Until the 1990s, few business leaders thought of risk management as something broader than the procurement and administration of corporate insurance. In this article, we explore the origins of the new field known as Enterprise Risk Management (“ERM”) and the value of the traditional risk management community to ERM.
“The literature of a subject constitutes a record of its evolution, and of the different aspects of which have received particular attention at various stages of its development. Risk management has now been a term in general use for some thirty years, long enough for it to have developed from a largely theoretical approach to risk problems fostered by a handful of academics and far-seeing insurance managers in industry into a generally-accepted approach to the practical solution of certain types of problem in the industrial and commercial world, and in local government. . . Research into risk management immediately encounters some basic problems of definition. There is still no general agreement on where the boundaries of the subject lie, and a satisfactory definition of risk management is notoriously difficult to formulate.”
- G. Neil Crockford, The Bibliography of Risk Management: Some Preliminary Observations, pp 169-170 (Geneva Papers on Risk and Insurance, 7 No 23, April 1982)
The preceding section described how a call for a holistic approach to risk management that is broader than the procurement and administration of insurance emerged long before today’s focus on Enterprise Risk Management (“ERM”). In his seminal article written in 1976 for Fortune magazine, Felix Kloman opined that a holistic approach should begin with a “clear written statement of policy supported by the board of directors, designating the administrative authority for coordinating the risk management effort.” (Felix Kloman, The Risk Management Revolution, Fortune (July 1976)).
Fourteen years later, in 1990, Kloman defined a holistic approach to managing risk, a profession that began in the 1950s, as follows: {R]isk management should be seen more as a function than a specific person. It should be practiced by many levels of management, with coordination and guidance from a senior level. . . . How will the new risk management process function? Ted Ferry of the University of South Carolina suggests:
The new risk management will be an outgrowth of earlier efforts and disciplines. It will be a true synthesis of many of the earlier ideas that have approached risk from a more limited vantage point. The synthesis will be composed of ideas and efforts from the following areas:
The new risk manager will not have to be, and certainly cannot be, an expert in each of these areas. He or she will, however, have to be a manager in the broadest sense of the word, one who is at least conversant with the applicable disciplines and willing to look broadly and holistically at risk as it affects the organization (Felix Kloman, Risk Management Agonistes, Risk Analysis, Vol 10, No. 2 (1990)).
This call for a holistic approach from Kloman and his contemporaries (Other international experts expressing similar views included Gustav Hamilton, a risk manager in Sweden, and Neil Crockford, a risk management expert working in England) in other parts of the world emanated from increasing recognition that various business functions of a corporation (e.g., finance, operations, insurance etc.) were managing different kinds of risk separately and independently of each other. These visionaries were sensing what previously-discussed leaders like Paul O’Neill and Stanley McChrystal came to realize – silos and stratification impeded building a shared risk consciousness that enables the right people at the right level to make better and timelier decisions with input from relevant and knowledgeable colleagues. In the 1990s, the business and academic community would give a name to this concept of using a holistic approach to manage uncertainty: enterprise risk management or integrated risk management.
Where are we 30 years after Kloman’s call for a holistic approach or what we know today as ERM? For starters, many organizations still follow the traditional model that equates risk management with insurance management. This traditional model is oriented toward prevention of accidental loss, insurance purchasing and management, and solving specific insurance-related problems through some combination of avoidance, control and financing. Subjects of interest include loss control, premium management which includes self-insurance and deductibles, claim management, and captive insurance companies. Each of these subjects, in turn, have spawned additional areas of specialization and expertise. Loss control, for example, has a mature base of expertise that includes fire and general accident prevention, health and safety, and security – all of which is designed to reduce the likelihood of a claim being made against an insurance policy. Insurance companies benefit from increased profits that result from not having to pay out claims and policyholders benefit from having their premiums lowered.
