Given the volume of attention and buzz that regulators, credit rating agencies, the SEC, consultancies, Fortune 500 firms, insurance brokers, and others are creating about risk management and ERM in particular, you may be left wondering: is ERM best practice, required practice, or a practice in futility? Let’s cut through the ERM buzz so you can determine if an ERM program could enhance your organization’s financial, operational, compliance, and/or risk management results while also enhancing and supplementing the value your insurance program provides.
Decoding the Acronym to Find the Value
ERM is a broad term whose definition and intent can change by individual, organization, and industry. But at its core ERM is a strategic-level risk management program an organization formally undertakes to better identify, measure, and manage enterprise-level risks. Common goals of most ERM programs include:
- Taking advantage of upside risk
- Increasing the likelihood that strategic objectives will be met or exceeded
- Decreasing the likelihood and impact of downside risk events
How organizations use ERM to achieve these common goals will differ by organization and industry, but the consistent purpose in all successful ERM is better-managed risk for better organizational results. Your organization will achieve better risk management because ERM will allow you to distil and aggregate external and internal data about risk into actionable knowledge that can be used to drive better business results. Successful ERM programs enhance the Board’s and senior management’s ability to control the organization’s “levers” of risk management, including insurance.
But I Have Insurance, Why Do I Need ERM?
A common misconception is that ERM is simply insurance by another name. To be sure, insurance is a powerful technique of risk transfer and mitigation used by ERM programs, but ERM is much more than just having or reviewing insurance requirements. ERM provides a comprehensive risk management strategy that is complementary to insurance by mitigating risk, maximizing insurance value, and minimizing premium investment by:
- Providing continuous risk monitoring and measurement across both insurable and noninsurable areas.
- Identifying enterprise-level risks, particularly external and internal emerging risks in noninsurable areas.
- Developing a structure to uniformly classify and report on the identified risks, almost like a balance sheet of risks.
- Developing and defining quantitative and qualitative metrics—bright lines of risk, called “risk appetite”—to manage against, and determining the level, if any, of insurance coverage needed.
- Identifying and using noninsurance-based risk management techniques, including internal control enhancement, joint venture risk transfer, capital allocation, risk acceptance, or risk avoidance.
In short, ERM provides different benefits than insurance but also maximizes the benefits insurance can provide.
How Would ERM Look and Feel at My Organization?
Given the variability by which ERM might be implemented at any given organization, your organization should not feel that there is a magical “ERM compliant” finish line to cross, or that its approach is wrong because it differs from that of a Fortune 500 company. In fact, a measured and sustainable approach to ERM is a hallmark of middle-market organizations, given their resource and budget constraints. Although the specifics for each organization will differ, what you would likely see in the middle market in some form is:
- A designated cross-functional team and steering committee to design, implement, conduct, and govern the program. These internal roles will generally be part-time and supplemented by a full-time outside ERM consultant.
- Scalable ERM tools and methods that would work across the organization as the scope and sophistication of the program expand.
- A long-range plan to continually build, in a sustainable and measured way, the maturity of the program and the value it provides.
How organizations use ERM to achieve their risk management goals will differ by organization or industry, but the consistent purpose in all successful ERM is better-managed risk for better organizational results. Having ERM opens up a whole new set of levers the Board and senior management can pull to make the organization more successful. So do not rely on just insurance to reduce your risk; supplement and enhance your insurance investment with a successful ERM program.