Regulators and rating agencies are pushing (re)insurers to combine risk controls with capital management. Global Reinsurance investigates the challenges – and rewards
Reinsurers should be well-suited to the concept of enterprise risk management (ERM), which in its technical definition is a risk-based approach to managing an organisation. The industry is, after all, in the business of risk. “The fundamentals of risk management had been baked into insurance companies before the term ERM became popular,” AM Best vice-president Ed Easop says.
“If you think of the fundamental reason an insurance company exists, it is risk management,” he continues. “It’s accepting a level of risk from the policyholder and beneficiary, trying to price that risk based on actuarial tables and reserving metrics to provide protection for that risk to the customer, while hopefully having enough left over to make a reasonable profit. For hundreds of years, the entire concept of an insurance company has been about managing risk.”
From around 2005, ERM became a familiar buzzword in the insurance world. (Re)insurers were starting to measure and manage their risks on a more holistic basis – bridging the gap between underwriting, investment and operational risks. There were two key drivers. In the USA, the rating agencies announced they were going to include assessments of risk management frameworks in their rating criteria. And in Europe, preparation for the new solvency regime put the onus on (re)insurers to more closely link risk and capital.
The birth of ERM
“The concept of ERM has been around for a long time,” Catlin’s group chief risk officer, Janet Nelson, says. “(Re)insurers have been attempting to manage aggregate exposures for a long time.”
“The evolutionary thing is how you integrate all those different components of risk management across the piece,” she explains. “The evolution and the role of regulators and rating agencies has been about getting it tied more closely with capital management so that this picture of risk is something that, in the industry, gets more stitched together with our view on how we manage capital.”
Beyond the regulatory and rating agency pressures, stakeholders are also demanding that (re)insurers manage their organisation-wide risks in a more controlled and auditable manner. Boards are appointing chief risk officers (CROs) and factoring the results of sophisticated risk analyses into their capital allocation decisions. In addition, shareholders in the post-Enron, Worldcom and credit crunch environment want to be reassured that companies are being transparent in their risk management and reporting.
The role of CRO is still a new concept for many insurers. “When I got the role of CRO, my first responsibility was to write my job description,” Nelson reveals. “I did some research and visited a lot of companies that had chief risk officers. What I learned is that there is no template and everyone did it differently … the role of the CRO has to be shaped to the strategy and the governance structure of a particular company.”
One of the key drivers behind the rating agencies’ decision to assess (re)insurers’ ERM programmes was the hurricanes of 2004 and 2005 – in particular Katrina, which cost the industry an estimated $45bn, according to ISO Property Claim Services. Standard & Poor’s announced in October 2005 that it would be evaluating the ERM practices of insurance companies.
“In the wake of the disaster, ERM was a differentiating element when we reviewed insurer credit ratings,” S&P stated. “Some insurers with weaker ERM had losses that were as much as twice what they previously reported as their ‘probable maximum loss’.”
As defacto regulators of the insurance industry in the USA, the decision by the rating agencies to formalise ERM evaluations were momentous for US (re)insurers, according to Aon Benfield ERM practice leader Chris Myers. “Certain companies used a lot of the tools and traditional elements of ERM prior to S&P modifying their criteria, but the majority weren’t quite there yet. So that was the true catalyst, particularly for North America.”
In Europe, the anticipation of the EU Solvency II Directive, due to be transposed in 2012, has enshrined ERM into day-to-day insurance practices. A key part of the new regime is ORSA (own risk and solvency assessment), which requires every insurance and reinsurance company to assess its own solvency needs and submit the results to the supervisor. Because of the potential impact on solvency capital requirements (SCR), (re)insurers are investing significant time and attention in identifying and quantifying their risks.
“With Solvency II, a lot of the focus is on what the impact will be on carriers’ overall capital position,” Ernst & Young reinsurance partner Clive Martin explains. “For some businesses, the impact could be enormous and for others it would be minimal – it can vary.”
Solvency II is based around three pillars (see diagram, opposite). The first pillar on quantitative requirements is related to SCR and is the key driver for many insurers’ ERM programmes. “The effect of Solvency II on capital management is getting the most attention from chief risk officers right now, which is why the ERM debate is frequently actuarial and quantitative in its focus, because it’s wrapped up in wider capital efficiency activity,” Martin explains. “Risk and capital shifts could bring greater capital efficiency, and influence the way in which people buy reinsurance, as well as the amount that they buy.”
Insurers that already have sophisticated risk management frameworks and capital models are unlikely to see much of a change in their SCR. But those insurers whose capital requirements do increase are likely to look carefully at their risk profiles and opt either to reduce exposures in expensive lines of business or to buy more reinsurance protection. By ceding more of their risk to reinsurers, it will free up more of their capital and allow them to write the same level of business.
