The financial crisis has introduced the area of risk management to much of the Western World via news reports, blogs and tweets.
This fact has not been lost on insurance regulators, with many jurisdictions working on requirements for insurers to prepare and file an Own Risk and Solvency Assessment (ORSA). At a very high level, ORSA can be viewed as providing insights on the soundness of a corporation’s risk-based management.
However, in several instances, when company management first heard of Enterprise Risk Management (ERM), Economic Capital (EC) and other building blocks of risk management, they had much the same reaction as the Mock Turtle in Alice In Wonderland: “Well, I never heard it before, but it sounds [like] uncommon nonsense.”
Management has been accustomed to looking at specific key indicators and using those benchmarks to manage budgets, product profit margins and future business plans—rather than ORSA’s detailed evaluation of corporate risk.
ERM is the combination of risk assessment and culture. The quantitative side of ERM provides a methodical way to assess the risks assumed by an entire organization. The result of this review will provide insights into how various risks interact and the amount of capital that each risk demands, thus providing management with the tools to plan out the amount and type of risk their organization should retain.
While these tools are very important, the key to making these plans work is to have an organization that embeds the risk decisions made by management into the everyday running of the corporation. Diving deeper into this idea, ERM is the combination of five key steps:
| Strengthening Risk Culture | Identification of Risk |
| Measurement of Risk | Linking Risk to Capital |
| Executing Strategic Decisions |
Strengthen Risk Culture
According to McKinsey, risk culture can be defined as “The norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss and act on the organization’s current and future risks.”
To have a strong risk culture, it is crucial for management to both clearly communicate and set visible and consistent role-modeling of the desired behaviors required to execute the risk strategy. Two other important aspects of a strong risk culture are to set high standards for the analysis of risks, which are then shared across the organization, and to rapidly bring to management’s attention any threats or concerns that arise.
Identify Risk
Once the groundwork of establishing a risk culture has begun, the process of identification of risks begins. This process should be done in steps.
- There should be agreement on the high level items that will be included in the risk identification process.
- One place to start is to break down risks into those that are qualitative and those that are quantitative.
- Qualitative risks are ones more subjective and identified, then assigned some likelihood of occurrence (e.g., High, Medium and Low).
- Next, mitigation strategies are developed for the risks most likely to occur. Numerical modeling can provide insights on how each of the quantitative risks interacts with the others.
Measure Risk
Quantitative risks can be analyzed through either a fixed formula or through the analysis of several scenarios. An example of the former is Risked-Based Capital. A common way to understand risks where many scenarios need to be tested is through a stochastic approach. This approach runs many scenarios, with the likelihood of each assigned some probability rating. Stochastically analyzed risks allow management a more nuanced view of the interdependence of risks.
Link Risk to Capital
Along with showing the nature of various risks, risk analysis can also help determine how much capital is required to back each risk assumed by the corporation. The link between the risks assumed and the amount of capital needed to back each one helps management determine how much risk the corporation is willing to accept (its risk appetite).
Execute Strategic Decisions
Using all of the analysis techniques described so far, management can then decide on a plan for the future direction of the corporation. Even with this plan being created, management is still faced with the biggest challenge of all: execution of the plan.
Although setting a corporation’s risk appetite is important, it is often difficult to limit the risks assumed to just that amount. Does the corporation really want to turn down a large policy, or is there another way? Typically, many corporations will use hedging, such as reinsurance, to limit a corporation’s risk to suit their risk appetite.
Now that the basics of ERM have been laid out, future blogs will look into other building blocks of ORSA and more specifics on risks and how they can be managed.
