Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
APRIA Conference
July 2002
variance of return. Or, it is a measure of
one’s inability to me...
 Standardizing understanding of risk
across the organization
 ...
a Risk matrix at the enterprise level that
meshes together the r...
required to run the business. This
would include offices, busine...
factors emerging from the integration
issues. These could be rel...
In order to be able to model the risk, the
first step is an unde...
There is no straitjacket approach to
modelling risks. Each of th...
Management & Monitoring
After the top risks affecting an enterpr...
of the ERM plan. The roles and
responsibilities of the people ...
Upcoming SlideShare
Loading in …5

An approach to erm in the insurance industry apria 2002 rama warrier&preeti


Published on

An article on Enterprise Risk Management for insurance

Published in: Business
  • Be the first to comment

  • Be the first to like this

An approach to erm in the insurance industry apria 2002 rama warrier&preeti

  1. 1. AnapproachtoERMintheinsuranceindustry| 1 APRIA Conference July 2002 AN APPROACH TO ERM IN THE INSURANCE INDUSTRY RAMA WARRIER & PREETI CHANDRASHEKHAR ERM has made a considerable impact on comprehensive risk management strategy… 1. ABSTRACT Enterprise Risk Management (ERM) is a relatively new approach to managing risks. ERM differs from the traditional risk management method in its perspective of seeing the risk exposure as a whole rather than in parts. The benefits of this integrated mode of risk management have been well recognized now and we are witnessing a clear drift towards this way of addressing risks. This paper is an attempt to explore the ERM options available for managing risks of an insurance company. The concept of ERM, its objectives and the way to implement it are discussed in the paper. The main focus is to develop a high level methodology for implementing ERM approach in an insurance company. 2. INTRODUCTION An enterprise operating in the current global market operates under various pressures. Some of them are:  reduced time-to-market  increased innovation to respond to growing customer demands  leaner structures for greater profit margins Pressures like these are the drivers for the desire of enterprises to stabilize their operations around the expectations which they would have carefully set for various groups like shareholders, customers, employees etc. The line dividing success and failure is rather thin and hence recognizing and managing risks which may tilt the stability is a matter of great importance. There are various ways of defining risks. From an investment perspective, risk can be defined as the Issues viewing this document ? please check on Conzulting website For more articles / white papers on insurance, risk and technology, visit
  2. 2. AnapproachtoERMintheinsuranceindustry| 2 variance of return. Or, it is a measure of one’s inability to meet financial liabilities as and when they arise. For an enterprise, risk needs to be defined at a broader level. Any issue, action or threat that affects the company’s ability to meet its business objective and execute its strategies successfully is called a risk. Risk could also be defined as a distinct business possibility with a relatively low probability of occurrence, but with a significant adverse impact on the operation and goals fulfilment of an organization. Another way of looking at risk is "Risk is what could lead to the unexpected scenario which is detrimental to the smooth and efficient functioning of an organization in its efforts to achieve pre-set goals". Or, we could define risk as any possible event that could undermine shareholder's value. There are various methods of addressing risks - avoid risks, reduce their effect, and even convert risks into opportunities. 3. ERM – A ‘CORPORATE’ APPROACH Enterprise Risk Management, called ERM, involves identifying, understanding and mitigating the major risks to the success of one’s business. The method allows the organization to have a comprehensive risk outlook and management method which integrates various elements and helps in optimizing the solution. The traditional Risk Management approach looks at the component risk exposures and designs a mitigation method for each component without really mapping it into the big picture. ERM looks beyond this and focuses on an integrated management process to address the entire range of risks faced by the organization spanning from operational to the political risks. Hitherto, Risk Management used to take place as a "silos focused " activity. This method severely curtailed the efficiency in application of risk management techniques as well as in maintaining an integrated risk approach for the enterprise as a whole. ERM helps in getting and defining a flexible mechanism to handle both financial and operational risks. In a recent survey conducted by Economist Intelligence Unit, the CEOs and senior finance executive of a wide range of organizations mentioned that 41% of them manage risks using ERM techniques. And nearly one-fifth is planning to move towards it within a year. This success of ERM in financial and non-financial organizations confirms beyond reasonable doubts that ERM is the future approach for risk management. 4. OBJECTIVES ERM essentially aims at defining a process by which an organization monitors and deals with enterprise-wide risks to enable it to meet its business objectives. The single objective of ERM is enhancing the shareholder's value. This, when translated to a comprehensive risk management program for an organization would mean achievement of the following objectives: Strategic Objectives:  Improving capital efficiency  Building investor confidence  Pro-active (rather than reactive) risk management processes  Improve ability to respond to critical / catastrophic risks Operational Objectives:
