https://www.podbean.com/media/share/pb-mcesh-15f7806
Feedback loops are increasingly seen as important in climate projections. Melting permafrost is expected to accelerate warming of the planet and release pathogens unknown to us today. By Max Rudolph.
https://www.podbean.com/media/share/pb-jmzzq-15de6f8
Four scenario examples leading to Regime Change from Neil Howe, Ray Dalio, Peter Zeihan and the IPCC show us how widely the disruptions can differ while consistently ending up with a big regime change in our near-term future. Part 2 of a four-part series. By Dave Ingram and Max Rudolph
Another Guest Post by ChatGPT
Whether it’s the regulatory landscape, organizational culture, or market conditions, the context in which an organization operates significantly influences its approach to managing risks. Context shapes every aspect of the risk management process, from identifying potential risks to implementing effective mitigation strategies. In the world of risk management, understanding the context is not just important—it’s essential.
Why Context Matters
Internal and External Environment: The context includes both internal factors, such as an organization’s structure and culture, and external factors, such as economic conditions, technological advancements, and regulatory requirements. These factors affect how risks are perceived, prioritized, and addressed.
Risk Perception and Evaluation: Different stakeholders may perceive the same risk differently based on their individual perspectives and experiences. For example, a risk that seems minor to a financial analyst might be considered significant by a safety officer. Understanding the context helps ensure that all relevant viewpoints are considered in the risk evaluation process.
Risk Mitigation Strategies: The effectiveness of risk mitigation strategies often depends on the specific circumstances surrounding a risk. For example, a strategy that works well in a stable market might be ineffective in a volatile one. Contextual awareness enables organizations to choose and adapt strategies that are appropriate for their particular situation.
Frameworks and Perspectives in Contextual Risk Management
Several frameworks and perspectives highlight the importance of context in risk management:
ISO 31000 Risk Management Framework: This framework emphasizes tailoring risk management to the organization’s context, considering both internal and external factors to ensure the effectiveness of risk management processes.
COSO ERM Framework: The COSO framework highlights the alignment of risk management with an organization’s strategy and performance, underscoring the importance of context in identifying and assessing risks.
Regulatory Requirements: Compliance with industry-specific regulations shapes the risk management context. For example, financial institutions must adhere to Basel III standards, which dictate specific risk management practices.
Organizational Culture: The culture of an organization, including its risk appetite and tolerance, influences how risks are managed. A strong risk culture fosters proactive risk management and open communication about risks.
Stakeholder Expectations: Understanding the expectations of various stakeholders, such as investors, customers, and employees, helps ensure that risk management aligns with their interests and concerns.
Technological Context: The rapid pace of technological change introduces new risks and opportunities. Organizations must consider their technological landscape, including cybersecurity threats and digital transformation initiatives, in their risk management strategies.
Incorporating Context into Risk Management
To effectively incorporate context into risk management, organizations can follow these steps:
Conduct a Contextual Analysis: Start by analyzing both the internal and external environment to identify factors that influence risk management. This includes assessing the regulatory landscape, market conditions, organizational culture, and technological advancements.
Engage Stakeholders: Involve stakeholders from different areas of the organization and external partners to gather diverse perspectives on risks and their potential impact. This helps ensure a comprehensive understanding of the context.
Tailor Risk Management Processes: Adapt risk identification, assessment, and mitigation processes to fit the specific context. This might involve using different risk assessment tools or modifying risk criteria based on the organization’s objectives and environment.
Monitor Changes in Context: Continuously monitor changes in the internal and external environment that could affect the organization’s risk profile. Stay agile and be prepared to adjust risk management strategies as the context evolves.
Communicate Contextual Insights: Share insights about the context and its implications for risk management with relevant stakeholders. Clear communication helps ensure that everyone understands the rationale behind risk management decisions.
Review and Update: Regularly review and update risk management practices to ensure they remain relevant and effective in the current context. This includes revising risk policies, procedures, and mitigation strategies as needed.
Conclusion
In conclusion, context is a critical factor in risk management decision-making. A deep understanding of the internal and external environment enables organizations to develop and implement risk management strategies that are tailored to their specific circumstances. By embracing a contextual approach, organizations can enhance their resilience, adaptability, and overall effectiveness in managing risks.
This post was created with a CustomGPT designed by RISKVIEWS. The GPT is called Risk Personalities Engine. To learn more about the Risk Personalities Engine. visit this page on the RISKVIEWS blog.
https://www.podbean.com/media/share/pb-vjyx3-15d6f83
When rates recently spiked it surprised many with direct and indirect implications. The market value of bonds decreased, and the price of replacement parts for autos increased. There are three ways that insurers can be affected by higher rates. Looking at past events help to prepare for similar tail events in the future. By Max Rudolph.
A Guest Post by ChatGPT
For Chief Risk Officers (CROs) navigating the complex and rapidly evolving landscape of risk in financial institutions, artificial intelligence (AI) presents a suite of powerful tools to enhance decision-making, improve risk assessment, and optimize risk management processes. AI’s capabilities can significantly impact various aspects of a CRO’s job, making it a pivotal ally in addressing strategic, operational, and financial risks.
AI can process vast amounts of data from diverse sources, including market trends, operational metrics, and social media, to identify and assess risks more efficiently than traditional methods. This capability allows CROs to detect emerging risks faster and with greater accuracy, facilitating proactive risk management. For instance, machine learning models can predict potential default risks by analyzing patterns in credit history, market conditions, and economic indicators, thereby enhancing the accuracy of credit risk assessments.
AI supports strategic decision-making by providing CROs with data-driven insights into risk-return trade-offs associated with different strategic choices. By simulating various scenarios and analyzing their potential impacts on the organization’s risk profile, AI helps CROs in making informed decisions that align with the company’s risk appetite and strategic objectives.
AI can automate the monitoring of operational risks by analyzing transaction patterns, employee activities, and compliance with procedures, identifying anomalies that may indicate fraud, errors, or inefficiencies. This real-time monitoring capability enables CROs to swiftly address operational risks, reducing potential losses and improving operational resilience. Furthermore, AI-powered process automation can streamline risk management processes, enhancing efficiency and reducing the likelihood of human error.
