COSO ERM Framework – One Year After the Update

The COSO ERM framework update

COSO released a significant update of its well-known ERM-framework in late 2017. An executive summary is accessible on their website.  The ERM community, especially the “COSO-istas” most eagerly awaited the update. Additionally, the wider stakeholder community was excited to see how the new framework will benefit businesses.  I’m a fan of COSO because their approach is forward looking and tries to integrate strategy and performance with Enterprise Risk Management.

So far so good.

who is the target?

Once I started reading the executive summary, a few questions came to my mind. First, who is the target audience? Second, how many ERM-sceptics can this update convince? And lastly, where are the increased, practical benefits of this version versus its predecessors? I’ve shared some of my supportive and critical views about the new framework in a few blogposts.

gnōthi seauton

Lo and behold, pwc, one of the key contributors to the revision, published a blog reflecting on the “so what” question one year after the update. I really like the open and candid views in that blogpost. Hurdles, miss-conceptions, prejudices, resistance to change… not surprisingly, it’s all there. My advice: “NEVER EVER GIVE UP”.  Having said that, it is no surprise to me that “take up” of the new framework probably isn’t where the authors envisaged it.

and now?

Talking to practitioners and clients across Asia, I noticed that the new framework needs significantly more marketing. It appears not to be known (almost) at all. Out of the many people I spoke to, only ONE (yes 1) appears to have read the new framework.

I have a few suggestions

  1. The effort to summarise the entire approach into a picture is a great endeavour. However, this double-triple helix (*) needs to be simplified and made more tangible. Only then, business leaders will buy into it. In plain simple English: the current depiction is too complicated.

    COSO ERM framework update
    the COSO ERM double triple helix
  2. Nothing beats tangible, $$$-denominated examples. Concepts and frameworks are great, but ultimately businesses will only buy into it, once they see tangible top and bottom line benefits. Preferably, these benefits are palpable within the coming quarter or two.  Dear reader: I “hear” you screaming that ERM is a long-term strategic undertaking,,,, but after all,,,,, sales and results drive a business.
  3. I’m also cognisant that a special compendium with “real life” cases has been released. However, why do we need to buy and read even another document to convince us that the first document (the framework) is a good thing? Somehow counter-intuitive..
megrow

Whenever I speak or write about ERM, I make a point to emphasise the tangible benefits of good ERM for the business. The benefits come in various shapes and forms:

  1. better understanding of new risks can be transformed into new business
  2. better ERM contributes to positive credit rating evaluation, which will lower capital costs and open doors to new business as well
  3. properly managed Cyber exposures protect the downside and can lead to new business opportunities, too
  4. good ERM will lower compliance cost

    Keen to know more? Contact Megrow via the “buttons” at the bottom of the site and stay tuned for new blogs on www.megrow.asia


    (*) the picture is used with permission from COSO as stated on their website.


ERM – The Benefits

ERM done – so what

I’ve shared some technical and practical considerations about ERM in a few previous blogposts. This episode addresses the most important topic: “ERM done – so what”. Whenever I talk about Enterprise Risk Management, I emphasize on its tangible benefits. ERM is about managing downside and creating opportunity.

The picture below displays a wide, although not complete, stakeholder landscape and the tangible benefits of good ERM. The regulatory, governance and credit rating agency related values are clear. Furthermore, an optimal alignment of risk appetite and capital possibly supports increased risk taking. So far, all so good.

good ERM - happy stakeholders
all stakeholders profit from good ERM
cyber

IMHO Cyber Risk is one of the best cases in point to illustrate practical benefits of ERM; two aspects:

  1. Firstly, the defensive angle: companies must prepare to deal with Cyber attacks as an “entirety”, silos don’t work. This is relatively new category of risk(s), hence it requires some subject matter expertise and a very diligent look “across” the entire organization. Megrow has done Cyber risk mapping with clients (and for its own good – just to state the obvious). I will not dwell on that here. However, if you are interested in good Cyber-webinars, I highly recommend FireEye.com – excellent!
  2. Secondly, the opportunity angle. Let’s assume an insurer covers small and medium sized enterprises. Very many of these clients could and should do more to identify and manage Cyber risks. Buying Cyber insurance is only one mitigating factor. How can the insurer provide additional value and services for this type of risk? The principles of Cyber Risk management are rather universal. In other words, if an insurer has a good grip on its own Cyber risk landscape, this knowledge can become part of its service offering to insureds. This works exactly the same way as traditional loss prevention services that insurers offer their customers. Any sales person of that insurance company will be more than pleased to have an additional service ace in his/her sleeve!