  3. 3. AnapproachtoERMintheinsuranceindustry| 3  Standardizing understanding of risk across the organization  More informed decision making  Converting risks into opportunities  Establishing processes for stabilizing results  Optimal allocation of resources for risk mitigation 5. ERM IN INSURANCE – ITS RELEVANCE ERM has been found very useful and effective by companies who have used it to manage their primary risk exposures. Insurance companies being risk carriers need an even more integrated approach for risk management, as they are required to manage secondary risks that yield less accurate impact analysis results. Insurance companies the world over are operating in an environment of stiff competition and increased volatility. They are exposed to higher risks of insolvency. Added to that is the fact that there is additional pressure on technological innovation (expansion of e-commerce means that more and more information is stored in the form of data thereby increasing technology risks). With the expansion of operations of most insurers into new and emerging markets with relatively lesser-known exposures and the simultaneous multiplication of the complexity of risk exposures, the effectiveness of risk management is growing in relevance for the insurance industry. Compared to many other industries, insurance industry has a very wide range of operational decision-makers at various levels. Having a "risk doctrine" with a clearly defined direction is essential to steer the organization in the right path. Various departments like underwriting, claims, policy services etc operate in silos and hence having an integrated risk management method is essential. Another aspect which makes ERM a useful tool for insurance companies is the decision making process in the industry. Insurance decisions are based on the highly dynamic information pool. Unless there is an organization -level approach to risk management, ensuring that the decisions are optimal from the risk management angle is impossible. 6. STRATEGY FOR AN EFFECTIVE ERM PROCESS An effective ERM process for an insurance enterprise should integrate its non- insurance related activities with insurance related ones resulting in a more comprehensive and strategic approach. This means that over and above the insurance related risks like strategic risks, Legal risks, Political risks (including terrorism risks) and Catastrophic risks, the more general risks like technology risks should also be considered. The ERM cycle could be modelled in four phases as shown in figure 2  Identification phase  Quantification phase  Measurement and evaluation phase  Management and Monitoring phase Essentially, the process entails developing
  4. 4. AnapproachtoERMintheinsuranceindustry| 4 a Risk matrix at the enterprise level that meshes together the risks identified with the acceptable level of risk. Such an approach helps in crystallizing the risk identification process and helps the enterprise to map its risk management process to its business needs more effectively. Identification Phase: This phase entails identifying the various risks that an insurance company is exposed to. After the risks have been identified, they need to be prioritized to arrive at a set of risk factors that are crucial to the business. The most suitable way of doing this is through interviews with the management and any relevant documentation that may be available. This is better than verifying a checklist based on a preconceived idea of potential risk factors. The risk should be such that it should be material in preventing an organization in meeting its goals. The risks can be broadly classified in the following categories: Marketplace risks: The insurance company is exposed to various risks due to the environment in which it operates. The company has to develop its market strategy keeping the various entities like its competitor, regulator etc. in mind.  The company needs to develop a product management strategy that would reflect changing market and customer requirements.  An efficient an effective Customer Relationship Management strategy would enable to establish a profile for customers and prospects to determine their insurance needs and also the risks they are exposed to (occupation, financial strength, claims history etc.). This information would enable the company to define new products, the product specific underwriting rules and perhaps profit testing and sensitivity analysis.  The technology that supports the company’s product development and management strategy should give it a leading edge to reduce cycle time for introduction of new products and changing business rules of existing products.  Deregulation in many South East Asian countries has brought in new competitive pressures with increased pressure on margins for the existing players. e.g. in the Indian insurance industry, some companies who have not traditionally been operating in financial services have entered the newly opened up insurance market.  Globalization of the industry brings in new capital , best practices and business process know-how into the market. Operational Risks : Another major area of risk exposure for insurance companies is the operations. The growing complexity of operations has led to increase in the complexity in the risk exposures as well. The important categories of operational risk exposure are described below :  Technology Risks – With the dependency and investment in technology increasing in an exponential pattern, one of the prime risk areas which require the attention of the organization is technology risks. Technology risk exposures could vary from down-time of website which affects the image of the company and the service promises to security risks which could jeopardize the whole organization. The potential risk exposures on the technology side are shown in the table given below.  Property risks : One of the primary risk exposures in operations is the property / fixed assets which are
