Enterprise Risk Management – Getting The Tone Right
Recently, I was lucky to meet with Dr. Paul Walker, the Director of the Center of Excellence for Enterprise Risk Management at St. John’s University, New York City. We talked about how insurers can best implement enterprise risk management (ERM) and other risk management practices in their organizations.
We both agreed that ERM has shot up the agenda in the insurance industry in the last few years as boards take risk control more seriously. Dr. Walker said the tone and attitude set by senior management have made a big difference. He believes that an important characteristic of a strong risk culture is how far “risk thinking” penetrates the organization.
In a strong risk culture, the organization aggressively tries to identify and manage all risks.
Dr. Walker is working on a research project for the Institute of Internal Auditors on the often-quoted Three Lines of Defense risk management concept, so I asked him how he defines it. The first line of defense is management; the second line is the key support functions, such as risk, legal and compliance; the third line is internal audit.
He said that internal auditors are increasingly positioning themselves as trusted business advisors, working on ERM program design and focusing on strategic risks.
Even if it does not have internal auditors, there are several things an insurance company can do to build an effective framework for managing risk. According to Dr. Walker, organizations should first ensure there is a clearly communicated emphasis on, and commitment to, integrity in a broad sense and also to integrity in reporting.
In a wide-ranging discussion, we also talked about ERM developments on the horizon. One to watch is the trend for building predictive key risk indicators and performance metrics – though companies haven’t yet figured out how to link incentives to risk, Dr. Walker concluded.
Read our Bulletin for the full interview with Dr. Paul Walker.