University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No June 2007

Transcription

1 University of St. Gallen Law School Law and Economics Research Paper Series Working Paper No June 2007 Enterprise Risk Management A View from the Insurance Industry Wolfgang Errath and Andreas Grünbichler Second International Conference on Law and Economics held at the University of St. Gallen (Switzerland) in June 29, 2007 Published in: Peter Nobel and Marina Gets (Eds.), Law and Economics of Risk in Finance, (Schulthess, Zürich 2007), p ; This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: Electronic copy available at:

2 Enterprise Risk Management A View from the Insurance Industry Enterprise Risk Management A View from the Insurance Industry * Wolfgang Errath and Andreas Grünbichler ** Index I. Introduction 111 II. Drivers behind ERM 112 III. Zurich s Enterprise Risk Management Framework 114 A. Risk Governance and Culture as the Foundation of ERM 114 B. Risk Quantification 116 C. Risk Management Operations 116 D. Risk Communication and Disclosure 117 E. Strategic Risk Management 118 IV. Summary and Outlook 118 References 119 I. Introduction The term Enterprise Risk Management (ERM) represents a holistic approach to managing the risks that a company faces in a changing environment. Risk can be considered as a function of change, and risk management may thus be described as a technique for coping with the effects of change. 1 Although risk management practices and methodologies have been around for decades, the area of ERM has recently gained attention from executive management, investors, rating agencies, regulators and academics. While risk management functions initially only monitored adherence to risk and other policies, they later on implemented the first risk measurement and quantification approaches. The next natural step was that risk management not only provided the risk status, but also took responsibility for hedging and risk mitigation activities, followed by satisfying the need for more risk-and-return * ** 1 This article reflects the personal opinion of the authors and does not represent Zurich Financial Services. Chief Risk Officer, Zurich Financial Services, Switzerland. G. N. CROCKFORD, The changing face of risk management, The GENEVA Risk and Insurance Review, August Electronic copy available at:

3 ANDREAS GRÜNBICHLER analysis and recommendations. Nowadays, risk management functions further expand their activities into the area of strategic analysis and business decision support. To put it in other words, risk management has moved from a passive analysis and quantification function to a proactive business enabler and strategy consultant role. Organizations of all types and sizes face a range of risks affecting the achievement of their objectives and influencing all decision-making. ERM supports intelligent and effective decision-making in order to optimize the level of calculated risk taken and to recognize opportunities where taking risks might benefit the organization. Zurich Financial Services defines Enterprise Risk Management as the structured Group-wide view to identifying, measuring, managing, reporting and responding to risks that affect the achievement of Zurich s strategic and financial objectives, including both upside and downside risks on both sides of the balance sheet. II. Drivers behind ERM An integrated view on risk was not only requested internally by management, but also external stakeholders currently put more focus on these capabilities. Rating agencies in particular focus on this topic and most of the market leaders have introduced their ERM assessment and review methodologies and processes. Some rating agencies introduced ERM as a new criterion for their overall financial stability ratings, while others see ERM as an integral part of their operational, organizational, financial and capital assessments. The main differences in their approaches can be identified when it comes to risk quantification: some rating agencies have their own deterministic capital models, others do not have their own models and rely mainly on insurers internal capital models and others have developed stochastic portfolio models during the last few years. Regulators also focus much more on risk management capabilities: in Switzerland, requirements for risk management are laid out in insurance-specific laws and in other, more general requirements for corporations. It is worth highlighting the Federal Office of Private Insurance (FOPI) directive 15/2006, where general principles for risk management are defined: among other requirements, the risk management processes must be verified periodically, training and o- ther communication to sensitize employees must be conducted, and risk strate- 112 Electronic copy available at:

4 Enterprise Risk Management A View from the Insurance Industry gies that take into account the insurer s appetite and tolerance for risk must be introduced. 2 The Swiss Solvency Test (SST) introduces an economic capital model for regulatory purposes which become an integral component of the new ERM framework. Furthermore in the European Union, Solvency II will influence the requirements for ERM, mainly through the regulatory capital assessments and the requirements for internal models in Pillar I and the development of standards for sound internal risk management and risk self-assessments in Pillar II. All these efforts lead to slightly different meanings and interpretations of the term and coverage of ERM. Two other initiatives are worth mentioning in this context. The International Association of Insurance Supervisors (IAIS) drafted a document in 2007 that focuses on the risk management framework around the adequacy of financial resources3. For the IAIS, ERM has the potential to provide a link between the day-to-day management of risk and the long-term business strategy, and should become an established discipline and separately identified function assuming a much greater role in the majority of insurers everyday business practices. Another framework for ERM, provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004, has had a strong influence on the review and assessment approaches used by audit and internal control functions. 2 3 FOPI Directive 15/2006, section 4. IAIS (2007), Draft standard on ERM for solvency Purposes. 113