Expertise with the prevention of accidental loss is a core skill needed for effective ERM as the technology industry is starting to discover. A current fad in software development is the concept of agile development which is based on short iteration cycles that provide constant flow of program code to the customer. Because requirements for software are presumably clarified with each iteration cycle, there is a tendency to dismiss the need for documentation or to make the documentation less detailed than it should be. What happens when new members join the team and don’t know the details about certain product features or how they need to perform? Even worse, software development teams do not last forever and what happens when the inevitable handover occurs and there is no preserved knowledge about how security was addressed, especially when security is an important part of the end product?
This brings us to our concluding thought for this section. The traditional risk management community has an important and continuing role to play in the future development of ERM. It is true that some risk is complex and can only be handled through continuous learning in an ever-changing dynamic environment. But go back for a moment to risk and technology. Not all cyber-security risk is complex; some of it is simple or complicated risk that can be handled through basic tools like multifactor authentication, strong password rules, and data encryption. The challenge is getting business leaders, including systems developers and product managers, to recognize that security risk considerations need to be a core tenet of the design and developmental process and not something that is “bolted-on” later or mitigated by scans conducted by personnel responsible for information security.
Healthcare is another example where the traditional skills associated with preventing accidental loss arising from simple and complicated risk is important. Healthcare acquired infections remain a leading cause of death and illness. At any given time, about 1 in 25 in-patients have an infection related to hospital care, something we can easily classify as a preventable form of accidental loss. These infections lead to the loss of tens of thousands of lives and cost the U.S. healthcare system billions of dollars each year.
Why? Sadly, the answer is that healthcare settings struggle with managing the types of simple and complicated risks that comprise basic policies and procedures for infection control. These basic protocols include repetitive behaviors of hand washing and proper insertion, maintenance, and removal of devices such as catheters and ventilators. At a more abstract level, hand washing is a type of simple risk that can be managed in a linear fashion through standardized procedures that yield predictable outcomes (less infection). Similarly, using devices is a type of complicated risk that is managed by various experts coordinating the development and implementation of standardized instructions to achieve a specified outcome (again less infection). This kind of work is what the traditional risk management community excels at.
In short, simple and complicated risks will remain an important part of everyday life and the traditional risk management community is well poised to help ensure that ERM frameworks contain robust practices to manage this type of uncertainty.
- G. Neil Crockford, The Bibliography of Risk Management: Some Preliminary Observations, pp 169-170 (Geneva Papers on Risk and Insurance, 7 No 23, April 1982)
The preceding section described how a call for a holistic approach to risk management that is broader than the procurement and administration of insurance emerged long before today’s focus on Enterprise Risk Management (“ERM”). In his seminal article written in 1976 for Fortune magazine, Felix Kloman opined that a holistic approach should begin with a “clear written statement of policy supported by the board of directors, designating the administrative authority for coordinating the risk management effort.” (Felix Kloman, The Risk Management Revolution, Fortune (July 1976)).
Fourteen years later, in 1990, Kloman defined a holistic approach to managing risk, a profession that began in the 1950s, as follows: {R]isk management should be seen more as a function than a specific person. It should be practiced by many levels of management, with coordination and guidance from a senior level. . . . How will the new risk management process function? Ted Ferry of the University of South Carolina suggests:
- We need an overview of checks and balances that studies every interface and assures that all risk elements are considered. We need persons who can see the big picture, overview, coordinate, assimilate and bring every aspect of risk into focus.
- Using the new definition and these comments, risk management becomes a planning and strategic function, not solely an assessment, financial or safety one.
The new risk management will be an outgrowth of earlier efforts and disciplines. It will be a true synthesis of many of the earlier ideas that have approached risk from a more limited vantage point. The synthesis will be composed of ideas and efforts from the following areas:
- Insurance management and risk funding.
- General management theory and practice, from Henri Fayol to Peter Drucker.
- Macro-risk assessment and decision risk theory and practice, addressing such areas as nuclear, natural disaster, and environmental risk.
- Quality assurance methodology, for both products and services.
- Loss prevention, safety, and security engineering.
- Crisis management.
- Financial risk maneuvers, including currency hedging and interest rate swaps.
- Risk psychology, education, and communication.
