Principles of ERM for Insurance Organizations
RISKVIEWS has published this list before. You will notice that it is different from many other lists of the parts of ERM. That is because we do not presume that there is some sort of risk management process already in place that “automatically” takes care of several of these things. Many writers implicitly make that assumption so that they can focus solely upon the new, more exciting things, especially number 6 on the list below. But in fact, ERM must include all seven of these things to actually work to manage risk as most managers expect.
- DIVERSIFICATION: Risks must be diversified. There is no risk management if a firm is just taking one big bet.
- UNDERWRITING: There must be a process for risk acceptance that includes an assessment of risk quality. Firms need to be sure of the quality of the risks that they take. This implies that multiple ways of evaluating risks are needed to maintain quality, or to be aware of changes in quality. There is no single source of information about quality that is adequate.
- CONTROL CYCLE: There must be a control cycle to manage the amount of risk taken. This implies measurements, appetites, limits, treatment actions, reporting, and feedback.
- CONSIDERATION: There must be a process for assuring that the consideration received for accepting risk is adequate. For risks that are not traded, such as operational risks, the benefit of the risk needs to exceed the cost in terms of potential losses.
- PROVISIONING: There must be appropriate provisions held for retained risks, in terms of set asides (reserves) for expected losses and capital for excess losses.
- PORTFOLIO: There must be an awareness of the interdependencies within the portfolio of risks that are retained by the insurer. This would include awareness of both risk concentrations and diversification effects. An insurer can use this information to take advantage of the opportunities that are often associated with its risks through a risk reward management process.
- FUTURE RISKS: There must be a process for identifying and preparing for potential future emerging risks. This would include identification of risks that are not included in the processes above, assessment of the potential losses, development of leading indicators of emergence and contingent preparation of mitigation actions.
The Law of Risk and Light applies to these aspects of risk management just as it applies to aspects of risk. The risk management that you do is in the light; the risk management that you skip is in the dark. When parts of a full risk management program are in the dark, the risk that those parts of the risk management process would have protected you from will accumulate in your organization.
Future posts will explain these elements and focus on why ALL of these principles are essential.