As the financial crisis has once again underlined, the effective management of risk is fundamental to the success of an insurance business. Boards, investors and rating agencies have heightened their focus on risk in the face of market instability and continuing capital constraints. Solvency II will raise the stakes still further by requiring insurers to develop a systematic risk management framework capable of ensuring that risk considerations are appropriately understood, controlled and integrated into decision making.
Most board members understand the concept of an effective risk management framework. However, they may be less clear about what this entails in practice, including how the framework should be structured and governed and how it will affect the way they run their businesses. In fact, what all this boils down to is being able to provide answers to five fundamental questions on which all boards should satisfy themselves.
Drawing on our experience of working with a wide range of insurers, PricewaterhouseCoopers has designed an integrated enterprise risk management (ERM) framework that aims to provide the strategic direction, organisational embedding and underlying infrastructure of risk identification, evaluation and communication to address these questions (see Figure 1). The benefits are not just a solid platform for Solvency II compliance, but also a more informed and assured basis for business planning and performance management.
In the autumn of 2009, we carried out an informal survey of more than 40 insurance professionals to gauge what they see as the toughest challenges they face in developing an ERM framework ready for Solvency II (see Figure 2).
Placing a risk dimension at the heart of the organisation. Risk is a core consideration when setting strategy, formulating business plans, managing performance and rewarding management success.
Risk appetite clearly articulated reflecting the group and BU risk carrying capacity, business strategy and financial goals. Processes and procedures in place to manage risk on an enterprise-wide basis within defined (hard and soft) boundaries without stifling day-to-day operations.
Identification and assessment of all (current and emerging/desired and undesired) risk faced by the organisation. Robust processes in place to aggregate and prioritise risks on an enterprise-wide basis.
ERM-focused external communications strategy centred around actively managing stakeholders (policy holders, regulators (group and local legal entity), rating agencies, debt and equity investors, etc.) in order to yield shareholder value added and capture wider business benefits.
Establishment of clear governance structure distinguishing between management and oversight activity. Clear accountability and responsibility for top tier risks. Development of detailed risk management organisation including mandate, scope and role of CRO, establishment of all risk functions and interaction with wider organisation. Development of detailed risk policies to manage individual risks, allocation of risk owners and development of risk K.R.I.s to establish operating tolerances.
Business performance measured on a risk-adjusted basis. Capital allocated to business units/transaction opportunities based on risk:reward trade-off. Risk reflected in factory gate product design and pricing and post-sale portfolio management. Capital managed to optimise Return on Risk-Adjusted Capital but cognisant of stress scenarios.
Internal risk and capital models at the heart of the ERM framework. Models meet highest quality standards, appropriately calibrated (‘real time’) and fully tested and documented. Models subjected to independent scrutiny and validation.
People behaviour aligned with group risk, capital and performance strategy/business plans through balanced score cards, MBOs and incentives and rewards schemes. Required level of skill, experience and knowledge exhibited by majority of staff.
Required level of M.I. to support ERM framework and manage within risk appetite. M.I. appropriately tailored to roles, responsibilities and authority levels.
Core technology to support fully integrated ERM approach. Focus on organisational span, data quality and automated processing.
Two of the key findings were:
While much of the focus of implementation within many firms is still concentrated on the technicalities of capital evaluation, securing broader business understanding and achieving changes in behaviour are likely to be among the most difficult and time-consuming activities required.
Behavioural change is not only about influencing decisions and actions through individual performance evaluation and reward, but also revolves heavily around organisation design and responsibility, talent management (ensuring staff across the business have the necessary skills), and leadership at all levels.
A crucial element of winning frontline buy-in and achieving behavioural change is also ensuring that management information (M.I.) about risk is sufficiently intelligible, actionable and business-focused to address the ‘five fundamental questions’. This is because well structured and understood M.I. is a fundamental and necessary catalyst of real change. With many companies set to invest considerable sums in upgrading their risk and capital analysis in the lead up to Solvency II, it would be galling if all the critical business insights were lost in a fog of incomprehensible data.
The aspect of implementation rated as most difficult in our poll of insurance professionals was establishing risk appetite. Although this does not require the time and resource levels needed in behavioural change, it is central to an effective risk management framework.
As the key bridge between the ERM framework and the business strategy, establishing a clear and coherent risk appetite requires considerable input from the CEO and other senior executives. However, while most board members have an instinctive idea of how much risk they are prepared to take, many find it difficult to define and convey their risk appetite in a clear and concise manner that promotes effective decision making and that makes sense to external stakeholders.
A necessary first step in articulating risk appetite is to analyse the expectations of different stakeholders (shareholders, debt holders, customers, rating agencies and regulators). In relation to shareholders, for example, it is useful to gauge what balance between risk and return they are comfortable with to achieve a target level of growth. Typical considerations might include looking at whether the high rewards that could be realised through investment in a new emerging market venture would justify the potential for equally high losses, and then weighing up whether this is really a better bet than the lower, but more predictable returns, that could be achieved at home.
As Figure 3 outlines, this high-level group statement can then be translated into both hard (such as risk-adjusted return) and soft (such as reputational safeguards) risk limits for particular business units. The key is tangibility. For example, a ‘one in 200 year risk of ruin’ often means little outside the risk-modelling suite. However, a statement saying ‘we will only write business where the total portfolio yields an X% rate of return’ provides a much clearer link between risk tolerances and revenue objectives, and provides a metric that can be readily aligned with performance evaluation and compensation. The test of success is whether the metrics being used to define the risk appetite actually drive management action.
An effective risk management framework is critical to both the implementation of Solvency II and the ability to prosper in a tough market environment. A common-sense approach rooted in providing answers to the five fundamental questions is what the business needs to deliver long term and sustainable change. The foundation is a clear statement of how much risk the firm is prepared to take and an effective analysis of how it is performing in relation to this appetite.
© 2009 PricewaterhouseCoopers. All rights reserved.
PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.