Guide to ERM: Policies and Standards


Risk management policies are nothing more and nothing less than a clear statement of what the insurer intends to do within its ERM program.

The entire set of risk policies can all be included in one consolidated corporate risk policy document or, more commonly, contained in a series of separate documents. The latter approach makes sense for large companies and groups, which typically have detailed policy documents on all major risk types.

Below, we discuss the various types of risk policies:

Risk Strategy Statement

Risk strategy should go hand in hand with the business planning process. Regulators will look to see that risk appetite provides the limits and boundaries for business plans and associated targets for KPIs.

These KPIs will be varied and reflect the requirements of multiple stakeholders such as the board, shareholders, regulators, and rating agencies.

The risk strategy statement provides the structure for finding and taking risks that present opportunities for the group while balancing KPI choices.

It should support loss control, including by diversifying risks by type and geographies, and setting capital targets that can be allocated to each risk and business unit.

Risk Management Framework

For an insurer who has just completed the initial 4 stages of ERM development, the risk management framework is a statement of what was decided for each of those steps:

  • Identification of risks
  • Development of risk measures and reports
  • Identifying risk mitigations and setting risk limits
  • Appointing individuals to be responsible for the ownership of the identified risks as part of a defined risk organization structure. This structure should provide the board with an ongoing view of the corporate risk profile.

As the insurer develops its ERM process further into additional ERM practices, the risk management framework is also extended to include statements about the objectives of those practices within the insurer’s program.

An insurer who is preparing for an Own Risk and Solvency Assessment (ORSA) should strongly consider having an additional set of associated policies.

Insurance Risk Policy

This policy sets out the identification, measurement, mitigation and reporting stages associated specifically with insurance risk. It is a statement of the types and amounts of insurance coverage that the insurer will write as well as the methods that the insurer will use to select the specific risks.

Processes should be defined for measuring these risks, such as monitoring and reporting aggregate claims experience. Mitigation practices should be set to keep the insurance risk within the boundaries that management has set in the form of appetites, tolerances and limits.

The insurance policy statement will also likely set out the approval and exception authority structure used by the company as well as the notification requirements for breaches of the policy.

This breach process establishes expectations for actions to be taken in the event of significant deviations between actual and expected claims.

The insurance rate setting process will also be described, as well as who has the responsibility of determining initial and final rates.

Investment Risk Policy

The investment risk policy is a fraternal twin to the insurance policy. It defines the approval process for accepting types and amounts of investment risk. It also sets mitigation practices to be used and authorities for approvals and exceptions.

These should all be consistent with the risk appetite, tolerance and limit statements of the insurer.

The investment policy should set forth communications requirements on investment risk exposures and emerging experience in terms of timing and audience for that communication.

Expectations for actions in the event of deviations from the policy and/or from investment losses or under-performance are also set out here.

ALM Policy

An asset/liability management—or ALM—policy is an expectation of regulators, but such a policy is primarily a concern for life insurers whose products are often inherently linked to investment performance.

For non-life insurers, the ALM policy can usually be expressed as a short paragraph in the investment risk policy.

This paragraph should set forth the targets for investment cashflows and should also address tolerance for liquidity risk.

Risk Appetite, Tolerance and Limit Statements

Regulators and rating agencies all expect that insurers will have an articulated statement about their objectives with regard to risk taking. This includes both quantitative restrictions on the aggregate amount of risk that is retained and not fully mitigated and qualitative restrictions on the risks that will be taken.

In most cases, the quantitative risk appetite statement is likely to be qualified by both amount and likelihood.

For example, a company may seek to take risks to maintain a maximum net 1 in 10 year underwriting value at risk (VaR) of £10m.

This target defines limits for the gross underwriting risk which can be written at business unit level. It also defines an important input into the reinsurance decision-making process.


This blog was authored with Stephen Mullan.

About Dave Ingram

Dave is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers. Based in…