It's not like the insurance industry needs to go out of its way to search for new risks to obsess over. An industry that was built on helping others avoid risk now spends as much time managing its own risk as it does helping policyholders avoid theirs. But as some carriers have found in recent years, there are plenty of new things happening in the world on which to keep a close eye.
"Enterprise risk management [ERM] at its most basic is us understanding all the risks that we face and being able to manage those risks," says Mark Talerico, chief risk officer for Narragansett Bay Insurance. "On the one hand, you could argue any company that has ever been successful has done exactly that. I don't think it's always been thought about or quantified in one central location, though. We are being forced to think about it and lay it out a little more cleanly."
In the consulting practice at Keane, Alkesh Shah examines enterprise risk in six areas: credit risk, market risk, portfolio risk, audit risk, SOX compliance, and operational risk. "These are the things we are helping our clients with to be in compliance or in better control of," says Shah, who is senior director and client partner in Keane's financial and insurance practice. "I would say a blanket statement is no one is doing a great job [with ERM]; some are doing a good job, and some are doing an OK job."
Shah characterizes insurers that are doing a good job of ERM as those making strides in at least half of the six categories. "They are the ones that have gotten better control of their data and are creating intelligence around that data by building reports," he says.
The need for better risk management increases as the financial markets go through turmoil, says Shah. "Things have been changing a lot in the last few months, especially in the financial area," he says.
Doug French, managing principal and insurance advisory services leader for Ernst & Young, is encouraged by the industry's efforts to grasp enterprise risk management. "If you look at our risk leadership survey [recently issued by Ernst & Young], we can see over the last couple of years insurance companies are making strides, including putting building blocks in place around their ERM initiatives," he says.
At Nationwide Insurance, enterprise risk includes all risk within the carrier's risk classification framework, according to Al Schulman, vice president of ERM. "We have catastrophe, market and credit, interest rate, litigation, and unknown mass tort risks," he says.
There are certain risks that naturally exist in multiple parts of the organization, explains Schulman. For an insurance company, particularly a life insurer, the most obvious one is interest rate risk. "You have [interest rate] risk with respect to your assets, your bond portfolio, and your insurance liabilities either through the discount rates on those liabilities, the time value of money, or [else] the liabilities themselves are inflation-sensitive," he says.
Insurers have multiple entities capable of generating the risk and therefore have the responsibility of managing the risk, continues Schulman. "Those multiple parties either can be because of functional roles or responsibilities or they can be your own segregation within business units," he says. For example, Nationwide has an excess and surplus lines business that takes interest rate risks through its underwriting operations, an admitted property/casualty business that generates interest rate risk through its operations, a life insurance company that generates interest rate risks through its operations, and an investment department that generates interest rate risks through its bond decisions. "One question is: Do you have modeling capabilities with respect to all those sources of risks?" asks Schulman. "The other question is whether you can manage that risk effectively with multiple owners."
That is more of a governance issue than a modeling issue, points out Schulman, but in part, Nationwide's approach is to form risk subcommittees by risk type rather than by business unit. "So, we will have a market credit risk committee responsible across the organization for all sources of market credit risk rather than have a life company risk committee and a property/casualty company risk committee," he says. "That's one way to make sure you are managing that risk effectively across all operations."
One goal of ERM is to leverage it to help make key strategic decisions for business planning, asserts French. An example of strategic risk analysis would be determining what would happen if healthcare is nationalized in the United States. "What does that do to your business?" French asks. "Risk management is a little more tactical around the day-to-day management of risk, whether it is financial or operational, rather than strategic."
Another area of strategic planning encompasses what French calls emerging risks. In the survey conducted by E&Y, French found such planning was near the bottom in the minds of insurance carriers. "They are just not doing it," he says. "It's not the way the industry thinks. People aren't doing the really deep risk analysis."
Many of the emerging risks are just beginning to become clear, notes Shah. "I don't know whether there's a crystal ball out there, but we are working with clients to develop parameters and scorecards to look for these kinds of risks going forward," he says. "The models they have to measure the risk don't always work."
Talerico compares emerging risks to the theory of the black swan–a large-impact, hard-to-predict event beyond the realm of normal expectations. But he stops short of calling an event such as the mortgage lending crisis a black swan.
"I don't think it was a surprise to most people given the amount of risk some of these companies were taking," he says. "They were giving mortgages to people who obviously couldn't afford it and weren't supporting it with documentation. We knew it was happening, and we chose to turn away. Was it avoidable? Yes."
Part of the responsibility for these crises lies in what types of incentives are placed before underwriters, Talerico believes. "We compensate underwriters for simply pushing premium dollars through the door, but now we're doing things on a risk-adjusted basis. So, it's not about premium dollars; it's about each dollar of premium and what it contributes to the overall risk position," he says. "I'll accept the premium if the risk is prudent, and I'll compensate those people who follow those lines."
Larger insurance carriers over the last couple of years have begun hiring chief risk officers, but French is not sure whether carriers are in agreement regarding exactly what the job descriptions are for those CROs. "Are they owners of risk?" he asks. "Are they monitoring risk? Are they reporting risk? People still are trying to figure out what the CROs are going to bring to the table."
