Carol A. Williams has been working with Risk Management and Compliance/Regulation projects for over a decade having specialised in Enterprise Risk Management (ERM) since 2011. One of her key projects was to design and implement an ERM Programme for a $7+ billion property and casualty insurance company, managing and directing the programme for over two years (read more about Carol’s bio in her blog ERM Insights by Carol).
Carol was kind enough to concede Risk Management Guru an exclusive interview, providing unique insights and opinions about ERM and more topics related to risk.
Risk Management Guru (RMG): Thank you for conceding this exclusive interview. Let me start by asking a bit about your background and profession. How did you end up becoming an Enterprise Risk Management Consultant?
Carol A. Williams (CAW): While pursing my master’s degree in Risk Management/Insurance at Florida State University, I was inspired by a course, Risk in the Business Enterprise, that discussed enterprise risk management at a high level. Although my career history was full of implicit ways of managing risk, this course prompted me to think about it in a different way. I was working at Citizens Property Insurance Corporation, and the ERM program was getting moved from IT to the CFO. I volunteered to help the program vice-president during the development of governing documents. I went from there to becoming the ERM manager at Citizens, then the Director of ERM in 2014. After designing, implementing, adjusting the process and tools, and managing the ERM program over a six-year span, I wanted to share this knowledge with other companies. So…I started my own consulting firm where risk management is all I do.
RMG: In a nutshell, what broad advantages do you point to when adopting an ERM program rather than a traditional risk management framework?
CAW: There are several advantages to an organization having ERM. In fact, it is hard to narrow down the list, so I have provided my thoughts below. More details comparing ERM to a traditional risk management program are compared in my blog post on this topic.
- Linkage to strategic goals and objectives to help ensure achievement of goals.
- Use of metrics to get ahead of negative trends that could increase risks.
- Identify areas where there is opportunity (positive) instead of loss (negative)
- Create mitigation plans and test them frequently.
- Getting information across the organization – facilitating conversations that typically wouldn’t be had.
- Explicit use of risk information during decision-making
- Communication of risk considerations to board and stakeholders
- Engagement across the organization, especially front-line employees who have the biggest opportunity to make a difference.
- Make more informed decisions regarding vendor selection, project planning, etc.
Overall corporate performance is better. In fact, research has shown a 25% value increase for companies with mature ERM program.
RMG: Do you think there are industries which are more likely to implement ERM frameworks? Most people immediately think of Financial Services/Banking and Insurance but are there other industries where ERM can be important?
CAW: While I believe that all industries can benefit from ERM, there are several industries that stand out to me for being more likely: technology firms, manufacturing, and logistics/transportation.
Technology is my first choice because the companies need to be flexible when it comes to competition and strategy. And getting the right people with the right skill sets will be key. An ERM program can really help companies manage talent risk, especially due to so many inter-dependencies. It’s huge!
I believe manufacturing is another industry due to supply chain dependencies. Manufacturers are always dependent upon raw materials, equipment, people, buyers of goods, etc., which are all areas that have risk. And technology in the manufacturing world is constantly evolving. Are companies prepared? Will they help their people be prepared?
And then logistics/transportation. This industry drives the world. How else do people get food, clothes, fuel, their Amazon shipments? With technology disruptions, rising customer expectations, and the ever-changing global business environment, logistics companies need to stay ahead of their competition. What better way than to implement an ERM program?
RMG: A sound Risk Culture is crucial for successfully implementing an ERM framework in a firm. Do you agree with this statement?
CAW: Absolutely! Of course, there is a slight caveat. The risk culture may not exist at the beginning of implementing ERM. In fact, the best way to think about risk culture is this: the culture of the organization adds an additional facet – the risk culture – with all the activities associated with ERM.
Here are some good questions to gauge your risk culture. How do the executives approach risks? Do they understand that risk means both upside and downside? Do they want risk at the table during the tough discussions and decisions? Or do they prefer to talk around it? What about the front-line people? Do they understand their impact to the organization when it comes to risk and decision-making?
