Archive for October 2021

Risk Management Framework

October 21, 2021

For an insurer who has just completed the initial stages of ERM development, the risk management framework is a statement of what was decided for each of those steps:

  • Identification of risks
  • Development of risk measures and reports
  • Identifying risk mitigations and setting risk limits
  • Appointing individuals to be responsible for the ownership of the identified risks as part of a defined risk organization structure.

This structure should provide the board with an on-going view of the corporate risk profile.
As the insurer develops its ERM process further into additional ERM practices, the risk management framework is also extended to include statements about the objectives of those practices within the insurer’s program.
An insurer who is preparing for an Own Risk and Solvency Assessment (ORSA) should strongly consider having an additional set of associated policies.


Insurance Risk Policy
This policy sets out the identification, measurement, mitigation and reporting stages associated specifically with insurance risk. It is a statement of the types and amounts of insurance coverage that the insurer will write as well as the methods that the insurer will use to select the specific risks.
Processes should be defined for measuring these risks such as monitoring and reporting aggregate claims experience. Mitigation practices should be set to keep the insurance risk within the boundaries that management has set in the form of appetites, tolerances and limits.
The insurance policy statement will also likely set out the approval and exception authority structure used by the company as well as the notification requirements for breaches of the policy.
This breach process establishes expectations for actions to be taken in the event of significant deviations between actual and expected claims.
The insurance rate setting process will also be described, as well as who has the responsibility of determining initial and final rates.

Investment Risk Policy
The investment risk policy is a fraternal twin to the insurance policy. It defines the approval process for accepting types and amounts of investment risk. It also sets mitigation practices to be used and authorities for approvals and exceptions.
These should all be consistent with the risk appetite, tolerance and limit statements of the insurer.
The investment policy should set forth communications requirements on investment risk exposures and emerging experience in terms of timing and audience for that communication.
Expectations for actions in the event of deviations from the policy and/or from investment losses or under-performance are also set out here.

ALM Policy

An asset/liability management—or ALM—policy is an expectation of regulators, but such a policy is primarily a concern for life insurers whose products are often inherently linked to investment performance.
For non-life insurers, the ALM policy can usually be expressed as a short paragraph in the investment risk policy.
This paragraph should set forth the targets for investment cashflows and should also address tolerance for liquidity risk.

Risk Appetite, Tolerance and Limit Statements
Regulators and rating agencies all expect that insurers will have an articulated statement about their objectives with regard to risk taking. This includes both quantitative restrictions on the aggregate amount of risk that is retained and not fully mitigated and qualitative restrictions on the risks that will be taken.
In most cases, the quantitative risk appetite statement is likely to be qualified by both amount and likelihood.
For example, a company may seek to take risks so as to maintain a maximum net 1-in-10-year underwriting value at risk (VaR) of £10m.
This target defines limits for the gross underwriting risk which can be written at business unit level. It also defines an important input into the reinsurance decision-making process.

Own Risk and Solvency Assessment (ORSA)

In the U.S., insurers that must file an ORSA are asked to include the following elements of an ERM Framework:

• Risk Culture and Governance – Governance structure that clearly defines and articulates roles, responsibilities and accountabilities; and a risk culture that supports accountability in risk-based decision-making.

• Risk Identification and Prioritization – Risk identification and prioritization process that is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels.

• Risk Appetite, Tolerances and Limits – A formal risk appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk appetite statement ensures alignment with risk strategy by the board of directors.

• Risk Management and Controls – Managing risk is an ongoing ERM activity, operating at many levels within the organization.

• Risk Reporting and Communication – Provides key constituents with transparency into the risk-management processes and facilitates active, informal decisions on risk-taking and management.

Risk Management Roles

October 18, 2021

Larger organizations with mature ERM programs tend to have evolved a short list of major risk-management-specific roles, many of which are part-time additions to already full-time positions, while some are full-time risk management only roles.  Smaller organizations tend to need an ERM operation with all part-timers.  We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO role differs from organization to organization, but generally includes some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often, to the Chief Financial Officer.  Alternatively, the CRO role is handled by another senior officer such as the Internal Auditor or, in an insurer, the Chief Underwriting Officer or Chief Actuary. 

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO is the champion for Value Added ERM, playing a major part in its implementation as well as in explaining the idea and the results to stakeholders.  A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation.  The CRO may be responsible for performing analysis of risk-adjusted plan proposals and for acting as a resource to business units developing risk-adjusted proposals.  As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance. 

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework.  There are three main reasons: to provide support and assistance for the CRO; to help keep the ERM process realistic (i.e. the Intelligent ERM described above); and to direct the application of resources for ERM activities that are outside of the risk management department. 

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization.  This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization.  Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises. 

The Risk Committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board.  These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department.  The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO.  The new responsibilities and authorities of the CRO are often completely new activities for an organization, or they may include carving some responsibilities and authorities out of existing positions.  The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions.  The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their senior lieutenants. 

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring risk profile
  • Proposing risk mitigation actions
  • Coordinating the risk control processes
  • Identifying emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision-making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improving the capability and expertise needed to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that risk management is actually taking place as risks are taken, which most often should be the most effective way to manage a risk. 

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management.  That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment Officers are often the owners of Investment risks.  However, risk structuring, in the form of setting the terms and conditions of the insurance contract, is a key risk mitigation effort, and may not be part of the Chief Underwriter role.  On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area.  Other risk mitigations, through reinsurance and hedging, could also be within or outside of these areas.  Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks is collaborative among several company officers.  In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks.  The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments. 

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible to make a periodic Report on the status of their risk and Risk Management to the governing Board.  This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between the compliance role and the advisory role of the risk management department.  Compliance is the natural role of Internal Audit, and giving this role to Internal Audit allows risk management to have more of a consultative and management information role. 

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the role’s scope: should internal audit limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role in reviewing the ERM Framework itself?  To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4].

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board, CRO, and front line management, but not to mention any specific part for the CEO. 

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual.  While his position is an extreme that is not accepted by most CEOs of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea. 

For the CRO and the ERM program to be effective, the organization needs clarity on which aspects of risk management the CEO is directly delegating to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners.  Leading up to the financial crisis of 2008, the authority for some risk decisions was not clearly delegated to either the CRO or the Risk Owners in some banks, and CEOs remained aloof from resolving the issue[5].


[1] Project Management Institute, Executive Engagement: The Role of the Sponsor.

[2] Conference Board of Canada, “A Composite Sketch of a Chief Risk Officer” (2001).

[3] CRO Forum, Sound Risk Culture in the Insurance Industry (2015).

[4] Institute of Internal Auditors, The Three Lines of Defense in Effective Risk Management and Control (2013).

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009).

Risk Measurement & Reporting

October 18, 2021

Peter Drucker is reported to have once said “what gets measured, gets managed.” That truism of modern management applies to risk as well as it does to other, more commonly measured things like sales, profits and expenses.

Regulators take a similar view: what gets measured should get managed. ORSA frameworks aim to support prospective solvency by giving management a clear view of their on-going corporate risk positions.

This in turn should reduce the likelihood of large unanticipated losses if timely action can be taken when a risk limit is breached.

From a regulatory perspective, each identified risk should have at least one measurable metric that is reported upwards, ultimately to the board.

The Need to Measure Up

Many risk management programs build up extensive risk registers but are stymied by this obvious next step – that of measuring the risks that have been identified.

Almost every CEO can cite the company’s latest figures for sales, expenses and profits, but very few know what the company’s risk position might be.

Risks are somewhat more difficult to measure than profits due to the degree to which they depend upon opinions.

Insurance company profits are already seen as opaque by many non-industry observers because profits depend on more than just sales and expenses: profits depend upon claims estimates, which are based on current (and often incomplete) information about those transactions.

Risk, on the other hand, is all about things that might happen in the future: specifically, bad things that might happen in the future.

A risk measure reflects an opinion about the size of the exposure to future losses. All risk measures are opinions; there are no facts about the future. At least not yet.

Rationalizing Risk

There are, however, several ways that risk can be measured to facilitate management in the classical sense that Drucker was thinking of.

That classic idea is the management control cycle, where management sets a plan and then monitors emerging experience in comparison to that plan.

To achieve this objective, risk measures need to be consistent from period to period. They need to increase when the volume of activity increases, but they also need to reflect changes in the riskiness of activities as time passes and as the portfolio of the risk taker changes.

Good risk measures provide a projected outcome; but in some cases, such calculations are not available and risk indicators must be used instead.

Risk indicators measure something that is closely related to the risk and so can be expected to vary similarly to an actual risk measure, if one were available.

For insurers, current state-of-the-art risk measures are based upon computer models of the risk taking activities.

With these models, risk managers can determine a broad range of possible outcomes for a risk taking activity and then define the risk measure as some subset of those outcomes.

Value at Risk

The most common such measure is called value at risk (VaR). If the risk model is run with a random element (usually called a Monte Carlo or stochastic model), a 99% VaR would be the 99th result when 100 outcomes are ranked from best to worst, or the 990th out of 1000.

This value might represent the insurer’s risk capital target.

Contingent Tail Expectation

A similar risk measure is the contingent tail expectation (CTE), which is also called the tail value at risk (TVaR).

The 99% CTE is the average of all the values that are worse than the 99% VaR. You can think of these two values in this manner: if a company holds capital at the 99% VaR level, then the 99% CTE minus the 99% VaR is the average amount of loss to policyholders should the company become insolvent.
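As an added example (not code from the original post), the VaR and CTE definitions above and the 1-in-10-year £10m underwriting VaR appetite from the Risk Appetite section, worked in Python; the ranking convention follows the text, while the loss model, its parameters, the seed and the limit-check helper are constructed for illustration only.

```python
"""Value at risk (VaR) and contingent tail expectation (CTE, also TVaR) from a
run of simulated outcomes, then checked against a risk-appetite limit.
Ranking convention follows the text: 99% VaR is the 99th of 100 ranked results
or the 990th of 1000; the CTE averages everything ranked worse than that."""
import random
from statistics import mean


def _var_rank(n, confidence):
    """Rank (1-based, best to worst) of the VaR outcome for n runs."""
    if n == 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need at least one outcome and 0 < confidence < 1")
    return min(n, max(1, round(confidence * n)))


def value_at_risk(losses, confidence):
    """VaR at the given confidence (e.g. 0.99). Losses are ranked ascending,
    i.e. from best (smallest loss) to worst, and the outcome at the VaR rank
    is returned: rank 99 for 100 runs at 99%, rank 990 for 1000 runs."""
    ranked = sorted(losses)
    return ranked[_var_rank(len(ranked), confidence) - 1]


def contingent_tail_expectation(losses, confidence):
    """CTE / TVaR: the average of every outcome ranked worse than the VaR.
    Edge case: if the VaR is already the worst outcome (tiny runs, confidence
    near 1) there is nothing beyond it and the CTE equals the VaR."""
    ranked = sorted(losses)
    rank = _var_rank(len(ranked), confidence)
    tail = ranked[rank:]                     # outcomes worse than the VaR one
    return mean(tail) if tail else ranked[rank - 1]


def expected_policyholder_shortfall(losses, confidence):
    """If capital is held at the VaR level, CTE minus VaR is the average loss
    falling on policyholders in the scenarios where that capital is exhausted."""
    return (contingent_tail_expectation(losses, confidence)
            - value_at_risk(losses, confidence))


def check_var_limit(losses, return_period_years, limit):
    """Constructed helper: test a run against an appetite of the form
    '1-in-N-year VaR must not exceed limit'. A 1-in-10-year VaR is the
    90% VaR (1 - 1/10). Returns (var, breached) so the caller can raise the
    breach notification that the policy requires."""
    confidence = 1.0 - 1.0 / return_period_years
    var = value_at_risk(losses, confidence)
    return var, var > limit


def simulate_underwriting_losses(runs, seed=2021):
    """Constructed Monte Carlo sample of annual net underwriting loss (in £):
    a claim count from a small portfolio times lognormal claim severity.
    Parameters are illustrative and not calibrated to any insurer."""
    rng = random.Random(seed)
    outcomes = []
    for _ in range(runs):
        claims = sum(1 for _ in range(400) if rng.random() < 0.04)
        outcomes.append(sum(rng.lognormvariate(11.5, 0.9) for _ in range(claims)))
    return outcomes


if __name__ == "__main__":
    sample = simulate_underwriting_losses(1000)
    var99 = value_at_risk(sample, 0.99)
    cte99 = contingent_tail_expectation(sample, 0.99)
    print(f"99% VaR: £{var99:,.0f}")
    print(f"99% CTE: £{cte99:,.0f} (average of the {len(sample) - 990} worst runs)")
    print(f"expected shortfall to policyholders: £{cte99 - var99:,.0f}")
    var10, breached = check_var_limit(sample, 10, 10_000_000)
    print(f"1-in-10-year VaR £{var10:,.0f} vs £10m appetite: "
          f"{'BREACH' if breached else 'within appetite'}")
```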

Rating agencies, and increasingly regulators, require companies to provide results of risk measures from stochastic models of natural catastrophes.

Stochastic models are also used to estimate other risk exposures, including underwriting risk from other lines of insurance coverage and investment risk.

In addition to stochastic models, insurers also model possible losses under single well-defined adverse scenarios. The results are often called stress tests.

Regulators are also increasingly calling for stress tests to provide risk measures that they feel are more easily understood and compared among companies.

Key Risk Indicators

Most other risks, especially strategic and operational risks, are monitored by key risk indicators (KRIs). For these risks, good measures are not available and so we must rely on indicators.

For example, an economic downturn could pose risk to an insurer’s growth strategy. While it may be difficult to measure the likelihood of a downturn or the extent to which it would impair growth, the insurer can use economic forecasts as risk indicators.

Of course, simply measuring risk is insufficient. The results of the measurement must be communicated to people who can and will use the risk information to appropriately steer the future activity of the company.

Risk Dashboard

Simple charts of numbers are sufficient in some cases, but the state-of-the-art approach to presenting risk measurement information is the risk dashboard.

With a risk dashboard, several important charts and graphs are presented on a single page, like the dashboard of a car or airplane, so that the user can see important information and trends at a glance.

The risk dashboard is often accompanied by the charts of numbers, either on later pages of a hard copy or on a click-through basis for on-screen risk dashboards.

Dashboard Example