  5. 5. AnapproachtoERMintheinsuranceindustry| 5 required to run the business. This would include offices, business equipment, communication infrastructure, computers etc. Several insurance offices operating from the World Trade Centre had to cope with the problems generated by the property risk exposure. The business continuity plan of the company needs to specifically address the issue of providing alternatives to the dependence of operations on specific property.  Legal & Liability risks : Insurance companies handle two types of legal issues – litigations against them and litigations taken over by them as a part of claim settlement. Both these expose the company to legal and liability risks which need to be carefully assessed with legal assistance. The potential losses could include legal expenses, punitive damages, liability awards made by courts and fines. There is also a non- quantifiable part to the legal / liability losses, which relate to the reputation of the company. This is intangible and difficult to measure. However, careful allowance has to be given to this factor while taking important decisions on legal / liability risks.  Human Resources risks : Any service industry is highly human resources dependent and insurance is no different. The availability of the right skill sets is a critical factor for running the business. The significant exposures are in high employee turnover, labour issues, strikes, reduced productivity, lay-offs etc. The organization has to concentrate on improving the efficiency of the HR processes and management to curb these risks. International risks : The operations of most of the major players span over different countries, which exposes them to a new set of political and market risks. The biggest perceived risk on account of international operations is the political risk. The peculiarity of this type of risk is that it is well beyond the ability of the organization to influence, control or even foresee what is likely to happen. Developing clear policies to deal with political risks is essential for effectively handling them. The spectrum of political risks could range from the political differences between the home-country and the host-country to terrorism risks. In addition to political risks, there are significant other exposures like marketplace risks, cultural issues, demographic and economic issues which needs to be carefully managed in the host- country. M&A risks There has been substantial M&A activity in insurance markets in the recent past. This has led to the emergence of M&A risks as an area of concern for insurance players. The exposure to M&A risks can be classified into two – strategic and operational. The former relates to the objectives of the merger. Studies have shown that majority of mergers have eroded shareholders value. Identifying and evaluating the assumptions of generating synergy, leveraging the strengths of the individual entities etc. is essential to ensure that the merged entity would be able to achieve the desired results. The forecasts of revenues, growth, cashflows etc and the proposals of restructuring carry high level of risks unless carefully studied and managed. The operations of the merged organization are exposed to several risk
  6. 6. AnapproachtoERMintheinsuranceindustry| 6 factors emerging from the integration issues. These could be related to infrastructure, systems, cultural, management etc. The recent incident of the merged Japanese banking giant Mizuho failing to offer promised services owing to systems breakdown is a good example of how infrastructure and systems could pose a threat to operations at the time of a merger . Others The evolution of the insurance market has changed the way insurance is designed and transacted. The product development activity is on the ‘fast track’. Innovation is a necessity to survive. The eagerness to move ahead quickly on the path of innovation exposes the organisation to a lot of risks, the main one being unintentional acceptance of unknown risks from the insured. Increased competition is a business risk posed by the trends of Globalisation. Many of the markets have seen a sudden surge of a large number of competitors with the liberalization of regulations. Such sudden increase in competition could upset the business plans and projections of the established companies. Quantification phase This phase entails modelling the risks based on the data gathered. The modelling would involve analyzing:  Causes of the risk factor.  Various outcomes of a risk factor  The likelihood of the risk factor.  Frequency and predictability of its occurrence.  Potential effect of the risk on the financial metrics of the company. All the risk factors have an element of uncertainty associated with them with regards to the timing, nature and the quantum. The uncertainty can be best represented by a probability distribution. So, the aim of modelling the risks is to be able to represent the risk, its causes and effect in the form of a probability distribution.
