A Pragmatic Approach to Deliver Enterprise Risk Management (ERM)

Banks and insurers spend large amounts of money on risk management.  Increasingly this expenditure tends to be part of an ERM programme where a holistic and enterprise-wide view is adopted.  This involves delivering appropriate tools and changing the business culture.

There are many challenges to deliver successfully an ERM programme.  It is usually accepted that one of them is embedding ERM.  However, the changing nature of financial services means that the main challenge to deliver an ERM system would be managing a process of continuous improvements and getting ERM to work over a period of time rather than at a point in time.  This has a number of implications for how financial institutions should regard ERM programmes.  

An immediate implication is that delivering an ERM system would be less of a ‘big-bang’ where this vision is adopted from the outset.  First steps would likely be material to signal the enterprise-wide dimension and start changing the culture.  However, an important part of the cultural change would be about explicitly recognising that it is a process of continuous improvements.  This should also bring about a focus on easy-wins, which is usually regarded as contributing to the success of transformation processes. 

Where an ERM programme has been going on for some time, this alternative approach would require a different vision and a change in the ‘tone from the top’.  This would mean a change in the risk culture of the business.  Given that the vision is more pragmatic and consistent with the changing nature of financial services, I would not envisage a significant challenge from modifying the culture. 

In my view, the real challenge arising from an ERM perspective of continuous improvements is identifying what are those changes that should happen over time.  This requires initially identifying the minimum that must be implemented to meet the expectations of various stakeholders.  This approach also requires identifying and monitoring the maturity of the ERM system in a structured manner at regular intervals.  That goes beyond taking stock of what has been implemented and should cover the effectiveness of the tools and processes that have been put in place.  Gaps will not necessarily reflect shortcomings in the implementation but changes in the business and in the markets. 

There are already tools available to assess the maturity of an ERM system, which would provide useful starting points.  For example, the International Actuarial Association published an ERM assessment tool that covers 14 categories ranging from board engagement to risk management culture and rates an insurer’s position as ‘early’, ‘intermediate’ or ‘advanced’.  Internal audit functions would be well placed to lead these assessments given their independence from business and risk function.  

Understanding the maturity of your ERM system is fundamental to ensure that there can be an adequate assessment of the costs and benefits of alternative improvements so that these can be prioritised accordingly.  This perspective means that one of the key documents for senior management of an ERM programme would be robust road-maps that set out prioritised improvements.  

Overall, a perspective of continuous improvements means that the process to deliver an ERM system becomes as important as the objective.  This is more likely to result in genuine embedding.