With the Solvency II deadline of 2012 looming, there is much work for insurance firms to do in reviewing and adapting their risk management systems. Under Solvency II, firms in 30 countries will have to conform to one set of prudential regulatory requirements. Against this backdrop, enterprise risk management (ERM) - which is an integrated risk management framework - has received much attention in the industry as a compliance tool. Although ERM is not the only way through which an insurance firm can achieve the objectives established under Solvency II, the fact that such a framework will allow firms to get a clear picture of all the risks inherent to the business across departments makes it a natural solution for meeting the new standards.
Moody's team managing director of insurance, Simon Harris, says that a robust ERM framework will show regulators that a firm has the adequate risk management system in place. "A well-established centralised risk management system, with defined roles and responsibilities for risk managers, management and the board, will demonstrate to regulators and other parties that risk management is being given the appropriate level of focus," he adds.
Compliance aside, an integrated ERM system can provide firms with timely and dynamic information that can be harnessed to ensure competitive advantages and better synergies within large organisations. Insiders say that firms must not view ERM merely as part of the daily grind of managing an organisation and satisfying the requirements of regulators.
"The focus of regulators and supervisors is inevitably on protecting policyholders in relatively extreme scenarios," says Mark Chaplin, global head of risk and value services at Watson Wyatt. "This leads to a greater emphasis on controlling risk and downside and less on maximising the expected return for a given level of risk tolerance. This is natural, but does mean firms will need to look well beyond pure compliance to derive real benefits from their investment."
Crucial to a successful ERM system is a management that is committed to risk management. Organisations need to have a strong risk management culture and management needs to be able to articulate its risk tolerance throughout the ranks. By having a clear understanding of an organisation's risks, management can make better decisions and, in turn, improve returns earned per unit of risk taken. With management commitment, the implementation of an ERM framework will also come more naturally.
There are three elements to ERM. The first is governance, which means that an organisation's business units and risk committees must establish its risk appetite, risk limits and risk policies. The second is assessment, which refers to the identification and quantification of risks an organisation faces. Part of this process involves the reporting of risk and returns through management information. The third element of ERM is action, which is to put into practice business decisions based on the organisation's risk tolerance.
"The ultimate aim is to choose which risks to take so that the risk-adjusted return of the organisation is optimised and that the overall level of risk taken falls within the agreed risk appetite," says Chaplin. "Actions include setting the strategic asset allocation, selecting which risks to hedge and to reinsure, choosing the appropriate level and form of collateralisation, deciding what controls to put in place and deciding whether or not to outsource certain functions."
With such a framework in place, organisations will have a deeper understanding of their own risk appetites and, hence, can make a better assessment of their portfolios. This then allows management to seek ways to realise benefits and synergies within the organisation that it may not have been aware were there before. Organisations will also then be able to focus on the segments in the market that provide the most attractive returns and ensure that they are properly rewarded for risks taken.
"Through an ERM programme, management can better understand the risk exposures and the portfolio so that, if it had an opportunity to take more risks, it could make decisions that actually allow it to expand into new areas to get better diversification across all the risk categories," says Colin Ledlie, chief risk officer and group chief actuary of Standard Life who is also the chairman of the ERM practice area committee of the UK Actuarial Profession. "There may be some very positive synergy benefits organisations could get between different areas. It shouldn't be and it isn't the objective that ERM is purely defensive."
In practice, firms can create their own internal models in an ERM framework to calculate their solvency capital requirements under Solvency II, instead of using a standard formula. In some cases, a firm's supervisor will require it to use an internal model if the standard formula is not thought to reflect accurately all the material risks to the organisation. To this end, the benefit of using an internal model is that firms will be able to set up their own risk distributions, stress tests and correlations, as a result of which they will be able to get a more exact picture of underlying risk profiles and risk management activities. For supervisors to grant approval, internal models will be expected to meet statistical, calibration, validation, documentation standards and to pass the use test. All of these requirements only make the risk management system more robust, ratings agencies say.
"Embedded within the regulations will be a 'use test' before a company can use their internal model for solvency assessments," says Keith Bevan, director of insurance ratings at Standard & Poor's (S&P). "The use test is broadly aligned with what S&P would describe as a 'strong' or 'excellent' strategic risk management, a key part of an advanced ERM programme."
Ratings agencies and regulators are among the key proponents of using ERM as a risk management system. But, for all the benefits that an ERM framework provides, there are problems that could hamper the workings of such a system. For example, the calculation of economic capital is an area on which some firms have spent a lot of money and effort. But, because it is time-consuming to produce this figure, the information can be out of date by the time it is disseminated. Management information is also sometimes not timely enough for firms to be able to take better corporate decisions.
"Many organisations are held back by their systems, which are often incapable of providing the necessary risk and value information rapidly enough," says Chaplin at Watson Wyatt. "Improving processes and systems to reduce manual intervention in the calculations will help, but often a new approach may be required. Examples of this include the rapid increase in interest that we are seeing in the use of replicating portfolios alongside actuarial projection systems and the investments being made into GRID processing technology."
While there has been a perception in the market that implementing an ERM framework could be a financial drain for smaller firms, in reality, companies with less complicated structures and businesses will require simpler systems and will need to maintain and manage less data. There are simple things that companies can do without incurring huge costs. For example, they can strive to improve risk information and establish a clearer understanding of where the responsibility for the management of risk lies. Running stress and scenario tests to understand how different risks and combinations of risks could affect the balance sheet and the profit and loss accounts could also help.
"A smaller company can be nimbler and change the way things are done more easily," says S&P's Bevan.
More generally, while there may be some cost to improving ERM, the cost of not acting may be greater. "If the main competitors are using ERM to define their strategy and set their pricing, there is the possibility that companies without ERM will be writing unprofitable business, which would not be sustainable for long. Therefore, the costs of not implementing an ERM system might be substantial," says Bevan. Chaplin agrees, and comments: "There are plenty of examples of companies with a more advanced ERM framework finding it useful in implementing hedges to reduce the overall level of market risk being taken. This has been a source of competitive advantage in the recent market turbulence."