Immediacy or necessity has a way of sneaking up on us and getting our attention.

This principle is true across the board.

Nobody rushes to the front of the line to get a colonoscopy or root canal, but when circumstances force us, we’ll take action, albeit grudgingly.

Some examples of how this may look for an insurance carrier include:

• Ratings agencies like AM Best, Demotech, or Kroll say your current program is insufficient for the size or complexity of the company. Without drastic action, the company could see its rating downgraded.
• State insurance agencies and other regulators are asking more questions about risks, modeling, controls and mitigation verification, expressing concerns that the company will be unable to protect itself.
• The company is nearing the $500 million threshold for ORSA regulations and is nowhere near ready.
• Significant changes to corporate governance result in a misalignment between the board and the executive discussions and expectations regarding risk-taking behavior.
• Haphazard meetings create internal chaos and gridlock, leaving the company with missed performance goals; extended projects cost more money than budgeted and larger than expected financial losses overall.
• Premium growth creates more volume to maintain, leading to expensive changes in technology and employee costs.
• Expansion into new geographic markets makes the company subject to additional (new) regulations.
• Antiquated assessment and analysis methods generate reports that regurgitate what is commonly known already.

Enterprise risk management is a prime example of this principle in action in the insurance industry, or any business, to be honest.

ERM is a subject many executives would prefer to avoid. Admit it, you’d rather spend your time talking about operations, rates, products, claims and even systems—not enterprise risk management.

However, there are certain situations where you will have no choice—where, as a company, you are backed into a corner and focused into action: either adopt ERM or updates practices to reflect not only where the company is now but where it’s going.

Although there are many reasons or triggers that can back a carrier into a corner, prompting action, there is one overarching principle that drives these situations to come about. Nothing stays static over a number of years. Companies change internally, and so does the external operating environment. It’s been a fact of life since time begin.

Therefore, the question has to be asked: What makes an ERM practice or program any different? A carrier may be prompt in adapting its underwriting or claims processes based on current events and trends, but when it comes to ERM, many leaders expect practices, implemented five, 10, even 15 years ago, to still meet the company’s needs today.

Think of it like a new suit, especially for a fast-growing teenager. When the parent buys a new suit for their child, it fits perfectly (or even a little big) at first. But the teenager doesn’t stop growing just because he has a new suit. As his height and body changes as part of the normal growth process, the suit will eventually not fit anymore.

Much the same can be said for an insurance carrier and its ERM program.

The company itself keeps growing and changing, while the ERM program remains static. What results is an outdated ERM program that is unwieldly and provides little to no value to the company.

Surveys like the State of Risk Oversight Report from North Carolina State’s ERM Initiative show this to be a challenge for not just insurance carriers but all types of companies. According to the latest report released in June 2023, only around 35 percent of respondents believe their risk oversight to be robust, while only an astonishing 12 percent felt their ERM practices provide a unique competitive advantage to the company.

In light of numbers like these from NC State and elsewhere, it’s clear that ERM needs to catch up to the needs of today’s companies.

In his book, “Risk Management in Plain English: A Guide for Executives,” author and former Chief Risk Officer and Chief Audit Executive Norman Marks states the ultimate goal of ERM is anticipating what might happen, assessing whether that would be OK, and acting as needed—all so you can increase the likelihood and extent of success.

This is the ideal, but unfortunately very few companies get to this point. They get stuck in the past.

Like our teenager who has outgrown his clothes, these situations and similar ones outlined earlier necessitate changes to the company’s ERM and risk practices. Continuing to ignore this reality could negatively impact the company’s strategic goals, day-to-day operations or even its very survival.

The next question that naturally arises is: How do the risk practices need to change? Are only some minor, strategic tweaks needed? Or are practices so out-of-date that a complete overhaul is required?

When considering this and making changes, carriers should establish practices and routines that the company can grow into, like kid’s clothing. It would be unwise to buy clothes that are a perfect fit now but will soon be too small. Instead, clothes and shoes should be purchased with the future in mind, so the child can grow into them.

A similar approach should be taken with ERM. Any new or updated ERM practices should be able to adapt and mature as the company continues to grow and change.

Before determining where ERM needs to go, you have to first determine where it currently is. This is the first step in an ERM Maturity Assessment. The purpose of this type of assessment is not about checking all the boxes on some checklist but about the effectiveness of ERM practices relative to your company’s needs.

Many tend to compare (or benchmark) their ERM practices to what their competitors or peers are doing, but this is dangerous. What matters is how effective your ERM practices are for your company’s needs.

• Is ERM providing you and other executives and decision-makers with information and insights you didn’t already have?
• Is this information easy to use?
• What’s working well?
• What could work better?

These are just a sampling of questions that should always be top of mind since ERM practices are iterative, meaning the refining and improvement process should be ongoing. After all, the company’s needs are always changing.

The important thing is to get started. Imperfect action is better than perfect inaction.

Second to that, realize that to get to the ideal that Marks describes in his book can take time. Immediate results may be the norm for project management or other areas, but ERM sometimes requires a bit of trial and error to find out what works best now and for the longer term.

Similar to how good companies become iconic brands as discussed in the Jim Collins book “Good to Great: Why Some Companies Make the Leap and Others Don’t,” there is no single point or action that will get your ERM program to where it plays a valuable role in helping the company achieve its goals. Like pushing a “Good to Great” goal flywheel, it will happen “…turn by turn, building momentum until a point of breakthrough and beyond.”

Once it does though, you as an executive will be free to focus on the things you really want to focus on, with ERM helping you know how much risk is acceptable in certain areas and situations.

The question you have to answer is: Do you want to wait to act until you’re backed into a corner, or do you want to get ahead and address this underlying issue before it blows up into yet another crisis?