Integrating Risk and Strategy Using Two Sides of the Same Coin

Insurance Compliance Thought Leadership

By Denise Tessier, Senior Consultant, Wolters Kluwer Financial Services
How can companies better integrate their risk management programs with their business plan goals and strategies? This question is hotter than ever in the financial services industry. Insurers are implementing or improving enterprise governance, risk and control (“eGRC”) programs to meet the increasing expectations of rating agencies, regulators and shareholders. Many are also preparing to meet new reporting obligations under the NAIC’s Risk Management and Own Risk and Solvency Model Act, or “RMORSA.”

Managing strategic risk, and using eGRC processes to achieve business goals, is a key prerequisite to effective capital and solvency management.

However, aligning risk and rewards is a tough task. Achieving corporate goals - such as profitability, growth, diversification or stability - while dealing with the day-to-day challenges of running a multifaceted organization, demands strong action and leadership. Companies today thus need heavy-duty tools to break down problems involving risk and uncertainty, and to build the individual, elemental decisions back into a firm foundation supporting the business direction.

There are many methods and tools to improve corporate decision-making processes and tackle threats, in order to better manage risk strategically. This whitepaper examines two prerequisite concepts and four key actions that leading companies take to face these challenges head-on.
Defining “Strategic Risks” vs. “Strategic Risk Management”

The first step towards aligning risk and strategy is to appreciate the difference between “managing strategic risks” and “managing risk strategically.” Both concepts are critical to integrating risk and strategy, and are often considered “two sides of the same coin.” But eGRC program development efforts must be targeted separately to each concept, and tailored to the unique features and benefits of the differing perspectives.

Strategic Risks

Strategic risks are the highest subset of events or occurrences which could cause loss, or create opportunities, of a magnitude or frequency that could impact business plans more than other risks in the company. In financial terms, strategic risk can also be identified as the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.

Companies are willing to assume a certain amount of risk that a business will fail to meet its financial and strategic business goals, provided they can get a higher rate of return on their investment for taking the risk than they could with other investments. The higher the level of risk assumed, the higher the reward or return payments expected.

Managing “strategic risks” involves:

■ Identifying risks which could be classified as “strategic;”
■ Looking at those risks separately from other risks in the eGRC program, with heightened scrutiny – generally through a dedicated team of advisors such as an Audit or Strategy Committee of the Board, or other grouping of managers and risk experts;
■ Identifying related controls and allocating resources towards mitigating such risks. Ideally, more money, time, and effort should be expended to minimize the impact of risks deemed “strategic” than to other risks; and
■ Continuously evaluating strategic risks as both business goals and the company’s operating environment change. Do last year’s strategic risks have the same significance, or have they gotten measurably better or worse? What risks are imminent threats to the company in the short term, or emerging in the industry on a longer scale?
Strategic Risk Management

In contrast, “managing risk strategically” refers to the decision-making process itself that is used to align risks with business plans. Future uncertainty and the sheer number of variables that can impact an insurer’s business make planning choices difficult, particularly those involving new product offerings or geographical expansion efforts.

What exactly are the company’s most pressing or severe strategic risks? What risks most impact, or are impacted by, multiple areas or departments of the company? How can the most dangerous strategic risks be best mitigated? More than ever, these questions need to be raised against all functional areas of the company, quantified as much as possible, and prioritized. Further, appropriate controls or mitigating actions must have follow-through, and the entire process needs to be well documented so that interested parties (shareholders, rating analysts and regulators) have visibility into the process.

“Strategic management” of risk involves:

■ Adopting a more formal or systematic framework and process for appraising complex issues;
■ Breaking down “big picture” options into more manageable segments, where smaller, individual decisions and alternatives can be weighed, measured, prioritized and pushed forward more clearly; and
■ Gathering and considering all available information, and presenting key data in a way that will have the most impact on different categories and levels of decision-making participants.
Wolters Kluwer Financial Services
Now let’s look at four key ways to polish both sides of the strategic risk coin...
ACTION 1: Develop... and Continue to Improve... a Comprehensive Risk Management Framework

The RMORSA Model Act, currently being implemented into law state by state, obliges insurers above certain thresholds to create an enterprise risk management or eGRC framework by January 2015. Many insurers subject to RMORSA have already built initial frameworks, or are in the process of strengthening and improving their platforms. However, all companies, regardless of size, can benefit from creating a formal structure for evaluating risk and controls, and ensuring that the most significant risks are identified, measured, prioritized, and well mitigated – within the context of business plans and goals.

