Enterprise Risk Management – A View from the Insurance Industry

University of St. Gallen Law School
Law and Economics Research Paper Series
Working Paper No. 2008-19
June 2007
Enterprise Risk Management – A View from the Insurance Industry
Wolfgang Errath and Andreas Grünbichler
Second International Conference on Law and Economics
held at the University of St. Gallen (Switzerland) on June 29, 2007
Published in: Peter Nobel and Marina Gets (Eds.), Law and Economics of Risk in Finance (Schulthess, Zürich 2007), p. 111-120.
This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: http://ssrn.com/abstract=1138211
Enterprise Risk Management – A View from the Insurance Industry*
Wolfgang Errath and Andreas Grünbichler**
Index
I. Introduction  111
II. Drivers behind ERM  112
III. Zurich’s Enterprise Risk Management Framework  114
  A. Risk Governance and Culture as the Foundation of ERM  114
  B. Risk Quantification  116
  C. Risk Management Operations  116
  D. Risk Communication and Disclosure  117
  E. Strategic Risk Management  118
IV. Summary and Outlook  118
References  119

I. Introduction
The term “Enterprise Risk Management” (ERM) represents a holistic approach
to managing the risks that a company faces in a changing environment. Risk
can be considered as a function of change, and risk management may thus be
described as a technique for coping with the effects of change.1 Although risk
management practices and methodologies have been around for decades, the
area of ERM has recently gained attention from executive management, investors, rating agencies, regulators and academics.
While risk management functions initially only monitored adherence to risk
and other policies, they later on implemented the first risk measurement and
quantification approaches. The next natural step was that risk management not
only provided the risk status, but also took responsibility for hedging and risk
mitigation activities, followed by satisfying the need for more risk-and-return analysis and recommendations. Nowadays, risk management functions further expand their activities into the area of strategic analysis and business decision support. In other words, risk management has moved from a passive analysis and quantification function to a proactive business enabler and strategy consultant role.

* This article reflects the personal opinion of the authors and does not represent Zurich Financial Services.
** Chief Risk Officer, Zurich Financial Services, Switzerland.
1 G. N. CROCKFORD, The changing face of risk management, The GENEVA Risk and Insurance Review, August 1976.
Organizations of all types and sizes face a range of risks affecting the achievement of their objectives and influencing all decision-making. ERM supports
intelligent and effective decision-making in order to optimize the level of calculated risk taken and to recognize opportunities where taking risks might benefit the organization.
Zurich Financial Services defines Enterprise Risk Management as the structured, Group-wide view of identifying, measuring, managing, reporting and responding to risks that affect the achievement of Zurich’s strategic and financial objectives, including both upside and downside risks on both sides of the balance sheet.
II. Drivers behind ERM
An integrated view of risk is not only requested internally by management; external stakeholders also currently put more focus on these capabilities. Rating agencies in particular focus on this topic, and most of the market leaders have introduced their own ERM assessment and review methodologies and processes. Some rating agencies have introduced ERM as a new criterion for their overall financial stability ratings, while others see ERM as an integral part of their operational, organizational, financial and capital assessments.
The main differences in their approaches can be identified when it comes to risk quantification: some rating agencies have their own deterministic capital models, others do not have their own models and rely mainly on insurers’ internal capital models, and yet others have developed stochastic portfolio models during the last few years.
Regulators also focus much more on risk management capabilities: in Switzerland, requirements for risk management are laid out in insurance-specific laws and in other, more general requirements for corporations. It is worth highlighting the Federal Office of Private Insurance (FOPI) directive 15/2006, which defines general principles for risk management: among other requirements, the risk management processes must be verified periodically, training and other communication to sensitize employees must be conducted, and risk strategies that take into account the insurer’s appetite and tolerance for risk must be introduced.2
The Swiss Solvency Test (SST) introduces an economic capital model for regulatory purposes which becomes an integral component of the new ERM framework.
Furthermore, in the European Union, Solvency II will influence the requirements for ERM, mainly through the regulatory capital assessments and the requirements for internal models in Pillar I and the development of standards for sound internal risk management and risk self-assessments in Pillar II.
All these efforts lead to slightly different meanings and interpretations of the
term and coverage of ERM. Two other initiatives are worth mentioning in this
context.
The International Association of Insurance Supervisors (IAIS) drafted a document in 2007 that focuses on the risk management framework around the adequacy of financial resources.3 For the IAIS, ERM has the potential to provide a link between the day-to-day management of risk and the long-term business strategy, and should become an established discipline and a separately identified function, assuming a much greater role in the majority of insurers’ everyday business practices.
Another framework for ERM, provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004, has had a strong
influence on the review and assessment approaches used by audit and internal
control functions.
