This session presented by James Curbeam, CPCU, ARM, AIC (Risk Manager, Las Vegas Valley Water District) and Lisa Kremer (Strategic Risk Practice Leader, Marsh Risk Consulting) at the 2019 PRIMA Annual Conference discussed transitioning from a traditional risk management program to an enterprise approach when evaluating the risks of an organization.
Lisa began this session explaining what ERM is. The goal of an enterprise-wide risk management initiative is to create, project, and enhance stakeholders value by managing the uncertainties that could influence achieving the organization’s objectives. Lisa encouraged the approach of building upon the traditional risk management program into a more strategic approach. ERM programs are strategic, continuous, include across-the-board management representation, is focused and coordinated, include business risk, anticipates/detects, monitors risks, and focuses on processes and people.
Do we know our risks? James walked though his approach of level setting at his organization by identifying top risks and personally meeting with those risk owners to learn more. He suggested asking the following questions:
- What are the top 10 risks?
- Who is the risk owner for each risk?
- What are the mitigation plans?
- How are the mitigation plans monitored?
- How often are the mitigation plans reassessed?
Lisa talked through the value proposition and focusing on identifiable opportunities. An ERM:
- Provides important connection between strategy and performance
- Directly supports mission and goals
- Enhances decision making
- Improves communications across the organization
- Supports asset management processes, rate cases, business continuity
- Creates good governance.
Of those, Lisa believes the most critical is breaking down silos and communicating with global stakeholders to support business continuity.
James explained the establishment of a governance model including a functional leader as a sponsor, an ERM committee with risk management chair and senior management team members, and an ERM working committee who are managers across the organization. These partners meet to define and quantify risks. Ideally the committee represents a cross-functional operational view with risk management mindset and respected influencers.
In 115 meetings James and the ERM committee facilitated with supervisors and higher levels of leadership, 62 risks were identified. These meetings were critical to understand the perspectives of all processes and challenges to identify risk at every level. The committee classified those risks in four quadrants (hazard, financial, operational, and strategic), and be an defining further through:
- Risk Owner – Individual accountable identification, assessment, treatment and monitoring of risk in a specific environment
- Type of Risk – What is the Risk Quadrant and and focuses on the source of the risk
- Risk Theme – Category under each quadrant
- Risk and Risk Definition – State and define the exposure.
The organization then went through an analytical process with their broker parter and additional global data to define risk appetite (the level of risk that an organization wants to take in pursuit of its objectives and strategies) and risk tolerance (the level of risk that an organization is willing to take in pursuit of its objectives and strategies). Lisa discussed the importance of a diverse set of leaders evaluating information to determine what level of risk the organization has the ability to take on and what does want to manage. These will be different for each organization as it is the assessment of the company’s sources of capital and how they prefer to deploy those resources to deal with unexpected losses. James encouraged conversations that include the CFO and other financial executives to help set a rating of severity impact to help define appetite. It is also critical to include the broader leadership representatives to bring forward other brand and tangible exposures.
Visual illustration of the organizations strategic goals aligned with identified risks will help leaders see vulnerabilities and opportunities. Define risk definitions and assign a risk owner who be the champion of that risk and who will work with the committee to be the subject matter expert on how to resolve and mitigate risks.
Lisa discussed the benefits you can expect from implementing ERM including:
- Optimize Risk Assessment
- Improve Risk Management Performance
- Secure Value
- Strengthen Business Resilience
- Create Value
- Increase Risk Management Efficiency
Goal of good risk management is not to minimum effort risk but to achieve the best balance of risk and opportunity. James shared his goal is to work together to say yes, not to be the department of no.