In the current regulatory and investigatory climate the importance of implementing and maintaining an effective enterprise risk management strategy is paramount, as Kaveri Niththyananthan discovers
Risk Management is not a new concept in the insurance or reinsurance industries, but there is no doubt of its increasing prominence within the business strategies of many companies in the sector. It is not just the fall-out from accounting scandals in the US, or from Spitzer's investigations, that is making the industry wake up, but a recognition that good risk management can positively affect both shareholder value and credit ratings.
Bryan Joseph, principal at Karoni Insurance Services, explains, "It is only recently that management has been thinking of asset liability modelling and of understanding the degree of risk on their balance sheet and the aggregation of risk that occurs. Lack of understanding or analysis of this aggregation makes a firm more vulnerable to going insolvent. Once a concern about a company is highlighted, the management always seem surprised by what actually went wrong. Had they been looking at the risk within the balance sheet, they should have recognised that those risks existed."
The insurance industry has a long history of making changes only because they have been imposed on it from above, rather than because they represent good management practice. It is thus understandable that the pace of change and the degree of regulation being applied retrospectively are making the industry nervous. 33% of respondents to our survey currently regarded regulatory change as the main risk affecting their business. Economic conditions were considered the most important factor by 29%, while 27% placed internal risk control structures and culture at the top.
The UK FSA Integrated Prudential Sourcebook took effect on 31 December 2004, and significant progress has occurred with the implementation of the Individual Capital Adequacy Standards approach. For example, the FSA requires, "life insurance firms with aggregate with-profit liabilities in excess of £500m to hold capital based on the higher of a 'regulatory' peak and a 'realistic' peak."
Ian Dilks, chairman, European Insurance Group at PricewaterhouseCoopers, explains, "Regulatory issues are certainly top of the agenda, and, from a UK perspective, the biggest change is with capital regime, where each firm has to make capital assessments that involve looking at risk in the organisation."
He explains that the need to identify and monitor risk will have an impact on capital charge. In addition, as the quantity of regulation increases, becomes tougher and more pervasive, the potential to breach regulation becomes a risk in itself.
In the US, the main issue where regulation is concerned is that what was previously accepted is now being thoroughly re-examined. The organisations that are affected by Sarbanes-Oxley (SOX) are those based in the US, and those foreign firms that are listed there. The latter will, however, only be subject to SOX at a deferred date. Many European firms suspect that domestic regulatory tightening may well come to mirror the provisions of SOX, and are keeping a close eye on it in consequence. A relatively high proportion of respondents to our survey ranked SOX as having a significant impact on their business. However, as can be seen in the chart below, there was a fair number of respondents who did not see any significant impact from the act. Dilks, however, begs to differ. "Like it or not, Sarbanes-Oxley is setting a benchmark for companies to assess their own governance arrangements. It could be the fact that not a lot of people really understand what SOX involves, as it is restricted to financial reporting, as opposed to the overall business risk framework.
"For example, in theory it is not really about stopping fraud, but if a fraud does occur, you now have to account for it properly. People are talking about it, and improved controls over accounting should lead to better control overall."
There are concerns, however, that the reporting itself can be very subjective, and that the regulations are not clear enough on the subject. There is an obvious need for further work in this area.
Despite such concerns, more than half (54%) of respondents said the benefits of compliance justified the efforts made, which, considering the complaints that have arisen over the costs, is of interest. No one denies that cost remains a real challenge, but it is essential that firms deal with regulation and internal reporting effectively, and with sufficient flexibility to be able to adjust rapidly to change, if competitive advantage is to follow. In the light of Basel II, SOX, FSA regulations and the Turnbull and Hicks reports, the issues of compliance, governance, culture, and enterprise risk management can no longer be ignored. The global trend towards increased regulation is unlikely to go away.
OPERATIONAL AND REPUTATIONAL RISK
When asked to rank different risks in order of their importance to their company, 77% of our respondents ranked operational risk in either the first or second positions.
"Ten years ago, they would not have even understood what operational risk was," says Dilks. "Through the FSA's attempts to increase knowledge and understanding in this area, and its link to capital, more people are aware of it, as shown with contract certainty, for example."
This understanding of risk and its relationship to capital has long been a challenge. The reasons behind failures among insurance or reinsurance firms inevitably include the writing of a bad piece of business, or reserves that were too low compared to market norms. At times this has been compounded by sheer bad luck. But where firms have written premiums that were too low, it is often fundamentally because they did not understand the relationship between capital and the risk undertaken, causing capital to unnecessarily cost them more. The subsequent need to purchase reinsurance has then merely added to the costs.
Reputational risk also scored highly. Without doubt this reflects the impact of a potential breach of regulation on the business. Clive Martin, senior manager within the Insurance Sector of UK Financial Services at Ernst & Young, explains, "Reputations are damaged and impacted by the occurrence of other risks. To many reinsurers, reputational risk manifests itself in their credit rating, so when they say they are worried about reputational risk, potential changes to their credit rating can be uppermost in their minds."
