Profiles In Management

Delivering Promises

How Enterprise Risk Management can codify and integrate a culture of growth and success

by Joseph W. Sullivan, J.D.

Mr. Sullivan is Executive Vice President and Chief Risk Officer – Boston Mutual Life Insurance Company. Visit

A fully operationalized Enterprise Risk Management (ERM) strategy and discipline is a good business practice and critical component of any strategic plan. At my company, we’ve created an ERM culture throughout our entire organization to help ensure we can continue to deliver on our promises to our policyholders and producers.

In 2012, Boston Mutual Life Insurance Company (BML) embarked on a journey with a vision of an upgrade to an “A” rating by AM Best. To support that vision, we adopted a more holistic approach to our strategic planning process, and focused on an enhanced level of organizational readiness to drive sustainable, profitable growth. We achieved an upgrade to “A” in 2017.

From the outset, as part of our vision, we have been committed to best practices in ERM. Building off a solid ERM foundation, our strategy continues to evolve today with a goal of a fully operationalized risk management culture and discipline across the company.

In 2016, I joined BML as Chief Risk Officer, as part of the company’s commitment to this endeavor, bringing an extensive risk background to the position. Then, in 2018, we doubled down on the commitment when we established and staffed an independent ERM department within our organizational structure.

New Processes & Workflows

Since its inception, the department has developed new processes and workflows to better understand and mitigate risk. The scope, pace, and complexity of risk issues continue to expand and permeate all aspects of our organization. An effective ERM practice must be engaged in all aspects of the business both strategically and tactically, while being keenly aware of internal and external influences. A holistic and collaborative ERM perspective and discipline, therefore, allows us to proactively assess and mitigate risk on a daily basis.

Our ERM strategy has always been driven by having the right tone at the top of the company, with the full support of our Chairman, CEO, and President, Paul A. Quaranto, Jr., as well as our Board of Directors’ Risk Committee. Furthermore, the strategy is supported by our Corporate Governance Guidelines, developed in accordance with the National Association of Insurance Commissioners’ (NAIC) Model Act.

Alignment With A Strategic Plan

The ERM strategy was recently updated to better align with our long-term strategic plan and current organizational structure. New risk categories include Distribution and Underwriting, External Affairs and Corporate Communications, Finance and Investments, Human Capital, Legal and Compliance, Operations, Risk, Strategic Project Management, and Technology. The executive leadership for each of those disciplines also has risk ownership accountabilities.

Other enhancements that took place in 2019 to support the updated strategy included a comprehensive review of risk appetites and tolerances, the establishment of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), the deployment of an ERM dashboard to monitor those key indicators on a real-time basis, and the launch of an ERM intranet page to increase risk awareness and provide a platform for information and education for all employees across the company.

The new department also developed a Third Party Vendor Information Security Policy, a standardized Information Security Assessment Form, a Third Party Relationship Management Program, and a User Defined Application Management Program. Finally, the Internal Audit team was integrated with the ERM department, resulting in enhanced organizational alignment and collaboration between the ERM and Audit teams.

Overall, we believe a thoughtful approach to ERM is important to our overall success. Moreover, we understand that this will be an iterative process — one integrated into our system — that will require ongoing review and modifications to remain relevant and contribute to our ongoing success.