In the realm of financial risks, AI models excel at analyzing market data, economic indicators, and financial trends to forecast future market movements and assess the potential impact on the organization’s financial health. This analysis can include stress testing, value-at-risk (VaR) calculations, and sensitivity analyses, providing CROs with a comprehensive understanding of financial risks and the effectiveness of hedging strategies.
AI can also revolutionize risk reporting and communication by generating dynamic, real-time risk reports that offer insights into the current risk landscape. These reports can be tailored to different audiences, from the board of directors to operational teams, ensuring that all stakeholders have the information they need to understand and manage risks effectively.
For CROs, the adoption of AI in risk management offers a transformative approach to navigating the complexities of risk in the financial services industry. By enhancing risk assessment, supporting strategic decision-making, improving operational efficiency, and facilitating effective risk communication, AI enables CROs to manage risks more proactively and strategically. As the risk landscape continues to evolve, leveraging AI will be crucial for CROs aiming to foster a strong risk management culture and drive their organizations towards sustainable growth and resilience.
https://www.podbean.com/media/share/pb-tqu5x-15bb078
The 2024 survey sees respondents react to recent increases in specific risks as technology evolves and the environment moves away from the pandemic. The top 4 risks are the same as those seen in 2019. By Dave Ingram and Max Rudolph.
https://www.podbean.com/media/share/pb-v7mqb-155b778
New asset classes like junk bonds and subprime mortgages initially promised high returns without too much risk. Many investors were surprised to find that the risk premium was insufficient to provide for actual losses when they came. Modelers need to adjust for incomplete investment cycles that include only the positive part (e.g., high spreads) but not the defaults and liquidity crises typical at the end of a cycle. By Max Rudolph
https://www.podbean.com/media/share/pb-nw7u3-1581aab
Has any of your ERM program has been written down? Or is it at risk of being lost when a key player leaves the insurer? The Risk Management Framework document provides the RiskMaster Cheat Codes for understanding the overall ERM system and for specific topics like stress testing and risk reporting to allow a new risk team to start from a solid base should that be needed. It also can act as a cheat sheet for the Board to be able to participate in ERM discussions even though they do not live in the system. By Dave Ingram.
https://www.podbean.com/media/share/pb-c4r8z-156fb70
Climate change and population growth have stressed fresh water sources, leaving agriculture and coastal residents with opposing issues. While aquifers and rivers struggle, extreme weather and sea level rise provide an overabundance of water. Insurers increasingly are dealing with these extreme weather events that highlight the presence of too much water (hurricanes, inland flooding) or too little water (drought, fire). Today Max covers some existing issues while others will be emerging at a later time. By Max Rudolph
Again at the beginning of 2024, we polled a large group of insurance executives and asked them which of 48 risks taken from their risk registers do they expect will be more dangerous in the coming year.
Here is their response:
Down the full report:
Last Year’s Report:
https://www.podbean.com/media/share/pb-78duc-155b765
Resilience can be described as bending without breaking. There are four aspects of ERM that all need to be fully adopted to achieve this important result. By Dave Ingram.
https://www.podbean.com/media/share/pb-5d3r4-1544f79
It is commonly assumed that higher returns require higher risk to be accepted. Fear and greed may outperform over the short term but often the last investor in does poorly. Long periods of stimulus provide warning that economic cycles come to an end eventually. By Max Rudolph.
Have you listened to these ten popular Crossing Thin Ice Podcasts of 2023?
https://crossingthinice.podbean.com/
| Title | Released | Downloads |
| Spillover Diseases | Apr 07, 2023 | 207 |
| Telling Your ERM Story to Rating Agency | Jul 10, 2023 | 186 |
| Concentration | Aug 07, 2023 | 163 |
| Inflation – Most Dangerous Risk of 2023 | May 08, 2023 | 159 |
| Six Futures for ERM | Sep 11, 2023 | 156 |
| Super Volcano | Aug 21, 2023 | 153 |
| Three Levels of Stress | Jun 07, 2023 | 150 |
| Risk and Capital | Nov 06, 2023 | 136 |
| Fear vs. Danger | Apr 24, 2023 | 134 |
| Microplastics | Jun 19, 2023 | 126 |
Spillover Diseases – As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola.
Risk Reporting to Rating Agencies – Insurers view interactions with rating agencies with trepidation, but a strategy can be implemented for your presentation that gives the rating agency what they need to know to give a fair review.
Concentration Risk – Concentration is added by doubling down on things you do well. This two-part article considers strategic drivers that add to concentration and tactical methods to mitigate these risks.
Inflation – Emerging risks sometimes seem like they come out of a science fiction movie. Solar storms are more than just pretty northern lights. An impactful solar storm happened as recently as 1859. While some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did then.
Six Futures for ERM – Scenario based planning is good for forming company strategy and it can also be good for planning risk management. There are a number of ways that the future might play out for risk management and the likelihood of each of the six possibilities mentioned here has probably changed significantly because of our experiences over the past two years. Which future will you be prepared for and which would have been a total surprise if you hadn’t read this article?
Super volcano – A volcano erupts somewhere, on average, every week. Eruptions large enough to impact the global environment happen much less frequently, but they have happened. The “Year without a Summer” in 1815 affected crops and immigration, and similar events will happen again. These Super Volcanoes tend to have numerous knock-on effects.
Stress Testing – Three levels of Stress – Stress tests come in various levels of adversity; normal volatility, realistic disasters and worst case scenarios. Aligning the situation to the appropriate stress test is very important when managing an insurer. Regulators are less interested in how you manage day-to-day, more in scenarios that might result in insolvency.
Risk and Capital – Stakeholder perception about the appropriate level of risk and the corresponding capital level varies. Some insurers focus on optimizing income and disbursements, while others find their goals aligned by holding redundant capital. Here we consider the available options and the pros and cons of each.
“Fear vs. Danger” – Using rational thought to balance fear and danger, with an appropriate response, is hard. Having a process to think about how to react improves the likelihood of success.”
