Risk Team Structures: Formal or Informal?

Risk Team Structures: Formal or Informal? Getting the Risk Mgmt Job Done Under Any Model Chris Mandel, Former President, RIMS 2003 Risk Manager of the Year


Transcript of Risk Team Structures: Formal or Informal?

Page 1: Risk Team Structures: Formal or Informal?

Risk Team Structures: Formal or Informal?

Getting the Risk Mgmt Job Done Under Any Model

Chris Mandel, Former President, RIMS 2003 Risk Manager of the Year

Page 2: Risk Team Structures: Formal or Informal?

What Do Many Risk Managers Do?

• Buy Insurance

• Supervise Safety

• Handle Claims

• Administer Insurance Policies

• Report to Management on:

– Losses

– Insurance marketing results

– Loss Prevention Programs

Page 3: Risk Team Structures: Formal or Informal?

What Do Some Risk Managers Do?

• Identify Hazard Related Exposures

• Identify and negotiate insurance product solutions to finance related risks and move them to third party insurers

• Hope to get the policies in less than 6 months

• Assess where prevention techniques are most useful and worthy of resourcing and make the business case to management for funding

• Aggressively attempt to minimize the payment of loss dollars for claims and litigation, especially those self insured, to minimize the cost of risk.

• Report to management on premium and claim dollars saved, losses prevented and the total cost of risk against a typically industry-based benchmark

• Work with brokers and selected internal functions, to achieve all of the above

Page 4: Risk Team Structures: Formal or Informal?

What 2 Things Should Risk Managers Do?

• Be well versed in all key aspects of core company operations, key staff functions and business strategy that generate, or have the potential to generate, the most significant exposures to the firm.

• Apply a comprehensive and customized risk management model to all significant or material risks, operational, financial or business/strategic and regardless of whether insurable or not.

Page 5: Risk Team Structures: Formal or Informal?

The Risk Management Model

• Identify all significant or material risks to the enterprise

• Assess the magnitude of each risk to confirm materiality

• Measure each risk quantitatively or qualitatively to establish trackable metrics

• Develop and implement mitigation strategies for each risk that reduce risk values to acceptable levels and ensure that each strategy is effective

• Monitor and report to relevant interested parties the information each needs to manage their aspect of the business

Page 6: Risk Team Structures: Formal or Informal?

Risk Team Structures

“Risk Management structures are usually tailored to an individual company and reflect the nature, likelihood and magnitude of risk faced by the company.” *

To accomplish the risk mgmt mission, certain key functions must be performed. They can be achieved by both formal and informal team structures, by either dedicated or part-time, in-house or external resources.

However, the key to successful risk management execution is to form, develop and align with your strategy, the right internal and external partnerships with key risk stakeholders and risk owners.

Three Primary Approaches and the Relevant Criteria to Consider:

- Traditional

- Progressive

- Advanced

Page 7: Risk Team Structures: Formal or Informal?

Traditional Approach

• Hazard Focused

• Insurance solution oriented

• Limited perspective on the risks of the entity

• Heavily dependent on intermediaries

• Low to medium management priority

• No to low governance priority

• Executable with dedicated, part time or outsourced resources

Page 8: Risk Team Structures: Formal or Informal?

[Organization chart: Traditional Risk Management Model. Boxes: CEO; Finance or Legal Sub-Depart. Head; FT Risk Manager or Officer; Claim Function; Benefit Function; Risk Financing Function; Business Continuity Function; Safety Function; Security Function; Captive Administration]

Page 9: Risk Team Structures: Formal or Informal?

Pros and Cons

First, remember that each company’s needs drive the response to this question.

Pros:

• Narrow focus easier to execute well

• Well understood sources of loss; readily available solutions to finance and transfer

• Much available talent to manage

Cons:

• Ignores what are likely to be the most significant risks to the firm

• Heavy dependence on third parties may jeopardize effectiveness

Page 10: Risk Team Structures: Formal or Informal?

Progressive Approach

• Recognizes the need to look beyond insurable risks

• Recognizes process ownership

• Recognizes that process owners can’t be risk owners and that risk owner engagement is critical to successful risk management

• Higher management and governance priority attached to managing risk

• Less executable with heavy dependence on external sources of expertise

• Success depends on full time dedicated, internal expertise trusted by management and governance

• Recognizes the need for alignment with key risk stakeholders

Page 11: Risk Team Structures: Formal or Informal?

[Organization chart: Progressive Risk Management Model. Boxes: CEO; Finance or Legal; FT Risk Manager or Officer; Corporate Insurance Process Including Captive; ERM Process; Risk Owners; Risk Owners; Business Continuity Function; Claim Function; Security Function; Benefit Function; Safety Function]

Page 12: Risk Team Structures: Formal or Informal?

