Fordham -How effective decision-making is within the IT department - Analysis...
An approach to erm in the insurance industry apria 2002 rama warrier&preeti
1. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
1
APRIA Conference
July 2002
AN APPROACH TO ERM IN
THE INSURANCE INDUSTRY
RAMA WARRIER & PREETI CHANDRASHEKHAR
ERM has made a considerable impact
on comprehensive risk management
strategy…
1. ABSTRACT
Enterprise Risk Management (ERM) is a
relatively new approach to managing
risks. ERM differs from the traditional risk
management method in its perspective of
seeing the risk exposure as a whole rather
than in parts. The benefits of this
integrated mode of risk management have
been well recognized now and we are
witnessing a clear drift towards this way
of addressing risks. This paper is an
attempt to explore the ERM options
available for managing risks of an
insurance company.
The concept of ERM, its objectives and the
way to implement it are discussed in the
paper. The main focus is to develop a high
level methodology for implementing ERM
approach in an insurance company.
2. INTRODUCTION
An enterprise operating in the current
global market operates under various
pressures. Some of them are:
reduced time-to-market
increased innovation to respond to
growing customer demands
leaner structures for greater profit
margins
Pressures like these are the drivers for the
desire of enterprises to stabilize their
operations around the expectations which
they would have carefully set for various
groups like shareholders, customers,
employees etc. The line dividing success
and failure is rather thin and hence
recognizing and managing risks which
may tilt the stability is a matter of great
importance. There are various ways of
defining risks. From an investment
perspective, risk can be defined as the
Issues viewing this
document ?
please check on
Conzulting website
For more articles /
white papers on
insurance, risk and
technology, visit
www.conzulting.in
2. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
2
variance of return. Or, it is a measure of
one’s inability to meet financial liabilities
as and when they arise. For an enterprise,
risk needs to be defined at a broader level.
Any issue, action or threat that affects the
company’s ability to meet its business
objective and execute its strategies
successfully is called a risk. Risk could
also be defined as a distinct business
possibility with a relatively low
probability of occurrence, but with a
significant adverse impact on the
operation and goals fulfilment of an
organization. Another way of looking at
risk is "Risk is what could lead to the
unexpected scenario which is detrimental
to the smooth and efficient functioning of
an organization in its efforts to achieve
pre-set goals". Or, we could define risk as
any possible event that could undermine
shareholder's value. There are various
methods of addressing risks - avoid risks,
reduce their effect, and even convert risks
into opportunities.
3. ERM – A ‘CORPORATE’
APPROACH
Enterprise Risk Management, called ERM,
involves identifying, understanding and
mitigating the major risks to the success of
one’s business. The method allows the
organization to have a comprehensive risk
outlook and management method which
integrates various elements and helps in
optimizing the solution. The traditional
Risk Management approach looks at the
component risk exposures and designs a
mitigation method for each component
without really mapping it into the big
picture. ERM looks beyond this and
focuses on an integrated management
process to address the entire range of risks
faced by the organization spanning from
operational to the political risks. Hitherto,
Risk Management used to take place as a
"silos focused " activity. This method
severely curtailed the efficiency in
application of risk management
techniques as well as in maintaining an
integrated risk approach for the enterprise
as a whole. ERM helps in getting and
defining a flexible mechanism to handle
both financial and operational risks.
In a recent survey conducted by
Economist Intelligence Unit, the CEOs and
senior finance executive of a wide range of
organizations mentioned that 41% of them
manage risks using ERM techniques. And
nearly one-fifth is planning to move
towards it within a year. This success of
ERM in financial and non-financial
organizations confirms beyond reasonable
doubts that ERM is the future approach
for risk management.
4. OBJECTIVES
ERM essentially aims at defining a process
by which an organization monitors and
deals with enterprise-wide risks to enable
it to meet its business objectives. The
single objective of ERM is enhancing the
shareholder's value. This, when translated
to a comprehensive risk management
program for an organization would mean
achievement of the following objectives:
Strategic Objectives:
Improving capital efficiency
Building investor confidence
Pro-active (rather than reactive) risk
management processes
Improve ability to respond to critical
/ catastrophic risks
Operational Objectives:
3. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
3
Standardizing understanding of risk
across the organization
More informed decision making
Converting risks into opportunities
Establishing processes for stabilizing
results
Optimal allocation of resources for
risk mitigation
5. ERM IN INSURANCE – ITS
RELEVANCE
ERM has been found very useful and
effective by companies who have used it
to manage their primary risk exposures.
