ERM, Temples and Pyramids: Mysteries Solved

Canadian, European and United Kingdom regulators are moving towards the requirement of capital adequacy modelling, risk controls and disclosure requirements — all components of an enterprise risk management (ERM) program. But regulators aren’t the only driving force in the march towards ERM, according to panel speakers at a Guy Carpenter seminar on ERM in Toronto.

Ratings agencies are increasingly pressuring and requiring organizations to put their ERM dollars where their mouths are, says seminar panelist Susan Witcraft, the managing director of Guy Carpenter & Company LLC’s Instrat team, mid-western America division.

Standard & Poor’s (S&P’s) appears to be leading the charge, but others are not far behind, Witcraft observed. Each of the agencies has its own model, explanations and expectations of what an effective ERM program should entail, Witcraft said. She then proceeded to analyze the ERM models of the two heavy-hitters, S&P’s and A.M. Best, so the panel audience of risk managers would know what might be expected of their organizations when they next come under review.

BUILDING A TEMPLE

S&P’s model is shaped like a temple, Witcraft noted, including a foundation, three pillars and a capstone. The base of the S&P’s temple is a corporate culture that embraces and practices ERM.

“One of the things S&P’s focuses on when evaluating a company’s risk management culture is to what extent is this message being driven down [to the non-executive layer of an organization] and is required by the top of the organization,” Witcraft said. “[S&P’s] won’t be happy with a little ERM department in the corner doing lots of research. It wants [ERM] to be a culture change. That’s one of the key issues in this area.”

The first pillar represents risk control processes, she continued. Although insurance companies have traditionally been strong in this area — emphasizing the importance of underwriting guidelines, investment guidelines, claims authorities and things of that nature, for example — S&P’s has become more interested in the enforcement of these guidelines.

She said the investment banking industry is an example of what she means. If traders exceed some of their guidelines, there are some pretty serious ramifications, she noted. In some cases, traders will get fired for breaching guidelines. But when it comes to insurance companies, Witcraft said, this is typically not the case. “What S&P’s is saying is: ‘It’s all well and good that you’re identifying these exceptions, but now what are you doing about them?'”

The centre pillar is emerging as extreme risk control management. “That’s a lot to do with how you’re managing your property cat exposure,” Witcraft said. “How are you evaluating terrorism exposures? It also gets into business contingency planning. What happens if the power goes out? So, it’s a very broad spectrum in that area.”

Some companies invest a lot of effort into thinking about “the extremely unlikely things,” like pondering what the next mass tort will be, she said. While S&P’s has not offered as much guidance as to what they’re expecting in that emerging risk area, some of these items might fall into the category, she suggested.

The final pillar is risk and economic capital models. In an interesting twist, S&P’s has not focussed primarily on how the model works and what’s included in it, as one might expect, Witcraft said. “Rather, they’re focusing on a couple of different aspects — the beginning and the end.”

Given S&P’s focus, organizations can expect to answer questions like: How good is the data? Is the data consistent with what you’ve used for other purposes? How well has it been checked? What level of detail is in it? What assumptions did you have to make because the data wasn’t available in exactly the level of detail that you wanted it to be in?

“So they are focussing on the front end, and they’re also focussing on the back end — that’s called The Use Test,” Witcraft noted. “The capital model can’t just be the ERM-Once-a-Year-We-Check-to-Make-Sure-We-Have-Enough-Capital model. It has to be something used regularly in decision-making. It’s not only S&P’s [approach], but we see it in Solvency II and U.K. regulations, and they specifically call it a Use Test.”

Finally, once the foundation has been laid and the pillars taken care of, strategic risk management forms the capstone of the S&P temple. This involves shedding the ‘silo perspective’ that most companies still use in viewing their internal operations. “It’s our sense that very few companies have actually gotten to the point of putting the capstone on the temple,” Witcraft observed. “That would be having a clearly identified set of risk metrics and reward metrics that are used for strategic decision making.”

PYRAMID MYSTERY UNRAVELLED

A.M. Best’s pyramid is not as intuitive as S&P’s temple model, but there are some similarities, Witcraft noted. First, A.M. Best’s pyramid model has a base formed by the traditional risk management practices and control. The steps lead up towards capital management, breaking the silos and putting practices into an enterprise context. Finally, senior management forms the peak of the pyramid.

Witcraft agrees with A.M. Best that smaller companies tend to be less complex and more stable. As a result, traditional frameworks typically serve the purposes of smaller companies. In such situations, smaller companies “might want to take advantage of the new tools and thought processes that have [emerged] as a result of ERM, but, if you’re a straightforward company, it may not be necessary to make some of those revolutionary changes that need to be made to implement some of the ERM processes.”

One thing A.M. Best is clear about, she continued, is that if you have a strong risk management program, it could affect the guidelines of a company’s ‘BCAR.’ BCAR is the name given to A.M. Best’s capital model for Canada, modelled after the National Association of Insurance Commissioners’ risk-based capital formula. It is the standard for evaluating rated companies’ capitalization. Strong and stable operating results are required for minimum capital levels to apply.

A company with a strong risk management program may have a lower BCAR than one with a weak risk management program, Witcraft said. In other words, on a “case-by-case basis,” a company with a strong ERM program will be more likely to maintain a financial strength rating of ‘A’ with A.M. Best, despite having a lower BCAR. On the flip side, a more volatile, diverse company with a high BCAR and a weak ERM program may still have a difficult time maintaining an ‘A’ rating.

PRESSURES ASIDE

Earning a strong financial strength rating is an important goal, but it shouldn’t be the only reason a company employs a solid ERM program, Witcraft told the audience. A strong, effective ERM program will also ensure consistency across an organization, increase transparency, assist in maintaining an organization’s positive reputation, assist in establishing fair economic value and increase stewardship. Implementing an ERM program “shows the rating agencies that you are working together as an organization.”