This contains some generic examples of current CRO risk management practices, obtained from the horses' mouths. I hasten to add that these are not all "best practice", and indeed some might not even be considered "good", but they are across all industries, which does help benchmark any progress you might be making on infant ERM programmes forced by Solvency II or Corporate Governance code changes.
In its entirety it feels 10 pages longer than it ought to be, purely due to the number of quotations and practice examples it includes. It does however include a decent sample size (1,419), so the response percentages are a better representation than a lot of benchmarking/best practice materials.
I took from it the following:
- Huge growth in number of CROs at large companies since 2008 (11% to 42%)
- Two-thirds felt they were not doing well at the 6 risk management capabilities cited in the report as critical to organisational performance - all of these capabilities are very much embedded in the ORSA world for insurers
- Only 1-in-10 felt they had a "Strong risk-aware culture" - I know this is a topic for debate on the IRM's LinkedIn page, so worth a look if you feel you are lacking in this area
- Note a "broad agreement on the increased importance of ERM" - the PwC paper referenced in the last post argues the opposite!
- "Big risks" flagged as currently being the zeitgeist were: Nat Cat, Economic Crisis, Talent Retention and Reputation - this definitely shows how the CRO can pull themselves away from operational activity to focus attention on less visceral matters.
- Reference to "sequential risks" which to all intents and purposes is describing scenario analysis - is there a case for trying to enforce a common risk language on this matter as a profession?
- Reference to "proactively managing risk, rather than simply mitigating it in a reactive way" - is it not possible to proactively mitigate risk?
- Half of companies surveyed have a single identifiable individual responsible for ERM, "a key factor in driving success in this area" - can't make up my mind if this is a good or a bad thing, but I guess it is dependent on how vigorously the three lines of defence are established.
- Aggregation of risk types and proactively identifying current/emerging risks were deemed by the sample to be less important than "embedding a risk-aware culture at all levels" - this seems very odd, and perhaps borrows on the vagaries of the term to enhance its importance to CROs
- Piece quoting from COSO on page 11 which contradicts the view mentioned above that individual ownership of ERM is something to aspire to.
- Some strange numbers on the relationship between Risk and Internal Audit - over a quarter of respondents said they either didn't work closely with IA at all, or didn't know. Goes on to describe an example of IA using ERM-identified risks as the basis of the Audit plan, which in my view is ideal, and a great example of knowledge and intelligence sharing.
- Strangely for something with heavy US input, no references to ratings agencies as a driver for ERM
- Primary barriers to implementing ERM all seem logical, though the failure of key staff to acquire new skills features around halfway down the list, and in my experience this would probably be top.
- Finally, one CRO talks of his "small, lean staff" - no need for a punchline there...