Insurance companies generally have demonstrated greater resilience than other financial services companies in the wake of the 2008 financial crisis, but achieving a precise understanding of the risks insurers face has become increasingly difficult.
As underwriters, insurance companies are dealing with a riskier world with regard to both natural and man-made catastrophes. As investors, they face volatile economic conditions in a fast-paced and rapidly evolving business environment. Regulators, company directors and investors are demanding a clearer, more timely and more precise accounting of all these risks. And insurers are struggling to meet those demands because of disparate and disconnected systems, data quality issues and operational silos.
Every successful insurer has, by definition, adequately managed risk from an enterprise perspective. However, to continue successfully managing risk, insurers must develop enterprise risk management capabilities commensurate with the pace of business and the demand for the rapid exchange of large amounts of accurate data. Genuine ERM consists of a process and framework that enable an insurer to identify and measure all major risk exposures across the company, methodically develop mitigation strategies, and apply analytic capabilities to produce cogent and succinct reports that managers can apply to daily decision-making, according to Bill Spinard, executive director of Ernst & Young's FSO Insurance Risk practice.
"The objective of an ERM program is to enable an insurance company to take risks more intelligently," Spinard says. "Done correctly, an ERM program aligns a company's risk appetite with its risk-taking initiatives."
Spinard provided Insurance & Technology executive editor Anthony O'Donnell with the following 10 criteria to build an effective insurance ERM framework:
1) Organization and governance: At the board level, establish a clear definition of and transparency around risk roles, responsibilities and strategies, particularly around actuarial, finance and internal audit. A company strategy should state the board's definition of the risk function, desired risk appetite and risk strategy. There also must be an alignment of risk and finance processes, with definitive roles and responsibilities.
2) Integration: In addition to being widely communicated, board-defined risk guidelines should be fully integrated with business planning, capital planning, risk limit setting and performance measurement. This includes risk functions partnering with management in the creation and support of product development, application life-cycle management and investment management, rather than just performing a risk oversight role. Also integrate the risk function with data, IT systems, modeling, and business knowledge and commercial awareness.
3) Increasing efficiencies: With integration and convergence, make sure you remove unnecessary oversight to prevent duplicated control activities. Consistency also needs to be established across different risk teams and the business functions they work with. This includes:
-- Minimizing touch points to the business in control assessments;
-- Establishing faster cycle times in reporting so more time is left for analysis;
-- Focusing on quality and consistency in data used by different business functions, such as the integration of business, risk, finance and capital management through the use of a common system infrastructure.
4) Enhanced risk identification: Implement a forward-looking perspective to identify emerging risks, facilitate a resolution and recovery strategy, embed a holistic view of enterprise-wide risks and understand the interactions among these risks. This includes prioritizing risks that have a higher likelihood of impact, risk velocity and vulnerability to an organization, as well as conducting comprehensive stress and scenario testing.
5) Risk assessment and measurement: Quantitative standards for measuring risk must be established. The results of modeling should be validated by an independent team that understands those standards.