1. Introduction :

Last month, we have discussed on the various facets of Risk Management processes available and applicable in Indian Life Insurance Sector. Now the Indian Life Insurance sector is coming of age and in terms of the Risk Management framework, so the life insurers now need to focus on the next generation issues as far as the implementation of Risk Management concept and better techniques of Risk Management is concerned. Identifying an individual cause of failure for any life insurance company is often not possible.

 

More possibly than not failure occurs due to a combination factors and these may, or may not be, be visible to common men during the months or years preceding failure. There is, however, one factor that appears common to most failures, and that is the adoption of poor risk management practices. Globalization and deregulation in financial markets, combined with increased sophistication in financial technology, have introduced new and additional complexities into the activities of insurers and therefore, added weight to their existing risk universe. These reasons accentuate insurers’ growing focus upon the identification and measurement of risk.

 

2. Concept of enterprise risk management (erm) implemented worldwide:
“ENTERPRISE RISK MANAGEMENT (ERM) is an integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value.” ERM is also referred to as:

1. Integrated Risk Management (IRM) or,
2. Holistic Risk Management (HRM) or,
3. Global Risk Management (GRM).

 

In Life Insurance Companies we need immediate & successful implementation of Enterprise Risk Management techniques. Enterprise Risk Management uses ‘Integrated Framework’ encompassing the following issues:

1. Capital Requirement
a. Insurers may choose one of the many approaches to calculate capital for credit, market & operational risk.

2. Supervisory Review Process
a. Contains the key principles according to which insurers ‘supervision should be done:
i. Board and management;
ii. Risk management models and process;
iii. Internal control to be set;
iv. Stress Testing.

b. One of the targets is also to try motivating insurers to hold capital buffers in excess of the minimum requirement.

c. Financial Supervision should be proactive before insurers’ solvency margin, net worth and capital goes under the minimum requirement as stipulated by the regulator, the IRDA.

3. Market Discipline
a. Includes recommendations and requirements especially regarding disclosure information.

 

3. Risk management in life insurance & application of ERM:
Risk Management is applicable to all walks of life. Generally we attribute the need for Risk Management in General Insurance. But the concept is equally applicable in Life Insurance also. In this article we shall give a brief overview of necessity of risk management in life insurance. The definition of risk management states “the art of managing the risk in such a way that the impact of risk is avoided or reduced to great extent.” Risk can affect both property and life. Though lot of discussions take place on risk management of property, the risk management in life is not given the equal importance.

A large number of persons are employed in industries. Some of the hazardous industries pose severe challenges to health of the workers employed in these industries. Are all the industries taking suitable care of their manpower? The answer to this question would certainly be NO.

 

The work labour force around the world have still not been rewarded with improved safety measures in their workplace and as a result large number of deaths take place in industrial accidents around the world. At times the impacts on labours are direct and sometimes they indirectly suffer from industrial accidents.

 

To quote an incident from world health organizations report: “One of the world’s worst chemical accidents occurred around midnight on 2 December 1984, in the city of Bhopal in central India. A deadly cloud containing the toxic gas methyl-iso-cyanate spilled from Union Carbide’s large pesticide plant while most of the population of nearly 900 000 people were asleep.

 

The exact figures for the number of people killed and injured by the gas are disputed. According to official Indian figures, nearly 3000 people died in the first few hours of the accident, while hundreds of thousands were harmed, and more than 15 000 people have since died from cancer and other diseases. Some estimates, however, have put the numbers much higher, suggesting that 10 000 people died initially and over 20 000 subsequently.

 

Officially, it is estimated that about 120 000 people continue to suffer from chronic respiratory, ophthalmic, reproductive, endocrine, gastrointestinal, musculoskeletal, neurological and psychological disorders associated with the event. The release of gas also caused hundreds of thousands of people to flee the city and the polluted local environment.

 

The emergency and local health services were overwhelmed by the event at Bhopal. Lack of information about the identity of the gas, its health effects and the necessary clinical management and mitigation measures contributed to enormous health consequences. The acute industrial accident triggered a long-term crisis for the entire population of Bhopal, the Government of India and the industries involved. The health, economic and environmental consequences of the catastrophe is still being felt today.

