It's a risk that every insurance company faces, yet the common ground is sometimes hard to find. In part one of this InsuranceERM/Towers Watson roundtable, risk managers discuss what strategic risk means to them, the value of risk labels and the influence of regulators.
Kevin Borrett, head of risk, Unum
Mark Chaplin, group enterprise risk director, Aviva
Sue Kean, group chief risk officer (CRO), Old Mutual
Andrew Pryde, CRO, Beazley
Penny Shaw, CRO, Hiscox
Georgia Tsiakki, group operational risk manager, Amlin
Mike Wilkinson, insurance management consultant, Towers Watson
Chaired by Peter Field, InsuranceERM
What is strategic risk?
Do you think it's possible to define strategic risk and does it matter anyway whether we can fix on a definition?
Kean: I think we are in danger of not seeing the wood for the trees. If we try to over-technicalise it and get into narrow definitions we are going to miss the point.
Wilkinson: I think there are two distinct issues covered by strategic risk management. One is how do we manage strategic risks and the other is how do we use risk management strategically in the business. They can be seen as two sides of the same coin but they are different. The problem sometimes is that the two aspects get mixed together and it can result in a lack of clarity.
Pryde: In Beazley's risk register, one seventh of the second-tier risk categories relate to strategic risk. So, it is an integral part of the ERM [enterprise risk management] framework and that means it is handled like any other risk that we have in the organisation; which includes formal risk assessments twice a year and controls captured against activity associated with strategic risk. The risk owner is the CEO [chief executive officer] because he is the person responsible for the strategic direction of the group.
Moving through our risk management framework, there are emerging risks associated with strategic risk. In fact, there are probably more emerging risks related to strategic risk than any of the other areas of the risk register.
Borrett: Our approach is probably fairly similar to Beazley in that we have eight categories, one of which is strategic risk and that breaks down. We have not got 57 [risks], we have got 38 but we are looking to expand them at the moment.
Pryde: We are looking to reduce ours!
Borrett: For reporting, we aggregate under three headings: financial, insurance and operational risk. The big debate at the moment though is whether we go from three to four and whether strategic/reputational risk gets elevated alongside these headings.
There are two dimensions to that debate. You have your business strategy, and the way that plays out is arguably best managed and controlled through what we currently call operational risk; that is the failure to execute and deploy a strategy.
However, there are other aspects of strategic risk, reputation being the most obvious one, particularly with increasing emphasis on electronic access and the growth of Twitter. There is a growing view within our organisation that strategy can be a cause of a risk, but these days brand and reputation is a key area of risk in itself. So, we may well end up formally adding strategic risk with a link to brand and reputation as a fourth risk.
Chaplin: We moved away from the model where we defined eight risk categories and then 36 underneath and so on because we found that that limited people's thinking, particularly when you repeated it time after time as you found that no new risks were being identified. We have also deliberately avoided using "strategic risk" as a category, partly for the reasons that have already been discussed.
Another part of our reasoning is based around the philosophy that risk management, considering both the short and long-term, needs to happen in all the key processes involved in running the business. This is true whether the process is ALM [asset liability management] or product development or your strategy and business planning. Avoiding spending too much time on labelling and categorising and focusing more on actual risk management is critical.
Pryde: I think that illustrates the point that there is no right answer; the risk management framework we implement has to fit the culture, the structure and the size of our respective organisations. One of the reasons why we have the categorisation is because our board appreciate seeing commentary on activity from the strategic risk area.
Are strategic risks just "big picture" issues?
Borrett: Our risk committee are very comfortable with the taxonomy that we can report against, but we found that reporting against known and defined risks alone could appear deficient. In our quarterly report, which links to the ORSA [own risk and solvency assessment], we have two sections, firstly, the corporate risk profile report.
The other section I call business headwinds – those external pressures that you have recognised and may need to flex your approach to compensate for. That enables you to call out emerging risk trends.
Where I struggle with emerging risk is the moment you can really articulate it well, is it an emergent risk or has it emerged as an established risk? You cannot always fit those into your existing risk taxonomy.
Shaw: There are two aspects to strategic risk. One is the risk register and the other one is the stand-back, bigger-picture business issues – or headwinds – that you cannot label but you can actually say "these are strategic risks or threats."
How often is there a discussion at the board risk committee that is about the bigger picture strategic risks, and how are those being managed?
Kean: We do that at annual risk workshops that are deliberately designed to get a view on a longer-term time horizon. If you have got those sorts of processes already, why does strategic risk have to be a separate process? Do you not build it into those existing processes? I suppose I am more in Mark's camp; maybe it is because we are big groups and the issue for a group is perhaps different to an individual business.
Wilkinson: There are differences across the industry. So much time and effort has been put into processes, taxonomies and building the models that sometimes this gets a bit divorced from the management of the business and focusing on what the real headwinds are.
Pryde: A very helpful discussion we have is at our annual board strategy day, where there is a slot to debate strategic and emerging risks. We have identified five broad areas of strategic risk and I then provide a quarterly update on these categories in our ORSA, covering any changes to the environment and activity undertaken by the business.
Is regulation a strategic risk?
Kean: "Regulation" has to become something very specific. For example, South Africa is going through advisor remuneration changes similar to the UK's Retail Distribution Review. So the risk is about our distribution model and we can think about what we can learn from the UK going through RDR, etc.
I am really against buckets and labels because I think the difference between strategy and the day-to-day business plan is really just time horizons. It is about sustainability and you need the board and management to really think about specifics.
I accept regulators like [labels], but I am not sure it adds to things because the particular strategic issues will be different for different businesses.
Are they a help or hindrance?
Chaplin: I would only use the headings as prompts to think about investigating an area. I see firms being long-aware of the pitfall of thinking, "I can give it to the risk department to solve and that means I can forget about risk management." I believe that the industry evolved beyond that thinking some time ago and that the need for the first line of defence to embrace its responsibility for managing risk is well established.
However, the one thing that has worried me in distracting from the management of risks associated with the strategy has been the use-test. This is because it puts so much emphasis on the internal model, which is a model of business in-force at a particular valuation date and is focused on a one-year time horizon. This is somewhat counterbalanced by the ORSA, but even there the regulator is really driving the way in which you do risk management.
It is important to recognise that the regulator's principal prudential focus is not the sustainability and resilience of a business model and the protection of the long-term franchise value and so this can skew the approach to risk management.
If you do not have the framework to start with, it is quite hard to have that conversation?
Pryde: Any high-performing executive committee will be debating risk all the time. However, I have observed that unless you have somebody waking up and worrying about it, providing the information and facilitating the discussion, you can sometimes miss things. That is how I see my role as CRO in the discussions; whether it is within a strategic category, it does not really matter.
Shaw: If I was the regulator, the key test for me would be asking various companies, "What are the top three strategic risks you are managing, and how are you managing them?", seeing how engaged the CRO is within this as well as asking three or four people on the risk committee to see how much of a handle collectively there is on managing and oversight of strategic risk.
Part two of this roundtable will appear next week, covering the regulator's view of strategic risk, cooperation between insurers on strategic risk, and a discussion on two key strategic risks: talent and culture.