By Jeff Tetrick, Pinnacol Assurance in Colorado
“Risk” is the business we are all in, yet as we have learned over the last few years, perhaps decades, risk can take many forms. Many times, the risks of yesterday, while similar, are not quite the same risks of today. We suspect that the risks of tomorrow will be different still. With a tradition of risks mutating into new, and perhaps more dangerous events and occurrences, how can we as management prepare? How can we finance the consequences? And, more importantly, how can we make promises to policyholders, claimants, dependents and other stakeholders not knowing the next risk to our very being, the risk of ruin!
But before we get too far, let’s go back in history, to a time before Hurricane Andrew or the Northridge Earthquake, maybe even before asbestos was the death sentence for many insurance companies. This was a time when most of the finance industry felt that risk was something that was managed through various departments of the company; the Treasurer focused on financial risks, the Risk Manager dealt with property and liability risk, maybe Human Resources was responsible for employee benefits and pension, and the CFO was tasked with assuring capital was in line with the expectations of all stakeholders. In hindsight, this distribution of various risk management activities through various divisions and departments of a company was a natural evolution of the corporate organization chart.
Everyone was trying to limit risk by focusing in the area where they had expertise or responsibility. This created within a company various definitions, tolerances, and time horizons for acceptable risk to be retained by the company. At times, this process even created various methods within the same company as to how to purchase insurance for the risk. Sometimes these efforts complemented each other, sometimes they didn’t, but one thing was certain: Controlling risk was not a company-wide initiative, but was many times controlled purely by accident.
To add to the mix of concerns, “capital adequacy” evolved in the early 1990s from comparing a number of ratios to Risk Based Capital standards. Soon, rating agencies followed with similar models for capital adequacy. These included Standard & Poor’s (S&P) and A.M. Best with their own unique adequacy ratios. So now we move from an industry that manages risk along the path and boxes of the organizational chart, to the rating agencies and regulators attempting to evaluate risks at the enterprise level, in an attempt to determine the appropriate surplus for the organization. For a little more than a decade the risk based approach to capital has served the industry, rating agencies and the regulators well; we all now feel comfortable with the outcome, and we all feel that as we plan and adjust our business to the needs of the marketplace, the required Risk Based Capital from the models is fairly predictable. But don’t get too comfortable!
During mid-2005 S&P announced a “new risk-management evaluation process” to assist with the evaluation of insurers and reinsurers. This new method to evaluate a company is known as Enterprise Risk Management (ERM). Additional metrics will be added to the existing categories used by S&P of Competitive Position, Management and Corporate Strategy, Operating Performance, Capitalization, Liquidity, Investments, and Financial Flexibility. And I know you all are saying “S&P does a great job when it comes to evaluating credit risk in our portfolio, but they don’t evaluate us.” Well, that’s true – for now. Remember we all said that about Sarbanes-Oxley several years ago, too, and look what we have now - the NAIC Model Audit Rule! I call it compliance by association; just because we are in this industry we need to be aware of the implications on our business and our customers of issues facing the industry. And maybe, just maybe, we need to look at implementation for those aspects that seem to benefit our stakeholders.
The ERM Practices category as reported includes evaluations in five areas: risk management culture, risk controls, extreme event management, risk and capital models, and strategic risk management. Each of these categories will be ranked weak, adequate, strong, or excellent, and from there, the ERM Practices view will be arrived at. We will now briefly touch on each of these areas:
Risk Management Culture
Risk management culture is the extent to which risk and risk management practices are important considerations in all aspects of a company’s decision-making process. Does the company learn as risks materialize into events, whether impacting their balance sheet or the financial position of others? Another way of looking at this: Is risk management part of every manager’s role, or organizationally, has the company delegated risk management to the “risk manager”?
As insurance companies we face several general areas of risk – credit risk, market risk, insurance risk, and operational risk. And in our markets with the long-tail of the workers’ compensation business, we are particularly susceptible to the risk of reserve inadequacy arising from interest rate risk and insurance risk. How do we address this? What have we done to insulate our balance sheets from these risks? What are the “controls” in place to protect the stakeholders’ equity in the enterprise?
Extreme Event Risk
This category focuses on the low-frequency, high-severity event - what has the company done to envision such events, what are the scenario analyses that have been applied, and is there documentation of the stress testing of management’s thought process in this area?