RMG: In your projects as a consultant how strong have you encountered firms in terms of culture?
CAW: There are firms that are very risk-focused when it comes to certain elements, such as compliance risk or people risk. It takes a very mature (not necessarily in years) company to have a strong risk culture. Personally, I haven’t seen many companies with a strong risk culture. But I think part of that is the mindset that risk management is a regulatory exercise, not a voluntary program with a benefit to the company.
With the amount of information coming out regarding emotional intelligence, my hope is that companies will begin updating their recruiting process to incorporate emotional intelligence and risk behaviour (risk averse versus risk seeking) when screening candidates. If new employees are consciously thinking about risk as part of their daily activities, the risk culture will improve with their influence.
RMG: You have written in your article “4 Critical Things Organizations Must Do to Ensure an ERM Program’s Success” that a very important aspect is the follow-through of an ERM program. Have you seen cases where an ERM was successful yet relaxed post implementation, resulting in a natural slow death?
CAW: I haven’t personally witnessed this happening. However, I have seen where executives get overly confident and think “we got this,” dismissing the value that ERM brings to the table. This mindset filters down through the organization, reducing the effectiveness of ERM activities and lowering the importance of risk-related discussions. It can be extremely detrimental to the organization.
Another highly potential way of ERM dying is by a change in risk leadership, who want to “make their stamp” on the program without determining if those changes are the right thing to do. If changes that don’t make sense to the organization or aren’t well thought out, then the program will be dismissed as not adding value, and people start thinking (and asking) “what is the point in doing this?” Having this occur makes it even harder for the ERM program to get restarted; in fact, it is similar to an organization that was once stellar, has fallen on hard times with its customers, and needs to make a comeback. Think Chipotle – once doing so well, had some food contamination issues, and has not managed to recover to its previous high point.
RMG: What are the critical success factors to avoid that an ERM program doesn’t get brushed aside in the long run?
CAW: I touched on some of this in my most recent blog post (“4 Critical Things Organizations Must Do to Ensure an ERM Program’s Success”) but will elaborate in my response.
- Have executive support and involvement. I am talking active engagement with the ERM professional(s), using the risk information as part of the decision-making process, making it very clear to everyone in the organization that ERM, with the related activities, is valuable. It also means including executives in risk workshops, so their perspective can be voiced and heard, with the requirement that executives should be open to listening and discussing any conflicting ideas and thoughts.
- Follow through. This refers to the integration of risk-related concepts into various parts of the organization, such as strategic planning, vendor management, procurement, and project management. And then involving ERM professionals in discussions on potential projects, initiatives, etc.
- Staying relevant. ERM is a group of processes and concepts that must evolve as the company evolves and changes; if ERM doesn’t evolve, it becomes stale and useless. The focus should not be on the idea of “we have implemented ERM, so we are done.” If this is the case, then ERM has failed from the beginning.
- Have the right people in the right role. For the ERM professionals, there should be a mix of skill sets and personalities to complement each other. Here is an idea of those needed skills (by no means all-inclusive): facilitation, detail-oriented, big-picture thinker, organized, people-oriented. The ERM professional(s) selected for a purpose can vary based on the needs and topic. I am actually going to writing a blog post in the near future regarding the soft skills needed for ERM professionals, so I don’t want to give too much information now. 🙂
RMG: In your experience, what was your biggest ERM challenge so far? What have you learned from that experience?
CAW: There are two things that come to mind for my biggest ERM challenge to date.
The first item is people resources – getting everyone together at the same time. ERM works because it facilitates gathering information from across various parts of the organization. But if everyone is not together in the meeting, it won’t work. You can’t split the discussion into two groups. The challenge came from calendars for the necessary people not being accommodating. Now, some of the issue was from people not prioritizing ERM above routine meetings that could be rescheduled. And as great as technology can be, conducting risk assessments over the phone is downright difficult. Participation either in person or via video conference is best. You as the risk professional must explain the importance of the discussion and coax some people to rearrange their calendars.
