Some say that in a perfect world, there is no need for a separate risk organization. But that is probably not true. Besides, we do not live in a perfect world anyway.
There are four common organizational steps that insurers take to implement their risk management objectives:
- Risk owners
- Risk committees
- A risk officer
- A risk department
Each of these steps forms an important part of the risk control cycle, which allows each identified risk to be owned and measured at business unit level and reported upwards to senior management via risk committees, ultimately to the board.
If this risk organization functions well, it provides the process and structure to close the ongoing feedback loop. A sudden change in the position of a volatile risk can be flagged to the board, prompting mitigating action.
In this way, value can be gained from investment in ERM and risk appetite development, beyond satisfying regulatory and rating agency requirements.
If risk organization is ineffective, growing risk positions may develop unnoticed and, in the most severe cases, lead to significant loss of capital and reputational damage.
Risk organization is important for all companies, irrespective of scale. Smaller insurers should have a structured feedback loop in place even if they have relatively few identified risks compared to their larger counterparts in the market. In fact, this lower diversification can make risk organization an even more relevant topic.
Setting up Your Risk Structure
Setting up an appropriate structure need not be an onerous task which requires dedicated risk staff and sophisticated risk dashboards.
It can suffice if senior management tasks staff at each risk-taking business unit with devoting a part of their time to risk management.
However, it is vital that this role is carried out. A culture of complacency where a structured feedback loop isn’t deemed necessary can quickly lead to problems, even for the smallest companies.
The starting point of effective risk organization is the assignment of responsibility for each identified risk. In many firms it is best to assign responsibility to a line manager who controls the business that creates the risk.
The person with responsibility should be someone who periodically stands before the board. They should be asked to report to the board regularly on where things stand with respect to managing their risk.
These folks are called the risk owners. For many risks, the owner is already in place and has been for a long time. Underwriting risks are usually owned by the Chief Underwriting Officer, for example.
Some risks, such as reserve volatility, are traditionally owned in part by the claims officer and in part by the chief actuary. Assignment of primary and secondary risk ownership provides a thorough means to monitor risk positions as part of an effective control cycle.
Smaller insurers are usually able to quickly and easily identify risk owners. Larger insurers sometimes have a more difficult time with this step. The primary owner should be responsible for ongoing review of the measured metric related to their identified risk.
In our example, the claims officer may review aggregate net claims for one or more lines of business. If intermediate checkpoints, set below the defined aggregate risk limit, are exceeded, the claims officer can escalate the risk position to the chief actuary to decide on an appropriate course of action.
This may result in further escalation to a risk committee which can provide the final step to close the risk feedback loop by reporting to the board.
Risk organizations will generally include at least one risk committee. The committee roles will include high-level decision-making, policy setting, technical leadership, and execution.
In smaller insurers, the risk committee function is performed by the top management committee as a regular topic on their meeting agendas.
On the other hand, in many larger insurers there are two risk committees. The first is more strategic and policy-oriented, made up of some or all of the top management group of the firm.
The second risk committee is more operationally focused, often consisting of the functional unit heads along with the risk owners and the business unit risk officers. The second risk committee has the responsibility to monitor compliance with risk limits.
The risk officer is the personal embodiment of the new risk management effort. That person needs to be a visionary leader of an effort that may well go against the grain of some parts of the existing culture of the company.
The risk officer most commonly reports to the Chief Financial Officer, but in some firms reports directly to the CEO or even to the board of directors.
Regardless of where they sit in the org chart, in the best cases the risk officer will be the personal deputy of the CEO in matters pertaining to risk. In smaller and medium-sized insurers, the risk officer is often a part-time position assigned to the CFO, Chief Actuary, Internal Auditor or Chief Counsel.
Independence of Risk
Effective risk organization also requires independence of risk: a clear distinction between the responsibility for managing risk and the responsibility for measuring risk and assessing losses. This is similar to what is done for profits.
The role of profit measurement has evolved into the financial reporting function which, in most firms, is largely independent of line management. No one would consider assigning profit management to the folks who measure profits.
As with profits, there is a need for an independent role of risk measurement. Usually that role is given responsibility for both the prospective measurement of risk exposures and the analysis of losses.
This function is most often assigned to the risk department. Some firms have a single centralized risk department; others have risk departments within each business unit that will have a dotted line reporting relationship to the Chief Risk Officer.
In many insurers, the internal auditing unit is also given a formal role in risk management that fits well with their role regarding other parts of the company. Their risk role is to assess and report on compliance with risk policies.
This role was originally assigned to the risk officer and risk department, but a structure known as the three lines of defense has since been found to be particularly effective in assuring that risk management is performed as needed to protect the firm. Those three lines are:
- The risk officer and risk department
- The risk owners
- The internal audit unit
Although common, the three lines of defense approach is only one of many ways to structure risk organization. Regulators and rating agencies usually won’t stipulate which path to take, but will expect companies to have in place an effective risk organization that is appropriate to their size and to the complexity of managing their key risk positions.
Risk organization provides the means for effective communication of risk throughout the business and promotes the use of ERM output in strategic decision making.