Chief risk officers often describe their main challenge as a lack of buy-in. Without buy-in—from heads of business segments, executive leadership, the board and external stakeholders—the enterprise risk management (ERM) program cannot achieve its full promise of supporting better risk-reward decision-making at the highest levels, starting with strategic planning. Without proper buy-in, ERM remains useful but limited, often supporting only risk mitigation and capital management decisions. This lack of buy-in is often not the fault of the chief risk officer (CRO), but rather due to inherent flaws in the most popular ERM approach, which is capital-based.
In this interview, Philip Sherrill, CPA, CIA, CHIE, and Sim Segal, FSA, CERA, recipients of the Best Session Award for their 2018 ERM Symposium presentation “Building Buy-In: Overcoming the #1 Obstacle to Effective ERM,” share selected insights from their session. They explain how switching to a value-based ERM approach overcomes the limitations of a capital-based approach, achieves buy-in, paves the way for the ERM program to expand its reach and engages the CRO in the organization’s most important decisions.
Snow: What are some of the symptoms of an ERM program that may be lacking buy-in?
Segal: One sign of a lack of buy-in is when ERM has limited purview, such as not being adopted across all business segments or not being applied across all sources of risk. An example of the latter is that many ERM programs are not really ERM, but rather financial risk management (FRM) because their scope is limited to financial risks. Another indication is when ERM information is not used to inform routine business decisions.
Sherrill: When the buy-in isn’t there, you probably won’t see management and the board having meaningful discussions about ERM, at least not consistently. It’s not in their line of sight. The performance analytics they monitor may also exclude ERM metrics in favor of tactical results. We typically prefer to focus on things we think we can get our arms around. That’s where the value-based approach comes in.
Snow: What are some of the causes of this lack of buy-in?
Segal: One of the main causes is a capital-based ERM framework—one that defines risk as an event that results in a decrease in a capital ratio such as risk-based capital (RBC). A capital-based framework results in a disconnect between the ERM program and the strategic plan, incentive compensation and decision-making. To gain buy-in, organizations must adopt a value-based ERM framework, which defines risk as an event causing a deviation from achieving the results expected in the strategic plan.
Snow: How is value-based ERM better at achieving buy-in?
Segal: A value-based ERM program begins with a focus on achieving the strategic plan goals, which is something everyone in the organization cares about. So, right off the bat, you have buy-in, because your entire focus is helping others increase the likelihood of achieving their goals. Another aspect of value-based ERM that helps with decision-maker buy-in is that it measures both downside and upside volatility. This allows value-based ERM to support routine business decision-making, because it provides information on both the risk and reward sides of decision-making.
Sherrill: For our organization [Arkansas Blue Cross and Blue Shield], ERM is becoming the “golden thread.” It provides the needed discipline to tie together objectives, risks, strategies and tactics. All roads lead to and from the strategy. It forced us to explicitly examine the assumptions in our strategic plan. We had to reach a consensus on what they were and what they meant. That benefit alone strengthened our commitment to the strategy, and it continues to help us mature our ERM culture.
Snow: If an organization were to employ a value-based ERM framework, how would its approach to risk identification differ, and how would it generate more buy-in?
Segal: The central activity of risk identification is the qualitative risk assessment (QRA), which typically involves surveys to identify key risks. Often, the QRA survey participants are limited to a small group, sometimes even restricted to just the corporate area. This limits the opportunity to advance the organization’s risk culture and gain buy-in, because only a handful of individuals are learning how to think about risk in an advanced way. Instead, QRA interviews should be conducted with a group of two to three dozen participants who have broader inclusion horizontally—corporate, the business segments and key functional areas—and vertically—the C-suite, business segment leaders and their lieutenants, and some mid-level leaders.
Sherrill: This was important for our ERM program. We achieved a high level of engagement because we included executive staff, subject-matter experts and members of the board. We’re in our third year, and I see more enthusiasm and engagement today because we’ve stayed the course and kept them involved. We brought a broad range of disciplines into the process from the start, and we got everyone on the same page in terms of understanding how to think and talk about risk in a consistent way.
Snow: It’s clear that engaging the right people is critical. What insights would you like to share about the QRA methodology?
Segal: The most common methods for the QRA are:
- Open small-group facilitated discussions
- Individual surveys sent to participants to complete
Unfortunately, both methods have inherent problems. The open small-group interviews are often skewed by a single leader in the group. Also, participants often feel uncomfortable revealing certain key risks in a nonconfidential environment. Individual surveys sent to participants can damage relationships, because this method is impersonal. This can be the first interaction with ERM and what do they see? An email in their inbox assigning them a task to complete on their own. Also, the level of effort is inconsistent—some participants give it serious attention while others just rush to get it done—so the results are inconsistent. Finally, the quality is typically low, because there are several tricky aspects to ERM, and written instructions are often misunderstood or not even read.
To address these issues, leading ERM programs use individual, confidential face-to-face interviews for their QRA. There is no one else present to influence opinions. There is also confidentiality to create a safe space to share all key risks. This method can enhance relationships because it is personal—you are participating along with them. There is a consistent level of effort, because all participants are spending an equal amount of time in the interview with you. Finally, there is a high level of quality, because you are present to guide them interactively—in a Socratic way—through the challenging aspects.
