20 September 2023

Why insurers do ERM

What objectives do insurers have when they establish their enterprise risk management programmes? Dave Ingram polled the industry and shares his results 

You have probably heard the old saying about the shoemaker's children who had no shoes. If you look back 25 years, insurers, whose primary business is to help individuals and organisations manage their risks, were not always working systematically to manage their own risks.

But losses that insurers experienced from the dotcom crash, from hurricanes and earthquakes and from the financial crisis in the first decade of this century cemented the idea that insurers generally needed to have very good risk management programmes.


Banks and insurers worked together to create the massive losses in mortgage securities that led to the Global Financial Crisis. One of the responses to that was for the G20, the heads of state of the 20 largest economies in the world, to come forward in 2009 and urge the adoption of better risk management practices. I believe this makes ERM the only business management practice explicitly endorsed by the G20.

It's a practice that has been widely adopted. As recently as 1 May 2023, rating agency AM Best said more than 90% of its rated insurers possessed ERM frameworks assessed at "appropriate or better".

But every once in a while, a new insurer is formed or new ownership/management of an existing insurer wants to develop a new ERM programme for their business. They then might charge ahead with creating a new ERM programme based upon one template or another.

But that is likely to lead to dissatisfaction. That process is likely to end the same way as if they decided to order a new suit or dress without specifying the size or the type of event that the clothing is for. For a really important event, people will often want to get a suit or dress that has been personally fitted to them. And I've even noticed that many folks will want to pick out their own style of dress or suit from a number of choices even if those choices are all appropriate to the type of event.

ERM is just the same. It makes sense to have the ERM programme fitted to the size as well as to the style and objectives of the company.

Larger companies will need to have a formal programme with more rules and reports. Various parts of larger companies might not be in the same building or even in the same city, making effective communication an important consideration. In smaller companies, all of the folks who need to know about ERM matters might see each other at lunch several times a week, if not always passing each other in the hallways of the company.


But differences in style and objectives make for even more differences in risk management programmes. We have observed quite a large number of insurer ERM programmes and have seen at least a dozen different primary objectives often paired with secondary and tertiary objectives off of the same risk. Sometimes these different objectives lead to entirely different choices of ERM activities, but more often companies with different objectives might choose to take up the same activities but to attribute high importance to one or several of those chosen activities and lower importance to others.

Over time, which objectives are seen to be important to an insurer varies, sometimes because of varying past or future expected experiences; but other times because of changes in thinking about a particular type of activity or management philosophy. Think of current business reactions to ESG (environmental, social, governance) and the thinking about shareholder value vs. stakeholder value.

We asked our 300 subscribers to the Actuarial Risk Management newsletter about their priorities regarding ERM objectives, asking for help to rank the 12 possibilities that we had seen. Here are their choices for the top seven, which were seen as higher priority by a majority of the respondents:

7. Compliance with regulatory and rating agency requirements

This is the objective that we have heard the most often over the years. Requirements of rating agencies and regulators are significant and provide plenty of work to support. However, many experienced chief risk officers have admitted that risk management information created to satisfy an outside voice will rarely be used by management to drive important decisions.

6. Adaptability and resilience – ready for the next crisis or major loss event

This objective is new for many, initiated following the Covid-19 pandemic. That event showed us all how something unexpected can seem to come out of nowhere and turn everything on its head. With 20-20 hindsight, having more adaptability and resilience would have resulted in a real leg up on competitors who started out on their heels.

5. Consistency of risk taking and mitigation – policing/controlling

This is an important role that risk managers do not usually like doing since it often makes them unpopular with the business management folks. The "three lines of defence" model for ERM relegates this to the auditors. But whether risk managers like it or not, this is something that is a high priority activity in many insurers. If this important role is passed to auditors, that is likely to end up making the risk management function less important in the eyes of top management.

4. Transparency of risk taking and mitigation – risk reporting

This is another fundamental risk management activity that supports the idea of the "risk control cycle". Reporting on risk taking and mitigation would include a comparison of actual activity to a risk management plan. The risk management plan will clearly state intentions regarding risk taking and mitigations consistent with the business plan, and the risk reporting can track actual activity compared to that plan. Risk limits provide a systematic approach to identifying situations where the risk manager needs to draw attention to risk taking that is approaching or has gone significantly beyond plan.

3. Keep the company fully diversified – avoid risk concentrations and balance across risks

While diversification is the cornerstone of the insurance business, it becomes a strategic imperative during chaotic times when the future seems less predictable. Insurers today, by rating this objective so high, seem to be more concerned with surviving their risks and less with exploiting them. Interest in this objective could wane once the environment starts to seem more stable.

2. Alignment of risk and strategy

At least half of insurers will say they want this alignment explicitly in their risk appetite statement. With an ERM programme that produces a reliable and consistent measure of risk, an insurer can create a risk profile that then allows company planners to see whether corporate priorities are aligned with the risk profile – and whether growth of risk is supporting the highest priorities or if risk growth is supporting high-risk low-priority endeavours.

1. Identifying, measuring and monitoring risks

Everything needs to start somewhere and this trio of risk management practices is, in many ways, the very lightest-touch way to start an ERM programme. These three practices can be added almost totally without any impact on the existing operations of the insurer. It is, however, not going to have much impact on the risk taking of the firm, so it is not a failure of ERM if a company with this as its primary ERM objective still experiences unexpected outsized losses. If you are choosing this as your priority for a new ERM programme, you need to keep looking at the items above to see if there is anything that might have a more substantial impact that you can imagine adding to your list of ERM priorities.

Other priorities

Other ERM priorities we have heard over the years but that are not seen to be high priority to our poll responders right now are:

  • taking a major role in capital budgeting;
  • participating in strategic planning;
  • getting better returns for risks taken;
  • supporting growth and innovation;
  • assuring that prices for insurance products sold are adequate for risks taken; and,
  • assisting with due diligence for acquisitions.

In fact, this list almost exactly describes a risk management role that I once had inside an insurer decades ago.

Dave Ingram is ERM Advisor at Actuarial Risk Management.

The topic of ERM priorities will be covered in an upcoming episode of Dave Ingram and Max Rudolph's insurance risk and risk management podcast, Crossing Thin Ice, available on many podcast platforms.