ERM in Practice: Risk Limits and Controls


One of the core elements of a thorough ERM strategy involves setting risk limits and controls. This practice forms an essential link in every organization’s risk management cycle, which includes identifying, assessing, taking, mitigating, monitoring, and responding to risk.

Without doubt, risk-taking is an intrinsic component of an insurer’s profitability. In order to mitigate risk and enact policies that conform to risk appetite and tolerance levels, an insurer may develop a risk limits and controls system with well-established and consistently enforced risk limits. The purpose of this set of practices is to ensure that individual risk-takers operate under company-wide parameters that are directly linked to company plans.

As the fourth installment of the ERM in Practice series, this article will look at the annual reports of various insurance and reinsurance groups in order to gain some insight into the ways these large organizations approach risk limits and controls.

One primary insurer sheds light on the reasoning behind its risk control policies: the main goal of an insurer, it says, is to increase profitability from the risks that it assumes. Only by taking risks that fall within defined levels can groups optimize the resources available for risk-taking.

Local Limits

Over 50% of groups foster risk management at the local level. Although the degree of decentralization varies from group to group, the fundamental idea that responsibility for controlling risk should be shared at the business unit level is pervasive among them. In the most decentralized organizations, risk-taking guidelines and controls emerge at the group level. Operating entities not only abide by these limits but develop local controls that best serve their ERM strategy.

One insurance group explicitly entrusts its business units with management of all risks, provided that they also abide by group standards and local laws and regulations. For this group, local risk owners are in a better position to monitor risks at that level. Central management develops risk appetite and tolerance guidelines, but individual business units are ultimately responsible for maintaining adequate risk controls and for ensuring their profitability.

In another example that relates to liquidity risk, 60% of European insurers emphasize the importance of local operating entities’ role in monitoring and controlling cash flows. Group management develops thresholds that direct local units to acceptable cash levels and monitors their compliance. Nevertheless, the insurers allow local entities to set liquidity limits that reflect their idiosyncrasies. Other insurers allow for a similar interaction between the group and local business units when addressing market risks and credit risks.

Group Limits

All of the groups have developed centrally defined risk limit policies that apply to the organization as a whole. Central management plays a vital role in this process as it provides direction to subsidiaries and sets limits in accordance with group risk appetite.

Groups implement strong internal limit frameworks, setting strict limits and benchmarks that take into account group risk appetite and external requirements of regulators and credit agencies.

For instance, around half of the groups limit reinsurance credit risk by monitoring the financial condition and credit ratings of reinsurers and by applying maximum limits for reinsurance recoverable exposure.

Furthermore, one-third of insurers promulgate detailed underwriting limits and product design guidelines, with special attention accorded to emerging risks.

Some of the larger groups have developed very detailed risk limit frameworks that compare their target limit thresholds with actual limit utilization. For instance, one reinsurer actually discloses the dollar amount limit approved for 11 material risks and then includes actual utilization rates for the previous two years. This degree of disclosure can be useful for investors who want to assess the effectiveness of the risk control strategies.

An insurer approaches market risk with a three-tiered framework.

  1. First, the group defines aggregate tolerance for the risks to which it is exposed.
  2. At the second level, the group develops risk controls that apply to individual business units.
  3. Finally, it sets additional limits that apply to specific geographic locations and lines of business that fall outside the first and second-level limits.

In 40% of European insurers, the Chief Executive Officer is accorded direct supervisory functions regarding the group’s risk control system. Moreover, they have the responsibility to identify main risks, set financial limits, and report to the board of directors.

In addition, a non-European group approaches the subject with a highly organized system where ERM teams and CROs at local operating entities ensure compliance with risk limits, reporting directly to the group CRO.

Monitoring and Diversification

An integral part of setting limits at group level is monitoring and enforcing. Groups assess the various risks in slightly different manners. For example, a primary insurer monitors strategic risk through detailed three-year plans that are subject to annual reviews. Another group oversees liquidity risks on a daily basis, with strategic planning over time horizons of one and three years.

Around 40% of groups address breaches of group limits: business units are required to address these breaches in a timely manner, allowing for the implementation of adequate remedial measures. One insurer monitors risk by compelling local operating entities to take part in self-assessments, which are then collected in a central database. The purpose of this system is to allow central management to have a greater understanding of its risks and to share knowledge among its business units.

Key Risk Indicators

A common way of monitoring risks is with the use of key risk indicators (KRIs). These metrics allow companies to track risks indirectly because KRIs provide early notice of increasing risk exposures.

Risk owners monitor these KRIs frequently—senior management and the board of directors only receive periodic status reports and aggregate data. Groups often use these metrics as part of a traffic light system that monitors adherence to set limits in a visually straightforward manner.

Risk Concentration and Accumulation

Finally, all of the groups incorporate an analysis of risk concentration and accumulation into their limits and controls structure. As most of these groups have global operations engaging in wide-ranging economic activities, they must avoid excessive concentration that could endanger their financial stability.

A diversified risk profile reduces dependence upon single risks and provides long-term stability to insurers. An insurance group, for instance, ensures diversification by establishing limits for asset classes, issuers, industries, sectors, and geographic regions. The insurer then monitors compliance with these limits every day, month or quarter, depending on the exposure.

Risk limits and controls are an essential component of every company’s ERM strategy; they allow insurers and reinsurers to better manage their material risks. This ERM practice paves the way for timely inspection of limit breaches so that an organization can determine suitable alternate courses of action.


This post was written with Roberto Fortuño, Treaty Analyst with Willis Re, based in New York. Roberto joined Willis in May 2014. He received a J.D. from the University of Puerto Rico and a B.S. from Georgetown University’s School of Foreign Service.

About Dave Ingram

Dave is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers. Based in…