2012 Risk and Finance Manager Survey Report - Towers Watson
2012 Risk and Finance Manager Survey Full Report

Executive Summary

The Towers Watson Risk and Finance Manager Survey examines how North American companies use outside resources, tools and frameworks to address risk. Key findings from this year’s survey include:

• 57% of respondents have ERM programs in place, just slightly improved over last year.
• 95% have at least some concern over the hardening property & casualty (P&C) market.
• 22% are not aware of changes in property risk modeling.
• 72% have not purchased network security/privacy liability policies.

Enterprise risk management (ERM) is receiving more attention worldwide from regulators, policyholders and stockholders. Stability and financial health are more important than ever. The heightened scrutiny reflects recent jolts to global financial markets that include a Eurozone debt crisis as well as continued uncertainty over oil prices and economic recovery. And the recent memory of the severe global financial downturn continues to linger. In spite of these pressing reasons to implement ERM, the 57% implementation rate demonstrates that a disconnect exists, as little progress was made to put programs in place over the last two years of our survey.

While ERM is important for the long-term health of all companies, companies outside of the financial services sector need to accelerate their efforts even more than those in the financial services sector. Nearly three-quarters (72%) of financial services companies, including insurers, had ERM in place, compared with 54% of nonfinancial services companies. This might be connected to efforts such as the Own Risk and Solvency Assessment (ORSA) and other regulatory requirements that insurers will now be required to complete.

It might also highlight the need for more formal, thorough education about what ERM is and what it can do for companies. The survey found that a significant 40% of respondents answered that nobody has been able to articulate the value of implementing ERM, largely consistent with our 2011 survey.

With only 28% of respondents buying network liability policies, the lack of take-up in purchasing this coverage raises another glaring weakness in companies’ risk control efforts. Cyber-attacks and data theft are a major threat for corporations and will continue to grow as organized professional hackers find more sophisticated ways to infiltrate company systems.

Nearly two-thirds of survey participants were either seriously concerned (17%) or moderately concerned (46%) over a hardening market for P&C insurance. Another 32% expressed slight concern. One way to address this issue is for respondents to more actively engage in the use of analytics to prepare their companies for a market change. This also offers brokers an opportunity to help clients better see the linkage between effective analytics and preparation for a hardening market. It is a connection that was not as essential in a soft market where coverage was more accessible and relatively inexpensive.

But if respondents are trying to prepare for a market hardening, there are still steps they need to take to become better informed about the market. A notable 22% indicated they were not aware there had been changes to the assumptions being used in property catastrophe modeling, which has had a profound impact on the premiums charged to those companies with locations in catastrophe-prone areas.
A Closer Look

ERM Implementation

ERM implementation is slightly improved over 2011’s 54% response rate. This year’s 57% response offers a slight reason for encouragement, although in a world of heightened economic and political risk, the relatively flat implementation rate suggests that a lot more needs to be done to encourage development of ERM programs.

Programs that are in place have attributes that differentiate how risk appetite is determined, how ERM is described, and how it is used to quantify risks and potential mitigation strategies.

Nearly 60% of respondents said that risk appetite is determined either at the corporate level based on qualitative judgment (37%) or at the corporate level based on financial metrics (e.g., EPS) (22%) (Figure 1). Perhaps even more telling is the 26% of responses that indicated no risk appetite level is explicitly set. This large response rate may be due to several possible causes: Management wants to remain nimble in the event company or economic circumstances change; there is reliance on a more general range than a specific level; or respondents have not had the time, resources or understanding of how to establish a risk appetite level. Whatever the reason, the lack of a definable risk appetite makes it difficult to effectively prepare for and manage potential risk.

Financial services companies, including insurers, had a better understanding of this need for definition. A 10% response rate on “no risk appetite level is explicitly set” was far smaller than the 30% recorded for nonfinancial services companies. Financial services companies were also more likely to make decisions at the corporate level (53% based on qualitative judgment and 25% on financial metrics) than nonfinancial services companies (33%, qualitative and 21%, financial metrics).

