Guide to ERM: Risk Identification

Risk Identification is widely acknowledged as the very first step in forming a new ERM program. What is not so widely known is that the risk identification process needs to be repeated and refreshed to keep ERM alive. In this regard, ERM is like a lawn. Initially, the ground is prepared, seeded, fertilized and watered until a bed of green grass emerges. But the lawn will eventually deteriorate if it is not reseeded, fertilized, weeded and watered regularly. Repeating the risk identification process is one of the key steps to keeping the ERM program alive and green!


Risk Identification Process Adds Value

Companies considering the risk identification process should be aware that it is not a solution in itself and can only add value if the results are used as the first step in a risk control cycle.

This is an iterative process that refines management's understanding of the exposures it is managing, and measures the effectiveness of the mitigation strategies employed in controlling risk.

For the risk identification process to be effective, it is essential that senior management is directly involved from the outset. Regulators may give little credibility to an ORSA report if this ownership of ERM is not in place.

A brainstorming session involving the leaders of all risk taking functions across the business provides an effective starting point in compiling a list of significant risks.

This often results in a list containing 30 or more risks; if the process involves a broad range of people at many levels in the organization, it is not uncommon to have a list of 100 to 150 risks.

By considering each risk individually and quantifying its potential impact on the business, management can work towards a shorter list of high priority risks which should be the starting point of the risk control cycle.

Risk Control Cycle

Step 1: Identify All Significant Risks

Risks must be identified in order to:

  • Ensure that the full range of significant risks is encompassed within the risk management process
  • Develop processes to measure exposure to those risks
  • Begin to develop a common language for risk management within the company

Some companies prefer to start with a comprehensive but generic list of risks. The company should then aim to select its own list by considering the following criteria:

  • Relevance to the insurer’s activities
  • Impact on the insurer's financial condition
  • Ability to manage separately from other risks

The risk output from the ERM program may be used in strategic capital allocation decisions within the on-going business planning process.

The final “risk list” should be checked for completeness and consistency with this intended use. A final check can be done by looking at the list once it has been separated into categories. Most risks can be classified into one of several categories.

For example:

  • Underwriting Risk
  • Market Risk
  • Operational Risk
  • Credit/Default Risk

Management can review the range of risks that appear in each category to make sure that they are satisfied with the degree to which they have addressed key exposures within each major category.

The remaining steps in the risk identification process are then used to narrow down this initial risk list to a set of high priority risks that can be the focus of ERM discussions among and with senior management and ultimately with the board.

Step 2: Understand Each Risk Exposure

It is necessary to develop a broad understanding of each of the risks selected from Step 1; this includes determining whether the risk is driven by internal or external events.

In some situations, it may prove helpful to actually plot the exact sequence of events leading to a loss situation. This could result in the identification of intermediate intervention points where losses can be prevented or limited.

Existing risk measurement and control processes should be documented, and if the loss sequence has been plotted, the location of each control process in the sequence can be identified.

The final step in understanding the risks is to study recent events related to them, including loss events, successful risk control or mitigation, and near misses, both in the wider world and inside the company. Such events should be studied so that lessons can be learned and shared.

Step 3: Evaluate

The next step in the risk identification process is to evaluate the potential impact of each risk. This involves:

  • Estimating the frequency of loss events, e.g., low, medium, and high
  • Estimating the potential severity of loss events, e.g., low, medium, and high
  • Considering offsetting factors that limit the frequency or severity of losses, and understanding potential control processes

Some insurers also include an additional aspect of each risk, velocity, which is defined as the rate at which the risk can develop into a major loss situation.

Step 4: Prioritize

The evaluations of risk frequency, severity, and velocity from Step 3 are then combined into a single factor and the risks ranked.

The risks are ranked according to a combined score incorporating all three assessments. The ranking starts with the risk having the worst combination of frequency, severity, and velocity scores.

From this ranked list of risks, 10 to 15 risks are chosen to be the key risk list that will be the focus of senior management discussions. From that list, ultimately 4 – 6 risks are chosen to feature with the board.

This need not be a complex or time-consuming task. Often a simple heat map approach, plotting each risk by its frequency and severity ratings, provides an effective way for management to identify their highest priority risks.

The rest of the risks should not be ignored. Those risks may ultimately be addressed at another level within the insurer.
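As an added illustration of Steps 3 and 4 (this is example code, not part of the original post, and the post does not prescribe a combination rule), the script below scores a constructed risk register on the post's low/medium/high scales for frequency, severity and velocity, combines the three ratings into a single factor, ranks the risks, builds the frequency-by-severity heat map, and cuts the ranked list down to a key risk list and a shorter board list. The combination rule used here (the product of the three ordinal ratings, giving a score from 1 to 27) and the sample risk names are assumptions chosen for the example.

```python
"""Rank a risk register by combined frequency / severity / velocity score.

Added example; the register below is constructed for illustration and the
product-based combination rule is an assumption, not the post's method.
"""

# Ordinal scale for the low/medium/high ratings described in Step 3.
SCALE = {"low": 1, "medium": 2, "high": 3}
DIMENSIONS = ("frequency", "severity", "velocity")

# Constructed sample register (hypothetical risk names and ratings).
SAMPLE_RISKS = [
    {"name": "Catastrophe losses",    "frequency": "low",    "severity": "high",   "velocity": "high"},
    {"name": "Reserve deterioration", "frequency": "medium", "severity": "high",   "velocity": "low"},
    {"name": "Equity market decline", "frequency": "medium", "severity": "medium", "velocity": "high"},
    {"name": "Reinsurer default",     "frequency": "low",    "severity": "high",   "velocity": "medium"},
    {"name": "Cyber incident",        "frequency": "high",   "severity": "medium", "velocity": "high"},
    {"name": "Key person loss",       "frequency": "medium", "severity": "low",    "velocity": "medium"},
    {"name": "Regulatory change",     "frequency": "medium", "severity": "medium", "velocity": "low"},
    {"name": "Pricing inadequacy",    "frequency": "high",   "severity": "medium", "velocity": "low"},
    {"name": "Interest rate shock",   "frequency": "medium", "severity": "high",   "velocity": "high"},
    {"name": "Data quality errors",   "frequency": "high",   "severity": "low",    "velocity": "low"},
]


def combined_score(risk):
    """Combine the three ratings into one factor (assumed rule: product, 1..27).

    Raises ValueError for a rating outside the low/medium/high scale so that a
    mistyped entry in the register is caught rather than silently ranked.
    """
    score = 1
    for dim in DIMENSIONS:
        rating = risk[dim]
        if rating not in SCALE:
            raise ValueError(f"{risk['name']}: unknown {dim} rating {rating!r}")
        score *= SCALE[rating]
    return score


def rank_risks(risks):
    """Return the register ordered worst-first; ties broken by name for stability."""
    return sorted(risks, key=lambda r: (-combined_score(r), r["name"]))


def heat_map(risks):
    """Group risks into (frequency, severity) cells, worst-scored first within a cell.

    Every cell of the 3x3 grid is present (possibly empty) so the map can be
    printed as a complete table.
    """
    cells = {(f, s): [] for f in SCALE for s in SCALE}
    for risk in rank_risks(risks):
        cells[(risk["frequency"], risk["severity"])].append(risk["name"])
    return cells


def select_key_risks(risks, key_count=10, board_count=4):
    """Cut the ranked list to the post's key list (10-15) and board list (4-6)."""
    ranked = [r["name"] for r in rank_risks(risks)]
    return ranked[:key_count], ranked[:board_count]


if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_RISKS):
        print(f"{combined_score(risk):2d}  {risk['name']}")
    print()
    grid = heat_map(SAMPLE_RISKS)
    for freq in ("high", "medium", "low"):   # rows: frequency, worst at top
        row = [", ".join(grid[(freq, sev)]) or "-" for sev in ("low", "medium", "high")]
        print(f"freq={freq:6s} | " + " | ".join(row))
    key, board = select_key_risks(SAMPLE_RISKS, key_count=5, board_count=2)
    print("\nkey list:", key)
    print("board list:", board)
```

Running the script prints the ranked register, the heat map with frequency as rows and severity as columns, and the two short lists. Because the ratings are ordinal, the product rule treats a high/high/high risk (27) as far worse than a high/high/low one (9); a sum rule would compress that gap, so the choice of rule is itself something management should agree on before ranking.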

Regulatory Emphasis

Regulators have developed Own Risk and Solvency Assessment (ORSA) regimes which require re/insurers to demonstrate their use of appropriate enterprise risk management (ERM) practices to support their ability to meet prospective solvency requirements over the business planning period.

Regulators are providing only high-level guidelines and will expect companies to decide what “appropriate” means for them. There are a number of common threads linking the ORSA guidelines; one of these is the fundamental importance of risk identification.

ORSA Guidance Manual

This ORSA process is being applied in all parts of the globe. In the U.S., the National Association of Insurance Commissioners (NAIC) ORSA Guidance Manual names risk identification as one of the five key aspects of the insurer’s ERM program that should be described in the ORSA report.

That document provides a definition for risk identification and prioritization:

[a] process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels

For the EU, the Solvency II ORSA requires that solo undertakings provide:

[a] qualitative description of risks [and] should subject the identified risks to a sufficiently wide range of stress test / scenario analyses to provide an adequate basis for the assessment of overall solvency needs.

In the case of groups, the ORSA should adequately identify, measure, monitor, manage and report all group specific risks.

Insurance Core Principles (ICP)

The risk identification process is key to all insurers, not just those required to prepare an ORSA. This wider relevance is underlined by the Financial Stability Board’s endorsement of the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs); ICP 16 highlights the importance of ERM as a process of identifying, assessing, measuring, monitoring, controlling and mitigating risks.

Perhaps the most attractive feature of the risk identification process is that it is a low-cost, high-impact introduction to risk management that builds upon the existing infrastructure and risk knowledge in the company.

It does not require a large commitment to capital expenditures and, if done appropriately, will provide a valuable first step in rolling out risk management across the company.

The ICPs are guidance for the insurance regulators in all jurisdictions. The ORSA, or an equivalent process with an equally odd name, may well be eventually adopted in all countries.