2 FOPI Directive 15/2006, section 4.
3 IAIS (2007), Draft standard on ERM for Solvency Purposes.
III. Zurich’s Enterprise Risk Management Framework
[Figure: Zurich’s ERM Framework. Pillars: Strategic Risk Management; Risk Quantification; Risk Management Operations; Risk Communication and Disclosure. Foundation: Risk Governance and Risk Culture.]
The goals of Zurich’s ERM Framework are to:
• Protect the capital base: an insurer must make sure that capital is deployed in the most efficient way and that risks are not taken beyond its risk-taking capacity. This helps to meet shareholders’ expectations of optimizing the risk-return trade-off;
• Enhance value creation and contribute to an optimal risk-return profile;
• Support the decision-making process by providing reliable and timely
data and analysis on current and planned status;
• Protect the reputation and the brand by building a risk culture and increasing awareness about risk management across the organization.
In the insurance business a company’s reputation, especially the perception of it as reliable, is one of its main assets. ERM helps explain the risks of the business, thereby raising customer value and enhancing the confidence of clients, customers and the media. ERM raises regulators’ confidence and facilitates reviews, thereby decreasing regulatory burden and capital costs. ERM has a positive effect on the financial strength rating, thus impacting the overall cost of capital.
A. Risk Governance and Culture as the Foundation of ERM
A well-functioning risk culture requires a mix of effective controls with an empowered risk organization that has a clear role and mission. The general message is set at the top of the organization and cascades down through the management layers by showing a consistent commitment to risk topics, expressed in the common language of risk-adjusted returns.
The commitment to establishing a robust risk culture is expressed in several ways. One element is that risk managers participate in the key decisions of the firm and are considered peers of business unit managers at the equivalent level. Another element is the independence of risk measurement and risk monitoring from risk taking, expressed through adequate reporting lines and escalation procedures.
Coverage of risk management topics in meetings of the board and executive management is another important aspect. Many insurance companies are creating specific risk committees at the top level to review and approve current risk levels and future plans.
The relevance of risk-return awareness not only covers product and business
decisions, but should also be reflected in a clear linkage of executive management compensation to the achievement of risk management objectives.
Documentation of risk policies and the development of appropriate guidelines
are essential elements of risk governance: risk management policies and procedures must be complete, updated regularly and communicated throughout
the whole company. A risk policy establishes a common framework and language to foster a consistent approach to risk.
Limits for risk-taking are another aspect, reflecting the fact that substantial
variations in approach and detail are necessary for different risk types. A risk
policy also should articulate the responsibilities of the Chief Risk Officer and
that position’s interaction with the CEO, governance and executive management committees and the businesses. A risk policy should also contain the vision and objectives of risk management.
Further, risk management topics must be communicated throughout the organization so that awareness of risk and the importance of risk management at all
levels of the company is raised. Without spreading the knowledge to those
employees who do not have regular interaction with the risk management function, a broad consciousness and acceptance of individual risk responsibilities
cannot be achieved.
A pervasive risk culture goes beyond measurement of easy-to-identify risks
and provides the first line of defence in the identification of unexpected losses
from sources such as non-compliance or conflicts of interest.
B. Risk Quantification
The first pillar deals with the development, maintenance, application, use and
governance of economic and regulatory capital management models, databases
and systems.
Risk quantification is an evolving discipline and new models and methodologies in the market, credit, insurance and operational risk area have been introduced over time, leading to more precise quantification of single positions and
portfolios.
Typically companies use a variety of different risk indicators and figures. ERM
has to look at the different methodologies to ensure consistency across the full
spectrum of risk types. Many insurers spend substantial time and effort on integrating the stand-alone models for the single risk types into company-wide
economic capital models. Risk aggregation within and among the single risks
is a major part of the quantification exercise and can influence the final results
substantially. Consistency also allows risk management to present a complete
view of a company’s risk profile.
In order to obtain reliable information, robust processes for validating metrics, along with regular reviews of the appropriateness of assumptions, methods and models, must also be in place. Clear processes for updating data and ensuring data quality and data reliability are also needed.
Effective risk quantification involves more than producing figures for the single risk types, and having models in place is only one part of the exercise: the application and effective usage of metrics, and timely and appropriate responses, are also an important element of ERM. Results from internal risk and capital models can be applied to capital allocation and performance management processes, pricing, business and product development, hedging and reinsurance purchasing.
Additional scenario analysis should be conducted not only for different confidence levels and time horizons but also for evaluating new business and product proposals, M&A activities and securitization transactions.
C. Risk Management Operations
The second pillar deals with the qualitative aspects, organizational setup, authorities and human factors of the risk management function. Global organizations have implemented different structures that reflect the variety in scope of the risk management function. In some insurance companies, risk management focuses mainly on financial and operational risk, while in others risk management is linked with the actuarial function. Bank assurance groups tend to split the responsibility for market and credit risk from the other risk types.
The sharing of responsibilities and tasks between local and centralized risk
management units may depend on the risk types: market and credit risk responsibility tends to be more centrally organized, while operational risk management and internal controls need local presence and accountability.
