We’ve all heard the children’s story about the emperor and his new suit. The emperor ordered some clothes from some con men that had passed themselves off as weavers. These grifters convinced the king and his court that the clothes were “made of material that possessed the wonderful quality of being invisible to any man who was unfit for his office or unpardonably stupid.”
So, they pretend to dress the emperor, and as he stands there naked, all of his advisors and associates begin to comment on the beauty of the suit, since each feared that not being able to see this beauty would validate his unworthiness for his high position.
As each of the emperor’s confidantes spoke glowingly about the clothes, the emperor began to believe that he could be seen as unfit for his high place because he could not see the suit. As he stands there naked, he makes a really bad decision:
Hey — let’s have a parade so I can show off these wonderfully beautiful clothes!
So he parades through the street, and all marvel at the exquisite suit of clothes, until a small child calls out, “But he has nothing on.…” The crowd begins to chant this as well, while the emperor lifts his head higher and the chamberlains proudly hold higher the emperor’s nonexistent train.
What does this tale have to do with risk management and the current financial crisis? Read on.
The Rise of Enterprise Risk Management
The enterprise risk management (ERM) movement began to take hold of the risk management and financial community following two significant events shortly after the turn of the century. These events set the stage for the risk management community to step forward and make itself known to the business community as a vital element of the financial system, necessary to protect the assets of the organization.
The Attacks of September 11, 2001
In 2001, the attacks of September 11 forced businesses, governmental entities, and the general public to take a serious look at the risks they faced on a daily basis. On any given day, the walls could literally fall down, and life as we know it can be changed forever. After September 11, all of the securities we took for granted needed to be reevaluated. Our personal, financial, and infrastructural security all took a hit that day, and businesses were forced to look at risk as an important factor affecting the continuity of business activities as well as factors that could result in the actual demise of the entire organization.
Survivors Faced a Hardening Insurance Market
Some businesses failed. Ones that survived faced a hardening insurance market, a market in which insurers used the events of September 11 to divest themselves of risks they had taken on after the Gramm-Leach-Bliley Act of 1999 opened up the insurance markets to financial institutions that flooded the market with an increased supply of insurance choices while demand stayed fairly stable.
When the United States was attacked, the financial chaos that ensued gave the insurance industry the opportunity to tighten its underwriting requirements. The policies that were written for less favorable risks from 1999–2002 were summarily dropped, and those businesses that did not lose their coverage faced renewal increases as high as 150 percent.
Sarbanes-Oxley Act of 2002
In the early 2000s, the increase in defined contribution retirement plans and 401(k) plans flooded Wall Street with funds from smaller investors, and it became apparent to some that publicly traded companies needed to be more accountable to protect these small investors who were completely detached from the management of the organization.
On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act, after it was overwhelmingly approved by both the U.S. Senate and the House of Representatives. Sarbanes-Oxley set up strict financial and accountability standards for publicly traded companies. Coming on the heels of corporate accounting scandals at large companies such as Enron and Adelphia, the Act set a uniform standard for financial accountability to ensure that the assets of an organization and, therefore, the interests of stockholders would be protected.
The accounting standards, along with the civil and criminal penalties for noncompliance, set the stage for a codified infrastructure not only for publicly traded companies, but also for those companies that aspire to evolve from private ownership. To do so, these private firms would need to prove that they could withstand the scrutiny imposed by Sarbanes-Oxley before “going public."
An Opportunity Lost
The risk management community had success all laid out for them, and it cannot be denied that risk management is much more visible today than when I started in the discipline over twenty 20 years ago. Instead of being able to grasp the opportunity presented, the ERM profession is mired in uncertainty that stems from an inability to define itself in the business community. In fact, if you polled 100 risk managers and asked them the difference between traditional risk management and enterprise risk management, you would come up with at least 90 different answers, if not more.
The culmination of this lack of clarity was the publication by the Risk and Insurance Management Society (RIMS) of Enterprise Risk Management for Dummies, in an attempt to explain ERM to its own members. In fact, the book was given free to all members of RIMS in 2007 and is given to all new members who have enrolled since April 2007.
And Here Is Where the Emperor and His New Suit Come In:
Why is it so difficult to distinguish the difference between traditional risk management and enterprise risk management? Because they’re the same thing! The emperor has no new suit.
Why the ERM Initiative Will Not Work
Enterprise risk management collapses under the weight of its own expectations and the expectations of the risk management community. I cannot see ERM as anything other than a repackaging of traditional risk management practices. It is an attempt to market risk management to the business community, and the business community sees right through it.
Here’s why enterprise risk management will not work in its present state.
1. The inability to adequately define ERM — There is very little to distinguish ERM from traditional practices. Why, then, do we choose to call it something else?
2. Loss of focus — Sarbanes-Oxley defines a process for financial accountability. If there is one major difference between ERM and traditional risk management, it is ERM’s focus on risk financing as the primary vehicle for success. Any good businessperson will tell you that only when you control your losses can you control your bottom line.
