The advent of Sarbanes-Oxley has put increasing pressure on insurers to implement an effective enterprise risk management approach, explain Rosemarie Sansone, Joseph Calandro and Mike Eagan.

Companies in every industry generally operate under the same profit/loss constraints. However, insurance companies operate under a unique set of economic forces which can make managing the insurance business a challenge.

For example, for most firms, calculating the cost of goods sold is a fairly routine accounting exercise. Such costs are then subtracted from sales (revenue) to determine the amount of gross profit generated from operations. For insurance companies, however, it is not possible to calculate the cost of goods sold at the time of sale, because those costs are not incurred until after a policy has been sold. This time lag between the sale of insurance and the service of any claim can extend many years into the future, as asbestos claims demonstrate only too well. The significance of this operating dynamic in the post-Sarbanes-Oxley era cannot be overstated.

In the past, insurance companies generally approached the business of insurance with a focus on premium growth and non-claim-related cost containment. While never optimal, this approach was able to leverage rising capital market returns on a fairly large scale. Currently, and since the implosion of the "new economy" (in other words, since equity returns regressed to more normal levels), the focus of insurance executives is beginning to shift to pricing management rather than premium growth, and overall risk control rather than cost containment.

Pricing management

By focusing on pricing management, insurance executives should be better able to control activities such as premium adequacy and aggregation of risk. Premium adequacy is crucial because companies can no longer rely on capital market returns to help cover an underwriting loss. However, consistently hard insurance pricing serves as an invitation to competing insurers. Therefore pricing must be conservative enough to help ensure a profit over time and aggressive enough to forestall price-based competition. Achieving such a balance over time can be very difficult, as the industry's history of price wars vividly demonstrates.

With respect to aggregation of risk, there are two distinct aspects. These can be labelled separately as cluster risk and commingled risk. Cluster risk involves the extent of exposure to any single event based on the accounts or types of coverages a company underwrites. The easier of the two to prospectively model, cluster risk is best exemplified by geographic exposure. If the accounts are clustered in one area, for example, then that entire book of business could potentially be affected by a single event. Such a situation is inconsistent with the principle of diversification, which in many ways is a cornerstone of the insurance business. In fact, aggregate exposure can put a company's solvency at risk from a single event, as witnessed by the massive insured losses sustained by a number of US insurers following Hurricanes Katrina, Wilma and Rita in 2005.

The second aspect of aggregated risk, commingled risk, involves the correlation of risk between insurance coverage/exposure and the risks related to the investment portfolio. In addition to matching the cash flows and durations of investment and coverage, asset liability management (ALM) functions have begun to try to match the risk inherent in the investment portfolio with that of the coverage risk - for example, adding real estate investment exposure to the cluster risk for one geographic area. Much more difficult to prospectively model (that is, to better balance portfolio risk and coverage risk), commingled risk entails the integration of information and data among the ALM, pricing and marketing constituencies within a company.

Enterprise risk management

In addition to informing pricing, ALM and marketing management with aggregate risk analysis, insurance companies are beginning to focus on the management of risk across the enterprise rather than simple, non-claim-related cost containment. Such company-wide risks emanate from a variety of areas, such as claims handling, reinsurance selection and management, interest and dividend payments, and the like. Each of these activities affects an insurer's cash inflows or outflows, so each must be managed efficiently to optimise the value of the enterprise.

In many circumstances, the management of the risks generated by value-creating activities can be more efficient if conducted at the enterprise level. Additionally, as value is typically estimated on an enterprise-wide basis, it is also logical to manage the associated risks at that level. There are a variety of methodologies to help companies implement an enterprise approach to insurance risk management. While the particulars and quality of each method differ, each has the same overall objective. Each is also dependent upon the design of the risk-managing organisation and the information generated by that organisation.

Many insurance companies are designed in a silo structure, an organisational configuration wherein each operational activity is generally undertaken independently and, frequently, so too are the risks generated by those activities. For example, there can be little interaction between the underwriting and claims departments of an insurance company. Similarly, there can be very little (if any) interaction between insurance investment personnel and corporate finance personnel. As a result of this structure, the information generated from insurance activities is rarely shared or synthesised.

In simpler and less volatile times, the silo organisational structure provided a workable framework in which to conduct the business of insurance. But the structure was not without difficulties. For example, problems often arose during merger and acquisition activities when different systems and operations were being integrated.

Given the dramatic regulatory changes experienced in the recent past by the insurance industry, progressive globalisation and quantum leaps in information technology, the silo structure is giving way to newer, more strategy-focused structures. This change facilitates the operational efficiency of each discipline (for example, underwriting, claims and administration), as well as the synthesis of the information generated from those disciplines. This synthesis can result in more insightful management reports, which can be used dynamically to manage the risks of insurance at the enterprise level to create value over time.

Automating the process

As the insurance organisation moves to an integrated enterprise risk management policy, taking a holistic rather than a purely financial approach, it makes sense to implement a similarly integrated approach to IT governance. Integration has proven beneficial through lower cost and risk, in conjunction with more immediate management information shared throughout the enterprise. In pursuit of integrated IT governance, the CIO may choose to implement the emerging ISO series of standards to demonstrate best practice through independent certification that covers key aspects of integrated IT governance.

At the heart of greater efficiency and support of enterprise risk management is the middleware. If this can be similarly linked through compatible products that are scalable and flexible to adapt to the different demands of risk management in life and pensions, general insurance and broker business, then the industry can utilise a common set of tools that are available globally.

- Rosemarie Sansone is a partner, Joseph Calandro a managing consultant and Mike Eagan a business solution professional at IBM global business services.

IT ERM approach

The use of middleware for governance, risk management and compliance in the insurance industry is growing quickly as companies are faced with the prospect of increasing regulation and compliance. Current challenges facing many organisations include Solvency II, International Financial Reporting Standards, International Accounting Standards and Sarbanes-Oxley. An effective ERM approach can be broken down into the following five areas:

1. Business insight

Improve understanding of what information exists, and where, in support of governance, risk and compliance requirements, aligning the business with IT processes and controls.

2. Risk analysis

Integrate risk analysis with business policies, including portfolio assessment, threat evaluation, risk determination and mitigation, with modelling.

3. Policies and procedures

Document risk management and compliance policies, with predefined response to risk and events, including clearly defined and compliant approval processes, in conjunction with auditors.

4. Security and controls

Implement security access and controls, aligned with the ISO 27001 information security international standard, including policy support for privacy, retention and risk reduction through establishing tiered approval controls.

5. Demonstrate compliance

Demonstrate compliance with legal and corporate policy requirements using approved checkpoints and change plans, with results fed into the business improvement process. Automation is focused upon policy enforcement, log reporting, and improved speed and accuracy of document retrieval.