Risk appetite frameworks that connect risk strategy with an insurer's mission and effectively link risk tolerances and risk limits will add value by aligning risk-based decisions at all levels of the organization.
Enterprise risk management (ERM) and risk appetite have risen to the level of buzzwords in recent times. Their prominence is driven by well-publicized risk-control failures as well as emerging and recently enacted regulatory programs in many countries. It is axiomatic that managing risk is the core business of insurance companies. However, there is a growing spotlight on all aspects of risk management, including those routinely and effectively performed by insurers as well as some newer practices being advocated by regulators and other external parties.
While regulatory changes have been an important stimulus for ERM activity, a company's ERM framework should focus on adding value to the business. One way to do this is to implement an ERM framework that enables better business decisions that more fully reflect consideration of risks associated with the company's risk strategy. Risk appetite, which requires companies to articulate the type and magnitude of risks they are and are not willing to accept, is one pillar of an effective ERM framework and an important means to enhance business decisions.
Over the course of the last year, Towers Watson published three papers under the banner Risk Appetite Revisited, which address several related aspects of how to develop and apply a risk appetite framework. The first paper, "Another Bite at the Apple," describes the foundational elements of a risk appetite framework. The second paper, "Achieving Near-Real-Time Risk Monitoring," explores the concept of an enterprise risk measurement model to monitor risk tolerances and risk limits on a timely basis. The final paper, "Setting Coherent Risk Limits," describes a practical method of tying risk limits to risk tolerances.
The Risk Appetite Revisited series acknowledges the current interest in risk appetite as well as the frustration we hear from insurance executives, many of whom describe their companies' risk appetites as insufficiently linked to their business strategies and impractical to apply. The intent of the papers is to help insurance companies make their risk appetite frameworks more effective and useful in supporting real-world decision making.
Risk Appetite Revisited
The papers introduce an updated risk appetite framework and suggested vocabulary (Figure 1) that reflect an evolution in our thinking and that of the market about the essential features and characteristics of risk appetite.
Figure 1. Risk appetite framework
Risk appetite is the manner in which a company expresses an identified set of risk-trading opportunities (and sets boundaries on these) aligned with successful delivery of its mission. While risk generically refers to the uncertainty of outcomes, in this context, risk should be defined by those events and circumstances that may result from an insurer failing to realize its mission. Risk to a mission is not a singular but rather a multifaceted concept.
The risk appetite framework should explicitly state which risks the organization needs to take and separate those risks from ones not fundamental to or compatible with its mission. There are several key components:
- Risk strategy articulates how risk is tied directly to the insurance company's mission and business strategy. It is an expression (largely qualitative) of the company's overall philosophy toward risk trading.
- Risk preferences view risks as opportunities, ensuring the risk appetite statement balances the risks' expected returns (and risk-assumption needs to achieve the mission) against the likelihood of mission impairment.
- Risk tolerances are quantitative expressions of the aggregate amount of risk the company is willing to accept, usually expressed in probabilistic terms, time horizons and unacceptable mission-impairment impacts. Risk tolerances are set at the overall enterprise level across the full spectrum of risks contemplated by the business strategy. Actual levels of risk undertaken should be monitored and compared against the stated tolerances.
- While risk preferences are strategic, expressed as the extension of the risk strategy, risk attractiveness is more tactical, reflecting how current conditions affect the relative attractiveness of different risks as an element of the current business plan.
- Risk limits are more granular tolerance levels expressed for specific risk sources, business units or products used to implement risk tolerances. Risk limits are used to ensure the actual levels of risk will stay within the agreed-upon risk tolerances.
Another Bite at the Apple
In order to be useful, a company's risk appetite must be rooted in its mission and vision. Risk should be defined by those events and circumstances that may result in mission failure. When risks are articulated in such a way, risk appetite and the accompanying risk tolerances become actionable, helping to improve business decisions. Linking risk appetite to mission impairment leads to a broader view of risk appetite and the need to recognize a broader spectrum of risk types and sources that could cause impairment of the company's mission. As such, the company's risk appetite should address key risks beyond just capital preservation, the traditional focus of many companies' initial risk appetite statements. We suggest four risk quadrants:
- Achieving targeted performance reflects the risks associated with nonperformance.
- Preserving capital adequacy includes the risks of substantial loss in tangible value, to the extent that it would threaten solvency, or trigger regulatory or other external party actions.
- Maintaining liquidity that is sufficient to meet obligations is critical to the mission.
- Protecting franchise value guards against risks that cause losses in a franchise's value.
Since risk tolerances set the boundaries for the aggregate allowable risk, corrective (or adaptive) actions must be taken when these boundaries are approached. The company has resources that can be deployed to provide management with a cushion to adapt its plans without modifying its strategy or mission. We call these resources "adaptive buffers." One example is capital held above the core capital required to continue normal operations, as illustrated in Figure 2. The company should identify a normal buffer operating range. At the top of that range, management increases activities to release capital, and at the bottom of that range, management will want to de-risk and strengthen capital. A buffer for nonperformance might be an extended track record of exceeding performance targets.
Figure 2. Capital buffer
Adaptive buffers should exist for each of the four risk quadrants. Buffers are costly, so their size must be cost effective. Buffers are linked to tolerances since the tolerance states the company's willingness to expose the buffer to potential exhaustion above a predetermined threshold.