The second challenge is determining the right level of information to gather during risk identification and assessment. Sometimes, the participants want to talk details and hammer out language right then and there. (I tell them that we need to focus on concept right now; language can be finalized down the road.) What matters is capturing the context and main points of the risk. But remember that the next time you assess the risk, the participants will ask “what did this risk include?” So it is best to be prepared with that information!
RMG: The subprime and credit crunch in 2007/2008 affected banks and a “too big to fail” insurance company (AIG). Looking back, what major differences do you see in terms of risk management guidelines and state of ERM comparing to nowadays?
CAW: Since my background is in the insurance industry, let me clarify that the mainstream insurance products of AIG (property & casualty, life insurance) were financially sound during the 2008 Great Recession. It was the financial services areas within AIG where the trouble occurred. There was a good in-depth analysis of what went wrong at AIG.
Okay, back to the question. I think that 2007-2008 saw ERM being actively practiced only at those companies who 1) had forward-thinking executives and/or board members or 2) were required to have such practices by regulators. Looking at ERM today, I believe that more companies have realized the value that ERM can bring, in daily decision-making which leads to an increase in firm value.
If regulators require ERM, then companies are still thinking of it as a compliance activity, not value-based. For example, in the U.S. insurance industry, most states have passed laws requiring insurance companies of a certain size to have an ERM program with economic capital scenario analysis. It will take years for these companies to move their ERM activities from being categorized as regulatory to being thought of as adding value.
RMG: Following these recent crises and increase of scrutiny by some regulators, do you think CEO’s and senior managers are developing a more risk type of mind-set?
CAW: I think the industries or companies under increased scrutiny might be becoming more risk-adverse in order to stay out of the limelight. But on the other hand, Samsung and Yahoo are recent examples of how executives and senior management are still risk-takers, even in the media. It really pays to stop and think through ideas before executing – ask how will this be perceived from our customers? Our stockholders? The media? Is there anything that needs to be clarified?
I like the Warren Buffett quote: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” It summarizes how CEOs should be thinking about their companies, especially in today’s world of constant news and social media.
RMG: how do you think ERM will evolve in the next 10 years?
CAW: There are three areas that come to mind for evolution within ERM. First, I believe (and hope!) there will be less talk on ERM theory and more practical information made available in a concise and informative manner, especially as more and more companies implement ERM and have lessons learned. As more people have actual ERM experience, they can share their knowledge in a variety of ways, including posting on the Risk Management Guru blog, LinkedIn groups, networking, etc.
Second, ERM within companies will go through stages of centralization and decentralization; it is all about what fits the company best. What matters are the results and how well the information is being used.
Third, I believe that the ERM software field will continue to evolve. Just as other fields have technology disruption, ERM will be the same. More and more companies are entering the field, some with some innovative functions and features. ERM cannot solely survive using Excel and Word. It needs some type of information system supporting it. Otherwise, the risk information will not be communicated to the proper people in a timely manner.
RMG: what are your plans for 2017? Do you have a regular busy agenda or are you still always looking for new challenges?
CAW: I am continuing to build out my business. A new service was just launched this month, focusing on the small and medium businesses who may need some help with risk management. But I am always on the lookout for new ideas on how to move ERM forward! In fact, I am volunteering with Florida State University’s Risk Management/Insurance program to present to students on various risk-related topics to bring practical knowledge to the classroom. It has been a very rewarding experience, and I look forward to continuing this effort.
RMG: finally, what do you think about our Risk Management Guru blog?
CAW: I really appreciate how you are getting other people to provide their perspective on topics related to risk management. And the blog is not focused on any one aspect of risk management. As it continues to get built out, it will be a good resource for new and experienced risk management professionals.
RMG: thank you very much for your cooperation and availability for this interview. We will be following you closely.
CW: Thanks for asking me to participate. I have enjoyed our time. You can subscribe to my blog at www.ERMinsightsbyCarol.com.