More than 150 risk professionals attended two high-level enterprise risk management (ERM) events held in Malaysia and Singapore, providing a rare opportunity to directly compare the attitudes towards this important topic.
StrategicRISK Forum Kuala Lumpur 2017 and the Knowledge Live Singapore 2017 were held in September 2017 and focussed on how companies can enhance their enterprise risk management programmes.
Using interactive technology to conduct real-time polls during the events, the StrategicRISK team asked a series of questions of the audiences. When asked to describe the maturity of their ERM programmes, only 8% of the Singapore audience said theirs were risk enabled (fully embedded into operations and strategy), while 21% of the Malaysia audience thought that this was the case. Almost half of the Malaysia audience chose risk managed (enterprise-wide approach to risk developed and communicated), while about a third of respondents in Singapore chose this option. Almost 40% of Singapore respondents said risk defined (risk appetite defined with policies in place and communicated), while this figure was only 18% in Malaysia. Almost one in five Singaporean respondents went for risk aware (silo-based approach to risk), with only slightly fewer Malaysian audience members choosing this option. Perhaps reassuringly, no one in either forum said that their organisation was risk naive with no formal approach.
The audiences were also asked how long it would take for their organisations to become risk enabled. A similar proportion (3%) of people at both events said less than a year, while about 40% in both countries thought it was more like one to three years. A third of Singapore respondents answered three to five years, while 45% of Malaysian risk professionals gave this answer. More than five years was chosen by about one in 10 in both audiences. A similar number of Singaporeans said never, which was double that of the Malaysian audience.
About 12% of Singaporean respondents said that the prime sponsor of their ERM programmes was the chief financial officer, almost half the Malaysian response. About one in 10 of both audiences said it was the head of risk management/chief risk officer, but the Singaporean audience overwhelmingly named the chief executive officer/board (72%) as prime sponsor, while the figure was closer to 58% in Malaysia.
Only 4% of the Malaysian audience rated their senior management’s commitment to ERM as very high, with three times that figure choosing this option in Singapore. The rating was high in about a third of Singapore and a quarter of Malaysia answers, while moderate was the choice of 39% in Singapore and a whopping 73% in Malaysia. Interestingly, 15% of Singapore responders rated their senior management’s commitment to ERM as low or very low, choices that no-one in Malaysia selected.
Both audiences agreed that the most important goals of enterprise risk management were to drive profitability and growth and protect value, but Malaysians favoured the latter (protect value 56%; drive profitability and growth 32%), while almost half of Singaporeans went for driving profitability and growth, with protecting value receiving 42% of the vote. The remaining votes went to ensuring regulatory compliance or providing stability.
Lastly, when asked what level of influence ERM had on strategic planning and decision making at their organisations, only 3% of the Singaporean audience said very significant, a figure that rose to 7% in Malaysia. Significant influence was chosen by 28% in Malaysia and 19% in Singapore. About two in five respondents at both events chose partial. Tellingly, more than a third of the Singapore audience said very little, with more like one in five Malaysians going for this option.
Probing the panels
The votes were held during panel discussions conducted by risk and insurance professionals on topics that included getting support for your ERM programme from senior management, and avoiding the risk that the ERM process is just layered on top of the business, causing stakeholders to become disengaged. Panel members shared some strategies they have used to demonstrate the benefits of their ERM programme to senior management, create a common risk language across an organisation, and measure the benefits of their ERM programmes.
The panel in Kuala Lumpur consisted of Suchitra Narayanan, general manager of risk and insurance at Bumi Armada Berhad; Frashad Shah, senior manager, risk management, at Prolintas; Tong Kang Lim, chief risk officer at Tenaga Nasional Berhad; and Siow Lyn Chin, vice president risk management at AIG. The Singapore panel was Roland Teo, deputy director of ERM for Eastern Health Alliance; Kelvin Wu, risk and insurance manager at International SOS; Reginald Peacock, head of Zurich’s Singapore Branch; and Patrick Smith, director of Acumen Advisory.
Smith, who is currently working as global resilience leader at gig economy food delivery firm Deliveroo, is the former head of risk and insurance for Hertz, and is also a former chairman of Airmic, an association that represents risk managers and insurance buyers in the UK. He also works with Overark, a Lloyd’s managing general agent operating within the social housing sector, and Caucus, a captive company domiciled and regulated in Guernsey. This range of experience made him the perfect choice to speak at both events on the topics of developing, customising and implementing an enterprise risk programme, and taking your ERM programme to the next level.
In his presentations, Smith said that companies with truly embedded risk management processes should create a new chief strategic information officer role. “[That’s when] the role of CRO or risk management director becomes defunct and a title of chief strategic information officer becomes more appropriate for a truly embedded risk management process,” Smith said. “That would evidence that risk is shaking hands with opportunity, and ultimately the output from the ERM process is to gear the executive to make smarter and smarter strategic decisions,” he said.
Smith made it very clear that risk professionals needed to understand and adapt to the corporate cultures in which they find themselves. “If you want to be important to the important people in the business, figure out what they worry about, then work out what you can do to help with these concerns,” Smith said. “Are you a key adviser to the top level? If you are, you’re making good progress. If you’re not sure, you need to make a plan. The key thing is how you are perceived. Being perceived as supportive to the coalface – to the people who do the stuff – will help you succeed.”
The way in which risk management is approached in any company must be aligned to the culture and strategic goals of the organisation, Smith continued. “A risk manager needs to understand strategy and work out how they can assist with strategic decision making,” he said. “They can do so by using their risk radar to scan things such as competitors, consumers, process quality and supply chain.”
Smith pointed out that one of the key challenges for risk professionals was to “be credible in the context of their organisations”. “To a degree, proving and reproving their subject matter expertise is probably not the key,” he cautioned. “In all likelihood, their expertise in risk management is a given. Ultimately a proactive approach is for the risk manager to put themselves into the shoes of the executive and figure out by investigation – and in fact asking – what keeps them awake at night. Then they can start talking about what they would want to support their view of the objectives of the organisation and of the strategic achievements required.”
This engagement in truly understanding what an organisation is trying to achieve is what enables risk management to move itself from a risk register-based operational process to a strategic information-based service to senior management, Smith suggested.
‘What broke our company?’
One of the major principles of risk management is to evaluate an organisation’s propensity for loss, Smith reminded both audiences. “But I think to really test the risk culture of an organisation, the killer question to ask at executive or board level is to tell them that the organisation is broken, the organisation is failed and ask them to describe how that happened,” he continued. “So rather than looking at potential risks and how to manage them, to propose that fundamentally the business is defunct.
“In my experience that question has to be asked repeatedly to be truly heard because the knee-jerk reaction from most senior managements of course is to really think about the probability of a business failing. This question confirms that it has failed and how has it happened. Now when that question is understood and answered it can be very revealing in terms of what are the key strategic risks, the visualisation of how they might occur, and therefore identifying the next steps to mitigate that risk can be arrived at fairly simply.”
Smith went on to point out that, when you consider events that can really impact the reputation of organisations, you can generally point to crisis management as being the key to reputation enhancement or reputation erosion. “I think in a well developed and established risk management ERM program you will find that an enterprise crisis plan will be central to the management of risk once a major risk has crystallised and immediately deployed,” he said. “Certainly, when a major event happens that’s not the time to figure out what you’re going to do about it, so the enterprise crisis plan should simulate and rehearse the ‘what if?’ major scenario.”
StrategicRISK Forum Kuala Lumpur 2017 was sponsored by AIG and the Knowledge Live Singapore 2017 was sponsored by Zurich. Both events were supported by the Pan-Asia Risk & Insurance Management Association (PARIMA).