Talerico recently has moved up to the position of CRO with Narragansett, and in his opinion, the industry is moving in this direction out of necessity. "The banking industry for years took a more pragmatic view of ERM and the need to look at all the pillars of risk," he says. "The insurance industry has been slow to recognize the similarities between our industry and theirs, but in the last five to seven years, there has been a greater appreciation."
Talerico maintains seminal events, such as Hurricane Andrew and 9/11, created an impetus to look at multiple sources of risk. He also asserts the efforts made by the A.M. Best rating agency in interpreting what it means by ERM are helping insurers get a better picture of risk.
In E&Y's survey, French reports carriers had multiple owners of risk and there was no correct delegation of duties. "That's an offshoot of running insurance companies by silos or by lines of business," he says.
For example, asks French, who within the enterprise owns responsibility for interest rate risk? "Each business unit could have responsibility for its particular interest rate risk, but that doesn't mean any one person has responsibility across the entire enterprise," he says.
In Shah's view, adopting a chief risk officer approach is sound because most insurance carriers do not have a single owner of a particular type of risk or one central function that looks at risk from different business areas. "[Carriers] use different tools to assess risk," he says. "So, when they have different measures and different tools, they can come up with different risk scores, and when the two scores are different, they don't tell the true story. That's been one of the issues."
One reason some insurers are struggling with ERM is there is no regulatory imperative or rule book for insurers to follow. State regulators in the U.S. have not put any processes or procedures in place for insurers to run an ERM program, but rating agencies have taken up the challenge of imposing their will on carriers. "The rating agencies want to review [insurers'] ERM activities, but again, there is no definitive rule book," says French. "Each rating agency is reviewing ERM on its own terms."
As a result, insurers are building out the framework as they react to what the rating agencies are after. French suggests if the Optional Federal Charter is approved, it will include a national solvency agenda and a risk management agenda. "You will see some definitive regulatory rules around the whole issue," he says.
Nationwide is ahead of the curve in some of its applications of capital modeling, according to Schulman, but he admits much of the impetus for improved risk modeling has come from rating agencies focusing on ERM. Carriers are working to convince the rating agencies to consider the carriers' internal models in establishing target capital levels, he notes. "If we can convince them to use our capital models instead of their models, it has the potential to save us hundreds of millions of dollars," he says.
As these external organizations raise the stakes on carriers' ability to track their own utilization of capital and to manage returns on capital on an economic rather than a GAAP basis, Schulman believes insurers have to improve their capabilities. "We're lucky enough we entered some of those actions early, and many of the applications companies are starting to build are fairly mature within Nationwide, particularly our ability to do economic capital modeling and what's known in the industry as dynamic financial analysis–simulation modeling of our entire enterprise," explains Schulman. "That's allowed us to look at how different risks contribute to our aggregate capital requirements and our aggregate risk profile in a way that's difficult to do if you're not satisfied you have robust modeling capabilities."
One challenge in insurance is the inability to measure risk vs. reward, French points out. Carriers have statutory returns, which measure solvency, and GAAP returns, which measure ongoing financial performance. "It depends on what metric you are looking at," he says. "That's the continuing confusion in the industry. Do you want to look at performance on a solvency basis or performance on an earnings basis?"
Due to the regulations surrounding Solvency II in Europe, Europeans are moving to an economic reporting basis where they are able to price, measure, and manage on a true economic basis, which currently does not exist in the U.S. market. "The Europeans are ahead of us in regard to that," observes French.
French defines risk appetite as the overall risk level a carrier has, which then is divided up by type of risk an organization wants to take, for example, so much interest rate risk and so much credit risk.
It can be broken down further by distribution channel, products, geography, and asset class, he adds, so it gives the carrier a more granular view of risk. French indicates insurers over the years have become good at aggregating within a risk class but are not quite as good moving across the organization in various risk classes.
To help strengthen its ERM program, Nationwide selected SAS OpRisk Management software. The software provides a standardized way to collect, measure, and report data from multiple risk management programs. In addition, ensuring risk information is commonly understood and effectively shared via Nationwide's Common Risk Information Architecture (CRIA) helps the carrier make more informed enterprise-level risk decisions.
"Our CRIA is most commonly used with respect to operational risks, but ultimately we want to send that to other risk types," says Schulman. "Right now, we are starting with operational risks as we get risk information from our various control environments, our audit environment, our IT security environment, our compliance environment, and our privacy environment–all on a common platform."
Schulman feels rating agencies have upped the stakes on ERM, and so insurer management teams have had to respond to that challenge, particularly as they look at the turmoil that arose from the subprime market. "I guess you can say the models didn't work [in that case], or else you can say you better get some better models," says Schulman. "You either can give up or do better. We're inclined to do better."
French reports CROs are optimistic about the role of ERM and they are setting lofty goals in a significant effort to achieve them. "I think the industry will continue to work on the issues, and without a regulatory imperative, companies will build out their ERM frameworks over the next few years," he says.
Technology has improved greatly, affirms Talerico, now allowing insurers to create robust models and gather information quickly. "That's the kind of stuff that sets companies apart," he says. "We're taking the models further and trying to use them where they are appropriate in rate setting and capital allocation settings."
In the past, insurers relied on their reinsurance company to provide access to risk models, but despite his own background in reinsurance, Talerico doesn't believe insurers can afford to abdicate responsibility. "You have to touch it and manage it in-house," he says. "It's more than being able to run the models. You have to translate what the models are saying to what you need to do today."