Figure 1. How risk appetite is determined

All respondents (n=148):
• At the corporate level based on qualitative judgment: 37%
• At the corporate level based on financial metrics (e.g., EPS): 22%
• At the operational/division level based on qualitative judgment: 9%
• At the operational/division level based on financial metrics (e.g., EPS): 3%
• Other (combination of factors at division and corporate levels/combination of corporate and operational involvement; variety of methods): 3%
• No risk appetite level is explicitly set: 26%

By sector, financial services, including insurance (n=32) / nonfinancial services (n=116):
• At the corporate level based on qualitative judgment: 53% / 33%
• At the corporate level based on financial metrics (e.g., EPS): 25% / 21%
• At the operational/division level based on qualitative judgment: 6% / 10%
• At the operational/division level based on financial metrics (e.g., EPS): 3% / 3%
• Other (combination of factors at division and corporate levels/combination of corporate and operational involvement, both sectors; variety of methods, nonfinancial services): 3% / 3%
• No risk appetite level is explicitly set: 10% / 30%

Note: Those giving a valid answer (percentages exclude “don’t know”)

The overwhelming majority (88%) of those surveyed responded that their ERM identified, assessed and prioritized key risks and assigned risk owners. Over two-thirds (69%) indicated that their executive committees and boards of directors received regular ERM activity and findings reports. But a smaller 37% regularly quantified key risks and used those metrics in making business decisions, and an even smaller 35% integrated risk metrics into the budgeting and planning process. These findings show that most ERM programs are more qualitative and compliance focused. For the most part, financial services and nonfinancial services had response rates that were nearer the same. The one exception was the difference in responses for integrating risk metrics into budgeting and planning: 48% for financial services companies and 29% for nonfinancial services companies.

towerswatson.com 2012 Risk and Finance Manager Survey
Risk Measurement

When asked about the ERM framework that companies used to quantify risks and potential mitigation strategies, most organizations (52%) are doing this qualitatively using likelihood and impact scales, and a full 25% responded that they do not attempt to quantify risks. Nonfinancial services companies had a 27% response rate, and financial services companies, including insurers, had a 16% rate. The finding is consistent with the overall 26% response rate for those that established no risk appetite level. The two responses together present a picture of a sizable minority of respondents that do not measure or understand how much risk they could bear. For those companies that do rank risks, 52% undertake the exercise on both a frequency and impact scale.

Even though a quarter of respondents do not quantify risks and just over a quarter have not determined their risk appetite, over half (54%) of those polled did differentiate between their risk-bearing capacity and their risk appetite/tolerance. Financial services companies were much more likely to make this differentiation (78%) than nonfinancial services companies (47%).

Education

The lack of discernment among some survey participants and reasons offered for not having ERM in place speak to the need for an organized, thorough education program to be put in place. A full 40% of respondents indicated that nobody has been able to articulate the value of implementing ERM, and another 25% cited ERM as too resource-intensive and expensive to pursue, regardless of value (Figure 2). These responses are slightly lower than last year’s respective 42% and 29%, suggesting that there may be some more awareness of ERM’s value from which a formal educational effort could be leveraged. Yet another 14% responded that ERM is too compliance-oriented and bureaucratic to pursue, regardless of cost. This response rate is down significantly from last year’s 26% rate, a positive sign.

Figure 2. Reasons for not having an ERM process in place

Companies not having an ERM process in place (n=65):
• Nobody has been able to articulate the value of implementing ERM to our company: 40%
• Too resource-intensive and expensive to pursue, regardless of value: 25%
• Too compliance-oriented and bureaucratic to pursue, regardless of cost: 14%
• We did an initial ERM project that was not viewed as successful: 3%
• Other: 18%

By sector, financial services, including insurance (n=9) / nonfinancial services (n=56):
• Nobody has been able to articulate the value of implementing ERM to our company: 34% / 41%
• Too resource-intensive and expensive to pursue, regardless of value: 0% / 29%
• Too compliance-oriented and bureaucratic to pursue, regardless of cost: 22% / 12%
• We did an initial ERM project that was not viewed as successful: 11% / 2%
• Other: 33% / 16%

“Other” responses:
• In process/Coming soon/Looking into how to best implement one now (both)
• Not applicable/Not considered necessary given size/nature of business (both)
• Still in silos (nonfinancial services)
• We had one in place, but upon acquisition by another company, we have had other priorities. We are planning a reimplementation at this time (nonfinancial services)
• Unknown (nonfinancial services)

