ERM in Practice: Risk Policies and Standards


The foundations of a solid ERM program rest on five key practices:

  1. Identification of risks
  2. Incorporating risk management into the organizational structure
  3. Measurement of risks
  4. Risk limits and controls
  5. ERM policies and standards

Every ERM program should start with these five practices as stepping stones before it can progress to more advanced ERM practices.

Effectively, the development of a concrete ERM policy and framework is the fifth and final basic step in an ERM process. This fifth installment of ERM in Practice looks at a dozen global insurance and reinsurance groups and extracts several concrete examples from their ERM policies and frameworks.


A comprehensive ERM policy statement provides a high-level overview of an organization’s ERM program and guides its members toward effective risk management. It is usually approved by the board of directors and contains the chief tenets of the organization’s ERM program.

Frameworks vs. Policies

An ERM framework complements this policy statement by addressing the specific practices and processes that form part of the ERM program. Whereas a policy statement sets goals and targets, an ERM framework is meant to be detailed. The board of directors receives copies of the framework, but is less involved with it than with setting the ERM policy.

A further analogy illustrates the interaction between ERM policies and frameworks: an ERM policy statement is similar to a constitution in that it is broad in scope and not easily modified. Conversely, an ERM framework is similar to a law or statute, as it addresses and often prescribes the specific practices that give form to the ERM program. In addition, an ERM framework must be consistent with the policy statement in the same way that legislation must adhere to the constitution in order to be valid.

In the previous installments of the ERM in Practice series, we selected examples from various global insurers and reinsurers in order to identify common practices related to the first four basic ERM practices. The fifth step, ERM policies and standards, forces a company to put in writing the elements that form its ERM program. Essentially, the ERM policy and framework statements describe, in varying degrees of detail, the basic ERM practices as well as any advanced ERM practice in place.

Objectives and Standards

A fundamental component of this fifth step is the expression of objectives and standards that will steer a group’s ERM program. Although there are various prevalent methods, each organization tailors its ERM program to adequately respond to its corporate principles, goals and risk profile.


One primary insurer makes explicit mention of capital adequacy as the principal objective of its ERM program. Its policy statement focuses on this target, stating that the organization aims to maintain capital levels that are significantly superior to minimum capital requirements.

In a different case, a reinsurer has developed a framework that starts from a capital-based risk appetite and then seeks out risks that fit those targets. The group stresses the value of this approach in that its risk profile derives directly from its risk appetite, rather than the other way around.

Another primary insurer outlines the circular nature of its ERM policy. After approval by the group board of directors, the group policy statement is sent to the individual business units. The operating entities then make additions to the policy and create operational frameworks in order to address local regulations and idiosyncrasies. Both documents are approved by the business unit boards of directors and then return to group senior management for approval.

As part of the continuous validation of its ERM program, one insurer requires its business unit CEOs and CROs to attest to compliance with group policies and standards on a semi-annual basis. In its policy statement, another group avows its commitment to obtaining prior regulatory approval of its internal risk calculations so that it can better comply with recently implemented solvency requirements.

Of the 12 annual reports studied, 10 acknowledge having a risk management policy and all 12 mention a risk management framework as part of their ERM program. Although the frameworks vary in their depth, common provisions include:

  • risk positions
  • limits and thresholds for identified risks
  • risk appetite statements
  • risk governance

Developing coherent policies and frameworks allows for a more effective implementation of an ERM program. A comprehensive policy and framework anchors an organization’s ERM program, allowing it to move on to the more advanced ERM practices that will be discussed in future installments of the ERM in Practice series.


This post was written with Roberto Fortuño, Treaty Analyst with Willis Re, based in New York. Roberto joined Willis in May 2014. He received a J.D. from the University of Puerto Rico and a B.S. from Georgetown University’s School of Foreign Service.

About Dave Ingram

Dave is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers. Based in…
Categories: Reinsurance