Microplastics – Tiny pieces of plastic are found in the ocean, soils and the human body. This can’t be good. Scientists are still learning about the implications of microplastics, but it’s clear that better recycling and reduced use of plastic bottles, fishing nets, micro beads and nurdles are a start.
https://www.podbean.com/media/share/pb-4bdz4-151ecf3
Radical changes in our Physical, Political, Economic and Social systems have been and will continue to buffet humanity. Every so often the combined result is a major change of regime in which new patterns for each of these systems develops and persists for some time creating a new normal. We make the case that this is coming in our world. By Max Rudolph and Dave Ingram
https://www.podbean.com/media/share/pb-kwyv3-1516af7
It is quite tempting, when interest rates are so very low, to take on debt just because you can. But that might not be the best thing for an organization, especially from a risk/reward perspective. Leverage, or borrowing, can have a major impact on the risk profile of an organization that is not usually considered when talking about risk management. Leverage, it turns out, is actually the flip side of risk management. By Dave Ingram
https://www.podbean.com/media/share/pb-pspyx-14eacbb
No one is arguing anymore that the planet is not getting hotter, but what are the limits to temperature rise for humans survival? The ramifications for those who live in poverty in tropical zones is that they will need to move because of the heat. The alternatives are unacceptable. The world needs a plan to deal with massive climate migration. By Max Rudolph.
https://www.podbean.com/media/share/pb-v9zvq-14d6998
Stakeholder perception about the appropriate level of risk and the corresponding capital level varies. Some insurers focus on optimizing income and disbursements, while others find their goals aligned by holding redundant capital. Here we discuss several broad choices for the level of capital and the pros and cons of each based upon common business objectives. By Dave Ingram.
Crossing Thin Ice ERM podcast series started in March 2023. Through the end of October 2023, there have been over 2300 downloads.
Here are the ten most popular:
These are all available at https://crossingthinice.podbean.com/ along with links to Apple, Google, Spotify, Amazon and 5 more podcast distributors.
Historically, scenarios have focused on one assumption at a time but that is not realistic in today’s quickly evolving world. Risk interactions are very important considerations and impact scenario assumptions dynamically. Three narrative scenarios that interact between financial and non-financial risks are discussed. By Max Rudolph.
https://www.podbean.com/media/share/pb-qr47i-14c51f9
Enterprise Risk Management is practiced in different ways by insurers. Some focus on the basics while others consider ERM as a strategic strength. In a recent survey, ARM asked what is most important to them about ERM.
The findings are that what S&P thought of as the most advanced ERM objective, Strategic Risk Management, is a lower priority to many insurers. Perhaps this is a sign of the (very uncertain) times.
For more on Strategic RIsk Management
https://www.podbean.com/media/share/pb-vzfk7-14a3809
Prior to 2019, Pandemic was the most studied emerging risk. And now that one has happened, it is time to study our reactions to COVID. In this podcast, we look at the reactions that people typically have to near death experiences and find that they are similar to the reactions that companies are having to COVID. Several very different reactions have been observed, but only one has a lasting favorable impact on the risk management program. By Dave Ingram
https://www.podbean.com/media/share/pb-553wy-149ed71
Scenario based planning is good for forming company strategy and it can also be good for planning risk management. There are a number of ways that the future might play out for risk management and the likelihood of each of the six possibilities mentioned here has probably changed significantly because of our experiences over the past two years. Which future will you be prepared for and which would have been a total surprise if you hadn’t listened to this podcast? By Dave Ingram
https://www.podbean.com/media/share/pb-5g9b6-14789a1
A volcano erupts somewhere, on average, every week. Eruptions large enough to impact the global environment happen much less frequently, but they have happened. The “Year without a Summer” in 1815 affected crops and immigration, and similar events will happen again. These Super Volcanoes tend to have numerous knock-on effects. By Max Rudolph
https://www.podbean.com/media/share/pb-nfa83-146f322
Concentration is added by doubling down on things you do well. This two-part article considers strategic drivers that add to concentration and tactical methods to mitigate these risks. By Dave Ingram and Max Rudolph.
https://www.podbean.com/media/share/pb-83zhp-1457084
When a catastrophic event hasn’t happened since 1700 there is not much historical data to aid those who live there or insure residents. Here are some of the basic concerns. By Max Rudolph
https://www.podbean.com/media/share/pb-che39-144bbd3
There is a story about ERM that most insurers can tell. A story with four chapters: ERM Framework, Individual Risks, Aggregate Risk & Capital and the ERM Journey. Usually there isn’t enough time to tell the the ratings analyst all four chapters, so you have to choose.
This is a story that I have told privately many times over the years based upon my experiences as the first rating agency ERM specialist at S&P and as an advisor to insurers who are preparing to present.
https://www.podbean.com/media/share/pb-5vz5q-1434294
Tiny pieces of plastic are found in the ocean, soils and the human body. This can’t be good. Scientists are still learning about the implications of microplastics, but it’s clear that better recycling and reduced use of plastic bottles, fishing nets, micro beads and nurdles are a start. By Max Rudolph
Prior Emerging Risks Podcasts
Episode 10. Solar Storms
Solar storms are more than just pretty northern lights. A high impact solar storm happened as recently as 1859. Then, some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did in 1859. That is exactly what we try to do in this podcast.
Episode 7. Spillover Diseases
As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph
Episode 5. Bacterial Antimicrobial Resistance
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers. By Max Rudolph
https://www.podbean.com/media/share/pb-b9eqk-141c0a3
Stress tests come in a wide variety of levels of adversity. This podcast suggests that we all should focus on just three: normal volatility, realistic disasters and worst case scenarios. Aligning the appropriate stress test to the audience is very important when managing risk for an insurer. Management, Boards and Regulators will each find something to like with these three levels of stress. By Dave Ingram
https://www.podbean.com/media/share/pb-87fck-140cc58
Risk managers have a difficult job, anticipating risk events and interpreting how they interact and aggregate with internal exposures. Emerging risks play a key role in this analysis. One such emerging risk, Solar Storms, is much more than just pretty northern lights. An impactful solar storm happened as recently as 1859. Then, some problems with telegraph wires were reported, just imagine how much more we depend upon electronics now than we did in 1859. That is exactly what we do in this podcast.
https://www.podbean.com/media/share/pb-34vde-13e5c6e
A deep dive into the risk selected as the Most Dangerous of 2023. We compare recent inflation spikes against past events, look at the drivers of the current bout of inflation, the impact on the insurance industry along with the most common responses. In addition, we also invert the question and consider what would cause future inflation to be very low. By Dave Ingram and Max Rudolph
https://www.podbean.com/media/share/pb-xx6kb-13dc9a1
Fear or Danger is a false choice. But using rational thought to balance fear and danger, and find an appropriate response, is very difficult. This repeatable process for thinking through how to react can improve your likelihood of success. By Dave Ingram.
