Cobus Fourie and James Latto examine risk appetite frameworks as part of the regulatory push for improved risk management standards
Given some of the recent high-profile corporate failures and losses in the financial sector, stakeholders (including investors, rating agencies and customers) are keen to understand firms' approaches to balancing return objectives with their risk exposure. The result is an increasing trend of disclosure of risk appetite approaches and statements by insurers. However, the common challenges remain:
Linking high level statements to day-to-day risk management; and
Embedding risk appetite at all levels of decision making within the organisation.
There is certainly no one-size-fits-all solution for risk appetite, but this article highlights some of the areas firms should consider when designing or evolving their risk appetite approach.
A common definition of risk appetite is an articulation of the level of risk the enterprise is willing and able to accept in pursuit of its strategic objectives. However, insurers need to consider what their specific objectives for utilising risk appetite are and regularly review their progress against these. The common goals with risk appetite are around:
Clarifying and explaining to internal and external stakeholders a firm's appetite for risk in the pursuit of growth and how it is managed
Developing more consistent risk-based decision making, to support the strategy
Complying with regulatory principles
Improving business agility and enhancing risk-taking to achieve returns, through clear and timely understanding of appetite across the business
Improving risk monitoring and prioritising management actions and resourcing (human and capital)
Achieving these goals is no short-term project and requires an iterative process, involving many roles within the organisation. Success also depends on tone set from the top and the maturity of the wider Enterprise Risk Management (ERM) system. For example, optimising the value from an embedded risk appetite framework requires an agile and multi-level management information system, allowing for timely reporting on multiple triggers and key risk indicators.
Where these ERM components are not mature enough, it may impair the implementation and embedding of risk appetite, and may result in the business monitoring risk appetite purely for the sake of compliance.
Articulating risk appetite
Many insurers have an inherent set of risk preferences and tolerances, covered in their risk policies, delegated authorities and the experience of their leadership (specifically of their Board, actuarial, finance and risk management teams). However, these are not always aligned or consistent and can sometimes be missed, suppressed or bypassed in decision-making. The first step in designing a value-creating risk appetite framework is agreement on and documentation of the existing enterprise-wide risk strategy or preferences of the firm. This should include discussions with the Board (who should play an important role in the development of the risk appetite) and senior management (which may result in challenges on risk and reward for some of the business lines). This step can be challenging but ultimately is essential to provide a robust basis for the risk appetite.
The next step is the articulation of qualitative statements, as well as quantitative metrics to define targets and tolerances. Given the ongoing regulatory developments to insurers' solvency, many find the articulation of qualitative and quantitative high-level appetites around solvency and earnings relatively easy. However, operational and reputational risk are examples of categories that do not lend themselves so readily to appetite quantification, even though these risks are experienced throughout the enterprise, with many significant reported losses often directly related to operational risk.
While companies should not shy away from stating qualitative principles (for example "a zero appetite for fraud"), the challenge is to ensure that they are used consistently across the business, that there isn't ambiguity or creep in the definitions and that they drive the right behaviour in the business (which having an absolute zero appetite for fraud may not do). While these qualitative principles could support the risk culture within an enterprise, more advanced companies have progressed to quantify key risk indicators (KRIs) and monitor limits around appetite metrics for all risk sub-categories. These metrics not only provide measurable assurance to senior management on the adherence to the appetite, but also support challenge and decision-making (for example the allocation of resources to balance risk exposure and the level of controls required).
Risk appetite embedding
While managing risk is part of business-as-usual for insurers, and while their actuarial and financial teams typically do take capital and earnings requirements into account in many of their regular activities, a number of insurers are struggling to embed their wider risk appetite at levels sufficiently granular to influence decisions. Even where some have developed comprehensive statements and high-level triggers for metrics, if these are poorly understood and managed across the business, it provides limited value. In some parts this is related to insufficient embedding of the wider ERM framework itself - for example, taking a silo approach to financial and operational risk or fragmented MI and reporting systems.
A common complaint is that lower layers of the enterprise feel disconnected from the risk appetite and find it difficult to understand and manage to some appetite metrics. This is especially relevant for metrics calculated in centralized functions without sufficient dissemination and cascading to allow business units to understand the impact of their decisions on the drivers of these metrics. Examples are liquidity (where typically a centralised Treasury function monitors the metrics) or capital requirements (managed in a specialist area, with little segmentation into the different drivers per business unit, product or risk type). More advanced approaches enable all levels of management to understand the impact of proposed decisions on the risk appetite metrics pro-actively, resulting in continuous and enterprise-wide efforts to optimize the risk / reward continuum of the enterprise.
The setting of granular, quantifiable metrics and indicators, clear triggers and tolerance bands, within a cascading framework, with documented ownership and escalation approaches, is not an easy process. Neither is it a process that can be implemented and driven by the risk management function alone - successful implementation and evolution requires top-down buy-in, from all functions within the enterprise. In particular it requires effective linkage between the capital management team (traditionally entrenched in the actuarial function), the risk management team (traditionally positioned and staffed to focus on operational risk) and the finance team (traditionally driving the MI).
This linking of enterprise-wide risk appetite statements with granular tolerance can be done top-down (i.e. Senior Management define the scope and levels of limits) or bottom-up (analysis of the lower-level decision making parameters are aggregated and translated into enterprise-wide tolerances). Successful companies combine the two approaches, by including existing thresholds and limits in investment mandates, product development processes, financial controls and process and system controls, within the setting of enterprise-wide limits and tolerances.
The embedding should also include well-defined management actions to manage potential or actual limit breaches. The challenge is the extent to which these actions are mandated pro-actively. Many firms are reluctant to define mandatory actions for appetite breaches, given the need to analyse the cause of the breach as well as the enterprise-wide impact. However, recent crises have indicated not only the need to identify and assess emerging risks, but also the need for agility and speed in the escalation and decision process.
The rewards of an embedded, granular risk appetite system are consistent, prioritised measurement and reporting throughout the firm up to senior management and the Board, healthy fact-based debate on risk profiles and the articulation and monitoring of management actions to protect the balance sheet. It will enhance the value of ERM for the firm and will provide assurance to stakeholders beyond the management and Board. However, this is not a silver bullet for the prevention of surprises or disaster striking the business - its effectiveness will rely on the maturity of the complete ERM framework of the insurer.
Cobus Fourie is a principal advisor in KPMG's Insurance Risk team and James Latto is a principal advisor in KPMG's Life Actuarial team.