The main aim of the first pillar is to more closely align capital to risk. In order to do this, Solvency II essentially gives insurance firms two options: either they can create their own internal capital models or they can use a standardised model. Those applying models for the first time could get stung, particularly if they adopt a standardised approach.
By its very nature, the European standard formula fails to take into account the complexities within an organisation’s risk profile. Changes to the formula since the last quantitative impact study (QIS4) by Ceiops (the Committee of European Insurance and Occupational Pensions Supervisors) are proving even more burdensome. The industry has had a forceful reaction to early calibrations from QIS5, which are even more conservative in nature.
“For a while, there were probably insurers who thought the standard approach was the option they would take,” Martin says. “But then they analysed the effect of using the standard model for their own data and realised that the capital requirement outcome would be very big. That’s why the market is red-hot for Solvency II skills, because many insurers want to create their own internal models to avoid being stuck with the capital drain they now associate with the standard model option.”
One study claimed the measures would leave the European insurance market under-capitalised to the tune of E150bn ($200bn). A Solvency II briefing from actuarial firm EMB attempted to quantify exactly how much SCRs are set to increase under the current standard formula. The study of 49 UK firms saw capital requirements increase by an average of 62% from their QIS4 calculation. Industry bodies have collectively called for Ceiops to relax its stance.
Insurers most likely to consider going down the standard route are smaller firms with a narrow geographical and/or business focus. There is also the expense of implementing an internal model to consider, but this can pale in comparison to the potential increases in required capital under the alternative, Martin points out.
“It can appear as though it’s an expensive item for businesses,” he says. “But on the scale of premiums they bring in and claims they’re paying out, the cost of the model is not particularly high. The other aspect of cost is the difference in your capital requirement. Using the standard model could result in some businesses having to tie up, and in some cases raise, hundreds of millions of dollars of additional capital – so it’s a no-brainer when they look at it in that way.”
Beyond the numbers
While capital – and determining how much of it is likely to be tied up under the Solvency II regime – is the current priority for European (re)insurers, the second and third pillars also have implications from an ERM perspective. The second pillar has an altogether more qualitative thrust than pillar one. It deals with the principles of internal procedures and controls.
While Solvency II has been an important driver of risk management systems and controls, the financial crisis has led many (re)insurers to question how effective they actually are, Martin says. “Beyond the specifics of the quantitative capital discussion, the financial crisis showed that some ERM frameworks didn’t do what they said on the tin. What a lot of insurers and reinsurers are now doing – particularly those in continental Europe – is investing in a more robust approach and methodology for their physical controls, so there is new best practice emerging from those initiatives.”
As they strengthen those risk frameworks, insurers and reinsurers will also be required to reveal more about their risk profiles to the outside world. This requirement for transparency, which comes under the third pillar of Solvency II, could impact an organisation’s value without them changing anything else about their business. Stakeholder perception of riskiness is likely to become a significant driver of (re)insurers’ capital allocation and risk management decisions.
“It’s about understanding the risks you take, why you take them, and communicating that strategy to all the relevant stakeholders. Then, your shareholders have no surprises, your policyholders know and understand the risks you run as a business, and the regulators, the board and non-executive directors all understand why we do what we do,” Catlin’s head of ERM, Paul Martin, explains.
On both sides of the Atlantic, it is clear that regulatory and rating agency changes are helping to drive the industry’s approach to ERM. While current attention is on the quantitative impact the new risk-based regimes will have on capital, the approach is likely to become more qualitative in future.
Ultimately, the regulators and rating agencies hope that better risk management will lead to stronger, more robust (re)insurers. Such companies will be better prepared for the next Hurricane Katrina or financial crisis, but the end game is not just about tying up capital and limiting the downside, Myers explains. “Not only are you understanding how to manage risks a little better, you’re also better informed so you can think of different opportunities the organisation might be exposed to ... ERM is also about finding ways to tap into value that might not have been readily appreciated without an ERM process in place.”
From a (re)insurance perspective, the path to ERM is a journey rather than a destination. The initial push towards regulatory compliance requires a sea change in risk culture and investment in capital models. But beyond this, the challenge for firms will be to continually update and improve their approach.
“Some companies that have gone down the path of introducing ERM view it as a project with an end date,” Myers says. “Companies that do it particularly well understand this is an ongoing process, and what is advanced practice today will be common practice tomorrow.” GR
Three pillars of Solvency II
- Technical provisions
- Investment rules and asset liability management
- Capital rules
- Internal controls and sound management
- Supervisory intervention