Future-proofing the Enterprise Risk Management Framework ‘Look Forward’

This was the question put to the actuarial profession at the 2021 All-Actuaries Virtual Summit by Elizabeth Baker and Tim Gorst. This was a follow up presentation to their Non-Financial Risk Management ‘Go Broader’ presentation delivered at the 2020 Virtual Summit along with fellow actuary Simon Lim. The backdrop of both the conduct issues raised during the 2018 Royal Commission into Financial Services and the challenges of the 2020 COVID-19 pandemic, have left organisations and industries re-examining their risk management approaches, business continuity plans and having to adapt to new ways of operating.

These events have brought into sharp focus the importance of a fit for purpose and contemporary RMF for effectively managing the breadth of risks facing organisations. Based on their industry and risk management experience, Elizabeth and Tim shared some key features for maintaining a relevant and forward-looking enterprise risk management framework. 

The presentation built on the 2020 Go Broader presentation with a focus on RMF design, integration into enterprise strategy & other case studies on stakeholder scorecards, incorporating new risk categories and using scenario analyses to ensure that the RMF can remain forward-looking and be readily adaptable to change and uncertainty. Approaches for ‘future-proofing’ an enterprise risk management framework covered the RMF are:

• being broad based, flexible and forward-looking;

• meeting the minimum regulatory requirements;

• reflecting on the big issues facing the organisation and the industry in which it operates;

• not being left on the shelf and getting ‘stale’;

• incorporating a stakeholder scorecard for considering risks set out in ‘plain English’;

• evolving with learnings from internal and external failures;

• being integrated with the enterprise’s strategy; and

• including stress and scenario testing as part of the framework.

Key aspects of the presentation

Ensuring the RMF covers the basics

In CPS220, APRA describes the purpose of an RMF as being for a Board to ensure it has in place systems (including the structures, policies, processes and people supporting them) for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks to within Board approved appetite. Within the business the RMF is intended to create a sense of a ‘practical toolkit’ in place to help those responsible for management of risk within appetite across the lines of defence, in a way which relates to people with a balance of metrics and qualitative commentary. To be fully effective, the RMF needs to be integrated into the day to day management of the business, including the operations, enterprise strategy development and strategic and business planning. The Risk Management Strategy (RMS) is an essential part of the RMF and should have as much prominence as an organization’s business plan if risks are to be managed effectively.

Making sure the RMF is not becoming stale

If not future proofed, an RMF can quickly become stale, increasingly seen as just another compliance artefact on the shelf to meet regulatory requirements. The presentation highlighted some signs that an organisations’ RMF may be becoming less relevant, is inadequate and ineffective and needing to be overhauled. These included having RMF components developed in isolation with ownership unclear, staff not understanding the RMF and how they can use it on a day to day basis to manage risks, the RMS not changing from year to year perpetual qualifications to annual risk management declaration, ongoing lack of quality risk management capability, risk management initiatives unable to secure project funding, multiple compliance breaches and incidents and a poor risk culture evidenced by survey results and metrics.

Identifying and correcting weaknesses in the RMF

When there are major incidents or breaches, and/or significant new risks identified, the RMF requires review to identify and correct weaknesses in a timely manner. The ‘Fee for No Service’ issue seen in the Australian wealth management sector and associated conduct risks highlighted in the 2018 Royal Commission was used as a case study for identifying RMF weaknesses. Using the detailed components of the RMF, some fundamental questions arising from the ‘Fee for No Service’ failures were able to be considered in relation to Board Policies and Procedures and whether the Boards identified and properly understood the inherent risks when assessing personal advice strategies. This case study also identified inadequate operational controls whereby some licensees and advisers did not keep adequate records to enable monitoring and analysis. The presentation recommended that risk managers assist their organisations to learn from their mistakes by assessing and learning from any failures and updating their risk frameworks to correct weaknesses and prevent the recurrence of similar issues.

Prioritising risk management initiatives in the business planning process

Unfortunately, the RMS often stands apart from the annual business plan in many organisations and is not fully integrated into the regular business planning processes. To address this business plan initiatives should be considered with the lens of which investments will most effectively improve the enterprise risk profile or address risk management hotspots and/or address the material risks that are of most concern based on current or emerging risk profile. A key input into the process could be to develop an annual list of the top three to five initiatives to drive more effective risk management. These initiatives can then be deeply integrated into the business plan and strategy to secure appropriate funding and drive enterprise delivery.

Developing forward-looking scenarios

Stress and scenario testing is an essential component of a fit for purpose risk management framework. The use of ‘Severe Loss’ Scenarios potentially facing organisations such as climate change event risks, cyber security breaches and/or ransomware attacks, critical model errors, project execution failures and regulatory compliance breaches is an effective tool. Such scenarios can be considered in terms of likelihood (one-in-X years) and financial impact in dollar amounts. Any non-financial impacts such as reputational damage can also be considered. The scenarios developed can be linked to key risks to help executives understand ‘tail’ risk exposures that may not be evident in historical data sets of incidents and risks. The regular updating of these scenarios can be used as an opportunity for executives and the Board to identify and allow for any changes in risk profile.

Overall, the presentation highlighted the importance of future proofing the RMF and some techniques to achieve this. As in the words of Amazon’s CEO Jeff Bezos, “What we need to do is always lean into the future; when the world changes around you and when it changes against you – what used to be a tail wind is now a head wind – you have to lean into that and figure out what to do as complaining isn’t a strategy.”

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.