Do you have an enterprise risk management approach? It's the key to survival in the midst of regulatory, rating agency and stakeholder pressure and in an increasingly uncertain environment, warns Ronald Gift Mullins.

While enterprise risk management (ERM) only has a soft toehold in the insurance industry, this sophisticated mechanism of evaluating an organisation's risks may already have proven to be a powerful force in the remarkable recovery of the property casualty primary insurance industry in 2006 following record catastrophe losses the previous year. Even reinsurers, which shouldered billions of dollars in losses in the latter part of the year, managed to shake off that burden and produce a net profit in the first quarter of 2006.

Granted, the improvement in the property casualty results over the past three years has been steadily encouraging as insurers seemed at last to be pricing their risks more appropriately, backed by adequate capital and a less competitive offering of terms and conditions. As a result of this resolute attention to planning and profit, in 2004 the industry registered an underwriting profit for the first time in 26 years. And even with almost $50bn in catastrophe losses in 2005, P/C insurers produced a small underwriting loss of $5.9bn, according to ISO's Property Claim Services. For the first quarter of 2006, property casualty insurers had an incredible $8.4bn underwriting gain and $16.7bn in profits. Supporting these positive operating results for the primary insurers, especially the larger ones, has been their ceding 10% to 30% of their catastrophe risk to reinsurers, especially those domiciled outside the US. Judicious use of alternative risk transfer products such as catastrophe bonds and captives also helped to further relieve the claims burden for P/C insurers.

Insurance companies ceded a significant proportion of their claims and saddled the reinsurance and retrocession communities with staggering losses. Even with these billions of dollars in claims, 26 reinsurers, as reported by the Reinsurance Association of America for the year of 2005, declared a hefty $7.4bn underwriting loss but still managed to produce a net profit of $1.9bn. Even more astounding, in the first quarter of 2006, with the torrent of claims from the hurricanes of the previous year still cascading in, the group had a net underwriting gain of $56m and a net profit of $1.6bn. Contrast these figures with those of 2001, the year of 9/11, which resulted in an $11.4bn underwriting loss for the year and a net loss of $3.6bn. In the first quarter of 2002, a similar group of reinsurers had a $391m underwriting loss and net income of only $359m.

The force

How much of this amazing recovery of the P/C insurance and reinsurance industry in 2006, following the costly disasters in 2005, can be attributed to ERM cannot be readily determined. Yet it is evident that a more prudent and thoughtful management philosophy within the past few years has had a considerable influence on the operations and results of insurance and reinsurance companies. Increasingly, leading companies in the industry are implementing ERM as a framework under which they can most profitably manage their various categories of risk, portfolios and product development. Time and implementation will determine whether ERM will at last be the rational force that will flatten the recurring, self-destructive insurance cycles that have plagued the insurance sectors for half a century.

A study by PricewaterhouseCoopers a few years ago confirmed that ERM has become a key driver for a competitive edge in the insurance industry, but noted that there was a serious gap between the design and planning stages, and the actual execution and integration of ERM programmes. The study suggested market and regulatory forces would continue to drive insurers to implement ERM as an enabler for attaining financial goals. "Some, however," the report said, "continue to struggle with the necessary infrastructure, people, processes and technology essential to fully reap these benefits." There is no "one size fits all" solution for designing and implementing an ERM programme, and the study said that just 5% of those responding to the survey felt ERM was fully integrated with their company's strategic business decisions.

Pre-eminent risk managers

The need for ERM in the financial services sector, as with other business sectors, is driven by external and internal pressures. Some of the external pressures are common to all businesses - calls for corporate governance reforms from stock exchanges, accounting bodies, rating agencies, institutional investors and government regulators in countries around the world. Other external pressures, especially in the US, are specific to the financial services sector. They come from banking and insurer regulators and legislators who want to ensure that policyholders and customers - as well as the financial system as a whole - are protected from unwarranted risks.

The internal pressures come from business conditions and risks unique to the insurance and reinsurance industry - especially those that arise from operating in a more competitive environment. "The insurance and reinsurance industries have a distinct, competitive reason to get ERM right," the PWC study continued. "They are in the business of taking on other people's risks. Developing sophisticated tools to do that is their core competency. An insurer that can demonstrate that it has mastered ERM internally will make itself more credible in the marketplace and more likely to attract and retain clients, customers and shareholders."

Fitch Ratings said in a special report that ERM represented a step forward in the evolution of risk management practices, but should not be viewed as a brand new concept in the insurance industry. Insurance is the business of understanding, assuming and transferring risk, the report noted, and insurers need to be the pre-eminent risk managers as "the ability to measure risk is paramount to their success." Although the sophistication and techniques can vary substantially between organisations, the principles of understanding relevant risks and managing them are universal, the report concluded. "Improvements in risk management have allowed insurers to better control their risks and has had an effect on the competitive landscape," said Keith Buckley, group managing director in Fitch's Insurance Group in Chicago. "Insurers that are not up-to-date in their ERM techniques may be at a disadvantage in the market."

CEO as CRO

ERM puts its emphasis on risk evaluation at an enterprise level rather than in isolated business operations. Considering risks on an individual basis (the "silo" approach) can ignore potential offsets and concentrations of risk across the various silos. The silo approach can also lose sight of the overall objective - to protect and optimise the value of the enterprise. It is important for a risk department to view risks as profit opportunities that must be managed rather than as something to avoid at all costs.