Insurance companies being risk carriers
need an even more integrated approach
for risk management, as they are required
to manage secondary risks that yield less
accurate impact analysis results. Insurance
companies the world over are operating in
an environment of stiff competition and
increased volatility. They are exposed to
higher risks of insolvency. Added to that
is the fact that there is additional pressure
on technological innovation (expansion of
e-commerce means that more and more
information is stored in the form of data
thereby increasing technology risks). With
the expansion of operations of most
insurers into new and emerging markets
with relatively lesser-known exposures
and the simultaneous multiplication of the
complexity of risk exposures, the
effectiveness of risk
management is growing in
relevance for the insurance
industry. Compared to many
other industries, insurance
industry has a very wide
range of operational
decision-makers at various
levels. Having a "risk
doctrine" with a clearly
defined direction is essential
to steer the organization in
the right path. Various
departments like
underwriting, claims, policy
services etc operate in silos and hence
having an integrated risk management
method is essential. Another aspect which
makes ERM a useful tool for insurance
companies is the decision making process
in the industry. Insurance decisions are
based on the highly dynamic information
pool. Unless there is an organization -level
approach to risk management, ensuring
that the decisions are optimal from the
risk management angle is impossible.
6. STRATEGY FOR AN
EFFECTIVE ERM PROCESS
An effective ERM process for an insurance
enterprise should integrate its non-
insurance related activities with insurance
related ones resulting in a more
comprehensive and strategic approach.
This means that over and above the
insurance related risks like strategic risks,
Legal risks, Political risks (including
terrorism risks) and Catastrophic risks, the
more general risks like technology risks
should also be considered. The ERM cycle
could be modelled in four phases as
shown in figure 2
Identification phase
Quantification phase
Measurement and evaluation phase
Management and Monitoring phase
Essentially, the process entails developing
4. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
4
a Risk matrix at the enterprise level that
meshes together the risks identified with
the acceptable level of risk. Such an
approach helps in crystallizing the risk
identification process and helps the
enterprise to map its risk management
process to its business needs more
effectively.
Identification Phase:
This phase entails identifying the various
risks that an insurance company is
exposed to. After the risks have been
identified, they need to be prioritized to
arrive at a set of risk factors that are
crucial to the business. The most suitable
way of doing this is through interviews
with the management and any relevant
documentation that may be available. This
is better than verifying a checklist based
on a preconceived idea of potential risk
factors. The risk should be such that it
should be material in preventing an
organization in meeting its goals. The
risks can be broadly classified in the
following categories:
Marketplace risks:
The insurance company is exposed to
various risks due to the environment in
which it operates. The company has to
develop its market strategy keeping the
various entities like its competitor,
regulator etc. in mind.
The company needs to develop a
product management strategy that
would reflect changing market and
customer requirements.
An efficient an effective Customer
Relationship Management strategy
would enable to establish a profile for
customers and prospects to determine
their insurance needs and also the
risks they are exposed to (occupation,
financial strength, claims history etc.).
This information would enable the
company to define new products, the
product specific underwriting rules
and perhaps profit testing and
sensitivity analysis.
The technology that supports the
company’s product development and
management strategy should give it a
leading edge to reduce cycle time for
introduction of new products and
changing business rules of existing
products.
Deregulation in many South East
Asian countries has brought in new
competitive pressures with increased
pressure on margins for the existing
players. e.g. in the Indian insurance
industry, some companies who have
not traditionally been operating in
financial services have entered the
newly opened up insurance market.
Globalization of the industry brings in
new capital , best practices and
business process know-how into the
market.
Operational Risks :
Another major area of risk exposure for
insurance companies is the operations.