 

In other words, we killed two birds with one ERM-stone. Thorough ERM helps this insurer manage potential downside risk of Cyber and enhances the company’s value proposition to its customers. It doesn’t get much better than this!


ERM – It’s All About Strategy!

NO, it isn’t.

I have sympathy with directors who complain about boring red-amber-green risk heat maps. How do we engage directors for Enterprise Risk Management? COSO and other opinion leaders have taken a great step into the right direction with the new COSO framework. Linking risk and opportunity to strategy and performance is the right way to go. I have shared some thoughts about the 2017 update  in previous blogposts.

however

By its very nature Enterprise Risk Management looks at the entire enterprise. Hence, we need to find a way to cover the micro, such as smaller operational risks AND the macro, such as the really significant risks and opportunities. Then ERM truly becomes “E”. When I accompany customers along their ERM journey’s, I really make sure we cover the entire spectrum. Otherwise we miss out on either end. And btw – that’s the beauty and the challenge of doing good ERM….

and the benefit is

I still have two bones to pick with some of the proponents of the ‘new’ ERM. Firstly, strategy is very important, but let’s not forget all the other, smaller risks! Many a little makes a mickle. And secondly, we need to up the ante in terms of communicating the tangible benefits of ERM. Concepts are great to understand a matter. However, a board of directors or a CEO will want to see expected tangible benefits before engaging a CRO. When writing about ‘tangible benefits’ in a business context, I’m clearly referring to a measurable impact on either sales or profits and preferably on both. These benefits must be on top of the well-documented benefits of good ERM with regards to credit rating or reduction of compliance costs.

Keen to know how my work benefits your company? Contact me via the social media buttons below or directly at reto.brosi@megrow.asia

 

The COSO ERM Update – Megrow Starts the Dissection

The COSO ERM Update – So What?

COSO, together with a number of partners, published the much anticipated ERM-framework update a few months back. I blogged about it the moment it was hot off the press.

The dust has settled, it’s time to dig a little deeper and ponder about the actual impact of the update. The executive summary of the press release already spans 16 pages, giving us an indication about the complexity of the task the authors have tried to tackle.

I decided to look at the new framework from two angles. First: what does it mean to the “converted”, i.e. the ERM practitioners who are familiar with the matter and second, how does an ERM-skeptic (yes, they exist in large numbers… ) look at the new framework and more importantly would it convince him or her to become an ERM-believer?

for the converted

For the “converted” it seems to makes sense. The world has moved on, risks have become more complex, Cyber, IoT and other hot topics were not on the agenda 14 years ago when the original framework was published.

Furthermore, linking ERM to strategy and ultimately to performance also is the right thing to do. After all, elaborately conceived risk heat maps that end up in drawers don’t contribute much to a company’s performance. Boards have become bored with just looking at risk maps, showing numbers in red, amber and green.

And lastly, to counter the ever-increasing complexity of risk with a set of principles is probably the only way to go about it. It is impossible to define universal, detailed standards for today’s and tomorrow’s rapidly evolving risk landscape. Taking the “principles” route is an easy way around being tangible – this criticism of the new framework is heard often.

for the non-converted

stay tuned, update coming soon.



 

ERM and THE NEW NORMAL

another new normal?

“The New Normal” is a popular theme in the insurance industry. What does it actually mean? And how do ERM and the New Normal go together?

The word “new” implies that matters have changed – so far so good. What about the term “normal”? One meaning of the word “normal” is “as expected”. Here it gets difficult when e.g. looking at data that indicates an ever-increasing frequency of hurricane landfall (cf ref below). In other words, the “new normal” is probably closer to the “new abnormal”.

