According to Towers Watson’s Global Insurance ERM Survey of almost 400 insurers worldwide, insurers are most satisfied with ERM when they engage the risk management function as a business strategy partner. In this roundtable discussion, Towers Watson panelists share their insights based on experiences helping insurance companies advance their ERM programs.
Moderator: What does it mean for insurance company senior management to engage the risk management function as a strategic partner?
Mennemeyer: Companies looking for strategic value in risk management — as opposed to simply using it for regulatory compliance — want business insights they can’t get elsewhere. The risk management function can provide a broader perspective because it crosses company silos and looks at risk in the round.
Wilkinson: Risk management needs to be routinely integrated into strategic decision making at the beginning. Historically, risk management is brought in later in the process or after the process is complete, when there’s not much chance of influencing decisions. This is where we’re now seeing insurers making progress, and it’s quite a cultural shift.
Mennemeyer: I’d add that it’s important for insurers to emphasize managing risk as opposed to minimizing risk or avoiding it — really managing risk in a way that maximizes the trade-off between risk and return. By taking a strategic view of risk management, companies can focus on the risks they take intentionally as a consequence of doing businesses and avoid the risks that are inconsistent with company objectives.
Winslow: And strategic management of risk isn’t limited to large companies. We’ve been working with a small, privately held property & casualty insurer to develop their ERM program. Recently, they began to put together a comprehensive business strategy for the company for the first time. And they had the “aha” moment when they realized that they should directly link that strategy with their ERM planning and their understanding of the company’s risks. It’s so interesting that this small company with fairly simple exposures would really see the value in linking a strategic plan with the work they’re doing identifying risks, and then putting some ERM programs in place.
Moderator: What are some of the catalysts or business drivers that might prompt insurers to think more strategically about ERM?
Wilkinson: In the U.K., regulation has certainly been a driver. By that I mean that regulation can drive companies to think in a different way once they’ve gotten over the regulatory hurdle. Other catalysts traditionally have been losses or issues in parts of the business that require the company to fix something. But now, as ERM matures, we’re seeing more positive drivers: investment decisions, how to make the best use of capital and financial resources, how to change a portfolio or make M&A decisions. In other words, how to maximize the limited resources a company has at its disposal on a risk-adjusted basis.
Winslow: Another catalyst for ERM is a change in a member of the executive management team. One client of ours hired a CFO from the outside, and he understands that being more strategic about the ERM program would benefit the company. This is an extremely well-capitalized mutual company, so a key question for management is how they ought to be using that capital. In the process of answering that question, the company has done fundamental work to broaden its ERM program.
Mennemeyer: As a company develops, its leaders need a deeper understanding of risk and return so they can view their business from a broader perspective. But first, they’ll need to build a risk management framework and then link this to their business operations.
Wilkinson: A key point here is that risk doesn’t exist in isolation. Risk only exists as part of the business. So if your risk manager or CRO doesn’t have a clear understanding of company objectives, and the kind of risk/return balance needed to achieve those goals, he or she will only be doing half the job.
Winslow: The question really comes down to: What’s the purpose of risk management? Is it just there to stop a company from going out of business? Is it there to smooth the returns to shareholders? Is it there to make sure the company’s staying close to its business plan? You have to be clear about the purpose of your ERM program to understand what you’re testing for. It comes down to risk appetite.
Wilkinson: I’m glad you mentioned risk appetite because it’s so important. According to our recent research of almost 400 insurers worldwide, there’s been significant progress in the development of risk appetite in the last couple of years. Most (84%) now have a documented risk appetite statement, and more than half (57%) expect to make further changes to their risk strategy or appetite in the next 24 months. This is encouraging, because risk appetite is one of the first steps you need to take to really build your ERM framework. Risk appetite metrics with risk limits help bring the framework to life for day-to-day risk taking.
Wilkinson: More and more, management is looking at how they want to run the business not just on a capital basis, but on an earnings and a profit-and-loss basis. That’s an area that life insurers in particular could focus on more.
Winslow: A lot of insurers are asking fundamental questions about whether they really know and have properly articulated their risk appetite and risk tolerances for the entire organization, and the implications of that for business decisions. As an ERM program matures beyond regulatory compliance, the logical question is: What should we know about our risk appetite, and what are the implications of that for our capital model and business decisions?
Wilkinson: In my experience, not many insurers have actually addressed that very well. Recently, we’ve seen life insurers look at risk tolerance more closely. A key issue for them is how much discretion you give your asset managers and how you account for that in your risk appetite. We recently helped a client whose asset manager had quite a bit of discretion for one fund. Determining the scope of that discretion was a combination of expert judgment, quantitative measures and really understanding the true limits of that fund.
Mennemeyer: Many companies are comfortable articulating metrics for capital, liquidity and earnings at a very high level, but they almost immediately hit a steep uphill battle trying to figure out what it means for their business units. What it means to the front line, in terms of setting limits, creating metrics they can monitor frequently and understanding how to actually achieve those metrics.
Wilkinson: I certainly agree with that. And we see it across the industry. Risk appetite is complex, particularly when a company has to consider all its different risk types and a range of different businesses. You have to understand risk aggregations, diversification and so on, and how those elements combine in the overall risk appetite of a business. Flexibility and a level of interpretation are also necessary. Insurance companies can’t rely solely on a mathematical framework. Finally, risk appetite needs to change with market dynamics, and that has to be taken into account. So it comes down to having an effective risk/reward decision-making process.
