Risk Team Structures: Formal or Informal?
Getting the Risk Mgmt Job Done Under Any Model
Chris Mandel, Former President, RIMS; 2003 Risk Manager of the Year
What Do Many Risk Managers Do?
• Buy Insurance
• Supervise Safety
• Handle Claims
• Administer Insurance Policies
• Report to Management on:
– Losses
– Insurance marketing results
– Loss Prevention Programs
What Do Some Risk Managers Do?
• Identify hazard-related exposures
• Identify and negotiate insurance product solutions to finance related risks and move them to third-party insurers
• Hope to get the policies in less than 6 months
• Assess where prevention techniques are most useful and worthy of resourcing, and make the business case to management for funding
• Aggressively attempt to minimize the payment of loss dollars for claims and litigation, especially those self-insured, to minimize the cost of risk
• Report to management on premium and claim dollars saved, losses prevented and the total cost of risk against a typically industry-based benchmark
• Work with brokers and selected internal functions to achieve all of the above
What 2 Things Should Risk Managers Do?
• Be well versed in all key aspects of core company operations, key staff functions and business strategy that generate, or have the potential to generate, the most significant exposures to the firm.
• Apply a comprehensive and customized risk management model to all significant or material risks (operational, financial or business/strategic), regardless of whether they are insurable or not.
The Risk Management Model
• Identify all significant or material risks to the enterprise
• Assess the magnitude of each risk to confirm materiality
• Measure each risk quantitatively or qualitatively to establish trackable metrics
• Develop and implement mitigation strategies for each risk that reduce risk values to acceptable levels and ensure that each strategy is effective
• Monitor and report to relevant interested parties the information each needs to manage their aspect of the business
Risk Team Structures
“Risk Management structures are usually tailored to an individual company and reflect the nature, likelihood and magnitude of risk faced by the company.” *
To accomplish the risk mgmt mission, certain key functions must be performed. They can be achieved by both formal and informal team structures, by either dedicated or part-time, in-house or external resources.
However, the key to successful risk management execution is to form, develop and align with your strategy the right internal and external partnerships with key risk stakeholders and risk owners.
Three Primary Approaches and the Relevant Criteria to Consider:
- Traditional
- Progressive
- Advanced
Traditional Approach
• Hazard focused
• Insurance solution oriented
• Limited perspective on the risks of the entity
• Heavily dependent on intermediaries
• Low to medium management priority
• No to low governance priority
• Executable with dedicated, part-time or outsourced resources
[Figure: Traditional Risk Management Model org chart. CEO > Finance or Legal Sub-Department Head > FT Risk Manager or Officer > Claim Function, Benefit Function, Risk Financing Function, Business Continuity Function, Safety Function, Security Function, Captive Administration.]
Pros and Cons
First, remember that each company’s needs drive the response to this question.
Pros:
• Narrow focus is easier to execute well
• Well-understood sources of loss; readily available solutions to finance and transfer
• Much available talent to manage
Cons:
• Ignores what are likely to be the most significant risks to the firm
• Heavy dependence on third parties may jeopardize effectiveness
Progressive Approach
• Recognizes the need to look beyond insurable risks
• Recognizes process ownership
• Recognizes that process owners can’t be risk owners and that risk owner engagement is critical to successful risk management
• Higher management and governance priority attached to managing risk
• Less executable with heavy dependence on external sources of expertise
• Success depends on full time dedicated, internal expertise trusted by management and governance
• Recognizes the need for alignment with key risk stakeholders
[Figure: Progressive Risk Management Model org chart. CEO > Finance or Legal > FT Risk Manager or Officer > Corporate Insurance Process (including Captive) and ERM Process, each with its Risk Owners; supporting functions: Business Continuity, Claim, Security, Benefit, Safety.]
Pros and Cons
Pros:
• More likely to be prepared for uninsurable events
• More management and governance attention to risk issues
• Less dependency on third-party services
Cons:
• Usually in the developing stage and often difficult to sell and gain permanent traction with management
• Difficult to find external sources of expertise that comprehensively understand the firm’s exposures and how they can best be managed
Advanced Approach
• “C suite” power base with other key functional leaders
• Full acceptance of need for comprehensive, state-of-the-art and urgent risk management methods, tools and techniques
• Clear delineation between process and risk ownership
• Recognition of insurance as just one of many mitigation strategies
• Typically complete integration with strategic planning processes
[Figure: Advanced Risk Management Model org chart. CEO > CFO, Chief Risk Officer, General Counsel, Other Senior Officer > Enterprise Risk Process > Business Risk Owners, Financial Risk Owners, Operational Risk Owners; supporting functions: Business Continuity, Corporate Insurance, Security, Benefit, Safety.]
Advanced Approach
Pros:
• Surfaces key risk issues quickly and effectively
• Evidences engagement by all key risk stakeholders and owners
• Minimizes the likelihood that risk values will exceed tolerances or that controls will be less than effective
Cons:
• Expensive to implement
• Expertise difficult to find and keep
• CRO as scapegoat for all that goes wrong
Relevant Criteria for Selecting Your Approach
Criteria:
• Company risk profile and tolerance for risk
• Company size and dispersion
• Operational and strategic complexity
• Company structure and management style
• Sources and likelihood of large or catastrophe losses
• Availability of reliable, accurate data
• Governance expectations for controls and reporting
• Management expectations for controls and reporting
• Sources and costs of expertise within or available to the firm
• Level of concern for control over sensitive information
Key Risk Stakeholders
[Figure: Key Risk Stakeholders diagram showing Risk Management and the RM Framework at the centre, surrounded by Planning Process, Engineering, Compliance, Internal Audit and Business Unit Risk Owners.]
Keys to Cross Functional Effectiveness
• Clear understanding of how “risk” is defined
• Clear communication of risk management processes
• Clear articulation of risk stakeholder process roles, timelines and deliverables
• Regular and meaningful communication on key risk issues
• Processes for incenting and measuring accountability
• Getting the right information and data to the right people at the right time for the right reasons
Risk Management Best Practices
• Truly business-critical exposures are best identified and mitigated by the line.
• Risk aggregation is a key role for the risk management process owner.
• The ERM COE ensures proper tools for rigorous measurement and quantification of risks, and helps drive incentives to elevate risk mitigation.
• Embedding risk management in existing processes.
• A more disciplined approach to risk communications.
• Risk reporting should be specific to the target audience.
Source: CFO Working Council
Best Practices (cont’d)
• Use standardized templates and key future market conditions assumptions
• Key earnings drivers and mitigation strategies for low-probability, high-impact scenarios tested for resilience
• Process leverages cross-functional expertise
• Assign owners for each critical mitigation step
• Updated assessments of risk and opportunities are embedded in core reporting processes
• Require business unit and functional leaders to defend risk mitigation performance to Board and CEO directly
• Balanced scorecards & incentives calculations used to evaluate and reward mitigation performance
Source: CFO Working Council
Why Risk Mgmt Initiatives Fail
• Lack of CEO and executive sponsorship
• Poor communication culture and/or high level control environment divorced from business objectives
• Unclear roles/responsibilities/organizational structures
• Poorly defined/inconsistent risk policy
• Undefined risk universe and no common language
• Poor/inconsistent operational risk identification process
Source: 2003 KPMG Operational Risk Study
Why Risk Mgmt Initiatives Fail (cont’d)
• No linkage of risks to the control framework
• Over-engineered risk measurement and evaluation
• Reporting templates that do not integrate with business requirements
• Unclear escalation channels
• Poor action-tracking and project management systems
• Poor education and communications programs
Source: 2003 KPMG Operational Risk Study