This podcast refers to an article “Risk Intelligence” in the magazine Contingencies. You can read that article here.
Or is the target the problem?
Central bankers are doing all that they can to get inflation back to NORMAL, where in their minds, NORMAL is 2% inflation.
But what if, as many of us seem to be experiencing, the world is still going through some pretty extensive upheavals. And as those upheavals play out, the “natural” result would be for some major adjustments in the prices of a variety of things, especially the price of an employee’s time, that when measured by our inflation metrics result in a rebalancing which looks like 4% inflation. And what if that rebalancing is a force, like the forces that cause earthquakes, that will happen sooner or later whether we wish them to or not.
Let’s look at the wage thing in this context.
What happened in the US over the past several years to employment is very different from our experience over the history of the country. First of all, the retirement wave of the Baby Boomers had started. During the Pandemic, those retirements started to accelerate, in some situations, retirements doubled over a short time period. Increases in retirements often happen during a recession when unemployment rises as older folks at or near retirement age lose their jobs and decide that they might as well just retire. But the Pandemic was not a normal recession. The shutdowns were very temporary and were followed by rapid reopenings in many sectors. So employers needed to scramble to fill in for the retiring seniors. Meanwhile, many people (as well as businesses, government entities and other organizations) received cash assistance during the pandemic. Which made some less likely to take undesirable positions that they otherwise might have felt compelled to take.
With the openings due to retirements occurring at all levels, unemployed folks would have “moved up” the employment ladder to take as high paying of a job as they could qualify for. And some businesses have shifted to actually hiring people who may have the potential to fill a position, after training. That is an almost totally forgotten way of hiring – most employers have been doing decades of just in time = perfect fit – hit the ground running hiring.
Its a new world out there.
A new Insurance ERM Podcast
A discussion of Risk and Risk Management from the perspective of an Insurance company risk manager. Insurers provide products that help everyone to manage their risks. Here you will hear Dave Ingram and Max Rudolph, actuaries from the global consultancy Actuarial Risk Management talk about the sorts of things that keep those insurance company risk managers up at night. Or at least they should.
From Actuarial Risk Management
Available at https://crossingthinice.podbean.com/
And through your favorite podcast service:
Episodes Available Now:
Episode 1: Narrative Scenarios https://crossingthinice.podbean.com/e/narrative-scenarios/
The current real life scenario combines a pandemic, weather events, supply chain issues, inflation and a regional war all at the same time. Multi risk scenarios can provide major insights about a firm’s resilience that do not necessarily happen with single risk scenarios or even with stochastic models. You may not agree with all of them. They are meant to encourage you to think rather than to be predictive.
Episode 2: Three Little Pigs https://crossingthinice.podbean.com/e/three-little-pigs/
When you encounter vastly different risk-taking behaviors at two different businesses, you shouldn’t automatically presume that they are driven by totally different risk tolerances. In some cases they are actually the result of similar risk tolerances and major disagreements in risk assessment. Just ask the Three Little Pigs.
Episode 3: Moderately Adverse Conditions https://crossingthinice.podbean.com/e/moderately-adverse-conditions/
We have generally used a continuation of the current environment as our base assumption. But now, with the encouragement of the NY DFS, that is being treated as worse than “Moderately Adverse” scenario. Insurers need to develop a robust set of stress scenarios to test reserve adequacy that include continuation of current conditions and a variety of variations in experience, not just interest rates.
Episode 4: Learning from Loss https://crossingthinice.podbean.com/e/learning-from-loss/
A major loss often causes management to question past decisions. They might even reverse some of them, but this may be an overreaction. The Chief Risk Officer improves the discussion by bringing a systematic review of the risk related decisions that preceded the loss. In many cases potential problems can be fixed without taking drastic and dramatic actions.
Episode 5: Bacterial Antimicrobial Resistance https://crossingthinice.podbean.com/e/bacterial-antimicrobial-resistance/
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers.
Episode 6: Most Dangerous Risks https://crossingthinice.podbean.com/e/most-dangerous-risks/
Over 200 respondents in the 6th annual Dangerous Risks to Insurers Survey reordered the top risks of 2023, with Inflation swapping with Cybersecurity and cybercrime for the top spot, and Global/National recession moving into the top 5 at #3.
Episode 7: Spillover Diseases https://crossingthinice.podbean.com/e/spillover-diseases/
As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph
Episode 8: Fear vs. Danger https://www.podbean.com/media/share/pb-xx6kb-13dc9a1
Fear or Danger is a false choice. But using rational thought to balance fear and danger, and find an appropriate response, is very difficult. This repeatable process for thinking through how to react can improve your likelihood of success. By Dave Ingram.
Episode 9: Inflation – Most Dangerous Risk of 2023 https://crossingthinice.podbean.com/e/inflation-most-dangerous-risk-of-2023/
A deep dive into the risk selected as the Most Dangerous of 2023. We compare recent inflation spikes against past events, look at the drivers of the current bout of inflation, the impact on the insurance industry along with the most common responses. In addition, we also invert the question and consider what would cause future inflation to be very low. By Dave Ingram and Max Rudolph
Don’t miss out. Make sure that you subscribe – new podcasts will be published twice a month.
https://www.podbean.com/media/share/pb-mtzhs-13d6861
As humans encroach on new ecosystems diseases found in animals and birds can jump to a new home inside us. We think about coronavirus and influenza but should monitor closely diseases like bird flu and Ebola. By Max Rudolph
https://www.podbean.com/media/share/pb-54pkj-13c2ffd
Over 200 respondents in the Dangerous Risks to Insurers Survey reordered the top risks, with Inflation swapping with Cybersecurity and cybercrime, and Global/National recession moving into the top 5 at #3.
https://www.podbean.com/media/share/pb-fjc7p-13a4a76
This podcast is a challenge for you to consider something that is likely not yet on your risk register. Could the spread of bacteria with resistance to antibiotics have an impact on your business plans? We provide some questions that you might ask as well as some preliminary answers.
The new risk at the top of the Dangerous Risks poll is not surprise to anyone.
Cybersecurity remains in the top five, while Recession has broken into the number 3 slot.