 

Could a similar incident happen again? The answer is almost certainly yes. Chemical production and use has increased nearly tenfold worldwide over the last 30 years, and this is particularly true in developing countries. Several governments have learned from events such as Bhopal – and the accident at Seveso, Italy, where large amounts of dioxins were released into the environment in 1976 – and have introduced regulations to prevent and prepare for major chemical accidents. Poorer nations, however, are still struggling with a lack of technical capacity and regulatory infrastructure to ensure safe chemical management.

In some countries with good technical capacity, the rapid pace of industrialization is outstripping the implementation of effective control measures. Increasing urbanization in such countries is exposing growing numbers of people to the risk of chemical incidents as they settle in close proximity to hazardous installations. This particularly affects the poorer segments of society who have little choice about where to live.

 

On 26 April 1986, explosions at reactor No. 4 of the nuclear power plant at Chernobyl in Ukraine, a republic of the former Soviet Union at that time, led to the release of huge amounts of radioactive materials into the atmosphere. These materials were deposited mainly over countries in Europe, but especially over large areas of Belarus, the Russian Federation and Ukraine. An estimated 350 000 clean-up workers or “liquidators” from the army, power plant staff, local police and fire services were initially involved in containing and cleaning up the radioactive debris during 1986-1987.

 

About 240 000 liquidators received the highest radiation doses while conducting major mitigation activities within the 30 km zone around the reactor. Later, the number of registered liquidators rose to 600 000, though only a small fraction of these were exposed to high levels of radiation. In the first half of 1986, 116 000 people were evacuated from the area surrounding the Chernobyl reactor to non-contaminated areas. Another 230 000 people were relocated in subsequent years.

At the present time, about 5 million people live in areas of Belarus, the Russian Federation and Ukraine with level of radioactive caesium depositions more than 37 kBq/m2. Among them, about 270 000 inhabitants continue to live in areas classified by their governments as strictly controlled zones, where radioactive caesium contamination exceeds 555 kBq/m2. In 2006, as the world marked the 20th anniversary of the Chernobyl accident, WHO released a report assessing the health impact of the worst civil nuclear accident in history.

 

The report provided clear recommendations for future research directions and public health measures for national authorities of Belarus, the Russian Federation and Ukraine, the countries most affected by fall-out from the reactor explosion. More than 4000 thyroid cancer cases have been reported in these countries in children and adolescents for the period 1990-2002.

This is significantly more than would be expected, yet precise estimates of risk are still unclear. Approximately 40% of these cases were detected through screening programmes and may otherwise have gone undetected. New thyroid cancer cases are likely to be reported in the coming decades.

 

The same report revealed that the most serious long-term public health impact is in the area of mental health. In addition to the lack of reliable information provided to people affected in the first few years after the accident, there was widespread mistrust of official information and the false attribution of most health problems to radiation exposure from Chernobyl.

 

The necessary evacuation and relocation proved a deeply traumatic experience for many people: their social networks were disrupted and they had no possibility of returning to their homes. In addition, many had to face the social stigma associated with being an “exposed person”; this stigma continues and has led to increases in risk-taking behaviour, depression and other neurological and psychological disorders.”

 

This incident clearly shows that the impact of accident may be direct or indirect. Due to release harmful gas not only the workers died but general public suffered a lot.

 

The industries should recognize the need for better safety for their workers and implement measures that will help to provide better environment to them. As a part of their risk management strategy the companies should provide adequate insurance cover for their employees. Now a day’s many innovative and tailor-made group insurance covers are available.

 

The companies must compulsorily insure all their employees’ in order to give boost to employees’ morale and emphasize the fact that the company is thinking about them. Human life is more valuable than property. This fact needs to be clearly understood by the management and they should chalk out Enterprise Risk Management strategy bearing this important aspect in mind.

 

Risks in underwriting individual accounts: A non-life insurance company is in the business of assuming risk
from individuals and businesses. Underwriting is the discipline of understanding and evaluating which risks to intentionally assuming. Minimizing unintended underwriting risk and the risk to the enterprise from unintended risk accumulations is generally a responsibility shared between Underwriting and Risk Management (“RM”); both disciplines are critical.

 

The underwriting function needs to ensure that a robust infrastructure is in place so when individual accounts are underwritten the underwriter has: adequate information on the risk, such that the exposures can be reasonably known and understood, the skills and experience required to analyze the risk, and the ability and incentive to design coverage and price the account properly.