The growing complexity of operations has
led to increase in the complexity in the
risk exposures as well. The important
categories of operational risk exposure are
described below :
Technology Risks – With the
dependency and investment in
technology increasing in an
exponential pattern, one of the prime
risk areas which require the attention
of the organization is technology
risks. Technology risk exposures
could vary from down-time of
website which affects the image of the
company and the service promises to
security risks which could jeopardize
the whole organization. The potential
risk exposures on the technology side
are shown in the table given below.
Property risks : One of the primary
risk exposures in operations is the
property / fixed assets which are
5. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
5
required to run the business. This
would include offices, business
equipment, communication
infrastructure, computers etc. Several
insurance offices operating from the
World Trade Centre had to cope with
the problems generated by the
property risk exposure. The business
continuity plan of the company needs
to specifically address the issue of
providing alternatives to the
dependence of operations on specific
property.
Legal & Liability risks : Insurance
companies handle two types of legal
issues – litigations against them and
litigations taken over by them as a
part of claim settlement. Both these
expose the company to legal and
liability risks which need to be
carefully assessed with legal
assistance. The potential losses could
include legal expenses, punitive
damages, liability awards made by
courts and fines. There is also a non-
quantifiable part to the legal /
liability losses, which relate to the
reputation of the company. This is
intangible and difficult to measure.
However, careful allowance has to be
given to this factor while taking
important decisions on legal /
liability risks.
Human Resources risks : Any service
industry is highly human resources
dependent and insurance is no
different. The availability of the right
skill sets is a critical factor for running
the business. The significant
exposures are in high employee
turnover, labour issues, strikes,
reduced productivity, lay-offs etc. The
organization has to concentrate on
improving the efficiency of the HR
processes and management to curb
these risks.
International risks :
The operations of most of the major
players span over different countries,
which exposes them to a new set of
political and market risks. The biggest
perceived risk on account of international
operations is the political risk. The
peculiarity of this type of risk is that it is
well beyond the ability of the organization
to influence, control or even foresee what
is likely to happen. Developing clear
policies to deal with political risks is
essential for effectively handling them.
The spectrum of political risks could range
from the political differences between the
home-country and the host-country to
terrorism risks. In addition to political
risks, there are significant other exposures
like marketplace risks, cultural issues,
demographic and economic issues which
needs to be carefully managed in the host-
country.
M&A risks
There has been substantial M&A activity
in insurance markets in the recent past.
This has led to the emergence of M&A
risks as an area of concern for insurance
players. The exposure to M&A risks can
be classified into two – strategic and
operational.
The former relates to the objectives of the
merger. Studies have shown that majority
of mergers have eroded shareholders
value. Identifying and evaluating the
assumptions of generating synergy,
leveraging the strengths of the individual
entities etc. is essential to ensure that the
merged entity would be able to achieve
the desired results. The forecasts of
revenues, growth, cashflows etc and the
proposals of restructuring carry high level
of risks unless carefully studied and
managed. The operations of the merged
organization are exposed to several risk
6. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
6
factors emerging from the integration
issues. These could be related to
infrastructure, systems, cultural,
management etc. The recent incident of
the merged Japanese banking giant
Mizuho failing to offer promised services
owing to systems breakdown is a good
example of how infrastructure and
systems could pose a threat to operations
at the time of a merger .
Others
The evolution of the insurance market has
changed the way insurance is designed
and transacted. The product development
activity is on the ‘fast track’. Innovation is
a necessity to survive. The eagerness to
move ahead quickly on the path of
innovation exposes the organisation to a
lot of risks, the main one being
unintentional acceptance of unknown
risks from the insured. Increased
competition is a business risk posed by the
trends of Globalisation. Many of the
markets have seen a sudden surge of a
large number of competitors with the
liberalization of regulations. Such sudden
increase in competition could upset the
business plans and projections of the
established companies.
Quantification phase
This phase entails modelling the risks
based on the data gathered. The modelling
would involve analyzing:
Causes of the risk factor.
Various outcomes of a risk factor
The likelihood of the risk factor.
Frequency and predictability of its
occurrence.
Potential effect of the risk on the
financial metrics of the company.
All the risk factors have an element of
uncertainty associated with them with
regards to the timing, nature and the
quantum. The uncertainty can be best
represented by a probability distribution.
