Building Blocks (September 01, 2010)

Insurers are in the business of insuring others’ risks, but they are increasingly expected to look after risk in their own backyards. Property and casualty insurance companies’ balance sheets were not immune from the negative effects of the global financial crisis, which prompted a more thorough examination of how different variables can interact to cause unexpected (and unpleasant) consequences. While banks were at the forefront, several high-profile insurers were caught up in the turmoil of the market meltdown.

In some instances, the very language of risk assessment and modeling has changed in the wake of the crisis. It is now not at all uncommon to hear chief risk officers talk about tail risks, correlations, aggregations of risk and ripple effects. Seemingly esoteric or arcane, these discussions relate to the very real and tangible scenarios of “black swans,” in which a number of different variables can coalesce to form a one-in-one-hundred-year event, wiping out billions of dollars in shareholder value and shaking to the foundations institutions that were previously thought to be “too-big-to-fail.”

Several factors, including the widespread impact of the financial crisis, raised regulators’ expectations and emphasized the link between solid risk management and business performance. This in turn led to visible signs of change among insurance companies. For example, there are more examples of chief risk officers (CROs) at top insurers, with broader roles across the organization. Independent risk committees have formed at the corporate governance level. Stress testing is being tailored specifically to individual company risk profiles.

“I get a sense that, after the financial crisis, more organizations asked themselves: ‘Did we have someone asking the key questions about risk?'” says Gregg Dunn, chief risk officer for Aviva Canada. “There is a different focus now. Certainly groups like the Office of the Superintendent of Financial Institutions (OSFI) are looking more closely at risk through the depth of questions they are asking.”

THE CHANGING LANDSCAPE OF RISK

OSFI says it has started to notice a change in the landscape as well. “Many of the larger Canadian incorporated property and casualty federally regulated (companies) have recently been enhancing their risk management capabilities, including hiring CROs and strengthening board governance processes in response to OSFI’s rising expectations,” says Penny Lee, senior director of OSFI’s property and casualty group. “Boards are being required to review and approve many of the risk management tools such as Dynamic Capital Adequacy Testing (DCAT), other stress testing, reinsurance risk management programs and internal capital target setting. This remains a focus for OSFI over the near term and we intend to continue working with the industry on this front.”

Insurers stress this is not just a knee-jerk response involving ticking off boxes to satisfy regulatory concerns. Rather, it is a wholesale examination of risk appetites and risk profiles geared to bottom-line business results.

“Our risk appetite states we will not assume risks that are not well understood at the appropriate levels,” notes Michele Hengen, chief risk officer for The Co-operators Group Ltd. “This is unlike some companies hurt severely in the recent economic crisis that (faced) risk exposures that were not fully understood. We did not have this experience, which is a testament to our current risk management philosophy.”

Others contend that enterprise risk management (ERM) models, in which a comprehensive set of external and internal risk factors are measured across the organization and integrated into business decisions, are the real driving force behind change.

“This is not just about responding to regulators and filling out forms,” notes Alister Campbell, president and CEO of Zurich Canada. “There is a very real business benefit to incorporating an ERM strategy into your organization — and a very real downside to taking it too casually.”

These trends and exercises in more active risk management are reinforced in other studies of insurance companies and risk. In a 2009 survey of more than 300 insurance executives from around the world, KPMG International found “the current environment has sharpened the focus of insurers on risk management… At board level, the proportion of time spent on both risk management and capital management has increased substantially — from 23% to 36%.”

The survey, conducted by the Economist Intelligence Unit in March and April 2009, resulted in two publications from KPMG: A Glimmer of Hope and Getting the Balance Right, both released in 2009. In these, KPMG observes:

• the role and responsibilities of the CRO became more far-reaching, now embracing strategic activities;

• the influence of regulators on risk management is increasing; and

• insurers rate themselves highly on most aspects of risk management.

This attention to operational risk has not always been the norm for property and casualty insurers. Although insurers are clearly “in the business of risk” and specialize in underwriting, pricing and risk selection, the application of best practices in risk management to their own operations has been uneven. In some instances, it has lagged behind that of their financial peers.

