Compartmentalizing complex risks has always been difficult, but globalization and technological advances seem to make it impossible.
The spread of COVID-19 and its global impact on economies and social structures have illustrated how interdependent the world has become and the challenges in responding to any crisis. [1]
Two years into the pandemic, about one-third of small businesses in the U.S. have closed. [2] Organizations that survived are grappling with rising costs of goods and labor, and seven of 10 small businesses say supply chain issues are hurting their bottom lines and ability to stay solvent. [3]
The current environment affects not only organizations’ finances but also their ability to secure insurance coverage, as complex risks multiply and become further intertwined. However, through enterprise risk management (ERM), organizations can identify, manage and communicate risk across all aspects of the business.
Building enterprise risk management programs to manage complex risk
ERM helps organizations understand internal and external complex risks and identify ways to hedge against insurable exposures, mitigating the impact of uninsurable risks. For example, it’s hard to use cyber insurance to cover the reputational damage that comes with a cyberattack. However, the strict underwriting guidelines that demand increased cybersecurity can help reduce the risk of a data breach happening in the first place.
Creating an ERM foundation requires planning, a detailed assessment of all risk and a commitment from company stakeholders. Here’s how to begin:
Create a risk register. Establish a group to spearhead the ERM program; the group should initially conduct a comprehensive assessment of all complex risks in the organization, including hazard, operational, financial and strategic. This assessment results in a risk register that documents the challenges of managing each risk, the consequences of a triggering event and what the organization has done to mitigate the risk. Those in senior leadership should ultimately be responsible for managing each risk, delegating procedures to those best positioned to oversee them.
Ask for input. Gather diverse perspectives on an organization’s complex risk from internal subject matter experts and, when necessary, outside resources. Employees representing each functional area should give their perspectives on all complex risks during the risk assessment process via workshops, surveys or interviews — these efforts can help uncover unknown exposures, illustrate how various risks intersect and enhance risk mitigation.
For example, a facilities manager’s suggestion to add streetlamps in a parking lot could substantially decrease parking lot theft. Such information — often not apparent to senior leadership — helps ERM teams address underlying vulnerabilities and develop mitigation strategies for each risk.
Analyze risk drivers and triggers. Estimating the likelihood of a risk, its potential impact, the organization’s preparedness to handle the risk and how the risk intersects with other exposures creates a risk profile. Organizations can conduct this analysis on their own, retain an expert or purchase software specifically made for ERM. In addition, this analysis should fully articulate complex risks, showing key components of underlying vulnerabilities, triggering events and current mitigation strategies.
This analysis should also note whether a risk is an inherent industry or geographical threat, or an operational threat specific to the organization. For example, a natural resources firm may be unable to reduce its exposures from the volatile petroleum market but could invest in renewable energy, minimizing the risk through diversification.
Employ a multi-disciplined approach to complex risk. Use data from the risk analysis to prioritize which exposures to address and to inform the organization’s overall risk appetite and tolerance threshold. Concentrate on risks that affect sensitive areas of the organization and could have a domino effect. Develop an insurance strategy that prioritizes risk mitigation for key exposures.
Coverage for complex risks that lack standard coverages, such as reputational and pandemic risk, may require third-party assistance. Options could include hedging the risk through a counterparty, such as a contract with a financial institution, rolling the risks into a captive or pursuing coverage in the excess market.
Regularly evaluate success. An ERM strategy can grow stale. Ensure a comprehensive risk assessment is conducted at routine intervals, such as every 24 months. The assessment should include a deeper dive into an individual business unit’s risk and whether the ERM strategy is producing results. Interim assessments should be conducted at the business segment level on a rotating basis, over the course of 12 to 24 months.
[1] Reliable Engineering & System Safety, “Globalization and global risk: How risk analysis needs to be enhanced to be effective in confronting current threats,” January 2021.
[2] Austin American-Statesman, “Fact-check: Have one-third of U.S. small businesses closed during pandemic?” June 8, 2021.
[3] Newsweek, “7 in 10 Small-Business Owners Say Supply Chain Issues Are Hurting Their Bottom Lines: Poll,” January 24, 2022.