Enterprise risk management (ERM) in Insurance

Enterprise risk management (ERM) is an expansion of the traditional risk management process applied to the portfolio of risks facing an organization. The traditional risk process involves:
  1. Risk identification - understanding the nature of the risks that face an organization,
  2. Risk assessment - measuring the impact of risks to the organization,
  3. Evaluating alternatives to mitigate, exploit, and/or finance the effects of risk events,
  4. Implementation - after evaluating alternatives, implementing the chosen optimal strategy, and
  5. Monitoring the outcomes to ensure that results are consistent with predictions.

Benefits of ERM to Insurance Organizations

The Executive Risk Manager of one insurance company stated that ERM helped the organization better identify and prioritize its risks. In some cases the company was able to save money because the risk management method it had been using was more costly than the actual exposure it was mitigating warranted. In the podcast accompanying this page he gives a brief overview of his ERM experience.

ERM History

Traditional risk managers focused on pure risks - hazards including fire, liability, and business interruption. Over time, the concept of risk management evolved to include financial risks due to changes in interest rates, commodity prices, and foreign exchange risks. As a result of derivatives debacles of the 1990s and corporate scandals of 2000s, ERM has emerged as a more global view which encompasses all the risks facing an organization. Aside from evolving risks, the concept of ERM gained acceptance as Sarbanes-Oxley and related international regulations required the board of directors of companies to become an integral part of the risk management process. The board is now ultimately responsible for a company's risk management program.

ERM Definitions and Frameworks

Various organizations have had the early word on the ERM process for insurers.
  • The Committee of Sponsoring Organizations (COSO) proposed an ERM framework that leverages a company's internal audit function. As indicated by COSO's definition of ERM, their framework appears to be concerned with protection against downside risks:

"ERM is a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

"ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purposes of increasing the organization's short- and long-term value to its stakeholders."

While the definitions are not unique, most descriptions include the following principles:

  1. Effective ERM is unique to a particular organization. Since every organization has a unique portfolio of risks and exposures, there is no single ERM program appropriate for all cases.
  2. ERM is a dynamic and continuous process, not a singular event in a company's history. Since risks evolve and change, so must a company's responses.
  3. ERM is a proactive process, not a reactive one. ERM creates a controlled risk-taking environment. An organization must understand the risks it takes and establish procedures to ensure that risk retention remains within pre-determined limits. In this way, while a company's results may vary due to uncertainty, outcomes will not be unexpected given a clearly defined tolerance level.
  4. ERM involves a portfolio view of risks, not a fragmented or silo approach. While specific roles within the organization may look at individual risks in detail, aggregation, communication, and mitigation are coordinated activities in the risk management process.
  5. ERM is part of the strategic decision making of an organization. Different strategies carry different levels of risk, which must be reflected in the operations of the company.
  6. ERM is focused on value creation for stakeholders. While a variety of benefits may be obvious, ultimately ERM should be implemented because it improves shareholder wealth.

Standard and Poor's ERM Review

While A.M. Best has indicated that it looks at ERM when evaluating an insurer's financial strength, it has not directly issued formal guidelines. In 2005, S&P formally released its guidelines for assessing an insurer's ERM strength, which look at five separate areas:
  1. Establishing a risk management culture
  2. Risk control processes
  3. Emerging risk response
  4. Internal models to quantify risk exposure
  5. Strategic use of risk management information
In late 2007, S&P announced that it will also include ERM when evaluating the credit risk of bonds issued by industrial companies.

International Developments

Concern over corporate governance issues has initiated a number of ERM-related projects internationally.

Additional ERM Resources

  1. Casualty Actuarial Society ERM web site
  2. North Carolina State University ERM Initiative
  3. Standard & Poor's ERM Initiative
  4. Society of Actuaries ERM certification