Insurer Enterprise Risk Management Eyed

Officially announcing new criteria for the ERM component in a report released last week, the New York-based S&P said its evaluation of risk management practices will not replace any existing rating components but will instead be added to them.

"S&P has always looked at risk and at how insurers manage risks within the rating review," said Laura Santori, a credit analyst based in Paris, during a Web conference last week, explaining why "wholesale ratings changes" are not expected from the addition of ERM analysis. "What the ERM project does is provide a more structured framework," she added.

S&P detailed a process that looks at a very wide range of risks and risk-management activities. Analyst David Ingram in New York said S&P will tailor this process to each insurer during the actual evaluation.

For example, a formal ERM process or a complex probabilistic model to evaluate risks won't be required to garner good grades. Instead, S&P will "look at activities…intended to limit losses" in firms that don't have formal processes, he said.

For insurers with ordinary risks and excess capital, ERM won't be as important to the rating as it is for those with tight capital and complex risks, he added.

The report addresses other questions about the new rating component–such as why it's being introduced now, how small companies will be treated, and whether S&P will now penalize companies holding excess capital (rather than managing capital efficiently to match risks).

Insurers with capital cushions won't be penalized, nor will small companies, which may not need formal ERM processes if executives are closely aligned with employees performing day-to-day tasks.

S&P said the primary reason for introducing ERM evaluation criteria is "to improve the rating process," adding that a significant number of insurers have now developed and implemented ERM systems, allowing for meaningful evaluation.

The report noted that to assess risk management culture, S&P analysts will seek to determine whether risk management is an important consideration in corporate decision-making, and whether risk managers report to the boards of their companies, among other things.

"We think that risk management culture is the base on which an effective risk management program is built," Ms. Santori said, as she described a pictorial representation of S&P's ERM process showing "culture" as the base of a building resembling an ancient Greek temple.

With respect to risk controls–one of the pillars supporting the sloping "strategic risk management" cornice–the rating agency will want to know if company managers have control processes to identify risks, set limits of risk tolerance, and monitor and manage to those limits.

Risks to be controlled in most insurance organizations include credit risk, market risk, insurance risk and operational risk, Ms. Santori said–noting, however, that the list will be refined to reflect those that apply in each individual company situation.

During the conference, and in the report, S&P sorted out the details of its ERM process, including characteristics that define weak, adequate, strong and excellent ERM–the four levels of quality that will be assigned as part of the review.

In addition, two broad messages were repeated throughout S&P's report–insurers that learn from risk management mistakes and those that don't try to deny that they take any risks will fare well.

S&P said it will look favorably on insurers that learn from past lapses in risk management–adding, in fact, that ERM programs that haven't been tested in adverse situations won't be judged as favorably as those that have.

As for a company where executives assert that the company doesn't take any risks, "that could mean it is not taking any risks that it knows about," the report said, suggesting that S&P will frown on such assertions.

Mark Puccia, a New York-based S&P analyst, said: "Our use of ERM is an incremental process. We're not looking to overhaul our rating structure." He added, however, that by focusing on ranges of risk scenarios that could occur, the dynamic prospective process ultimately "has the potential to change how we analyze insurers."

Flag: Recap

Head: What Will S&P Evaluate?

S&P said it will assess enterprise risk management by evaluating five components of each insurer's ERM program:

o Risk management culture.

o Risk controls.

o Extreme-event management.

o Risk and capital models.

o Strategic risk management.

ERM evaluations will be in addition to existing rating categories, including competitive position, management and corporate strategy, operational analysis, investments, capitalization, liquidity and financial flexibility.