10 Case Study: Large Health Insurer in the US

This case is derived from a conversation with a risk manager for a large health insurer in the United States who wanted to remain anonymous. The interview was conducted by Christopher Ketcham, Ph.D., CPCU, CRM, CIC, CFP®, Formerly Visiting Assistant Professor, University of Houston Downtown, Houston, Texas; Garnet Valley, Pennsylvania
Date: July 9, 2012

10.1 THE LARGE HEALTH INSURER TODAY

This is a large not-for-profit health insurer in the USA that has been in business for more than seventy years. Presently it has more than 10,000 employees. At the time of this writing (September 2012), the company had an A.M. Best financial size rating of XV.1 The organization's principal business is to provide health insurance for individuals and organizations in a defined geographical area. The organization provides traditional healthcare products, including products associated with the US Affordable Healthcare Act, for which the first major changes will be implemented in late 2013 and 2014. Beyond traditional health insurance, the insurer offers Preferred Provider Organization (PPO) products, Health Maintenance Organization (HMO) products, and the federal health insurance program for seniors called Medicare.

10.2 IMPLICATIONS OF THE AFFORDABLE CARE ACT

The Affordable Care Act passed by Congress in March 2010 will have major implications for how health insurers will do business in the US beginning in late 2013. Approximately forty million uninsured persons are expected to be eligible for coverage, expanding the market approximately 13% (of 300 million US residents) for all insurers. Expanded eligibility rules will make some who were previously uninsurable for various reasons eligible to purchase coverage. Those who do not purchase health insurance and who are not otherwise exempted will pay a fee (tax) of a few hundred dollars early in the program's rollout. This fee or tax will increase in later years. How the influx of new customers will affect this insurer or other insurer loss ratios is unknown.

New rules also mandate minimum loss ratios. Depending upon the type of customer, insurers will have to demonstrate that they have paid out at least 80–85% of premiums in claims. This leaves health insurers only 15%–20% of premiums (before investment income) to pay for all underwriting and marketing overhead expenses. As a not-for-profit business, this insurer does not have the same requirements for shareholder value as for-profit competitors, but on the other hand it cannot raise capital in the equity markets. However, this insurer will be challenged to maintain a low expense structure in the years to come in order to meet new government loss ratio requirements.

The federal mandate of 80–85% claims payment, combined with health insurance exchanges where individuals can go to a virtual market space to obtain quotes on insurance, will change the market dynamic for insurance sales. First, health insurers will be forced to compete on price, which means operating at as low an expense ratio as possible. Second, the product benefits in the exchanges have been standardized by healthcare reform. The end result is that health insurance available from exchanges is likely to become a highly commoditized business where price and reputation will be the only differentiators.

There will still be traditional HMO and PPO insurance products and services for those who are employed by companies who will maintain their group insurance products and will not purchase insurance from the exchanges. Exchanges are expected to provide different plan options in terms of deductibles and co-payments for services rendered. The coverage, however, will be the same in all cases. The exchanges will likely be used by those who were once uninsured (taking advantage of government subsidies) and by those who have traditionally purchased individual or family policies. These exchanges may also include individuals who work for small companies or companies who choose not to provide insurance for employees.

The mandate of the Affordable Healthcare Act does not extend to all of this insurer's product lines. Fee products such as TPA services are not affected by the mandate. Medicare and Medicaid services are subject to other federal and state requirements. Health insurers are likely to look for product and business diversification opportunities to offset the higher loss ratios and lower expense ratios that the Affordable Healthcare Act mandates. There are likely to be consolidations in the marketplace as less cost-efficient health insurers or those without the resources to prepare for the exchange environment are acquired by larger, more cost-efficient insurers.

10.3 WHY ERM FOR THIS INSURER

In the 1990s a series of lawsuits for errors and omissions against health insurers were settled for multimillion-dollar awards in the US. New legal theories gave plaintiffs access to the “deep pockets” of the health insurer.2

Plaintiff lawyers introduced new legal concepts, one of which was that an insurer had some measure of control over how the doctors and hospitals practiced medicine through its coverage restrictions and claims handling/payment practices. RICO (racketeering and conspiracy) accusations against insurers were also on the rise, because the relationships between providers and payer were created by contract and could be interpreted as conspiratorial by a jury. To address this issue head on, this insurer asked the risk manager to look beyond traditional risk management for answers.

Risk management has been practiced for decades around the world. However, increasing court judgments, regulations, rating company requirements, globalization, and the impact of catastrophes, whether natural or economic, have forced large companies and organizations to reconsider their risk management practices. The predecessor term to ERM was IRM or integrated risk management. From the beginning of the international debate to expand risk management from operational to organizational, the concern was that organizations faced more than hazard risk, the traditional risk that most risk managers focused upon. Prior to IRM and ERM, the job of many risk managers was insurance procurement and hazard risk control of operations. Understanding and managing strategic, financial and other risks the organization faced was not part of the risk manager's responsibility.

When the risk manager for this insurer began the process of rethinking risk management there was limited information and literature about how one might consider and manage all of the critical risks an organization does or could face. While the acute problem of these large vicarious lawsuits in the industry has substantially been mitigated by state reform, the enterprise risk management initiative has evolved over time as the external and internal risk profile changed. The maturation of this insurer's ERM program has been a dynamic process. Processes or reporting structures have been implemented only to have them changed or eliminated as reporting structures or company processes changed. However, even though there have been rough spots and learning curves, this insurer has been working within an ERM framework for more than a decade.

10.4 ERM REPORTING STRUCTURE AND ERM DEPARTMENT STRUCTURE

After beginning the IRM conversation in the mid-1990s the organization realized that it needed to better understand the risks that the organization faced. However, there was not a structure in the organization to accomplish this task.

Throughout the years of the ERM initiative, the risk management department has focused on a business capability to help the organization to identify, evaluate and manage risk. The majority of activities are conducted in the context of making the insurer's projects, products and process changes successful by removing obstacles from the paths of project sponsors. Early on in the initiative, risk management invited itself to functional meetings to summarize the insurer's risk management process and explain the benefits of using risk coaches in the identification and assessment of risk. Over time departments have become amenable to risk management assistance because the coaching and process helps managers feel more comfortable that they have identified, evaluated and treated the critical risks so that unexpected consequences are much less likely to result.

Within eighteen months of beginning the conversation with risk management, the legal counsel's office brought risk management, legal services, internal audit, compliance, and SIU (Special Investigative Units3) together as one department. Bringing these units together not only provided the insurer with valuable information after events occurred but also allowed greater integration of disparate risk management functions to identify and manage potential issues before they turned into events or losses.

Where the risk management department reports to in the organization can have considerable impact upon the tasks the risk manager and team are asked to perform. In many organizations risk management reports up through the CFO (Chief Financial Officer), the place where insurance was traditionally purchased in many companies. In other organizations risk management reports to human resources. This is often the case in organizations where workers compensation is the significant operational cost of risk driver. In technology companies, some risk managers report up through the CTO (Chief Technology Officer) where data integrity and security are of prime importance.

There are some advantages for having the risk management department report up through the chief legal officer for a health insurer. The principal product of an insurer is an insurance contract and the service provided in the majority of its healthcare business is to pay a claim. In other divisions (e.g. TPA – Third Party Administrative Services) fee income is generated. Both ends of this insurer's business spectrum involve contracts which require legal scrutiny. Additionally, litigation along with claim payment trends provide valuable information concerning emerging risks. Audit, compliance, and risk management services reporting up through legal services also provides additional information about how well the company's internal controls are working and where changes need to be made. Finally, the insurer has acquired business. Acquisitions require significant legal, risk, compliance, and audit scrutiny before any deal is consummated.

Yet there are also disadvantages in an ERM initiative where the risk management and similar risk identification services report up through one member of the executive committee. The principal disadvantage is that the risk management team may not have direct access to the business units run by other executives.

There are those who suggest that the CRO (chief risk officer) should report directly to the board. However this is organized, it is important that ERM is at least perceived as an enterprise-wide initiative and at best becomes part of the strategy and culture of the entire organization.

However, there are methodologies for grafting ERM onto a company's strategy and culture even when risk management is not a position on the executive committee. This insurer's ERM program has evolved over time to provide services to the many departments and divisions that report up through all executive committee members, not just legal services. Table 10.1 provides an overview of the ERM program and the components associated with its tools, process, management and administration.

Table 10.1 ERM Program Components

Governance: Corporate policy; Board oversight; Senior management risk ownership and accountability; Risk council
Reporting: Risk council; Board and committees; Core process risk profiles; Annual strategic risk assessment; Quarterly reporting
Processes: Annual risk assessment; Oversight of mitigation plans; Risk coaching; Integration with audit and other functions; Program benchmarking
Tools and Support: Risk assessment program; Risk evaluation tool; Computer-based training; Templates; Expertise

10.5 THE ERM INITIATIVE TODAY

Today this insurer's risk management department reports up through the chief legal counsel. The risk management department has a director, program managers, and risk finance and insurance procurement professionals. In addition to managing the ERM initiative, risk management staff serve as risk coaches – sources of expert guidance to departments, managers and executives on the organization's efforts to optimize risk-taking decisions in support of corporate directives. Towards this end, the risk management department has developed tools and methodologies to help other units of the company understand and evaluate the risks they face. These tools have been developed in consideration of the risk appetite and strategic vision of the company and have been reviewed, approved, and published by the executive committee as company policy. The risk tools and risk assessment process associated with change and project management are covered later in this case study.

The risk management department has its own mission and vision statements which are aligned with the corporate mission and vision statements. The risk management mission statements are associated with its three main responsibilities: ERM, risk financing and business continuity.

  • The ERM mission is to provide corporate leadership, methodology and tools to support operational and strategic management with their responsibility to optimize risk taking decisions.
  • Risk Financing's mission is to support corporate objectives by sharing optimal design and cost effectiveness of the risk financing program including corporation insurance retention and transference of risk.
  • Business continuity's mission is to lead the company to an appropriate level of resilience through expert guidance to operational areas within the established business continuity program.

From this mission, this insurer's ERM program has identified specific goals (see Table 10.2).

Table 10.2 ERM Program Goals

Governance: Provide a strong risk governance structure to manage risks at all levels; establish risk tolerance of the company and board of directors
Assessment and Monitoring: Embed a structured risk management process; establish risk ownership and accountability; build mechanisms to proactively address emerging risks; develop monitoring and evaluation activities
Culture: Build an organizational competency of forecasting the environment to understand current and future significant threats, including financial, market, compliance, reputation, and security risks; build risk training and education programs that improve management's ability to make risk-intelligent decisions

While the ERM mission statement supports operational management, this has changed with the growing business diversity efforts of the company, its increased appetite for acquisitions and partnerships, and the need to adapt processes and practices in advance of the Affordable Healthcare Act's legislated changes. This means that today the risk management team is spending more time on strategic issues than on operational issues.

Certain risks such as unintended release of private information and sexual harassment have established processes to both prevent and mitigate events. Also risk management does get involved with risk management of data security and similar risks when assessing risks associated with new ventures, joint ventures, product and process change projects.

Business continuity does not just prepare for a weather or earthquake event but any event that could cripple infrastructure or otherwise make operations in its territory less than optimal or even impossible. The event-centric approach is more flexible than the peril-centric (e.g. hurricane plan) approach for it can be used in many situations i.e. fire, earthquake, flood, windstorm, lockdown or other events that require coordination, evacuation, in-situ patient care and reallocation of resources to areas not affected by the event. Resiliency and business continuity concerns do not involve only owned organizations. With certain outsourced functions such as claims handling, this insurer must also have partners who have the same ability to maintain and adjust operations to meet customer needs after what could otherwise be crippling events.

This insurer is vertically integrated with a centralized management structure. The risk management department is also centralized, which is consistent with how the organization as a whole is structured. However, the message from the risk management department to executives and employees alike has been that, regardless of the centralized management structure, the individual employee is also a risk manager. Everyone manages risk – risk management is distributed in the broadest manner possible. What the risk management department at this insurer has worked towards is developing a “risk-taking competency” to support leadership, management, and project teams when they are faced with change, acquisition, or new projects that require new thinking about critical risks, or when they face new risks or risks the organization has not contemplated previously. Part of developing this competency is to provide active risk coaching and consultancy within the organization.

Although the ERM concept is supported by the CEO and senior executives, no edict or mandate to use the ERM discipline has been issued by either. This requires the risk management team to sell the need for its services within the organization. This is not a simple task, and it has taken time for the risk management team to be “automatically” engaged by project sponsors when new processes, procedures, and acquisitions are initiated.

The risk management team has gained respect from many departments in the organization through the application of risk management services and tools. First and foremost, the job of the risk management coach is to support the leader of the project, acquisition, or partnership initiative. This means that the risk coach's job is to help assure that the sponsor and the team have a successful project or initiative. This means not only identifying risks and obstacles towards facilitating a successful result so they can be proactively addressed but also means giving the leaders and teams credit for their successful result. Second, there is a viral component in the organization that results from successful risk coaching. Managers talk with managers, they and executive sponsors recommend to new project managers that they consult with the risk management team. Finally, specific corporate mandates require that project managers or acquisition leaders consult with risk coaches for acquisitions or process or procedural change. Projects involving certain critical risks also must engage a formal risk assessment process. Subtle reminders to project sponsors may be necessary to begin this effort.

While risk coaching requires knowledgeable risk professionals, the process of identifying, analyzing, and categorizing risks must be simple and intuitive to those who are not risk professionals. Risk management understands that not only must the process be simple, but the end product must also be simplified so that it is understandable to all stakeholders of the project, process change, acquisition or joint partnership initiative. The results of the risk assessment process, including mitigation plans, are incorporated into the project team's ongoing reporting process.

The objective of the risk assessment process is to help the assessment team understand the risks associated with the project, assess the impact of vulnerability, likelihood, and timing of these risks, develop risk mitigation strategies, and determine which of these risks are critical and require attention of the project team and/or senior leadership (see Table 10.3). The risk analysis report is passed along to those who will manage the implemented process or new venture so that these risks, their impact, and treatment can be monitored and changes made where necessary. In this process risk management becomes part of the project impact and efficacy statement. At the same time and since these projects represent strategic as well as operational initiatives for this insurer, they help to align risk and strategy within the project itself which, if the project is approved for implementation, becomes integrated with strategy of the company. The approach of the risk management team has been honed over many years into a process that is remarkably simple in its concept and implementation but effective in its results. Figure 10.1 provides an overview of the typical steps found in many ERM plans.


Figure 10.1 The ERM process as applied to enterprise risks, project risks and functional risks

Table 10.3 Risk impact

Risk Impact (DO NOT consider existing controls or mitigating strategies or how often the impact may occur)

Impact Categories (A) | Financial Impact (B)* | (C) | (D) | (E) | (F) | (G) | (H) | (I) | (J)
(1-2) | Insignificant | Insignificant | None | None | None | None | Consistent | Critical functions not impaired | Consistent | Relatively straightforward
(3-4) | Up to 10% | Inconvenient | Easily resolved/Minor penalties | Small and temporary | None | None | Consistent | Plan alterations required | Consistent | Low complexity
(5-6) | 10-25% | Significant | Significant | Significant | Significant | Rating ******** | Significantly inconsistent | Significant | Somewhat inconsistent | Moderately complex
(7-8) | 25-50% | Serious, long-term | Serious | Serious, long-term | Serious | ***** rating drop | Seriously inconsistent | Serious | Significantly inconsistent | Very complex
(9-10) | 50-100% | Long-term impairment of **** functions | **** ****seize control | Catastrophic deterioration of **** | Going concern status impact | Drastically revised ****** | Catastrophic deterioration of ******** | ******* cannot be achieved | Seriously inconsistent | Extremely complex

*Categories B-J denote different risks and their impact on the organization. For example, one might be weather, another might be regulation, and a third might be litigation.

10.6 THE RISK MANAGEMENT PROCESS

Risk management gets involved with most significant projects, changes, new processes, acquisitions, new ventures, and new joint ventures in various ways. Project sponsors and others request assistance directly from the risk management department. In other situations the process is mandated by company policy. In other cases, the risk management team learns of a new process or project and “invites itself” to the team meetings.

A testament to the success of the process is the fact that the risk management department is often called back to conduct a new risk assessment when things change over time. For example, risk management has been consulted in all of the four iterations of the project to analyze outsourcing risk. As outsourcing evolved over time, new project teams were formed to reconsider the outsourcing process and risk identification and assessment has become integral to that evolving process.

Over time, corporate policy has evolved to define and embrace ERM standards and tools. As the company has rapidly evolved in recent years through change and acquisition the need to use the risk identification and assessment process has accelerated. As a result ERM and corporate ERM practices have become part of the culture to the extent that employees and leadership are aware of the standards, even though some may not have participated in a project where these tools were deployed.

The risk assessment process has the following iterative steps. See the Project/Committee Risk Assessment User's Guide in Appendix A for more details.

First, when a department initiates a new project, risk management recommends to the department head or project sponsor that a risk assessment should be conducted. In other cases, where the process has been incorporated into department culture, the project sponsor or manager contacts the risk management department to conduct the assessment.

The risk assessment itself is facilitated by the risk management department, generally in a two hour window of time. However, before the assessment is conducted, risk management meets with the project sponsor to determine together who should participate in the assessment. Most assessment participants are not project team members. Instead assessment participants are selected from areas of the company that will be affected by the change, new process, acquisition, or new venture. This might include someone from the legal department when contracts are part of the process or information technology when processes change and/or there are confidential data issues at stake. If the project involves reputational issues, a public relations representative is included. Other typical participants include those from affected departments, compliance, finance, and audit.

Prior to the assessment meeting the sponsor is asked to develop a brief but encompassing scope statement of what is to be assessed during the meeting. Risk management understands that the simpler this statement is the better it will be understood and embraced by the assessment team.

The assessment meeting date is chosen and is held in a room that has adequate technology to support the use of a computer interface and projection on a large screen or monitor. The information is recorded real time so all participants can see and agree with what is being documented.

Facilitated by the risk management representative, the first five minutes of the assessment is the review of the assessment scope statement and agreement by consensus that this should be the scope. During the next thirty minutes or so, the risk management facilitator and recording assistant ask the assessment team to identify the risks that this project will have and how they will manifest themselves in the company (e.g., reputation problems, effect upon net income, customer dissatisfaction, etc.) – limited, of course, to the scope statement agreed to at the beginning of the session. The facilitator must be skilled in gaining clarification and drilling down further where necessary. Often this is the first time that stakeholder participants in this meeting have heard that this project or process change is being conducted. The added benefit of this process and the inclusion of stakeholders is that it gives the insurer institutional notice that the project is being conducted and starts to socialize the need for the project and the intended outcomes.

After the initial brainstorming effort, the facilitator leads the group in a twenty minute discussion to consolidate these identified risks into six to ten critical risks.

After the critical risk list is developed, most of the second hour of the assessment is devoted to further assessment and evaluation of the six to ten critical risks using the ERM Risk Evaluation Tool. See Appendix B for details. The assessment team first considers the impact of the risk to various risk factors and aspects of this insurer's business for each of the six to ten identified risks. The impact portion of the tool assumes that the risk has not been controlled in any way. Impact assessments range from insignificant to catastrophic, even to the extent that an event could lead to impairment of the organization as a going concern. This is a multi-dimensional impact assessment, considering affected operations, reputation, privacy, compliance, and complexity of the project itself. By considering multiple dimensions of impact the assessment team can evaluate the degree of impact to each stakeholder of the project. Cumulative impact to the insurer is also considered and evaluated. For example a change in claims data reporting might have a slight risk to reputation but the complexity risk could be very high which may have a serious impact on compliance with state statutes.

After assessing impact for each of the six to ten risk factors, the team assesses the likelihood of a risk event actually occurring (see Table 10.4). The assessment for each risk can range from extremely unlikely to highly likely. This controls the bias of very conservative organizations to inappropriately assess the importance of specific risks and consider them all as “Black Swan” risks which causes them to misapply corporate resources.

Table 10.4 Risk Likelihood

Risk Likelihood (how likely the impact is to occur at the level selected above)

Ranking  Description (Probability)
(1-2)    Extremely unlikely (less than 10%)
  • Almost inconceivable that event will occur
  • Activity or event that occurs intermittently
(3-4)    Unlikely but possible (10-33%)
  • Event or activity occurs intermittently, not likely but could happen
  • Not known whether the event has occurred
(5-6)    About as likely as not (34-66%)
  • Event sporadic in nature, potential for infrequent occurrence
  • Has occurred rarely
(7-8)    Likely (67-90%)
  • Likely to occur sometimes (occurred infrequently)
  • Will occur often if events follow normal patterns
(9-10)   Expected (over 90%)
  • Likely to occur many times (occurred frequently)
  • Will be continuously experienced if no action is taken to change events

Risk Control/Mitigation

Ranking  Description
(1-2)    Effective, documented controls in place. Control self-assessment or independent review (e.g., internal audit) within the past two years
(3-4)    Effective, documented controls in place, but controls have not been independently reviewed
(5-6)    Controls documented but not always effective
(7-8)    Controls are documented but are not effective. Significant deficiencies have been identified
(9-10)   Undocumented controls. New controls

Finally, the assessment team considers whether effective risk mitigation measures are in place or can reasonably be expected to be in place. The effectiveness of these measures is rated using the tool guidance. The range here runs from effective to ineffective or ad hoc. Each level of effectiveness is defined by the tool so that assessment participants can identify categorical risk control techniques and measures that could or should be applied. At the same time the team considers how effective these controls might be, both in terms of the technique itself and the organization's ability to implement and manage the control.

After the risk has been assessed using the ERM Risk Evaluation tool (see Appendix B), a risk index is created by multiplying the ratings for each of the three risk aspects together. The list of risks is then reordered according to the index value to determine the top risks associated with the project or the process change being assessed. The higher the score, the more critical the risk is to the organization. The company has mandated that any risk that exceeds a certain composite score must have a documented risk mitigation plan. Other factors such as very worrisome impact and significant compliance risk also merit special treatment. Composite scores and other risk indices that exceed a specific threshold require review by increasing levels of authority.

After scoring and ranking the risks, the assessment team determines a cut line. Those above the cut line will require significant attention by the project team and the other affected stakeholders. While the risks below the cut line may not merit special attention, the fact that these near-critical risks exist may warrant review and evaluation periodically should things change.
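As an added illustration (not the insurer's tool or code from the case study), the following Python scores a constructed set of project risks with the impact × likelihood × control index described above, ranks them, and applies a cut line, a mandatory mitigation-plan threshold and escalation levels. The rating scales follow Tables 10.3 and 10.4; the threshold values, escalation levels and sample risks are assumptions, since the case study does not state them.

```python
"""Composite risk index from the case study's ERM Risk Evaluation Tool.

Impact, likelihood and control are each rated 1-10 (Tables 10.3 and 10.4);
the index is their product and a higher value means a more critical risk.
The thresholds, escalation levels and sample risks below are assumptions
for illustration and are not the insurer's actual values.
"""
from dataclasses import dataclass

# Assumed policy thresholds (the case study says such thresholds exist, not their values).
CUT_LINE = 150                    # at or above: significant attention from the project team
MITIGATION_PLAN_THRESHOLD = 250   # at or above: documented mitigation plan is mandatory
ESCALATION_LEVELS = [             # (minimum index, reviewing authority), highest first
    (500, "executive committee"),
    (250, "senior risk owner"),
    (0, "project team"),
]


@dataclass
class Risk:
    name: str
    impact: int               # 1-10 per Table 10.3, assessed ignoring existing controls
    probability_pct: float    # estimated likelihood of the impact, in percent
    control: int              # 1-10 per Table 10.4: 1-2 effective and reviewed, 9-10 undocumented
    compliance: bool = False  # the risk touches a regulatory or statutory obligation


def likelihood_rank(probability_pct: float) -> int:
    """Map a probability estimate (%) onto the Table 10.4 likelihood bands.

    Bands: <10% -> 1-2, 10-33% -> 3-4, 34-66% -> 5-6, 67-90% -> 7-8, >90% -> 9-10.
    The upper rank of each band is returned, which is the conservative choice.
    """
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be between 0 and 100")
    if probability_pct < 10:
        return 2
    if probability_pct < 34:
        return 4
    if probability_pct < 67:
        return 6
    if probability_pct <= 90:
        return 8
    return 10


def _check_rating(value: int, label: str) -> None:
    if not 1 <= value <= 10:
        raise ValueError(f"{label} rating must be 1-10, got {value}")


def composite_index(risk: Risk) -> int:
    """Impact x likelihood x control: the risk index of section 10.6."""
    _check_rating(risk.impact, "impact")
    _check_rating(risk.control, "control")
    return risk.impact * likelihood_rank(risk.probability_pct) * risk.control


def escalation(index: int) -> str:
    """Lowest level of authority that must review a risk with this index."""
    for minimum, authority in ESCALATION_LEVELS:
        if index >= minimum:
            return authority
    return ESCALATION_LEVELS[-1][1]


def needs_special_treatment(risk: Risk) -> bool:
    """Catastrophic impact or a significant compliance risk merits attention
    even when the composite score falls below the cut line (assumed rule)."""
    return risk.impact >= 9 or (risk.compliance and risk.impact >= 5)


def evaluate(risks: list[Risk]) -> list[dict]:
    """Score, rank (highest index first) and flag each risk."""
    ranked = sorted(risks, key=composite_index, reverse=True)
    report = []
    for risk in ranked:
        index = composite_index(risk)
        report.append({
            "name": risk.name,
            "index": index,
            "above_cut_line": index >= CUT_LINE,
            "mitigation_plan_required": index >= MITIGATION_PLAN_THRESHOLD,
            "special_treatment": needs_special_treatment(risk),
            "reviewed_by": escalation(index),
        })
    return report


# Constructed sample: critical risks of a hypothetical claims-data reporting change.
SAMPLE_RISKS = [
    Risk("State statutory filings break after reporting change", 8, 40, 7, compliance=True),
    Risk("Outsourced claims handler cannot absorb new data format", 7, 20, 4),
    Risk("Unintended release of member health information", 9, 5, 2, compliance=True),
    Risk("Schedule slips past open-enrollment deadline", 5, 70, 5),
    Risk("Member complaints about revised statements", 3, 50, 3),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RISKS):
        flags = [k for k in ("above_cut_line", "mitigation_plan_required", "special_treatment") if row[k]]
        print(f"{row['index']:4d}  {row['name']}  [{', '.join(flags) or 'monitor'}] -> {row['reviewed_by']}")
```

Note that the privacy risk in the sample ranks last by index yet is still flagged, which is the point of the case study's remark that worrisome impact merits treatment independent of the composite score.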

The advantages of this risk assessment process are manifold. First, risk identification and assessment are performed by stakeholders who would be involved with or impacted by the change or new process that is the intended outcome of the project. Second, the scope of the assessment is narrowly focused on the project or initiative at hand and is written simply for all to understand. Third, the risk identification and assessment process takes two hours, not months. Fourth, a company-agreed ranking and scoring methodology is used to prioritize risks according to impact, likelihood, and controllability. This allows everyone in the organization to think consistently about risk and how it is evaluated. The assessment process also has built-in vetting with higher levels of authority, which serves to alert the organization to the criticality of risk associated with the project. Ultimately this process serves the organization by identifying critical risks prior to any change that is implemented as a result of the project team's work.

The final step in the risk assessment meeting process is to make sure that there is consensus with all participants. After the meeting, the risk management facilitator produces a summary of the discussion, including the ranked critical risks, the cut score and other information obtained at the meeting. This report is sent to participants for review and approval. Participants are not permitted after the meeting to change the results or ranking, only to correct inaccuracies.

Following the assessment team approval process, the risk management facilitator vets the information with the business area sponsor or risk owner (usually a senior executive) to review the results. The owner is usually not a participant in the assessment meeting. The advantage of this is that the assessment team of stakeholders can speak more freely at the meeting and add their local expertise to the discussion. The disadvantage of not inviting the project sponsor to the meeting is that the sponsor may have a completely different assessment of the risks associated with the project. Sometimes sponsors have identified risks not considered critical by the assessment team as being most critical to the project. In other cases the sponsor may suggest a re-ordering of the risks based upon his/her understanding of the project and its risks. There could be many reasons for this difference of opinion. One, of course, is that senior executives may have a greater (or possibly lower) appetite for certain risks than those chosen for the assessment team. Sometimes the risk category is something that has the attention of senior executives at the moment, which may color the executive's thinking. Other possible reasons include experience differences, better data, or discussions at senior levels to which others are not privy. Although rare, changes made by the senior risk owner are considered by the risk management team, internal audit and other areas as appropriate. Changes are negotiated and reconciled until an agreed-upon list of evaluated risks is developed.

A caveat. This risk assessment process may not identify every critical risk. Practitioner assessment team members or the risk management staff may have little or no experience in the process or change being investigated and may, as a result, miss critical risks. Missing critical risks becomes more probable the less experienced team members are with the subject of the project. For example, the organization may be assessing a completely new product, process or acquisition that currently has no peer within the existing organization. In a situation like this, the risk assessment team may want to consider hiring outside experts to assist in the assessment process.

An advantage in this process is that during the assessment the original members of the project team are augmented with individuals from finance, IT, legal, audit and compliance. As the project evolves over the course of its mission, risks that were considered not critical may become critical due to changes in project scope or external environment. Factors such as new laws or changing market conditions may make insignificant risks significant. Part of the risk assessment process is monitoring results. This includes monitoring the project team's process and its eventual deliverables.

Success can also produce risk. A limitation that the risk management department faces is the significant increase in demand for its services especially for its project risk assessment process. With its limited resources the department risks being stretched too thin.

10.7 SURPRISES

Although the risk management team currently enjoys strong support for ERM, direct support for ERM can change as organizational leadership changes. While the major ERM frameworks (ISO 31000, COSO) and others emphatically point to the need for support for ERM from senior executives, these guidelines provide little guidance to ERM managers on how to navigate the inevitable cyclicality of support and the labyrinth of internal cultural challenges that must be overcome for ERM to be fully blended into the organization. The risk management team understands that despite the lack of a “thou must” mandate from the C-suite, ERM and the risk assessment process are becoming more organically ingrained into the culture of this insurer. In many departments the assessment process has been inculcated into process. One of the reasons for this inculcation, which was mentioned before, is that risk management's mission in the assessment process is to support the person who asked for and sponsored the assessment in order to make him/her successful in the project. If the risk management team can do this, likely they will be called upon again to assist the sponsor in future projects. Risk management believes that this socialization of the ERM processes has been one of the biggest benefits of the ERM initiative.

10.8 HOW CAN AN ORGANIZATION SUSTAIN AN ERM INITIATIVE OVER TIME?

ERM practitioners have complained of organizational fatigue that makes it difficult to sustain ERM initiatives. One reason for this is that ERM may have been engaged to solve a particular problem. Once it is solved, executives lose interest and the initiative loses critical support from the top. In other cases practitioners complain that the initiative turns into a compliance scorecard, a check-box process where once the items are completed, the initiative is shelved until it is time to produce the next scorecard.

This insurer has sustained its ERM initiative for more than a decade. Risk management explained why their program has endured. First, while the ERM initiative is involved in both strategic and operational projects, the assessment process risk management uses can be applied with near universality to all organizational projects. Second, while the C-suite has not always had ERM at the top of its attention list, the risk assessment process was agreed upon and approved by the executive committee and codified into company practices, procedures and a corporate ERM policy. Third, the tool produces a metric which is simple and easily understood by all stakeholders in the organization. Thresholds require additional consultation which helps inform the entire organization from top to bottom of critical risks this insurer faces and how (or whether) they can be controlled.

Within this insurer's risk management approach is a recognition of the difference between operational risk and strategic risk. Each requires risk management but within different time frames. At the strategic level, with a three- to five-year time horizon, it's about managing risks to provide strategic advantage (strategy formation) and “straightening the path” for strategic implementation. Sizeable opportunities present themselves more at the strategic level than the operational level. At the operational risk level the effort is about managing within tolerance levels in the present-to-eighteen-month time frame. While operational changes do not often provide sizeable opportunities, there are times when changes in process or more efficient uses of resources can be opportunistic in nature and may even serve to offset some of the cost of risk of the operation itself. In between the strategic and operational levels are intermediary risk themes. These can include managing risks for a major business process that are both operational and strategic in substance and in time horizon. The focus at this level could also be on intermediate-term trends that may impact the organization, such as a mild recession or an improving economy. It is also the space where emerging (and potentially critical) risks are reviewed and discussed by officers for possible acceleration to a strategic discussion at the board and senior vice president level, or returned to the operations level to be addressed there.

Next, the mantra of the risk management department is simplicity. This insurer's risk management team has boiled down the risk management process into four simple steps: identify, evaluate, mitigate or find the opportunity, and monitor. This simplified approach makes it easy for all employees to understand and remember.

There is a distinct difference in this insurer's risk management approach that is not often noted in other risk management process methodologies: mitigate or find the opportunity. What this insurer wants to understand is not only what the risk is but whether this risk has a positive opportunity to increase profitability, productivity, reputation or other valuable corporate assets. This subtle emphasis on the positive possibilities of risk can help alter the perception that risk management is all about pointing out the bad to the exclusion of the good. With this approach, project sponsors and others understand that efforts will be made in the assessment process to identify positive opportunities from the existence of risk that can be exploited.

The risk assessment process and tools have been simplified and improved over time and reports from risk assessment meetings are written for the average person, not a risk management specialist. The risk management team is also aware that it provides a coaching and consultative service that can command only limited amounts of time from busy employees and executives. The streamlined two hour assessment meeting is an example of this. At the same time the risk management team helps the assessment team, project team, executives and other stakeholders focus on critical risks – another simplification process.

Complexity has been a major stumbling block for other ERM initiatives. Consultants and others in early ERM initiatives tried to develop processes to identify every risk. They developed and deployed sophisticated analytical tools and instruments to sort, quantify, and assess impact and criticality. Often risk managers and executives became frustrated with the pace of the risk assessment process and/or the amount of time that individuals in the organization had to spend in risk assessment meetings, answering surveys, or providing more and more data to the risk consultants or risk management department.

Risk management at this insurer explained the assessment process with this analogy: it gets us to the right zip code, not to the street address. Rather than try to identify all the risks that face the organization, the risk management team concentrates on critical risks. This also means that if there is a need for sophisticated analysis this can be done on a small number of risks. A smaller number of critical risks makes it easier to consider how these correlate with each other which may increase occurrence probabilities or impact effects.

The risk management department is not distributed among business segments. The disadvantage is that the risk management team may not have specialists who have in-depth knowledge of the processes, procedures and products of each division. That said, the annual companywide operational risk assessment by the risk management team is used to develop an annual audit plan which informs the compliance department and is used to drive new initiatives. Moreover, the process that the risk management team has developed uses the expertise of the organization to understand risks and how to treat them. After all, the operational areas own the risks and are responsible for managing them. They are the ultimate risk managers, and the ERM processes, including the risk assessment process and risk coaching, have served to make many participants better risk managers as a result.

An advantage of the centrality of risk management is that individuals have participated in most of the change projects and have a central risk database that they can use to determine whether there are risks of one project that could adversely impact other projects or produce correlated risks that might be detrimental to the organization.

The insurer has developed an ERM timeline that involves the different levels of risk ownership over the course of one year. Maintaining a consistent set of activities is important for many reasons. First, it allocates responsibilities and authorities to appropriate levels within the annual calendar. Second, it provides temporal benchmarks for when certain reports or other results must be reported or meetings conducted to further the ERM discussion. To accomplish this objective the ERM program schedule is synced with the “rhythm” of the business, and its tasks have been made part of the company's schedule of prescribed activities. Third, the ERM Program Timeline provides a framework for the ERM department to manage the ERM process and identify places where the process is being engaged and places where progress is slipping.

10.9 HOW DOES THIS INSURER RISK MANAGEMENT PROGRAM MEASURE ERM SUCCESS?

The persistent dilemma that all risk managers face is how to measure success. Success is preventing risks from producing problems and losses in the first place. Although there are some methods like comparing lawsuit or loss data to previous periods, it is difficult to measure what didn't happen. However, this insurer conducts regular employee surveys which include risk management questions that provide the risk management department with information on how well its acculturation efforts are working and how effective its processes are in identifying and assessing risk. ERM is embedded in most planning processes, in project management, internal audit, compliance and legal. Often it is key employees and executives who now deliver the message of why it is important to use the risk assessment process rather than the risk management department. Risk management has identified that one of the most critical measures of success is the increase in numbers of project managers and others who call the department when new projects or processes are being considered.

10.10 QUESTIONS FOR STUDENTS AND PRACTITIONERS

  1. Even if coverage grants will not differ between one insurer and another in the Health Insurance Exchanges mandated by the Affordable Healthcare Act, no participating insurer can predict its cost of goods sold in advance because it cannot know the frequency and severity of its claims costs during the coverage period. Thus the premium charged for a year is only an estimate of claim payments, reserves, and adjustment expenses plus underwriting expenses and a provision for profit. With other commodities such as grains, oils, and the like, the cost of goods sold is known at the time the product is sold.
    1. Speculate on how this difference in the health insurance commodity product might affect the marketplace for health insurance coverage in the exchanges.
    2. Consider also what impacts this difference might have on theories of supply and demand as it relates to commodity products.
  2. Company leaders change. Often new leaders bring new ideas and sometimes lead the organization in new directions. While ERM is flexible conceptually, and techniques and critical risks can be adjusted with strategy changes, a change in leadership and/or strategy can move ERM either in or out of what leaders spend time thinking about or managing.
    1. Consider what techniques or steps that the risk manager can take to inculcate the ERM program into the culture of the organization so that it can continue to thrive even during the extremes of leadership and strategic changes with minimal disruption (proactive).
    2. Next, consider this scenario: there has not been time to inculcate ERM into the culture of the organization. There is a change in leadership where ERM becomes important to management. How can the risk manager optimize the ERM program in this environment (reactive)?
    3. Finally, consider the reverse: ERM is not important or much less important to the new leadership. How can the risk manager maintain a viable and productive ERM program in this environment (reactive)?
  3. One issue with the success of an ERM initiative is something that this insurer is facing and others may face – having the risk management staff become stretched too thin. This could reduce the efficacy of the risk management initiative and as a consequence the ERM project may lose momentum over time which it may never get back again. One solution, of course, is to hire additional risk management staff to maintain the levels of service required. What other solutions could you offer this insurer or other organizations when faced with this dilemma?
  4. There can be differences within the organization in people's appetite for risk. This insurer indicated that some senior leaders assessed the impact and criticality of risks differently from risk assessment team members. Differences in risk perception and appetite are likely inevitable between persons hired to take risks and persons with little appetite for risk who see themselves as protecting the assets of the organization from risks. However, this disconnect between stakeholders in an organization can lead not only to conflicting messages but missed opportunities or risks taken that could have been better managed.
    1. How would you identify and provide a metric that defines the target risk appetite of the organization?
    2. How would you assess the risk appetite across the levels of the organization?
    3. What techniques, processes, or activities would you recommend that an organization consider deploying that could produce an optimal consensus of the risk appetite throughout the enterprise?
  5. Consider the risk assessment tool that this insurer has developed. As risk manager or consultant you want to adapt this tool for your organization, your client organization, or some other target organization.
    1. How would you begin this process? Who would you consult?
    2. What team of persons would you want to develop this tool?
    3. From what you know about this organization today: assess the risk appetite of the organization.
    4. After assessing risk appetite, modify the tool to meet the needs of that organization.
    5. Then, identify the risk score and/or situations where risk assessment must be elevated to increasingly higher levels of management.
    6. Finally, explain how you might influence the organization to adopt this tool and the circumstances under which this tool should be or must be used.
  6. Organizations outsource critical services or processes and have critical suppliers. These suppliers and service providers are part of the extended enterprise of the organization. However, should critical suppliers or services be disrupted for any reason, critical services to customers of the enterprise may be interrupted which may be damaging to the enterprise's operations and reputation. Consider your organization, your client organization, or some other target organization.
    1. Define what a critical supplier or product or service delivery partner is for this organization.
    2. Identify critical suppliers and product or service delivery partners.
    3. Develop a plan to influence and/or mandate that critical suppliers or product or service delivery partners have a business continuity plan that is in synch with that of the organization.
  7. Develop a simple but complete explanation/illustration of risk and the risk management process for your organization that can be understood by all employees. Consider that a significant percentage of employees speak English as a second language and may not have learned to read English.
  8. This insurer has a centralized management structure and a centralized risk management department. Consider how you might construct an effective ERM initiative in a company:
    1. Where management is department driven and where there are business silos.
    2. Where the company is split into self-contained product or service divisions whose senior executives are members of the senior leadership team.
    3. In a matrix organization where individual division heads may report up through multiple senior executives.

APPENDIX A

Project/Committee Risk Assessment – User Guide

The ______________________ department within the _____________ group, is responsible for providing the governance, methodology, and overall oversight of the ERM Program at _________. Part of that responsibility includes the development of process tools like this Project/Committee Risk Assessment process.

This user guide provides an overview of the following areas:

  • Purpose of the Enterprise Risk Management Program and how the Project/Committee Risk Assessment process supports the Program.
  • Project/Committee Risk Assessment Process.
  • Roles & Responsibilities related to the Project/Committee Risk Assessment (see Table 10.5).

PURPOSE

The purpose of Enterprise Risk Management (ERM) is to help reduce uncertainty associated with risk taking activities by providing a disciplined process and methodology to sustain stakeholder value and improve operational efficiency and effectiveness through better decision-making, thereby improving company value.

The Project/Committee Risk Assessment (PCRA) process is a tool in the ********* ERM program to help ensure efficient achievement of management's goals through a better understanding of significant risks and development of pro-active mitigation plans within a specific context (e.g., new product, significant project, “blue-printing” of entire subsidiaries, or process re-design).

PROJECT/COMMITTEE RISK ASSESSMENT PROCESS

Preparation
  1. Assessment Sponsor identifies the need for a PCRA due to a significant change/addition of product, system and/or process.
  2. Assessment Sponsor contacts ****** to identify a *** Facilitator for the PCRA.
  3. *** Facilitator works with the Assessment Sponsor to identify needed participants. A person to capture the assessment information in an Excel file (real-time, on screen) is identified.
  4. Assessment Sponsor schedules the PCRA for a 2-hour session in a room that has network connectivity and the wall space for a projector (*** may be able to schedule the session in *******, which contains all the needed technology).
  5. Assessment Sponsor prepares a synopsis for the PCRA participants that includes the subject of the assessment to help set the context of the discussion. The synopsis should indicate any impacted products, systems, processes, and a time period.
  6. Assessment Sponsor emails the synopsis and this PCRA User Guide to meeting participants ahead of the scheduled PCRA.
Assessment – Risk Identification and Evaluation
  1. *** Personnel and the assessment sponsor confirm that all PCRA materials are ready and the technology is set up for the session.
  2. The Assessment Sponsor provides copies of the synopsis and kicks off the session detailing the background of the topic under assessment.
  3. The *** facilitator will start the assessment session which includes:
    • 5–10 minute overview of ERM process.
    • 45–50 minutes of risk identification/brainstorming by PCRA participants.
    • 45–50 minutes of risk evaluation and ranking by PCRA participants.
    • 5–10 minute closing/next step discussion.

Post Assessment – Risk Mitigation and Monitoring
  1. *** Facilitator emails the completed assessment to the PCRA participants. The assessment is in an Excel format and includes columns for mitigation plan information.
  2. Assessment Sponsor is responsible for ensuring approved mitigation plans are identified for all significant risks and the updated assessment document is returned to the *** facilitator.

Table 10.5 Summary – roles and responsibilities

Role: Assessment Sponsor
Responsibilities:
  1. Contact *** for a risk management facilitator.
  2. Identify participants and schedule session.
  3. Provide synopsis and this User Guide for participants ahead of the scheduled PCRA.
  4. Obtain and/or develop mitigation plans for significant risks identified during the PCRA. Return mitigation plans to *** Facilitator.

Role: PCRA participants
Responsibilities:
  1. Be on time!! A 2-hour session is just enough time to complete an assessment.
  2. Be prepared. Read the synopsis provided by the Meeting Host and ask preparatory questions if needed.
  3. Be present mentally (don't reply to text messages and e-mails) and actively participate. Risk management is everyone's responsibility. As an identified Subject Matter Expert, the Meeting Host is relying on your input to help ensure potential/existing risks are identified and appropriately ranked.

Role: *** Facilitator
Responsibilities:
  1. Provide the tools (technology, methodology) to host the PCRA.
  2. Provide guidance throughout the PCRA related to ERM process/tools.
  3. Provide oversight and governance of the ERM process to ensure that mitigation plans are provided in a timely manner and are reasonable for significant risks identified.
  4. Be available for questions before, during and after the PCRA.
  5. Follow up on any risks with indices 200 or above.

APPENDIX B

Risk Evaluation Tool

PURPOSE

The purpose of Enterprise Risk Management (ERM) is to help reduce uncertainty associated with risk taking activities by providing a disciplined process and methodology to sustain stakeholder value and improve operational efficiency and effectiveness through better decision-making, thereby improving company value.

The Project/Committee Risk Assessment (PCRA) process is a tool in the _______________ ERM program to help ensure efficient achievement of management's goals through a better understanding of significant risks and development of pro-active mitigation plans within a specific context (e.g., new product, significant project, “blue-printing” of entire subsidiaries, or process re-design).

Assessment – Risk Identification and Evaluation

  1. Project personnel and the assessment sponsor confirm that all PCRA materials are ready and the technology is set up for the session.
  2. The Assessment Sponsor provides copies of the synopsis and kicks off the session detailing the background of the topic under assessment.
  3. The facilitator will start the assessment session which includes:
    • 5–10 minute overview of ERM process.
    • 45–50 minutes of risk identification/brainstorming by PCRA participants.
    • 45–50 minutes of risk evaluation and ranking by PCRA participants.
    • 5–10 minute closing/next step discussion.

NOTES