So, the aim of modelling the risks is to be
able to represent the risk, its causes and
effect in the form of a probability
distribution.
7. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
7
In order to be able to model the risk, the
first step is an understanding of the causes
of the risk. An insight into the causes
could be obtained through historical
evidence, interviews and brainstorming
with the senior management. Tools like
flow charts, questionnaires etc could be
used to improve the efficiency of this
process.
If one maps the cause-risk-effect
relationship in a graphical manner, it not
only helps in the causal analysis and
better understanding of the risk, but also
helps in risk mitigation strategies.
An illustration for the cause-risk-effect
relationship for an insurance product is
given below.
Cause-risk-effect mapping for an insurance
product is given in figure 3
Another way of analyzing risks is by
mapping the risks with the possible
indicative measures that can be used to
model them. The output is a risk matrix
that maps the various risks with the
measures which enables to classify risks
according to their scope and ability to
affect the enterprise.
Given below is an illustration:
There are various other methods also
available – influence diagrams, decision
trees etc which illustrate graphically how
different variables or factors that influence
risk interact with one another. However,
all these methods assume certain amount
of prior information or knowledge (based
on some preliminary analysis based on
empirical data).In cases where empirical
data is not available, the key challenge lies
in coming up with a probability
distribution that best represents the risk
factor that is being modelled. In the
absence of data or any scientific
knowledge, one needs to rely on expert
opinion.
If one looks at the various methods that
can be used, they can be positioned in a
continuum depending upon the extent of
knowledge that one has with regard to the
outcome. While one end of the spectrum is
complete knowledge, the other end is total
lack of knowledge. In between lies the
area that deals with problems whose
outcome has varying degrees of
uncertainty.
The various methods used to model risks
range from empirical analysis at one end
of the spectrum to that based on expert
statements and interviews on the other.
The other methods like the Bayesian
approach (causal modelling) fall
somewhere in the middle of these two.
(Refer: Enterprise Risk Management, An
Analytical approach; Tilinghast-Towers
Perrin, 1/2000).
8. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
8
There is no straitjacket approach to
modelling risks. Each of the methods has
its advantages and disadvantages. The
method to be chosen should depend upon
the circumstances and data available.
Measurement and evaluation
phase
After the risks have been modelled, we
need to be able to
identify the top
risks for an
enterprise. The risks
identified need to
be prioritized in the
order in which they
impact the
enterprise. For this,
the risks need to be
linked to the
financial metrics at
the corporate level.
What is required for
this is a framework
that links the risks
to the financial
metrics. However,
the various risks that are modelled as
articulated in the previous section may be
expressed as different units. For e.g. the
risk of competition that can be measured
in terms of loss of sales volumes can be a
probability distribution based on
introduction of new technology,
regulatory changes (de-regulation),
attrition rate (especially of skilled
workers) among others.
The risks need to be combined to the
extent possible and linked to the financial
metrics of the company. Though the
financial risks can be aggregated in at the
enterprise level, the aggregation of
operational risks poses a major challenge.
There are no robust methods readily
available to represent operational risks.
For one, there is very little historical data
available. Secondly, operational risks are
addressed by changes in business
processes, technology etc. They cannot be
managed through hedging in the capital
market. Let us try and illustrate this
through a model for an insurance
company that shows how the various
components of business can be meshed
together to map to the financial metrics.
These components can be then mapped to
the various risks that the enterprise is
exposed to. Figure 4 shows the
illustration. Once that is done, the various
risks need to be classified as shown in
figure 5
Risks which appear in the top two
quadrants are highly critical and deserve
special attention of the risk manager. The
risks which are low on impact but high on
control would require re-visiting as the
control measures appear disproportionate
with the exposure and may need toning
down to save costs.
9. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
9
Management & Monitoring
After the top risks affecting an enterprise
have been identified and
prioritised, the focus shifts to
effectively managing them.