I therefore coined the phrase “the ever-increasing volatility” to describe the challenge and opportunity of the re-/insurance industry.

How can businesses deal with increasing volatility? Portfolio planning and steering is one approach; in layperson’s terms it’s all about “take more different bites and take smaller bites”. A second solution is to harvest from good Enterprise Risk Management practice and a third approach leverages partnership between reinsurers and insurers that go beyond the provision of capacity.

Good Enterprise Risk Management creates a number of tangible benefits. Firstly, companies that practice good ERM are more robust to withstand shocks. Secondly, companies with strong ERM are more profitable than their peers with average or poor ERM-practice. And last but not least, companies with good ERM demand a higher valuation. Most recent data point at a 20% uplift in company valuation through good ERM!

Keen to know more about the benefits of ERM? Read my blog posts here.

AM Best was kind enough to interview me during the 14th Singapore Reinsurance Conference (“SIRC“) early November 2017.

the interview

Watch the 3+ minutes interview HERE. Thanks to AM Best for having me.


Diana Dorahy and Reto Brosi @ SIRC
with Diana Dorahy of AM Best

 

 

 

 


  • http://www.air-worldwide.com/Blog/How-Often-Are-There-2-U-S–Major-Hurricanes-in-2-Weeks-/


 

ERM and CREDIT RATING

ERM links to Credit Rating

Have you ever wondered how ERM links to Credit Rating? One is about financial stability (or debt repayment capabilities to be precise) and the other one deals with potential upside and downside of the business. So where is the link?

ERM as a key component

AM Best’s rating methodology outlines the connection very well . The picture below depicts the importance of good ERM as one of the rating adjustment factors. For example, if your ERM efforts are very good, the rating can increase by one notch  (the +1 in the ERM box). However, if your ERM efforts falls short of expectation, there is a potential of 4 notches downward adjustment (the “-4” in the box).

At first glance, it appears a daunting task to embed ERM into a rating process. The crux of the matter is to set-up a robust process and then use it, learn from the outcomes and amend as you go along. I have described the steps in setting up a ERM framework in several blog posts. Credit rating agencies look for the robustness of the ERM-approach. Furthermore, they seek evidence  that ERM is an integral part of strategy setting.

As an experienced ERM-practicioner and business executive who has dealt with rating agencies for several years, I’m well positioned to support you in making the ERM-Credit Rating link effective.

Keen to know more? Contact me via the social media buttons or directly reto.brosi@megrow.asia

btw: Picture is taken from publicly available material. 



 

Hong Kong – ERM on the Move

RBC on the horizon

In the run-up to the introduction of the RBC regime, Hong Kong’s recently established independent insurance regulator (“IA”), has issued this circular. Specifically, the regulator encourages all authorized insurers to participate in a first, quantitative impact study (“QIS 1”). The IA has given a challenging deadline for submission: the report is due by 01 December 2017.

ERM on the Move

Amongst many other things, HK-based insurers need to provide their “top 10” operational risk events by loss amount.

If they have these data at a simple push of a button, that’s great, but what if they don’t? Enterprise Risk Management enters the stage here. Risk reporting is a key feature of any good ERM framework. Furthermore, risk reporting will become a standard feature under Hong Kong’s evolving insurance regulation. Hence, it is the right time to set-up a risk register now and profit from easy reporting in the future.

In addition, a good risk register is as good as “half way there” to set up an ERM-framework. Do you know that companies with good ERM practice are valued approximately 20% higher compared to peers with sub-standard ERM? That sounds like a good investment to me.

SO WHATs NEXT?

Setting-up a risk register can be a daunting task. How broad and detailed should a good risk register be? What is the right balance between high level views and the necessary attention to details? How do I balance management views with the risk perceptions of the board of directors? And last, but not least: how do rating agencies and regulators look at risk?

My blog posts describe the journey of risk mapping.