“While the property and casualty industry has perhaps been ahead of the other sectors in the management of specific risks, the establishment of the CRO position and the processes that accompany it, which allow for quicker assessment of risk across an entire organization, have been slower to develop in the p&c industry to date,” OSFI superintendent Julie Dickson said at a risk management seminar for insurance companies in November 2009. “OSFI recognizes that the p&c industry has a diversity of institutions in terms of their size, number and complexity of business lines and risk appetite… However, I cannot overemphasize the importance of having an organization-wide enterprise risk management process in place.”

For this article, 10 of the top Canadian property and casualty insurance companies (as ranked by net premiums written) were contacted about their approach to risk management. Four companies responded; others (both Canadian-owned and foreign branches or subsidiaries) either declined to participate or did not respond. The four companies that responded were Aviva Canada, The Co-operators, Intact Financial and Zurich Canada.

ESTABLISHING CROS AND RISK COMMITTEES

For these four companies, the re-evaluation of risk and the formalization of risk functions and models have taken place over the past two or three years. CRO positions were created at Intact Financial (January 2008), The Co-operators (April 2008) and Aviva Canada (March 2010). At Zurich Canada, a Canadian risk manager position has existed for the past 15 years, according to Campbell. In the example of both Aviva and Zurich, CRO positions for the group of companies have existed for several years.

In addition, these insurers have all created Canadian-based risk committees at either the board of director or senior management levels within the past two years. Intact Financial, for example, formed an enterprise risk committee made up of senior officers that reports on an ongoing basis to the CEO, quarterly to the audit committee and at least annually to the board of directors, according to Claude Dsilets, the company’s chief risk officer.

“The committee, chaired by myself, identifies the risks that could materially affect our business and measures them from a financial or other impact standpoint,” he notes. “The committee also monitors the risks and develops the risk avoidance and mitigation strategies when the potential risks are not in line with the level determined by the board.”

SimilarlyThe Co-operators established a management risk committee in 2008, consisting of the CEO and senior executives. “In 2009, we worked closely with our management risk committee and board of directors to develop the top risk issues for the organization and then to define our risk appetite,” says Hengen. “We have a clear vision on which risks we desire and how much, and which risks are not to be tolerated.”

Aviva’s group operations also have a separate risk committee at the board of director level, according to Dunn, while the Canadian operations maintain an audit and risk committee with specific and separate accountability for risk management. “Our risk management function is focused on the link between risk and business strategy,” he says. “There is a clear distinction between risk and audit, with the latter focusing more on compliance and controls. Our approach and biggest priority is to align our approach to risk with our business units and embed our understanding of risk into day-to-day decision making.”

Zurich’s group operation has had a separate executive risk committee in place since 2006, which “puts us ahead of the curve, I think,” says Campbell. “This committee establishes Zurich’s risk policy and the risk assessment flows directly from the board of directors. It is up to the senior executives in all our regions to implement that policy.”

In Canada, Zurich has a local risk management committee, which is composed of the senior executive team and meets monthly, according to Campbell. “We regularly review specific areas of risk, including financial, insurance and operational risk, as well as regulatory compliance.”

While insurers have created their own risk management committees at the executive level, regulators are also carefully monitoring corporate governance and risk. This year, OSFI established a new corporate governance unit to supervise risk-based activity at the senior level of financial institutions.

“A key part of the work of our new corporate governance unit will be a review of risk governance practices across our largest banks and insurance companies,” says Lee. “A major area of focus will be risk appetite — how it is defined, measured, monitored, controlled and reported.”

Several property and casualty companies have sought to better understand their risk exposures and appetite through risk profile workshops. Campbell says Zurich Canada conducts an annual, day-long risk profile exercise that “identifies anything that could go wrong and the probability of it happening on a, for example, one-year, five-year or even 100-year frequency. This is a very useful exercise and from it we develop what we call our ‘total risk profile.'”

