We’re hosting the Executive ERM Forum at PwC’s NYC office today. Twenty enterprise risk executives are gathered to discuss current topics in enterprise risk
management such as regulatory reform, emerging risks, risk reporting and quantification, convergence, and GRC implementation.
Executives gathered represent a variety of industries, including banking, insurance, consumer products, travel and entertainment, and telecommunications.
At the outset, executives discussed the key issues around risk management in their business today:
- Companies are very good at operational reporting, but not as good at risk reporting.
- How do we improve the quality and consistency of risk reporting?
- What is the right amount of information to provide the board?
- How do you quantify your risk reporting?
- What are the organizational, cultural and process issues associated with implementing a GRC solution?
- What role should IT play in defining, architecting and managing the risk management function?
- How do we as risk managers enable our business managers to make better risk decisions?
- How should the risk management and audit functions collaborate?
The discussion started off on risk identification. The moderator articulated the problem as board members saying that they’re not seeing the right risks, while management struggles to present a huge amount of risk-related information succinctly. One participant pointed out that it takes a long time to say something short.
Here are several of the key takeaways so far:
Developing the Initial Set of Risks
A couple of companies talked about building up a set of risks accretively over the years, adding and deleting risks from the prior year based on the current year’s risk environment. Initially, the risks can be identified through brainstorming and/or by asking process owners about the risks they manage.
Express Risks in Terms the Board Can Understand
One insurance executive brought up the point that when reporting to the board, identified risks have to be expressed in terms that the board can understand relative to their notions of risk tolerance, e.g. impact on earnings per share. The board owns risk, but risk managers have to help board members understand the risk in the business. So what information does the board need? Managers need to report within the context of tolerance, something as simple as red, yellow, green. Companies need to be careful that reported risks don’t get “greener” as they move up the reporting chain to the board.
Pictures and Problems
One financial services executive described his company’s risk reporting as “Pictures and Problems”: what is the picture of the overall risk profile, and where are the problems (expressed in terms of risk tolerance)? This gives the board both qualitative and quantitative ways to think about risk exposure.
What Does the Board Actually Believe?
The discussion turned to what the board actually believes. A couple of executives noted that board members are very skeptical of the traditional bottom-up roll-up of risk. Participants agreed that this process results in a high degree of inaccuracy. One executive described their process of assessing risk at a mid-level; risk is then quantified only around those areas of concern. So, quantification is only at the individual risk level, not at any aggregate level. An insurance executive pointed out that companies are beginning to think about “notional exposures” – the absolute value of the worst thing happening.