Regulators are developing Own Risk and Solvency Assessment (ORSA) regimes which will require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.
Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the emerging guidelines; one of these is the fundamental importance of risk identification.
ORSA Guidance Manual
This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.
That document provides a definition for risk identification and prioritization:
[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels
For the EU, the Solvency II ORSA is developing in a similar vein; EIOPA’s July 2012 draft guidelines require that solo undertakings provide:
[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.
In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.
Insurance Core Principles (ICP)
The risk identification process is, however, key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.
Perhaps the most attractive feature of the risk identification process is that it offers a low-cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.
It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.
The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well eventually be adopted in all countries.
Risk Identification Process Adding Value
Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.
This is an iterative process that refines management’s understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk.
For the risk identification process to be effective, it is essential that senior management is directly involved from the outset. Regulators may give less, or little, credibility to an ORSA report if this ownership of ERM isn’t in place.
A brainstorming session involving the leaders of all risk-taking functions across the business provides an effective starting point in compiling a list of significant risks.
This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.
By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.
The following sections outline these steps:
Step 1: Identify All Significant Risks
Risks must be identified in order to:
- Ensure that the full range of significant risks is encompassed within the risk management process
- Develop processes to measure exposure to those risks
- Begin to develop a common language for risk management within the company
Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:
- Relevance to the insurer’s activities
- Impact on the insurer’s financial condition
- Ability to manage separately from other risks
The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.
The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.
Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.
The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.
Step 2: Understand Each Risk Exposure
It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.
In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.
Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.
The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses, both in the wider world and inside the company. Such events should be studied so that lessons can be learned and shared.
Step 3: Evaluate
The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:
- Estimating the frequency of loss events, e.g., low, medium, and high
- Estimating potential severity of loss events, e.g., low, medium, and high
- Considering offsetting factors to limit frequency or severity of losses and understand potential control processes
Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation.
Step 4: Prioritize
The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.
The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.
From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 to 6 risks are chosen to feature with the board.
This need not be a complex or time-consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks.
The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.
This blog was authored with Stephen Mullan. It was originally published January 6, 2014.