Tag Archives: Risk Institute advisory board series

Board oversight of emerging and long-distance risks—and how ERM can help

Founded in 2011, the Milliman Risk Institute provides scientific-based thought leadership on all facets of enterprise risk management (ERM). Composed of senior risk executives, actuaries, and university professors, the Milliman Risk Institute Advisory Board meets semiannually to discuss ERM trends, research, and key topics.

Risk-taking lies at the heart of all entrepreneurial activity, and monitoring management’s efforts to identify, monitor, and manage risk is a key responsibility of the board of directors that is closely linked to the board’s role in overseeing corporate strategy and performance. The board has a vital role to play in assisting management to:

• Focus on the risks associated with corporate strategies and the ever-changing business and geopolitical environment;
• Determine the company’s risk appetite; and
• Devote appropriate resources to risk identification and management activities.

Prudent risk-taking requires reliable information about the trade-offs in risk and reward and a fundamental understanding of risks associated with the drivers of corporate performance. Management is responsible for capturing this information with the assistance of the enterprise risk management (ERM) system it puts in place to help identify risks and their possible impacts.

Identifying and understanding both emerging and long-term risks can be difficult, and boards should press management to continually scan the environment and think about both the immediate future and the longer-term outlook. The challenge is to escape overreliance on data that by its nature is focused on the past.

The good news is that both boards and managements have become more savvy over recent years with respect to risk oversight, particularly since the global financial crisis. Many boards are currently focused on geopolitical risks relating to Brexit and the recent U.S. presidential election, and are grappling with what uncertainties may lie ahead and what the company can do to prepare. Boards are also beginning to pay more attention to risks relating to the Internet of Things—in addition to cybersecurity, which has been top of mind for many companies for some time now. Some boards have also added directors with specialized competencies to help navigate risks of particular concern to individual companies. For example, technology and/or cybersecurity expertise are on the “wish list” of new director backgrounds for many companies (per the Spencer Stuart Board Index 2016).

ERM professionals can help boards “look around corners” with respect to emerging risks and provide support to boards that are determining what to do next. They can also help boards understand the time horizons involved with respect to risks such as those relating to climate change and water rights that require longer-term thinking, and they can assist the boards in prioritizing discussions on longer-term issues. Boards should ensure that there is sufficient time on the agenda to discuss emerging and long-distance risks, in addition to more typical risks, and pay attention even when something might not seem mission-critical. The world is constantly changing at an ever-increasing pace and risk managers help boards stay in front.

Holly Gregory is a member of the Milliman Risk Institute Advisory Board. She is co-leader of Sidley Austin LLP’s Corporate Governance and Executive Compensation practice. As part of this blog series, we asked Holly to share her views on trending topics in ERM.

Does ERM add value?

In this ongoing blog series, members of the Milliman Risk Institute Advisory Board share their views on ERM research and development and how it can support business insights.

Over time I have focused on assessing whether or not there’s a value proposition to enterprise risk management (ERM), examining it at a corporate level. My research as well as the work of others documents that there are ERM efforts that do create value. However, how can companies use ERM to create value for their organization?

I think companies should use ERM to look at opportunities that positively add value to the company. In terms of adding such value, some trends have shown intriguing potential. For example, the notion of identifying and steering away from compensation that directly incentivizes employees or management to undertake behaviors that ultimately are value-destroying—the kinds of perverse incentives we saw leading up to the global financial crisis of 2008 in the major banks.

At present, the breakdown in these efforts appears to be regarding a willingness to acknowledge that a harmful environment was created and existed in the first place. There are some very interesting questions that need to be addressed around why that is, but it’s clear, going back to the global financial crisis, that many of the issues came down to people undertaking the behaviors they were incentivized to take. If you compensate them for taking on mortgages and all you care about is the number of mortgages and not the quality of them, then they’re going to put as many mortgages on the books as they possibly can.

For most organizations, my sense is they’re very open to moving ERM from something mandatory for regulatory compliance and are more taking a view that ERM can actually help them gain competitive advantages. Companies need to be alert to identifying opportunities to integrate ERM more tightly with strategic missions. The changes may be process-related or they may address issues of compensation, incentives, and corporate culture. ERM is more and more moving away from playing a defensive role, and increasingly becoming a proactive element with the potential to add value.

Robert Hoyt is a member of the Milliman Risk Institute Advisory Board. He is the Department Head and Dudley L. Moore, Jr., Chair of Insurance in the Risk Management and Insurance Program at the Terry College of Business, University of Georgia. Robert is also the Department Head of the Legal Studies Program and the Real Estate Program at the Terry College of Business.

Levels of ERM: A sports analogy

The requirements of enterprise risk management (ERM) can vary widely by industry. Different companies within an industry may have different levels of ERM development, but stepping back, it’s clear that a lot of ERM development depends on the specific industry, and it’s key to stay competitive. We know the pharmaceutical industry is well advanced in ERM. Those companies make a practice of hiring analytics experts who can run projections continually. Eli Lilly and Company has been doing it for 30 years, and most pharmaceutical companies are not far behind, considering it an essential resource.

