Insurance companies' business units and enterprise risk management (ERM) departments need to jointly contribute in order to leverage the benefits of economic capital models (ECMs) so that risk-based financial management is pushed through the entire organization.
ECMs are becoming standard fare at insurance companies, although the degree to which they are embedded in risk taking and risk oversight activities is more variable. Depending on the ECM's design, it has the ability to provide value in shaping a broad array of risk decisions, as the figure below shows. Participants in Towers Watson's 2012 Global ERM Survey suggest that their models currently support a number of key business decisions spanning various business functions and that expanded usage is planned for the future.
We advocate that all companies should strive to have senior management, model owners and frontline risk takers scope the ECM's design and use it to make risk-based financial decisions. Senior management must trust the model before it can be embedded in, and help support, decision making. The use of the model in decision making has the potential to result in financial benefits and improved competitiveness.
It's useful to step back and consider the way that an insurance company implements ERM in the real world. A common approach is to create a risk governance framework consisting of an organized network of coordinated, yet independently performed, risk management roles found in one of three functional areas sometimes referred to as the three lines of defense:
- Business units execute the company's business transactions and are the risk owners. Each business unit has experts who establish and execute risk policy designed to improve the unit's risk-taking activities that align with corporate risk appetite. Examples of business units at insurance companies are actuarial, underwriting, claim and investment departments.
- The ERM department coordinates and oversees an ERM governance system to manage the enterprise's net retained risk that originates from the collective set of business units. Its thematic role is to reduce the likelihood that the collective risk-taking activities of the business units could lead to the failure of the corporate mission and strategic objectives. It also helps the business units understand those risks that fall within the corporate risk tolerance and are therefore acceptable.
- Internal audit performs activities that ensure the policies and procedures established by the business units and the ERM department are documented and fulfilled in practice.
This article focuses on the ECM's role in the activities within the business units and within the ERM department. The ECM and the business units are important to each other, as we will explain. It is only when these vibrant synergies exist that the ECM becomes real, i.e., more than an expensive and academic actuarial exercise. We begin by making the case that the aggregation of all risk embodied in the ECM is owned by the ERM department. However, owning the model does not imply locking the business units out. Our contention is that risk-based financial management pushed through the entire organization creates value. Making the ECM real for business units is an important element of embedding risk-based financial management practices and risk culture in the fabric of the organization.
What Is the Purpose of the ECM?
ECMs at insurance companies are corporate tools that generate holistic measures of the enterprise's aggregate risk, which can include balance sheet volatility, earnings volatility or any of its components. The ECM provides an enterprise-wide view of threats to solvency and, ultimately, the corporate mission and strategic objectives. In order to meet this objective, the model needs to fully reflect all risks, both attritional and catastrophic, recognizing the aggregation of any single risk across the organization and the diversification effects at the enterprise level. One role of the ERM department is to present and interpret these ECM-generated strategic risk analytics for senior management and discuss whether they are in alignment with the risk appetite of the company, including stakeholder expectations.
Who Owns the ECM?
Measurement of enterprise risk is fundamental for the ERM department to perform its duties. The ERM department uses ECM analytics for the role it plays in the organization, and needs to understand and have confidence that the model is suitable for its purpose so it can explain and vouch for these analytics. It needs to be certain that the ECM captures the material risks of the enterprise and aggregates them properly to accurately depict enterprise risk. The ERM department needs assurance that the ECM combines the components of a risk that exists in several departments within the enterprise. It is responsible for ensuring the ECM is validated and represents a reasonable assessment of risk via well-informed parameters and data. Risk experts should always be used to inform the parameterization of the ECM, and this expertise may come either from within the business units or ERM teams. The overall robustness and reasonableness of the risk assessment lives with the ERM team, which should have the authority to expend resources on the model to keep it current and improve its robustness. So the ERM department should own the ECM model.
Business units with underwriting responsibility rely on pricing models and other analytic underwriting tools to prioritize resources, and maintain and update analytics, driven by their importance to the functioning of the underwriting units. Similarly, business units with investment responsibilities have their investment models tailored to their specific uses in evaluating risks taken. The sidebar above provides some specific examples.
The ECM and business unit models should be consistent whenever there is overlap, e.g., consistent volatility assumptions for underwriting or asset risk. This commonality is appropriate, since one ERM goal is consistency of the risk attitudes and risk perceptions in risk-based decisions made throughout the organization. The business unit should have a process for validation of output prior to it being shared with the ERM team. The healthy debates generated between the ERM department and business units during the validation process are a normal part of the interaction between the first and second lines of defense.
Why Does the ECM Matter to a Business Unit?
The ECM can be an effective means for senior management to communicate its attitudes about risk, encourage a unified risk language and promote a positive risk culture throughout the enterprise. Senior management uses the ECM to enhance the value of the enterprise through improved risk/reward decision making at the business unit level. The ECM may also be put to use to augment the tools owned by the business units. Here are some ways that the ECM can impact the units' activities and their people:
- It validates a business unit's contribution to the overall value of the enterprise. For example, while a business unit's contribution to income is additive to the income of the other units, the specific business unit may also provide a diversification benefit, reducing the volatility of the aggregated income for the enterprise.
