One of the challenges with enterprise risk management (ERM) is how much is written on the subject. I find it useful to identify the key components. This provides a structure to sort out the detailed views and comments, though it is also more than that. If you are a busy CRO or senior risk leader, identifying the key components enables you to take stock and think about challenges and improvements that may be relevant to your priorities.
Here is an attempt to sum up ERM and provide that clarity in three headlines.
1. A vision of the ERM purpose
My preference for financial services is ‘protect and enable’. This highlights that risk management is more than just about avoiding the downside; it is about how risk management supports decision making, including the role of the CRO in that decision making. (More on ‘protect and enable’ and different views from practitioners shared on Crescendo Advisors’ blog are available here.)
2. An articulation of how to deliver and embed ERM in the business
This is your ERM framework, roles and responsibilities, policies, and risk appetite. They must provide the right balance between the level of detail and clarity to create a durable product and support business implementation.
3. Evidence of the outcomes of vision and articulation of ERM (1 and 2 above)
This is the outcome of the ERM, i.e. the assurance that is provided to the Board. This means that a feedback mechanism that supports improvement is in place. This is partly about risk or thematic reviews, but it also represents a wider perspective that involves 1st line and 3rd line as well. I also find that focusing on assurance is more ‘real’ than a discussion on the extent to which processes are implemented or embedded.
At the risk of oversimplifying, here is my own take on the UK insurance business position on these three aspects
- The articulation of the ERM vision is progressing but there is still work to be done. There is a sense that, broadly speaking, people operate according to the ‘protect and enable’ vision without articulating it as clearly as it could be.
- Good progress has been made articulating how to deliver and embed ERM in businesses; all businesses have ERM frameworks and policies in place. Some are considering external reviews after the frameworks have been in place for some time.
- The biggest challenge ahead is evidencing ERM implementation and providing structured assurance to the Board about ERM expectations. This is a challenge for risk management function (risk reviews?), first line (business and control reviews?) and internal audit (coordinate with first and second line?). Please get in touch if you want to receive a paper with initial thoughts on this challenge.
Do you agree with views about these views about the insurance sector in the UK? How about banking and asset management? How is this seen in other countries?
* No pun intended about the three lines of defence.
If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.