5 ANDREAS GRÜNBICHLER III. Zurich s Enterprise Risk Management Framework Strategic Risk Management Risk Quantification Risk Management Operations Risk Communication and Disclosure Risk Governance and Risk Culture The goals of Zurich s ERM Framework are to: Protect the capital base: an insurer must make sure that capital is deployed in the most efficient way and that risks are not taken beyond its risk- taking capacity. This helps to meet shareholders expectations of optimizing the risk-return trade-off; Enhance value creation and contribute to an optimal risk-return profile; Support the decision-making process by providing reliable and timely data and analysis on current and planned status; Protect the reputation and the brand by building a risk culture and increasing awareness about risk management across the organization. In the insurance business a company s reputation, especially the perception of it as reliable is one of its main assets. ERM helps explain the risks of the business, thereby raising customer value and enhancing confidence by clients, customers and the media. ERM raises regulators confidence and facilitate reviews, and thereby decrease regulatory burden and capital costs. ERM has a positive effect on the financial strength rating, thus impacting the overall cost of capital. A. Risk Governance and Culture as the Foundation of ERM A well functioning risk culture requires a mix of effective controls with an empowered risk organization that has a clear role and mission. The general 114

6 Enterprise Risk Management A View from the Insurance Industry message is set at the top of the organization and cascades down through the management layers by showing a consistent commitment to risk topics expressed in the common language of risk-adjusted returns. The commitment to establishing a robust risk culture is expressed in several ways. One element is that risk managers participate in the key decisions of the firm and are considered peers with the business unit equivalent-level managers. Another element is the independence of risk measurement and risk monitoring from risk taking, expressed through adequate reporting lines and escalation procedures. Coverage of risk management topics in meetings of the board and executive management are another important aspect. Many insurance companies are creating specific risk committees at the top level to review and approve current risk levels and future plans. The relevance of risk-return awareness not only covers product and business decisions, but should also be reflected in a clear linkage of executive management compensation to the achievement of risk management objectives. Documentation of risk policies and the development of appropriate guidelines are essential elements of risk governance: risk management policies and procedures must be complete, updated regularly and communicated throughout the whole company. A risk policy establishes a common framework and language to foster a consistent approach to risk. Limits for risk-taking are another aspect, reflecting the fact that substantial variations in approach and detail are necessary for different risk types. A risk policy also should articulate the responsibilities of the Chief Risk Officer and that position s interaction with the CEO, governance and executive management committees and the businesses. A risk policy should also contain the vision and objectives of risk management. Further, risk management topics must be communicated throughout the organization so that awareness of risk and the importance of risk management at all levels of the company is raised. Without spreading the knowledge to those employees who do not have regular interaction with the risk management function, a broad consciousness and acceptance of individual risk responsibilities cannot be achieved. A pervasive risk culture goes beyond measurement of easy-to-identify risks and provides the first line of defence in the identification of unexpected losses from sources such as non-compliance or conflicts of interest. 115

7 ANDREAS GRÜNBICHLER B. Risk Quantification The first pillar deals with the development, maintenance, application, use and governance of economic and regulatory capital management models, databases and systems. Risk quantification is an evolving discipline and new models and methodologies in the market, credit, insurance and operational risk area have been introduced over time, leading to more precise quantification of single positions and portfolios. Typically companies use a variety of different risk indicators and figures. ERM has to look at the different methodologies to ensure consistency across the full spectrum of risk types. Many insurers spend substantial time and effort on integrating the stand-alone models for the single risk types into company-wide economic capital models. Risk aggregation within and among the single risks is a major part of the quantification exercise and can influence the final results substantially. Consistency also allows risk management to present a complete view of a company s risk profile. In order to receive reliable information, robust processes for validating metrics along with regular reviews of the appropriateness of assumptions, methods and models also must be in place. Also clear processes for updating data and ensuring data quality and data reliability are needed. Effective risk quantification contains more than producing figures for the single risk types and having models in place is only one part of the exercise: Also the application and effective usage of metrics and timely and appropriate responses are an important element of ERM. Results from internal risk and capital models can be applied to capital allocation and performance management processes, pricing, business and product development, hedging and reinsurance purchasing. Additional scenario analysis should be conducted not only for different confidence levels and time horizons but also for evaluating new business and product proposals, M&A activities and securitization transactions. C. Risk Management Operations The second pillar deals with the qualitative aspects, organizational setup, authorities and human factors of the risk management function. Global organiza- 116