- It can impact a company's perception of risk and alter the desired composition of risk that is to be written in the business unit. For example, the business unit's mix of business in the annual corporate business plan may be impacted.
- It may be used in a way that affects the overall profit loads used in a business unit's actuarial pricing. For the business unit, output of the ECM is often used by senior management to notionally budget a portion of the enterprise's capital at risk for segments of the unit. This may lead to the creation of a performance benchmark with underwriting profit and/or combined ratio targets that the segments are expected to achieve over a time horizon. In such circumstances, the permissible loss ratio may be adjusted, and actuarial prices would move in concert.
- The ECM may affect bonus plan targets. For example, allocation of capital to the business unit may become the methodology used to budget profit goals across the business units. This may be used in a bonus plan to reward the unit for goals it achieves.
The ECM can be deployed either directly (mini-models connected to the overall ECM) or indirectly (allocated capital or risk-adjusted targets) within the business unit. The ECM outputs really do matter to the business unit because they can influence the unit's risk decisions, destiny and the compensation of its members.
Consequently, key people in the unit should possess a high degree of confidence that the ECM robustly captures the material riskiness and profitability of a business segment, and its contribution to the diversification of the entirety of the enterprise's risks. The segment leadership needs to be charged with the responsibility of helping frontline individuals understand how their daily risk-taking decisions affect the aggregate risk of the entire enterprise.
Why Does Business Unit Participation Matter to the ERM Department?
The ERM department should actively solicit the participation and buy-in of the business units in ECM development, validation and maintenance. In so doing, the model will be more robust and will better reflect the business unit's business needs and expert understanding of the risks assumed, how they should be measured and how they correlate with other risks of the enterprise. We believe that this participation will reduce ECM risk, model and data errors.
Here are a couple of techniques we have observed to be effective in getting the business unit's expertise into the model. One way to achieve this objective is to have the business units heavily involved with the parameterization of the ECM elements associated with their unit. Another is for the business unit to be provided ECM output reports and asked to sensitivity-test the effect on risk metrics of these methodologies and parameters. In fact, a risk parameterization process ideally includes: 1) sensitivity/stress testing, 2) results validation, 3) expert/audit signoff and 4) documentation shared by the business unit and the ERM team. These methods have been shown to create business unit buy-in. They facilitate a process whereby the segment takes ownership of the quantification of the risk inherent in its business. A clear benefit is the confidence that is built within the business units that the ECM really does capture both the risk and reward that the business unit adds to the organization.
By sharing model architecture and parameters with designated risk experts and owners throughout the organization, the ECM becomes more embedded, resulting in the following benefits to the enterprise:
- Generates understanding in the event that capital allocations change unexpectedly
- Facilitates model upgrades and explains their effects on the segment's risk metrics and performance targets
- Reduces bias in decision making
- Motivates enhanced risk-taking behaviors and encourages learning, in the belief that a segment can influence its capital allocation with improved risk processes
- Improves lines of communication and builds collaboration between the business units and the ERM department
- Develops broader risk management acumen from experts who truly understand the underlying risks, which will deepen and broaden an enterprise-wide understanding of the risks and their measurements
The ECM Belongs to the Enterprise
The business units' participation is more than just a step in the right direction for ECM integration. It encourages a common risk language and continual reinforcement of the staff's risk attitudes and behaviors. A coordinated ERM effort promotes a more profound understanding of the complementary ideals of model consistency and model independence. In the long run, we believe that it will create value for the enterprise.* But one of the barriers to such a coordinated ERM effort is a lack of understanding of the language used in the conversation — the ERM department's language can be too technical, and the business unit's language can be focused solely on the unit's function. By working together, these two essential elements of the risk governance structure will learn to communicate with each other.
In our work with certain insurance companies, we sometimes observe reticence on the part of the ERM department to share the ECM with the business units. Some are concerned that it will divert attention from the work of running the business, and some are protective of their turf. Likewise, we have observed reluctance on the part of the business units to get involved with the ECM. Some are too busy already; some are concerned that it's too far outside their area of expertise for them to understand; some are fearful they will have a diminished role in risk selection, and some don't understand why it's important to them. We contend that an insurer should work actively to overcome these barriers because there is little downside risk to getting the business units involved with the ECM, yet there is a huge potential for gains.
According to participants in Towers Watson's 2012 Global ERM Survey, allowing for risk in business processes like capital management, performance management and pricing enhances business performance. Our survey found that 61% of insurers responded that allowing for risk in business processes creates value for the enterprise. That percentage increases to 81% for those insurers that have more fully implemented these practices.**
Active inclusion of the business units relative to the ECM is healthy for the enterprise and is an organizational affirmation of their risk expertise.
For comments or questions, call or email
Tom Hettinger at +1 312 201 5438,
Martha Winslow at +1 952 842 6527,