The goal of enterprise risk management (ERM) is to eliminate the siloed approach to identifying, monitoring and managing risk practices throughout an organization. By applying a consistent approach to ERM policies and procedures through a clearly delineated organizational risk hierarchy, organizations can mitigate risk and identify new business opportunities.
Insurers have long employed risk management strategies. However, as their business models become more complex and their geographic scope widens, many large insurers are wrestling with identifying the interdependencies of risk across the organization. Risk management is important not only to the largest companies; small and medium-sized insurers must also take a risk-centric view of their organizations. From the financial perspective, ERM promotes the effective allocation of capital to increase profitability and shareholder value. Financial risk is only one leg of the stool: unless the insurer can identify and integrate risk areas throughout the organization, ERM will fail. Corporate credit ratings are important to investors, consumers and regulators as an indicator of an insurer's financial stability, and so adoption of ERM accelerated as ratings agencies began to grade insurers based on their ERM capabilities. Standard & Poor's, one of the five independent agencies that rate the financial strength of life insurance companies, published ERM ratings guidelines in 2005, and began to assess ERM as part of the ratings process in early 2008.
Structuring of an insurance company's ERM initiatives and policies is at the insurer's discretion. The ratings agencies do not evaluate insurers based on their organizational risk structure but only whether risk management functions are performed adequately. ERM practices vary widely, depending on the insurer's geographical reach and lines of business. Ratings agencies expect insurers to identify the most crucial risk elements impacting their businesses broadly across credit, market, underwriting, operational and strategic risk categories.
Based on Standard & Poor's evaluation of more than 250 insurers across North America, Bermuda, and Europe in the past year, the majority of companies are rated as "adequate," defined as "having a complete and reliable control process in place for major risks." The adequate rating implies that although major risks are reliably controlled by the insurer, its risk management processes are siloed. In North America, only 23 percent of insurers scored above adequate in 2008, while in Europe the percentage was 33 percent. European insurers score better in the ratings because of their preparatory work for compliance with the Solvency II regulatory requirements for capital adequacy of EU insurers going into effect in 2012. The ratings indicate that much opportunity remains for insurers to improve risk management practices.
In an analysis published in late 2010, S&P noted that “the financial crisis exposed a number of weaknesses in insurers' risk appetite frameworks. Some insurers were quite active in acquiring risks that we doubt whether they fully understood; therefore, they were unable to manage these risks within their stated risk tolerances.” One area of opportunity was the ability to align risk management practices and tolerances with business goals and broader management oversight. How does your organization create the link between business strategy and risk management across multiple divisions and functional areas?