Motivation is defined as the process that propels, directs, andmaintains goal-oriented behaviors. It is the driving force causingus to act. Most of our pursuits in life—everything from continuingour education so we can get a better job, to running or exercisingto improve our health—are a result of the complex mix of emotional,social and intellectual forces that guide our behavior andprofessional achievement.

Motivation can be extrinsic, derived from anticipated rewardssuch as bonuses, social recognition, and professional degrees, orit can be intrinsic, driven from within, by such factors as thesatisfaction one gets from acting ethically, or a sense ofaccomplishment from solving complex problems.

NAIC's ORSA Model Act 505

These factors may well be on the mind of many risk managementprofessionals faced with the challenge of establishing anenterprise risk management program. There is only one year to gountil the effective deadline date provided for NAIC's RiskManagement and Own Risk Solvency (ORSA) Model Act 505. The ModelAct requires that subject insurers build a solid ERM program, perform a risk-based solvency and capitalassessment, and provide specific reporting about their efforts totheir supervisory states. States already adopting the Model Actinclude California, Iowa, Maine, New Hampshire, Pennsylvania, RhodeIsland and Vermont.

However, key participants may not yet be convinced that the timeand effort to thoroughly evaluate risks and controls is worth the time and effort beingasked of them. Board of directors and senior managers, alreadyfocused on SEC reporting disclosures, Sarbanes-Oxley rules, andother regulatory mandates, may give lip service to implementing anenterprise risk management (ERM) process, but many are not yetfully engaged.

What might risk professionals do to motivate colleagues to trulyembrace ERM and drive ORSA-related initiatives?

External regulatory, peer, and social forces play a big role;however, penalties and incentives are a primary driver. It maysound cliché, but studies show motivating individuals oftenrequires either an incentive “carrot,” or penalizing “stick.” Inthe world of ERM and ORSA compliance, both a “carrot and stick”approach may be most effective in elevating ERM adoption to thenext level.

The Sticks

We'll start with the “sticks.” Historically, regulators haveincented companies and individuals to conform to desired behaviorswith threats of heavy fines. Specific form, rate, disclosure, andfinancial filing requirements carry serious penalties fornon-compliance. State Financial Examinations or audits uncoveringregulatory breaches typically carry severe fines by type ofviolation at issue. In some extreme cases, the company's licensingstatus may be at risk.

On the federal level, laws affecting the financial servicesindustry focusing on corporate governance and ethics oftenestablish personal liability against board members for anywrongdoing. Companies doing business globally may also face thethreat of international sanctions. All of this offers strongincentive to the Board and senior management to commit time, energyand resources to other compliance efforts.

But what are the equivalent “teeth” behind ORSA? For better orworse, unlike past U.S. insurance regulatory mandates, the NAIC'sORSA reporting requirements provide no concrete standards orminimum requirements that companies must implement to have an“acceptable” or a “strong” ERM program. Instead, the NAIC has setbroad principles-based reporting requirements that give companiesflexibility in creating their own unique risk program.

This may result in a perception at some enterprises that theremay be little bite to the ORSA bark. Neither the NAIC nor thestates have outlined any specific dollar penalties, fines or feesfor failure to file an ORSA report or conduct risk-based capitalanalysis for any reason. There are also capitalization thresholdsfor ORSA reporting that do not require “smaller” companies toprovide an ORSA report to their home state regulator. To counterthis, state regulators have said that companies without a strongERM program may be more likely to be examined, and face more marketconduct scrutiny.

At the end of the day, is this enough of an incentive to divertcompany resources from perceived “higher penalty” complianceefforts, like conducting SOX audits? Lack of standards can be areal challenge for chief risk officers and others trying to pushERM initiatives forward in companies of all sizes.

At this point in time, companies may be more motivated by astick waved by a different source —rating agencies. Major ratingagencies have factored enterprise risk management review processesinto their rating methodologies. Failure to implement robust ERMprograms may result in ratings downgrades. A lackof sufficient risk review protocols, and/or failure of managementto take into consideration major corporate risks across theorganization, might result in negative narratives or publication ofdeficiencies in governance structure, with a significant impact tothe company's ability to write desired lines of business, orattract investors. Would your company prefer to have a reputationas a risk management leader, or be known as a company that does notfollow developing industry best practices?

Many Carrots

On the flip side, many studies of business and personal targetssuggest that it may be incentives (“carrots”) and not the stickthat drive human actions more successfully. While the threat ofpenalties may be effective in increasing ERM efforts, perhaps evengreater results will be achieved by showing individuals andorganizations how specific actions will benefit them.

When an organization sits down to explore why to implementstrong ERM and ORSA practices, it may end up asking the question,“What's in it for me?”

Fortunately, there are many concrete benefits of ERM, andcompanies who have well-developed risk and capital assessmentprograms are discovering new advantages every day. Implementationsof ERM programs ideally lead to improvements in risk managementefficacy, operations, and capital allocation, all with quantifiabledollar impact.