My Contribution

How do you get ERM on the Move? Wouldn’t it be nice to have a pre-populated risk list? Or some industry benchmarks to start with? No need to reinvent the wheel, right?

That’s exactly where I, as an experienced industry and risk professional, come in to make your journey to a good risk list, efficient, smooth and effective. I’d be happy to tell you more how I will accelerate your ERM-journey. Contact me at reto.brosi@megrow.asia or via any of the social media buttons at the bottom of the page.



 

The Connection between Compliance and ERM

Same Same or Different?

A recent article in the South China Morning Post caught my interest. A company apparently failed to comply with certain disclosure requirements. This made me think about the perennial question what is the relation between Compliance and ERM (“Enterprise Risk Management”)?

Wikipedia defines compliance as conforming with stated requirements. These requirements can be external, such as codes and legislation, or internal, such as guidelines and rules.

I take the view that good ERM ensures, amongst other things, that all the necessary internal rules are in place. Furthermore, the rules must be robust and  management looks at “risk” from a strategic perspective. The focus is on “necessary”, i.e. it matters to have the appropriate quantity of rules. A flood of rules  is not a good idea, and having too few rules isn’t a smart choice, either.

Compliance is one aspect of risk management, since it focuses on avoiding breaches and trespassing of rules. So how does ERM come into play?

Test it!

A thorough ERM-process will ensure that the major risks of a company are appropriately defined and mitigated. If non-compliance with certain rules is defined as a significant risk of a company, then a sound ERM framework will check the corresponding set of rules at great length and detail. Often, the risk management team will use discrete scenario analysis to estimate the impact. For example, non-compliance with a certain external rule/code might result in a fine. ERM will quantify a range of possible fines and ensure that mitigation measures are in place. Risk Management will also need to stress test the mitigation measures to ensure that they work as desired.

So?

Let’s abstract the said case a little and run it through an ERM process. During the risk identification process, the compliance function would have come up with a risk category called something like “failure to comply with external rules”. If the compliance function didn’t come up with this risk category then the Risk team should guide the colleagues accordingly. In a second step, this “failure to comply” needs to be quantified. How to quantify such a scenario? Since no probabilistic models might be available for “fines”, it may suffice to define a few discrete scenarios and put a monetary estimate to each one. Subsequently, the compliance team comes up with mitigating factors, such as defined escalation and notification procedures. Then the ERM-function will stress test these mitigation efforts to ensure that they actually work in practise.

Megrow’s Service

An experienced outside party, like Megrow, will contribute very significantly in making the ERM-process cost efficient and effective. Keen to know more? Contact me under reto.brosi@megrow.asia or via any of the social media links at the bottom of the page



 

Keep It Simple

I am a fan of simple smart communication. I’ve expressed my admiration for Lucy Kellaway from the financial times in a previous blog.

Another great source of inspiration is the blog written by two communication professionals from Switzerland. They started out a while ago. Now they have taken it a step further – see what they in their most recent publication has to say.

Always remember: keep it simple!



 

Disruption or Innovation?

The Future

Much is “twittered” and “linkedined” about how fintech will reshape the insurance industry. No doubt there is massive potential for efficiency gains. Additionally, the outputs created by artificial intelligence will affect jobs for many insurance practitioners and innovations such as self-driving cars will alter the landscape of the entire insurance industry.

Uber-Insurance ?

Airbnb for instance, is successful because it offers the ENTIRE value chain of the temporary lodging industry. Research, booking, payment, pre- and after- sales service and the actual service of temporary lodging – all is there. And the same logic applies to Uber.

Most Insutech efforts appear to aim at improving parts of the value chain, which is a great effort in itself, but I doubt that it will lead to an Uber-style disruption.

audiatiur et altera pars

I recommend an article, written by Dr. Schanz,  on this topic: head over to their website to get a view from the “other side” on this highly interesting issue.

and one more:

Munich Re recently published another good read on the topic. Head over to their website and note the indication of “approximate reading time” right next to the article. That is an interesting concept of managing visitor’s attention.

https://www.munichre.com/topics-online/en/2016/11/digital-generation?ref=social