
Manage Tomorrow's Surprises Today

Steven Minsky

RMORSA Series 1: Risk Culture and Governance

The National Association of Insurance Commissioners' adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) requires insurance organizations to take a broader approach to risk management. As US insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it's important for insurers to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with the International Association of Insurance Supervisors' (IAIS') Core Principle 16 - Enterprise Risk Management - and many of the ORSA requirements can be fulfilled by adopting an ERM framework:

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks "may not require the same scope or depth of review" as organizations with less defined processes. In this blog series, each of the core elements will be examined with an emphasis on preparing your organization for ORSA compliance. Today's post will explore the first key principle: Risk Culture and Governance.

As defined by the NAIC, Risk Culture and Governance provides defined roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds on a 2010 SEC mandate requiring corporate boards to document their role in overseeing enterprise risk. This rule extends the board's role in risk oversight from C-level risks, activities and decisions to accountability at the business process level. Boards are explicitly given a choice between either having effective risk management or disclosing their ineffectiveness to the public. If they do neither, it is now considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it's likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as the hub for risk management. Risk has always been the responsibility of process owners, and ORSA now mandates better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a Chief Risk Officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear "Risk Responsibility" and take the same action they would for other lofty strategic initiatives - that is to say, they take no action at all.

To engage process owners in a Risk Culture, each business area must take ownership of a subset of the enterprise risks. Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports, and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of spreading an enterprise-wide risk culture while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by The Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment. And finally, Internal Audit ensures adherence to the proper policies and regulatory standards.

Risk Culture and Governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above. For more information on how you can engage process owners, implement a standardized risk assessment process, and report this information to the board, download our complimentary eBook, "Presenting Risk Management to the Board."


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
