Dave Ingram explains how Willis Re's study of insurers' risk appetite and risk tolerance statements revealed wide differences in the concepts they express
Risk appetite and risk tolerance are perhaps the most important, but at the same time the most confusing, and even almost mystical, topics in enterprise risk management.
A European observer told me recently that he thought that everyone had one by now. A few years ago, rating agency AM Best, which actively collected them from all the insurers they rate, found that fewer than half of insurers (mostly US) had adequate risk appetite statements. Most recently, AM Best has placed their request for a risk appetite statement as the very first question on their Supplemental Rating Questionnaire, and the question is followed by a quarter page of blank space. Obviously, not a simple yes or no answer is required.
But there are not even clearly accepted definitions of the two terms, "risk appetite" and "risk tolerance", so for this article, we will use the definitions provided by the National Association of Insurance Commissioners (NAIC) in their ORSA Guidance Manual:
Risk appetite: Documents the overall principles that a company follows with respect to risk taking, given its business strategy, financial soundness objectives and capital resources. Often stated in qualitative terms, a risk appetite defines how an organisation weighs strategic decisions and communicates its strategy to key stakeholders with respect to risk taking. It is designed to enhance management's ability to make informed and effective business decisions while keeping risk exposures within acceptable boundaries.
Risk tolerance: The company's qualitative and quantitative boundaries around risk taking, consistent with its risk appetite. Qualitative risk tolerances are useful to describe the company's preference for, or aversion to, particular types of risk, particularly for those risks that are difficult to measure. Quantitative risk tolerances are useful to set numerical limits for the amount of risk that a company is willing to take.
The most common concepts were included in less than 60% of the statements
So what are insurers actually doing? In 2016, Willis Re performed a study of 48 (mostly US based) insurer risk appetite and tolerance statements, and the clear conclusion is that there is low consistency among those insurers regarding the concepts that they express with their statements.
We identified thirty different concepts that were included by two or more insurers. The most common concepts were included in less than 60% of the statements and only four concepts were found in more than half of the statements! So at this point, it can clearly be concluded that these 48 insurers did not all work off of the same template, and are actually expressing their own independent opinions about what principles they will follow in their risk management, and how they express their risk preferences and limits.
Here are the most common concepts found in the 48 statements:
|Top 5 Concepts found in Risk Appetite Statements|
|1||Linkage between Strategies, Risk and Risk Management||55%||Usually a broad statement that Risk Appetite and Risk Management are consistent with business strategies or plans with few specifics.|
|2||Overall Security Objective||43%||A simple verbal statement about their overall security (or surplus) objective|
|3||Diversified Investments||35%||Over a third of insurers felt that this was a vital part of their risk management strategy.|
|4||Risk Trajectory or Targets||33%||Qualitative statement of where they are headed.|
|5||Primary strategies for major risk categories||25%||Insurers point out that they have different strategies for different categories of risks|
Concept 1 – Linkage between Strategies, Risk and Risk Management
The risk appetite statement can be the primary connection between the strategies and objectives of a firm and its risk taking/risk management. Just over half of insurers explicitly express this objective as part of their risk appetite statement. In some of the companies where this is not stated (and probably in some where it is) risk and risk management are treated as separate from company strategy. Sometimes, it is treated as a compliance exercise and in other cases risk management simply follows its own track independent of the business plans.
Concept 2 – Overall Security Objective
On reflection it seems difficult to "document the overall principles that the company follows with respect to risk taking" without at least mentioning that the company has an overall security objective. But more than half of the 48 insurers did not include any such statement. From our observation of the insurance sector over the years, we would say that insurers operate within one of four broad levels of security objectives:
More than half of the 48 insurers did not include an overall security objective
- Robust – enough capital to maintain a secure level of capital after a major loss event.
- Secure – enough capital to satisfy sophisticated commercial buyers that you will pay claims in most situations by providing for the maintenance of a viable level of capital after a major loss event.
- Viable – enough capital to provide for a single major loss event and to avoid reaching the solvency level with "normal" volatility. These companies generally operate comfortably in a market where customers are not focused on assessing their insurer's financial strength. Sectors such as personal auto and health insurance.
- Solvency – enough capital to survive under normal volatility. A major loss event would render these insurers insolvent. US insurers in this group effectively use the regulator's risk based capital authorised control level as their risk capital standard.
Many companies can be seen to operate within one of these four bands for years, while others might drift around as a consequence of uneven earnings and business growth. With a risk appetite statement that includes their overall security objective, an insurer can communicate where they want to operate.
