Risk management principles can help optimize every strategic, operational, financial, and resource decision in pursuit of organizational objectives, but risk management is often relegated to a control on business decision making.
Five influencer groups have culpability in positioning risk management as a control rather than an enabler. Will the repositioning of risk management as a core principle for effective decision making take an evolutionary path or does it need a full makeover? A review of the macro dynamics of these five stakeholder groups that define risk management offers some signs for future progress.
1. Risk Management Defined by Insurance Industry Trends
While insurance represents just the transfer portion of enterprise risk response REITA options (reduce, eliminate, ignore, transfer, or avoid), direct spending on gross insurance premiums totaled 8% to 9% of GDP in OECD nations over each of the past ten years.
The sheer magnitude of insurance expenditures demands focused expertise within business enterprises to manage the intricacies of insurance coverage portfolios. For many businesses, insurance policy management is the primary, or even sole, focus of risk managers.
In these cases, the role of risk management in decision making is a binary control dependent on policy coverage. Are we covered or not? Can we move forward or not?
As noted in our June 15th post, Can your Enterprise Risk Manager Handle the Role Tomorrow?, an insurance market primarily addressing physical asset hazards was fine for protecting enterprise value in the bygone economy based on manufacturing and bricks-and-mortar operations. Most of today’s business value, however, exists in the intangibles of information in the cloud, intellectual property, and brand reputation. The latest Ocean Tomo analysis placed the intangible value of S&P 500 corporations at 87% in 2015 versus 17% in 1975.
The insurance industry has struggled to develop standard products for cybersecurity and reputation risks, but its best inroads for intangible value coverage involve innovative partnerships with public relations firms and cybersecurity experts that integrate risk assessments, crisis planning, and crisis management offerings with insurance coverage.
Airmic’s June conference speakers warned that insurance is still far from serving today’s enterprise risk management needs. The insurance industry is on a path of evolving the positioning of risk management from “Are we covered?” to “Are we prepared?”
2. Risk Management Defined by Industry Analysts
In the wake of corporate management and accounting scandals, including Enron and WorldCom, Sarbanes-Oxley (SOX) set standards and regulations for management and reporting accountability. The industry analyst community assessed the demand for greater transparency and meshed the key concepts of risk management and controls. Michael Rasmussen, in particular, assessed the challenges from his perspective as a Forrester Research analyst at the time and outlined the potential for consultants and software vendors to support the integration of governance, risk management, and compliance (GRC) to elevate ethical decision making.
While GRC components are inextricably linked for the purposes of assuring effective controls on decision making, the power of risk management as a decision enabler tends to be lost in the broader scope of GRC. The potential fines and penalties associated with SOX and ensuing regulations were the driving force behind U.S. investments in GRC software and business processes.
The market acceptance of the GRC acronym became a convenient tag for Gartner and other analyst firms to apply to anything associated with risk management. Most of these firms are still struggling with how they apply the GRC term to functional or specific risk source categories (e.g., financial GRC, IT GRC, and eGRC).
The GRC concept presents a useful model for connecting enterprise functional responsibilities for accountability and adherence to governance demands and regulatory requirements. Risk management, however, must also define its standalone value for optimizing decision making. The analyst perspective needs a makeover and will be aided by those like Intelligent Management Trends that seek to bend the market value of risk management back toward supporting effective decision making in the context of business objectives.
3. Risk Management Defined by Vendors
Risk management consulting offerings can range from risk assessment services and organizational consulting to decision support and insurance advisory services. The Big Four and other large networked advisory firms tend to address risk management more holistically, but they also follow the money. The money in this case concentrates on advancing financial risk management in the financial sector, as well as ensuring regulatory compliance across industry sectors.
As for risk management software vendors, up to this point they have focused on what technology historically does best: manage data and enable repeatable, well-established processes. Most use the GRC acronym and gravitate to risk registers, regulatory libraries, and compliance assurance. Others, like risk management information systems (RMIS), were originally developed to enable efficient claims processing.
Some of the GRC and RMIS vendors are now evolving to integrate decision support based on risk management principles. Other risk software vendors founded on more holistic ERM concepts are already there. You can access IMT’s complimentary Perspective “Defining an Enterprise Risk Management Vendor” using the following link for more information on the vendors now positioned as, or evolving to become, true risk management vendors.
While the core historical value of technology is data management and business process enablement, augmented intelligence is quickly emerging as an additional value to support decision making. This is an opportunity for vendors to align risk management concepts more directly with efficient business decision making.
4. Risk Management Defined by Industry Standards
With the backdrop of corporate ethical failures and financial failures, industry risk management standards such as ISO 31000, COSO Enterprise Risk Management, and the King Reports have set definitions and guidance for identifying, assessing, and addressing enterprise risks over the past fifteen or so years. Auditors and regulators have used these guidelines to assure effective controls, accountability, and compliance are in place within corporate entities.
ISO, COSO, and King IV entered revision processes in the past few years with calls for more practical directions for implementing risk management in support of decision making. Tim Leech of Risk Oversight Inc. is one leading voice advocating a shift of standards to focus on objective-centric ERM.
Despite the calls for a new emphasis on objectives and decision making, the standards organizations seem to be opting for a simpler presentation of the existing process guidelines to aid the communication of core concepts rather than shifting the underlying perspective of risk management. The future direction for standards seems to be an evolutionary path, but the debate among risk professionals on risk management value will continue to build pressure for change.
5. Risk Management Defined by Risk Managers
The future direction of risk management depends on the emergence of new risk managers. The general trends of the insurance industry, industry analysts, vendor offerings, and the standards organizations may exert heavy influence, but risk managers will determine the practical application of risk management principles within their own organizations.
Our last blog post explored the potential skill sets for future successful enterprise risk managers. IMT is optimistic a new breed of actuaries or other quantitative risk management analysts can emerge with enough creativity and practical experience to accelerate the use of risk analysis in decision making processes across all business functions.
Since experience is a key qualifier, changes driven by risk managers may evolve in the next few years until more revolutionary risk managers develop the capability to leverage new data sources and analytical tools enabled by emerging data acquisition, AI, and visualization technology.
Risk management associations will provide the communication platform for advancing decision- and objective-focused practices among risk managers.
A Risk Management Value Evolution or a Makeover?
If the value of risk management is to shift from a control to a decision-making enabler, the five influencer groups and macrotrends outlined above point to an evolutionary process on balance. The greatest hope for faster change lies with a refocused insurance industry, emerging machine learning technology, and a potential new breed of risk managers who can apply risk quantification across enterprise risk sources.
Perhaps new terminology and acronyms are needed to accelerate more risk-aware decision making in support of enterprise objectives, but there is no need to add more confusion when the core principles of risk management already provide the basis for increasing management proficiency. This Ixnay Ceteris Paribus blog is dedicated to highlighting the trends that integrate risk management principles, management best practices, technology, and burgeoning data sources to enable optimized decision making.
Risk management should not be a control. Instead, it should underlie the process for identifying where the marginal return equals the marginal cost of taking risks in support of enterprise objectives. Scenario analysis is making inroads into corporate boards, offering an opening to accelerate the effort to build robust, or anti-fragile, organizations and decision-making processes based on risk management principles.