27 January 2009

Published in: Risk governance

How insurers can use risk appetite to set risk limits

Producing a risk appetite statement is not easy; cascading it into a comprehensive limit structure even harder. But the rewards for achieving this are significant, explains Karl Chappell.

Shakespeare has Macbeth say, "Now, good digestion wait on appetite, and health on both!"- good health requires good digestion which in turn requires a good appetite.

Royal banquets are one thing, but this can also serve as a good motto for today's economy and in particular to insurers. Standard & Poor's seems to think so - in its view defining a risk appetite and digesting this throughout the organisation is an integral element of a healthy insurance company.

Standard and Poor's writes that insurers with a "strong" enterprise risk management rating must have defined a "process for developing the risk limits from the overall risk tolerance" and that insurers wanting to go beyond this to an "excellent" enterprise risk management rating must also have this "implemented throughout a higher percentage of its group." (Insurance Criteria: Refining the focus of insurer enterprise risk management criteria, Standard and Poor's, June 2006)

The risk appetite framework

The profile of risk management within insurers has increased progressively over the last decade driven in part by regulatory developments (most recently Solvency II) but also by the growing recognition that risk management should form a fundamental part of an insurance company's strategy and operations rather than being a siloed back-office function. Risk management will only become more important following the global financial crisis and its impact on the financial services industry, where many insurers have observed the apparent mistakes of the banks from the relative safety of the sidelines. In this context, it is of little surprise that the position of chief risk officer (CRO) has been formalised in many organisations and that the CRO often has the ear of the chief executive officer.

So how do insurers embed the risk agenda throughout the organisation? A risk appetite framework provides the context for active risk management, from the top-of-house articulation of a risk strategy which is endorsed by the board, through to the detailed monitoring of the risk exposure relative to pre-set limits or triggers. However, achieving this is no trivial task, requiring both the engagement of the full hierarchy of decision-makers in the business and the resolution of a number of complex risk budgeting and resource allocation problems. Insurers who are serious about embedding the risk agenda into the business need to follow four steps:

1. Articulate the group risk appetite
2. Allocate limits to business units / risk types
3. Embed limits at an operational level
4. Monitor adherence to the limit structure

While each of these steps has its challenges, many insurers have achieved steps 1 and 2 only to stall at step 3.

Articulate the group risk appetite

A group risk appetite statement is at the centre of the risk management framework: it articulates what types of, and how much, risk the organisation is willing to take.

The goal of this statement is twofold: to spell out the risk agenda of the company externally to the market place and to provide the basis for an internal risk limit structure consistent with board strategy. Therefore, it should be based on tangible risk impacts rather than abstract ideas - the board needs to be able to articulate it and the market needs to be able to understand it. The statement can have much greater immediate impact if it is expressed in terms of outcomes or effects rather than inputs or drivers.

The statement itself will usually contain only a handful of primary dimensions, perhaps four to six, with each dimension stating the risk appetite of the board for a given risk measure or outcome. The actual measures chosen will depend on the insurer's business and strategy but some common dimensions are:

• Earnings - how much of the planned or projected earnings is the board willing to put at risk?
• Capital/equity - how much (economic) capital or shareholder equity is the board willing to put at risk?
• Liquidity - how much of the available liquidity, distributable surplus or free cash flow is the board willing to put at risk?
• Franchise value - how much of the company franchise value is the board willing to risk (e.g. through adverse publicity, poor reputation or as a result of poor product and distribution strategy)?
• Regulatory - how much of the regulatory solvency headroom is the board willing to risk?

Defining the dimensions of the risk appetite statement is only the first step. Having done that, it is necessary to specify the risk measures that will be used and, most importantly, specify the board's risk appetite against these measures. This can be informed by considering the range of financial and risk exposure measures currently used and reported within the organisation - the statement itself should be broadly consistent with these measures. It should also ideally be expressed in terms of undesirable events - for example the capital-at-risk appetite can be expressed as the acceptable probability of breaching some capital trigger that would lead to a "difficult discussion" with a regulator or ratings agency. Finally, analysis of competitor statements can also provide useful benchmarks against which the organisation can measure itself.