 

Underwriting authority needs to be granted based on skills and experience and not on managerial hierarchical level. Referral authorities need to be in place, as well as effective auditing to ensure compliance with delegated authorities, in order to minimize opportunities for “rogue” activities.

 

The underwriting infrastructure also needs to provide training and oversight such that applicable laws, statutes, regulations, filings and so forth are rigorously followed. Adherence to filed rates, forms and similar measures is intended to reduce the opportunity for money laundering, terrorism funding, and so forth, and to ensure that customers are treated fairly.

 

An underwriting infrastructure also needs to be in place to allow for the meaningful capture of data on the risks underwritten. This is necessary to monitor concentrations, meet any regulatory reporting requirements and have the ability to manage the underwriting of individual accounts to remain within agreed limits on aggregate concentrations.

 

Concentration risk from insurance activities: The insurance and reinsurance mechanisms work most effectively when dealing with risks that are not correlated with one another. By this we mean that the likelihood of a claim occurring is not impacted by the fact that another claim has occurred. In cases where risks are correlated with one another, the (re)insurer must be cognizant of potential concentration risk.

 

Concentration risk arises in multiple forms and is the area where RM generally has the greatest involvement. Concentration risk arises from systemic risks, stacking risk, and clash risks. A particular form of systemic risk comes from natural and man-made catastrophic exposure.

 

Systemic risk is the accumulation of losses triggered by a single event or cause, affecting one or more industry segments rather than a single risk. Asbestos is the classic example of a systemic risk affecting multiple industries and policyholders, lines of business and policy years. RM and Underwriting need to ensure processes are in place to identify similar potential risks and to monitor and effectively control accumulations. A current risk with potential systemic impact is nanotechnology.

 

Underwriting and RM need to determine the economic risks, which lines of business might be exposed to loss (i.e., products liability, workers compensation), the likely effectiveness of coverage restrictions in policy wordings, the probability of different economic risk outcomes and the aggregate limit to expose the enterprise.

 

Stacking is another aspect of concentration risk. Stacking refers to the accumulation of net (after reinsurance) retentions within the same line of business on the same insured. Here the risk arises, for example, from multiple business units providing coverage for the same policyholder plus participation in a reinsurance program from a policyholder’s reinsurance captive. Procedures such as a name and location clearance system are typical ways to prevent such an unintended accumulation.

 

Clash is a similar concentration risk that occurs when one or more business units insure more than one line of business for the same policyholder who could be affected by the same claim or incident. This could lead to a higher than intended aggregate loss. Reasonable foreseeability and a large dose of common sense, together with an effective name clearance system and an agreed exposure limit are the keys for Underwriting and RM in managing these exposures.

 

Exposure to systemic risk arises from both natural and man-made catastrophic events. Monitoring and managing risk accumulations requires detailed data (see below), models and an underwriting infrastructure that spans all lines of business and all business units that write policies in potentially exposed locations. Critical from a RM perspective is the ability to monitor accumulations across lines of business and locations and to intervene when aggregate limit boundaries are breached.

 

Mitigation actions might include simply abstaining from additional underwriting commitments (or non-renewing existing commitments upon expiry) or purchasing additional treaty or facultative reinsurance for peak exposures. The critical element is having the infrastructure to identify unintended accumulations across multiple business units and all lines of business.

 

The concentration risk of natural catastrophes arises primarily from exposure to earthquakes, floods and windstorms. Property damage and business interruption accumulations are typically modeled by using sophisticated commercial modeling tools (RMS, AIR, EQECAT, etc.). Systemic risk also includes additional lines of business, such as workers compensation, employers liability, accident and health, group life, marine, and automobile physical damage.

 

These exposures may not be coded to location in the same detail as property policies, nor be subject to the same modeling capability. As such, RM needs to be comfortable that processes are in place and effective to identify peak property exposures through name and location clearance systems in order to allow for identification of significant exposures to non-property lines of business at the same location.

 

Man-made catastrophic events can similarly impact all lines of business. This category includes events ranging from terrorism, primarily, to a train accident involving toxic chemicals. Terrorism exposures are generally divided into two categories: conventional attacks (conventional bomb, aircraft used as a missile) and non-conventional (nuclear, chemical, biological, radiological “NCBR” e.g. a “dirty bomb”).