This sensitivity to ratings is the greater because the insurance industry does not work in a totally efficient market, where Adam Smith's "invisible hand" could apply. If it did, it would be easier for a difference in credit ratings to be reflected in competitive pricing - both upwards and downwards, allowing the consumer rather than the broker to make the comparative judgements between risk and reward. In its absence, good risk management is the best answer to a business environment ever more sensitive to credit ratings.
When asked whether respondents considered that their Board was well advised on internal risk issues, 86% answered positively. Dilks considers that this is surprisingly high, given the rapidly evolving regulatory environment. "To some extent the Board will have risk on the agenda, but whether the assessment of risk is sufficiently comprehensive, or whether the board have a good handle on programmes of risk identification, mitigation and the impact on capital is debatable."
However, Steve Manning, head of Risk Management at Lloyd's, argues, "From the survey Lloyd's conducted in July 2004, 98% of our businesses see risk management as a broad priority. 93% saw risk management as a driver to improving business. Again, 93% had undertaken detailed risk assessments, with 96% saying they were strong in risk identification. This shows that risk management is on the board agenda."
CHIEF RISK OFFICERS
If you look through a chairman's or directors' statements, you will seldom find any details of how risk is managed. The market is more inclined to make judgements on premium volumes than on a firm's ability to analyse and monitor risk. This may change. On 1 June 2005, Standard & Poor's announced an initiative to include risk management assessments in its methodology. "Those insurers with robust processes that are well integrated into the daily functions of the enterprise would be scored highly, while those with weaker risk management capabilities, or poorly integrated risk management frameworks, would be scored lower," said S&P credit analyst David Ingram.
A sea change such as this ought to set firms pondering the role of a Chief Risk Officer (CRO) and the likelihood of the need to appoint one. The CRO should be the guardian of capital for a company, and the one who understands and monitors the intricate network of potential risks, continuously assessing if the assumptions that were originally put in place are still valid. Communication is vital; the CRO must be at home with actuarial niceties and be able to express them in a language appropriate to the decision-making processes of the senior management team.
Perhaps the key challenge for any CRO is that of assimilating risk management practices deep into the company's culture. Manning explains why this is important. "Within Lloyd's, the approach adopted is risk management is good management and should be at the heart of every entity within Lloyd's. Key risk associated by franchise board at Lloyd's is shared with franchisees. By adopting a silo and compliance approach, you will fail to gain the full benefits risk management can offer."
But to escape the silo mentality, and to recognise that merely sticking to the letter of the regulations is not the best way of approaching compliance, is easier said than done. To go from implementation to assimilation, there is a need for visible and active advocacy of the importance of risk management by senior management. "The cultural shift required will not occur unless the CEO is the champion of risk management and business units need to see what is in it for them, which could mean a capital release," Manning emphasises.
Joseph explains that allocating capital to underwriting teams once or twice a year is simply not good enough, as the market is changing, products are changing and, with that, the risk on the balance sheet changes. "Thus it is important to monitor it more frequently and assess where you are in the cycle and if you are consuming capital too quickly. Allocations should be assessed during the peak periods of premium volumes, and, if 80% of your premium volumes occur in January, it is necessary to monitor and allocate capital as frequently as on a weekly basis."
The perception of the necessity for a CRO is relatively novel. Even so, 37% of respondents indicated that their company already had a CRO, or planned to appoint one within the next 12 months. Dilks suggests this is only the beginning: "The fact is that most large UK firms have, or will plan to appoint, a CRO. But of the current incumbents, few have been in the role for more than two years, and their backgrounds vary enormously, reflecting the fact that this is a new profession." To date, those backgrounds have included underwriters, actuaries, lawyers, consultants, accountants and company secretaries. Martin explains this diversity: "Skill-sets of risk management are in existence, but there are not many people who have the experience of pulling this all together." This may explain why many CROs are being recruited from banks and consultancy firms, where they have the experience to fulfil the role more effectively. Martin believes that, "ultimately, those who responded that they did not have CROs nor planned to have one within the next 12 months, may change their mind in the medium term. If not, they face losing out to those who already have, as the recent advancement of cross-category risk assessment in financial services has been considerable."
It is alarming to consider the claim that the very industry whose business it is to look at risks and insure them, does not like to manage its own risks. This perception may be changing, yet, in comparison with banks, the insurance industry still seems to be lagging. One of the reasons given for being slow off the mark is that the risks associated with insurance are fundamentally harder to define and measure than those elsewhere. However, as the insurance industry comes to see the assessment of its own risk as less an art form than a science, and begins to take full advantage of the plethora of tools and training now available to the risk management profession, things are beginning to move.