
The evolution of ERM

Open-access content Monday 1st June 2015 — updated 3.22pm, Thursday 30th April 2020

Paul Harwood considers enterprise risk management and discusses how to optimise the second generation of this method and make the right choices

Enterprise risk management (ERM) has become increasingly important to the running of firms over the past decade. It has been supported by regulators and other governance authorities, yet few practitioners appear convinced that ERM has added value.

Notwithstanding the assurances, attestations and certifications, do boards and managers feel they are running better businesses as a result? Given the resources, authority and access that have been afforded the risk management function, stakeholders should by now be feeling comforted by a well-embedded risk management process. Boards and managers have never had so much knowledge at their fingertips.

The IFoA's annual Risk and Investment Conference has never formally and thoroughly addressed the question of the value added by ERM. Under the surface, there are glimpses from those who question it, as commonly practised. In reflecting on these conferences, I concluded that the first generation of ERM has established firm foundations that can now be built on.

I suggest that second-generation ERM should consider a specific business plan first, and only then address the management decisions that ensure this is met in a range of varying circumstances. This allows a rehearsal of management decisions - 'When will we act? How effective can our intervention be?' - and an understanding of the plan's sensitivity. As time passes, the environment and the decisions can be tracked for their impact on the results. 

The scrutiny of possible management decisions allows for their refinement in advance and an understanding of the extent to which risks can be managed. The tracking demonstrates whether management action is making a practical difference.

In summary, second-generation ERM is about 'better decision making' (BDM ERM) which adds value when its users, primarily boards and managers, are confident that they are overseeing, or making, quality decisions. BDM ERM connects risks and actions more directly than hitherto. It is a continual process.


The business plan

The anchor for BDM ERM is the business plan, the board's required outcomes on specified assumptions, which will be achieved because management makes good decisions. This plan reflects decisions already made (the business model, the strategy), decisions that are largely already made given the business's culture and organisation (how do we handle project X?), and decisions yet to be made (do we launch into a new market?).

The BDM ERM business plan may not be the standard profit and loss and solvency projections that regulators require, but should set out the outcomes that the board is commissioning its chief executive to deliver. Doubtless, the impact of many of the decisions will be sales/expense/profit related, but there should also be room for qualitative outcomes, for balance sheet outcomes, for outcomes that don't arise evenly.


Testing quality

How do you test, at plan stage, the quality of decisions already fully or partially made? Achieving an outcome depends on what managers decide and the prevailing environment. By considering how outcomes might differ from those planned, each accountable manager can focus on the outcome's sensitivity and sensitivity drivers: the causes, contingent management action and possible changes in the environment can be better understood. The manager can reverse engineer action plans to understand the impact on the outcomes and therefore gain a deeper understanding of the likely results. 

How do you test new decisions? The expected impact of a new decision will either already be part of the plan, or part of the process of making the decision. The risk manager can work with the accountable manager to flex not only the assumption set but also the decision set, to understand the sensitivity of the decision and the factors that need to be managed to deliver the required outcome. Indeed, the McKinsey Quarterly in 2013 reported two interesting results on executive decision making. The first suggested that it was six times more effective when an alternative was considered alongside management's preferred decision. The second suggested that confirmation and overconfidence biases drive poor decision making, and that these biases can be addressed by assessing downside risk and stress testing (as per BDM ERM).

The risk manager's role in BDM ERM is crucial. In addition to working with individual managers with business plan accountability, the role includes the collation of the threats to the plan overall and the identification and challenge of weaknesses that span individual business plan areas. As a result, the risk manager can assert to the board, for director challenge, the circumstances in which managers are confident that they will achieve the plan, and when a different outcome will be achieved. 

Once the BDM ERM plan has been agreed by the board, the risk manager tracks the progress of the plan and the key parameters. Hence, the business always knows the extent to which the plan will be met (or the extent to which the plan does not match the factors that actually drive performance). It should then be clear whether performance arises from quality decision making or is independent of management action.

The BDM ERM risk manager is the guardian of the decision-making process and is responsible for broadcasting the expected consequences of decisions made. The risk manager will be expected to know if the plan will be met. The analysis of this is likely to entail projection deficiencies, estimation errors, random positive and negative impacts.


Criticisms of BDM ERM

"This is simply a representation of existing ERM: good ERM systems do this already."

BDM ERM does rely on many elements of first-generation ERM: this is a strength. Where it differs is that it views risk exclusively through the lens of business plan outcomes. This approach anchors risk discussions to real things, and drives challenge and accountability, not just by the board and management, but by the risk manager, who now has to understand the plan will be met, or know why it will not.

"Some risks would not feature on the business plan."

This is an interesting point. If a risk would not affect the plan and has no impact on the business's outcomes, should it be considered at all? The obvious risks here are identified black swans, those that no one saw but that would be catastrophic. These should be covered in the assumption set: the board should see the impact of, say, a liquidity crisis on the business's outcomes.

ERM to date has generated information in volume. BDM ERM distils this information by focusing it through the lens of the business plan to establish the sensitivity of outcomes. As the plan is effected, the outcomes and assumptions are tracked, post decision. Thus, we will understand whether the decisions made supported the outcome or were irrelevant to it.

BDM ERM is a tool for non-executive directors to be assured that their business is managed to deliver the plan commissioned by the board. It also helps managers to review existing, and consider new, decisions to ensure outcomes. In both cases, the value added by BDM ERM should be evident.

Paul Harwood is a consulting actuary specialising in strategy and risk management. He is writing a paper on the IFoA's Risk and Investment Conferences over the past five years and ERM evolution.
This article appeared in our June 2015 issue of The Actuary.
© 2023 The Actuary. The Actuary is published on behalf of the Institute and Faculty of Actuaries by Redactive Publishing Limited. All rights reserved. Reproduction of any part is not allowed without written permission.