ERM: a measured approach
In a year that’s been dominated by talk of Solvency II, soft market conditions and the impact of 2011’s unexpected losses, the issue of enterprise risk management (ERM) has become increasingly important. For re/insurers, a good ERM strategy can mean the difference between an A and an A+ rating, and changing regulatory requirements and the release of more sophisticated measuring tools mean that companies’ approach to identifying and mitigating risk will be placed under increasing scrutiny by ratings agencies in the years to come.
We spoke to Tom Mount, vice president, and Greg Reisner, managing senior ﬁ nancial analyst, at AM Best about how ERM strategies are measured, and how inﬂ uential they are on a company’s overall rating.
What particular risks are emerging as the most worrying for re/insurers?
Mount: For property catastrophe writers in the US, it’s been the frequency of natural catastrophes such as tornadoes and wildﬁ res. For those involved in medical professional liability, it’s the introduction of affordable healthcare plans and the Patient Protection and Affordable Care Act, and for life, and even property and casualty insurers, low interest rates are a big concern, as well as the regulatory risk worldwide. It really differs based on the company, where they’re domiciled and what risks they are writing.
How has this developed since 2008?
Mount: The ﬁnancial crisis certainly alerted a lot of companies to how much more investment risk is out there than they initially thought—it’s a slow economy worldwide, and there’s a lot of sovereign risk and correlations that companies have had to pay much more attention to recently. Further changes in the healthcare and regulatory environments since 2008 have also been the main factors driving changes in ERM strategies.
How are risks rated and understood at AM Best?
Reisner: We don’t assign a public or speciﬁ c ERM rating, but we do look at it carefully and it’s embedded in the overall rating we assign to companies.
Mount: There are what we consider the traditional risk categories— investment, operation, pricing, reserve, strategic and credit risk—and in the past, a lot of companies managed those risks as individual silos with their own risk management teams. ERM is a risk category that asks: ‘who’s at the top of this organisation looking at all these different silos from an enterprise point of view, and how are they correlated?’. If interest rates move, for example, then it’s not just interest rate risk on investments that’s affected, but reserve risk and pricing risk.
We also dig deeper, looking at the risk proﬁ le of a company and consider what lines of business they’re writing, policy limits, the competitive, economic and regulatory environments, the liquidity of investments and ﬁ nancial ﬂ exibility. We want to know what kind of reinsurance programme a company has and we also look at its management philosophy—whether a company is aggressive or conservative. We then acknowledge whether a company is high, low or moderate risk, and we look to see if its risk management is appropriate.
What speciﬁc risk management practices are you looking for in a successful ERM strategy?
Reisner: The basics are that a company has to clearly identify, measure, monitor and manage or mitigate its risks. How they go about doing that is down to their risk management structure, and that’s what we talk to them about. Companies have different risk proﬁ les depending on the risk categories outlined, but from our perspective, we like to try to understand a company’s process—for example, what its key risks and tolerances are, what tools or models it employs, how the company categorises its different areas of risk, what the risk governance framework is and who the individuals responsible for overseeing risk are.
In addition, we want to know how a company ensures that its business strategies and incentive programmes are in alignment with its risk appetite and tolerances, and if those decisions are based upon risk-adjusted returns.
How do you weigh the signiﬁcance of each element?
Mount: We don’t put different weights on different elements, as they’re all important, but certainly if there’s a key area where a company is weak, then it could have an impact on its rating.
Reisner: It also depends on the risk proﬁ le of the organisation, as this affects how we view its risk.
Mount: If you have a property writer that’s exposed to a lot of hurricanes, for example, and it’s in a tough regulatory environment where it can’t get the appropriate rate for that risk, then that’s a high risk proﬁle type of company. It may be good at investment and credit risk management, but if it does a poor job of managing its concentrations or writes too much along the coast, then even though it’s good in some areas of risk management, the fact that it’s weaker when it comes to managing exposures could have a negative impact on its rating.
How important is stress testing to understanding risk exposures?
Mount: We like to see companies do their own stress testing. We have what we call a supplemental rating questionnaire, where we ask companies writing natural catastrophe lines what events and stress tests they’re carrying out as part of their ERM. We have our own stress tests that we apply to companies for natural catastrophes, terrorism, casualty and such, but certainly, we want to know what a company’s doing in terms of stressing its own balance sheet. Financial strength isn’t just about the probability of something bad happening, but about having the ability to pay out when it does. The more situations you’re aware of, the more prepared you will be to pay if and when it happens.
How can risk triggers be instilled into an organisation and how should these be monitored?
Reisner: Many companies use what they term a risk register, which usually has individuals who own, or are assigned to, that risk. The best way to monitor these risks is to do so from the top of the organisation down—embed it in the business units, make individuals aware on the front line.
Mount: A lot of companies have a dashboard and a risk register. The dashboard is more of a summarised view, and gives companies an idea of which risks are getting out of control, but you have to develop those limits and triggers, and be alert all the way down to the individual risk level.
Organisations have to identify someone who’s assigned to each risk and identify the limit. They should be aware of the procedure—who is notiﬁed when a limit’s exceeded and what risk mitigation will be taken as a result. There should also be back-up plans for when a company’s ﬁrst control is not available or can’t be implemented.
Who within an organisation should be made aware of risk breaches?
Reisner: The chief risk ofﬁcer or, if there isn’t one, the ERM committee or the most senior level of management. We rate companies of all sizes, and we understand that not all may have a dedicated individual purely to manage risk. In a lot of businesses, a chief executive might double as the chief risk ofﬁcer or chief ﬁnancial ofﬁcer. Either way, whoever’s assigned to monitoring risk from a corporate-wide perspective should be kept abreast of breaches. It should also be ﬂagged throughout the organisation—from underwriters and actuaries up to the senior levels.
How concerned are you about cyber risk?
"Financial strength isn't just about the probability of something happening, but about having the ability to pay out when it does."
Mount: It’s not as pressing as a solvency issue, but it is an important concern, and companies are taking steps to mitigate it, because it’s a key operational risk. If there is a data breach within a company, then there’s potential for a lawsuit against the company. It’s happened for a number of companies, not just insurance ﬁrms, and the outcome depends on what type of data is stolen—if it’s just names and addresses, it’s probably not a big concern, but if it’s sensitive information such as driving licence and social security numbers, then that company could be facing lawsuits from those whose information was stolen and ﬁnes from regulators. There could also be some business interruption costs if an insurer’s systems were impacted by malicious software.
Reisner: From an underwriting perspective, we are aware of it, but we don’t look at every potential risk that’s out there for a company— we let them do their job. It does present a threat, but I think it may also present an opportunity, as companies could create a product or insure individuals or groups for that risk. If an insurer were to accumulate a large amount of cyber risk exposure, we would want to know how they are managing that exposure and what stress scenarios they are using to ensure their capital is appropriate.
Do you think the industry has shied away from too many risks in recent years?
Mount: It has happened in some areas such as terrorism—after September 11, insurers pulled back from coverage—but over time, the government offered to put in a backstop and insurance came back. It’s a balance between pricing and availability, and if companies were to start excluding everything then it would be a cause for concern, but some exclusion creates opportunities for other insurers to step in and ﬁll that gap in the market. And ultimately, it’s the policyholders’ decision—they will opt for whomever gives them the most coverage for their money.
Thomas Mount is a vice president at AM Best. He can be contacted at: email@example.com
Greg Reisner is a managing senior ﬁnancial analyst at AM Best. He can be contacted at: firstname.lastname@example.org