click HERE to access my Sway.

PS: embedding a Microsoft Sway into this blog is a real challenge; let’s hope it works with your browser.


With Paul Maitland of AON (at the far right); Jim Attwood; and Cynthia Yuan of Sunshine Ins. China.

How to ERM: Part Four, Know Your Appetite and Tolerance!

An Exciting Journey Lies Ahead – Where and How Do We Start?

You have decided to implement good ERM practice in your firm because you believe in the value of ERM as a strategic tool – that is great news!

Let’s assume that some risk mapping and some mitigation measures are in place and that these efforts are reported to senior management and the board, but NOW you want to boost ERM to the next level.

So where and how to start this voyage?

Should you deploy the most recent ERM-software or invest in modelling capabilities or put more emphasis on cyber risk or worry about reputation risk that your company might be exposed to? The answer is: NONE of it, for now!

it starts with risk tolerance and risk appetite

Before getting into any work that propels you up the risk maturity ladder, I strongly recommend that you ensure the risk tolerance and risk appetite are explained to and signed off by the board. Most companies will have such limits in place; however, a fresh look and an update never harm! Additionally, ensure that everybody in the company understands those limits and uses them to generate profitable business.

Setting risk limits and determining risk appetite is often guided by the regulatory framework and rating agencies’ views. Regardless of whether you deploy a sophisticated capital model or a simpler, yet more tangible, rule-of-thumb approach, it all starts with this step!

Once these limits are set, you kick off your journey to ERM 2.0.

My mission is to make this journey smooth for you and your company. Want to know more? Contact me via the social media buttons at the bottom of the page.


What is the relationship between risk tolerance and risk appetite?
Risk tolerance is the maximum risk you can take; risk appetite is the maximum risk you want to take. Ideally, tolerance and appetite should be close. If appetite is much smaller than tolerance, chances are that capital deployment is inefficient; if appetite on an aggregated basis exceeds tolerance, your company is at risk. If you want to be more comprehensive, you can add risk bearing capacity to the consideration. Risk bearing capacity is roughly equivalent to the firm’s equity (more on that in another post).

The drawing below illustrates the interplay of “bearing”, “tolerance” and “appetite”.


risk appetite, risk tolerance and risk bearing capacity


PS: my multi-part “how to ERM” series started here

ERM is dead – long live EROM !


Of course ERM is not dead; much to the contrary: recent studies show a strong correlation between the quality of a company’s ERM and its stock price. The correlation appears to be worth up to 25% better company valuation. That is serious money!!

However, widespread perception associates something negative with the word “risk”. If you doubt this statement, have a look at Wikipedia’s definition of risk. The majority of descriptors have a negative connotation, such as “loss, injury, damage, negative occurrence, et cetera”.

I look at risk more broadly: my conversations about risk always encompass the upside and the downside. “Risk creates opportunity”, Megrow’s tag-line, reflects that mindset. I ask “what else can we do with the glass?” instead of “is it half full or half empty?”


Therefore, I propose to add the letter “O”, representing OPPORTUNITY, to the ERM terminology. Enterprise Risk and Opportunity Management (“EROM”) is born!

How to ERM: Part Two


A few weeks ago, I published the first part of my ERM-focused meanderings, titled “how to ERM, part one”. The previous post outlined the risk-mapping journey leading from an initially long list of risks to a focused, final list reflecting the big bets of a company.

In this post, I share my thoughts on how to take that map and add ‘coordinates’ to make it much more useful. It’s all about numbers. Well, it’s mostly about numbers…


How to go about the quantification?

One hard-coded rule to start with: we do a first round of quantification on an unmitigated basis, i.e. we estimate the quantitative impact of unexpected outcomes for each risk that made it onto the final list. I use the term “unexpected” to emphasise both the upside and the downside of unexpected outcomes. Always remember: “risk also creates opportunity”.

Example: five days’ downtime of your e-commerce website costs you HKD 10 mio in profit if there are no mitigating efforts in place. So we put the HKD 10 mio next to the risk labelled “web-site down time” into the field “unmitigated impact”.

You get the point: once this quantification is done, we pick the top contributors and work on meaningful mitigation measures. “Avoidance” is a popular term in this context; however, since we are in business, “not doing” is often not an option, so we need to think a little harder about appropriate mitigation efforts.

Back to the example: as a mitigation measure, you have reserved capacity on a third-party platform, e.g. Alibaba, so if your own website is down, you use Alibaba as your platform. The mitigation allows you to keep selling online; the cost of this measure is the rental for the third-party provider plus some lag in the sales uptake on the temporary platform. And who knows: maybe the new platform turns out to be a gold mine, leading to abandoning your old platform!

So What?

The output is a map showing key risks and their impact on the company’s profit and loss statement and the balance sheet when mitigated and when left unmitigated.

Sounds simple? Yes, conceptually it is; however, the true beauty is in the detail. That’s where the experienced ERM practitioner adds value by speeding up the journey. Keen to know more? Contact me @
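As an added illustration (not from the original posts), the quantification step above and the appetite/tolerance/bearing question from Part Four can be put into one small risk register. The HKD 10 mio website figure is the page’s own example; the other register entries, all mitigation figures, the limit values and the 0.6 utilisation threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    """One entry of the final risk list, quantified on both bases the post describes."""
    name: str
    unmitigated: float      # impact on profit (HKD mio) with no mitigation in place
    mitigated: float        # residual impact once the mitigation measure is active
    mitigation_cost: float  # running cost of the measure itself (e.g. platform rental)

    def net_benefit(self) -> float:
        """What the mitigation is worth: avoided impact minus what it costs to run."""
        return self.unmitigated - self.mitigated - self.mitigation_cost


def top_contributors(register: List[Risk], n: int) -> List[str]:
    """Rank by unmitigated impact; these are the entries to work mitigation on first."""
    ranked = sorted(register, key=lambda r: r.unmitigated, reverse=True)
    return [r.name for r in ranked[:n]]


def check_limits(register: List[Risk], appetite: float, tolerance: float,
                 bearing: float, min_utilisation: float = 0.6) -> Dict[str, object]:
    """Compare aggregated exposure against the board-approved limits.

    appetite  : maximum risk the firm wants to take
    tolerance : maximum risk the firm can take
    bearing   : risk bearing capacity, roughly the firm's equity
    min_utilisation is an assumed threshold for "appetite far below tolerance",
    i.e. the inefficient capital deployment the post warns about.
    """
    residual = sum(r.mitigated for r in register)
    gross = sum(r.unmitigated for r in register)
    return {
        "limits_ordered": appetite <= tolerance <= bearing,
        "residual_exposure": residual,
        "residual_within_appetite": residual <= appetite,
        "gross_within_tolerance": gross <= tolerance,
        "capital_underused": appetite / tolerance < min_utilisation,
    }


# Constructed register: only the HKD 10 mio website figure comes from the post.
REGISTER = [
    Risk("web-site down time", unmitigated=10.0, mitigated=2.0, mitigation_cost=0.5),
    Risk("cyber incident", unmitigated=25.0, mitigated=8.0, mitigation_cost=3.0),
    Risk("key supplier default", unmitigated=6.0, mitigated=6.0, mitigation_cost=0.0),
]

if __name__ == "__main__":
    print(top_contributors(REGISTER, 2))
    for r in REGISTER:
        print(f"{r.name:22s} net benefit of mitigation: {r.net_benefit():5.1f}")
    print(check_limits(REGISTER, appetite=15.0, tolerance=30.0, bearing=50.0))
```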

How to ERM: Part One

Welcome to the inaugural chapter of my “how-to ERM” series! I will share my thoughts and practical advice to make your journey up the risk-maturity ladder more efficient. This first post is about risk mapping, giving some thought to how to separate the wheat from the chaff. Pondering about quantification, mitigation, reporting and adjustment will follow over the coming months, so stay tuned.

Risk Mapping: focus on what REALLY matters

I really enjoy creating risk maps. The task demands lateral thinking, I can interact with different people and creatively challenge their views, sometimes new ideas and opportunities emerge from the journey, and the “grit, spit and some duct tape”1 part of it is often good fun.

How to go about it?

I find it useful to apply a disciplined, four-round, iterative approach to come up with a map that matters.

Round 1: compile a very broad and wide map of risks covering all (yes, all!) functions of the company. Interviews, workshops, brainstorming, e-voting, etc. – all work, provided they are done thoroughly and consistently. It is perfectly OK to go long at this initial stage. People are always eager to share their views on risks; hence this initial round of mapping is mostly very straightforward.

Round 2: condense the list down to approximately 40 entries. At first glance, this looks like a gigantic task, but upon closer inspection, it becomes manageable. The guiding principle: “keep what matters at enterprise level”.

Round 3: now is the time to get serious with senior management! The list is condensed down to approximately 15 entries. McKinsey refers to this as “the firm’s big bets”, a term that describes the list’s focus and relevance very well. The board-approved risk appetite and input from senior management guide this process. Again, an experienced practitioner can ease the process significantly. Ultimately, that “top 15” chart will make it to the board. The board and management will focus on that list, ensure that appropriate mitigation actions are put in place and follow up on relevant progress.

Round 4: at this stage I recommend a preliminary discussion with the risk committee of the board, even if not all risks are quantified and/or sufficiently mitigated. Don’t take offence if new items make it onto the list or your favourite doesn’t get all the attention. After all, boards look at risk differently than senior management does; maybe they are more strategically inclined, or they put more emphasis on qualitative factors, such as reputation. After round four, the list is good to go and the journey shifts towards quantification.

Here is an example of the selection process: this very website is an important component of the branding and marketing efforts I undertake for Megrow, hence a consideration about “Megrow’s website inaccessible” will be on the initial list. In other words, at micro level a “404 page” when accessing the site is undesirable. However, at enterprise level I can live with a few days’ downtime and manage it via an increased presence on social media. In other words, “website downtime” will NOT make it to round three of the process.

Shall we talk about how I can smoothen your journey up the risk maturity ladder? Contact me at

This is risk culture!

1 adapted from the movie Madagascar 2