Over the last few years, research has shown that an increasing number of employees want to understand the “why”—or otherwise have purpose—behind what they do to be committed until the end.

As busy executives, the answer to “why” is even more imperative. You are not going to be thrilled or motivated to spend your scarcest resource of all—time—on something for which you can’t readily answer this timeless question.

In the context of an insurance company’s operations, the answer to this question is easy in most cases. As an insurance carrier executive, you know why your company purchases reinsurance or has a meticulous underwriting process. Their purpose is clear and pretty uniform from one company to the next.

Unfortunately, the answer is not so clear cut for other areas, with two of the most significant being strategic planning and enterprise risk management.

Why is a strategy important?

It provides an overall direction for the company craved by so many employees and investors, creates a framework for allocating resources, and fosters a culture of informed decision-making, among others.

However, while it is common for companies to develop some form of a strategic plan, very few actually accomplish the goals outlined within it because the plans don’t consider the risks associated with the goals, objectives or initiatives selected in the strategy. But more on that later.

Now the “why” behind enterprise risk management (ERM) is even more vague to carrier leaders. Barely 1 in 10 executives derive any strategic value from their company’s ERM efforts, according to the State of Risk Oversight report from NC State and Protiviti.

You may have an answer to the “why of ERM” question but not necessarily the answer.

Some common answers to the question of “why” a company has ERM are that the practices are required by regulators, or otherwise centered on minimizing harm and providing a list of risks. It is also common to misconstrue what “enterprise” means, with a common view being that ERM is simply reinsurance or corporate insurance.

These reasons leave carrier executives feeling frustrated. In announcing job cuts in risk management, a recent media report quoted one chief risk officer of a banking group saying, “We know people are frustrated by time-consuming processes and ingrained ways of working that impede our ability to be competitive and leaves us lagging behind our peers.” (“Lloyds to cut jobs in risk management after finding it was a ‘blocker’ to transformation progress,” cityam.com, quoting Chief Risk Officer of Lloyds Banking Group Stephen Shelley)

This type of reaction is unfortunately very common of the typical ERM practices at insurance carriers, which are frequently described as second-generation risk management, which consists of creating a list of risks with no connection to anything and completely to avoid failure or minimize any risk-taking across the company.

But like many CEOs and other executives, you may not be aware that another approach to ERM exists—specifically one rooted in achieving objectives—that is far more effective while also enabling competitive advantage.

Or stated slightly differently, it may be time to consider practices rooted in merging strategy and ERM.

Based on your experience, you and other company leaders may also not be aware that ERM is effective as a day-to-day decision-making tool for ensuring intelligent risk-taking in pursuit of strategic and business objectives. This is where the emphasis of ERM shifts from a strict defensive, value preservation role to a more balanced focus.

Advisor, coach and author Tim Leech, a pioneer in this approach, dubs it objective-centric ERM.

In an interview with the online Global Risk Community (posted by Boris Agranovich on March 5, 2021 at globalriskcommunity.com), he said: “[E]ffective risk management is a framework that delivers a materially reliable picture of the state of risk and certainty linked to a company’s top value-creation objectives and value preservation objectives to the CEO and the Board.”

Top risk management standards, namely ISO 31000 and COSO, have been moving in this direction for several years. For example, ISO 31000 defines “risk” as the “effect of uncertainty on objectives,” with effect being a “deviation from the expected.” What is interesting is that “deviation” can be positive, negative or even a combination of both.

You do not need me to tell you the ever-increasing volatility, uncertainty, complexity and ambiguity—or VUCA—gripping today’s world. Between shifting consumer expectations, escalating claims volumes, increased litigation, the growth of AI and other technologies, and a litany of other elements, insurers are navigating the roughest waters in a generation or more. And there is no sign of it slowing down anytime soon.

In spite of this reality, many carriers typically focus on shorter-term planning because of the uncertainty of what the future holds. If any longer-range, three-to-five-year planning is done, executives and planners discuss ideal scenarios, which rarely become reality.

If risk is not merged with—and made a part of—both strategic planning and execution, you and your company will be hamstrung from achieving the goals that have been set.

This “merging” increases confidence among you and fellow executives, and employees, that the goals that have been set forth are the right ones, and it increases your confidence in the ability to achieve the goals.

But it does not stop there.

Developing scenarios around best case, worst case and likely case can help the company be better prepared to respond when, not if, any obstacles rear their ugly head.

Only looking at the best situation, which is the frequent focus during planning, will lead to confusion and scrambling when the metaphorical wrench is thrown into the gears of strategy implementation. The inclusion of worst case and likely case will result in your strategy execution teams confidently saying a plan of action or response is in place should a particular scenario play out.

Applying other “risk” tools, such as risk appetite and tolerance, can provide guidance on how much risk can be comfortably taken in pursuit of strategic objectives. Risks going beyond this defined tolerance should trigger a reassessment of the goal or management’s approach to achieving the goal.

A third way to merge strategy and risk is the use of modeling, which can provide a range of probabilities on the likelihood of success of a particular goal based on a set of assumptions associated with that goal.

The key reason for merging risk and strategy: This combined practice provides carrier management and executives teams with the ability to adapt to the constantly moving target of pursuing strategic goals in a VUCA world.

If your ERM efforts are currently focused on second-generation risk lists, shifting to objective-centric ERM by merging risk and strategy can take some time. It will take time and trial and error before your company will be able to harness tools like scenario planning, modeling, risk appetite and tolerance, and others effectively. Previous columns in Carrier Management have explored some of these tools more in-depth. (Related articles listed in accompanying textbox.)

This does not mean you have to wait to start making this shift. As the ancient Chinese proverb says, “A journey of a thousand miles begins with a single step.”

This single step can consist of a general set of questions to ask during strategic planning sessions or even everyday decisions. Some general examples include questions about dependencies, assumptions and key resources needed to achieve the goal—in essence, questions aimed at challenging assumptions.

Companies who do not merge risk and strategy simply will not have the wherewithal, or even the desire, to do this, which means they will only go for incremental improvements over innovative goals.

It is clear from the disruptions of the last few years that carriers will have to be truly innovative to be successful and avoid displacement by a more agile competitor.

Merging risk and strategy can help a company successfully achieve this as long as everyone has a clear understanding of “why” this is important. Without it, the company will flounder with no singular purpose behind ERM aside from regulator compliance and maintaining a list of risks.

Are you ready to have real purpose driving your company’s ERM efforts?