The main processes for enterprise risk management in an insurer involve two levels of control cycles:
- The first level looks at the individual risks and sets out limits, controls and mitigation processes to assure that each individual risk that is taken fits with the plans and expectations of the insurer.
- The second level looks at the risk aggregates of the insurer and steers the total amount of risk retained by the insurer and the risk profile.
Irregularly, but not infrequently, an insurer will undertake a major project that may not fit well with either of those control processes but that has the potential to overwhelm the careful attempts to control risk taking in one giant step.
These major projects include acquisitions, divestitures, new products, territories, distribution methods, joint ventures and outsourcing.
In the Solvency II version of the Own Risk and Solvency Assessment (ORSA) requirements, these events trigger a requirement for a re-evaluation of the ORSA.
While not required by the regulator in the U.S., an insurer that wants to know in advance that it will be able to deliver an acceptable ORSA at the next annual requirement would be well served to adopt the practices that are here called change risk management.
The change risk management process usually takes the form of requirements that certain risk and risk management questions need to be answered satisfactorily for a major change project to get final approval by management and the board.
The process of answering the questions may be spread out over the time period when managers are assessing the viability of a project proposal or may be a part of a formal risk management review that is one major step in the project approval process.
The responsibility for developing the answers may fall on the business manager who sponsors the project, with the answers reviewed and approved by the risk officer, or it may fall on the risk officer, with the answers reviewed and approved by the board or CEO.
The questions will differ somewhat for different types of projects, but for all types they fall into a small number of major categories:
- How will the execution risks of implementation be managed?
- How will we be assured that implementation costs will be as planned?
- How will we be assured that new risk taking will be under control during implementation?
- How do we get the expertise required to achieve the above answers?
Impact on Risk Profile
- Does the new project materially affect the amount of risk compared to the amount of surplus of the insurer? If so, should management and the board be asked to reassess the risk appetite and tolerance of the firm in the light of the information about the new project?
- Will the project increase the concentration of any of the existing risks in the insurer’s risk profile? Does that additional risk concentration pose a danger to the firm?
- Will the project increase the diversification of risks of the insurer? If so, how do we get the expertise to properly assess and manage those risks?
Integration into Risk Management Program
- Do the risks from this project fit into the existing risk management program?
- If not, what changes or additions to the risk management program are needed to effectively measure and manage the risks?
- Do we have the expertise to develop and implement the needed changes? If not, how can we get the needed expertise?
- Can those changes be ready
  - when the first new risks are expected to be taken, or
  - before those risks become significant, or
  - sometime later?
Many insurers have well-developed processes for decision-making and implementation of new major projects that do not already include the change risk review process that is summarized above.
The existing change decision-making and implementation steps will be seen as important, and it will take a major effort on the part of top management to make sure that the new change risk management steps are given equal weight and importance.
In addition to asking the questions, a process also needs to be developed to assist with preparing plans and analysis that allow the formation of answers that are both true and acceptable.
This process may be led by the risk officer or the business implementation team, or a person from the risk department may be a part of the implementation team.
Change Risk Management and the ORSA
It is easy to see that many of the change risk management questions are the same as the ORSA questions. The answers provided during this process can form the basis for the major changes that may be needed for the ORSA report when it is next prepared.
Perhaps the major difference between the Solvency II requirement for an ORSA process and report in the event of a major project and the U.S. requirement for annual reports is that the Solvency II requirement would imply reassessing ALL risks in the event of a major project. In the U.S., management has more discretion as to when they do that reassessment with the possibility of deferring to the next annual ORSA report process.