Here is the entire report.
https://www.podbean.com/media/share/pb-3347a-139b504
A major loss often causes management to question past decisions. They might even reverse some of them, but this may be an overreaction. The Chief Risk Officer improves the discussion by bringing a systematic review of the risk related decisions that preceded the loss. In many cases potential problems can be fixed without taking drastic and dramatic actions.
https://www.podbean.com/media/share/pb-r52jb-138cae5
We have generally used a continuation of the current environment as our base assumption. But now, with the encouragement of the NY DFS, that is being treated as worse than “Moderately Adverse” scenario. Insurers need to develop a robust set of stress scenarios to test reserve adequacy that include continuation of current conditions and a variety of variations in experience, not just interest rates.
https://www.podbean.com/media/share/pb-e8t2j-1375fd9
When you encounter vastly different risk taking behaviors at two different businesses, you shouldn’t automatically presume that they are driven by totally different risk tolerances. In some cases they are actually the result of similar risk tolerances and major disagreements in risk assessment. Just ask the Three Little Pigs.
Over the past several years, an anthropologist (Thompson), a control engineer (Beck) and an actuary (Ingram) have formed an unlikely collaboration that has resulted in countless discussions among the three of us along with several published (and posted) documents.
Our work was first planned in 2018. One further part of what was planned is still under development — the application of these ideas to economic thinking. This is previewed in document (2) below, where it is presented as Institutional Evolutionary Economics.
Here are abstracts and links to the existing documents:
Still to be completed is the full exposition of Institutional Evolutionary Economics that is previewed in Section 1 of Modeling the Variety of Decision Making (Item 2 above).
Do you notice anything unusual in the graph above that occurred in the first quarter of 2022? This graph says that in January about 6% of Americans were sick. That is about 25% of all of the COVID infections over the past 26 months. Other than January 2022, COVID infections averaged 2.4 million per month.
First quarter GDP fell by 1.4% in 2022.
I would bet that some of the GDP drop was due to the absolutely extraordinary level of illness in the first quarter.
I hadn’t noticed any commentary that agrees with this point. But I am guessing that since we are all feeling that we have turned the corner on COVID, we are deliberately putting it out of our minds. Which may cause us to draw erroneous conclusions about what is happening with the economy and take actions to fix something that may have been driven to some extant by the pandemic, not some other type of weakness in the economy.
Knowing the amount of surplus an insurer needs to support risk is fundamental to enterprise risk management (ERM) and to the own risk and solvency assessment (ORSA).
With the increasing focus on ERM, regulators, rating agencies, and insurance and reinsurance executives are more focused on risk capital modeling than ever before.
Risk – and the economic capital associated with it – cannot actually be measured as you can measure your height. Risk is about the future.
To measure risk, you must measure it against an idea of the future. A risk model is the most common tool for comparing one idea of the future against others.
Types of Risk Models
There are many ways to create a model of risk to provide quantitative metrics and derive a figure for the economic capital requirement.
Each approach has inherent strengths and weaknesses; the trade-offs are between factors such as implementation cost, complexity, run time, ability to represent reality, and ease of explaining the findings. Different types of models suit different purposes.
Each of the approaches described below can be used for purposes such as determining economic capital need, capital allocation, and making decisions about risk mitigation strategies.
Some methods may fit a particular situation, company, or philosophy of risk better than others.
Factor-Based Models
Here the concept is to define a relatively small number of risk categories; for each category, we require an exposure metric and a measure of riskiness.
The overall risk can then be calculated by multiplying “exposure × riskiness” for each category, and adding up the category scores.
Because factor-based models are transparent and straightforward to apply, they are commonly used by regulators and rating agencies.
The NAIC Risk-Based Capital and the Solvency II Standard Formula are calculated in this way, as is A.M. Best’s BCAR score and S&P’s Insurance Capital Model.
Stress Test Models
Stress tests can provide valuable information about how a company might hold up under adversity. As a stand-alone measure or as an adjunct to factor-based methods, stress tests can provide concrete indications that reflect company-specific features without the need for complex modeling. A robust stress testing regime might reflect, for example:
Worst company results experienced in last 20 years
Worst results observed across peer group in last 20 years
Worst results across peer group in last 50 years (or, 20% worse than stage 2) Magnitude of stress-to-failure
Stress test models focus on the severity of possible adverse scenarios. While the framework used to create the stress scenario may allow rough estimates of likelihood, this is not the primary goal.
High-Level Stochastic Models
Stochastic models enable us to analyze both the severity and likelihood of possible future scenarios. Such models need not be excessively complex. Indeed, a high-level model can provide useful guidance.
Categories of risk used in a high-level stochastic model might reflect the main categories from a factor-based model already in use; for example, the model might reflect risk sources such as underwriting risk, reserve risk, asset risk, and credit risk.
A stochastic model requires a probability distribution for each of these risk sources. This might be constructed in a somewhat ad-hoc way by building on the results of a stress test model, or it might be developed using more complex actuarial analysis.
Ideally, the stochastic model should also reflect any interdependencies among the various sources of risk. Timing of cash flows and present value calculations may also be included.
Detailed Stochastic Models
Some companies prefer to construct a more detailed stochastic model. The level of detail may vary; in order to keep the model practical and facilitate quality control, it may be best to avoid making the model excessively complicated, but rather develop only the level of granularity required to answer key business questions.
Such a model may, for example, sub-divide underwriting risk into several lines of business and/or profit centers, and associate to each of these units a probability distribution for both the frequency and the severity of claims. Naturally, including more granular sources of risk makes the question of interdependency more complicated.
Multi-Year Strategic Models with Active Management
In the real world, business decisions are rarely made in a single-year context. It is possible to create models that simulate multiple, detailed risk distributions over a multi-year time frame.
And it is also possible to build in “management logic,” so that the model responds to evolving circumstances in a way that approximates what management might actually do.
For example, if a company sustained a major catastrophic loss, in the ensuing year management might buy more reinsurance to maintain an adequate A.M. Best rating, rebalance the investment mix, and reassess growth strategy.
Simulation models can approximate this type of decision making, though of course the complexity of the model increases rapidly.
Key Questions and Decisions
Once a type of risk model has been chosen, there are many different ways to use this model to quantify risk capital. To decide how best to proceed, insurer management should consider questions such as:
In answering these questions, it is important to consider the intended applications. Will the model be used to establish or refine risk appetite and risk tolerance?
Will modeled results drive reinsurance decisions, or affect choices about growth and merger opportunities? Does the company intend to use risk capital for performance management, or ratemaking?