Note: Companies not having an ERM process in place

Surprisingly, financial services companies, including insurers, were nearly twice as likely (22%) as nonfinancial services companies (12%) to consider ERM too compliance-oriented and bureaucratic. Perhaps these respondents, in a heavily regulated sector, believe that they already have too many regulations and requirements. But financial services companies also need to control volatility and risk. It would seem that these survey participants would understand that the advantage of effective risk management would outweigh any additional compliance burdens. Even so, no financial services companies considered ERM too resource-intensive and expensive, far different from the 29% of nonfinancial services companies that responded to the question. Existing risk management programs may explain this willingness to accept resource requirements and expenses.

Indeed, the need for more education also surfaces when responses to questions about cyber-risk are examined.
Cyber-Risk

An important aspect of ERM is managing cyber-risk. Yet nearly three-quarters (72%) responded that they did not purchase a network security/privacy liability policy, roughly unchanged from last year. And those that did purchase policies (28%), also relatively unchanged from last year, opted for limits that were on the low end of the spectrum. Forty-three percent said that their policies had a $1 million to $5 million limit.

A significant number of respondents expressed confidence in their own IT departments. When asked why a network security/privacy liability policy was not purchased, 41% responded that their own internal IT department/controls were adequate. Another 25% indicated that they do not believe that they have a significant data exposure. Surprisingly, there was relatively little concern over the prohibitive cost of transferring risk (12%).

Survey participants overwhelmingly responded that they rely on their internal IT departments and are comfortable with their level of exposure (78%). Less than half engaged in comprehensive information security risk assessments (46%) and conducted penetration tests (44%). Limit levels for network security/privacy liability policies were largely benchmark- or broker-driven (68% and 50%, respectively).

When respondents did purchase cyber-protection, expertise was the single-largest determinant in the purchasing decision, with 45% ranking it as number one and another 19%, number two. A positive finding was that pricing was not the most influential factor in selecting coverage, suggesting that respondents are not simply shopping for the lowest rates, but rather are interested in comprehensive coverage and carriers that are committed to the business. Only 9% of survey participants ranked pricing as number one and 31%, number two.

Market Concerns

If cyber-risk was not a major concern for respondents, a hardening market was. Nearly two-thirds of survey participants were either seriously concerned (17%) or moderately concerned (46%). Another 32% expressed slight concern. One way to address this issue is for respondents to more actively engage in the use of analytics to prepare their companies for a market change. And it offers brokers an opportunity to help clients better see the linkage between effective analytics and preparation for a hardening market. It is a connection that was not as essential in a soft market, where coverage was more accessible and relatively inexpensive.

Companies are taking steps to prepare for a hardening market. In both the property and casualty markets, companies are marketing their programs with respective 69% and 63% response rates. A third of property respondents indicated that they are using broker-provided catastrophe modeling. Among casualty respondents, 44% are using independent, actuary-provided retained loss analytics and 30%, predictive modeling. However, predictive modeling is much more likely to be used by insurers (38%) than noninsurers (29%). A sure sign that companies are anticipating a potential market hardening is the respective 25% and 19% response rates among companies participating in the property and casualty markets that they are putting out RFPs for brokerage services.

But if respondents are trying to prepare for a market hardening, there are still steps they need to take to become better informed about the market. A notable 22% indicated that they were not aware that there had been changes to the assumptions being used in property catastrophe modeling.

For those companies that do intend to reach out to insurance brokers or those that already have insurance brokerage services, depth of resources and knowledge are ranked as more important considerations than cost of services. Half of respondents ranked depth of resources as either first or second in range of importance for insurance brokerage services. Company knowledge was ranked first by 27% and second by 20%, and industry knowledge received a respective 20% and 28%. The response is an affirmation that respondents are willing to pay for solid service and reliability. But cost was only ranked first by 12% and second by 11%, for a combined 23%.

In a similar vein, technical skill, ranked most important by 46% of respondents, was the most important feature identified for actuarial services. And for captive insurance companies, mitigating the impact of insurance market price and coverage changes was the most important benefit of using captives, with 41% citing it as the first choice. The ability to pursue innovative risk financing strategies, such as putting employee benefits into a captive, ranked next most important, with 33% ranking it first.