Sherrill: There is no replacement for face-to-face interaction. I can’t stress that enough. You enhance clarity. You build relationships. You build trust. We created a safe environment for people to offer guesses and opinions, to disagree, to offer alternatives. I really like this about the value-based ERM approach: It’s not just about the numbers and how you score the risks and model the dollars. It recognizes the importance of the people participating, building relationships and enhancing the risk culture—which includes creating a consistent risk vocabulary and how we socialize it. We needed a jump-start for our program, which is why it was critical for us to engage the right external ERM partner—seeking out and engaging deep ERM expertise helped us set the right foundation and implement it the right way from the start. Both leadership and the board valued the guidance and direction.
Snow: You mentioned there are some tricky aspects to defining risk in a value-based ERM context. Can you share an example?
Segal: Unfortunately, in most ERM programs, risks are not always defined by their originating source. This causes confusion in the QRA scoring of likelihood, because there is no consistent context. For example, “reputation risk” is often labeled as a risk and scored in QRA surveys. The problem is that there are many different sources of risk—for example, poor product quality, poor customer service, internal fraud and so on—that can rise to the level where they trigger negative media coverage and then reputational damage, subsequently decreasing revenues and/or increasing expenses and/or cost of capital. Without specifying a single specific risk source, each QRA participant may be imagining a different source and context, and the likelihood scores are then aggregating results that are not scoring the same risk event. In contrast, in a value-based ERM approach, risks are consistently defined by their originating source, allowing all QRA participants to score the likelihood for the same risk event.
Sherrill: I agree. Getting the source right from the start is integral to clarifying what is a “risk” and what is not. It’s central to how we think and speak about risk. At one point, we were focused mainly on the outcomes of risk modeling and lost sight of what was driving the scenarios, the sources of risk. It has continued to advance our risk culture and the kinds of risk conversations we have with leadership.
Segal: Failure to consistently define risks by source also can cause problems in the QRA scoring of severity, because it can omit another set of impacts downstream from the originating source. The missing set of impacts could be exacerbating or offsetting, but either way, this results in misestimation and suboptimal results. See Figure 1 for an illustration of this concept.
Figure 1: Identifying Risk Source to Capture All Downstream Impacts
Sherrill: This is another aspect of the value-based ERM approach I like. We’re talking about plausible events, real-world possibilities. We focus on creating a complete and holistic real-world scenario of how a risk event might happen and all of its downstream consequences. It’s more realistic and more useful than mere stress tests, which are often hypothetical and rarely happen exactly as predicted in real life. We need to deal with the consequences of the real world, so I need risk scenarios that simulate that. This builds buy-in, because the scenarios are credible. It describes the way things could really happen, and it resonates with decision-makers.
Snow: How is buy-in enhanced with value-based risk quantification and risk decision‑making?
Segal: One of the themes I return to repeatedly is the importance of practicality in ERM modeling. Many ERM models are overly complex, resulting in an unacceptable level of model risk. Value-based ERM models are robust enough to rely on when making decisions, but they are designed with a clean and nimble structure to minimize model risk. Finally, ERM models often have esoteric constructs that cannot be explained simply and clearly to management. As a result, management is not comfortable enough with the model to use it in major business decisions. Value-based ERM models involve straightforward concepts that are transparent to management, generating trust, buy-in and reliance on the models to support key decisions.
Sherrill: For our organization, that translated into a model tailored to our business that aggregated results in a way that was meaningful to our leaders when making decisions. What helped build that level of connection was an ability to socialize the results and to explain the basic workings of the model in a way everyone could understand. The value-based ERM model also demonstrates the power of real-time “what-if” modeling, which is nimble, relevant and responsive to leadership’s needs. This was critical to embedding the methodology into the fabric of the decision‑making process.
Segal: Another key to gaining buy-in is that the value-based approach goes far beyond just measuring the threats to the capital ratio. It allows us to answer more interesting questions, such as:
- What obstacles are in the way of achieving the strategic plan?
- What is the likelihood of achieving our strategic plan goals, and how can we improve our chances?
- How can we make the business case for doing the things we know need to be done?
Sherrill: These were definitely questions our leaders were asking, among others. It allowed us to gain a deeper understanding of our strategic plan and its likelihood of success. It helped us identify and more rigorously evaluate alternate strategic decisions. It adds CROs to the equation. When you implement a value-based ERM approach, you become involved in the most important conversations and decisions in the enterprise. Being able to bring ERM information to the table that truly informs routine business decision-making, from strategic planning on down—that’s exciting.
The lack of buy-in that relegates capital-based ERM programs to supporting only mitigation and capital management decisions can be overcome by switching to a value-based ERM approach. With the right ERM methodology, tactics and implementation, CROs can gain buy-in, broaden their impact and be dealt into the conversations that inform the most powerful risk-reward decisions in the organization, starting with strategic planning.
Copyright © 2019 by the Society of Actuaries, Schaumburg, Illinois.