Mennemeyer: Another question companies need to ask themselves is: How much do you want to constrain the business? How many controls are in place, and how much movement will you allow within certain tolerance levels? How will you make risk management work in practice? These are complex issues. A company has to understand its culture, and decide how the risk function will interact with company management and business operations.
Moderator: What can insurers do to help the risk function inform and shape the company’s business strategy?
Winslow: Part of risk management’s job is helping companies see that a capital model is really useful to them in making good decisions about allocation of capital, or risk and return in a particular area of the business, or with respect to assets.
Wilkinson: A key to using capital models for this kind of decision making is ensuring the upward flow of information. A complex capital model spews out a lot of data. But to present it in a way that’s meaningful for boards, for committees, for business management and for different purposes takes quite a lot of effort. The risk function also needs to present information in language the business understands. I’ve seen lots of instances where the information that management is given actually doesn’t help them at all.
Mennemeyer: Exactly. Companies haven’t set up models that are flexible enough to provide different kinds of reports to different audiences with different needs. So even though the current models are technically capable, they’re not practical. Insurers need to decide what they are trying to accomplish and make sure that they’ve structured their models so they provide a variety of reports efficiently. The risk management team should be an essential link to bringing it all together.
Winslow: I agree. And business management ought to be encouraged to ask questions, to challenge the risk group to create reports that help them make decisions. They should also push risk management to make the information more business-friendly.
Wilkinson: A lot of insurers are drowning in data, drowning in metrics. One of the beneficial roles of the risk function is to pull a lot of that together, to help the business look at risk drivers, both qualitative and quantitative. Some of it will come from the capital models, but some of it will come from the business’s leading indicators. For example, motor insurance indicators change very quickly. You won’t get an early view of those emerging trends from capital, so you need to look at operational metrics that are coming through on a regular basis. I think the risk function has a part to play in bringing it all together.
Winslow: Models have limitations. They take a while to run, and they’re not very agile. They might take into account the latest market variables, but they don’t necessarily reflect what might be going on underneath those variables. So there needs to be a qualitative aspect to risk management as well.
Wilkinson: Yes, it can be dangerous to make decisions based on numbers without understanding the context and the commentary around them — without really understanding what’s going on in the business.
Our latest ERM survey shows that over 30% of respondents are improving their capital models in important ways: with better methodology for individual risks (35%), better control of model data and calculations, and better model validation (31%). The economic, social and regulatory environments have all been moving quite a lot over the last few years. So a big challenge for models is to be fit for purpose going forward. And that includes making them less cumbersome so that companies can get information more quickly. Now that many of these models have matured, companies can better understand what they can do for them and how the models need to change to be even more useful going forward.
Mennemeyer: Companies are still working on developing more accurate models, methodologies and techniques for performing calculations. Speed is another area for improvement. Models need to produce the information in a reasonable amount of time, but they also need to produce results that are explainable. It’s not enough to see that a source of risk is largely concentrated in one particular entity or one particular type of risk category. Companies also want to dig deeper to understand how those results came to be, whether they’re good or bad, and what can or should be done about them. A lot of work is being done with capital models in those areas.
Winslow: I know of one very large insurer that started out with a model for one of the business units, and learned a whole lot about how it wanted to use the model and what information it would give them. Now it’s moving ahead to develop models for the other business segments and also for the group as a whole. Building one model for one business unit was a big help in terms of understanding how to build a group model that would be more than just a summation of all the business unit models.
Moderator: Why are large insurers more likely than small insurers to view risk management as their strategic partner? Is it purely a matter of resources?
Winslow: Resources certainly come into it, but larger insurers have to be better at ERM because they’re more complex entities. They need a stronger level of risk management to help manage the business. Most small insurers haven’t been doing this work as long as the larger insurers have, and their ERM programs may not be as sophisticated. Working with risk management as a strategic partner is fairly far along the road in terms of a company’s ERM journey.
Wilkinson: A lot of the larger companies have been doing this for 10 years or more, before the regulators became involved. And because they weren’t originally implementing ERM for regulatory reasons, they’re further along. There’s another important point here. And that is, an ERM program can’t properly be assessed until it’s been in place for a while. Risk cycles are strange things, and to put a program in place and right away say yes, we’re very happy with it, doesn’t necessarily hold water.
Winslow: I haven’t really seen companies assess their overall ERM framework in terms of the value they add, or how they could be better organized or better focused. Because of the regulatory push, they may feel that the program can’t be challenged. They feel that it’s a given, and it’s costly, and it just has to be done.
Mennemeyer: One ERM objective is to avoid exposures that are larger than you’re comfortable with, but testing this often involves waiting for a bad event to happen and confirming whether the ERM program is protecting you the way that it’s supposed to. Fortunately, there are more practical ways to assess an ERM program’s strategic value. For example, a company can observe whether risk models are providing decision makers with timely and accurate information, and whether they can use this information to make informed decisions. That’s something that can be assessed right now.
Wilkinson: Back testing is another option. Although the danger there is that the organization is simply looking backward and fixing problems of the past rather than the problems of the future, which is what the ERM program really needs to do. If you do back testing, you have to take broad lessons from it and apply them to the present and future. Reverse stress testing can also be a good option.
Moderator: And on that note, I think we can probably wrap up. Thanks, everyone.