[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

Enterprise-wide risk management

W hile UK insurance companies, the
Lloyd’s market, and branches of non-
EEA/non-Swiss companies focus on the development of their internal capital assessments (ICAs) in time for the new regulatory regime, many are pausing to look at the wider benefits. Those companies that see the new risk-based techniques as a tool to help them run their business better tend to approach the implementation of ICA and associated risk-management processes in a different way from those seeing ICA simply as a new regulatory hurdle.
According to recent consultation papers, the FSA is likely to take a favourable view of companies which incorporate models adequately into their business strategy. This demonstrates good risk management and control practice, and could result in a lower individual capital guidance (ICG) than would otherwise be the case. In general, the expectations of the FSA will be dependent on the scale, nature, and complexity of the business written.
There is a clear need to embed the ICA process into the day-to-day management of the business. We recommend that companies focus on the following key areas:
– management’s ownership and involvement in the ICA process;
– details of the links and integration between the ICA process and the risk management framework (including support for key assumptions); and
– the link to management information, including reports to the board and senior management on key risks to the company.
Companies should also look beyond the regulatory requirements towards the wider benefits of capital management and enterprise risk management (ERM).
Where do companies currently stand?
The PricewaterhouseCoopers study entitled ‘ERM for the Insurance Industry’ showed that more than 80% of respondents agreed the most important goal of ERM is to communicate a portfolio view of risks to senior management. However, only 55% agreed that management information supports risk management objectives, and more than 50% of respondents had made only limited or no progress towards making risk indicators readily available to management. No respondents reported that risk indicators are in place and operating effectively.
Almost all respondents to the survey identified themselves as ‘addressing market conditions with a more sophisticated and holistic approach that seeks to integrate financial and non-financial risk management into a cohesive and comprehensive framework of governance, monitoring and control’. This approach brings asset-liability management, investment, credit, and underwriting risks together with the less quantifiable, though equally hazardous, threats to business objectives, such as operational failure, reputational damage, and breach of compliance with regulatory and corporate guidelines.
Around 50% of respondents viewed the protection of shareholder values as the key benefit of ERM (see figure 1). Interestingly, less than 10% saw the establishment of a common risk language as the main benefit.
While companies have a strong commitment to ERM, most stated that they were struggling to get beyond the design, planning and quantification stages. Most companies affirmed that risk management is ‘a board/CEO priority’, but were far less confident that ERM is ‘fully integrated with strategic business decisions’ (see figure 2). In other words, many companies were struggling to make progress in implementing risk processes and systems that supply decision-makers with the quality of information they need to support achievement of business goals.
Only one of the 44 organisations surveyed claimed to have a proactive approach to ERM. Despite this, most respondents recognised the benefit of implementing an ERM framework, with 61% having a five-year objective of being proactive in this field.
In assessing where companies currently stand, the participants generally rated their organisations quite favourably in risk identification and measurement, especially when compared with their own view of the insurance industry as a whole. However, the self-assessment is not as positive in respect of the key specifics of ERM, such as controls, reporting, risk aggregation, and capital allocation (see figure 3). From this evaluation, it appears many respondents believe they have more work to do in implementing the various aspects of ERM. The majority of the respondents worked for large companies, and it would be fair to say that small to medium companies may have even more work to do.
Overall, there is a clear correlation between a respondent’s self-assessment of the implementation of the key objectives and its success in integrating ERM into the overall strategic direction of the company.

Key highlights from the ERM survey
A number of themes emerging from the survey are of interest to the UK sector. These relate to governance, organisational structure, risk decisions, integration with capital management, and management information. Key results from the survey are highlighted below.
– Governance
– Less than 10% believed the role of ERM is fully understood by senior business managers in relation to ‘strategy’ or ‘mission and objective’.
– Around two-thirds of participants maintained a corporate risk committee.
– Only 26% of companies in the survey had ‘fully developed and implemented procedures for compliance, risk limits monitoring and exceptions approvals’, while 37% of participants had none at all.
– Organisational structure
– Most companies (77%) strongly agreed that ERM is a board priority.
– The ultimate responsibility for risk management usually rests with the CEO, the CFO, or the board of directors collectively.
– Risk decisions
– Rigorous and comprehensive underwriting standards, authority limits and exception monitoring are among the most effective ways currently used to curb downside risk. However, only 39% of companies categorised their controls for authority limits and exception monitoring as ‘quite strong’, and only two companies responded with ‘very strong’.
– Less than 60% judged their capabilities as ‘fully developed and implemented’ for either credit or investment (market) risks.
– Some leading companies were integrating economic capital deployment with both the performance analysis and product development cycles of strategic planning. However, few respondents were entirely comfortable that their key ERM practices were operating effectively.
– Integration with capital management
– Approximately 64% of participants deployed some form of economic capital metrics, although only 10% claim to have developed a ‘robust and dynamic’ model.
– It is encouraging that two-thirds of those respondents who have implemented an economic capital model stated that their economic capital allocation programme has gained some acceptance with the business units.
– The survey confirmed that the development and application of economic capital models can prove problematic.
– Around half of respondents have taken at least three years to bring their economic capital models up to speed. Only a third were now able to use their economic capital models for risk-adjusted performance measurements.
– Management information
– Half of the respondents had made only limited or no progress towards making risk indicators readily available to management.
– Companies are seeking to develop firm-wide controls, information flows and alignment between governance, risk and compliance that will not only meet the needs of regulation, but also build robust compliance and governance into their value creation strategies. However, many companies can simply find themselves overwhelmed by the scale, complexity and, moreover, the cost of implementation.
The development of ERM is set to accelerate as it becomes more closely integrated with strategic management. The most effective way the board and senior management can demonstrate sound corporate governance is to meet or exceed stakeholders’ expectations of performance. Effective ERM can support this by providing a clear view of:
– the amount of risk that will be taken to realise performance targets;
– the risks that have the potential to materially damage performance;
– the methods by which these material exposures are tracked and managed;
– the enterprise-wide structures and processes that will enable risk to be managed in a flexible and cost-effective manner; and
– the potential to increase shareholder value by managing and reporting risk.