Building a risk framework requires concentrated efforts to:

■ Catalog and categorize risks throughout the company;
■ Prioritize them using a consistent and repeatable scoring methodology;
■ Apply effective and efficient controls to mitigate each risk;
■ Develop monitoring and reporting processes; and
■ Model the impact of risk against the company’s capital and surplus, using scenarios and assumptions simulating the insurer’s current and potential future operating environment.

There are several ways to develop a framework for eGRC to best meet corporate objectives. Trade organizations can be a good place to start. Many companies base their eGRC principles on recommendations from COSO, the Committee of Sponsoring Organizations of the Treadway Commission, an association dedicated to providing thought leadership on critical aspects of risk and governance. ISO, the International Organization for Standardization, has also promulgated standard 31000:2009, setting out principles and framework processes for managing risk.

Hybrid approaches are also common, as companies which best align risk and strategy focus their framework activities on business objectives. They also use their framework to evaluate and seize profit-making opportunities, not just to meet legal obligations or avoid losses.

How this Action helps companies manage strategic risks:

■ Creating a common library and taxonomy framework for documenting risks is the first step necessary in order to score, measure and prioritize hundreds or thousands of risks, and distill which risks are “the big ones.”
■ Centralizing risks and controls company-wide makes it easier for an organization to create, coordinate and execute distinct treatment plans for high level strategic risks, with participation by all parties potentially affected by the risks;
■ Bringing all functions under one umbrella eGRC program assists in the prompt identification of trends, imminent threats and emerging risks, as a “hot spot” strategic risk in one area of the business will be immediately visible and can be acted upon by other departments or lines.

How this Action helps companies manage risk strategically:

■ Building a formal eGRC program often involves obtaining new, or centralizing current, knowledge resources and analytical tools. These new or shared tools typically catapult management decision-making processes to a new level of sophistication.
■ Risk should be a core consideration when setting strategy, formulating business plans and managing performance. Having a common framework for risk and control review ensures that as many variables and options as possible are identified and considered.
■ Creating a framework which dedicates management focus on high priority risks encourages more reasoned and thorough decisions on the allocation of resources, and helps companies get the “largest bang for their buck” on control-related expenditures.
■ Establishing a “common language” for risk concepts within a formal framework helps embed risk culture into decisions made through all layers of the organization.
ACTION 2: Establish Risk Appetites and Risk Tolerances, and Track Key Risk Indicators

Risk tolerance is the maximum amount of risk or uncertainty that a company is comfortable taking. In contrast, risk appetite is about the pursuit of risk. How much risk is a company willing to take to get a particular return on investment? Risk appetite may be greater than, less than or equal to risk tolerance, depending on the circumstances. Both risk appetite and tolerance are unique to each insurer’s internal management culture, size, capitalization, lines of business (short or long-tail focused), income and financial goals.

Most companies start their communication plan by crafting a broad, formal risk-appetite statement for each major category of risk, then honing it down to meet the needs of specific business areas or functional departments. First-time risk-appetite statements are frequently set in a scale or range of broad narrative, such as “high, medium, low” or “averse/avoid, cautious, moderately open, encouraging or actively pursuing.” Risk tolerance can also be established, often with a specifically stated percentage or dollar amount. For example, “On this line of business, our net unreinsured loss should not exceed $1 million.” As companies become more sophisticated and grow in their eGRC practices, risk-appetite or tolerance statements generally become more explicit and measurable, more focused, and may be better targeted to specific business practices or financial goals.

How are appetite and tolerance statements used to further business goals, once established? Through the use of Key Risk Indicators, known as KRIs. Key risk indicators (“KRIs”) are metrics or pieces of data serving as “early warning signs” of areas of increasing risk. In contrast to key performance indicators (“KPIs”), which are statistics or data points showing what has happened in the past or current time, KRIs portend future trends, losses and opportunities. When designed carefully and organized well, KRIs can be used by risk managers to proactively monitor operational processes, and identify serious business, legal, financial or other environmental risks that may affect the company, long before they can occur.