Allocate limits to business units / risk types

While the group risk appetite statement is critical from a communication perspective, it is very difficult to manage risk solely by means of such a high-level statement. To have full impact on the company's risk profile, the risk appetite statement must be cascaded down through the organisation in a meaningful way, to reach those whose decisions steer the business. The first step in doing this is to develop a risk limit structure that sets out the amount of desired (or tolerated) risk exposure at, for example, risk-type and/or business-unit level.

The conversion of a risk appetite into cascaded business-unit or risk-type limits is no trivial task, especially when resources are scarce and business units are effectively competing for the allocation of risk-taking capacity. There is no sure-fire mechanical way of performing this allocation. In theory, optimisation using risk-return tradeoffs could provide a scheme for allocating limits but, given uncertainties in models and, more importantly, other qualitative and quantitative considerations, a more balanced and less prescribed approach is required.

The task of allocating limits can, however, be made easier by providing management with an array of both quantitative and qualitative information on which to base the decision. The following gives a summary of some types of information that should be included and considerations for each:

Current risk profile

Where risk infrastructure is already in place, the current risk profile should be calculated for each business unit or risk type across each of the defined risk appetite dimensions. This will provide a benchmark for the allocated limits by reflecting the relative appetite for risk across business units and risk types implicit in the group's current risk-taking activities (but may not have previously been explicitly determined. For example, a company may currently sell many life insurance products but relatively few motor insurance products, implying that their risk appetite is higher for mortality risks than it is for motor accident and liability risks. Therefore, a higher limit may be appropriate for mortality risks than for motor risks.

Sensitivity of risk profile

Various business scenarios should be defined for each business unit or risk type and their impact on the current risk profile determined. These scenarios should span the realistic action space open to management, i.e. what actions management can realistically take to impact the business and hence the risk profile, thereby providing the calibration points for setting the risk limits. Businesses that have little impact on the risk profile for fairly major shifts in business strategy do not need a large spare limit capacity in order to allow management operational freedom.

Risk-return assessment of individual risk types and business units

Adding an assessment of the potential return to the above scenario analysis can help define the risk-return characteristics of each business unit or risk type. This will provide an additional lever for setting the limits, particularly when the limit system is seen as a method for steering the business rather than just limiting it (the distinction here is that, in the usual course of business, resource allocation within strategic planning is the primary tool for steering the business, which should adhere to the risk limits; however, the limits themselves could also be used to steer the business by strategically setting the upper bound in the resource allocation process).

Diversifying impact of individual risk types and business units

An assessment of the risk-diversifying impact of each category within the limit framework can provide management with a view on those business units that contribute to concentrations of risk and those that do not: higher limits may be appropriate for those risk types and business units that diversify well with the rest of the organisation.

Benchmarking of event-driven losses

Management may be able to state the maximum loss they could be comfortable with disclosing to investors for specific risk events, at a similar level of granularity. This can be performed by differentiating between strategic risks, which investors expect the company to take; consequential risks, which result automatically from core risk-taking and are therefore inevitable; and non-core risks, which an investor would not expect the company to take at any significant level as a part of the core business strategy. Overlaying this assessment with investor reaction to historical losses (own or peer experience) provides management with the basis to set the upper bound beyond which limits should not be set.

Group strategy and strategic assessment of business units

The differentiation between core, consequential and non-core risks can extend beyond providing the maximum acceptable loss for a risk type or business unit to providing a basis for assessing the trade-off between risk types or business units. All other things being equal, core risks should be allocated a higher proportion of the overall limit allocation than the non-core risks. Moreover, the set of core risks should align with those where, over the medium term, the best risk-adjusted returns can be expected to be gained.

Steering senior management to the appropriate allocation of risk limits requires this qualitative and quantitative information to be clearly articulated into a series of straightforward decisions. The senior management responses will then naturally lead to a recommendation for the final limit allocation.