Similarly, The Co-operators engages in risk-planning scenarios. “A thorough risk evaluation is regularly performed at the company level through risk planning workshops held with the management teams to determine the inherent and residual likelihood and severity of all risks in our universe,” says Hengen. “This is designed to be a cyclical process and our group of companies have now undergone their second round of risk profiling. New this fall is the expansion of risk profiling at the business level.”

A common thread among insurance companies is the notion of taking risk management away from merely being a separate function geared towards compliance, and instead integrating it directly into business units.

“As a CRO, I would not be doing my job if I was just checking off the boxes,” Dunn says. “Our risk management role is to be an independent, but friendly challenge to the business decisions we are making on a daily basis. We want to ensure that we are making valid risk decisions at the business unit level.”

Campbell cites a specific example at Zurich of how risk assessment and management is pushed directly to the level of business decision making. “One of the issues we identified as a risk management issue in our company was the lack of a modern claims management system,” he says. “This fell outside our risk tolerance level and justified the business case for a substantial investment in a new claims system, with which went live in June.”

STRESS TESTING

Another rapidly evolving area of risk management for insurance companies is stress testing. In December 2009, OSFI put out Guideline E-18, which sets out expectations for federally regulated financial institutions. In it, OSFI defines stress testing as “a risk management technique used to evaluate the potential effects on an institution’s financial condition of a set of specified changes in risk factors, corresponding to exceptional but plausible events.”

Guideline E-18 essentially widens the parameters for how and what insurance companies (and other firms) are expected to measure when it comes to their financial stability and solvency. In particular, OSFI notes the financial market turmoil has prompted more specific attention to certain risks, such as:

• risk mitigation;

• securitization and warehousing risks;

• risks to reputation;

• counterparty credit risk; and

• risk concentrations.

Insurers can use sensitivity testing, which measures changes in one or a limited number of risk factors over a shorter time horizon. Or they can employ scenario testing, which typically involves tracking changes in a number of risk factors, as well as ripple effects, conducted over a longer time period.

OSFI notes one example of stress testing for insurers is the existing DCAT. But it also “expects to see evidence that stress testing is integrated into institutions’ internal risk management processes.” In addition, the regulator stipulates: “board and senior management involvement in the stress testing program is essential for its effective operation.”

Insurance company sources say they are in compliance with Guideline E-18, as well as the DCAT. In fact, many say they are moving beyond these regulatory measures to customize stress testing to their individual needs. “In addition to the required stress tests like the annual DCAT and those required by insurance regulators, we are regularly running stress tests,” says Dsilets. “These stress tests, while aimed at covering the full array of potential adverse scenarios, tend to focus on the investment risks and underwriting risks, including the risk of natural catastrophes. Refinements have taken place and continue to take place, in particular in the areas of correlation, tail risks and ripple effects.”

For Dunn, regulatory stress tests are a “minimum base we check to make sure our models are compliant. Unlike some companies that run a model to satisfy regulators, we are using our stress test models for business decisions and strategic purposes.”

Campbell notes that in addition to regulatory compliance stress tests, the Zurich group of companies has developed a “top-down risk assessment model,” which identifies a set of variables for stress testing that change on a regular basis. “If we are doing portfolio management across the group of companies, for example, our group-wide diversification may mean that the effect of one variable is marginal,” he says. “But if you push it down to the local level, that variable may have a much greater impact. We don’t always know what this top-down risk assessment will be in any given year, so it certainly keeps us on our toes.”

The Co-operators is in the process of developing a formal stress testing program that will fulfill regulatory requirements, “while also being tailored to suit our specific needs,” according to Hengen. “The more significant differences from our current stress testing practices include:

• board and senior management involvement in creating the scenarios to be tested as well as risk mitigation strategies;

• increased focus on ensuring that selected scenarios are ‘extreme enough,’ capture risk correlations and aggregation and include non-historical (emerging) risks;

• formal documentation, including roles and responsibilities;

• aggregation of risk across the entire organization; and

• development of a process to embed the results into planning and decisi on-making.”

