Start with these 3 functions when thinking about enterprise risk management

This post is part of our “A Year in the Life of the Strategic CRO” series and is the first of three posts that will focus on the foundational elements of strategic enterprise risk management.

Which aspects of enterprise risk management (ERM) can link to strategy, and how, depends on how the insurer practices ERM. We suggest thinking of three sets of risk management functions. Any insurer ERM program might include one, two or three of these.

1. Individual risk management

Insurers practice risk management long before they adopt enterprise risk management. With individual risk management (IRM), the insurer raises its risk management activities for each of its key risks to a high and effective level of practice.

IRM includes the identification, assessment and prioritization of key risks followed by the addition of more formal control processes, including decisions to mitigate, transfer, accept, limit or exploit each of the key risks. It also includes periodic reporting on those processes.

The result of an IRM function will be a transparent and disciplined approach to all of an organization’s key risks. This is also often called a bottom-up risk management process. ERM standards such as COSO and ISO 31000 promote an individual enterprise risk management process.

2. Aggregate risk management

Insurers generally know how their capital compares to regulators’ minimum requirements and/or the level of capital rating agencies require for their preferred rating. With aggregate risk management (ARM), these standards are recognized as outsiders’ views of the insurer’s aggregate risk.

ARM functions treat the combined total of all of the key risks of the firm as another candidate for a transparent and disciplined control process. An insurer will use one or more risk models to evaluate the aggregate capital needed to provide security against its risk exposure, together with an aggregate risk appetite and tolerance that articulate the company’s expectations for capital levels in its aggregate control processes.

Regulatory and rating agency requirements often focus primarily on this ERM function. The result of the ARM function is a deliberate process for managing the relationship between the risks the insurer retains and the capital it holds.

3. Risk reward management

One of the primary requirements of the model(s) used to evaluate aggregate risk is that their assessments be as consistent as possible. Only consistent values can be combined to determine an actionable total risk amount. Once the insurer achieves these consistent risk assessments, it can compare different business activities: first, to see which are responsible for the largest parts of its risk profile and, second, to look at the differences in reward for the risk taken.

With information about risk and reward, this ERM function will inform the capital budgeting process as well as enhance consistency (or at least reduce conscious inconsistencies) in insurance product pricing. It will also help the insurer in considering the tradeoffs among different strategic choices on a risk-adjusted basis. This ERM function provides the upside benefit from ERM to the insurer, helping to enhance the long-term value of the organization.

Insurers may choose to implement one, two or three of these ERM functions in their enterprise risk management programs. One important consideration for insurers is that financial services firms (primarily banks and insurers) tend to have risk profiles in which the majority of their risks, such as insurance, market and credit risks, have been tracked on a highly granular basis for many years and therefore lend themselves to statistical methods. Those risks frequently make up 75% or more of an insurer’s risk profile.

Insurers are, of course, also exposed to operational and strategic risks that are harder to quantify. Non-financial firms’ risk profiles are more often weighted toward operational and strategic risks. This difference is one of the main reasons some ERM literature has a limited focus and often does not even mention aggregate risk management or risk reward management.

Regulatory requirements for insurer ERM usually include aggregate risk management, and some rating agencies (Standard & Poor’s, but not A.M. Best) expect insurers to have risk reward management as well. We have also noted that some regulators (e.g. in the UK) are focusing increasingly on the sustainability of insurers’ business models, which can be shown via risk reward management.

Next in the series: We’ll look at various aspects of ERM strategy.