Modeling, Risk and Capital
What has the company done to quantify potential risk, what is the stress testing that management has gone through, has the company looked at events that happen VERY infrequently, like “the 250 year event”? What is the probable maximum loss under various scenarios? And what are the various modeling techniques applied to develop economic capital, or the amount of capital necessary to support retained risks?
Strategic Risk Management
Is the company aware of its retained risk profile? Has the company invested the effort to analyze its asset allocation to maximize economic capital, and has it provided for the optimal asset diversification? Has management reviewed risk reward data as to products and markets?
S&P is looking to see that insurance companies are spending the strategic time and resources analyzing their own economic risks, as each of their policyholders is relying on them to help manage their economic risks.
As any organization begins the process of asking the question “What does enterprise risk mean to us?” several major areas of responsibility come to mind:
Oversight - Do you know your risks and who is managing them? What’s the risk governance process? Have you invested the time and effort on identification, quantification and diversification?
Modeling - What are the financial impacts if these risks materialize; have you spent time looking at the balance sheet to determine the risk of ruin, have you involved the organization in the discussion of what is the reputational risk, if any, if the events materialize?
Solutions - What have you done to transfer the risks, or are you going to keep them and finance them internally; what are your tactics; reinsurance, hedging, geographic diversification, …
And then, how do you Execute - do you only plan, with no criteria to implement; do you treat this effort as a special project, a one-time event with no follow-up; or do you attempt to operationalize this effort, review the implications regularly with appropriate follow-up, and include the topic as part of your strategic discussion?
The organizational change required to implement an effective enterprise risk management initiative within an organization is immense. And as such, as with any organizational change initiative, the support of the chief executive officer is critical as this will be hard work and it will take, as noted above, a culture shift, often difficult for organizations. As with any major initiative, resources need to be committed to the effort, and as in most environments, resources are limited. ERM, with its focus on surplus (stakeholder value), is uniquely different from historical views focusing only on the return to surplus. Think about that model; when things go well, return is good, and when they go wrong, return is poor. And traditionally when returns are poor there is a management change also - another great reason to embrace ERM and implement it well! Avoid that management change! Again, with any organizational change initiative, senior executive support is necessary. This is pointed out in Kotter’s Leading Change and the Eight Stage Process.
Establish a sense of urgency – Be able to tell others why ERM is important.
Create a guiding coalition – Is there support for the change at the highest levels of the organization?
Develop the vision and the strategy – This appealing picture of what ERM might look like and then the strategy, or steps as to how the vision can be achieved, will give those involved a chance to say, “Yes I can get involved with that.”
Communicate the change – Do this often and do this in many different ways; do it such that everyone involved can understand.
Empower employees for broad-based action – This will include communication as mentioned above, and training; along with the organizational and political support to be successful.
Generate short-term wins – Don’t forget the near-term, report the savings from consolidation, from coverage elimination, from everywhere - just be sure to report.
Consolidate gains and produce more – Use the results to help gain support for further improvement; don’t use the early results to celebrate success, it may give the impression that the end of change is at hand when it has only just begun.
Anchor the new approach in the culture – The struggle to get a new approach into the culture is immense, it is hard work; don’t let it slip away as a project on a shelf; work with those in the organization that have benefited from the change, those that believe in the change. Why is this important? Remember, this is a culture change!
And finally, in his Essentials Series, Tom Peters proclaims there is only one way to effect change “… Find heroes. Do demos. Tell stories. We need heroes: Mortal Exemplars of the exciting new way of doing things. We need demos: Palpable Proof that this exciting new way of doing things is eminently possible. We need stories: Riveting Tales that fire the imagination of … as-yet-reluctant heroes-in-waiting.” With heroes, demos and stories, the change will take place in the culture and enterprise risk management will be an integral piece of the fabric of the company.
Side Bar Definitions:
Risk - An insurance hazard from a specified cause or source.
Economic Capital – The amount of capital a company sets aside based upon its specific risk profile. If done diligently with economic value of assets and liabilities, it will represent the net economic value, generally much different than other surplus measures.
Risk of Ruin - The probability of disaster such that the very ongoing viability of the company is threatened.
- Integrating Corporate Risk Management, Prakash Shimpi, TEXERE LLC, 1999.
- The Essentials Series - Leadership, Tom Peters, DK Publishing, 2005.
- Leading Change, John P. Kotter, Harvard Business School Press, 1996.
- Insurance Criteria: Evaluating The Enterprise Risk Management Practices Of Insurance Companies, Standard & Poor’s, 2005.