For nearly 40 years, Colin Knox has been in the trenches of insurance and risk management in his native Australia. He began his career with a brief stint as an underwriter, followed by longer stretches as a broker, risk manager in the mining and beverage industries, and now principal and director of Canterwood Risk & Insurance Services, where he focuses on enterprise risk management. During his career, he has seen ERM evolve from being operationally focused to more strategic in nature. “ERM begins at the top with strategy and then cascades down throughout the enterprise,” he said.
This interview is part of a continuing Q&A series spotlighting ERM success stories. For more, visit the RIMS Strategic and Enterprise Risk Center, and don’t miss the RIMS ERM Conference, which will be held in Chicago from October 26-27.
RM: How has your risk management experience shaped your overall perspective on ERM?
Knox: ERM is not about insurance as a way to help companies do what they want. It’s really about knowing the things that get in the way of achieving strategic plans, whether they’re one-year plans or five-year plans. These are the things that, in many cases, will make or break a company. To do this, you have to first understand what the organization’s overall strategy and strategic initiatives are and then identify the impediments to reaching these goals. Once the blockages are understood, you have to manage them, which requires people and processes. That is ERM as I see it—something fundamental to business success.
RM: How does that strategic, top-down evaluation process play out in practice?
Knox: It definitely begins at the top of the organization with the CEO and the board. It’s their job to set the strategy. They determine where they want the company to be in the future, in terms of its size, markets, products and geographic territories. Then it’s the risk manager’s job, working with the business heads, to brainstorm the things that can stop or slow this progress. But this top-down approach is just part of the paradigm. It’s also the risk manager’s job to understand the operational risks that impact day-to-day business operations—the activities directed toward implementing the strategies to achieve the corporate goals and where the processes may be breaking.
RM: How can risk managers help bridge the gap between an organization’s strategic and operational concerns?
Knox: Interestingly, there are some strategic risks that are also operational risks. For example, at Treasury Wine Estates, we had operations in California’s Napa Valley, a major wine-producing region that is subject to a higher-than-normal earthquake risk. The threat of an earthquake was both a strategic and operational risk for the company.
From a strategic standpoint, we managed the risk by spreading the risk—we didn’t want to be solely reliant on wine from the Napa Valley. Treasury Wine has operations throughout the world; they own vineyards and wineries elsewhere, and most of the wineries are well separated in distance. We still grew grapes and produced wine in Napa Valley, but we also produced wine in other regions where we had operations.
Operationally, we undertook seismic studies from a risk engineering perspective to understand and, where practical, to minimize the impact of an earthquake. We also made informed risk retention decisions with regard to our captive insurer and the use of deductibles, based on the risk appetites and risk tolerances of the board. Only then did we make decisions around risk transfer to insurance companies.
RM: Once the obstacles to organizational strategy are identified, how do you best manage these risks?
Knox: You need governance around the identified threat, whatever it might be, which requires structure for reporting purposes. My preferred model is one where the board has audit and risk committees composed of and chaired by independent board members, and executive management also has an audit and risk committee. The risk assessments identifying the strategic and operational risks emanate from these committees and then filter down throughout the organization.
Management of these risks is every employee’s responsibility, although key individuals are appointed as specific risk owners. They must monitor their respective risks on a daily basis and provide concise, accurate reports on these risks and their impact on strategy to the risk and audit committees. This way the executive management team is constantly engaged with the ERM program and has comfort and assurance that the strategic risks are being monitored and effectively controlled. Structure also is important to ensure that the risks don’t end up residing in silos. Rather, they are understood and managed enterprise-wide.
RM: Is there anything you would advise risk managers not to do when implementing an ERM program?
Knox: I’ve definitely made some mistakes along the way. If I had to point to one major learning lesson, it would be the need for the executive team to truly talk up the importance of ERM. If they don’t fully buy into it and constantly champion it, then getting buy-in from business leaders and everyone else in the organization will be elusive. People only do something when they are required to do it.
RM: What does executive buy-in mean on an operational level?
Knox: You want ERM to be embedded in the culture—to become the things that employees are doing when you’re not looking at them.