CHOOSING THE RIGHT DATA

One of the weak links in stress testing and risk management in general for insurance companies may be access to reliable, quality data, according to the KPMG International study. “Insurers have long complained about the quality and availability of data, and forthcoming regulatory requirements will expose even greater shortcomings if nothing is done to address the problem,” KPMG states in the publication Getting the Balance Right. “Many insurers have hundreds’ if not thousands’ of legacy systems which make it difficult to extract the data they need and present it in a consistent format.”

Campbell says insurance companies have always been good at gathering information about underwriting and pricing risk because “this is where we compete with each other. The operational risk side is the toughest one to get data on, in terms of what is happening in the business units on a daily basis. I don’t think gathering data is the hard part; it is identifying the important parts of data that can be used in risk assessment and risk management.”

“We face the challenge of pulling the right data, which needs to flow into our risk models,” adds Dunn. “The data you gather and input into your risk management and stress testing models have to reflect day-to-day business operations. This may be less of an IT issue and more of an issue of where we are trying to take risk in our organization. This is not just about putting reports out, but making sure we are engaging our senior management with the right metrics and data.”

A CULTURE OF RISK

The data and information gathering issue may pale in comparison to the far broader challenge of creating a “culture of risk” in any given organization, according to KPMG International.

“Clear ownership and leadership of risk is essential in order to embed a broader culture of risk in the organization,” the consulting group notes in Getting the Balance Right. “So too is the need to ensure there is clear communication and coordination between the various risk functions. It is clear from the survey that this kind of coordination is something that does not come naturally to many insurers. Only half of respondents say that they are effective in creating an appropriate culture of risk in the organization, and 47% say that they are effective at embedding it.”

Insurers interviewed in this article say they are on the track to creating a broader culture of risk in their organizations. The work of creating a strategic risk framework for many of these companies is already done, according to sources.

“We are focusing our capabilities completely around insurance and financial risks,” says Dunn. ” In essence, we want to drive a different level of discussion and evaluation of risk throughout the organization and this is being pushed directly by our senior management.”

Campbell notes Zurich Canada’s total risk profile workshop takes a full day of planning and is scheduled for a Friday this year. “Full-day planning sessions on a Friday are sometimes not greeted with great enthusiasm, but I can honestly say that people look forward to this risk planning exercise. It really allows people to ask ‘What if?'”

For insurers likeThe Co-operators, refinements will likely take place in areas such as emerging risks, better mapping out aggregations and correlations of risk, pushing risk modeling down to the business line level and more strongly linking risk management to capital management, according to Hengen.

Similarly, Dsilets says Intact Financial is not planning any radical changes, but intends to “continuously improve upon our approaches, our models and their sophistication and to adapt them to ensure the quality of our execution in the areas of risk identification and evaluation, as well as in our mitigation activities.”

For other insurance companies, especially smaller to mid-sized firms, the process of investing in risk management expertise and resources may prove to be a formidable challenge in the years ahead. Based on the regulators’ increased expectations concerning risk management processes and standards, it will be up to individual insurance companies to determine how they will respond.

In a 2009 report from the Economist Intelligence Unit sponsored by ACE and KPMG, called Beyond Box-Ticking: A New Era of Risk Governance, Duncan Wiggetts, an expert in risk governance at the global law firm DLA Piper, neatly summarizes the situation and choices for many insurers. “Companies tend to fall into two camps: those that have suffered a shock to the system and have woken up to the concept of risk, and those who haven’t — yet.”

———

There is a very real business benefit to incorporating an ERM strategy into your organization — and a very real downside to taking it too casually.

———

Although insurers are clearly “in the business of risk” and specialize in underwriting, pricing and risk selection, the application of best practices in risk management to their own operations has been uneven.

———

While the property and casualty industry has perhaps been ahead of the other sectors in the management of specific risks, the establishment of the CRO position and the processes that accompany it, which allow for quicker assessment of risk across an entire organization, have been slower to develop in the p&c industry to date.

———

As a CRO, I would not be doing my job if I just checked off the boxes. Our risk management role is to be an independent, but friendly challenge to the business decisions we are making on a daily basis. We want to ensure that we are making valid risk decisions at the business unit level.