Will the model be used to complete the NAIC ORSA, or inform rating agency capital adequacy discussions?
The intended applications, along with the strengths and weaknesses of the various modeling approaches and range of risk metrics, should guide decisions throughout the economic capital model design process.
In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.
It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.
In 2005, Standard & Poor’s called the process “Strategic Risk Management”.
“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.“
The Risk Reward Management process is nothing more or less than looking at the expected reward and loss potential for each major profit-making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.
At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.
Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.
There are several common activities that may support the macro- level risk exploitation.
Economic Capital
Economic capital (EC) is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.
Risk-adjusted product pricing
Another part of the process to manage risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.
Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.
Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk- adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.
For non-life insurers, Risk Reward Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.
Insurers that do not practice Risk Reward Management usually fail to do so because they do not have a common measurement basis across all of their risks. The decision of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.
Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.
Risk Reward Management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.
Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.
The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.
Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.
This multi year view of capital usage does in fact apply to non-life products where the claims are not fully settled in the calendar year of issue.
Pitfalls of Risk Reward Management
In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find it self quickly in major trouble.
Even without major deviations of experience, the Risk Reward Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.
Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition, management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Reward Management process.
| The Joint Risk Management Section of the Canadian Institute of Actuaries, the Casualty Actuarial Society, and the Society of Actuaries will oversee an online survey to help understand individual risk managers’ perspectives on emerging risks. We value insights from all levels of experience and background and invite you to participate in this annual survey. Please complete this survey by Nov. 22nd. It should take about 15 minutes to complete. We hope you will share your thoughts and experiences in comment boxes. Responses from more than one risk manager within the same company are encouraged. All responses are anonymous. Thanks to the SOA Reinsurance and Financial Reporting Sections for supporting this research. If you have questions about the survey, please contact Jan Schuh at the SOA Research Institute, jschuh@soa.org. |
Take Part in the 15th Survey of Emerging Risks Click here to participate |
   |
You can see last year’s Emerging Risks Report HERE.
Many of the most serious problems that have beset firms have not been repeats of past issues but very new situations. Emerging risks is one description that is used to refer to these “unknown unknowns.” It is simply not sufficient for an ERM program to fully master the control of potential losses from the risks that are known to exist right now. Many would consider the current financial crisis to be the result of emerging risks that were not sufficiently anticipated. Emerging risks may be unknown, but their consequences are real and insurers need to actively prepare for them.
Management should be monitoring and controlling the known risks. Emerging risks management is concerned with the impact of completely new or extremely rare adverse events. These risks cannot be managed via a control process. Monitoring systems would not show any results. But there are ways that the best- practice firms address emerging risks.
Emerging risks may appear suddenly or slowly, are difficult to identify, and often represent a new idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is not proven. An example from the past is asbestos or silicone liabilities. Other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. The recent problems experienced by banks and other financial firms resulting from mortgage losses could be classified as emerging risks.
For these risks, normal risk identification and monitoring will not work because the frequency is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on businesses and therefore cannot be excluded from a solid risk management program. Specific strategies and approaches must be implemented to cope with them properly.
Emerging risks can be unknown to the corporate body or merely unknown to the main decision takers. The O-ring problem was known about before disaster hit the US space shuttle Challenger in 1986 – just not known in a way that helped. When considering emerging risks, we need to consider communication to, and within, the corporate body. A good ERM approach should be able to handle both these aspects.
Emerging risks management will include a process of early warnings that will allow company management to anticipate disasters, however short the period of notice. Such a firm will have an inclusive approach to identifying and evaluating risk. This inclusiveness will encourage employees to express concerns openly, it will lead to the ability to learn from others’ experiences and it will allow a constructive approach to intelligence-gathering of both hard and soft information. A firm with good emerging risks management would expect to perform thorough post-mortem analyses of problem situations and would feed the results of that analysis back into its on-going disaster-planning process.
While the best ERM programs will often have a comprehensive emerging risks process, that process is not well served by a routine checklist. A company with excellent extreme-event management practices will instill and sustain a decidedly non-routine, imaginative flavor into its process.
Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability, are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management processes take over for risks that do not currently exist but that might emerge at some point due to changes in the environment.
Emerging risks may appear abruptly or gradually, are difficult to identify, and may for some time represent a hypothetical idea more than factual circumstances. They often result from changes in the political, legal, market or physical environment. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. For these risks, normal risk identification and monitoring will not work because the likelihood is usually completely unknown.
Nevertheless, past experience shows that when they materialize, they can have a significant impact on insurers and therefore cannot be excluded from a solid risk management program. So insurers have implemented unique specific strategies and approaches to cope with them properly.
Identifying Emerging Risks
Developing an early warning system for emerging risks that methodically identifies potential new risk factors either through internal or external sources is very important. To minimize the uncertainty surrounding these risks, insurers will consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit the growth of exposure as the evidence becomes more and more certain. However, insurers practicing this discipline will need to be aware of the cost of false alarms.
Assessing Their Significance
Parties should assess the relevance (i.e. potential losses) of the emerging risks linked to a company’s commitment— which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the firm.
For an insurer, the degree of concentration and correlation of the risks that they have taken on from their customers are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company may not be as important.
On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are highly interdependent. When developing extreme scenarios, some degree of imagination to think of unthinkable interdependencies could be beneficial.
A further practice of insurers is to sometimes work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions.
In addition, just as investment limits might restrict an insurer’s debt or equity position as a percentage of a company’s total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.
Define Appropriate Responses
Responses to emerging risks might be part of the normal risk control process, i.e. risk mitigation or transfer, either through reinsurance (or retrocession) in the case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging.
When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant losses, which can strain a company’s liquidity. Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways for insurers to manage a liquidity crisis.
Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.
Advance Warning Process
For emerging risks the response plans developed as described above would often not be implemented immediately. Their implementation would often be deferred until a later date when the immanence of the emerging risk is more certain. For the risks that have been identified as most significant and where the insurer has developed coherent contingency plans, the next step is to create and install an advanced warning process.
To do that, the insurer identifies key risk indicators that provide an indication of increasing likelihood of a particular emerging risk. These key risk indicators are tracked and compared to a trigger point that has been identified in advance. The trigger point might be set at the point when it is thought that action is needed, but more likely it triggers a new round of investigation of both potential impact and responses.