Pros and Cons

Pros:

• More likely to be prepared for uninsurable events

• More management and governance attention to risk issues

• Less dependency on third party services

Cons:

• Usually in the developing stage and often difficult to sell and gain permanent traction with management

• Difficult to find external sources of expertise that comprehensively understand the firm’s exposures and how they can best be managed

Page 13: Risk Team Structures: Formal or Informal?

Advanced Approach

• “C suite” power base with other key functional leaders

• Full acceptance of need for comprehensive, state-of-the-art and urgent risk management methods, tools and techniques

• Clear delineation between process and risk ownership

• Recognition of insurance as just one of many mitigation strategies

• Typically complete integration with strategic planning processes

Page 14: Risk Team Structures: Formal or Informal?

[Organization chart: Advanced Risk Management Model. Boxes: CEO; CFO; Chief Risk Officer; General Counsel; Other Senior Officer; Enterprise Risk Process; Business Risk Owners; Financial Risk Owners; Operational Risk Owners; Business Continuity Function; Corp Ins Function; Security Function; Benefit Function; Safety Function]

Page 15: Risk Team Structures: Formal or Informal?

Advanced Approach

Pros:

• Surfaces key risk issues quickly and effectively

• Evidences engagement by all key risk stakeholders and owners

• Minimizes the likelihood that risk values will exceed tolerances or that controls will be less than effective

Cons:

• Expensive to implement

• Expertise difficult to find and keep

• CRO as scapegoat for all that goes wrong

Page 16: Risk Team Structures: Formal or Informal?

Relevant Criteria for Selecting Your Approach

Criteria:

• Company Risk Profile and Tolerance for Risk

• Company Size and dispersion

• Operational and Strategic Complexity

• Company Structure and Management Style

• Sources and likelihood of large or catastrophe losses

• Availability of Reliable, Accurate Data

• Governance Expectations for controls and reporting

• Management expectations for controls and reporting

• Sources and costs of expertise within or available to the firm

• Level of concern for control over sensitive information

Page 17: Risk Team Structures: Formal or Informal?

Key Risk Stakeholders

[Diagram labels: Planning Process; Engineering; Compliance; Internal Audit; RM Framework; Business Unit; Risk Owners; Risk Management]

Page 18: Risk Team Structures: Formal or Informal?

Keys to Cross Functional Effectiveness

• Clear understanding of how “risk” is defined

• Clear communication of risk management processes

• Clear articulation of risk stakeholder process roles, timelines and deliverables

• Regular and meaningful communication on key risk issues

• Processes for incenting and measuring accountability

• Getting the right information and data to the right people at the right time for the right reasons

Page 19: Risk Team Structures: Formal or Informal?

Risk Management Best Practices

• Truly Business-Critical Exposures are best identified and mitigated by line.

• Risk aggregation is a key role for the risk management process owner.

• The ERM COE ensures proper tools for rigorous measurement and quantification of risks, and helps drive incentives to elevate risk mitigation.

• Embedding risk management in existing process.

• A more disciplined approach to risk communications.

• Risk reporting should be specific to the target audience.

Source: CFO Working Council

Page 20: Risk Team Structures: Formal or Informal?

Best Practices (cont’d)

• Use standardized templates and key future market conditions assumptions

• Key earnings drivers and mitigation strategies for low probability, high-impact scenarios tested for resilience

• Process leverages cross-functional expertise

• Assign owners for each critical mitigation step

• Updated assessments of risk and opportunities are embedded in core reporting processes

• Require business unit and functional leaders to defend risk mitigation performance to Board and CEO directly

• Balanced scorecards & incentives calculations used to evaluate and reward mitigation performance

Source: CFO Working Council

Page 21: Risk Team Structures: Formal or Informal?

Why Risk Mgmt Initiatives Fail

• Lack of CEO and executive sponsorship

• Poor communication culture and/or high level control environment divorced from business objectives

• Unclear roles/responsibilities/organizational structures

• Poorly defined/inconsistent risk policy

• Undefined risk universe and no common language

• Poor/inconsistent operational risk identification process

Source: 2003 KPMG Operational Risk Study

Page 22: Risk Team Structures: Formal or Informal?

Why Risk Mgmt Initiatives Fail

• No linkage of risks to the control framework

• Over-engineered risk measurement and evaluation

• Reporting templates that do not integrate with business requirements

• Unclear escalation channels

• Poor action-tracking and project management systems

• Poor education and communications programs

Source: 2003 KPMG Operational Risk Study