11 March 2010

Published in: Risk governance

How to structure and govern a risk management framework

Meeting Solvency II's requirement for an effective risk management framework boils down to boards of insurance companies being able to answer five fundamental questions, explains John Bromfield

As the financial crisis has once again underlined, the effective management of risk is fundamental to the success of an insurance business. Boards, investors and rating agencies have heightened their focus on risk in the face of market instability and continuing capital constraints. Solvency II will raise the stakes still further by requiring insurers to develop a systematic risk management framework capable of ensuring that risk considerations are appropriately understood, controlled and integrated into decision-making.

Most board members understand the concept of an effective risk management framework. However, they may be less clear about what this entails in practice, including how the framework should be structured and governed and how it will affect the way they run their businesses. In fact, what all this boils down to is being able to provide answers to five fundamental questions that all boards should satisfy themselves upon.

1. What risks does our business face?
2. How much risk are we prepared to take?
3. Who is specifically responsible for managing these risks?
4. How can we be sure there are no surprises?
5. How does our risk profile affect our capital requirement?

Answering these questions consistently and on a continuous basis requires an effective risk management framework to be developed and implemented.

At PwC, we have designed an integrated enterprise risk management (ERM) framework that aims to provide the strategic direction, organizational embedding and underlying infrastructure of risk identification, evaluation and communication to address these questions (see Figure 1). The benefits are not just a solid platform for Solvency II compliance, but also a more informed and assured basis for business planning and performance management. The framework consists of 10 interconnecting components that together, help clients articulate and manage risk.

Figure 1: 10 components of an ERM framework

However, successful implementation is no easy matter and requires considerable effort to overcome the challenges involved.

Biggest challenges

In the autumn of 2009 and spring of 2010, we carried out a survey of more than 75 insurance professionals involved in risk management and particularly Solvency II implementation, to gauge what they see as the toughest challenges they face in developing an ERM framework ready for Solvency II. We based the survey on 10 key questions related to the ERM framework (see Figure 2).

Figure 2: Biggest challenges in developing effective ERM frameworks

Two key findings quickly came to the forefront:

• the difficulty in embedding behavioural change across the organization, and
• the complexity of developing effective risk appetite that could be easily used by management to facilitate better decision-making.

Behaviour change: the real test

While much of the focus of implementation within many firms is still concentrated on the technicalities of capital evaluation, securing broader business understanding and achieving changes in behaviour are likely to be among the most difficult and time-consuming activities required. Behavioural change is not only about influencing decisions and actions through individual performance evaluation and reward, but also revolves heavily around organization design and responsibility, talent management (ensuring staff across the business have the necessary skills) and leadership at all levels.

A crucial element of winning frontline buy-in and achieving behavioural change is also ensuring that management information (MI) about risk is sufficiently intelligible, actionable and business-focused to address the "five fundamental questions". This is because well structured and understood MI is a fundamental and necessary catalyst of real change. With many companies set to invest considerable sums in upgrading their risk and capital analysis in the lead up to Solvency II, it would be galling if all the critical business insights were lost in a fog of incomprehensible data.

Risk appetite central to risk management framework

The aspect of implementation rated as most difficult in our poll of insurance professionals was establishing risk appetite. Although this does not require the time and resource levels needed in behavioural change, it is central to an effective risk management framework.

As the key bridge between the ERM framework and the business strategy, establishing a clear and coherent risk appetite requires considerable input from the CEO and other senior executives. However, while most board members have an instinctive idea of how much risk they are prepared to take, many find it difficult to define and convey their risk appetite in a clear and concise manner that promotes effective decision-making and that makes sense to external stakeholders.

A necessary first step in articulating risk appetite is to analyze the expectations of different stakeholders (shareholders, debt holders, customers, rating agencies and regulators). In relation to shareholders, for example, it is useful to gauge what balance between risk and return they are comfortable with to achieve a target level of growth. Typical considerations might include looking at whether the high rewards that could be realized through investment in a new emerging market venture would justify the potential for equally high losses, and then weighing up whether this is really a better bet than the lower, but more predictable returns, that could be achieved at home.

Once articulated, business managers can feed this analysis into their overall business strategy in making such choices as which markets to operate in and where to position themselves in relation to their competitors. The results can also provide the capital markets with a clear statement of intent about what kind of opportunities the company will pursue and how much associated risk it is prepared to accept to deliver a given return.

Figure 3: Risk appetite structure and design principles

As Figure 3 outlines, this high-level group statement can then be translated into both hard (such as risk-adjusted return) and soft (such as reputational safeguards) risk limits for particular business units. The key is tangibility. For example, a "one in 200 year risk of ruin" often means little outside the risk-modelling suite. However, a statement saying "we will only write business where the total portfolio yields an X% rate of return" provides a much clearer link between risk tolerances and revenue objectives, and provides a metric that can be readily aligned with performance evaluation and compensation. The test of success is whether the metrics being used to define the risk appetite actually drive management action.

Good business sense

An effective risk management framework is critical to both the implementation of Solvency II and the ability to prosper in a tough market environment. A common-sense approach rooted in providing answers to the five fundamental questions is what the business needs to deliver long term and sustainable change. The foundation is a clear statement of how much risk the firm is prepared to take and an effective analysis of how it is performing in relation to this appetite.

John Bromfield is a partner at PricewaterhouseCoopers (UK), john.bromfield@uk.pwc.com

Back to top