Learn
Finally, sound practices for managing emerging risks include establishing procedures for learning from past events is important. The company should identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.
All of these steps can be applied by any firm in any sector with some adaptation.
For an insurer who has just completed the initial stages of ERM development, the risk management framework is a statement of what was decided for each of those steps:
This structure should provide the board with an on- going view of corporate risk profile.
As the insurer develops its ERM process further into additional ERM practices, the risk management framework is also extended to include statements about the objectives of those practices within the insurer’s program.
An insurer who is preparing for an Own Risk and Solvency Assessment (ORSA) should strongly consider having an additional set of associated policies.
Insurance Risk Policy
This policy sets out the identification, measurement, mitigation and reporting stages associated specifically with insurance risk. It is a statement of the types and amounts of insurance coverage that the insurer will write as well as the methods that the insurer will use to select the specific risks.
Processes should be defined for measuring these risks such as monitoring and reporting aggregate claims experience. Mitigation practices should be set to keep the insurance risk within the boundaries that management has set in the form of appetites, tolerances and limits.
The insurance policy statement will also likely set out the approval and exception authority structure used by the company as well as the notification requirements for breaches of the policy.
This breach process establishes expectations for actions to be taken in the event of significant deviations between actual and expected claims.
The insurance rate setting process will also be described, as well as who has the responsibility of determining initial and final rates.
Investment Risk Policy
The investment risk policy is a fraternal twin to the insurance policy. It defines the approval process for accepting types and amounts of investment risk. It also sets mitigation practices to be used and authorities for approvals and exceptions.
These should all be consistent with the risk appetite, tolerance and limit statements of the insurer.
The investment policy should set forth communications requirements on investment risk exposures and emerging experience in terms of timing and audience for that communication.
Expectations for actions in the event of deviations from the policy and/or from investment losses or under-performance are also set out here.
ALM Policy
An asset/liability management—or ALM—policy is an expectation of regulators, but such a policy is primarily a concern for life insurers whose products are often inherently linked to investment performance.
For non-life insurers, the ALM policy can usually be expressed as a short paragraph in the investment risk policy.
This paragraph should set forth the targets for investment cashflows and should also address tolerance for liquidity risk.
Risk Appetite, Tolerance and Limit Statements
Regulators and rating agencies all expect that insurers will have an articulated statement about their objectives with regard to risk taking. This includes both quantitative restrictions on the aggregate amount of risk that is retained and not fully mitigated and qualitative restrictions on the risks that will be taken.
In most cases, the quantitative risk appetite statements is likely to be qualified by both amount and likelihood.
For example, a company may seek to take risks to maintain a maximum net 1 in 10 year underwriting value at risk (Var) of £10m.
This target defines limits for the gross underwriting risk which can be written at business unit level. Importantly, it also defines an important input into the reinsurance decision-making process.
Own Risk and Solvency Assessment (ORSA)
In the U.S. insurers that must file an ORSA are asked to include the following elements of an ERM Framework:
• Risk Culture and Governance – Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.
• Risk Identification and Prioritization – Risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.
• Risk Appetite, Tolerances and Limits – A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.
• Risk Management and Controls – Managing risk is an ongoing ERM activity, operating at many levels within the organization.
• Risk Reporting and Communication – Provides key constituents with transparency into the risk-management processes and facilitate active, informal decisions on risk-taking and management.
Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles; many of which are part-time additions to already full time positions, while some are full time risk management only roles. Smaller organizations tend to need an ERM operation with all part-timers. We will call the former “Group ERM” programs and the latter “Company ERM”.
The organizing process always begins with two roles – the senior sponsor and the risk officer. During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1]. The Executive Sponsor initiates a project and gets appropriate resources and budget for the project. The Project Manager runs the project on a day-to-day basis. During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks. When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team.
The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO).
The CRO differs from organization to organization, but generally have some or all of these responsibilities:
Each of these will be discussed in following sections of this chapter.
The Chief Risk Officer may report directly to the CEO or, more often to the Chief Financial Officer. Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary.
The CRO has a wide variety of roles. First and foremost, the CRO provides leadership and vision for the organization’s ERM program. They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision. The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system. This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture. The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization. The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary.
The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance. This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital. This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital.
The CRO is the leader of value added risk management. That means using the information from the ERM system to help the growth of the firm’s risk adjusted value. That requires some version of risk-adjusted financial results for various business units, territories and/or products. The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.
The CRO is the champion for the Value Added ERM, a major part of the implementation, as well as in explaining the idea and the results to stakeholders. A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation. The CRO may be responsible to perform analysis of risk-adjusted plan proposals and act as a resource to business units for developing risk-adjusted proposals. As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance.
The CRO’s wide range of responsibilities means that there is no single route to the position. A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting.
Most organizations form one or more risk management committees with a major role in the ERM framework. There are three main reasons: To provide support and assistance for the CRO, to help keep the ERM process realistic (i.e. Intelligent ERM above); and, to direct the application of resources for ERM activities that are outside of the risk management department.
Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report. The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee.
The exact responsibilities of the Risk Committee will vary by organization. The four most common and most important responsibilities are:
The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization. This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization. Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises.
The Risk committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board. These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department. The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO. The new responsibilities and authorities of the CRO are often completely new activities for an organization, or, they may include carving some responsibilities and authorities out of existing positions. The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions. The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants.
In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee. For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners. The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite.
Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented. As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required. In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered. These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable. And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic.
Other topics that may be of concern to the Risk Committee include:
Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies. In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program.
Many organizations assign a single person the responsibility for each major risk. Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].
Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most of ten should the most effective way to manage a risk.
The Risk Owner’s role varies considerably depending upon the characteristics of the risk.
Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management. That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment officers are often the owners of Investment risks. However, risk structuring, in the form of setting the terms and conditions of the insurance contract is a key risk mitigation effort, and may not be part of the Chief Underwriter role. On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area. Other risk mitigations, through reinsurance and hedging could also be within or outside of these areas. Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks are collaborative among several company officers. In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks. The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments.
Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated. Often the risk owners for Operational risks are managers in various parts of the organization.
Strategic risks are usually accepted through a firm’s planning process. Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm.