At that high level, you see oil companies, for example, making sophisticated efforts in simulation and predictive analytics. But modeling future oil prices is very difficult. Likely few people thought, just two or three years ago, that prices would fall to $40 a barrel when $100 seemed to be the stabilizing point. At the lowest levels of ERM competence, in some of the service industries, individual companies may hire consultants to provide periodic analyses, but they probably don’t have the internal resources to do it themselves.

Every type of industry deals with different problems identifying the best inputs for simulations. That includes sports, too, where baseball is now a widely agreed gold standard in predictive analytics. Thanks in part to Theo Epstein’s success using these powerful tools first with the Boston Red Sox and then, more recently, with the Chicago Cubs, every major league baseball team (and many in the levels below that) now invests in analytics. Five years ago, that wasn’t true of even a majority of teams. Basketball, similarly, has also begun to look more seriously at the uses of predictive analytics.

But football is another issue, partly because of the complexity of the data required and partly because not all of that data is publicly available. A critically important part of simulation and analytics—always—is identifying the data necessary to solve the problem (and excluding the data that is not useful). Say that we wanted to determine the value of an individual left tackle. We need to know how good other left tackles are and have been and also how well each player and team performs overall—on each play. Conventional wisdom, under the influence of the book The Blind Side, argues that the left tackle is the second-most valuable position in football after the quarterback. Is that true? Honestly, nobody really knows the answer, but left tackles are paid that way.

Companies can gain an advantage over competitors by monitoring the industry-wide level of ERM and using it as a benchmark as they commit to matching that level or raising it, with investments in new analytics positions moving forward.

Wayne Winston, PhD, is a Professor at the Bauer College of Business at the University of Houston and Professor Emeritus of Decision Sciences at the Kelley School of Business at Indiana University. Wayne is a member of the Milliman Risk Institute advisory board. As part of this blog series, we asked Wayne to share his views on trending topics in ERM.

Discussing ERM with the board and CEOs

One of the ongoing issues in enterprise risk management (ERM) is the role of a board of directors and chief executive officer (CEO). What risk-related decisions should rise to the level that requires their participation? This year, NetDiligence is rolling out a new service called CEOcyberA!ert. This service allows us to build and host a data breach incident response plan based on a company’s unique requirements. The company can then access its plan on the fly from an iPhone as a crisis is unfolding on a Saturday night (including direct access to the company’s cyber liability insurance carrier’s breach response experts, thus maximizing coverage benefits). This is another step in rationalizing specific approaches to specific risks.

One response we include each fiscal period is notifying the board and/or CEO of certain key events. In researching assumptions for CEOcyberA!ert, NetDiligence found that, in many cases, boards and CEOs are careful to avoid being overwhelmed. They want to be hands-on, but not too hands-on—they want balance—and many of them know they don’t have the necessary technical understanding. Still, they want to know enough to feel they have taken reasonable due care, having paid attention to all significant issues.

The Wyndham Hotels case is a good example. There was a series of incidents involving the hotel chain in which it was attacked by hackers three times between 2008 and 2011. The Federal Trade Commission looked closely at Wyndham’s potential corporate culpability. Wyndham’s board was able to demonstrate that it had been doing enough on a quarterly basis for the court to find its cyber security efforts reasonable. That’s essentially what we’re hoping to do—give boards and CEOs enough tools to exercise effective due diligence and defend themselves against any charges of security negligence. They’ll be able to demonstrate the steps they’ve taken. As a service, it’s actually as easy as an annual subscription.

In the past, our services have been far removed from the board, but that’s starting to change now. Federal agencies are looking at corporate behavior in these realms with a more critical eye, holding boards and CEOs to higher standards. Normally, we’re brought in by, and deal with, mid-level information technology professionals or risk managers in the chief financial officer’s chain of command.

A decade ago, the federal government enforcers, such as the Office for Civil Rights, were not really penalizing companies yet. That has changed dramatically over the last few years, and we think it could start happening with other regulatory bodies, too, because they recognize the need to promote good security and privacy and to protect citizens’ data. Penalty dollars fund these departments, so they have incentive to go after board members and CEOs more aggressively. Boards and CEOs are starting to recognize this—and recognize the importance of being in the loop on all key security issues.

A cyber pioneer and thought leader, Mark Greisiger serves as the President of NetDiligence, a cyber risk assessment and data breach services company. In October 2015, Mark presented at the Milliman Risk Institute Advisory Board Meeting as a keynote speaker. His remarks were well-received and followed by a robust Q&A session. As part of this blog series, we invited Mark to provide some additional commentary to his speech and share his views on trending topics in ERM.

Responding to privacy and security issues

In enterprise risk management (ERM), we talk a lot about privacy. Privacy is tied to security—you can’t have one without the other. One growing area of risk in the privacy realm is tied to ethical privacy practices. This is called “wrongful data collection” or “wrongful sharing.” It’s one of the fastest growing areas of litigation, according to defense lawyers with knowledge of these practices.