 

Property and business interruption policies may or may not include coverage for a terrorist act or coverage for NCBR. Policies covering worker compensation or employers liability, by their nature, may provide coverage for all such events. From a RM perspective, it’s important that data be captured identifying policies with NCBR coverage. It is also vital that the same infrastructure and modeling capability for monitoring and managing accumulations noted for natural catastrophes be in place for man-made catastrophic exposures.

Stress Scenarios: Stress scenarios are especially necessary for determining aggregate limit boundaries for natural and man-made catastrophic events and guiding decisions on purchasing reinsurance protections. For example, in addition to considering the results generated from the modeling tools, the ERM framework for Lloyd’s includes consideration of specific Realistic Disaster Scenarios as a test of exposures under extraordinary circumstances.

Further, RM is uniquely positioned in many insurance organizations to consider the interaction of risks from different organizational silos in stress scenarios. Very low probability events, like a 1 in 250 year windstorm or earthquake, a significant terrorism incident, or a pandemic will require RM to have considered not just the underwriting risk but to have incorporated the potential impact on the investment portfolio, liquidity, reinsurance recoverable, and business continuity both from a holding company and individual subsidiary legal entities level. Mitigation actions may then involve internal or commercial reinsurance, standby credit, and/or similar arrangements to balance the potential exposures and financial stress the organization faces.

 

Concentration risk from credit-related exposures: Another aspect of concentration risk arises from multiple financial-related exposures to an individual policyholder. A significant event, such as a fraud or severe downturn in profitability, might lead to losses from a D&O policy, surety and fiduciary coverage, and/or financial guarantees, plus losses on any debt or equity investments, securities lending, reinsurance recoverable from a captive, and exposure as counterparty to a derivative transaction. In addition, third-party liability and/or retrospectively rated insurance programs may generate exposure due to large deductibles, retrospective premium adjustments or other credit risk.

 

From a RM perspective, tools to monitor and evaluate peak exposures bridging insurance commitments and financial holdings need to be in place, as well as assurance that assessments of the creditworthiness of the policyholder are effective and guiding collateral negotiations. Correlations between the various insurance and financial exposures under stress scenarios need to be determined with limits set reflecting both underwriting and credit rating considerations.

Data capture: Accurate, thorough, relevant, detailed data capture is key to measuring, modeling and managing the risks of unintended exposure accumulations. RM needs to ensure that adequate auditing is in place to allow reliance on the data collected.

Similarly, RM needs to be comfortable that underwriting has the processes in place to monitor and manage individual account underwriting across multiple business units, policyholders and lines of business to stay within agreed risk limits. Name clearance systems, allowing each underwriter participating on a policyholder’s program to see all the commitments to that policyholder, are an effective tool in this regard, as are systems to monitor accumulations by class and line of business.

 

Detailed data capture is especially critical for monitoring property accumulations for catastrophic exposure to both natural and man-made events. Granular data including the policyholder’s type of business, number of employees, construction type and age, values insured, business interruption coverage and limits, and so forth, for each precise location (street address, latitude and longitude) are critical.

 

Experience from many insurers examining losses from Katrina has shown that modeled catastrophic exposures were understated. One reason for this was incomplete data capture of insured locations. Risk needs to be comfortable that data capture is complete and audited as necessary for the modeled accumulations to be meaningful.

RM must also be forward thinking about data capture. It is not sufficient to think about capturing data for risks that are current and obvious, but to also think about where the emerging risks are arising and what data is necessary to assess these risks.

Reinsurance Risk: Reinsurance is a widely used and valuable tool for mitigating peak risks on both individual accounts and portfolios. Inherent in reinsurance are several risks of concern to the Risk Officer of insurers. First and foremost RM must be attentive that the reinsurance purchased is actually providing the appropriate coverage to mitigate the peak risks.

 

In this regard, there needs to be strong communication between underwriting and the reinsurance buying function to ensure that underwriters are aware of the provisions of the reinsurance treaties being purchased. In particular, awareness of exclusions or special acceptance criteria is vital. On the facultative side, underwriters or facultative buyers must be trained to have coverage afforded by the facultative reinsurance be concurrent with the terms of the underlying policy.