The Risk Owner may be responsible to make a periodic Report on the status of their risk and Risk Management to the governing Board. This report may include:
In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person. The CRO will gain an assistant and eventually an entire department. The risk management department serves primarily as support staff for the CRO and Risk Committee. In addition, they may also be subject matter experts on risk management to assist Risk Owners. Usually, the risk management department also compiles the risk reports for the risk committees and Board. They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.
Internal Audit often has an assurance role in ERM. They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches.
If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between compliance role and advisory role of the risk management department. Compliance is the natural role of Internal Audit and giving this role to Internal Audit allows risk management to have more of a consultative and management information role.
In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”
This approach is often coupled with a compliance role for the board audit committee.
When internal audit is involved in this manner, there is sometimes a question about the role’s scope. That question is: whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role reviewing the ERM Framework itself? To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].
It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board,CRO, and front line management, but not to mention any specific part for the CEO.
“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)
Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual. While his position is an extreme that is not accepted by most CEO’s of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea.
For the CRO and the ERM program to be effective, the organization needs clarity on the aspects of risk management which the CEO is directly delegating his or her authority to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners. Leading up to the financial crisis of 2008, the authority for some risk decisions were not clearly delegated to either the CRO or the Risk Owners in some banks, and CEO’s remained aloof from resolving the issue[5].
[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,
[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001
[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)
[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)
[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)
Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applied to risk as well as it does to other more commonly measured things like sales, profits and expens es .
Regulators take a similar view; what gets measured should get managed. ORSA f rameworks aim to support prospective solvency by giving management a clear view of their on-going corporate risk positions.
This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.
From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.
The Need to Measure Up
Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identif ied.
Almost every CEO can cite the company’s latest f igures f or sales, expenses and profits, but very few know what the company’s risk position might be.
Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.
Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses:profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.
Risk, on the other hand, is all about things that might happen in the f uture: specif ically, bad things that might happen in the f uture.
Arisk measure reflects an opinion about the size of the exposure to f uture losses. All risk measures are opinions; there are no f acts about the f uture. At least not yet.
Rationalizing Risk
There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.
That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.
To achieve this objective, risk measures need to be consistent from period to period. They need to increase when volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes .
Good risk measures provide a projected outcome; but in some
cases, such calculations are not available and risk indicators must be used instead.
Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.
For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking act ivit ies .
With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.
Value at Risk
The most common such measure is called value at risk (VaR). If the risk model is run with a random element, usually called a Monte Carlo or stochastic model, a 99% VaR would be the 99th worst result in a run of 100 outcomes, or the 990th worst out of 1000.
Contingent Tail Expectation
This value might represent the insurer’s risk capital target.Asimilar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).
The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.
Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.
In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.
Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.
Key Risk Indicators
Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.
For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be dif f icult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic f orecasts as risk indicators.
Of course,simplymeasuringriskisinsufficient.Theresultsof themeasurementmustbecommunicatedto people who can and will use the risk information to appropriately steer the future activity of the company.
Risk Dashboard
Simple charts of numbers are sufficient in some cases, but the state of the art approach to presenting risk measurement information is the risk dashboard.
With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.
The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.
Dashboard Example
Enterprise Risk Management practice is different at different insurers. Partly that is driven by the different cultures and missions of insurers. For the most part, those differences can be seen to be driven by the choices that management makes of whether to emphasize one, two or all three of the following three parts of insurer ERM.
1. Individual risk management
Insurers practiced risk management long before they adopted enterprise risk management. With individual risk management (IRM), the insurer enables the organization to raise the risk management activities relating to all of the key risks of the organization up to a high and effective level of practice.
IRM includes the identification, assessment and prioritization of key risks followed by the addition of more formal control processes, including decisions to mitigate, transfer, accept, limit or exploit each of the key risks. It also includes periodic reporting on those processes.
The result of an IRM function will be a transparent and disciplined approach to all of an organization’s key risks. This is often called a bottom-up risk management process as well. ERM standards such as COSO and ISO31000 promote an individual enterprise risk management process.
2. Aggregate risk management
Insurers generally know how their capital compares to regulators’ minimum requirements and/or the level of capital rating agencies require for their preferred rating. With aggregate risk management (ARM), these standards are recognized as outsiders’ views of the insurer’s aggregate risk.
ARM functions treat the combined total of all of the key risks of the firm as another candidate for a transparent and disciplined control process. An insurer will use one or a series of risk models to evaluate the amount of aggregate capital needed to provide security for the risk exposure and an aggregate risk appetite and tolerance to help articulate the company’s expectations for capital levels in aggregate control processes.
Regulatory and rating agency requirements often focus primarily on this ERM function. The result of the ARM function is a deliberate process for managing the relationship between the risks that are retained by the insurer with the capital it holds.
3. Risk reward management
One of the primary requirements of the model(s) used to evaluate aggregate risk is that they need to be as consistent as possible in their assessments. Only consistent values can be combined to determine an actionable total risk amount. Once the insurer achieves these consistent risk assessments, it can compare different business activities: First regarding which are responsible for the largest parts of its risk profile, and, second, to look at the differences in reward for the risk taken.
With information about risk and reward, this ERM function will inform the capital budgeting process as well as enhance consistency (or at least reduce conscious inconsistencies) in insurance product pricing. It will also help the insurer in considering the tradeoffs among different strategic choices on a risk-adjusted basis. This ERM function provides the upside benefit from ERM to the insurer, helping to enhance the long-term value of the organization.
Insurers may choose to implement one, two or three of these ERM functions in their enterprise risk management programs. One important consideration for insurers is that financial services firms – primarily banks and insurers – tend to have risk profiles where the majority of their risks have been tracked on a highly granular basis for many years and therefore lend themselves to statistical methods, such as insurance, market and credit risks. Those risks frequently make up 75% or more of an insurer’s risk profile.
Insurers are, of course, also exposed to operational and strategic risks that are harder to quantify. Non-financial firms’ risk profiles are more often weighted toward operational and strategic risks. This difference is one of the main drivers of the limited focus of some ERM literature that often may not even mention aggregate risk management nor risk reward management.
Regulatory requirements for insurer ERM usually include aggregate risk management and some rating agencies (Standard & Poor’s – but not A.M. Best) are expecting insurers to have risk reward management as well. We have also noted some regulators (e.g. in the UK) are focusing increasingly on the sustainability of insurers’ business models, which can be shown via risk reward management.
Riskviews 