
11 April 2021

Can Risk Framework ‘Assurance’ reduce Insurance Costs? Yes, but will CROs pay for it?

I've long believed that effective Risk Management delivers tangible benefits to organisations. Ray Flynn, a risk expert with decades of real experience, shares his attempts to sell Risk Framework Assurance to reduce Insurance costs. Ray is a former Director of the IRM and independent Risk Consultant. 


Could an independent review of a professional service company’s risk framework result in it paying reduced Professional Indemnity Insurance premiums?  Probably.  Is it an easy sell?  No!

I was once on a management course where we started by listing things we would like to achieve from what we learned, detailed as a value to the company (additional revenue or profit).  It had to be something you wouldn’t have aimed for otherwise, so it could be directly attributed to the training.  Anyway, 6 months later we had to report on how well we had done in achieving these goals, again putting a value on them.  I think one of mine was to develop a new ‘product’ that would generate £X in revenue in the months following the course and I had achieved my objective.  Anyway, it turns out that this is how the training company sold their services to new companies.  They were able to list ‘testimonies’ from previous clients about how much the training had added to their bottom line.  In other words, the course more than paid for itself.

Whether this was in the back of my mind, or if through pure genius, I developed a plan to get companies to invest in an independent review of their risk management framework, in a way that would more than recover the cost of our consultancy work.  The focus was on professional service providers that paid huge amounts of money every year for Professional Indemnity Insurance coverage.  I remembered hearing that the company I once worked for had reduced its PII premiums by $millions by demonstrating to its insurers that it had implemented a robust system of risk management for its projects.  I figured that this could be taken further.  If these companies had their existing risk management processes and procedures reviewed by independent risk experts, would the insurance companies be even more comfortable in providing PII cover, to the extent that they would charge even lower premiums?  I checked with a contact I had in a broker specialising in this type of cover and the answer was that, as a general rule of thumb, an independent review by a reputable risk consultant could generate about a (once off) 20% reduction in annual premiums.  I asked if companies paying for other insurances, such as third-party liability, defamation, kidnapping, etc. could expect to see the same benefits, if they were to demonstrate some level of verification of their approach to risk, and the answer was a resounding ‘yes’. 

So, there it was: all I had to do was to team up with an established, reputable risk management consultancy (which I did) and target companies providing professional services (architects, engineering firms, law practices, hospitals etc.) large enough to be paying millions annually for their PII coverage and show them the sums: ‘Pay us £100,000 for an independent review of your risk management framework and, of course, implement our recommendations, and you will save yourself £1,000,000 or more on your PII insurance’!  Apart from that, you might actually improve your Risk Management performance.  The problem of in-house risk management teams not seeing the wood from the trees would be mitigated. It was a sort of Risk Management Framework Assurance certification, and it was a “no brainer”!

We started with engineering consultancies, which is where my background was, with a plan to bring on board legal, medical and other experts to ease ourselves into doing the same thing for other professional service providers.  The world was our oyster (I can’t think of a vegetarian equivalent of that one).  Everyone we spoke to in the companies we targeted was interested.  Some thought it was a brainwave.  “Why hasn’t someone come up with this idea before” and similar responses were heard.  Did we get any work out of it?  Nope, not a single paid hour!  Why not?  Well, I think there were a few reasons:

1)  We often ended up in front of the Chief Risk Officer (CRO) or equivalent, who, while agreeing with our approach, felt that the exercise could expose them in some way. Even though there was a chance that we would, independently, confirm that they were doing everything perfectly well, there was a risk that we would highlight some weakness, and that was a risk, I believe, some CROs weren’t willing to take, at least by voluntarily subjecting their ‘babies’ to scrutiny.

2)  Even when we got in front of CEOs, or other decision makers, I believe the worst enemy of risk management kicked in: Complacency!  “We’re fine on our own”.  “We can sort this out ourselves”.  Maybe they contacted their insurance brokers and were offered the ‘equivalent’ from their in-house consultancy arm?

3)  We ran out of time.  We were operating out of an office that was short of commissions and, with no easy wins, other things took priority, so we couldn’t sustain the campaign.  Maybe it needed a more global approach than we were doing at a local level.  We thought we’d be able to develop a successful template that could be taken and used in every country in which the parent risk management consultancy operated.  It might have been better to persuade the bosses in the US HQ to adopt it and develop it as an approach with existing clients in other sectors.  Perhaps we needed a bigger “name”. There used to be the phrase “no one ever got fired for buying IBM”. In the 1980s, IBM figured that their name was worth an additional 18% on the cost of their services. As long as their price came in ‘only’ 15% higher than the competition, they were assured of the sale. In a similar way, given the choice, most companies would engage a “Big-4” consultancy over any other.

I guess I’ll never know if this would have, or even has, in the meantime, succeeded.  Maybe someone reading this will think it’s still worth trying and message me from the Cayman Islands, in a few years’ time, to let me know how well it all went?  Go for it!  