KRIs are generally monitored or tracked against risk tolerance or threshold levels, and risks which “breach” or exceed levels deemed tolerable or acceptable to the company merit additional management review and focus. In this way, KRIs help identify key areas where additional controls or mitigation might be needed, assisting managers with the day-to-day operations, in line with business plans.

For example, a common high-priority risk of “financial loss due to breach of underwriting authorities” may be partially predicted by a KRI of “number of policies written above $X million,” or “number of times in a month a scheduled peer review was not conducted,” or “failure to seek management approval to underwrite a class of business outside of an assigned underwriting authority.” These types of violations may call for renewed focus on the peer review process, and shoring up of management review protocols – all of which helps manage an insurer’s business goal of keeping its book of business and policies issued within a certain underwriting limit.

Since there is no way a company can eliminate all risks of doing business, clarifying the amount and type of risk that an organization is both able and willing to pursue or maintain, by line of business or functional area, helps a company evaluate where its resources should best be allocated to minimize its most significant risks.

KRIs support decision making and strategic business development on a larger scale as well. Insurers may track KRIs such as “Win/Loss ratios” over time for the acquisition of new business, or the company’s policy renewal rate and trends through specific time periods, for particular product lines. Under a more developed eGRC program, KRIs can also be mapped and compared against a company’s agreed or established risk tolerances, to give managers a sense of when the risk associated with a new strategy, plan or action is “too much” for the company to accept as a reasonable business activity.

How this Action helps companies manage strategic risks:

■ The process of setting formal tolerance or appetite statements ensures that strategic risks are well documented and monitored, and often results in more resources being allocated to the mitigation or control of such risks.
■ Tracking KRIs can serve as an “early warning system” to flag risks that are trending poorly, or which may have the most significant impact on the company in the future.
■ When a KRI for a strategic risk is regularly monitored and compared against the company’s appetite or tolerance for the risk, any breaches can be promptly addressed. Mitigation steps can be put into place quickly to help prevent any potential loss from spiraling out of control.

How this Action helps companies manage risk strategically:

■ Both risk appetite and risk tolerance are intricately linked to company performance over time. Insurers may set risk appetite or tolerance levels for such diverse areas as capital or liquidity levels, earnings volatility, reputational rankings or operational targets – core risks most affecting corporate strategy.
■ The process of establishing formal risk appetite and tolerance statements for strategic risks engages senior management in focused discussion about the company’s risk profile in a dedicated forum where detailed information sharing, brainstorming, debate, and group decision-making can take place at a high level.
■ Communication of formal appetite and tolerance statements can help embed risk concepts throughout the organization, and help get all staff thinking of risk as bounded within parameters tailored to the company’s goals.
ACTION 3: Foster a Strategic Risk Culture through a Strategy Committee

Establishing an organizational culture which focuses heavily on risk and control management is not easy, even when those risks are the most significant risks affecting the business. While individual functional units such as claims, underwriting or compliance are used to managing losses or risks within their own departments, an eGRC program has a much broader scope - the “whole world” of risk throughout a company when executing on its business plans. eGRC may require from employees a new perspective, attitude, or way of thinking.

As a foundational pillar in the eGRC framework, create a “Strategy Committee” of the Board of Directors or senior management team, who will be primarily responsible for identifying, measuring and monitoring strategic risks. This group needs specially allocated time to discuss eGRC as it impacts financial results, as corporate Board meetings may be too focused on other Board legal and financial obligations to really dig into evaluation of the business plan in the context of the risk program.

This Strategy Committee may undertake a number of tasks that would be more difficult to accomplish without a dedicated group of individuals who can focus a pre-set, significant amount of time and resources on such activities. Some of the steps a Strategy Committee can effectively take to kick-start risk/strategy alignment include:

■ Assuming ultimate ownership for maintaining a separate library or register of high level strategic risks and related controls, and assessing such risks or controls on behalf of the whole company;
■ Reviewing company-wide Business Plans regularly, and making sure that the risk profile of the company is updated at a high level with any changes in the Plan. The Strategy Committee should be collecting all input into the new risks and opportunities and serving as a back-stop or second pair of eyes on the Plan, from a risk management perspective;
■ Developing discussions, communications and/or training plans for the organization specifically around the company’s strategic risks;
■ Creating a standard decision-making or review/approval process for anomalies in the risk and control assessment framework that might require a senior management team pass. For example, who will review, and what will be done to review:
  • Material control deficiencies or poor audit findings?
  • Threats to the organization’s reputation, such as illegal activity by a Board member?
  • Imminent threats to the Business Plan by a new competitor or rapidly-developing technology?
  • Major breaches of risk appetite and tolerances?