Specifically regarding ORSA compliance, there are benefits tothe NAIC's plan to allow insurers flexibility in how, and to whatdegree, to complete their risk-based capital and solvency review.Companies can tailor their program to their size, lines of businesswritten, capitalization structure, and management philosophytowards risk-taking in general. The NAIC hopes that thisflexibility will better enable companies to manage their own riskand capital/solvency position with terminology, methodology, andreporting that will be truly meaningful to the business over thelong run.

Aside from the ORSA report itself, ERM implementation givesinsurers a structured framework to review business challenges andopportunities in a new light, beyond a traditional evaluation ofrisk focused on the purchase of loss-mitigating insurance orreinsurance. Risks that affect multiple departments are beingreviewed together and aggregated. Insurers are gaining a betterunderstanding of, and appreciation for, the true organization-wideimpact of large-loss events or disasters.

Thinking about risk limits and tolerances as part of an ERMprogram allows companies to define their risk appetite, andeventually the value drivers in their insurance, which can helpstrategic business planning. Using a risk-based analysis to assesscapital helps maximize capital investments to the benefit of ownersand shareholders, since the approach forces insurers to think aboutthe potential risks and rewards of their strategy in theirunderwriting portfolios and operations.

There are other benefits from a practical, operationalperspective as well. Employee morale generally will increases inalignment with their confidence in raising issues. Employeesatisfaction has been tied also to a sense that the risks that mostconcern them personally will be given needed attention andresources.

Cost savings may be achieved, when controls are implemented forrisks on the basis of their frequency and severity, in ways thatmay not have occurred to management in the past. Management mayalso have more control over expenses overall, with a visible impactto financial results.

What encourages your organization – the carrot or thestick?

Companies have definite personalities and culture, and the jobof the Chief Risk Officer or risk champion is to identify whetherkey participants in the ERM process are either “stick people,”often defensive, and generally unwilling to take much regulatoryscrutiny, or “carrot” people, focused on long term benefits andoffensive, proactive solutions. Neither type is bad, they just mayneed information in different ways, and a program designed toaccount for different motivating factors aligned with theirpreferred perspective and approach.

“Stick” companies comply with all laws and regulations 100percent regardless of the cost or effort, and may, for example, beunnecessarily duplicating control efforts, policies, procedures,attestations, and disclosures in order to avoid any fines, fees orpenalties. Board of directors follow the letter of each regulatoryrequirement so as not to incur corporate or personal loss, but maymiss important business or strategic issues getting too focused onspecific details, being too “in the weeds” of items that have aregulatory bent.

Threat of loss, serious reputational impact, and rating agencydowngrade could be motivating factors to jump start or accelerateERM and ORSA efforts. For “stick” companies, helpful strategiesmight include:

• Outlining clearly for the Board and senior managers specificregulatory and non-regulatory drivers of ERM that can hurt thecompany, as noted above;
• Widely showcasing and circulating public examples of companiesthat have gotten penalized or hurt by large, poorly managedlosses;
• Running scenarios and stress testing exercises regularly forthe Board, managers and all staff involved in ERM efforts, toremind them of the “bad things that can happen” if risk is notproperly managed;
• Setting firm deadlines and timeline for ERM initiatives andproject stages, with penalties (such as visibility on a Board–level report) for individuals and departments who do not meet thedeadlines;
• Making individual managers and staff personally accountable intheir performance reviews for doing timely risk and controlassessments, and managing their part of the ERM program.

Carrot organizations are different. They work off a differentset of triggers. They're inspired to produce more when they can seetheir efforts will provide long term benefits, and may be morecreative in interpreting laws.

They may look more to principle than the firm letter of the lawand may appreciate having a broader range of (beneficial) reasonsto support risk management initiatives.

For carrot companies, some strategies may include:

• Breaking down ERM plan objectives with small, easy to reachsteps.
• Commemorating and celebrating success of individuals anddepartments in reaching milestones in the ERM program. A goodexample would be to show that a risk ranked as “high” in severityand frequency in one period has been reduced to a “medium” or “low”in a subsequent period due to the successful implementation of arevised plan of controls, policies or procedures.
• Allocating special time in, or outside of, Board meetings to doScenario and stress testing – but with “positive” examples, such asan opportunity to open a new branch office or enter into a new lineof business. The exercise can serve the same purpose as using amore “scary” example, such as a natural disaster or financialcollapse, but the response may be more energetic and productive inembedding the risk assessment message.
• Congratulating people whenever they appear to be just “gettingsmarter about risk.”

Recognize the positive and negative motivational drivers thatinspire your organization to take action. Using these factors toyour advantage can significantly move your ERM and ORSA effortforward.

May you find success and reap the full benefits of enterpriserisk assessment in 2014!