Enterprise-wide risk management (ERM) is now firmly on the boardroom agenda, though a new study of ERM has found that many companies are still struggling to get beyond the design and planning stage Mark Stephen looks at what the study reveals about the challenges facing re/insurers in developing effective ERM capabilities.

Since the 1990s, many forward-thinking insurers have been looking to develop a more holistic and sophisticated approach to risk management.However, it is only lately in the wake of escalating claims, solvency scares and governance scandals that enterprise-wide risk management (ERM) has come to wider prominence. ERM can help to protect insurers from losses, earnings surprises and reputational damage, and provide a platform for strengthening governance and regulatory compliance. ERM can also provide a better understanding of the trade-offs between risk and reward, leading to smarter capital allocation and more sustainable shareholder value creation.However, ERM is still an evolving discipline and many companies face significant challenges in implementing and fine-tuning their ERM programmes.In March 2004, PricewaterhouseCoopers published Enterprise-wide Risk Management for the Insurance Industry, one of the most detailed studies of ERM ever conducted within insurance worldwide, aimed at pinpointing what makes ERM work in practice. The study drew on an in-depth survey of 44 companies from Asia, Australia, Europe and North America, including five reinsurers.The questions covered infrastructure and analytical issues including organisation, governance, risk aggregation, capital allocation, data and systems. They also looked at specific risk categories including credit, investment and operational risk, along with the issues facing particular industry sectors including property and casualty, and life and health underwriting.The survey confirmed that risk management is now a board/CEO priority, with the protection of shareholder value emerging as the main benefit (see figure 1). However, it also revealed a mixed picture of attainments and expectations from ERM programmes (see figure 2). In particular, only 5% of respondents felt that ERM was fully integrated with strategic business decisions. Similarly, only one of those surveyed described their organisation as proactive in ERM, which is arguably the essence of effective ERM. Significantly, most of the participants, including all the reinsurers, would like to be proactive in ERM within five years.Clearly, one of the key challenges is translating the boardroom vision of ERM into a programme that is embedded and valued throughout the organisation.However, as figure 3 highlights, many respondents are finding it difficult to make headway in ERM in the face of uncertain direction and understanding.Only two-thirds of participants felt that the roles and responsibilities driving ERM were understood within the organisation as a whole. Only around 50% of those surveyed acknowledged that the strategy, processes, mission and objectives or tools and technologies underpinning ERM were even partially understood.A rich vein of consistent and comprehensive data is the lifeblood of ERM. However, it is evident from the survey that the communication of risk information around the enterprise is generally weak, with only one participant describing risk reporting as very effective and less than 50% of those surveyed believing that it is quite effective. On a portfolio level, these shortcomings tend to stem from gaps in systems capabilities and data availability. Only a third of respondents were either very or quite satisfied that their current information technology systems can meet the required frequency of risk management reporting. Similarly, only a third of those surveyed rated their data strategy as good.Any technical and organisational stumbling blocks will naturally impact on the performance of ERM. While most of those surveyed are making strenuous efforts to put risk controls in place, only 39% felt that their limits and exceptions monitoring are quite strong, and only two participants felt they were very strong. Similarly, systems hurdles and problems in sourcing timely and reliable risk information mean that most of those surveyed are still struggling with the data and modeling challenges of creating effective risk aggregation and risk-based capital allocation.Only 6% of respondents aggregate across all risk factors and business lines. The difficulties in developing viable capital allocation methodologies can be seen in the fact that more than 40% of respondents required between three and five years to implement their current systems.

Drivers for successIt is equally clear from the survey that many companies are beginning to bring greater clarity to their ERM mission and integrating their programmes into the overall management of the enterprise (see figure 4). As they overcome the technical and organisational challenges of ERM implementation, they can marry their deeper understanding of the risks faced within the organisation with new insights into the risks and opportunities facing them in the external environment.Indeed, it is notable that some of those leading the way in the more sophisticated areas of ERM are reinsurers. For example, only one respondent, a reinsurer, had procedures in place to correlate ERM indicators and losses, and use these indicators for predictive analysis. Similarly, 50% of the reinsurers surveyed had found their economic capital allocation programme very effective in gaining acceptance of ERM in the organisation as a whole, compared to around 25% among respondents from all sectors. These strengths can also be seen in specific risk categories, notably operational risk.Two of the five reinsurers surveyed have embedded the measurement, monitoring and management of operational risk into the day-to-day processes of the company. In contrast, only 20% of the survey population as a whole had achieved this advanced stage of implementation.It should be stressed that no participant or industry sector was universally strong in all areas of ERM. It is also evident that there can be no 'one size fits all solution' for developing effective ERM in such a diverse business as insurance. However, Enterprise-wide Risk Management for the Insurance Industry identified a number of guiding principles underpinning successful ERM that have emerged from both the recent survey and PricewaterhouseCoopers' continuing work and dialogue with the insurance industry:- sound governance underpins stable rewards and sustainable shareholder value creation. Senior management needs to ensure that risk management is a priority and manage business activities in a way that produces consistent and predictable returns;- senior management is responsible for defining and communicating the company's risk appetite including setting targets for shareholder value creation and tolerances for earnings variance that are then cascaded down to individual business units;- roles, responsibilities and accountabilities should be clearly defined.Business units are responsible for identifying, taking and mitigating risks. The risk management function is responsible for ensuring that appropriate limits, policies and procedures are in place within the business units.The audit function verifies that controls are in place and operating effectively;- active management of risk is ideally delegated to corporate risk committees, either at a portfolio level or relating to specific risk categories as appropriate. These can be supported by business unit representation or further committees at the business unit level;- it is critical to agree and apply clear policies and standards covering risk identification, monitoring, analysis and reporting across all risk types and business units;- the measurement and aggregation of risk(s) across the enterprise need to be based on consistent methodologies. Companies will need to discern an appropriate balance between quantitative and qualitative approaches.They will also need to capture all volatility and correlation variables;- companies need to be able to turn timely, reliable and comprehensive data into decisive management action. Some companies are now developing executive 'dashboards' that combine key risk and performance indicators; and- systems capabilities need to provide the necessary quality, integrity and timeliness of data. Key applications include risk detection, measurement, escalation and analysis of risks and returns.

The way forwardAs insurers enhance their ability to measure, analyse and respond to risk, ERM is likely to play an ever more proactive role in identifying the strongest sources of earnings and strengthening the execution of the strategic plan. The effectiveness of ERM is therefore likely to emerge as a key competitive differentiator.However, ERM is not an end in itself, rather an integral part of the effective governance and management of the business. Indeed, most of the key drivers outlined in Enterprise-wide Risk Management for the Insurance Industry can be achieved by improving the co-ordination of existing capabilities rather than creating an additional and potentially redundant tier of risk management. Nevertheless, to be successful, people at all levels of the organisation need to understand their responsibilities and appreciate the true nature/extent of the risks they are taking.

NotesTo download a copy of Enterprise-wide Risk Management for the Insurance Industry, visit www.pwc.com/financialservices.