 

The insurance enterprise is exposed to various risks when purchasing reinsurance. These include: Credit Risk, Regulatory Risk, Operational Risk (including Non-Concurrency (mentioned above) Lack of Contract Certainty, and Accounting/Tax Risk) and potentially Reputational Risk.

 

Credit risk has numerous aspects which must be managed. The starting point is the assessment of the credit worthiness of the reinsurer. This process generally leads to an “approved list” of acceptable reinsurers and a limit on the aggregate credit exposure to an individual reinsurer which is linked to its credit rating.

 

Reinsurance may be purchased locally on a facultative basis by underwriters for individual accounts with peak exposures and also in multiple business offices on a portfolio, or treaty, basis. RM needs to ensure that adequate controls are in place so accumulations by reinsurer are monitored with actions taken to mitigate peak exposures.

Accounting risk arises as accounting for reinsurance transactions can be complex. Reinsurance transactions need to have risk transfer characteristics in totality support insurance/reinsurance accounting (to be included in financial results as reinsurance) and these characteristics need to be appropriately analyzed and documented. In particular, the accounting must consider all aspects of the agreement, including any written or verbal side agreements.

Also of concern is ensuring that reinsurance transactions are not structured to obfuscate the true financial results of the company. Overly complex transactions and certain “circular” transactions can lead to accounting difficulties. For example, policyholders may have captive insurers or reinsurers involved in their risk management program. Sometimes the structure of these transaction becomes extremely complicated with the captive being the insurer, a reinsurer and/or a retrocessional. With many moving parts, it becomes difficult to assess the true nature of the transactions and to record all of the necessary accounting entries in an accurate and timely manner. This operational risk is one on which the Risk Officer’s organization must focus, ensuring that appropriate controls are in place to mitigate the risk.

 

For both commercial reinsurance and captive arrangements, training and oversight need to be emphasized and sufficiently robust to ensure that there is a significant degree of risk transfer (underwriting and timing risk), any fees are reasonable, no side agreements, verbal or written, the financial records of both parties reflect the transaction the same way, and similar measures. The Risk Officer needs to be comfortable that procedures are in place so all such arrangements receive appropriate oversight and monitoring.

 

Facultative reinsurance purchased locally to protect individual policies and treaty reinsurance has significant measures of operational risk. These include delays in agreeing policy wording and a resulting lack of contract certainty, non-concurrent terms and a simple failure to execute as intended. The Risk Officer needs to ensure that the operational risk measures developed enterprise-wide extend to the placement of reinsurance.

 

Alternative risk transfer: Large natural catastrophe losses in 2004 and 2005 and enhancements to catastrophe accumulation models have increased the demand for reinsurance and retrocession protections. In turn, this demand has led to increased utilization of alternative risk transfer mechanisms to supplement the traditional reinsurance markets.

 

In particular catastrophe bonds, industry loss warranty protections, hedge funds and so-called “side-cars” have grown in popularity. These facilities provide much needed, fully collateralized capacity to insurers and reinsurers but may include basis risk which must be included in risk capital determinations.

Catastrophe bonds typically involve a special purpose vehicle which provides protection to the insurer/reinsurer. This is done through traditional, indemnity reinsurance coverage based on the insurer’s ultimate net loss, or, more typically, a recovery is determined based on a derivative (or parametric) measure of the loss. For example, one is based on the industry loss or the modeled loss from an event.

 

The SPV, in turn, develops its capitalization through the issuance of bonds to investors. In the event the reinsurance is triggered, the bondholder will not receive all or any of their principle at maturity. The parametric coverage approach, while more attractive to the investor in the catastrophe bonds as the investor doesn’t have to underwrite the individual company, includes basis risk the Risk Officer needs to evaluate. That is, it is possible that the buyer could have a loss to which the coverage does not respond.

 

Industry loss warranty protections are structured similarly but the protection triggers are typically based on relatively narrowly defined risks and regions and a resulting aggregate industry loss. Industry loss warranties are attractive to investors for simplicity but include considerable basis risk for the insurer which needs to be evaluated. Another alternative source of reinsurance capacity is reinsurance provided by thinly capitalized reinsurers backed by hedge funds.

 

These reinsurers provide reinsurance on a fully collateralized basis, meaning that the full limit of the reinsurance is collateralized at the inception of the contract. Risks with these vehicles include operational risks, risks pertaining to the collateral and failure to satisfy statutory requirements. The RM should also be aware that these vehicles typically do not include the reinstatement coverage available in traditional reinsurance.

