Risk Management Reports

You often hear of other people who call themselves risk managers, over in finance, safety, IT, internal audit, insurance, or in Washington measuring the probabilities of unusual events. Did you ever wonder what they looked like, how they thought? Have you ever made any effort to meet them, at their association meetings, or to read their publications?

For too long many of us have hunkered down within our own sub-specialties of risk management, declining to take the time to learn from other disciplines, arguing that we simply do not have the free time for this sort of exploration, and beside, "we" invented risk management, didn´t we? They should come us, not us to them!

The new effort to connect all risks, favorable and unfavorable, of an organization and build a coordinated response to them changes things. It mandates that this guild-like reluctance to acknowledge, much less study, the work of others be no longer tolerated. Enterprise (or as I prefer, strategic) risk management must be built on a shared knowledge base.

This was evident from the comments of panelists participating in a joint discussion at the May 2-3 Third Annual ERM Conference in Chicago. The sponsorship of this event, one of the best I´ve attended, illustrates my point: the Society of Actuaries (SOA), the Casualty Actuarial Society (CAS), the Professional Risk Managers´ International Association (PRMIA) and Georgia State University, four diverse organizations. I helped moderate a panel, with Chuck Lucas, the Director of Market Risk Management at AIG, including the current Chair of the Institute of Internal Auditors (IIA), Betty McPhilimy, the officer of the Risk & Insurance Management Society (RIMS) charged with ERM development, John Phelps, the Chair and Executive Director of PRMIA, David Koenig, an officer of the Risk Management Association (RMA), Nick Hayes, and past presidents of both the CAS and SOA, David Ingram and Jim MacGinnitie.

This alphabet soup, lacking, only representatives from the Society for Risk Analysis (SRA) and the Global Association of Risk Professionals (GARP), stirred up provocative ideas. I learned that both the CAS and the RMA trace their roots back to the early 1900s, making them possibly the oldest RM groups in the world. In terms of membership, the IIA dwarfs the others, with 107,000 globally, more than half outside North America, followed by PRMIA at 24,000, SOA at 16,000, RMA at 15,000, RIMS at 9,200 and CAS at 4,000. Numbers alone, of course, don’t necessarily mean influence: look at the SRA, with less than 3,000 members worldwide, yet its public policy influence is dramatic.

Chuck Lucas and I asked the panelists three questions. First, what are the principal purposes of risk management, as identified by your members? They all referred to published documentation, ranging from COCO in Canada and COSO in the United States, to the standards created by individual nations, led by those of Australia and New Zealand. Their goals, however, varied. For one it was "executive assurance" in an age of new regulatory compliance, for others "the management of risk in systems," "to reduce earnings volatility," "to manage insurance risk for insurers" and to recommend prudent capital in relation to these risks. One said, "All management is risk management." The best answer (to me, at least) was the goal of risk management is to "exploit risk and accept volatility as natural."

A second question was how a group measures the benefits, both tangible and intangible, of adopting enterprise risk management and whether or not a "common language" is desirable or feasible. All agreed that measuring a benefit is difficult, although the new risk-based capital rules for financial institutions permit managers to show that risk management value is proven by reducing mandated capital. Other benefits are "keeping out of the headlines" and "assuring that we will open tomorrow morning." One panelist warned it is probably too early for a "common metric." We should learn and respect the different terms as a starter (I agree on his latter point). Another suggested that economic capital and the return thereon might form the basis of a new risk language and benefit measurement. Still another emphasized that any risk language must include the potential for upside events, as well as the more common focus on downside events.

Third, we asked what major problems they saw in ERM today. First, to be successful, anyone pushing ERM must understand the existing power base of an organization and how best to work within it. Second, some form of internal "champion" is necessary, preferably a CRO reporting to the CEO and the board, but some organizations still question the value of a CRO. Third, responding to new regulations often undermines a broad-based ERM effort. Finally, human nature can be the greatest obstacle of all: people like doing things the way they’ve done them in the past. Changing a habit is difficult!

The panelists showed that the differences among their organizational approaches are not that great, suggesting that more collaboration and cooperation will speed the progress of ERM. For example, educational institutions in both London and the United States are building new broad-based curricula for ERM. Shouldn´t they work together? Another US group is attempting a glossary of risk management terms, when an excellent one is already is in use by ISO in Geneva. Cooperation can eliminate that classic problem of wheel reinvention!

So where can we go from here? I have several suggestions to stimulate more interdisciplinary dialogue.

1. Every organization in this alphabet soup should have an interdisciplinary panel for a plenary session at its next annual conference. We begin by understanding that there are others out there like us! We are not aliens.

2. Start reading what others have to say. Subscribe to the publications of these organizations (see below). Start writing articles for them.

3. Start listening. Invite members of the alphabet soup to your annual meetings AND your chapter meetings. Occasionally ask one to make a presentation.

4. If you do not already have one, create an ad hoc internal risk management committee in your own organization to build liaison with your risk management counterparts.

No one person, nor any one group, has a lock on this evolving discipline: it´s time to open our minds to the many new and refreshing ideas that are circulating in this marketplace. As a start, check out the websites of these organizations (and their publications):