Finally the governance and monitoring of the limit system need to be able to cope with the practical complications of risk-taking. For example, the system needs to reflect that not all business units will fully use their limits. At the same time, in a unit which is aiming to utilise a particular limit fully, the process needs to manage the risk of limit breaches through the natural volatility of risk-taking. These fundamental methodology issues can be tackled by implementing appropriate governance and monitoring of the limit system.

Embed limits at an operational level

Embedding the limits at the operational (i.e. decision-making) level is key to ensuring that the risk appetite statement impacts everyday business decisions, allowing the organisation to be steered appropriately within the risk boundaries set by the board.

This step in the process requires a tailored approach for each "decision group" (which might be a business unit, function, product group etc.) as the requirements will vary significantly between them. For some decision groups the risk limits will need to be linked to the current risk measures incorporated in the business; for others new measures will need to be implemented to allow the business to track their risk-taking activities against their limit; and for still others, where the risk exposure is managed closely by the decision-group management itself, the business-unit or risk-type risk limit may be sufficient.

Any risk measures that are implemented need to be accepted as core to business decision-making and need to reflect the ability of the decision group to monitor them. For example, a capital risk limit for an asset management function may be linked to the current value-at-risk (VaR) framework; whereas, for a natural catastrophe underwriting function, the capital risk limit may be linked to loss distributions from catastrophe models. A tailored process is likely to be required for most business units, but we can consider three building blocks to help identify the most appropriate approach in each case:

Events: identification of the types of events the limit framework is trying to prevent

Individuals, committees and organisational units: mapping responsibilities to individuals, committees and organisational units, e.g. defining how different limits apply to senior underwriters vs. junior underwriters, defining how different committees oversee different risk-taking activities, etc.

Rules of conduct: defining rules by event and individual, committee and organisational unit alignment, e,g, defining to what extent risk-taking responsibility can be delegated downwards, defining what happens when limits are breached, etc.

Considering these items for each decision group defines the risk landscape against which the operational limit structure can be implemented.

Responsibility for the implementation of effective risk limits could be given to business unit heads where the management has strong control over the business and appropriate incentives are in place to encourage them to manage the business within the limits. However, it is more likely that a collaborative effort between each business and the group risk function is required to ensure appropriate implementation at an operational level.

Monitor adherence to limit structure

Once the risk appetite statement is in place and the limit structure has been defined and cascaded throughout the organisation, regular monitoring of the current risk profile against the limit structure and risk appetite statement will be required.

Incorporating the risk appetite statement and the reporting of the organisation's risk position into the group risk dashboard, regularly reviewed by senior management and the board, will provide the basis for monitoring adherence to the risk appetite. Linking the business-unit risk limits to appropriate and effective risk measures, as described above, provides a common link to risk measurement and control throughout the organisation, although ultimately the group risk function will have responsibility for aggregating the information and preparing the risk dashboard.

Sitting alongside the measurement of the risk profile should be a comprehensive governance framework that, from a proactive perspective, sets appropriate incentives for business units to remain within the risk limits, and, from a reactive perspective, defines the procedures for addressing breaches of limits, including the escalation process and any prescribed corrective actions specific to each business unit.

Embedding risk appetite into an organisation is a way to ensure that day-to-day business activities are conducted in a way that satisfies the aggregate view of tolerable risk levels from the board's perspective.

While the production of the risk appetite statement is not a trivial task in itself, the cascading of this statement into a comprehensive limit structure is likely to provide even greater challenges as it touches on many more decision-makers and requires the balancing of a number of competing interests.

However, the rewards of going through this process are significant, giving the board a means to translate its ambition for risk-taking by the company into tangible actions at the operational level. Furthermore, a risk appetite statement allows the board to illustrate their risk vision to investors and demonstrate how this vision is steering the business day-to-day.

A comprehensive risk appetite framework allows resources to be directed to the most valuable risk-taking opportunities while allowing management the freedom to take decisions within a defined playing field. Returning to our royal feast analogy, a healthy insurer is one which clearly articulates its risk appetite and successfully digests it through the organisation.

Karl Chappell is a senior manager in Oliver Wyman's Financial Services division, based in London.

Back to top