Insurance companies are, by definition, Risk Management companies. Their fundamental obligation to policyholders as well as share holders is to manage risk. Currently, this competency is focused almost entirely on the policies they write, the way they price the underlying risk, and how promptly and accurately they pay the associated claims. And this focus is well-placed, as managing these risks is essential for company survival.
Unfortunately, being good or even great at managing these types of risks is no longer enough. As recent events have shown, pandemics, supply chain disruptions, credit crunches and other upheavals can threaten the insurance industry with existential risks every bit as quickly and gravely as the traditional ones like poor underwriting or inadequate pricing.
It’s important to ask yourself if you really understand the risk implications of an increasingly remote work force? Its impacts on succession planning and employee turnover? Performance monitoring? Cyber exposure? Fraud exposure? And more importantly, how do these risks interact with each another? Does mitigating one risk simply create additional exposure with other risks? What about other elements of the risk landscape, like the macroeconomic environment, threats to corporate reputation, ESG, Regulatory, or Legal changes? Most importantly, how do you ensure that you continue to make the appropriate risk tradeoffs as these areas—and others—continue to evolve in the new world?
In a world which is only getting riskier, carriers need to invest the time and resources required to strengthen or even build true Enterprise Risk Management (ERM) capabilities. Corporate survival will increasingly require a holistic perspective to identify risks comprehensively, monitor their potential impact or threat to corporate survival, and determine how they might interact with each other under different scenarios.
Unfortunately, most carriers are not yet up to the challenge. Critical information currently resides in functional silos, often locked in individual Excel spreadsheets scattered across multiple departments. ERM will remain elusive until carriers can create coherent, timely, and relevant information that corporate stakeholders, including Senior Management, the Board and Regulators can make informed decisions.
ERM done right provides immense value to an organization. By providing a unified and coherent view of risk to Senior Management and the Board, the company can look at performance in its true form – that of risk-adjusted performance. It’s one thing to “blow the doors off” of quarterly sales performance – but it’s much more reassuring to know you achieved that without a potential “back draft” in the process.
A mature ERM process serves as an “Early Warning System,” providing insights as well as forward- looking views into risks that aren’t acute today, but could become material in the future. A ship’s crew wants to know that there’s an iceberg out there beyond the fog, as opposed to doing a root cause analysis as to why the ship collided with it.
ERM also requires companies to craft Risk Appetite Statements and identify Risk Tolerances, thereby creating alignment up, down and across the organization. When this happens, Senior Management and the Board know how much risk operating units assume, and ensure that they are neither taking on too much risk and putting the company in jeopardy, nor taking so little that they’re leaving money on the table. Finally, a mature ERM process enhances Risk Governance by providing clarity around policies, procedures, and individual responsibilities.
Quite simply, an organization lacks true Enterprise Risk Management maturity unless it has trained Risk Management professionals who have the ear of both Senior Management and operating units. These professionals would know how to evaluate risks in terms of severity, likelihood, time horizon, correlation with other risks, etc.
The company must also nurture a risk culture, which is both enabled by ERM and supports ERM. This culture is invariably a reflection of Senior Management’s actions, communications, and “tone” regarding risk. The rank and file must see Management “walking the walk.” A company with a solid risk culture is also one where everyone in the organization is aligned around the company’s defined risk/reward tradeoffs, understands the company’s desired risk posture, and understands how their day-to-day actions and decisions affect this risk posture. The ERM program must track existing risks and be flexible enough to monitor and prioritize new risks as they emerge. Just think of how relative priorities around Environment, Social, and Governance issues have changed over the past few years.
How Effective is Your ERM Program? Calibrating your Risk Management maturity is essential for identifying gaps, assessing current effectiveness, and prioritizing improvement efforts. But how do you begin?
For one, there are several frameworks that a company can turn to for an assessment, and you can opt for either do-it-yourself approaches or assistance from a third party. For instance, COSO and ISO both have frameworks for Enterprise Risk Management that can be adapted for looking at Risk Maturity. Strategic Risk Associates' (SRA), Risk Maturity Framework has recently been adopted by the Risk Management Association as the “go-to” Risk Maturity Assessment solution for the Banking space, and SRA has created a customized version of this Risk Maturity Assessment for Insurance companies. Learn more here.
Regardless of approach, the key is to get an honest, unvarnished assessment on where you are today, determine gaps that must be addressed, and prioritize those which will yield the “biggest bang for your improvement dollar.”
A Risk Maturity Assessment has numerous benefits for an insurance company. In the initial phases of the process, it requires Senior Management and the Board to get clear on their risk priorities and create meaningful metrics and action plans. The process also provides useful material for discussions with Regulators and/or Ratings Agencies. If these entities point out risks/risk categories that need attention, the Risk Maturity Assessment and the prioritized list of improvement actions can go a long way toward convincing parties that risks are either under control or in process, i.e., no surprises.
Finally, the Risk Maturity Assessment can form the basis of a 2–3-year improvement roadmap. This roadmap “works backwards,” starting with Management’s and the Board’s vision of ideal end-state capabilities and lays out the tools and skills required to get there. This not only enhances the odds of a successful outcome, but also goes a long way toward building a risk culture.
To recap, in our experience working with our clients, a Risk Maturity Assessment is the critical first step on the journey to superior Enterprise Risk Management. This journey takes a company from a backward looking “what happened here and why did we react that way?” to a forward-looking “we’re watching the horizon, and we know exactly how to evaluate, prioritize and manage any icebergs that come our way before they become real threats.”
In other words, “Evolved” ERM.