8 Enterprise Risk Management A View from the Insurance Industry tions have implemented different structures that reflect the variety in scope of the risk management function. In some insurance companies, risk management focuses mainly on financial and operational risk, while in others risk management is linked with the actuarial function. Bank assurance groups tend to split the responsibility for market and credit risk from the other risk types. The sharing of responsibilities and tasks between local and centralized risk management units may depend on the risk types: market and credit risk responsibility tends to be more centrally organized, while operational risk management and internal controls need local presence and accountability. The risk management function must have the power to highlight and escalate emerging risks, enforce adherence to limits and monitor the effectiveness and execution of hedge and derivative programs. In a global organization, various functions such as risk, audit, compliance, finance and legal collectively, as assurance providers, give confidence that risks are being identified and appropriately managed and internal controls are in place and are operating effectively. To avoid duplication of effort, it is important that these functions cooperate efficiently, share information and have an integrated risk view based on common standards, measures and terminology. A framework structure that identifies the key risks, processes, controls and other assurance activities and that assigns activities and responsibilities to the assurance providers supports the implementation of an effective governance structure. D. Risk Communication and Disclosure One of the main objectives of ERM is to enable communication with senior management by creating full transparency around the exposures of the firm at different levels of granularity (i.e. from the single unit all the way to aggregated results for the company). Risk concentrations and limit breaches must get escalated to managers for resolution, and they must be monitored proactively. Internal communication is a top-down and bottom up exercise: executive management must provide business units with a clear strategic direction, risk tolerance and appetite and allocation of risk budgets. Units have to report emerging risks, market, business and regulatory developments and changes in risk levels in a timely and accurate manner. 117

9 ANDREAS GRÜNBICHLER Also the expectations from external stakeholders are rising: investors, regulators and rating agencies now request much more disclosure of risk information in companies annual reports or as a part of public presentations. E. Strategic Risk Management The strategic element of ERM supports management s view across risks to optimize risk adjusted returns. Capital must get deployed efficiently and risks must get aligned to risk taking capacity. The interplay among the current risk levels, the existing limits and the risk tolerance statement must be clear and transparent and aligned with the target risk profile (risk appetite). Risk tolerance levels should be based on the insurer's strategy and actively applied within the insurer's enterprise-wide risk management framework. Common dimensions of tolerance statements are capital, earnings, liquidity and financial flexibility and franchise value. Businesses with more favorable risk-return relations must be encouraged to grow, and those where the risk-based returns are below average must be watched closely. Risk management considerations should enter pricing decisions as well as optimization of reinsurance programs and other mitigating actions. Risk management is also a key element in certain strategic decision-making processes. Risk considerations enter into decisions on M&A activities or new business initiatives. By conducting additional stress tests, vulnerabilities to certain market conditions are revealed and the insurance company can take mitigating actions appropriately. IV. Summary and Outlook An optimal ERM framework systematically addresses the risks surrounding an organization s activities, and is wholly integrated into the culture of the organization. An ERM framework applies at all levels of an organization and to all activities and its main purpose is to assist organizations to achieve their objectives through effective risk management. In the upcoming years, the main challenges for insurers will be creating a stronger link among risk management, value creation and strategic planning to align risk-taking activities. 118

10 Enterprise Risk Management A View from the Insurance Industry Another task going forward will be to further develop internal risk-based capital models, especially in the area of risk aggregation and insurance and natural catastrophe risk modelling. Insurers have to establish a clear balance between risk modelling approaches and qualitative risk assessments and be aware of model risks, which can be substantial at higher confidence levels and during more volatile market conditions. In light of a changing regulatory framework in Europe and Switzerland, it will also be important to link internal risk-based capital models to new regulatory capital models. Also the refinement and implementation of risk tolerance statements throughout all levels of an organization will be a main task. This increased transparency on risk taking ultimately will lead to making people take ownership of risks, and will enhance decision-making, as companies are better able to act on opportunities to gain competitive advantage and to achieve their business goals. References G. N. CROCKFORD, The changing face of risk management, The GENEVA Risk and Insurance Review, August C. CULP (2002), The Art of Risk Management, Wiley Finance. Deloitte (2007), Global Risk Management Survey, 5th edition. R. DOFF (2007), Risk Management for Insurers, Risk books. Ernst & Young (2006), Managing Risk Shareholder perspectives. FSA (2006), Insurance Sector Briefing: Risk Management in Insurers. A. GRÜNBICHLER (2004), Vom Stresstest zum Risikomanagement, Versicherungsrundschau 7-8. IAIS (2007), Draft standard on ERM for Solvency Purposes. I. LELYFELD (2006), Economic Capital Modeling, Risk books. McKinsey (2006), Running with Risk in Insurance. Moody s, Risk Management Assessment: Non-life Insurance Companies, paper, March

11 ANDREAS GRÜNBICHLER PwC, The Economist (2007), Effective risk management in financial services, 15th edition. Standard & Poor s, Insurance Criteria: Refining the Focus of Insurer Enterprise Risk Management Criteria, paper, June P. TOWERS (2006), Risk Management. Risk Opportunity, 2006 Tillinghast ERM Survey, 4th edition. S. WANG; R. FABER (2006), Enterprise Risk Management for Property- Casualty Insurance Companies, ERM Institute International. 120