-------------------

Ray Flynn

Ray is a semi-retired independent Risk Management consultant, with a focus on bribery and corruption.  He has carried out risk framework reviews and fraud risk assessments & investigations. He has also run two businesses and carried out interim management assignments in 4 different countries.  He has worked extensively throughout Europe, the Middle East, the Americas, Asia and Africa and was also a key member of a team investigating corruption in the engineering industry with the World Bank over a two-year period.  He is currently based in Brussels.

Ray was a board member of the Institute of Risk Management for 3 years and Chair of the institute’s Investment Committee.  He also sat on the IRM’s Education & Standards Committee and spent 5 years on the Audit and Risk Committee.  He has contributed to, and authored, two of the Institute’s publications.


24 April 2016

Is Risk Management a Profession?


So once again I have been invited to attend the ISO 31000 training programme. And at the end of the 3 days I will, of course, pass my certification exam, and will be able to call myself a C31000 Professional. Wow, am I excited, or not.

When I look at a range of "professions" I see a few things in common: years of experience and study, a professional body or association (or bodies) that determines a set of standards for professionals, certification, and a set of disciplines. I also see regulatory bodies (even if self-regulating within the profession) that protect the name of the profession, and strike off those that fail to uphold the standards of the profession. I also see the profession seeking to protect itself from charlatans who do damage to the profession, and, by pointing out clearly the standards required by the profession, to protect companies that employ such professionals.

So how does "The Google" define a Professional Association?


Somewhat limited I think, but for our purposes we can use this. What seems to be missing is protecting the integrity of the profession and professionals, but that might be included in furthering "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans.

Would the ACCA, ICAEW, IMA, AICPA, or the CICA stand by quietly as an organization or individual offered to create certified accountants in less than a week? The Medical Council would not allow someone to practice medicine without proper training and certification. Yet that is exactly what the Risk Management professional bodies do when someone offers three-day courses with a "professional" certification at the end. Where are the IRM, RIMS, GARP and PRMIA in protecting the reputation of the Risk Management profession and professionals?

So is Risk Management a profession? I'm sure that others have their own definitions and expectations of what makes a profession and a professional. For me, as someone engaged in the profession, I like the definition from Google:



Considering this definition, I consider myself to be a Risk Management Professional. I have been advising companies on Risk Management, developed an ERM application from concept to implementation, and I am a Risk Manager in a business. I am a member of a professional body, and have contributed to thought leadership published by that body, ranging from Risk Appetite and Tolerance, to Cyber Threats, and Risk in the Extended Enterprise.

Which apparently means that I should be "certified". Or at least, someone thinks that this will make me a professional.

So let us look at this kind invitation from Alex Dali again, the one that will, in three days, make me a Certified ISO 31000 Risk Management Professional.

The message from Alex Dali says:

I am pleased to inform you about the next training and certification session in London next month in May for you to become a Certified ISO 31000 Risk Management Professional with the official label C31000 certification.

It then gives the details of the course in London, for a very reasonable £1900, which includes the fee for the exam and certification.

It goes on to say:

Given your profile, I am sure that you will benefit a great deal from being a “Certified ISO 31000 Risk Management Professional” with in-depth knowledge on the international ISO 31000 risk management standard. This session is also dedicated to those interested in becoming Certified ISO 31000 Lead Trainer.

Nice to see that my LinkedIn profile indicates that I would benefit from being such a certified professional. Or not.

So where am I going with this?

I expect my professional body to protect "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans. And that includes calling out examples like this, where people can claim to be a Risk Manager simply by paying for a three-day course.

To be very clear, any programme that offers a professional certification after a three-day course and an exam (I wonder what the failure rate is, after paying £1900) is a joke. To be completely honest, I would have a difficult time taking someone seriously if they actually put C31000, or any other notification that they have received this certification, on their profile. I would then question every other certification that they claim, and I would wonder if that MBA or any other degree was from a mail-order "Institute" or "Institution" or just a postbox.

We as a Profession should be calling out specific examples like this, where someone sells certifications. We should be making it clear that we, individually and as professionals, will not accept bogus credentials.

For my part let me be very clear:

If you send me a CV with the C31000 certification on it, or if you have the C31000 certification on your LinkedIn profile, I will NOT be engaging with you. You are not a Risk Management Professional. You are the second definition of a Profession above: "an open but often false claim".

Just so there is no mistaking what I've just said:


To the professional bodies I ask: why are the Risk Management professional bodies and associations such as the IRM, GARP, PRMIA, RIMS and others not calling out the charlatans? Why are the professional bodies not protecting the interests of their members?

If my professional body will not openly state that this type of certification is a sham, then I need to do so, if for no other reason than to state categorically that I want my Profession to stand for something. When I say that I am a Risk Manager, I want it to be clear that this means I have years of experience, and that I can back that up with evidence. That I am a professional.