 

Finally, so-called “side cars” are special purpose reinsurance vehicles similar to those vehicles that facilitate Catastrophe Bonds. These vehicles are funded by both debt and equity and typically provide quota share reinsurance to the sponsor (re)insurer.

The SPV has limited capital resources and this limitation acts to cap the quota share coverage provided by the facility. This structure has the potential of “tail risk”, which is the risk that the sidecar cannot meet its reinsurance obligations to the cedant in an extreme event.

 

RM should consider and be aware that many alternative sources of reinsurance are transacted with capital that may be more opportunistic than traditional reinsurance. This capital may disappear if terms and conditions are not ideal.

 

Post -event large loss reviews: Insight into the effectiveness of the myriad individual account underwriting processes, concentration monitoring and management, data collection and operational risk can be gained through a systematic review of large losses in a collaborative effort between underwriting and RM.

 

Incidents that lead to insured losses happen. That’s why people and companies buy insurance. But insight into adherence to relevant guidelines when the risk was underwritten and the impact the risk has had on the various concentration management measures can provide Underwriting and RM with valuable information.

 

Emerging risks: Emerging risks are exposures which may develop or already exist. They are difficult to quantify, may have a high loss potential and are marked by a high degree of uncertainty. Risks involving emerging technologies or environmental changes require identification, assessment, monitoring and mitigation. Examples of such emerging risks would include nanotechnology, pandemics, genetically modified foods, changes in weather patterns, and so forth.

 

RM needs to ensure that Underwriting identifies coverage triggers, lines of business potentially exposed, limits, accumulation potential across lines of business and policy years, reinsurance applicability and monitors developments broadly in the insurance, healthcare and legal arenas. Mitigation actions need to be agreed with Underwriting regarding coverage, limit and volume restrictions, reinsurance protection and monitoring of potential accumulations. RM is a key driver in determining the importance of identifying emerging risks, designing actions to contain unintended accumulations and monitoring that risk measures are effectively in place.

Correlated Risk: Assessing the degree of correlation between lines of business and for each line to other risk types is a critical requirement. It is necessary to determine risk capital and optimize the mix by line, limits exposed and volume in order to minimize required capital through diversification.

 

Relevant experience may well be very limited for analyzing correlations, especially at the critical stress levels most important to risk capital determinations. Hence, RM generally needs to work closely with Underwriting to judgmentally assess and agree the degree of correlation.

 

As an example, property and business interruption coverage may generally be seen as having a very low correlation with casualty coverage. An incident causing a loss may not typically affect both coverages, exposure to inflation in loss costs in future years is far less in property, reinsurance costs tend to have different trends, and so forth.

The actual situation is more subtle, however, for the more extreme scenarios. A large factory explosion may lead to losses to policies that protect workers and to liability if neighboring buildings are damaged. Potential for a D&O exposure also exists if the explosion was found to be the result of management negligence. Similarly, one would expect a higher degree of correlation between D&O exposure, surety, financial guarantees and the investment portfolio under stress scenarios.

Operational risk might be seen as more strongly correlated with property exposures due to the complications with monitoring aggregate catastrophe accumulations and placing facultative reinsurance than casualty exposures. RM and Underwriting need to ensure that adequate consideration is given to stress scenarios intended to mirror the probabilities and correlations underlying the risk capital calculations, especially as respects individual subsidiary legal entities.

Risks in the underwriting “cycle”: Price levels in non-life insurance tend to move in multi-year cycles as the result of varying levels of industry capital, economic outlook, competition and similar considerations (refer Figure no. 1 below). Theoretically, an actuarially correct price for each account can be consistently determined based on desired ROE and anticipated loss trends. Actual prices, terms and conditions will deviate from the actuarial price based on marketplace conditions.

Increased risk results from a failure to systematically measure deviations from the actuarial price and to fully recognize such deviations in current financial results, particularly during times when marketplace pricing is less than the actuarial price. RM needs special attention that actual pricing, terms and conditions are monitored and that loss reserves and current financial results reflect deviations from actuarial pricing.

Risk capital is required for uncertainty in this measurement due to the increased risk of understated loss reserves and added volatility as a consequence. We explain how enterprise risk management creates value for shareholders. In contrast to the existing finance literature, we emphasize the organizational benefits of risk management. We show how a firm should choose its risk appetite and measure risk when implementing enterprise risk management.