By identifying critical risks, ERM emphasises the importance of managing these risks to ensure that the desired objectives are achieved. Various risk mitigation tools are available to help an insurer avoid risks that it is not adequately compensated for and the benefits of these actions can often be measured. An economic capital model can also help an insurer to optimise the use of scarce resources by helping to measure performance and acting as an aid to strategic decision-making.

ERM operates most efficiently if it is implemented from the top of the organisation and is centralised within one person, usually called the chief risk officer (CRO). It is the responsibility of the CRO to identify the sources of risk and determine what measures can be taken to neutralise them, which helps to level out the peaks and valleys of earnings.

Madhusudan Acharyya and Johnnie Johnson of the school of management at the University of Southampton, UK, prepared a paper describing a study they conducted of how three insurers and one reinsurer in Europe implemented and made use of ERM. The paper, published in The Geneva Papers on Risk and Insurance, suggested that there is a need for a person or group of people "who can see the holistic picture of risk within and outside of the organisation." The study concluded that unfortunately "often only one person has such an opportunity, and that is the CEO; which is why the CEO is the ultimate CRO. Consequently, the CRO in effect represents the CEO within the management hierarchy to look after risk and its holistic management."

Capital adequacy

For most insurance or reinsurance firms, one of the greatest challenges in implementing ERM is determining the amount of capital needed to adequately support the various risks they have taken on from others. For example, the greater the level of capital a company holds, the lower the risk of insolvency, all else being equal. However, too high a level of capital will dilute the returns to shareholders. Therefore, the objective is to establish the minimum level of capital for an insurer's diverse risks that will still achieve the desired level of protection for each one, as well as for the overall company.

Once the risks are identified, standards are selected to evaluate the economic capital required to protect the institution to an agreed-upon solvency standard given the risks it covers using a uniform time horizon. Aggregating the economic capital required for each risk provides the economic capital required for all the risks, which is linked to the solvency standard for enterprise-wide risk.

The first step in developing an ERM programme is to assess the current risk environment of an insurer or reinsurer. The assessment includes examining financial and operational risks, and using qualitative and quantitative methods. Financial risks include credit, interest rate, currency, mortality, liability, and reinvestment risks. Operational risks include people, technology, distribution, political, and regulatory risks.

Risks should be described as fully as possible, taking into account how risks correlate with other risks, including whether a given risk could trigger or be triggered by another risk and whether certain risks are negatively correlated and, therefore, represent "natural hedges" against each other. The process involves a combination of gathering historical data, reviewing documents, and conducting interviews to gather information on business processes, organisation, technology, people and culture.

Plotting the risk

However they "plot" the risks, managers can then decide which risks require their greatest attention by classifying them as "manageable" or "strategic." Manageable risks are those that the organisation can address with existing capabilities. These risks might include such things as weak contingency planning in critical facilities or midlevel employees dissatisfied with opportunities for advancement. The proper response to manageable risks is simply to use the existing organisational capabilities to mitigate them by assigning them to the appropriate managerial level.

Strategic risk factors, on the other hand, are those that have to be addressed with substantial expenditures and/or a change in strategic direction. These can arise, for example, when an organisation enters unfamiliar business territory because of a major acquisition, when a new competitor emerges or when customers change their buying preferences. These strategic risks require greater analysis and often need to be analytically modelled. The models represent the uncertainty associated with each strategic risk factor regarding how, when, and the degree to which it will manifest itself. These models may range from entirely quantitative, relying strictly on hard data, to entirely qualitative, relying almost entirely on expert testimony. In either case, the objective is to develop probability distributions for each risk factor.

David Ingram, director & ERM specialist at Standard & Poor's, believes that performing the complicated and myriad computations of risk data would not have been possible until recently. "Immense computer power is required to track and analyse millions of complex insurance transactions, and the capability has only been developed and tested in the past decade. Software has improved as well. Without these advances in computer technology, it would take a very long time to calculate risk evaluations that are now done rather quickly." He cited an example of a large international insurer that about ten years ago spent a year systematically calculating its global risks for the first time. "Now, it does it faster," he said, "and more often with greater and more useful information being obtained."

ERM detractors

There is, however, within any large, complex company a situation that can prevent ERM from being fully utilised. As explained by Acharyya and Johnson in their paper, this is the sometimes awkward distinction between the specialist and the generalist. "Specialists (actuaries, financial managers etc) are often blinded by the perceived wisdom of their discipline and fail to realise the benefits of a broader perspective," they wrote. "Moreover, specialists tend to be overconfident and rigid in their views even when dealing with conflicting opinions from specialists in other disciplines." They said that while ERM is supposed to be an interdisciplinary endeavour, too often the financial risks are considered paramount.

Their study suggests that effective communication across disciplines is the core requirement for including the wider community within the company when implementing ERM. Only with consistent understanding and a willingness to communicate the motivations for implementing ERM can the process succeed fully.

Ronald Gift Mullins is an insurance journalist based in New York City.

What is enterprise risk management?

Enterprise risk management (ERM) identifies the risks faced by an organisation and then takes the steps necessary to address them. The exercise encompasses all types of risk and the way they interrelate with each other. It balances risk and reward and places special emphasis on those risks that threaten the survival of the organisation.

Implementation of ERM within insurance and reinsurance companies normally requires the use of financial models to simulate the impact of different possible scenarios. This exercise should not, however, be conducted in isolation: ERM is only truly successful when there is an integrated approach to business strategy and planning, risk management and capital modelling.