Guide to ERM: Risk Governance


What should a board expect from management regarding risk and resiliency? As part of a strong enterprise risk management practice, the board of directors should consider the following:

Establish an Advance Agreement

Establish an advance agreement with management regarding the quantity and quality of risks that the firm is expected to take in the coming year, which should be consistent with the board-accepted risk appetite. The board and management should have a clear agreement regarding how much variability of actual financial results is to be expected. This agreement should include parameters for how far things can drift from the original plan before management is expected both to do something different and to raise and discuss that with the board. For example, the ERM policy may allow senior management to change certain soft limits, up to a defined maximum in either direction, without requiring board approval. There are also likely to be hard limits in place for certain risks which, if exceeded, should immediately trigger the breach process.

Regular Updates

Require regular updates as to the quantity and quality of risks that are actually being taken by the firm, as well as the quantity and quality of risks retained. Risk management systems should comprise the strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks to which the undertaking is or could be exposed, at an individual and at an aggregated level, together with their interdependencies, according to the Solvency II transitional arrangements' System of Governance (SoG).

One of the major issues that banks faced in the financial crisis was that some of their risk offset programs were not as effective as management had expected, so very large gross risk positions that were thought to have been transferred or offset became the responsibility of the bank. Board reporting had focused only on net retained risks, which meant the board had limited input into how much gross risk was acceptable.

Periodic Reports

Receive periodic reports on trends in key risk indicators, that is, changes in the environment that might indicate that certain risks are increasing.

Ask Management About Changes

Ask management about changes to business plans in response to the continuously changing risk environment. Management may appropriately change course but defer mentioning that to the board. Even worse, a lack of adequate reporting flow can leave the board unaware when appropriate changes have not been made. Regulators may well see it as a clear sign of potential trouble ahead if ongoing dialogue and reporting between management and the board are not in place.

Advance Discussion

Hold an advance discussion of losses and planned response strategies. The word "risk" is short for "risk of loss," but unfortunately many firms fail to discuss loss thresholds and responses ahead of time. So when a loss occurs, there is often a period of uncertainty during which no one knows whether this loss exceeds the board's tolerance or how the board might react. While it is impossible to compile an all-encompassing list of contingencies, there is potentially much to be gained by having this type of discussion before a real loss occurs.

Personal Responsibility

For each of the major risks and risk management practices of the firm, assign personal responsibility to individual members of top management, just as Sarbanes-Oxley has assigned personal responsibility to the CEO for the preparation of the financial statements. Company leaders who have been given these responsibilities should regularly confirm to the board that they have sufficient resources, both in quantity and quality, to achieve the objectives for loss limitation; they should also report on the status of work to improve capabilities.

Periodic Discussions

Hold a periodic discussion of unusual and adverse events that might unpredictably affect the firm, and of the ways in which management is preparing for such events. An important strand of this is conducting stress tests and reacting appropriately to their results. The Solvency II SoG guidelines require both the definition of 'regular' stress tests and the frequency with which they should be carried out. Additionally, consider having a policy in place that describes the situations which should prompt ad-hoc tests.

Major Corporate Strategic Initiatives

When a major corporate strategic initiative comes to the board for notice or approval, discuss the ways in which this initiative changes the risk of the firm. The board should know whether a "headline" action further concentrates risks or instead broadens the risk exposures. If it increases risk concentration, the board might request that management explain what level of additional diligence will be applied to existing loss management actions. If the initiative is potentially diversifying, then management should explain what new risk management actions are contemplated. Management may take on a new type of risk and think that additional loss control is unnecessary because of diversification. That type of risk management decision leads to "de-WORSE-ification." For new risks, additional mitigation plans are particularly needed given management's inexperience with the new risk. Regulators and rating agencies will probably be wary of a culture in which the development of such mitigation plans appears to lag behind the acceptance of new risk.

Implications of the Strategic Plans

Similarly, when management discusses the major strategies of the firm with the board, those discussions should include the implications of the strategic plans for the firm's risks and for the risk/loss mitigation plans. The board should be sure that the firm's plans aim for faster growth in expected profits than in risks.

How to Organize the Board

To fully engage with management on these issues, the board will need to decide how to organize itself to receive and react to this information. Generally, there are four main ways that boards do this:

  1. Assign the responsibility for interacting with the company ERM program to the Audit Committee
  2. Create a new Risk Committee that is directly responsible for all of the above interactions with the company ERM process
  3. Distribute the risk responsibilities among existing board committees; usually that means the Investment, Insurance, Audit and Executive Committees are all given responsibility for a part of the discussions about risk
  4. Conduct risk discussions with the entire board

There are pluses and minuses to each of these approaches, and naturally none of them is foolproof. Which is best for your board depends on many factors, especially the current workload and effectiveness of the existing board committees. Under Solvency II, the responsibility for coordinating this process lies with the administrative, management or supervisory body (AMSB). The AMSB usually seeks appropriate interaction with any committee it establishes, as well as with senior management and with other key functions in the undertaking, proactively requesting information from them and challenging that information when necessary.

Article authored with Stephen Mullan.

About Dave Ingram

Dave is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers. Based in…
