Risk has traditionally played a minor role in the strategic discussions of many firms.
Often, planners get risk out of the way at the very start with a discussion of strengths, weaknesses, opportunities and threats (SWOT). Then as quickly as possible, the planners shift into concentrating on a discussion of opportunities. That is what they are there for anyway: opportunities.
Enterprise risk management now presents a different approach with the objective of aligning risk management with business strategy. This alignment takes place at two levels: first as part of the aforementioned strategy and planning discussion, and second, in the more operational discussions that result from the strategy and plan.
Risk appetite and strategy
The idea that aligning risk management and strategy is highly important may be a stretch for some businesses; but for insurers, risk is the raw material of the business. So it seems very natural that a discussion of risk management should fit well with the strategic discussion of the insurance business.
The main building block of the strategic discussion of risk and risk management is the risk appetite statement. Risk appetite is defined in the U.S. National Association of Insurance Commissioners (NAIC) Own Risk and Solvency Assessment (ORSA) Guidance Manual as:
Documents the overall principles that a company follows with respect to risk taking, given its business strategy, financial soundness objectives and capital resources. Often stated in qualitative terms, a risk appetite defines how an organization weighs strategic decisions and communicates its strategy to key stakeholders with respect to risk taking. It is designed to enhance management’s ability to make informed and effective business decisions while keeping risk exposures within acceptable boundaries.
I have always interpreted that as saying that the risk appetite is the strategy statement for risk. And you can see that the regulators see risk appetite as directly linked to strategic decisions.
Besides risk appetite there are several ERM tools that can aid in the strategic risk discussion.
A part of the statement of the impact that the plan will have on the company should be a before and after risk profile. This will show how the plan either grows or diversifies the firm’s larger risks. Risk cannot be fully described by any single number; therefore, there is no one single pie chart that is the risk profile of the firm.
The risk profile should be presented so that it articulates the key aspects of risk that are the consequences of the plan – intended or otherwise. This may mean showing:
- the geographic risk profile
- the product-by-product risk profile
- the risk profile by distribution system
- or the risk profile by risk type
By looking at these different risk profiles, the planners will naturally be drawn to the strengths and weaknesses of the risk aspects of the plan. They will see the facets of risk that are growing rapidly and consequently require extra attention from a control perspective.
And even if there are none of those reactions, the exposure to the risk information will eventually lead to a better understanding of risk and a drift toward more risk aware planning.
Risk management view of gains and losses
Planning usually starts with a review of recent experience. The risk managers can prepare a review of the prior year that describes the experience for each risk in terms of the exceedance probability from the risk models. This could lead to a discussion of the model calibration, and possibly to either better credibility for the risk model or a different calibration that can be more credible.
Risk controls review
Each risk operated within a control system. The review of recent experience should discuss whether the control systems worked as expected or not.
Risk-adjusted pricing review
The review of gains and losses can also be done as a review of the risk margins compared to the risks for each major business or product or risk type. Comparison to a neutral index could be considered as well. This review should address the question of whether the returns of the firm were a result of taking more risk or of better selection and management of the risks taken.
Management groups may be much more interested in one or another of these tools. The risk manager must search for the approach to discussing risk that fits management’s interests in order for risk to become a part of planning and strategy. Without that match, any discussions of risk that take place to satisfy regulatory or rating agency pressures will be largely perfunctory.
Recent studies have found that insurers who link ERM to strategy are much happier with their ERM program. Over half of insurers who responded to a recent poll on risk appetite said that a linkage between ERM and strategy was an explicit objective included in their risk appetite statement.
Risk tolerance and company plans
Risk tolerance is the term of art for the aggregate risk plan. A company can skip having an aggregate risk plan, but if they have one, that plan is the risk tolerance. So, it is probable that more companies actually have a risk tolerance and simply do not realize it.
A majority of companies who recognize that they have a risk tolerance have set it to reflect the consideration of rating agency and regulatory requirements, and they sometimes also include a statement of the amount of surplus that is at risk under pre-determined circumstances. So, if the insurers who do not use the term “risk tolerance” indeed have a target for their RBC ratio or for the AM Best BCAR score, they are thereby setting an aggregate risk plan, which means that they do actually have a risk tolerance.
Strategy and plans impact on risk management
An enterprise risk management program will also work to align the management of individual risks to strategy and plans. At the highest level, there are four possible strategies for controlling individual risks:
The company strategy identifies the risks that are going to be exploited and managed. The ERM program should be active to assure that risk management is not serving as the business prevention function for those risks.
ERM should stand out of the way of the aggregation of the risks that the insurer plans to exploit, and it should make sure that due care is taken with the risks that entail managing. But that care should be of the “not too hot” and “not too cold” variety that allows for the success of the business.
The ERM program should also provide assistance with the processes and procedures needed to minimize and avoid the risks that are not a direct part of the success formula for the insurer.
Ultimately, this means that the plans for risk acceptance, limits and mitigation need to be carefully reviewed by ERM for each and every one of the firm’s important risks.
Without a link to strategy
If risk management is well developed into a strong, effective, disciplined function, there are two possible outcomes: it can either help achieve the business strategic objectives or it can be a strong force that will at times prevent the achievement of strategic objectives that are perceived to be too risky.
An ERM program with transparency and discipline is a powerful tool for management to use. Such a program, if set on the path of alignment, can be counted on to stay on that path and to continually support the overarching strategy while providing evidence of that alignment for all to see.