At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.
Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.
The Risk Control Cycle
There are seven distinct steps in the typical risk control cycle:
- Identify Risks – Choose which risks are the key controllable risks of the company
- Assess – Examine what are the elements of the risks that need (or can be) controlled
- Plan – Set the limits on what will be accepted and retained
- Take Risks – Conduct the primary function of an insurance company
- Mitigate – Take actions to keep risks within limits
- Monitor – Determine risk positions compared to limits and report
- Respond – Decide what actions to take if risk levels are significantly different from plan
This Risk Control Cycle is then repeated year after year and will perform a primary role in the ERM program of the insurer.
The Complete Risk Control Process
A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.
- Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”
- Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
- Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits
- Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting)
- Measuring and monitoring of risk: With metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints . The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken which is the vital Respond stage in the risk control cycle
- Risk limits and standards: Should be defined which are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances
Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance.
A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
- Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while other have become more expensive and/or riskier and limits need to be lowered
- Assess risks: And the cycle starts again
The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.
Gaining the Greatest Benefit from the Risk Control Cycle
Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and are tied to good measures of risk. These limits must be understood throughout the company and risk positions should be frequently and publicly reviewed so that any breaches can be identified.
But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.
This blog was authored with Stephen Mullan.