  7. 7. AnapproachtoERMintheinsuranceindustry| 7 In order to be able to model the risk, the first step is an understanding of the causes of the risk. An insight into the causes could be obtained through historical evidence, interviews and brainstorming with the senior management. Tools like flow charts, questionnaires etc could be used to improve the efficiency of this process. If one maps the cause-risk-effect relationship in a graphical manner, it not only helps in the causal analysis and better understanding of the risk, but also helps in risk mitigation strategies. An illustration for the cause-risk-effect relationship for an insurance product is given below. Cause-risk-effect mapping for an insurance product is given in figure 3 Another way of analyzing risks is by mapping the risks with the possible indicative measures that can be used to model them. The output is a risk matrix that maps the various risks with the measures which enables to classify risks according to their scope and ability to affect the enterprise. Given below is an illustration: There are various other methods also available – influence diagrams, decision trees etc which illustrate graphically how different variables or factors that influence risk interact with one another. However, all these methods assume certain amount of prior information or knowledge (based on some preliminary analysis based on empirical data).In cases where empirical data is not available, the key challenge lies in coming up with a probability distribution that best represents the risk factor that is being modelled. In the absence of data or any scientific knowledge, one needs to rely on expert opinion. If one looks at the various methods that can be used, they can be positioned in a continuum depending upon the extent of knowledge that one has with regard to the outcome. While one end of the spectrum is complete knowledge, the other end is total lack of knowledge. In between lies the area that deals with problems whose outcome has varying degrees of uncertainty. The various methods used to model risks range from empirical analysis at one end of the spectrum to that based on expert statements and interviews on the other. The other methods like the Bayesian approach (causal modelling) fall somewhere in the middle of these two. (Refer: Enterprise Risk Management, An Analytical approach; Tilinghast-Towers Perrin, 1/2000).
  8. 8. AnapproachtoERMintheinsuranceindustry| 8 There is no straitjacket approach to modelling risks. Each of the methods has its advantages and disadvantages. The method to be chosen should depend upon the circumstances and data available. Measurement and evaluation phase After the risks have been modelled, we need to be able to identify the top risks for an enterprise. The risks identified need to be prioritized in the order in which they impact the enterprise. For this, the risks need to be linked to the financial metrics at the corporate level. What is required for this is a framework that links the risks to the financial metrics. However, the various risks that are modelled as articulated in the previous section may be expressed as different units. For e.g. the risk of competition that can be measured in terms of loss of sales volumes can be a probability distribution based on introduction of new technology, regulatory changes (de-regulation), attrition rate (especially of skilled workers) among others. The risks need to be combined to the extent possible and linked to the financial metrics of the company. Though the financial risks can be aggregated in at the enterprise level, the aggregation of operational risks poses a major challenge. There are no robust methods readily available to represent operational risks. For one, there is very little historical data available. Secondly, operational risks are addressed by changes in business processes, technology etc. They cannot be managed through hedging in the capital market. Let us try and illustrate this through a model for an insurance company that shows how the various components of business can be meshed together to map to the financial metrics. These components can be then mapped to the various risks that the enterprise is exposed to. Figure 4 shows the illustration. Once that is done, the various risks need to be classified as shown in figure 5 Risks which appear in the top two quadrants are highly critical and deserve special attention of the risk manager. The risks which are low on impact but high on control would require re-visiting as the control measures appear disproportionate with the exposure and may need toning down to save costs.