For membership, a Strategy Committee should ideally recruit participants with a wide range of skill sets, not just all board members or finance people or risk people. They should be “forward thinkers” – not tied emotionally or intellectually to past performance of the company, the industry or the environment.

Having a Strategy Committee can speed the spread of risk culture. Using their position of authority, and being so intimately involved in Business Plan review, the Committee members can help to sell the results and benefits of eGRC to other managers and Board members. The Committee may even have, as its core mission, to “Set a Tone from the Top” on the importance of risks. They can also actively encourage and engage employees at all levels of the company to participate in specific decisions, with a calculated tactic to obtain “buy-in” from individuals or departments that have been reticent or slow to adopt policy or process changes during the move to eGRC.

Companies adopting an eGRC program must therefore consider, as a specific element, goal or task for their program, how to embed “risk awareness” and analysis practices into all layers of the organization. One of the best ways to align eGRC efforts with business goals is to vest ultimate authority and responsibility for identifying, measuring and monitoring strategic risks within a distinct “Strategy Committee” of the Board of Directors or senior management team.

How this Action helps manage strategic risks:

■ A dedicated Strategy Committee shepherds the company’s most significant risks with a unique perspective, and can spend more time and attention than individual business areas might give to the same risks;
■ Strategy Committees are likely to handle serious issues, questions or events potentially impacting the Business Plan that don’t have another “home,” or “owner,” like a reputational, marketing or competitive crisis impacting multiple business areas.
■ Strategy Committees often spend significant time reviewing and tracking emerging and imminent risks. They are a natural forum to review emerging risks on a “first pass” basis, and to coordinate information to, or feedback from, individual business areas.

How this Action helps manage risk strategically:

■ More brainstorming, discussion and debate around an issue, problem or opportunity can be encouraged with a Strategy Committee than would happen in another forum. A Strategy Committee may be freer from the procedural and agenda formalities of a Board Meeting or legally-required Audit Committee.
■ Strategy Committees are typically very visible, involved in both risk and financial planning, and can serve as the coordinator or liaison to ensure that the right people and sufficient resources are brought to resolve complex business issues, and meet corporate goals.
■ The structure and makeup of a Strategy Committee brings the organization’s best talent together to tackle significant decisions – they are the “MVPs” of risk and strategy alignment.
ACTION 4: Continuously Improve Quality and Quantity of Information & Reporting

Improving the quality and quantity of risk and control information, and using that information in meaningful reports, is an ongoing challenge for most eGRC project teams. While companies generally start by centralizing and building risk and control libraries and registers, and conducting risk and control assessments on spreadsheets and tables, as their information store increases, or they start developing more sophisticated analysis techniques, companies soon recognize the need for a comprehensive eGRC system platform that will:

■ Accommodate large volumes of risk and control related data;
■ Aggregate risks and controls on multiple levels, showing the impact of risks and controls on the company as a whole, or on an individual functional, departmental, or legal entity basis;
■ Minimize the potential for inaccuracies and analysis bias by having objective, rather than subjective, input by users as much as possible;
■ Show the multi-faceted relationships between risks, controls, policies and procedures, and related audits of any of these areas;
■ Track key risk indicators, and immediately flag breaches of related tolerance and appetite limits; and
■ Facilitate sharing of information with others, and help explain the basis for strategic decisions made based on specific assessments of risks and controls.

Companies are also driven towards better eGRC technology for robust reporting features. Since risk is an abstract concept, one of the biggest challenges in eGRC implementation is communicating effectively to staff at all levels of an organization so they can understand (a) what exactly risk is; (b) the range of dangers and opportunities presented to the company by certain events and activities; and (c) how controls can help manage those risks.

More than ever, companies aligning risk and strategy need well organized information, and reports that can be shared through multiple levels of the company. In order to achieve business goals, managers need centralized information on all key risks affecting all departments, in order to compare and prioritize relative risks. They also need to be able to rely on assertions and/or ensure that controls are efficient, effective, and are operating as intended. Decisions made on assumptions that turn out not to be true can be disastrous, particularly when those decisions are strategic ones.