Many marketing departments want to employ analytics to leverage big data from their consumers. They’re collecting enormous amounts of private information in covert ways. Sometimes they do it through third-party partners and technologies, but it’s all done under the radar, outside the scope of their internal privacy policies. That can be viewed as a deceptive trade practice by plaintiff lawyers or state attorneys general. There are companies telling customers one thing in their privacy policy, but doing the opposite when they collect information. In some companies, the internal risk manager doesn’t even know what is happening.

This risk centers on data management and privacy ethics. Organizations need to ask their employees important questions related to these areas. These questions can include what actions are you taking to collect data, are you following privacy protocol, and are you being transparent. Not following proper procedures can cause problems for some risk managers because their organizations end up being sued.

Reputational risk is a related issue. There are crisis response services that employ lawyers from around the country as data breach coaches. A data breach coach helps organizations assess the infiltration of data, alert clients of a breach, and facilitate crisis communications. Among other responses to a breach, a company will get a free call from the coach after a breach. Interestingly, it’s reported that one in four clients that experienced a breach event—a privacy violation—have been unresponsive to a breach coach’s guidance.

The attorney, or the breach coach, might literally say, “Here’s what you need to do. We need to get forensics in there to figure out the scope of the breach. Then we’re going to probably have to notify these victims. We’ll also have to notify the state attorney general and the state because that’s part of the law,” and so forth, laying out the gravity of the situation. Many organizations respond by saying, “Okay, we’ll get back to you,” but they never do. They quantify the reputational risk involved with the process and stick their heads in the sand, putting their business at further risk.

Certain sectors like healthcare tend to handle these issues appropriately. Healthcare organizations know they are in a high-compliance industry where regulators are looking at them proactively. However, in other sectors, there aren’t as many events being reported, even though they’re happening because traditionally they have marginal security practices. Such willful nondisclosure is another trend in the realm of privacy and security that is being studied more closely.

Legislation has even been proposed to include jail time for corporate executives who willfully decide not to disclose a big breach. It hasn’t come about yet, but could happen, certainly at the state level. These risks can be identified and fixed. Ultimately, companies need to think about the trade-offs between reputational risk and the potential for greater legal and financial risks if they become embroiled in a suit brought by a state attorney general based on issues of privacy and security.

A cyber pioneer and thought leader, Mark Greisiger serves as the President of NetDiligence, a cyber risk assessment and data breach services company. In October 2015, Mark presented at the Milliman Risk Institute Advisory Board Meeting as a keynote speaker. His remarks were well-received and followed by a robust Q&A session. As part of this blog series, we invited Mark to provide some additional commentary to his speech and share his views on trending topics in ERM.

Shifting grounds of D&O liability

Enterprise risk management (ERM) constantly tries to look ahead and forecast the future. For example, what do cyber risks mean for directors and officers (D&O) liability policies? It’s possible that the new cyber risks we have been seeing in recent years reflect greater systemic risks, which could be the primary issue. This makes it harder to project how cyber risks will affect D&O policies.

The pace at which claims are settled adds uncertainty. It can take three or four years before actual dollars are paid out on D&O claims. In comparison, cyber-related cases may be paid out in three to four months because those losses are immediately recognized by insurers. These two cycles are seriously out of sync. How do they affect D&O coverage?

As more and more companies acquire insurance against cyber risks – given what we see in the risk environment – it’s possible the market is mispricing the risk, and we may see a snowballing of insured losses. These complexities are certainly something for ERM programs to look at and think about.

For ERM programs to be successful, they need to skate to where the puck will be, not where it is. At the moment, I think we all believe that the market cycles are probably not going to get any softer. Something is going to occur that will probably create a hardening of the market. In terms of D&O coverage, it may indicate that now is the time to consider preparing for the upcoming changes. Insurance companies may need to think about more effective or aggressive means of underwriting. Every situation is different for every industry, but most companies have a sense of the market rhythms they live by.

When we think back to the global financial crisis, specifically the subprime meltdown between 2007 and 2009, there was a very hard market. Enhanced underwriting tools would have been useful because there were underwriters who could differentiate more moderate risk profiles from greater risk profiles. In the near future, it’s likely that these tools will become more useful for D&O policies. Nonetheless, now is the time to implement them – while the market is still soft. It may be too late once the market hardens again. It may take perseverance and some cycles to work in, but organizations end up with people who are finding ways to check boxes and get signoffs and are comfortable working in tougher underwriting environments. If an effective quantification of the ERM value is something that an underwriter can use to demonstrate heightened diligence, it will be useful in all market cycles – especially a hard market.

Darren Sonderman is an EVP at McGriff, Seibels & Williams, Inc. and co-founder of the company’s Financial Services Division, which specializes in the implementation, innovation, and execution of Management Liability insurance programs. In the fall of 2015, Darren co-hosted a panel discussion on D&O insurance at the Milliman Risk Institute Advisory Board Meeting. As part of this blog series, we invited Darren to provide some additional commentary on D&O programs and ERM.