I've seen many well intended efforts to put some rigor around processes that would flesh this out but few done with much effectiveness. I know one thing for sure.
"Tell me something I don't know," is the one consistent theme I've heard for years from my CEO. What CEO's want is to know more about what they can't see or see clearly, that could impact the company's performance?
You know that old crystal ball that can predict the future? Frankly, I've never been very good at predictions, except when I had an actuary take my loss data history for casualty and use it to "forecast" the next 12 months. This has often yielded respectable results and allowed my staff to deliver a smoother cost of risk over time. Sometimes, being conservative, we actually delivered multimillions in reserve reductions to profit centers craving any assistance they could get.
Unfortunately, the need for getting ahead of unidentified or fuzzy risks has much more significant implications for leaders and their companies. Board directors are just one source of an increasing need for more and better information about emerging risks. With their increasing exposure to liability for management's mistakes, it's no wonder the hue and cry is deafening.
Other stakeholders who want more evidence of an increasing and maturing capability in this realm include rating agencies and regulators. Standard & Poor's latest expectations in this regard are outlined clearly in its Level II Enterprise Risk Management Review. (Also see my last column on this specific review criteria.)
It's clear there's lots of interest in this capability but also clear that little guidance exists to outline an approach that will deliver results. Like enterprise risk management itself, effective "emerging risk" process is in the eye of the beholder. Regardless, there are some basic elements that seem to me to make the most sense to exploit in a drive to generate some data points that might help management and others get useful information for decision making. Let's explore a few.
Start with looking at the industry/industries within which you operate. Scour the business press for the problems of competitors and suppliers. Where are significant losses occurring? Are these losses your company is exposed to? What mitigation strategies are typically deployed against these exposures? Are you using any of them? Which ones can you adopt and which ones are worthy of investment and for which a business case should be built?
Consider developing a robust approach to scenario analysis that allows you to "war game" things that could impact your company. Involve many leaders to gain diversity of opinion in interpreting the output. Stress testing can enable you to build multiple alternate scenarios, in effect modeling the various levels of impact that these events could have on your company.
Subscribe to publicly available loss databases in order to apply more quantitative assessments of exposures and begin to build on predictability. These losses would be in areas where you have not experienced losses yourself.
Finally, never capitulate to the "it won't ever happen or happen here" syndrome. The events of September 11 were barely conceivable before they occurred. Likelihood was remote; impact devastating. Get ahead of your risks before they catch up with you.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
June 1, 2010
Copyright 2010© LRP Publications