Enterprise Risk Management: Pascal's Inspiration
In the Paris Louvre resides one of the most famous portraits in civilization. Da Vinci’s Mona Lisa is visited by nearly nine million tourists, art aficionados, historians, teachers, every year. Among those might be insurance professionals, who can find parallels to their own careers among the museum’s hallways.
I recall trying to see the portrait during a springtime visit, twenty years ago. I left in disappointment. There must have been three hundred or more individuals pressing against each other, to catch a glimpse of that icon of western civilization, whose image they had seen hundreds of time, in books, film, re-creations. It also seemed an icon to my eyes – a computer icon, because it was over 50 feet away, small and distant, blurred by the ebbing throng, with security monitors and guards stationed in every corner. I wasn’t inclined to inch ahead among the 300-person mob, no disrespect to Leonardo. I moved to the next wing, wondering when there was a slow day.
The valuation of Mona Lisa is approaching $1 billion today, based on estimates from 1962, when it was transported to Washington and New York for exhibition. It was not insured. The premiums far exceeded the cost of physical security; the security was deemed sufficient, in deference to VAR -- Value at Risk. Thus, the residual risk was acceptable, based on probabilistic calculations – the sustenance of actuarial analysis.
In that same Parisian landmark lies another piece of art, honoring another man, who sits at the foundation of insurance's quantitative discipline.
A sculpture attributed to Augustin Panjou shows a mathematician contemplating the cycloid. Panjou’s subject was Blaise Pascal. Maybe Pascal didn’t have actuarial figures in mind, or maybe he did, but the “Renaissance” man bequeathed a marbleized base for the art and science of risk management.
Chronicled in letters and correspondence – rather, collaboration(!) -- with Pierre de Fermat, nearly 400 years ago, Pascal laid the groundwork and inspiration for much of the statistical science that impacts an insurance carrier’s combined ratio. And at the heart of risk management is the art and mechanics of departmental partnerships.
The Cycloid and Collaboration
Pausing before the cycloid, be reminded of Pascal's contribution to recursive logic, forerunner to the constructs of artificial intelligence. But in a plainer, business-oriented perspective, consider the rise and fall of the cyclical trace as a metaphor to your company collaboration, and the cycle of risk management:
Identification of hazard
Control Development/ Selection
where it shall begin again.
Your partnerships in Enterprise Risk Management (ERM) will make or break your program. The enterprise perspective is not a catch-all canvas with splotches of risk management in isolated departments – Manufacturing, IT, Security, Legal, Sales…. It is not simply a palette of separate risks managed by separate leaders. Enterprise risk programs distinguish among departmental accountabilities, yet still string the disparate efforts into one holistic lens.
In several other essays, we’ve discussed the criticality of your foundation – your value chain and your enterprise business processes. Oftentimes, the business process hierarchy is absent, or immature -- not formalized nor socialized in the firm. I wish I could say that is rare, but it is typically a cultural omission that receives much hand-wringing but little addressing. Business process understanding and use case analysis in firms are stymied by the crisis du jour, the inwardly focused attention spans, the impenetrable silos, and procrastination, all symptomatic of communications dysfunction. The firm’s leadership can mitigate this particular risk by lending weight to the foundational expectation – formalized business processes that are embraced by every leader in the organization.
When an ERM program is established or sustained, the value chain perspective of the entire firm is the baseline. It is the artwork that all leadership eyes should recognize.
Over and over.
Then you can chip away at the layers.
I can’t tell you the times I’ve heard in various firms, “We started a business process effort but I’m not sure what happened to it.”
So then, just do it. An enterprise risk program demands certain prerequisites that are often ignored or postponed. For the sake of the firm, postpone them no longer.
Think of the cycloid as our iteration reminder -- continuous improvement. Start at the highest levels and then iterate in broad brushes, capturing the hierarchy of business processes, then departmental processes and then the assignment of risks within each.
Like the recursive wheel in Pascal’s immortalized marble tablet, continuous improvement in risk management begins with a point in time.
For your point in time, you begin with the value chain baseline.
The Risk Architecture
What is your taxonomy for risks? Is it socialized and formalized?
