Talking ERM at RIMS with Aon Global Risk Consulting Managing Director

By Anya Khalamayzer,

1. What is the role of ERM today? Has it reached widespread recognition by the C-Suite? When management teams think about risk management, they are probably thinking concurrently about ERM as well as specific risk management disciplines; for example, the treasury looking after financial risk, traditional insurance teams looking at Property and Liability, and the team that tracks quality or compliance efforts. The nomenclature is sometimes confusing because we can think about risk while also thinking about risk at different levels, and management teams today are absolutely doing that.

2. How is working on a consulting team different from your previous roles as an in-house risk manager with Ford Motor Company and Coca-Cola? We provide clients with advice, experience, tools and assist them in educational efforts within their company, but we’re different from a risk team within a corporation or nonprofit enterprise, where you have it as a staff function that looks after many aspects of risk within an organization. Sometimes we’re hired by a board of directors or a management team to do an independent analysis of their organization’s capabilities and help them determine where they would like the organization to be, and make a plan to get them there.

3. Has your background at a variety of other companies helped you do your current job? I think all of us, in any profession, bring our amassed prior experiences to the table. Working at Ford and Coca-Cola Enterprises was helpful for a lot of reasons, including exposure to the management level, decision-making around risk, an understanding of board responsibilities and the operational aspects of RM.

4. Is the C-Suite still equating “risk” with “loss”? I think risk is perceived at the C-level as the balance between taking the risks you want and have to take- it’s balance against avoiding negative surprises. All organizations take risk everyday because of the things they want to achieve. From a functional standpoint, risk management is still perceived as the organization that says “no” to avoid negative outcomes, but there are many risk managers who have been successful at recasting this view.

5. Do you have any personal frustrations about that fundamental perception? No. My job is to take organizations from where they are today to where they want to be, so we have to start with understanding their frustrations and barriers and helping them move through that to the next level of maturity based on their capabilities.

6. How are risk managers transitioning to strategic risk management (SRM), and why is this important? It’s interesting, this debate whether SRM is a different thing from ERM. I do not see them as two distinct practices. It’s my observation and experience that risk management in the strategic context is a natural result of having a well-designed and integrated ERM framework

7. How do you think that recent events, such as the attack in Boston and the Texas plant explosion, will affect risk management on a global scale? Will it make organizations more cautious, or will it spur them to become more resilient? Risk management tries to predict unforeseen events and understand the organization’s ability to deal with those matters according to their exposures. Whether it’s called risk resiliency, or dealing with a certain event, there are things that you can do proactively to enhance your organization’s ability to deal with it. Number one is aligning the leadership team to how the organization will govern itself in an unforeseen circumstance. Number two is to understand what your resources are and how to deploy them if an event occurs. Three is having the capability to modify your response in real time. It’s a lot about nimbleness and decision making capability in circumstances where time matters.

8. Speaking from the position as a NU board member, what’s on your mind that you would like to say to the RM community? Risk managers bring a tremendous amount of insight and capability to the question of how organizations should manage their risk. My thoughts are that it is important for senior-level risk managers to have technical capabilities to understand the operations and the “business of the business” that they are in. We must wear two hats: being a technical risk manager, and being a collaborative member of the organization’s management team.