- Statistics and actuarial sciences
The new risk manager will not have to be, and certainly cannot be, an expert in each of these areas. He or she will, however, have to be a manager in the broadest sense of the word, one who is at least conversant with the applicable disciplines and willing to look broadly and holistically at risk as it affects the organization (Felix Kloman, Risk Management Agonistes, Risk Analysis, Vol 10, No. 2 (1990)).
This call for a holistic approach from Kloman and his contemporaries (Other international experts expressing similar views included Gustav Hamilton, a risk manager in Sweden, and Neil Crockford, a risk management expert working in England) in other parts of the world emanated from increasing recognition that various business functions of a corporation (e.g., finance, operations, insurance etc.) were managing different kinds of risk separately and independently of each other. These visionaries were sensing what previously-discussed leaders like Paul O’Neill and Stanley McChrystal came to realize – silos and stratification impeded building a shared risk consciousness that enables the right people at the right level to make better and timelier decisions with input from relevant and knowledgeable colleagues. In the 1990s, the business and academic community would give a name to this concept of using a holistic approach to manage uncertainty: enterprise risk management or integrated risk management.
Where are we 30 years after Kloman’s call for a holistic approach or what we know today as ERM? For starters, many organizations still follow the traditional model that equates risk management with insurance management. This traditional model is oriented toward prevention of accidental loss, insurance purchasing and management, and solving specific insurance-related problems through some combination of avoidance, control and financing. Subjects of interest include loss control, premium management which includes self-insurance and deductibles, claim management, and captive insurance companies. Each of these subjects, in turn, have spawned additional areas of specialization and expertise. Loss control, for example, has a mature base of expertise that includes fire and general accident prevention, health and safety, and security – all of which is designed to reduce the likelihood of a claim being made against an insurance policy. Insurance companies benefit from increased profits that result from not having to pay out claims and policyholders benefit from having their premiums lowered.
Expertise with the prevention of accidental loss is a core skill needed for effective ERM as the technology industry is starting to discover. A current fad in software development is the concept of agile development which is based on short iteration cycles that provide constant flow of program code to the customer. Because requirements for software are presumably clarified with each iteration cycle, there is a tendency to dismiss the need for documentation or to make the documentation less detailed than it should be. What happens when new members join the team and don’t know the details about certain product features or how they need to perform? Even worse, software development teams do not last forever and what happens when the inevitable handover occurs and there is no preserved knowledge about how security was addressed, especially when security is an important part of the end product?
This brings us to our concluding thought for this section. The traditional risk management community has an important and continuing role to play in the future development of ERM. It is true that some risk is complex and can only be handled through continuous learning in an ever-changing dynamic environment. But go back for a moment to risk and technology. Not all cyber-security risk is complex; some of it is simple or complicated risk that can be handled through basic tools like multifactor authentication, strong password rules, and data encryption. The challenge is getting business leaders, including systems developers and product managers, to recognize that security risk considerations need to be a core tenet of the design and developmental process and not something that is “bolted-on” later or mitigated by scans conducted by personnel responsible for information security.
Healthcare is another example where the traditional skills associated with preventing accidental loss arising from simple and complicated risk is important. Healthcare acquired infections remain a leading cause of death and illness. At any given time, about 1 in 25 in-patients have an infection related to hospital care, something we can easily classify as a preventable form of accidental loss. These infections lead to the loss of tens of thousands of lives and cost the U.S. healthcare system billions of dollars each year.
Why? Sadly, the answer is that healthcare settings struggle with managing the types of simple and complicated risks that comprise basic policies and procedures for infection control. These basic protocols include repetitive behaviors of hand washing and proper insertion, maintenance, and removal of devices such as catheters and ventilators. At a more abstract level, hand washing is a type of simple risk that can be managed in a linear fashion through standardized procedures that yield predictable outcomes (less infection). Similarly, using devices is a type of complicated risk that is managed by various experts coordinating the development and implementation of standardized instructions to achieve a specified outcome (again less infection). This kind of work is what the traditional risk management community excels at.
In short, simple and complicated risks will remain an important part of everyday life and the traditional risk management community is well poised to help ensure that ERM frameworks contain robust practices to manage this type of uncertainty.
RSS Feed