How Strong is Your Insurance Company’s Risk Management Capability, Really?

June 4, 2023

“Grade your own paper” before the Regulators do it for you with an Enterprise Risk Management Maturity Assessment

Why an Enterprise Risk Management Maturity Assessment is Critical

Insurance companies can easily become complacent or narrow-minded when it comes to their ERM capabilities. They may adopt a "nothing bad has happened yet" approach to risk management or focus only on areas of obvious strength and familiarity. This can lead to the belief that their organization excels in ERM or lacks any significant weaknesses, which may actually be true. However, it is far more beneficial to have concrete knowledge rather than assumptions. It is important to identify areas that require attention and determine the extent of that attention needed.

The most effective way to gain this knowledge is by conducting a structured review using an Enterprise Risk Management Maturity Framework that encompasses the key Pillars of Risk Management Maturity. Below we share some best practices for insurance companies trying to mature their risk management program and why it's sometimes better to “Grade your own paper” before the Regulators do it for you.

1) Understanding Your Risk Culture

A big part of gauging a company’s current level of risk maturity is understanding its Risk Culture. This cuts across numerous risk management capability areas or “Pillars.” The Risk Culture is invariably a reflection of Senior Management’s actions, communications, and “tone” regarding risk. It’s all about values, and the rank and file must see Management “walking the walk.”

Quite simply, an organization lacks true Enterprise Risk Management maturity unless it has trained Risk Management professionals who have the ear of both Senior Management and the operating units. These professionals would know how to evaluate risks in terms of severity, likelihood, time horizon, correlation with other risks, etc. A company with a solid risk culture is also one where everyone in the organization is aligned around the company’s defined risk/reward tradeoffs, understands the company’s desired risk posture, and understands how its day-to-day actions and decisions affect this risk posture.

2) Leveraging Frameworks to Assess Risk Management Capabilities

Calibrating your Risk Management Maturity is essential for identifying gaps, assessing current effectiveness, and prioritizing improvement efforts. But where do you begin?

For one, there are several frameworks that a company can turn to for an assessment, and you can opt for either do-it-yourself approaches or assistance from a third party. For instance, COSO and ISO both have frameworks for Enterprise Risk Management that can be adapted for looking at Risk Maturity. But adapting these frameworks for ERM Maturity Assessments in the financial services space takes some doing – how do you know if your first attempt will stand the test of time, i.e., what’s the maturity of your Maturity Assessment?

Strategic Risk Associates (SRA) has already done the heavy lifting and developed a configurable Insurance Risk Maturity Framework that has been tried and tested multiple times across numerous organizations. Moreover, it’s compatible with the COSO and other recognized ERM Frameworks. Regardless of approach, the key is to get an honest, unvarnished assessment on where you are today, determine gaps that you must address, and prioritize those which will yield the “biggest bang for your improvement dollar.”

3) What Can a Risk Maturity Assessment or Risk Management “Pre-Test” Do for Your Company?

A Risk Maturity Assessment has numerous benefits for an insurance company. In the initial phases of the process, it requires both Senior Management and the Board to clarify their risk priorities and create meaningful metrics and action plans. The process also provides useful material for discussions with Regulators and/or Ratings Agencies. If these entities point out risks or risk categories that need attention, the Risk Maturity Assessment and the prioritized list of improvement actions can go a long way toward convincing the relevant parties that risks are either under control or that mitigation is in process, i.e., no surprises.

Finally, the Risk Maturity Assessment can form the basis of a 2–3-year improvement roadmap. This roadmap “begins with the end in mind” starting with Management’s and the Board’s vision of ideal end-state capabilities and lays out the tools and skills required to get there. This not only enhances the odds of a successful outcome, but also goes a long way toward building a risk culture.

To recap, in our experience working with clients, a Risk Maturity Assessment is a critical first step on the journey to superior Enterprise Risk Management. This journey takes a company from a backward-looking “what happened here and why didn’t we have the insight or time to act more effectively?” to a forward-looking “we’re watching things way before they become real threats.” In other words, “ERM, Evolved.”

RMA Risk Maturity Framework

Powered by SRA Watchtower

Take the self-assessment today to measure your institution’s risk maturity.