This article identifies some of the key areas of enterprise risk management and discusses how ERM can be achieved effectively.
There is no shortage of commentary hypothesizing what constitutes effective enterprise risk management (ERM). Many articles appear to draw upon the early efforts of the Committee of Sponsoring Organizations (COSO), which published Enterprise Risk Management — Integrated Framework in 2004.[1] Its description of ERM offers useful guidance for financial institutions to this day:
“Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
In essence, ERM involves managing the acceptance of risk to achieve the objectives of the business. The ERM process diagrams (Figure 1) are typically cyclical in nature, conveying the idea of continuous refinement of an insurer’s risk management approach in a dynamic business environment.
A firm needs to define its strategic business objectives, explicitly identify its material risks, quantify the willingness to take on more risks, define the actions to be taken for a variety of foreseeable circumstances, and measure performance against expectation.
Evaluating performance against business objectives requires that risks be identified and measured and the results delivered to stakeholders. The information generated can automatically trigger actions (e.g., breached limits and the accompanying responses specified in policies), provide the basis for decision making, foster internal debate, or stimulate further analysis (e.g., stress testing).
While most risk management practitioners recognize the guidance provided by COSO as standard best practice, achieving effective ERM is by no means simple. This article discusses the key areas of ERM to propose ways in which it can be effectively achieved.
ERM confronts the challenge of combining disparate sources of risk to provide senior management and the board with a comprehensive and holistic view of the risks facing the business, so they can create value for stakeholders. This requires that firms understand the qualitative limitations of whatever mathematical formula is used to aggregate risk, rather than ignore the weaknesses of the model.
The highlighted concern is not about the identification of the best statistical approach to aggregation, but rather the necessity for firms to understand the limitations of the method. The question that should be asked is: What is the sensitivity of the risk results to the assumptions that underpin the method? This example also underlines the importance of accessible models whose implications can be understood outside of the actuarial modeling department.
In addition to linking qualitative and quantitative elements, or combining risk types for a holistic view, another aspect involves the interaction of different job functions. ERM permeates an organization and requires the involvement of IT, actuarial, asset-liability management (ALM), and finance. Operational silos hinder the development of a common understanding of risk among stakeholders, which reinforces the importance of risk culture and strong leadership.
Risk culture is commonly mentioned as an important factor in ERM, but few commentators acknowledge the practical difficulty of altering the existing culture of an insurance company (or any financial institution, for that matter). Strong support from the board and senior management is critical to embedding risk in an organization. Senior-level commitment involves more than simply stating the importance of risk – it entails communicating how risk is defined, managed, and mitigated.
Of course actions speak louder than words, so the board and senior management must adopt and encourage risk-aware behavior. Integrating risk into a variety of business practices (e.g., product pricing/design, hedging, reinsurance, investing, and management compensation) can reinforce the message.
Once management has outlined the strategic objectives, key indicators need to be defined against which performance can be evaluated. These indicators can include profitability, capital adequacy, credit rating, dividend stability, and financial ratios. The calculation of these performance metrics relates directly to the effective management of the business. While regulatory compliance may require a focus on a 1-in-200-year event (the tail of the distribution, i.e., the 99.5th percentile of annual losses), a 1-in-20-year event may be more relevant for business planning purposes.
Regardless of the metrics selected, the ability to produce appropriate performance measures is essential. The challenge facing most insurance companies is that they are not creating an ERM framework from a blank page. There often exists a wide assortment of software packages (often multiple tools performing the same task), spreadsheets, databases, and manual processes – all of which can contribute to ineffective risk management. The inertia caused by the seemingly impossible task of updating these various systems and processes can prevent an organization from making real progress on ERM.
For most insurers, it is not practical to remove the existing technical infrastructure and start over, so pragmatic choices will be necessary. A robust technical infrastructure allows for the integration of various data sources, calculation engines, and reporting and analysis tools. The removal of unnecessary human interaction should be a guiding principle, along with security controls, audit trails, automated workflow, archival, and sign-off capabilities.
The technical infrastructure to support the generation of risk and capital metrics in a timely fashion should be robust, with the ability to accommodate the varied demands of the consumers of risk information. Firms should consider the potential for multiple representations of an insurance business, such as International Financial Reporting Standards (IFRS), Generally Accepted Accounting Principles (GAAP), Market Consistent Embedded Value (MCEV), economic capital, and Solvency II regulatory capital.
Everyone readily agrees on the importance of data quality, but it is not clear that the industry has responded to the challenge. The commonly recited adage of “garbage in, garbage out” captures the issue effectively. Since the data is ultimately used to make strategic business decisions and to plan ahead, it follows that the source data must be of the highest quality possible. It is hard to overstate the importance of data quality – it is of little consequence that models are highly accurate if the data used is not reliable.
In general, data management involves the automated collection of data from internal and external sources, institutes quality checks, and applies modifications to arrive at a single “golden copy” of data that can be used in all downstream calculations. This single source of data then ensures that consistent information is used by the various calculation engines and establishes with certainty that apples are being compared to apples.
There has been a tendency to focus a lot of time and effort on the pursuit of the “perfect” model that produces the most accurate representation of the business. While this may be a worthy endeavor, it introduces potential shortcomings. If the model is too complex, it may not be well understood by management (see Gaussian copula above), or it may not be practical enough to generate a timely result.
This has led to the adoption of stress testing and what-if analysis to supplement the valuation and projection of the balance sheet. Evaluating how the risk or capital position will change due to a shift in circumstances is the essence of good risk management. This could involve assessing the impact of different asset allocation strategies, altering the hedge program, comparing different management actions, changing new business expectations, and varying correlations. It is important that stress testing fosters a dialogue about how resilient the business will be under both plausible and extreme outcomes.
To make things even more intuitive for senior management and the board, insurers have recently adopted narrative stresses, which aim to map macro-themed events onto the underlying risk factors to show the change in the risk and capital position. For instance, these could replay historical events (e.g., Black Monday), or use economic research to estimate the implication of events that may not occur (e.g., Italy exits the euro).
While a robust technical infrastructure and suitable risk management tools are prerequisites to effective ERM, just as important is the institution of good governance, processes, policies, and – above all – senior management sponsorship.
The process of embedding ERM into the daily operations of an organization requires senior management and board support, with a good dose of patience. Culture is not something that will change overnight.
Establishing an effective enterprise risk management framework can be complex and difficult. However, providing a comprehensive and holistic view of the risks facing a business, so that senior management and the board can make more informed and risk-aware decisions, is worth the effort and can be achieved by focusing on the right areas.
[1] COSO, Enterprise Risk Management — Integrated Framework, September 2004.
Director, Risk Consultant
Andrew helps develop the Moody’s Analytics Advisory Services offering, working across multiple teams to deliver tailored enterprise risk management solutions for insurers. He is dedicated to providing Solvency II internal models, and is experienced in liability approximations (replicating portfolios, curve fitting, Least-Squares Monte Carlo), ALM, hedging, economic capital optimization, and stress testing. Andrew has more than 10 years of experience in risk management for pensions, banks, asset managers, and insurers.