The risk management function must have the power to highlight and escalate
emerging risks, enforce adherence to limits and monitor the effectiveness and
execution of hedge and derivative programs.
In a global organization, various functions such as risk, audit, compliance, finance and legal collectively, as assurance providers, give confidence that risks
are being identified and appropriately managed and internal controls are in
place and are operating effectively. To avoid duplication of effort, it is important that these functions cooperate efficiently, share information and have an
integrated risk view based on common standards, measures and terminology.
A framework structure that identifies the key risks, processes, controls and
other assurance activities and that assigns activities and responsibilities to the
assurance providers supports the implementation of an effective governance
structure.
D. Risk Communication and Disclosure
One of the main objectives of ERM is to enable communication with senior
management by creating full transparency around the exposures of the firm at
different levels of granularity (i.e. from the single unit all the way to aggregated results for the company). Risk concentrations and limit breaches must
get escalated to managers for resolution, and they must be monitored proactively.
Internal communication is a top-down and bottom-up exercise: executive management must provide business units with a clear strategic direction, risk tolerance and appetite, and allocation of risk budgets. Units have to report emerging risks, market, business and regulatory developments and changes in risk levels in a timely and accurate manner.
Expectations from external stakeholders are also rising: investors, regulators and rating agencies now request much more disclosure of risk information in companies’ annual reports or as a part of public presentations.
E. Strategic Risk Management
The strategic element of ERM supports management’s view across risks to optimize risk-adjusted returns. Capital must be deployed efficiently and risks must be aligned to risk-taking capacity. The interplay among the current risk levels, the existing limits and the risk tolerance statement must be clear and transparent, and aligned with the target risk profile (risk appetite).
Risk tolerance levels should be based on the insurer's strategy and actively applied within the insurer's enterprise-wide risk management framework. Common dimensions of tolerance statements are capital, earnings, liquidity and
financial flexibility and franchise value.
Businesses with more favorable risk-return relations must be encouraged to
grow, and those where the risk-based returns are below average must be watched closely. Risk management considerations should enter pricing decisions
as well as optimization of reinsurance programs and other mitigating actions.
Risk management is also a key element in certain strategic decision-making
processes. Risk considerations enter into decisions on M&A activities or new
business initiatives.
Additional stress tests reveal vulnerabilities to certain market conditions, so that the insurance company can take appropriate mitigating actions.
IV. Summary and Outlook
An optimal ERM framework systematically addresses the risks surrounding an
organization’s activities, and is wholly integrated into the culture of the organization. An ERM framework applies at all levels of an organization and to all
activities and its main purpose is to assist organizations to achieve their objectives through effective risk management.
In the upcoming years, the main challenges for insurers will be creating a
stronger link among risk management, value creation and strategic planning to
align risk-taking activities.
Another task going forward will be to further develop internal risk-based capital models, especially in the area of risk aggregation and insurance and natural
catastrophe risk modelling. Insurers have to establish a clear balance between
risk modelling approaches and qualitative risk assessments and be aware of
model risks, which can be substantial at higher confidence levels and during
more volatile market conditions.
In light of a changing regulatory framework in Europe and Switzerland, it will
also be important to link internal risk-based capital models to new regulatory
capital models.
The refinement and implementation of risk tolerance statements throughout all levels of an organization will also be a main task.
This increased transparency on risk taking ultimately will lead to making people take ownership of risks, and will enhance decision-making, as companies
are better able to act on opportunities to gain competitive advantage and to
achieve their business goals.
References
G. N. CROCKFORD (1976), The changing face of risk management, The GENEVA Risk and Insurance Review, August 1976.
C. CULP (2002), The Art of Risk Management, Wiley Finance.
Deloitte (2007), Global Risk Management Survey, 5th edition.
R. DOFF (2007), Risk Management for Insurers, Risk Books.
Ernst & Young (2006), Managing Risk – Shareholder Perspectives.
FSA (2006), Insurance Sector Briefing: Risk Management in Insurers.
A. GRÜNBICHLER (2004), Vom Stresstest zum Risikomanagement, Versicherungsrundschau 7-8.
IAIS (2007), Draft Standard on ERM for Solvency Purposes.
I. LELYFELD (2006), Economic Capital Modeling, Risk Books.
McKinsey (2006), Running with Risk in Insurance.
Moody’s (2007), Risk Management Assessment: Non-life Insurance Companies, paper, March 2007.
PwC, The Economist (2007), Effective Risk Management in Financial Services, 15th edition.
Standard & Poor’s (2006), Insurance Criteria: Refining the Focus of Insurer Enterprise Risk Management Criteria, paper, June 2006.
P. TOWERS (2006), Risk Management. Risk Opportunity, 2006 Tillinghast ERM Survey, 4th edition.
S. WANG, R. FABER (2006), Enterprise Risk Management for Property-Casualty Insurance Companies, ERM Institute International.