We also provide an extensive guide to the implementation issues faced by firms that implement enterprise risk management. There has been a dramatic change in the role of risk management in corporations.

 

Twenty years ago, risk management often denoted the tasks associated with the purchase of insurance. Treasurers also performed risk management tasks, but they focused mostly on hedging interest rate and foreign exchange risks.

Over the last ten years, corporations have taken into account additional types of risk. In particular, they started to pay much attention to operational risk and reputation risk. Most recently, strategic risks have been added to the panoply of risks considered.

 

More and more, the risk management functions are directed by a senior executive with the title of chief risk officer (CRO) and the role of the board in monitoring risk measures and setting limits for these measures has increased at many corporations.

A corporation that chooses to manage risks can do so in two fundamentally different ways: it can manage one risk at a time, or it can manage all of its risks holistically. The latter approach is often called enterprise risk management (ERM). In this article, we argue that firms that succeed at ERM have a long-run competitive advantage over those that manage and monitor risks individually.

Our argument is that, by measuring and managing its risks systematically and consistently and by aligning the incentives of employees to optimize the tradeoff between risk and return, a firm increases sharply the odds that it will be able to achieve its strategic goals. 

 

In the following, we first explain why ERM creates value for shareholders and gives firms a competitive advantage. We then describe how ERM should be implemented. First, we explain how a firm should choose its risk appetite. Second, we show how it should measure risk.

Third, we discuss the mechanisms that allow the firm to take and retain the risks that create value and lay off the others. Though ERM is conceptually straightforward, its implementation in practice is not. We therefore provide an extensive guide to the most important difficulties that arise in practice when implementing ERM in the last – and longest – section.

 

4. Finally let us consider the eight common pitfalls of enterprise risk management implementation common to all organizations: Enterprise risk management (ERM), which is an integrated approach to risk management, is being increasingly popular in the world. Bill Fuller, a general manager at Hudson in the United States, worked in multinational conglomerates and spent time in professional services with PricewaterhouseCoopers completing compliance audits and offering technical expertise.

 

He recently presented in Denver on the common pitfalls of ERM implementation. These are Fuller’s eight common pitfalls of ERM for organizations considering implementing ERM or that have stalled ERM initiatives:

1. Management must accept and choose a risk management framework like The Committee of Sponsoring Organizations of the Tread way Commission (COSO). COSO helped to build a risk management framework for organizations after high- profile business failures like Enron drove calls for increased risk management governance. Using a framework like COSO’s ERM framework is, “The start of a communication tool using common language throughout the organization,” Fuller said and important to ERM success in any organization.

2. Lack of senior management commitment. “Any initiative will fail if senior management is not committed,” Fuller said. Personally, I don’t know any risk management professionals who would disagree with this statement.

3. No designated risk management and change-process owners at the senior level or in each business unit. According to Fuller, “There needs to be ownership within the organization at senior- level management with clearly defined roles and responsibilities.”

4. Organizations must have a plan to move from the current state to the desired state. “With that plan, there must be tasks, roles, resources and time lines. It’s not just a plan that says, ‘Yes, we’re going to do this,’ but steps must be clearly outlined with a way to monitor progress,” according to Fuller.

5. Fuller believes that measurement tools will facilitate the alignment of activities to the overall business objectives. Then, match resource allocations (capital, operating expenses, people) to those objectives. “Put your dollars where they should be placed based on the risks,” Fuller said.

6. An organization should formally roll out a communication plan and training curriculum to develop risk management awareness and core competencies in the company. Training to those core competencies is needed, as well.

7. When a risk management program is in place, reinforce its use by aligning human resource mechanisms to that program. Fuller recommends incentivizing employee participation. Begin the process with qualitative measurements like meeting attendance, Fuller recommends, then add quantitative measures later.

8. Organizations must develop an ongoing monitoring mechanism to ensure the risk management mandate is implemented. “Every time you identify risks, the organization must develop a strategy to mitigate those risks. These are nothing more than action plans. Someone has to monitor the action plans and report to management and company governance. This is typically may be implemented by the internal audit teams.”

 

Author

Leave a Reply

Your email address will not be published. Required fields are marked *