Executive Summary
Whether it’s to fulfill ORSA requirements, boost credit ratings or comply with SEC regulations, the vast majority of insurance companies establish ERM and go through the motions each year because it’s something they have to do. But ERM doesn’t have to be a box you just check off. When the goal or scope of ERM moves beyond preventing failure and complying with regulations to include strategic planning and execution, decision-making, and ensuring the company’s success, it can transform from being a cost center into a valuable tool.

Enterprise risk management (ERM) can be like eating your vegetables or doing homework as a youngster: Most kids didn’t particularly enjoy it; they only did it because parents and teachers made them.
While these necessities of childhood change as we grow into adults, the fundamental concept does not. There are things we don’t take pleasure in, like renewing our car registration or getting a root canal. We just do them because the consequence of inaction is much worse.
ERM can be much the same way for insurance carriers.
Whether it’s to fulfill ORSA requirements, boost credit ratings, or comply with SEC or stock exchange regulations, the vast majority of insurance companies establish ERM and go through the motions each year because it’s something they have to do rather than want to do.
To many carrier executives, ERM is just that—a nuisance to check off the list and move on. As Norman Marks explains in his book “World Class Risk Management”: “…when risk management is implemented in response to regulation, it becomes a cost of doing business instead of a way to do business more effectively.”
Like nutrition and exercise, ERM doesn’t have to be a box you just check off. When the goal or scope of ERM moves beyond preventing failure and complying with regulations to include strategic planning and execution, decision-making, and ensuring the company’s success, it can transform from being a cost center into a valuable tool (i.e., from something you have to do into something you want to do).
You’ll probably agree this transformation will be a challenge, but thankfully, it’s not one that requires huge, expensive or time-consuming investments in software or elaborate models.
Despite widespread adoption of ERM, especially in the insurance industry, surveys like the 2022 State of Risk Oversight Report from NC State and Protiviti indicate that only 15 percent of financial services firms believe their ERM process is either mostly or extensively a “proprietary strategic tool that provides a unique competitive advantage.”
But to understand what needs to be fixed to change this belief, you first need to understand what’s broken and how this can keep your company stuck.
Based on my observations of practices over the years, the struggles that insurers experience with ERM can be broken into three main areas. Continue reading to learn more about these struggles plus changes that can be made to transform ERM.
Struggle #1 — Risk meetings occur sporadically and are all about documentation.
Since regulators ask to see a risk register, audits of risk controls and other supporting documentation, risk meetings (whether held quarterly or annually) will just review a list, talk it over for a few minutes and move on. As long as the risk discussion is documented, everything is fine—or at least, that is what people think.
The problem with this style and purpose of meetings is that they don’t provide insights to help the leadership make better decisions around prioritizing strategic initiatives, allocating resources to operational or administrative projects, pursuing opportunities, and responding to any issues or crises that inevitably come up.
Much of the discussion results in simply putting what everyone already knows down on paper. This may be good for satisfying regulators, but since risks change so quickly, this information is usually obsolete before the report is even finished.
Solution #1 — Instead of quarterly, semi-annual or annual risk meetings, embed risk into more frequent, existing executive team meetings.
It’s customary for the executive team to meet more frequently than a few times a year; in fact, my experience shows leadership typically meeting anywhere from once a week to every other week. To bring about better decisions and transform beyond a cost center, ERM needs to have a seat at that meeting for business discussions and not be considered some separate activity with limited value.
The individual who fills the ERM role at the table can be a CRO, but if this person holds multiple titles or fills multiple roles (i.e., wears too many hats), they may not have the experience or even the time to devote to it. What’s needed is someone with enough knowledge of the business to provide good input and ask good questions. In the end, this is the role of the ideal risk professional: to challenge assumptions and ask questions in real time as decisions are being made.
For example, management must deal with a vendor who isn’t meeting its service metrics and figure out the next steps. Risk can be there to ask: What is that vendor being used for? How critical are they for the company? What processes/functions do they support? How is this vendor impacting our policyholders, our agents, our employees? Can we get along without them, and if not, why? What will we need to do if this situation continues to deteriorate? What do we need to do to get this relationship back on solid footing? How far are we willing to let it go before taking action?
You can see from this one example how questions like these can help ensure better decision-making.
As for reporting risks to regulators, there doesn’t need to be a separate meeting just to have “risk committee minutes.” You don’t have to share every private detail of a corporate or executive meeting. Instead, simply take a summary of what was discussed in the executive meeting, list what risks were discussed, what action items were agreed upon and who is responsible.

