Organizations are faced with a complex mix of risks, regulations, external issues and technological advancements. Aligning strategy, operations, people, processes and technology with these evolving dynamics can prove challenging.
Executive Summary
Enterprise risk management professionals often use predefined published lists as a starting point for addressing the risks their organizations may face, but in doing so they introduce another significant risk: the risk of underestimating risks, according to Linda Conrad and Donna Galer, two veteran risk professionals. Here, they zero in on four risks that are downplayed on the published risk rankings, which may impact their customers and threaten customers' ongoing viability. Two of the underappreciated risks—heightened employee expectations and risks related to taking controversial stances—may also disrupt business strategies at insurers' own organizations.
This is the first in a series of articles in which Conrad and Galer promise to highlight a dozen risks that should be higher on P/C leaders' radar screens.
Unfortunately, enterprise risk management, or ERM, is frequently undertaken using a predefined list of risks as a starting point for assessing exposures or a list that lacks strategic perspective, thereby limiting the usefulness of the risk evaluation to actual business operations.
Business leaders have been deluged with lists of top risks in recent years. Some of these are produced by global think tanks, academia, government agencies, professional associations, brokers, insurers and others. There are lists that are focused on macro geopolitical areas or on industry segments, such as energy, healthcare and financial institutions. Still others are focused on one set of risks within a risk category—for example, cyber risks, climate risks or financial markets risks.
In contrast, this article will zero in on certain risks that are downplayed in these published lists of risks, in business practice and in the enterprise risk management domain. There is a significant “risk of underestimating risks” by relying on or focusing solely on issues raised in these published lists, without performing an independent assessment of business exposures.