  9. 9. AnapproachtoERMintheinsuranceindustry| 9 Management & Monitoring After the top risks affecting an enterprise have been identified and prioritised, the focus shifts to effectively managing them. Broadly, the risk manager has four options to choose from - (i) Avoidance (ii) Retention (iii) Reduction and (iv) transfer Risk avoidance is the ideal way to manage any type of risk. But it is more impractical in business contexts. Risk Retention involves efforts to optimise the level of retention of risk within the company without exposing the organization to exposures beyond what is strategically acceptable. Retention is a key decision owing to the impact which it could make on the bottom line and the difficulty in arriving at the best possible retention level. Risk Reduction is the strategy adopted to contain the potential effects of any exposure. Risk reduction actions could include steps like altering the business process to reduce the exposures. Risk Transfer is the easiest to implement, but the most expensive option at the same time. The Risk Manager would choose one or a combination of the options to manage the identified risks. He has to strike a balance between the cost – benefit relationship of each option. In order to arrive at the best option, the current methods employed need to be studied in terms of their effectiveness for evaluating their capacity to cater to the future risk management requirements at the enterprise level. The foremost objective of ERM is enhancing shareholders value. However, the corporate objectives like maximizing growth and improving financial measures have to be taken into account at the same time. The steps of the Management process are shown in figure 6 The effect of a particular risk management strategy should translate to its effect on financial metrics of the enterprise. Monitoring The effectiveness of the risk management program depends on the speed with which it responds to the changes in the assumed scenarios. The environments in which most companies operate are so very dynamic that frequent revisions may be called for, to maintain the program in line with the changes in exposure. The best example is the recent development of terrorism exposures. In the aftermath of September 11, all the insurance companies radically reviewed their risk management programs. Monitoring process would include measuring the effectiveness of the current risk management program as well evaluating the risk factors to verify whether any change in the program is required. Major changes may need to go through the full ERM life cycle to get properly integrated. The monitoring process needs to be clearly defined at the time of formulation
  10. 10. AnapproachtoERMintheinsuranceindustry| 1 0 of the ERM plan. The roles and responsibilities of the people involved and the frequency, methodology and reporting of the monitoring process should be clarified and documented to stop inefficiency of implementation. 7. IMPLEMENTATION OF ERM Implementing ERM involves a lot of challenges as it requires a cultural change in the organisation. Unless the concept is well sold inside the organisation, one cannot hope to get the best results. Corporate communication plays a key role here. Enterprises which have successfully implemented ERM have carefully managed internal communication, awareness- building and training of resources. There are several impediments to the implementation process. The main hurdles include the following :  ERM objectives not in alignment with the corporate objectives  Lack of good decision support and statistical analysis tools / systems.  Cultural mis-matches  Operations in a highly underdeveloped market  Ambiguous organisational structure within the enterprise. 8. CONCLUSION ERM has made a considerable impact as a comprehensive risk management strategy. Insurance companies are yet to adopt this approach in a full measure. This would be more relevant to insurance carriers as their risk exposure is much more complex than those of other industries owing to the complication of accepted risks in addition to the organizational risk exposures. ERM as a strategic approach should be an avenue which insurance companies would need to explore, especially in the highly competitive and low-margin market conditions prevailing today. ERM needs to be culturally integrated into the enterprise. It is not a mere technique to manage risks, but a philosophy which suggests that risks needs to be identified, measured and managed with a holistic perspective. 9. REFERENCES : 1. Metzner Claude S. 2001, Enterprise Risk Management - An Insurance Company Perspective 2. Tillinghast Towers Perrin Enterprise Risk Management - An Analytical Approach 3. Holton Glyn A. Enterprise Risk Management, Contingency Analysis 4. Kessler Denis 2001 Anticipating and Managing Risks in the 21st Century, The Geneva Papers on risk and Insurance Vol. 26 5. Dickinson Gerry 2001 Enterprise Risk Management : Its origins and conceptual foundation, The Geneva Papers on Risk and Insurance Vol. 26 6. Tillinghast Towers Perrin Creating Value Through Enterprise Risk Management - A Practical Approach for the Insurance Industry Authors could be reached at or