Enterprise risk sits atop several key domains that contribute or diminish the firm’s confidence. For example, in one engagement, after iteratively analyzing one particular firm’s processes and value chain, we settled upon four top-most risk clusters:
One could argue that there are several unaccounted-for risks; such as Strategic risks, which encompassed process failures or omissions in partnerships; there might be oversights in Marketing, or Environmental risks (some systematic, some not), which are the purview of Facilities or Sales. But we had identified those classifications as fitting inside Supplier and Operational categories, respectively.
Within Financial risk, we had several categories encompassing financial operations and reporting, R&D (in actuarial and investment planning) as well as currency risks; the firm was a global entity, ripe for thoughtful hedging.
Depending upon the organizational architecture, your workflows, business processes and exposures, your enterprise risk hierarchy will be customized to your value proposition as a firm. Remember that your taxonomy is your taxonomy. You can leverage some generic risk categories from the business literature, but ensure they are applicable to your own company. Once defined, then set the risk architecture in firm clay, and socialize it across the corporation.
Your enterprise risk platform (of which there exist many) connects the enterprise value chain to departmental processes and then to the control environment. If you are a department manager, ensure your departmental risk metric is equivalent to the metric that ERM uses to reference your domain. Believe it or not, there are environments where that is not implemented, where ERM uses a different lens to evaluate a specific function; meanwhile the department sees itself in a more positive light. This alignment fault must be corrected immediately.
Collaboration, Socialization, and Federation
Oftentimes, an "audit” is considered an operational headache, a regulatory requirement that slows us down. This is a mistake. As ERM leaders, ensure that audit preparation is built into your environment. Audit management pays dividends not only in mitigation of penalty risks, not only in reduction of errors in your control environment, but in your company’s profitability!
Nothing receives as many exasperated shrugs and shakes of the head as knowing you are about to be audited by a regulatory body or by your internal audit department. If you built your control environment according to the firm architecture that every leader, and I mean every leader, should be able to articulate and understand, then you can create a process called audit readiness. The value of such a process minimizes interruptions during the audit. The day of an audit is not the day to be scrambling for a process owner, or searching for testing documents, or signatory evidence.
We don’t implement risk management or quality management because of regulatory expectations. If we do, then our teams are misunderstanding operational excellence. Getting managers to think in terms of risk does not encumber their innovation. Analytically assessing risk in all departments must become as natural and expected as the unique competencies within each domain. It should be part of the day-in-a-life, across all functions.
If you are running ERM meetings, and the leaders throughout the organization are dreading them, then they are not understanding their fiduciary responsibility, and the ERM leadership is not articulating the roadmap. Each ERM meeting should be a recognizable progression of improvement.
Advance a structured methodology and don’t allow unfinished business process formalization to hinder your effort. If you are leading the ERM charge then take it upon yourself to construct the business process architecture and move ahead. If it’s incorrect, that’s still a success – it will be noticed by other top leaders, providing an opportunity for refinement or adjustment. Without recognition that ERM is a holistic and collaborative approach, you are in trouble. If there is no formalized business process architecture, then embrace urgency, and develop the architecture within your own shop.
Your firm’s valuation may well exceed the Mona Lisa's. Or maybe not. But similar to that priceless portrait, insuring against every hazard is not always feasible. Address exposures, for transference, avoidance, or assumption, by seeing their relationship to a higher-end business process, which rolls into the enterprise's value chain. Refer to it constantly in your ERM meetings.
Like the cycloid, your ERM is a recursive effort, institutionalizing predictability and minimizing exposures, protecting your reputation, your income statement, your strategic partnerships, your operational stability. Like Pascal and Fermat, collaboration is comprised of give-and-take, challenges and corrections.
When you are next in a museum of art, consider the monumental effort in assessing exposure – the underwriting complexity for its insurance coverage. Imagine its own risk management effort -- the processes (open visitations), the clients (visitors), the assets (art and intangibles), the response mechanisms (security and infrastructure), the numerous hazards.
Traversing the expanse of the galleries, think of the iterative cycle of identification through evaluation -- recursive and collaborative.
The commitment of every departmental leader to risk management is an expectation. As ERM head, continue to cite the value chain as the baseline. Your insurance premiums, your firm viability(!), are dependent on your level of thoroughness. And finally, think of the renaissance souls whose mathematical collaboration guided an industry.
In your own eyes, always respect your unique contribution to the enterprise, mitigating risk as a way of life. Three hundred tourists may not be crammed in a room yearning to see your deliverables, but you’re still a significant partner in the firm’s success.
Being mortal means your own time is priceless.