ERM: Relevant To Corporate Buyer

Corporate insurance buyers have been bombarded with information about enterprise risk management and how it will impact their day-to-day activities. The vagaries of enterprise-wide analysis, however, often lead to confusion regarding what ERM really is and how it affects insurance buyers.

Internally and externally, many groups have used the confusion surrounding ERM to further their cause or sell a service. This makes it difficult for corporate buyers to be heard over the crowd and to establish agendas concerning the role they should take in the enterprise risk management process.

ERM is extremely important to corporate buyers. The key is in discovering what form their role should take and the best method to establish this role.

ERM originally developed out of a perception that the risks faced by an organization are not the sole responsibility of one individual or group, but are an integral part of everyone's role within the organization. An organization that accepts this concept makes it apparent that the corporate insurance buyer can contribute greatly because of his or her experience and knowledge in the elements of risk identification, risk assessment and risk control.

By definition, the insurance buyer has been successful in identifying, analyzing and managing the financing of hazard risks. However, in a recent survey by the Economist Intelligence Unit (an information arm of the Economist Group, publisher of The Economist), respondents said that the most significant losses impacting stock prices are not hazard risks (which account for less than 1 percent of the impact of risk), but strategic risk (58 percent), operational risk (31 percent) and financial risk (6 percent).

This indicates that insurance buyers are universally doing a good job of lessening the impact of hazard risk and that the traditional insurance buyer role requires some growth. ERM may be the springboard that will enable such expansion.

Insurance buyers should not miss the opportunity to become more recognized within their organizations as the concept of ERM becomes more widely accepted. This requires some work, however, because many internal and external parties are attempting to fill the gap ERM has created between traditional insurance buying and overall enterprise risk management.

The bulk of the current ERM activity has been spurred by the Sarbanes-Oxley Act, designed to improve corporate governance and financial reporting. Because this act clearly describes controls relating to financial risks as the centerpiece for the enterprise-wide view of risks, the internal audit community quickly grabbed the opportunity to promote their role in the ERM field, and they have been very successful.

Have some insurance buyers simply handed over 100 percent of the ERM responsibility to internal audit?

At RIMS 2003, there was little emphasis on ERM. Of the more than 150 educational sessions, only a few were directed specifically at ERM.

The Institute of Internal Auditors, on the other hand, runs an annual conference, "Enterprise Risk Management and Control Self Assessment," that attracts more than 400 attendees and is attended by very few traditional insurance buyers.

When analyzed, it can be noted that Sarbanes-Oxley may be relevant to the corporate insurance buyer and can be used as leverage to ensure that insurance buyers are part of the enterprise risk management process.

During this analysis, some vital questions arise. The first is what impact internal audit's information-gathering activities and recommendations have on the corporate buyer, and vice versa. The identification and assessment of the controls and the documentation process required under Sarbanes-Oxley should be of significant interest to the corporate insurance buyer.

Internal audit should be aware that the insurance buyer could bring considerable unique expertise to the risk identification and assessment process. Furthermore, the documentation of possible issues relating to controls that impact insurable risks needs to be brought to the attention of the corporate buyer and probably their insurers.

The Committee of Sponsoring Organizations of the Treadway Commission recently introduced a 150-page draft framework on enterprise risk management, which can be downloaded from www.erm.coso.org. (COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.)

The definition of enterprise risk management contained in this draft framework can be readily adapted to match many of the functions of the corporate insurance buyer: "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

COSO's framework for controls is now an integral part of Sarbanes-Oxley. This framework contains more than 500 controls, linked to over 300 risks, more than 25 percent of which have potential insurance implications.

For example, what would be the insurance underwriter's stance if, following a loss of cash for which there is an insurance claim, the underwriter discovers that the same organization's Sarbanes-Oxley certification documentation indicated that there was inadequate cash security?

Similarly, would a liability underwriter be interested to discover that the internal audit evaluation of controls indicated that there may be inadequate product testing?

In addition, what would be the insurance implications if an internal auditor had reservations about the effectiveness of specific controls that could lead to an insurance claim (or a larger than expected claim)?

These are serious considerations for the organization, and only the corporate buyer can assist in determining the relevance and consequences of the organization's Sarbanes-Oxley certification documentation.

COSO-ERM creates the framework for the establishment of shared duties between internal audit and the corporate buyer. It uses four objective categories (strategic, operations, reporting and compliance); eight components (internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communications, monitoring); and the organizational units of the entity to build its framework.

This may seem daunting, and the relevance to the insurance buyer may not be clear. On closer examination, however, there are specific areas where the insurance buyer has a compelling justification to be involved.

Of the eight components, for example, the insurance buyer typically has considerable expertise in six: event identification, risk assessment, risk response, control activities, information and communications, and finally, monitoring.

Event identification has long been the realm of the corporate insurance buyer; the "what if" scenario development has in some cases labeled them doomsayers. But in the current ERM environment, the ability to generate plausible event scenarios is very important, and the corporate buyer has been doing this for a long time. Risk assessment is ingrained into the role of the insurance buyer.

Risk response, either in evaluating and implementing some form of loss control or in overseeing the development of contingency plans and risk financing plans, should be an integral part of most corporate insurance buyers' daily tasks. Though this may be overlooked in the day-to-day activities, it is something they should promote.

Control activities are probably the weakest of the six relevant components, mainly because the term "control activities," in the context used here, is more targeted at the traditional internal audit type of control activities. The insurance buyer, however, has to be able to undergo the same scrutiny as others in their organization and to justify the controls they use, such as the processes, actions, plans and devices that are in place. Treatments are future controls.

Information and communication, as well as monitoring, are the lifeblood of the corporate insurance buyer, and the consequences of failure to communicate the correct information at the correct time are well known. The insurance buyer's skills in using risk management information systems are a prime example of the valuable skills they can bring to the ERM table.

There is a need to promote and demonstrate the skills and resources of the insurance buyer to groups within the organization that may not have previous knowledge of the importance of this role.

There is also a strong need to form an alliance with internal audit, not only to participate in the risk assessment and reporting process, but also to protect the organization from the undermining of sound insurance practices due to lack of communication and the underutilization of one of the organization's vital members, the insurance buyer.

Russell McGuire is director of consulting services, Risklabs in Marietta, Ga.


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, October 10, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.
