Archive for August 2021

Guide to ERM: Risk Limits and Controls

August 16, 2021

At the most fundamental level, enterprise risk management can be understood as a control cycle. In an insurance company’s risk control cycle, management needs to first identify the key risks.

Management then decides the risk quantity they are willing to accept and retain. These decisions form the risk limits. It is then imperative to monitor the risk-taking throughout the year and react to actual situations that are revealed by the monitoring.


The Risk Control Cycle

There are seven distinct steps in the typical risk control cycle:

  1. Identify Risks – Choose which risks are the key controllable risks of the company
  2. Assess – Examine what are the elements of the risks that need (or can be) controlled
  3. Plan – Set the expectation for how much risk will be taken as an expected part of the plan and also the limits on how much more would be accepted and retained
  4. Take Risks – Conduct the primary function of an insurance company
  5. Mitigate – Take actions to keep the risks within limits
  6. Monitor – Determine how risk positions compare to limits and report
  7. Respond – Decide what actions to take if risk levels are significantly different from plan

Risk Control Cycle

The Complete Risk Control Process

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following.

  • Identification of risks: The identified risks should be the main exposures which a company faces rather than an exhaustive list of all risks. The risk identification process must involve senior management and should consider the risk inherent in all insurance products underwritten. It must also take a broader view of overall risk. For example, large exposures to different investment instruments or other non-core risks must be considered. It is vital that this risk list is re-visited periodically rather than simply automatically targeting “the usual suspects”.
  • Assess risks: This is both the beginning and the end of the cycle. At the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year. At the end, management needs to assess how effective the control cycle has been. Did the selection process miss any key risks? Were limits set too high or perhaps too low? Were the breach processes effective?
  • Plan risk taking and risk management: Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept and then how much of that risk will be transferred, offset and retained to manage the net risk position in line with defined risk limits.
  • Take risks: Organizations will often start by identifying a list of potential risks to be taken based upon broad guidelines. This list is then narrowed down by selecting only risks which are aligned to overall corporate risk appetite. The final stage is deciding an appropriate price to be paid for accepting each risk (underwriting).
  • Measuring and monitoring of risk: This requires metrics or risk measures which capture the movement of the underlying risk position. These risk positions should be reported regularly and checked against limits and, in some cases, against lower checkpoints. The frequency of these checks should reflect the volatility of the risk and the rate at which the insurer changes its risk positions. Insurers may choose to report regularly at a granular level that supports all decision making and potential breach actions. The primary objective of this step is facilitating upwards reporting of risk through regular risk assessment and dissemination of risk positions and loss experience using a standard set of risk and loss metrics. These reports convey the risk output from the overall ERM framework and should receive the clear attention of persons with significant standing and authority in the organization. This allows for action to be taken, which is the vital Respond stage in the risk control cycle.
  • Risk limits and standards: These should be defined so that they are directly linked to objectives. Terminology varies widely, but many insurers have both hard “limits” that they seek to never exceed and softer “checkpoints” that are sometimes exceeded. Limit approval authority will often be extended to individuals within the organization, with escalating amounts of authority for individuals higher in the organizational hierarchy. Limits ultimately need to be consistent with risk appetites, preferences and tolerances. Additionally, there should be clear risk avoidance processes for risks where the insurer has zero tolerance. These ensure that constant management attention is not needed to assure compliance. A risk audit function is, however, often incorporated within the overall risk organization structure to provide an independent assessment of compliance.
  • Respond: Enforcement of limits and policing of checkpoints, with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. In some cases, the risk environment will have changed significantly from when the limits were set and the limits need to be reassessed. Some risks may be much more profitable than expected and risk limits can be raised, while others have become more expensive and/or riskier and limits need to be lowered.
  • Assess risks: And the cycle starts again.
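The Monitor and Respond steps above describe comparing reported risk positions against a hard limit and a softer checkpoint, and escalating accordingly. The following is an added illustration written for this page, not code from the original post or from any insurer: the risk names, the limit and checkpoint values and the reported positions are constructed, and the headroom measure and the escalation ordering are assumptions of the example. It also treats a limited risk with no reported position as an exception in its own right, because a monitoring gap is itself something the Respond step has to act on.

```python
"""Limit and checkpoint monitoring for a risk control cycle (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    BREACH = "breach"          # hard limit exceeded: documented consequences, escalate upward
    CHECKPOINT = "checkpoint"  # soft checkpoint exceeded: standard resolution process
    UNREPORTED = "unreported"  # a limit exists but no position was reported: monitoring gap
    WITHIN = "within"          # below the checkpoint: no action required


# Worst first, so the report reads top-down in order of urgency
ESCALATION_ORDER = {Status.BREACH: 0, Status.CHECKPOINT: 1, Status.UNREPORTED: 2, Status.WITHIN: 3}


@dataclass(frozen=True)
class RiskLimit:
    risk: str
    checkpoint: float  # softer level, occasionally exceeded
    limit: float       # hard level the insurer seeks never to exceed

    def __post_init__(self) -> None:
        # A checkpoint above its limit would never trigger before the breach does
        if not 0 <= self.checkpoint <= self.limit:
            raise ValueError(f"{self.risk}: checkpoint must lie between 0 and the limit")


def classify(position: float, lim: RiskLimit) -> Status:
    """Place one reported position against its checkpoint and limit."""
    if position > lim.limit:
        return Status.BREACH
    if position > lim.checkpoint:
        return Status.CHECKPOINT
    return Status.WITHIN


def monitor(positions: dict[str, float], limits: dict[str, RiskLimit]) -> list[dict]:
    """Build the upward report: every limited risk, its status and its headroom to the hard limit."""
    report = []
    for name, lim in limits.items():
        pos = positions.get(name)
        if pos is None:
            report.append({"risk": name, "position": None, "status": Status.UNREPORTED, "headroom": None})
            continue
        report.append({
            "risk": name,
            "position": pos,
            "status": classify(pos, lim),
            "headroom": lim.limit - pos,  # negative once the hard limit is breached
        })
    report.sort(key=lambda r: (ESCALATION_ORDER[r["status"]], r["risk"]))
    return report


def needs_response(report: list[dict]) -> list[str]:
    """Names of risks that require a Respond-step action (anything other than 'within')."""
    return [r["risk"] for r in report if r["status"] is not Status.WITHIN]


# Constructed limits: a 1-in-200 catastrophe loss, equity exposure and a single-counterparty
# exposure in currency units of the reporting pack, and a duration gap in years.
LIMITS = {
    "catastrophe_1in200": RiskLimit("catastrophe_1in200", checkpoint=400.0, limit=500.0),
    "equity_exposure": RiskLimit("equity_exposure", checkpoint=150.0, limit=200.0),
    "single_counterparty": RiskLimit("single_counterparty", checkpoint=40.0, limit=50.0),
    "duration_gap_years": RiskLimit("duration_gap_years", checkpoint=1.5, limit=2.0),
}

# Constructed positions for one reporting date; the duration gap was not reported this period
POSITIONS = {
    "catastrophe_1in200": 520.0,
    "equity_exposure": 160.0,
    "single_counterparty": 30.0,
}


if __name__ == "__main__":
    for row in monitor(POSITIONS, LIMITS):
        print(f"{row['risk']:<22} {row['status'].value:<11} position={row['position']} headroom={row['headroom']}")
```

Running the block prints the catastrophe breach first, then the equity checkpoint, then the unreported duration gap, and finally the counterparty exposure that is within its checkpoint. The frequency with which such a report is produced should, as the text says, follow the volatility of each risk rather than a single calendar convention.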

The control cycle, and especially the risk appetite, tolerance and limit setting process can be the basis for a healthy discussion between management and the board.

Gaining the Greatest Benefit from the Risk Control Cycle

Ultimately, to get the most risk management benefit out of a risk control cycle, management must set limits at a level that matters and that is tied to good measures of risk. These limits must be understood throughout the company, and risk positions should be frequently and publicly reviewed so that any breaches can be identified.

But in addition to a policing function, the control cycle needs to include a learning element. With each pass through the cycle, management should gain some insight into the characteristics of their potential risks and associated mitigation alternatives, as well as the reactions of both to changes in the risk environment.

Guide to ERM: Risk Identification

August 14, 2021

Risk Identification is widely acknowledged as the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, it is seeded and fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded and fertilized and weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!


Risk Identification Process Adds Value

Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.

This is an iterative process that refines management's understanding of the exposures that it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk.

For the risk identification process to be effective it is essential that senior management is directly involved from the outset. Regulators may give little credibility to an ORSA report if this ownership of ERM isn't in place.

A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.

This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.

By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.

Risk Control Cycle

Step 1: Identify All Significant Risks

Risks must be identified in order to:

  • Ensure that the full range of significant risks is encompassed within the risk management process
  • Develop processes to measure exposure to those risks
  • Begin to develop a common language for risk management within the company

Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:

  • Relevance to the insurer’s activities
  • Impact on the insurer's financial condition
  • Ability to manage separately from other risks

The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.

The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the lists once separated into categories. Most risks can be classified into one of several categories.

For example:

  • Underwriting Risk
  • Market Risk
  • Operational Risk
  • Credit/Default Risk

Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.

The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.

Step 2: Understand Each Risk Exposure

It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.

In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.

Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.

The final step in understanding the risks is to study recent events related to risks, including loss events, successful risk control or mitigation, and near misses both in the wider world and inside the company. Such events should be studied and lessons can be learned and shared.

Step 3: Evaluate

The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:

  • Estimating the frequency of loss events, e.g., low, medium, and high
  • Estimating the potential severity of loss events, e.g., low, medium, and high
  • Considering offsetting factors to limit the frequency or severity of losses, and understanding potential control processes

Some insurers also include an additional aspect of the risks, velocity, which is defined as the rate at which the risk can develop into a major loss situation.

Step 4: Prioritize

The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.

The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk with the worst combination of frequency, severity, and velocity scores.

From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.

This need not be a complex or time consuming task. Often a simple heat map approach provides an effective way for management to identify their highest priority risks.

The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.
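Steps 3 and 4 above combine low/medium/high assessments of frequency, severity and velocity into a single score, rank the risks, and then cut the ranked list down to a key risk list for senior management and a shorter list for the board, while keeping the residual risks for attention elsewhere. The block below is an added worked example written for this page, not the post's own method or any insurer's scoring model: the three-point scale, the multiplicative combination with velocity as an accelerator, the heat map colour thresholds and the tie-breaking rule are all assumptions of the example, and the risk list is constructed. The selection sizes are parameters so the same code serves the 10 to 15 and 4 to 6 cut-offs mentioned in the text.

```python
"""Risk prioritisation from frequency, severity and velocity scores (constructed example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed three-point scale shared by all three assessments
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    category: str       # Underwriting, Market, Operational, Credit/Default, ...
    frequency: str
    severity: str
    velocity: str = "medium"  # insurers that do not score velocity leave it at the middle value

    def __post_init__(self) -> None:
        for field in (self.frequency, self.severity, self.velocity):
            if field not in SCALE:
                raise ValueError(f"{self.name}: assessment must be one of {sorted(SCALE)}, got {field!r}")


def combined_score(a: RiskAssessment) -> int:
    """Single factor from the three assessments (assumed weighting: frequency x severity x velocity)."""
    return SCALE[a.frequency] * SCALE[a.severity] * SCALE[a.velocity]


def heat_map_cell(a: RiskAssessment) -> str:
    """Colour of the frequency/severity cell on a 3x3 heat map (assumed thresholds)."""
    product = SCALE[a.frequency] * SCALE[a.severity]
    if product >= 6:
        return "red"
    if product >= 3:
        return "amber"
    return "green"


def heat_map(risks: list[RiskAssessment]) -> dict[tuple[str, str], list[str]]:
    """Group risk names by (frequency, severity) cell so management can read the map by row."""
    cells: dict[tuple[str, str], list[str]] = defaultdict(list)
    for a in risks:
        cells[(a.frequency, a.severity)].append(a.name)
    return dict(cells)


def rank(risks: list[RiskAssessment]) -> list[RiskAssessment]:
    """Worst combination first; ties broken by severity, then velocity, then name."""
    return sorted(
        risks,
        key=lambda a: (-combined_score(a), -SCALE[a.severity], -SCALE[a.velocity], a.name),
    )


def select(risks: list[RiskAssessment], key_list_size: int, board_size: int):
    """Split the ranked list into the key list, the board list and the residual risks."""
    if board_size > key_list_size:
        raise ValueError("board list must be a subset of the key list")
    ranked = rank(risks)
    key_list = ranked[:key_list_size]
    return key_list, key_list[:board_size], ranked[key_list_size:]


# Constructed assessments for a small property/casualty insurer
RISKS = [
    RiskAssessment("Hurricane catastrophe losses", "Underwriting", "medium", "high", "high"),
    RiskAssessment("Equity market crash", "Market", "low", "high", "high"),
    RiskAssessment("Reinsurer default", "Credit/Default", "low", "high", "medium"),
    RiskAssessment("Reserve deterioration on long-tail lines", "Underwriting", "medium", "high", "low"),
    RiskAssessment("Cyber attack on policy administration system", "Operational", "medium", "medium", "high"),
    RiskAssessment("Key person loss", "Operational", "medium", "low", "low"),
    RiskAssessment("Interest rate spike", "Market", "medium", "medium", "medium"),
    RiskAssessment("Mispricing of a new product", "Underwriting", "high", "medium", "low"),
]


if __name__ == "__main__":
    key_list, board_list, residual = select(RISKS, key_list_size=4, board_size=2)
    for a in rank(RISKS):
        print(f"{combined_score(a):>2} {heat_map_cell(a):<5} {a.category:<15} {a.name}")
    print("board:", [a.name for a in board_list])
    print("addressed at another level:", [a.name for a in residual])
```

With the constructed list, the hurricane exposure ranks first because it is the only risk scoring high on both severity and velocity with more than low frequency; the three risks that tie on the combined score are separated by severity and then velocity, which keeps the two high-severity exposures ahead of the frequent but moderate mispricing risk. The residual list is returned rather than discarded, matching the point that the remaining risks are addressed at another level within the insurer.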

Regulatory Emphasis

Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.

Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.

ORSA Guidance Manual

This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.

That document provides a definition for risk identification and prioritization:

[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels

For the EU, the Solvency II ORSA requires that solo undertakings provide:

[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.

In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.

Insurance Core Principles (ICP)

The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.

Perhaps the most attractive feature of the risk identification process is its low cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.

It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.

The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.
