The COSO ERM Update – Megrow Starts the Dissection

The COSO ERM Update – So What?

COSO, together with a number of partners, published the much anticipated ERM-framework update a few months back. I blogged about it the moment it was hot off the press.

The dust has settled, so it is time to dig a little deeper and ponder the actual impact of the update. The executive summary of the press release alone spans 16 pages, giving an indication of the complexity of the task the authors have tried to tackle.

I decided to look at the new framework from two angles. First: what does it mean to the “converted”, i.e. the ERM practitioners who are familiar with the matter? And second: how does an ERM skeptic (yes, they exist in large numbers…) look at the new framework and, more importantly, would it convince him or her to become an ERM believer?

for the converted

For the “converted” it seems to make sense. The world has moved on, risks have become more complex, and cyber, IoT and other hot topics were not on the agenda when the original framework was published in 2004.

Furthermore, linking ERM to strategy and ultimately to performance is also the right thing to do. After all, elaborately conceived risk heat maps that end up in drawers don’t contribute much to a company’s performance. Boards have become bored with just looking at risk maps showing numbers in red, amber and green.

And lastly, countering the ever-increasing complexity of risk with a set of principles is probably the only way to go about it. It is impossible to define universal, detailed standards for today’s and tomorrow’s rapidly evolving risk landscape. The criticism that taking the “principles” route is an easy way around being tangible is, however, heard often.

for the non-converted

stay tuned, update coming soon.



another new normal?

“The New Normal” is a popular theme in the insurance industry. What does it actually mean? And how do ERM and the New Normal go together?

The word “new” implies that matters have changed – so far so good. What about the term “normal”? One meaning of “normal” is “as expected”. Here it gets difficult, e.g. when looking at data that indicates an ever-increasing frequency of hurricane landfall (cf. ref below). In other words, the “new normal” is probably closer to the “new abnormal”.

I therefore coined the phrase “the ever-increasing volatility” to describe the challenge and opportunity of the re-/insurance industry.

How can businesses deal with increasing volatility? Portfolio planning and steering is one approach; in layperson’s terms it’s all about “take more different bites and take smaller bites”. A second solution is to harvest the benefits of good Enterprise Risk Management practice, and a third approach leverages partnerships between reinsurers and insurers that go beyond the provision of capacity.

Good Enterprise Risk Management creates a number of tangible benefits. Firstly, companies that practice good ERM are more robust and better able to withstand shocks. Secondly, companies with strong ERM are more profitable than their peers with average or poor ERM practice. And last but not least, companies with good ERM command a higher valuation. The most recent data point to a 20% uplift in company valuation through good ERM!

Keen to know more about the benefits of ERM? Read my blog posts here.

AM Best was kind enough to interview me during the 14th Singapore Reinsurance Conference (“SIRC“) early November 2017.

the interview

Watch the 3+ minute interview HERE. Thanks to AM Best for having me.

Diana Dorahy and Reto Brosi @ SIRC
with Diana Dorahy of AM Best







COSO ERM Framework Update

COSO ERM Framework

The COSO ERM Framework is one of the best-established and most widely used ERM frameworks. Having become the quasi-standard after its publication in 2004, the framework had started to get a little long in the tooth. COSO and PWC have just published the “COSO ERM Framework Update”, the 2017 version, with some fanfare.

COSO ERM 2017 update
Updated COSO ERM Framework
Why update?

Since the original publication in 2004, the risk landscape has evolved dramatically. Back then, big data and cyber were not yet buzzwords and the global financial crisis (which wasn’t “global” after all…) was far away. Secondly, practitioners realised that the true value of ERM becomes evident only if companies link ERM to their strategic considerations. Finally, the notion that risk also means opportunity, i.e. that ERM is about capturing upside as well as mitigating downside, gained more traction.


The executive summary released by COSO is a hefty 16 pages long. At first glance, this violates every rule of “how to write an executive summary”. Maybe it is a symptom of how complex the overall risk and opportunity landscape has become?

I will publish a series of blog posts going a little deeper into the changes that the new framework brought. Stay tuned for more blog posts on Megrow Consulting’s website.


Copyright of the picture is with COSO.


Risk Culture

tough topic

I have been planning to write an article about “what is risk culture” for many months already. A number of attempts ended up in the draft folder and then in the trash bin, simply because the output never quite satisfied me.

what is it?

The question “what is risk culture?” comes up frequently in conversations with clients. A Google search reveals over ten million answers and at every ERM-event somebody talks about it. Hence, it shouldn’t be that difficult to answer the question, should it?

Far from it, actually. Firstly, there is no such thing as “a” culture; there are many different cultures. Secondly, published literature often uses terms like “values” to describe “culture”. I’m not judging whether this is right or wrong, but describing one qualitative term with another qualitative term may obscure the matter more than clarify it.

I will not dwell on the debate whether the term “culture”, which originally refers to norms and behaviours in human societies, should be used in a corporate context. Instead, I will give some practical, tangible recommendations in the paragraphs below.

keep moving

The ERM process is well defined and practical advice is abundant. I have written a few blog posts about how to go about it. Many sophisticated ERM tools support the process, making the output more tangible and easier to share and document. So is that it? Far from it, actually. Risks and opportunities constantly evolve, so ERM must be dynamic as well.

use it

“Our work ended up in the drawer.” We have all heard this comment about projects that were carried out with great enthusiasm, got good feedback from stakeholders and were lauded for tangible outcomes. Really sad, so sad. By the way: my using these words is NOT an endorsement of a certain current political leader.

CRO, step up and make your voice heard: outline the benefits of ERM and push for airtime with your fellow executives and the board of directors! That’s your job!

do it!

The most trivial, yet most effective advice: get started and do it. Keep on improving and realise that it is a journey. The entire company will benefit from good ERM work.

Want to know more? Contact me via any of the channels shown at the bottom of the page.


Linking Capital Modelling to ERM

Remetrica Conference

AON’s Paul Maitland invited me to speak at the Remetrica Conference in Singapore in May 2017. A great opportunity to share my views about the benefits of ERM and to learn from others.

The ongoing development of quantitative capabilities helps ERM practitioners make their ERM efforts more robust, easier to adjust and less prone to biases. Having said that, even the best ERM mechanics help only if the company lives its risk culture. The board and management need to debate the findings from ERM work and use the insights for strategic considerations. And lastly, the board should regularly challenge the underlying assumptions to ensure that the output stays current.

This ongoing “do-measure-learn-adjust-communicate” approach is especially crucial for risks that evolve quickly. Do I really need to mention “Cyber” here?

If ERM is reduced to filling in a spreadsheet and the output is taken out of the metaphorical “drawer” once a year, then it is no wonder that the benefits are not evident and the board loses interest.

my presentation

Click HERE to access my Sway.

PS: embedding a Microsoft Sway into this blog is a real challenge; let’s hope it works with your browser.


With Paul Maitland of AON (at the far right); Jim Attwood; and Cynthia Yuan of Sunshine Ins. China.

How to ERM: Part Four, Know Your Appetite and Tolerance!

An Exciting Journey Lies Ahead – Where and How Do We Start?

You have decided to implement good ERM practice in your firm because you believe in the value of ERM as a strategic tool – that is great news!

Let’s assume that some risk mapping and some mitigation measures are in place and that these efforts are reported to senior management and the board, but NOW you want to boost ERM to the next level.

So where and how to start this voyage?

Should you deploy the most recent ERM software, invest in modelling capabilities, put more emphasis on cyber risk or worry about the reputation risk your company might be exposed to? The answer is: NONE of it, for now!

it starts with risk tolerance and risk appetite

Before getting into any work that propels you up the risk maturity ladder, I strongly recommend you ensure that risk tolerance and risk appetite are explained to and signed off by the board. Most companies will have such limits in place; however, a fresh look and an update never hurt! Additionally, ensure that everybody in the company understands those limits and uses them to generate profitable business.

Setting risk limits and determining risk appetite is often guided by the regulatory framework and rating agencies’ views. Regardless of whether you deploy a sophisticated capital model or a simpler, yet more tangible, rule-of-thumb approach, it all starts with this step!

Once these limits are set, then you kick off your journey to ERM 2.0.

My mission is to make this journey smooth for you and your company. Want to know more? Contact me via the social media buttons at the bottom of the page.


What is the relationship between risk tolerance and risk appetite?
Risk tolerance is the maximum risk you can take; risk appetite is the maximum risk you want to take. Ideally, tolerance and appetite should be close. If appetite is much smaller than tolerance, chances are that capital deployment is inefficient; if appetite on an aggregated basis exceeds tolerance, your company is at risk. If you want to be more comprehensive, you can add risk bearing capacity to the consideration. Risk bearing capacity is roughly equivalent to the firm’s equity (more on that in another post).

The drawing below illustrates the interplay of “bearing”, “tolerance” and “appetite”.


risk appetite, risk tolerance and risk bearing capacity
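A small consistency check of the three limits, added here as an illustration; it is not code from the original post. The figures (HKD million), the category split and the 70% “efficiency floor” below which appetite is flagged as sitting too far under tolerance are assumptions, and so is summing the per-category appetites without any diversification credit.

```python
"""Consistency check for risk bearing capacity, risk tolerance and risk appetite.

Added example, not code from the original post. The limit values and the
per-category appetites are constructed for illustration. The checks follow
the post's definitions: appetite (what you want to take) should sit inside
tolerance (what you can take), which in turn should sit inside bearing
capacity (roughly the firm's equity). Aggregation is a plain sum, i.e. no
diversification credit between categories (an assumption).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RiskLimits:
    bearing_capacity: float          # roughly the firm's equity
    tolerance: float                 # maximum risk the firm can take
    appetite: dict[str, float] = field(default_factory=dict)  # what the firm wants to take, per category
    efficiency_floor: float = 0.7    # assumption: appetite below 70% of tolerance means idle capital

    def aggregate_appetite(self) -> float:
        """Sum of per-category appetites (no diversification credit)."""
        return sum(self.appetite.values())

    def headroom(self) -> float:
        """Tolerance not yet consumed by appetite; negative means over-committed."""
        return self.tolerance - self.aggregate_appetite()

    def findings(self) -> list[str]:
        """One message per inconsistency; an empty list means the limits hang together."""
        out: list[str] = []
        if self.tolerance > self.bearing_capacity:
            out.append(
                f"tolerance {self.tolerance:,.0f} exceeds bearing capacity "
                f"{self.bearing_capacity:,.0f}: the firm cannot absorb what it says it can take"
            )
        for name, amount in self.appetite.items():
            if amount > self.tolerance:
                out.append(f"appetite for {name} ({amount:,.0f}) alone exceeds tolerance")
        agg = self.aggregate_appetite()
        if agg > self.tolerance:
            out.append(
                f"aggregate appetite {agg:,.0f} exceeds tolerance {self.tolerance:,.0f}: company at risk"
            )
        elif agg < self.efficiency_floor * self.tolerance:
            out.append(
                f"aggregate appetite {agg:,.0f} is well below tolerance "
                f"{self.tolerance:,.0f}: capital deployment is probably inefficient"
            )
        return out

    def is_consistent(self) -> bool:
        return not self.findings()


# Constructed figures (HKD million). Appetite per category is what the board
# signs off; the categories mirror the ones named in the capital-model post.
OVERCOMMITTED = RiskLimits(
    bearing_capacity=1_000,
    tolerance=800,
    appetite={"underwriting": 400, "market": 200, "credit": 100, "operational": 150},
)
IDLE_CAPITAL = RiskLimits(bearing_capacity=1_000, tolerance=800, appetite={"underwriting": 300})
BALANCED = RiskLimits(
    bearing_capacity=1_000,
    tolerance=800,
    appetite={"underwriting": 350, "market": 150, "credit": 100, "operational": 120},
)

if __name__ == "__main__":
    for label, limits in [("over-committed", OVERCOMMITTED), ("idle capital", IDLE_CAPITAL), ("balanced", BALANCED)]:
        print(f"{label}: headroom {limits.headroom():,.0f}")
        for f in limits.findings():
            print("  -", f)
```

The three constructed cases correspond to the three situations in the text: an aggregate appetite above tolerance (at risk), an appetite far below tolerance (inefficient capital) and a balanced set of limits that passes every check. Re-running the check whenever the board refreshes the limits is the “fresh look” the post recommends.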


PS: my multi-part “how to ERM” series started here

How to ERM: Part Three

We have a capital model – do we still need to do ERM?

That sounds like a fair question, doesn’t it? After all, a sophisticated capital model allocates the firm’s available financial resources to different, well-defined risk categories. Operational, market, credit, underwriting – all covered by a state-of-the-art quantitative approach. “Conceptually maybe, but in reality ERM matters more than ever” is my answer to that question.


ERM complements a capital model in several elegant and meaningful ways. Firstly, it adds a discrete, more palpable view to the capital model output. Secondly, some risks are inherently difficult to quantify via a probabilistic model, and a deterministic best estimate is always better than no estimate. Thirdly, some stakeholders prefer a more deterministic approach to quantification. Furthermore, models struggle to cope with the inherent volatility of change of certain risks (see an earlier post HERE about the volatility of change). And last but not least, discrete projections derived from the ERM risk-mapping process are crucial to validate the modelled output.

Top down meets bottom-up

Let’s assume that, based on the output of a generic risk-based capital (RBC) model or your own in-house modelling, you allocate 5% of the firm’s total capital to “operational risk”. What does this mean in reality: is it sufficient or overly conservative for now and, most importantly, how relevant will it be going forward? After all, the capital needs to support past, current and future endeavours of the company. One way to answer these crucial questions is to develop and deploy a set of stress tests to see how strong the framework is.

Keen to know how to go about stress testing? Contact me

ERM is dead – long live EROM !


Of course ERM is not dead, quite the contrary: recent studies show a strong correlation between the quality of a company’s ERM and its stock price. The correlation appears to be worth up to 25% higher company valuation. That is serious money!

However, widespread perception associates something negative with the word “risk”. If you doubt this statement, have a look at Wikipedia’s definition of risk. The majority of descriptors have a negative connotation, such as “loss, injury, damage, negative occurrence, et cetera”.

I look at risk more broadly: my conversations about risk always encompass the upside and the downside. “Risk creates opportunity”, Megrow’s tagline, reflects that mindset. I ask “what else can we do with the glass?” instead of “is it half full or half empty?”.


Therefore, I propose to add the letter “O”, representing OPPORTUNITY, to the ERM terminology. Enterprise Risk and Opportunity Management (“EROM”) is born!

How to ERM: Part Two


A few weeks ago, I published the first part of my ERM-focused meanderings titled “how to ERM, part one”. The previous post outlined the risk-mapping journey leading from an initially long list of risks to a focused, final list reflecting the big bets of a company.

In this post, I share my thoughts on how to take that map and add ‘coordinates’ to make it much more useful. It’s all about numbers. Well, it’s mostly about numbers…..


How to go about the quantification?

One hard-coded rule to start with: we do a first round of quantification on an unmitigated basis, i.e. we estimate the quantitative impact of unexpected outcomes for each risk that made it onto the final list. I use the term “unexpected” to emphasise that unexpected outcomes have an upside as well as a downside. Always remember: “risk also creates opportunity”.

Example: five days of downtime of your e-commerce website costs you HKD 10 million in profit if no mitigating measures are in place. So we put the HKD 10 million next to the risk labelled “web-site down time” into the field “unmitigated impact”.

You get the point: once this quantification is done, we pick the top contributors and work on meaningful mitigation measures. “Avoidance” is a popular term in this context; however, since we are in business, “not doing” is often not an option, so we need to think a little harder about appropriate mitigation efforts.

Back to the example: as a mitigation measure, you have reserved capacity on a third-party platform such as Alibaba, so if your own website is down, you use Alibaba as your platform. The mitigation will allow you to keep selling online; the cost of this measure is the rental for the third-party provider plus some lag in the sales uptake on the temporary platform. And who knows: maybe the new platform turns out to be a gold mine, leading to the abandonment of your old platform!

So What?

The output is a map showing key risks and their impact on the company’s profit and loss statement and balance sheet, both when mitigated and when left unmitigated.
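The quantification described above, together with the stress test of a capital allocation mentioned in Part Three, as an added worked example in Python; this is not code from the original posts. The register entries, the HKD amounts, the 5% operational-risk allocation, the HKD 300 million total capital and the stress multipliers are constructed for illustration; the only figure taken from the post is the HKD 10 million unmitigated impact of “web-site down time”.

```python
"""Quantify the final risk list unmitigated and mitigated, rank the top
contributors, and stress-test a capital allocation against the residual.

Added example, not code from the original posts. Register entries, HKD
amounts, the 5% operational-risk allocation and the stress multipliers are
constructed for illustration; the "web-site down time" entry mirrors the
HKD 10 million example in the post.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str        # capital-model category: operational, market, credit, underwriting
    unmitigated: float   # impact of the unexpected outcome with no control in place (HKD)
    mitigated: float     # residual impact once the planned control is in place (HKD)
    control_cost: float  # what the control costs for the period (HKD)

    @property
    def net_benefit(self) -> float:
        """Impact avoided by the control minus its cost; negative means the control does not pay."""
        return (self.unmitigated - self.mitigated) - self.control_cost


# Constructed final list after the four rounds of mapping.
REGISTER: list[Risk] = [
    Risk("web-site down time", "operational", 10_000_000, 2_000_000, 500_000),
    Risk("key supplier failure", "operational", 6_000_000, 4_000_000, 3_000_000),
    Risk("customer data breach", "operational", 8_000_000, 3_000_000, 1_000_000),
    Risk("adverse FX move", "market", 4_000_000, 1_500_000, 250_000),
    Risk("reinsurer default", "credit", 12_000_000, 5_000_000, 2_000_000),
]


def top_contributors(register: list[Risk], n: int) -> list[Risk]:
    """The n largest unmitigated impacts: these get mitigation attention first."""
    return sorted(register, key=lambda r: r.unmitigated, reverse=True)[:n]


def risk_map(register: list[Risk]) -> list[dict]:
    """One row per risk: unmitigated vs mitigated impact, and whether the control pays off."""
    return [
        {
            "risk": r.name,
            "category": r.category,
            "unmitigated": r.unmitigated,
            "mitigated": r.mitigated,
            "control_cost": r.control_cost,
            "net_benefit": r.net_benefit,
            "control_pays_off": r.net_benefit > 0,
        }
        for r in register
    ]


def exposure(register: list[Risk], category: str | None = None, mitigated: bool = True) -> float:
    """Sum of residual (or unmitigated) impacts, optionally restricted to one category."""
    return sum(
        (r.mitigated if mitigated else r.unmitigated)
        for r in register
        if category is None or r.category == category
    )


def stress_test(register: list[Risk], category: str, total_capital: float,
                allocation_share: float, scenarios: dict[str, float]) -> dict[str, dict]:
    """Scale the residual impact of one category by each scenario multiplier and
    compare it with the capital allocated to that category.

    scenarios maps a name to a multiplier on the residual impact, e.g. 2.0 for
    'controls only half as effective as planned'. Returns, per scenario, the
    stressed loss, the allocation and whether the allocation still covers it.
    """
    allocated = total_capital * allocation_share
    base = exposure(register, category, mitigated=True)
    return {
        name: {"stressed_loss": base * mult, "allocated": allocated, "covered": base * mult <= allocated}
        for name, mult in scenarios.items()
    }


if __name__ == "__main__":
    for row in risk_map(REGISTER):
        print(f"{row['risk']:<22} unmitigated {row['unmitigated']:>12,.0f} "
              f"mitigated {row['mitigated']:>12,.0f} control pays off: {row['control_pays_off']}")
    result = stress_test(REGISTER, "operational", 300_000_000, 0.05,
                         {"as planned": 1.0, "controls half as effective": 2.0})
    for name, r in result.items():
        print(f"{name}: stressed {r['stressed_loss']:,.0f} vs allocated {r['allocated']:,.0f} "
              f"-> covered {r['covered']}")
```

Two things the numbers show that the prose alone does not: the “key supplier failure” control costs more than the impact it avoids, so the map flags it as not paying off, and the 5% operational-risk allocation covers the residual as planned but not when the controls turn out only half as effective, which is exactly the kind of question the stress test is meant to raise with the board.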

Sounds simple? Yes, conceptually it is; however, the true beauty is in the detail. That’s where the experienced ERM practitioner adds value by speeding up the journey. Keen to know more? Contact me @

How to ERM: Part One

Welcome to the inaugural chapter of my “how-to ERM” series! I will share my thoughts and practical advice to make your journey up the risk-maturity ladder more efficient. This first post is about risk mapping, giving some thought to how to separate the wheat from the chaff. Pondering about quantification, mitigation, reporting and adjustment will follow over the coming months, so stay tuned.

Risk Mapping: focus on what REALLY matters

I really enjoy creating risk maps. The task demands lateral thinking, I can interact with different people and creatively challenge their views, sometimes new ideas and opportunities emerge from the journey and the “grit, spit and some duct tape”1 part of it often is good fun.

How to go about it?

I find it useful to apply a disciplined, four-round, iterative approach to come up with a map that matters.

Round 1: Compile a very broad and wide map of risks covering all (yes, all!) functions of the company. Interviews, workshops, brainstorming, e-voting, etc. – all work, provided it is done thoroughly and consistently. It is perfectly OK to go long at this initial stage. People are always eager to share their views on risks; hence this initial round of mapping is usually very straightforward.

Round 2: Condense the list down to approximately 40 entries. At first glance, this looks like a gigantic task, but upon closer inspection it becomes manageable. The guiding principle: “keep what matters at enterprise level”.

Round 3: Now is the time to get serious with senior management! The list is condensed down to approximately 15 entries. McKinsey refers to this as “the firm’s big bets”, a term that describes the list’s focus and relevance very well. The board-approved risk appetite and input from senior management guide this process. Again, an experienced practitioner can ease the process significantly. Ultimately, that “top 15” chart will make it to the board. The board and management will focus on that list, ensure that appropriate mitigation actions are put in place and follow up on relevant progress.

Round 4: At this stage I recommend a preliminary discussion with the risk committee of the board, even if not all risks are quantified and/or sufficiently mitigated. Don’t take offence if new items make it onto the list or your favourite doesn’t get all the attention. After all, boards look at risk differently than senior management; maybe they are more strategically inclined or they put more emphasis on qualitative factors, such as reputation. After round four, the list is good to go and the journey shifts towards quantification.

Here is an example of the selection process: this very website is an important component of the branding and marketing efforts I undertake for Megrow, hence a consideration about “Megrow’s website inaccessible” will be on the initial list. That is, at micro level a “404 page” when accessing the site is undesirable. However, at enterprise level I can live with a few days’ downtime and manage it via an increased presence on social media. In other words, “website downtime” will NOT make it to round three of the process.

Shall we talk about how I can smoothen your journey up the risk maturity ladder? Contact me at

This is risk culture!

1 adapted from the movie Madagascar 2