3. The risk manager’s accountability standard — An organization’s appetite for risk should not be a green light for a risk manager to try a risk financing option that may not be in the overall best interest of the company. Most companies, once they become comfortable that their risk management staff knows what they are doing, will lean heavily on the expertise on that staff, and the risk manager needs to fight the power and ego that go along with that level of comfort.
4. Credibility in the insurance community — Like it or not, the major role of the contemporary risk management department is the purchase of insurance. Yet, ERM, with all of its emphasis on the risk financing aspect of risk management, downplays the need for insurance expertise. This is foolish. A risk manager who leans on a broker for insurance expertise instead of leaning on him or her to teach the manager about the insurance process will not serve the organization well. A risk manager needs to need to know what he or she is buying, and more importantly, what the insurance industry is selling.
5. Where risk management resides in the organizational chart — In smaller companies, risk management has to fight to be considered a full-time job. In larger entities, the challenge is to elevate risk management to a board position (chief risk officer [CRO]). Risk management is neither a parttime job nor a board level position, and any attempt to sell it as more than an executive-level position diminishes credibility in the business community.
How ERM Can Work
The ERM concept is not a total loss. Here are some suggestions to make it work.
1. Return to risk management roots — Get back to the basics. The traditional model of identifying, analyzing, examining, selecting, implementing, and monitoring has worked really well in many ways; this process should remain the core of any risk management program. Completely changing the focus, the approach, and the model without fully defining the plan is — well — poor risk management.
2. Adjust the focus — Enterprise risk management focuses primarily on risk financing as the core tool to risk management success. Yet, if you have been in this line of work for a period of time, you know that the best way to reduce costs is to reduce the frequency and severity of losses through solid risk control techniques. If your organization will commit resources to safety initiatives, employee screening, and customer qualification, you will create an environment for business success AND save money on insurance costs. You can’t get creative with risk financing unless you have proper risk control techniques to mitigate the losses you are self-insuring. Risk control always comes before creative risk financing, and Sarbanes-Oxley does not change that.
3. Define the profession — In the minds of many in the business community, risk management is not a full-time job. This perception must change. It is not a part-time job, nor is it a board position. Increase the responsibilities of the risk manager, perhaps to include an expanded role into benefits management. In a smaller organization, this would sell the position as a true management position; if you hire a risk manager, you get a benefits expert as well. In a larger company, the risk manager would take on a more strategic role, and the position can be elevated to an executive level position.
The risk management community should focus on promoting the risk manager position as being, at the very least, a management position, and at the most, an executive-level position. This will allow the business community to better define the role and to make better use of risk managers when they are hired. I believe the risk management profession loses the most talent within the first six months of new risk managers’ careers — not because risk management is a bad job or profession, but because most new risk managers don’t know what to do when they get the job, and the companies who hired them don’t know what to do with them once they’re there.
4. Learn the insurance business — Regardless of any evidence presented to the contrary, risk management's primary responsibility is to purchase and maintain insurance. Why do I say this? When a major loss occurs in any organization I have been involved in, the bosses do not come around and ask if we did all we can do to mitigate this loss using solid risk control and risk financing techniques. No, it’s always the same three words: “Are we covered?” You can save all the money in the world on premium and creative financing, but you always want to make sure that when a loss occurs, the organization is aware ahead of time of the ramifications of such a loss. To do so, you need to learn about what you are purchasing. It is only then that you can determine if what you are buying is really what you need.
5. Get more involved in the insurance purchasing process — Did you know that the insured that uses a broker is not even considered a party in the insurance purchasing process? In this process, the underwriter is the seller and the broker is the buyer. The insured is merely the financing source, and the underwriting process is a financial capacity evaluation in which the underwriter determines the insured’s capacity to pay and the amounts the insurer will potentially pay out to settle and administer losses. If you as risk manager fail to interject yourself into the process, you will find that the lack of communication will lead to higher costs. To get involved, though, you need to understand the language, the process, and the goals of each of the players.
6. It’s all about the business — The number one piece of advice I can give risk managers is to learn how business works. Then learn how your business works, and adapt your program to that business. It is the job of others within the organization to make the ultimate business decisions. It is the risk manager’s responsibility to make sure that those making the decisions have all of the information they need from your area of responsibility to make those decisions. If the decisions made are not what you would have done, bite down hard and ensure that the organization is protected. If you provide the best information, and the company decides to go down a slippery slope anyway, management will not come back and tell you that you were right. The question will be “Are we covered?”
Conclusion
I firmly believe that enterprise risk management can be saved, but only if there is a commitment to return to the traditional roots of risk management. The emperor continued to believe in spite of overwhelming evidence to the contrary. When the small child yelled out that the emperor had on no clothes, the emperor and his men stood taller, as if the ignorance of the crowd outweighed any and all common sense.
It’s the same with risk management. ERM can work, but not until it can be defined. In the meantime, let’s step back and see if we can marry the two approaches: traditional risk management with its risk control focus, and ERM with its risk financing core. This will advance the discipline and bring the profession the respect it desires and deserves.
Until then, remember:
Listen to the child — the child is right.
