Author’s Note: This article, published in the Policy Magazine (www.policy.ae) in late 2009, is a predecessor of CEO = Ceiling of High Opacity published on this blog. Because of the significant interest that this latter article attracted, I thought also of reproducing the earlier article hereunder, emphasising the integrity of governance in the risk management equation:
“Risk Management is about people who have the courage to do things right.” This statement is borrowed from the 4th annual CRO Assembly, 2008, and encapsulates the true spirit of risk management.
An insurance company’s capital has an essential but somehow contradictory role. Whereas regulators and policyholders endeavour to ensure that an insurer is sufficiently capitalised to meet its obligations, shareholders want an equitable return for the risk they assume in putting capital at the company’s disposal.
But, what is an equitable return? And, what level of risk is acceptable? Whereas equitable return is generally dictated in the form of opportunity cost in the more mature markets by the level and nature of market competition, there have been instances of greed gone wild. This brings us to the premise that the level of acceptable risk is not something that is fundamentally measured only through probability theories. It must be based on a firm foundation of business ethics. This is why the balancing act between risk and return is one that needs to be undertaken by someone who has the “courage to do things right.”
Quantitative or Qualitative Approach?
Risk Management has more to do with corporate governance than it does with mathematical calculations of capital adequacy and risk-adjusted returns. Admittedly, much of risk management as a discipline is mathematically driven. However, risk management as a profession is much more than that.
The risk-based approach to regulation adopted by many authorities internationally relies heavily on intelligent systems that are able to accurately calculate available and required capital for the various risk dimensions be they, for example, a company’s liability, asset, operational or emerging risk categories. Systems are consequently expected to objectively detail, say, the ten major risks to which an organisation is exposed and to calculate the diversified capital adequacy requirement to meet them should they materialise.
But in all of this could we be missing the wood for the trees?
Over the past decade or so we have had debacles of the scale of Independent Insurance plc in the UK on the one hand and Bernard Madoff’s Ponzi scheme on the other, not to mention the banks and financial institutions responsible for triggering a financial crisis that has brought world economies to their knees. In delivering his sentence, the Judge in Bright’s case (Independent’s CEO) stated that the crime was so grave that it was, “altogether beyond the scope that Parliament could have had in mind when fixing such a maximum, probably by a factor of several times.” Also convicted in Mr. Bright’s case was his former Finance Director who, according to the presiding Judge, “lacked the strength of character to say enough is enough and say something about it.” One does not doubt that the likes of Michael and Bernie had the systems in place to intelligently provide the information that they wanted to convey. Otherwise, they would not have got away with it for so long with auditors obliviously signing off on their misdemeanours. Where do directors fit in all of this? In the corporate world the inability to climb a career ladder is often referred to as ‘glass ceiling’. Could it be that in enterprise risk management we are sometimes witnessing the inverse? Could it be that directors are happy to endorse a signed-off auditor’s note on governance and risk management because there is a glass floor between them and the enterprise they direct? Is it sometimes a case that as long as the boxes are ticked reports are endorsed?
Although the words are derived from the same root, in Risk Management we need to differentiate between intellect and intelligence. Whereas intelligence is the ability to acquire and apply knowledge (something that can also be artificially simulated), intellect is the ability to learn and reason; the ability to perceive. When putting enterprise risk management systems in place are we giving undue importance to the intelligent systems that ‘run the numbers’ and help us measure up to rating agencies and regulators’ expectations? Or are we relying more on intellect to holistically monitor, measure and mitigate risk? No matter how intelligent, systems are tools which, by default, serve us. Like any tool, we can use them, misuse them or abuse them.
Intellect, on the other hand, is an attribute. It is a guide to principle-based judgement. Intellect, or the power of perception, is the root of sound corporate governance. No actuarially endorsed systems can give or take that away from an organisation’s culture.
This article by no means advocates a return to principles-based self-regulation. That created its fair share of insurance market woes some three or four decades ago. But the move to a rules-based governance approach has proved to be equally dangerous. There has to be a balance between the two, with the principles-based approach taking precedence as the foundation for the application, implementation and following of rules.
Therefore, enterprise risk management is as much qualitative (if not more) as it is quantitative in approach. If it is to be embedded in a company’s governance culture, then ultimate responsibility for Risk Management should lie with the Board. The Board’s responsibility does not end when the ERM Statement or policy with tolerance and appetite levels is signed off.
In the introduction to this article it was mentioned that capital has a somewhat contradictory role. The custodians of capital, watching over the interplay of risk and return, are the company’s directors. So, in furtherance of this, it follows that the directors, who are also the custodians of corporate governance, should play an active role in ensuring independence and authority of the risk management function in an enterprise.
The author, James Portelli FCII FIRM, takes a more philosophical view of risk and its management, stressing that a principles-based approach should underpin corporate activity. A Chartered Insurance Practitioner by profession, James has been active in insurance and risk management in Europe and the Middle East for over 20 years, first moving to the Middle East in 1998.