Some risks are relatively simple to understand, such as physical risk of loss from fire, flood, or collision. Other risks, such as those dealing with financial matters, specific businesses, or market risks – more significant risks tied to business planning – may require more explanation and illustration. Further, it can be tricky to describe a company’s risk appetite – risks it will and will not take – to highlight high-priority or more urgent risks, illustrate trends over time, and show future projections.

However, data visual aids, such as charts, graphs and dashboards, facilitate eGRC program learning and buy-in. Companies need databases with the ability to export many fields of data into meaningful summaries. Further, graphics such as heat maps, trend reports, timelines, and KRI indicators give increased depth and meaning to data reports, and can be used for clearly showing relationships, process or business cycles, and hierarchy structures. Sophisticated eGRC software, with the capability of producing interesting, complex graphics, is thus in high demand.

All of the insurer’s eGRC information must also be as accurate and complete as possible, from the “ground up,” for all departments or functions of the company. Otherwise, the insurer will not be able to ultimately its risk-based capital and solvency position. Automating as much of the eGRC process as possible also helps ensure that key historical and financial data is secure and reliable, and that formulas used for trending and analysis are consistent and accurate – particularly important because one small error in a spreadsheet calculation can magnify and throw off trends in metrics, leading to wrong conclusions or poor decisions. Beware - “garbage” inputs mean “garbage” outputs, when running capital risk models and building stress tests and scenarios.

How this Action helps manage strategic risks:

■ Commitment to capturing quality and uniform data elevates the reliability of risk and control assessments, so the ultimate identification of the insurer’s “biggest risks” is more reliable;
■ When strategic risks can be linked automatically and visually to their associated controls, any control deficiencies or gaps can be addressed more quickly, reducing potential loss;
■ Strategic risks for one department, function or division might be different from another area’s biggest concern. Implementing an eGRC program allows the information from all areas to be compared against each other, prioritized under common standards, or rolled up into a company-wide view in ways that spreadsheets alone can’t calculate or depict.

How this Action helps manage risk strategically:

■ Within eGRC system “libraries,” risks and controls can be linked to each other, and be aggregated across multiple departments. Connections can also be quickly shown to related KRIs, policies and procedures, losses, incidents, source legal and regulatory content, compliance control actions taken, and audit results.
■ With such linkages, companies gain as much risk and control detail as possible to analyze and support management business planning decisions.
■ Historical decisions made about risk and strategy can be well documented, with their assumptions at a point in time. Audit trails of decisions can be provided for regulators and examiners, and may help guide future decision-makers.
Conclusion

“Managing strategic risks” and “managing risk strategically” may be two sides of the same “strategic risk coin,” but each concept has distinct features that can help companies align risk management and business planning within an eGRC program. Developing a comprehensive eGRC framework, formalizing risk appetite and tolerance statements, tracking key risk indicators, and creating a Strategy Committee all have significant benefits which make each side of the coin shine. Improving the quality and quantity of information and reporting with an eGRC system brings all elements together. Leading companies take full advantage of today’s technology to better manage both risks, and risk-based decisions.

Take steps now to align YOUR company’s risks and business strategy - HEADS OR TAILS, YOU WIN!
About Wolters Kluwer Financial Services - Whether complying with regulatory requirements or managing financial transactions, addressing a single key risk, or working toward a holistic enterprise risk management strategy, Wolters Kluwer Financial Services works with more than 15,000 customers worldwide to help them successfully navigate regulatory complexity, optimize risk and financial performance, and manage data to support critical decisions. Wolters Kluwer Financial Services provides risk management, compliance, finance and audit solutions that help financial organizations improve efficiency and effectiveness across their enterprise. With more than 30 offices in 20 countries, the company’s prominent brands include: AppOne®, ARC Logics®, AuthenticWeb™, Bankers Systems, Capital Changes, CASH Suite™, FRSGlobal, FinArch, GainsKeeper®, NILS®, TeamMate®, Uniform Forms™, VMP® Mortgage Solutions and Wiz®. Wolters Kluwer Financial Services is part of Wolters Kluwer, a leading global information services and solutions provider with annual revenues of (2013) €3.6 billion ($4.7 billion) and approximately 19,000 employees worldwide. Please visit our website for more information.
© 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved.
FRC-14-3683 ICS Penny Whitepaper
Please visit WoltersKluwerFS.com for more information.