Insurance company risk managers need to recognize that traditional activities like underwriting, pricing and reserving are vitally important parts of managing the risks of their firm. Enterprise risk management (ERM) tends to focus upon only two or three of the seven important principles of insurance company ERM.
In my presentation “The Seven Principles of Insurance Company ERM” at the 2013 ERM Symposium in Chicago, I first framed the reason for financial ERM in terms of a hierarchy of corporate needs, as shown in the diagram below.
Financial ERM focuses upon Profits and Survival, while Strategic ERM’s focus is on Sales and Value Growth.
Risk: It’s what we do
For an insurer, risk taking is its business, not an unwanted offshoot of its main activities. That means that insurers need a more robust financial risk management program than firms in some sectors.
Existing insurance company risk management programs are built around the following seven principles:
- DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
- UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality. A firm needs to be sure of the quality of the risks that it takes. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
- CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting and feedback.
- CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate. For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
- PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
- PORTFOLIO: There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer. This would include awareness of both risk concentrations and diversification effects. An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
- FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks. This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.
This list includes the traditional risk management activities of underwriting, pricing and reserving along with the new ERM activities of capital, portfolio and future risks. The control cycle is the bridging element, used in both traditional risk management and the new ERM. Diversification is the most primitive element of risk management and probably the most neglected. Specialization is usually the foundation of profitability for insurers (and most other businesses) but is in conflict with the diversification principle.
It’s all about perspective
Each insurer will find that it puts varying degrees of emphasis upon these seven ERM principles. The insistence of regulators and rating agencies that ALL insurers include a focus upon capital, portfolio and future risks is not necessarily appropriate. But the right answer for each insurer may change over time as the insurer's financial strength, risk profile and risk environment shift.
Stuart Greenbaum of the Olin Business School at Washington University in St. Louis was the other presenter for this session and he provided a perspective about ERM from his decade of experience on the board of a financial firm. Boards have shifted over time to a primary focus on risks that threaten the strategy or existence of the firm. He divides risk into Core risks and Ancillary risks. Core risks are fundamentally linked to how the firm makes its money.
Management of a Core risk must be a core competency of the firm. Greenbaum explained that a financial firm will often have unlimited appetite for its Core risks. That does not mean that they will be able, in practice, to actually take an unlimited amount of the Core risk due to practical constraints on factors such as capital. Ancillary risks, explains Greenbaum, are risks that companies should seek to minimize via risk management actions such as insurance and hedging.