Who Will Fix Risk Management if Not Risk Managers?
Is a world of perma-poly-crisis an indictment of risk managers — or a golden professional opportunity?
Opportunity, for so say the Federation of European Risk Management Associations (FERMA) and the Risk and Insurance Management Society (RIMS).
“FERMA,” writes its president, Dirk Wegener, “believes that the business rationale for elevating the risk management position within an organization’s strategic hierarchy has never been more evident.”
Meanwhile, RIMS president Jennifer Santiago says that we “need to think big and be bold. We should aspire to be part of the C-suite and serving on boards.”
But setting aside ambitious personal aspirations, even the workaday reasons to embrace risk management are compelling. Risk managers are to crises as marketing executives are to falling sales: expendable scapegoats.
Broken risk management needs fixing. Here are three value-creating strategies.
Recognize When an Operational Risk May Threaten Enterprise Value
The purpose of a company is to conduct only lawful business by lawful means. The purview of risk management is anything that threatens the business’s value.
Today, any operational loss can erupt into a value-destroying enterprise crisis. Southwest Airlines, Norfolk Southern and Silicon Valley Bank all are paying enterprise prices for not appreciating that the systems at risk were mission-critical to their business value.
Most risk managers can recognize and mitigate the hazards of operational risk. Unfortunately, most lack the tools to recognize that certain processes have become mission-critical hazards to enterprise value. For most firms, #MeToo, Black Lives Matter, DEI, ESG, cyber incidents and the pandemic are all examples of risks that have only become mission-critical over the past five years.
Risk managers can use intelligence tools to alert them to impending problems in what is mission-critical. Nominally priced commercial methods of monitoring enterprise value risk use a range of modeling strategies, including credit default swap prices, equity-based implied credit risk and (most recently) reputational value volatility. The latter two methods anticipated by weeks or months the recent confidence (i.e. reputational) crisis in regional banks.
Package (and Communicate) the Value of Enterprise Risk Management Strategically with Insurance
Senior executives’, boards’, investors’ and regulators’ ears are keenly attuned to strategy. A universally recognized successful risk strategy was the 1933 drive to signal quality risk management through insurance. Simply put, banks with better risk management qualified for federal deposit insurance.
How insurance signals quality was conceptually formalized in 1973, and in 2001, a Nobel Prize in Economics recognized Michael Spence for his contribution. How insurance prevented stakeholder panic was conceptually formalized in 1983; that Nobel Prize went to Douglas Diamond and Philip Dybvig in 2022.
The secret sauce to signaling the higher quality of a risk strategy through insurance is objective exclusivity, which is one of several reasons why parametric insurances for enterprise exposures such as ESG and reputation are valuable in the eyes of capital markets.
One example: To signal its resilience to earthquake threats that might impair its large California real estate portfolio, First Republic Bank first disclosed in its 2019 ESG report that it had purchased “parametric earthquake insurance.” Over the next three years, its equity outperformed its peers’ by 15%.
Risk managers need these new instruments to replace those that are no longer effective strategically because their exclusivity is lost. Due to its rapid, widespread adoption, D&O insurance — which in the middle of the 1980s denoted better governance — is one example of a lost strategy.
Federal deposit insurance still keeps fully insured depositors from panicking, but recent failures of regulated banks put the lie to the claim that superior risk management is at work in banks with insured deposits.
Unify the Organization Responsible for Enterprise Risk Strategy
All risk is connected. An enterprise-level committee, chaired by the risk manager, must integrate what is now siloed.
Siloed risk management does not work. Operational risks covered by insurance are today the remit of risk and insurance managers. But the enterprise risks that threaten a firm’s reputation — like ESG risks — may be covered by marketing and communications or pooled with ethics and compliance and managed through the legal department. Banks have chief risk officers, yet assuring stakeholders of a bank’s reputation and preserving confidence are not part of a CRO’s remit.
Risk management is surely broken. Ambitious risk managers committed to upgrading risk strategy and creating enterprise value with better enterprise intelligence, strategic packaging and a unified organization can fix it.