The risk heat map is a popular enterprise risk management (ERM) tool that many insurers use to assess and compare their risks. The most common format is the frequency versus severity version. Insurers know that they should focus more attention on risks in the red boxes and less on risks in the green. The ratings for each are usually developed by a group of people with the experience to consider the whole risk taxonomy (financial, insurance, operational, strategic risks, etc.).
The final frequency and severity score for a particular risk may be determined by a vote or discussion that ends with a consensus or at least a plurality. In some situations, the scores may reflect the fears of the group, which can be unduly influenced by risks that are easier to imagine and/or that are currently topical. But what is needed to effectively guide organizations’ risk management activities is an assessment of underlying danger — rather than irrational fear.
We suggest two techniques:
1. Scenario analysis
Prior to the risk assessment meeting, a group can convene to develop detailed scenarios that illustrate what could happen in adverse circumstances for each of the key risks. Once the scenario has been defined in detail, then the impact on the company can be estimated, reflecting the mitigating actions that the company uses for each risk and the likelihood of the effectiveness of those actions in the scenario.
In evaluating each risk the group should consider the stress scenario that has been prepared and determine whether the scenario is appropriate or whether they think that modifications to the scenario, and/or to the assumed impact of the scenario, need to be made.
The use of a specific stress scenario as a starting point will help to steer the group toward the underlying dangers as it focuses minds on plausible outcomes and the particular events that would need to occur in order to generate those outcomes. This facilitates a sense check, as the more detailed the assumptions underlying the scenario, the more rational and analytical the discussion and evaluation of the risks becomes. However, scenario analysis alone does not provide any indication of the likelihood that each scenario might occur.
2. Historical analysis
We have said “likelihood” where you may have been expecting us to say “frequency”, as frequency refers to an analysis of how often something happens or has happened and is typically validated by historical analysis. And that is one of two questions that we will want to answer as part of the risk assessment:
- How often have we experienced a loss of that size in the past? (Or how often has any other insurer experienced a loss that large relative to its size?)
The second question is a gut check on the severity assessment, assisted by the scenario analysis:
- Have we ever experienced a loss of that size? (Or has any other insurer ever experienced a loss that large relative to its size?)
We do not suggest that future losses will be limited to those implied by historical frequencies and loss amounts, but the historical analysis does at least provide a base to work from in evaluating potential future losses and in defining plausible scenarios.
This approach only works for risks that have existed over a longer period. More recently developed and emerging risks might still be subject to irrational fear. A sense check for new and emerging risks is to compare each with a more established risk that has been assessed to have similar frequency and severity scores. Can the group say that they believe that the two different risks are expected to have similar frequency and severity?
Once the risk assessment process has been made more reliable, the strategic CRO can consider using the heat map technique to inform strategy discussions. This can be done using the same process, but focused on the potential impact of key risks on each of the major and proposed strategies.
The above heat map presents the potential for each of the key risks to have an adverse impact on each strategy. These heat maps might be summarized in a table that shows the red and amber risks for each strategy. If certain risks appear in the red for many of the company’s strategies, then they should be given a high profile as key risks to the strategic success of the insurer, for which effective risk management will be required.
Any new strategies that are materially impacted by key risks identified as applicable to one or more current strategies should be challenged as potentially concentrating the insurer’s risk exposure. This process could even be used to facilitate strategic diversification by identifying which strategies could potentially reduce net risk exposures if upside risks (gains) are considered in addition to downside risks (losses).
In summary, the strategic CRO can help to move the narrative from fear to danger to strategy by incorporating the following into the risk assessment and heat map process:
- Rigorous scenario analysis with challenge on underlying assumptions
- Historical validation on plausibility of scenarios: frequency and severity
- Pragmatic approach to more recent and emerging risks: include but sense check
- Explicit linkage of key risks to corporate strategies to identify concentrations of strategic risk
- Inclusion of upside and downside risk analysis to facilitate strategic diversification
Previous in series: How risk managers can make everyday tasks strategic
Next in series: Changing the face of the risk function
Dave Ingram is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers.
Paul Headey is Willis Towers Watson’s Asia Pacific Life practice leader, Insurance Consulting and Technology.