One of the most difficult tasks for insurers in establishing an effective enterprise risk management (ERM) program is embedding ERM principles and practices throughout the organization. As challenging as it may be for chief risk officers and risk committees to master the key concepts and strategies of ERM, it can be even more difficult to explain them to “novice” business people in the rest of the organization.

It is critical to the success of an ERM program, however, that companies instill ERM practices at every level in the company. ERM should be a day-to-day, simmering concern within business departments, rather than just a once-a-quarter fire drill by a small core risk-management team.

Accordingly, a major phase in most ERM programs is a “roll-out” phase of training and education for functional departmental managers, business heads and staff that may be involved in identifying risks, or implementing controls. Within this training, a foundational agenda item is often a session explaining what ERM is, and how it differs from what staff may be used to as traditional or historical compliance, internal audit, or risk management efforts.

As part of this training, giving specific concrete examples of potential risks, claims or losses can be extremely effective in helping individuals envision risks in their own area, and better appreciate how the issue could be of concern beyond their own functional area. Using case studies, and perhaps providing detailed data or statistics about the frequency or magnitude of risk, enables respondents to really “picture” the significance of loss. This helps participants extrapolate their own experiences and thoughts more fully into the future when assessing risk from an ERM perspective.

Embedding ERM into the organization, and tips for training, were recent topics of discussion at this year's annual Risk and Insurance Management Society (RIMS) conference in Philadelphia. One interesting idea for bringing ERM concepts into focus for business staff, and “making it real,” was introduced by a director of corporate risk for a Midwest regional carrier. He suggested at least one simple training tool that could be considered as a “baby step” on the path of understanding ERM concepts, and gave trainees a copy of The Wall Street Journal to review from a risk assessment perspective.

In this exercise, employees were told that they should identify some major risks that could impact their company from stories in the daily news. Through a brainstorming session, the group was able to come up with a list of major risks and identify emerging trends that had practical impact on the company. Increased mortgage interest rates, stagnant unemployment rates, tornadoes in the Midwest and financial institution mergers were just a few of the potential indicators of loss—as well as opportunity—that could have knock-on effects to their company.

Some issues affected human resources. Some impacted interest rates and investment activity. Others were indicators of potential asset or property risk. But most importantly, they were concrete examples of real-world events that helped employees better envision potential loss or threats to their own business, which may cut across functional departments and have even greater impact on the entity as a whole. This helped emphasize the need for, and benefit of, company-wide risk management.

Other variations of a “real world” exercise can be built into ERM training in a number of ways. For example, take a closer look at cell phones, and the risks a company faces when issuing employees mobile phones. In the “old world” before ERM, companies may have done a cost/benefit analysis of issuing cell phones by looking at the total cost of the actual phone and any monthly charges, and weighing that against the benefit of having employees available to talk to colleagues and clients while travelling or otherwise away from the office, and at odd hours of the day.

A New World

In the “new world,” where risks need to be considered and weighed with a broader perspective, the company may approach such a decision from a new angle, weighing not only the pure cost of the hardware and airtime, but also potential loss to other areas:

  • What about employees talking or texting on the mobile phone while driving or walking, increasing their risk of first- or third-party accidents? Might this warrant additional auto liability insurance for the company? Or should the company at least make sure that accidents caused while talking or texting are not excluded from corporate insurance policies? This may impact the corporate HR, corporate risk or other insurance-buying departments.
  • What happens if the phone is stolen or lost? Might there be breaches of confidential corporate information, trade secrets, or legally-protected customer data, especially for smart phones used to send and receive routine company emails with attachments and data exhibits? Are there IT security, data protection and privacy policies and procedures which need to be put in place to ensure that such risks are appropriately mitigated?
  • Might there be tax deductions potentially available (or not) to companies for phones as corporate physical assets offsetting some of the dollar costs? This could be a major consideration for the finance or accounting areas.

Taken to extreme, the analysis could even go as far as to consider the risk of potential future personal injury from radiation due to cell phone use, as the World Health Organization's International Agency for Research on Cancer Epidemiology continues to research mobile phones as a possible cause of cancer. Could this risk eventually increase group medical insurance costs for companies where corporate phones are routinely issued?

Make time for that first baby step. Look at the stories of today and list out the answers to the question, “What is the best and worst that could happen from this occurrence or event?” This can bring home the message that important corporate decisions can be impacted in multiple ways, through several departments by risks, flowing through multiple areas in the company.

Once this foundational principle is mastered, it is easier to move to the next step of talking about risk assessment or quantification, and control or mitigation techniques. Down the road, more complex ERM concepts such as using gathered data for strategic decision making, operational improvements and financial planning can be considered, on more solid footing.
