The coronavirus pandemic has proven companies can overlook factors with catastrophic impacts on cash flow and operations. This is not the first pandemic and will not be the last. Companies assess risk and prepare for consequences with an Enterprise Risk Management (ERM) framework. Smaller companies without chief risk officers often assign the CFO to create an ERM program.

For CFOs who need to develop an ERM program, reviewing how insurers apply risk frameworks to their operations is a great start. Few businesses have their financial stability as closely monitored as insurers, making them a natural model for others. They rely on their ERM framework to demonstrate strength and security to insurance regulators, policyholders, and ratings agencies.

Equally important, insurers manage their risks not just to preserve assets but to capitalize on their ability to price risks, turning a certain type of risk into a source of income.

What is ERM?

Each company's risks and risk tolerances are unique. ERM is a structured process for evaluating and managing those risks, with a goal of positioning the organization to navigate those risks over the short- and long-term, based on its exposures and preferences.

Six steps to manage organizational risk

If you're responsible for developing and executing an ERM strategy, implement it through a lens focusing on protecting current assets and growing future assets. The process can be outlined in six steps:

1. Identify risks.
2. Analyze and quantify risks using available qualitative and quantitative techniques.
3. Integrate risks into an aggregate profile expressing the results in terms of company impact.
4. Assess and prioritize your risks to determine the degree to which each one contributes to the overall risk profile, prioritizing them to help your executives make decisions on how to treat them.
5. Mitigate and exploit your risks using available strategies to avoid, retain/finance, transfer, or exploit. This could even lead to pursuing new risks for their value-creating potential.
6. Monitor and review to gauge the ongoing risk environment and implement appropriate strategies.

Insurance ERM practices

For insurers, ERM is not just a check-the-box exercise; it's ingrained in their employees' DNA and is an important part of their day-to-day operations. Insurers know ERM is about getting the most out of their risk profile — capitalizing on the risks it's good at managing, and avoiding, hedging, or insuring the rest. It takes an integrated approach to measuring and managing the risks to optimize their risk-return profile.

A multidisciplinary team approach is the best way to develop your organization’s risk profile. Start by applying a root-cause analysis to identify your organization’s high risk areas. By performing this exercise, you shift enterprise risk management from reactive to proactive, removing the possibility of some events even occurring.

From there, assess what level of risk your organization and stakeholders are comfortable taking on. Once the appropriate risk appetite is established, implement the relevant strategies to control and account for your high-risk areas. Most importantly, once your ERM program is developed, use the "tone at the top" to communicate your strategy and reasoning that led to that decision. Business resilience, communicated effectively, will be highly valued by stakeholders in the post-COVID era.

Improving business performance

ERM is not just about minimizing risk — it is about managing risk effectively to optimize a company's risk-return tradeoff and manage the volatility of business performance. By clarifying risk and return tradeoffs in a corporate context, ERM is ultimately a tool for both identifying and appropriately pricing risk, which in turn impacts the pricing of products and the choice of capital investments.

Understanding risks can improve investment decisions, better allocate capital, and maximize shareholder value. A well-conceived and communicated ERM program can also help companies raise capital more cheaply by demonstrating effective risk management to investors, ratings agencies, and markets.

The benefits of ERM are clear: Create value from risk while reducing the volatility of corporate earnings (and stock value) resulting from unpredictable events and external variables.

Companies with an ERM program are aware of risk, take steps to quantify and manage it in the formation of the program, and use it as a mechanism of cost-effectively controlling downside risks and increasing opportunity.