Achieving Near-Real-Time Risk Monitoring
A key step in making the risk appetite framework useful is implementing an enterprise risk measurement model to monitor risk levels against established risk tolerances and limits. By "risk measurement model" we mean a tool or system that measures the financial impact of one or more risk drivers (e.g., catastrophe models for property insurance portfolios or credit risk models for fixed-income portfolios). In the case of an enterprise risk measurement model, the business portfolio is the entire organization, such that the model calculates enterprise-level financial impacts. These models aggregate risks across all business units.
Enterprise risk measurement models can be designed and used to monitor actual risk levels at a point in time (e.g., quarterly or annually) or to model a defined set of stress-test scenarios (e.g., the impact of interest rate increases on both invested assets and long-duration liabilities). In order to be useful to the business, the models need to produce timely results. We refer to this timeliness as "near real time."
Many companies face the challenge of existing risk measurement models that are large and complex. They were not specifically designed for enterprise risk monitoring, and consequently, the original applications of the existing models were more tolerant of extended run times. Among the typical shortcomings of these first-generation models are the substantial efforts, resources and time needed to produce updated results. Some specialized models can produce more timely results, but they are usually unable to capture the net risk position necessary for an enterprise view of the company's aggregate risk profile. Without the ability to monitor the enterprise risk profile on a timely basis, risk tolerances are largely an academic exercise.
Depending on the complexity of its existing first-generation models, a company may need to move to a second-generation risk aggregation model among the various risk drivers that is better designed to support business decisions. The business requirements for such a model include a laser-like focus on producing near-real-time results that are usable by business leaders throughout the organization.
A case study in our second paper describes how one company was able to restructure its enterprise capital model. The redesigned model relied on loss functions as a substitute for the complex valuation of the financial impacts of risk drivers calculated more precisely (and directly) by the first-generation model. Essentially, the loss functions are equations that capture the impact of the risk drivers on the business portfolio without the need to revert to complex first-generation business models. As an illustration, a simple loss function might describe the overall financial impact of a shift in the risk-free yield curve on an existing asset portfolio without the need to measure the direct impact on each security within the portfolio. Loss functions need to be updated only when there are substantial or fundamental shifts in the underlying risk drivers. In the absence of these changes, scenarios or stress tests can be modeled by changing the inputs to the loss functions. This loss-function approach provides a reliable proxy for the information historically generated by the company's first-generation risk models, but it requires considerably less effort to run, and provides much more timely and, therefore, more useful results.
Setting Coherent Risk Limits
Risk tolerances are set at the overall enterprise level, across the full spectrum of risks expressed by the four risk quadrants. These high-level statements are not always easily actionable. Hence, risk tolerances must be operationalized by establishing processes and controls that help to manage the enterprise risk portfolio so that if effectively executed, actual levels of risk stay within the specified tolerances. These operational processes and controls generally take the form of local risk limits.
The first step in creating the link between the company's risk tolerances and its more operational risk limits is a risk allocation process. The adaptive buffers are allocated to risk drivers in proportion to the drivers' propensity to consume buffers. As a result, risk drivers with a higher propensity to consume a buffer receive a greater allocation. For example, a company with a large property exposure naturally has a larger portion of its required capital allocated to catastrophe risk. The result is a risk budget (e.g., not more than 40% of the company's total capital can be allocated to catastrophes).
The risk budget deploys the total risk-taking capacity of the enterprise to the various risk drivers and business portfolios. In essence, risk budgets are the highest-level risk limits imposed on each business portfolio. They can focus on specific risk drivers or on the total risk budget for a business unit, without specifying budgets by risk factor.
As illustrated in Figure 3, the risk budget helps create linkages between enterprise risk tolerances and risk limits set at the local level. They relate to specific risk drivers or specific business portfolios and are expressed using practical metrics relevant to local managers.
Figure 3. Risk budgets link tolerances to limits
Operationalizing the risk budget requires that it be linked to local risk limits in a form that is actionable by the managers of the respective risk portfolios. Examples of actionable risk limits include total insured property value, reinsurer credit rating and investment mix by asset type.
Local risk limits must be linked to the business portfolio's specific risk drivers to be quantified and, in turn, the impact of changes in the relationship of risk limits to risk tolerances assessed (e.g., the required buffer against capital loss). These quantifications can be determined using risk measurement models for specific risk drivers and the enterprise risk model. When first-generation models are too cumbersome to support the analysis, it is sensible to use loss functions that first link the local risk limits to the risk drivers and then link the risk drivers to the required capital.
Make Better Business Decisions
An improved articulation of risk appetite and timely monitoring of the company's actual risk profile against risk tolerances are necessary to make risk appetite a more valuable element of risk management. However, these are not sufficient to achieve that goal. Risk appetite must also be operationalized through coherent linkages between enterprise risk tolerances and local risk limits.
All insurance companies have one fundamental commonality: They are in the business of taking on risk to create value for their owners. Business decisions made with the benefit of greater risk awareness will be better, where "better" is defined as maximizing reward without taking on more risk than the insurance company is willing to tolerate. The concepts presented in the Risk Appetite Revisited series describe the basis for building a strong risk appetite framework as a foundation for better risk-based decision making.
For comments or questions, call or email
Manolis Bardis at +1 617 638 3807,
Martha Winslow at +1 952 842 6527,