Struggle #2 — Risk assessments only occur annually.
Between conducting interviews and surveys, aggregating the information, and prioritizing the risk(s), it often takes months to conduct a risk assessment for one business area. By this point, the competitive and operational environment has likely changed, and the risk information it took months to gather is now obsolete.
For a decision-maker and executive, this pattern can be especially frustrating because it seems to repeat what you already knew. As a result, any reports are cast aside, little to no value is gained from the entire exercise, and everyone feels like it was a huge waste of time and effort.
Solution #2 — Conduct risk assessments more frequently but use different approaches each time.
Rather than one big annual assessment leading up to ORSA, ERM should be cycling through the business functions at least quarterly and having shorter, quicker conversations with leaders of these disparate areas of the company.
These conversations don’t have to be in-depth and can even use different techniques. Instead of an interview, use electronic surveys, workshops or self-facilitated focus groups.
Also, these check-ins should not be an update of what’s already been identified but rather an opportunity to ask in-depth questions beyond “What’s keeping you up at night?”
Example questions can include:
- What’s changed in your business area over the last quarter?
- Have any operational issues come up? If so, what?
- Were these issues resolved to your satisfaction?
- What are you seeing on the horizon that concerns you?
- Do you feel like you have the resources needed to accomplish what you have on your plate for this year?
A process can be developed to aggregate this information quickly; again, it should not be something so complex that it takes months to complete.
This approach transforms risks from a list into more of a narrative around management’s concerns and provides an opportunity and forum to discuss in real time the concerns that can impact the business, both strategically and tactically.
Struggle #3 — Board presentations occur annually, simply rehash what everyone already knows, or are so high-level as to be useless.
For many companies, management will only present “top risks” to the board once a year. Many regulations, like the Dodd-Frank Wall Street Reform and Consumer Protection Act, require banks of a certain size to keep boards informed of the bank’s top risks. Ratings agencies are increasingly assigning credit ratings based on how robust (and useful) a company’s ERM processes and board reporting are, irrespective of any formal rules.
A company’s board can no longer abdicate to management its responsibility to know and understand the company’s risks. Nor can it claim it didn’t know a particular risk was a problem for the company without suffering any consequence.
However, in many cases, board-level risk presentations are hurried (15 minutes or less), and there’s little to no time for questions or in-depth discussion of supporting documents. The board may glance at the two-to-three-page report, but they quickly put it aside. And the documents placed in the appendix for the board or board committee to read at their leisure are not being read either, due to a lack of context, details or a person available to answer questions.
Solution #3 — Delegate real risk oversight to a board-level risk committee.
Financial services firms of a certain size are required to have a board-level risk committee, but it’s valuable for any company to have one regardless of any requirements. These committees are where in-depth conversations about particular risk(s) can happen quarterly, although I personally prefer monthly or every two months. Doing this will enable the committee to understand what’s currently going on in the business, what’s being done about it, and how risks that have been accepted are being monitored and handled. The environment of the business, within and without, is too volatile to keep in-depth risk discussions to quarterly, and sadly, if you want accountability to get action plans done, ask about the status of those action plans more frequently. The action owner will want to demonstrate progress between inquiries.
While this board-level risk committee can handle the in-depth discussions, the discussions held during committee meetings will need to be summarized and provided to the full board. These updates can occur semi-annually and consist of something along the lines of what was talked about recently, any risk acceptances and status updates on risk mitigation action items that were assigned to various members of management.
Besides obtaining insights from board members to enable better decision-making on the part of management, the general public and investors will have greater confidence that the company is being run well.
Struggles like these are real and can keep an insurer’s ERM practices stuck in the past if not addressed. With game-changing technology across the insurance market, increasing litigation, escalating claim volume and complexity, financial market volatility, and other challenges, insurers can no longer afford to keep ERM limited to satisfying regulators and preventing failure.
This is a recipe for failure in the long run.
Transforming ERM into an active decision-making role starts with you, the carrier executive. It starts with leadership’s tone at the top.
Without leadership being totally behind the changes that need to be made and fostering the right culture, the rest of the company will not understand the value ERM can provide and will continue with business as usual. While the right risk leader can build out processes and so forth, executives will need to be there to keep the ball rolling in the right direction while ensuring any changes are lasting and providing value to the company.