Randall Davis, Delphi Risk Management
Enterprise risk management is how businesses overcome the human limitations of their management teams when it comes to thinking about the future. Too many businesses treat it as a box-ticking exercise, but a captive can make such a programme more effective, says Randall Davis of Delphi Risk Management.
We humans are not very good at predicting the future. We, like other creatures on this planet, tend to live in the present, with our daily decisions often based either on reacting to our hazy memories of things that happened in the past, or on knee-jerk reactions to immediate instinctive needs. We decide to put on a coat because we’ve been cold before. We eat and sleep reacting to instant physical stimuli.
As businesses are run by humans, they’re even worse at dealing with the future. Organisational momentum, sunk costs, and cultural hangovers prevent appropriate reactions to current external stimuli. Sloppy management processes exacerbate human weaknesses into full-on enterprise breakdowns.
Despite these weaknesses, we muddle on, continuing to plan, predict, and decide present actions based on these poor predictions of future outcomes. Risk management is our attempt to deal with these issues. We put a framework in place to help us try to understand our weaknesses and to deal with our potential and actual failures. This framework has become known as enterprise risk management (ERM).
“The champion of ERM must have real executive power and full support of the board of directors.”
Benefits
While ERM is no panacea for human or organisational “disease”, it does inoculate us against the known strains, and allows for milder symptoms and quicker recovery when the inevitable pandemic strikes. However, ERM is still not widely practised, at least to the extent that ERM’s benefits are being realised by companies.
According to RIMS, the risk management society, an overly-rosy ERM survey reports that as of the end of 2020, 98 percent of companies have a “fully or partially integrated ERM program in place”. According to a recent survey by IT governance association ISACA, however, only 35 percent of companies have a defined view of risk tolerance, and only 38 percent have formal risk identification processes in place.
According to Deloitte, only 13 percent of companies say ERM “makes a significant contribution to the setting and execution of strategies”. That’s pretty poor considering ERM as a concept has been around for more than 20 years.
The 98 percent’s ERM programmes must be pretty weak if they can’t even identify the risks, much less do something about them. I’ve spoken to many of the 98 percent, and the typical response is “ERM? Yes. We have that … um … what’s ERM again?”
So why is ERM or its effective implementation lagging? It’s a brilliant idea, and is badly needed in all businesses. But it often fails to register in the minds of the executive suite. COVID-19 has provided an opportunity for many to reassess their ERM programmes, but my guess is that top executives will be too distracted by present worries to reflect on what drove their failures.
Companies without a dedicated ERM programme manager with real executive clout are also less likely to succeed in the effort. Deloitte’s risk management survey revealed that only 50 percent of companies larger than $500 million in annual revenue had a chief risk officer (CRO).
It is likely that the vast majority of those with a CRO come from the financial sectors such as banks or insurers, as a similar survey suggested that 95 percent of those companies have a CRO.
ERM success is particularly unlikely if the ERM programme is relegated to the internal audit group or seen primarily as a compliance function. Unless ERM is inextricably tied to the overall business strategy, it will fail. To achieve this, the champion of ERM must have real executive power and full support of the board of directors.
Real clout via a captive
One way to ensure CROs have real clout is to empower them to effectively measure, manage and monitor the key risks to the organisation, and one way to achieve that is to use a captive insurance company.
Captives can play an important role in elevating key risk management issues and can even drive the appointment of a CRO. In doing so, they also increase the likelihood that ERM will succeed. According to a global risk survey by NC State University and consulting firm Protiviti, the top 10 cited risks for 2021 are:
1. That pandemic-related policies and regulation impact business performance;
2. That economic conditions constrain growth opportunities;
3. That pandemic-related market conditions reduce customer demand;
4. That the adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees;
5. Privacy/identity management and information security;
6. Cyber threats;
7. The impact of regulatory change and scrutiny on operational resilience, products, and services;
8. Succession challenges, the ability to attract and retain top talent;
9. Resistance to change operations and business model; and
10. The ability to compete with “born digital” and other competitors.
Not all perils that arise from these risks are insurable, but many are. If a CRO can demonstrate insurability of the key risks to an organisation, the likelihood of ERM getting executive support and succeeding greatly increases.
Historically, there was a very clear line between risks that the insurance market offered to insure and risks that were ignored. Modern captive insurance structures and design close the gaps in outdated coverage and pick up emerging risks more efficiently than commercial insurance markets.
Captives have always been incubators for risk management and insurance innovation. There are a variety of reasons, but the main one is their flexibility: captives are more flexible than commercial carriers, primarily because of their scale.
They have fewer insureds, lower limits, are generally geographically limited, and operate in a different regulatory environment. Further, a captive’s lower capital requirements put less pressure on the balance sheet, allowing for greater underwriting and claims flexibility. All of this creates lower organisational momentum and makes captives a great place to test new coverage.
What to cover?
How does a CRO know which types of coverage are appropriate to insure? Insurance companies traditionally cover only pure risks, risks where either something bad will happen or nothing will happen at all, such as property damage, fires, floods and hurricanes. Exposure to lawsuits is the typical example of pure risk in liability. These risks are generally considered insurable.
Speculative risk, on the other hand, has both the chance of a negative loss and the chance of a positive gain. Gambling and stock market investment are the usual examples of speculative risk. The insurance market does not consider speculative risks to be insurable.
If a proposed captive insurance line intends to cover risks with characteristics that are considered uninsurable, it will likely be denied or challenged by regulators. The characteristics that make a risk uninsurable are:
- Business risks where a loss is perceived to be more likely than not, for example, deterioration of property caused by wear and tear (perhaps because a decision was made not to maintain the property in question). Insuring an already burning building falls under the same category. Risk of loss here may be avoided, or at least mitigated, with proper “controls” or treatments in place, but insurance is not appropriate when the potential insured event isn’t random.
- Where insurance creates moral hazard, ie, when an insured would be financially better off buying insurance and making an insurance claim, than remaining uninsured. Insurance in and of itself cannot be the source of a financial gain, it operates on the principle of indemnification (being made whole). If there is a moral hazard created by a proposed line of insurance, then that coverage is not appropriate to provide.
- Ultra-catastrophic risk, such as nuclear or biological war. In this case “ultra” distinguishes this risk from regular “catastrophe” loss, where the latter loss may be catastrophic only to an individual, a single business, or at most a region. The point at which regular catastrophe becomes uninsurable largely depends on scale and captives, in particular, are not great vehicles for insuring larger catastrophes.
- Loss events with no defined time window or location. An insurable loss must be measurable from a financial perspective. Actuaries and underwriters cannot and will not calculate or offer insurance against amorphous, generic, or ill-defined events. There needs to be a clear trigger.
- Risk that is within the control of the insured. There is some wriggle room here. Ideal insurable losses should be random and caused by someone or something other than the insured, but all insurable risks arguably have some aspect that is controllable by the insured. This is the basis on which insurers recommend loss prevention activities. If a proposed insurable risk meets all of the other standards except this one, this wriggle room allows for innovation around the edges, and there may be a creative way to insure it.
Key business risks are insurable as long as they don’t have these characteristics. If you have a creative idea for a new insurance coverage, check that idea against this list. If it fits, then you should approach captive insurance experts, such as attorneys, managers, and consultants to discuss.
If a CRO is successful in matching key business risks with insurance, the likelihood of ERM success increases.