Concept 3 – Diversified Investments
By the time we get to just the third concept on the risk appetite list, we only have 35% of companies including this notion. Only a very few insurers are running hedge funds with the money that they hold for reserves and surplus. No harm in proclaiming that you are not one of those cowboys, but no great benefit for most.
Concept 4 – Risk Trajectory or Targets
This is an idea that we have stressed with insurers for a number of years now: that they ought to know and communicate whether they plan to grow risk faster than surplus, grow surplus faster than risk or to keep them in balance. When asked, only a few insurance company executives cannot say which is their intention, but only one in three insurers bother to mention it in their risk appetite statement.
Concept 5 – Primary Strategies for Major Risk Categories
This is actually what came to my mind when I first read the NAIC definition of risk appetite. For each major class of risk (e.g. underwriting, investment, operational and strategic), your primary strategy will to be exploit, manage, minimise or avoid the risk from that category. For some categories, underwriting for example, insurers will tend to have different strategies for different underwriting risks, territories or sources of business. Only one in four of the insurers in the study agreed that they should be communicating that selection of strategy in their risk appetite statement. I might argue that the process and criteria for choosing these individual risk strategies are indeed the real fundamentals of the risk strategy of the firm.
|Risk Tolerance Statements|
|1||Surplus - Risk Limit||57%||Often stated in terms of the overall Risk Metric. Sometimes used another metric.|
|2||Rating||55%||Companies said that maintaining a rating was part of their risk tolerance.|
|3||Regulatory||55%||Statement about maintaining compliance with regulatory capital requirements.|
|4||Surplus Loss Limit||48%||Most often stated as a percentage reduction in surplus that was the maximum loss that could be tolerated|
|5||Risk Metric Used||48%||Most often Value at Risk. Several insurers using Total Exposure.|
Risk tolerance is much less mystical than risk appetite, and therefore, there was much less dispersion among the responses. But those responses were by no means consistent. While the top 5 answers averaged a much higher level of usage compared to the top risk appetite concepts, they only averaged a little over 50% of participating firms.
Concept 1 – Surplus – Risk Limit
Only about a third of companies in the study had an earnings risk tolerance.
Might be stated as the likelihood of exhausting surplus entirely, or, as the likelihood of maintaining a certain level of surplus. This is what is expected from a risk tolerance statement. Only about a third of companies in the study had an earnings risk tolerance. That is where you start to get the disconnect between risk management and company strategies since most company strategies are more tightly linked to earnings than surplus, while it appears from these risk tolerance statements that more ERM programs are more closely linked with surplus.
Concept 2 – Rating
That overall security objective mentioned in the risk appetite discussion above is most often tied to a rating level. While the rating process provides simple quantitative goals, it also is tied to a qualitative element inside the rating agency.
Concept 3 – Regulatory
Depending upon the company's overall security objective, this may be a "push" objective or it may have real bite for insurers with a "viable" or "solvency" security objective. Especially for closely held firms, it helps to state this element of their risk tolerance and get buy-in from the owners.
Concept 4 – Surplus Loss Limit
My first impression was to dismiss this concept out of hand since it is not actually a "risk" item; it is an after-the-fact limit. But upon further reflection, this concept can be an acknowledgement that our view of the future, which is needed to form a view of risk, is not always correct. The surplus loss limit provides the point at which the gambler walks away from the table, because he clearly does not really understand the rules of the game. Our models may be telling us that "risk" is not too high, just as bankers' risk models might have told them that their capital was sufficient at the height of the financial crisis. So I have come to admit that a surplus loss limit is a healthy part of a risk tolerance statement and 48% of the insurers in the study agree.
Concept 5 – Risk Metric Used
Maybe only the quants care about this one – this is another item that I did not immediately consider to be of any significance. But, as I was eventually confronted with 23 risk tolerance statements with a disclosure and 25 without, I found that I was just a little more comfortable with the disclosers. I was imagining that their management team might be more familiar with the terminology and therefore more able to interpret and use their model output.
Other top concepts found in the risk tolerance statement were limits to individual risks, operational risk limits, the importance of monitoring risk levels, and, the time frame over which risk is assessed.
Less than one in four insurers in the study included any mention of which risks they will write, even though that concept is suggested in the NAIC definition.
All in all, we found 30 different concepts that were used by more than one insurer in either the risk appetite or risk tolerance statements. The average insurer included only 8 of the 30 concepts. And one firm rang the bell, including all 30 concepts in their lengthy risk appetite and tolerance pamphlet. In the past, the insurer had experienced severe losses and survived. Its leadership felt that getting risk management right was not compliance, nor window dressing, but rather, that it was fundamental to their long-term survival.
Dave Ingram is executive vice-president and head of ERM Advisory Services at Willis Re in New York