Broadly, the risk manager has
four options to choose from - (i)
Avoidance (ii) Retention (iii)
Reduction and (iv) transfer Risk
avoidance is the ideal way to
manage any type of risk. But it
is more impractical in business
contexts. Risk Retention
involves efforts to optimise the
level of retention of risk within
the company without exposing
the organization to exposures
beyond what is strategically
acceptable. Retention is a key
decision owing to the impact
which it could make on the
bottom line and the difficulty in
arriving at the best possible retention
level. Risk Reduction is the strategy
adopted to contain the potential effects of
any exposure. Risk reduction actions
could include steps like altering the
business process to reduce the exposures.
Risk Transfer is the easiest to implement,
but the most expensive option at the same
time.
The Risk Manager would choose one or a
combination of the options to manage the
identified risks. He has to strike a balance
between the cost – benefit relationship of
each option. In order to arrive at the best
option, the current methods employed
need to be studied in terms of their
effectiveness for evaluating their capacity
to cater to the future risk management
requirements at the enterprise level. The
foremost objective of ERM is enhancing
shareholders value. However, the
corporate objectives like maximizing
growth and improving financial measures
have to be taken into account at the same
time.
The steps of the Management process are
shown in figure 6
The effect of a particular risk management
strategy should translate to its effect on
financial metrics of the enterprise.
Monitoring
The effectiveness of the risk management
program depends on the speed with
which it responds to the changes in the
assumed scenarios. The environments in
which most companies operate are so very
dynamic that frequent revisions may be
called for, to maintain the program in line
with the changes in exposure. The best
example is the recent development of
terrorism exposures. In the aftermath of
September 11, all the insurance companies
radically reviewed their risk management
programs.
Monitoring process would include
measuring the effectiveness of the current
risk management program as well
evaluating the risk factors to verify
whether any change in the program is
required. Major changes may need to go
through the full ERM life cycle to get
properly integrated.
The monitoring process needs to be
clearly defined at the time of formulation
10. AnapproachtoERMintheinsuranceindustry|www.conzulting.in
1
0
of the ERM plan. The roles and
responsibilities of the people involved and
the frequency, methodology and reporting
of the monitoring process should be
clarified and documented to stop
inefficiency of implementation.
7. IMPLEMENTATION OF ERM
Implementing ERM involves a lot of
challenges as it requires a cultural change
in the organisation. Unless the concept is
well sold inside the organisation, one
cannot hope to get the best results.
Corporate communication plays a key role
here. Enterprises which have successfully
implemented ERM have carefully
managed internal communication,
awareness- building and training of
resources.
There are several impediments to the
implementation process. The main
hurdles include the following :
ERM objectives not in alignment
with the corporate objectives
Lack of good decision support and
statistical analysis tools / systems.
Cultural mis-matches
Operations in a highly
underdeveloped market
Ambiguous organisational
structure within the enterprise.
8. CONCLUSION
ERM has made a considerable impact as a
comprehensive risk management strategy.
Insurance companies are yet to adopt this
approach in a full measure. This would be
more relevant to insurance carriers as
their risk exposure is much more complex
than those of other industries owing to the
complication of accepted risks in addition
to the organizational risk exposures. ERM
as a strategic approach should be an
avenue which insurance companies would
need to explore, especially in the highly
competitive and low-margin market
conditions prevailing today.
ERM needs to be culturally integrated into
the enterprise. It is not a mere technique to
manage risks, but a philosophy which
suggests that risks needs to be identified,
measured and managed with a holistic
perspective.
9. REFERENCES :
1. Metzner Claude S. 2001, Enterprise
Risk Management - An Insurance
Company Perspective
2. Tillinghast Towers Perrin
Enterprise Risk Management - An
Analytical Approach
3. Holton Glyn A. Enterprise Risk
Management, Contingency Analysis
4. Kessler Denis 2001 Anticipating and
Managing Risks in the 21st Century,
The Geneva Papers on risk and
Insurance Vol. 26
5. Dickinson Gerry 2001 Enterprise
Risk Management : Its origins and
conceptual foundation, The Geneva
Papers on Risk and Insurance Vol.
26
6. Tillinghast Towers Perrin Creating
Value Through Enterprise Risk
Management - A Practical Approach
for the Insurance Industry
Authors could be reached at warrier@conzulting.in
or Preeti.Chandrashekhar@towerswatson.com