Wednesday, September 1, 2010

A Review of Enterprise Risk Management – A View from the Insurance Industry by Wolfgang Errath and Andreas Grünbichler

I. The Contents

In elaborating the concept of Enterprise Risk Management (ERM) as applied on the business model of the insurance industry, the authors’ review of Zurich’s Enterprise Risk Management Framework revealed a close resemblance to the EU’s Solvency II regulatory model. Which of the two came first, the proponent does not know, however. Enterprise Risk Management (ERM) is a holistic treatment and management of risk through which all organizations can align their strategic and operational policies onto in order to achieve their respective goals and objectives. The authors, first off, established the basic precept of risk management, which is its role as an instrument/function of an organization amid an ever changing environment. The paper dubs risk as a function of change, which more so highlights its importance, with change being such an inevitable aspect of life.

Early forms of risk management were mainly designed for monitoring risks and as a means of compliance to regulatory recommendations and statutory mandates. While these roles were being fulfilled, risk quantification also became a task corollary to following the guidelines set by management and public authorities. Risk management’s functions further expanded as it bore the responsibility to hedge and mitigate risk exposures of the organization, which may involve execution of transactions and arrangements that aim to bolster the risk-return profile of a company. The paper highlights the fact that risk management has evolved from taking a passive position to a more active role in business strategy and decision-making.

Enterprise Risk Management (ERM) found support not only from internal management, but more so from external stakeholders, who may not have had the proper avenues and facilities by which to ensure that their interests were protected. Rating agencies have developed different ways by which to integrate Enterprise Risk Management (ERM) to their evaluation models. Some have used their own capital models, some have utilized models developed by insurance companies, while others have developed their own stochastic portfolio models. Regulators and public authorities have also played a critical role in putting risk management in the mainstream of business practices. Switzerland, for one, has legislated insurance laws and other business-related statutes embedded with risk management requirements. Under the Federal Office of Private Insurance (FOPI) directive 15/2006, risk management inculcation among employees is a requirement and risk management oriented strategies must be introduced. The Swiss Solvency Test (SST), an economic capital model, was mentioned as becoming an integrated part of a new ERM framework. The EU’s Solvency II, a 2007 document by the International Association of Insurance Supervisors (IAIS), and a 2004 ERM framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are models by which Enterprise Risk Management (ERM) has been refined under an academic and professional approach.

Under the Enterprise Risk Management (ERM) Framework of Zurich, which is a financial services organization with exposures to the business of insurance, the company intends to protect its capital base while finding an optimal risk-return profile for itself, enhance value creation, provide support to decision-making through useful information, and protect its brand and reputation by inculcating a culture conducive to nurturing risk-professionals and practitioners. The company recognizes the integrated influences that can find benefit through the implementation of an Enterprise Risk Management (ERM) framework. All stakeholders will not only perceive, but also experience a form of stability and order brought upon by the discipline of risk management.

The Zurich ERM Framework is structured as a 3-pillared structure, consisting of a base and 3 supporting pillars that hold-up a figurative roof. The base represents Risk Governance and Culture, which requires that all members of the organization be aware and educated on the concept of risk. This knowledge is expected to trickle down from the leadership of the organization to all employees. The establishment of a risk culture can best be facilitated through the institution of an independent risk unit, which also possesses degrees of authority and influence in decision-making and strategy formulation. The function of risk management must permeate through the figure-heads of organizational authority (i.e., the BOD and senior management). The documentation of risk-related policies and management authority limits reflect on the organization’s commitment to handle risk in the most systematic means. The drafting of a uniform risk management framework that all members of the company can defer to, while developing a common risk-management-oriented language are seen to help put emphasis on the importance of ERM to the success of the company. When talking about a culture of risk management, it means establishing a mechanism by which all members of the organization are constantly made aware of the company’s status, situation and exposures when talking about risk.

The first pillar of the framework pertains to risk quantification. Measuring risks has been a key function in the financial industry, which normally puts importance on knowing the financial exposure/s of a firm given a certain position during a certain period. The authors mentioned that risk aggregation or proper organization of single risk exposures is critical, since ultimately it will reflect on the results. Aside from arranging data with the intent of interpreting them, it is, of course, critical that the items comprising the data were properly collected. There are a myriad of methods to acquiring data, but it is important to be consistent, reliable, and accurate in getting them. The authors add that scenario analysis can serve as a useful tool in evaluating the data since these will eventually be translated into strategies and business decisions that will ultimately affect the firm’s business policies and performance.

The second pillar of the framework involves a qualitative directive in evaluating risk. Risk management operations deal with policies, mechanisms, and manpower. In the context of the insurance industry, financial and operational risks have become focal functions. Actuarial operations, being a unique aspect of the insurance business, have also been given a greater amount of attention. Risk management can be localized or centralized, which means there are locations wherein first hand handling is a must, while there are instances wherein aggregation and standardized decision-making is the most beneficial to operations. In a range of risk management functions, synergy is a desired product through which organizational objectives can be achieved. Internal controls and human judgment are key factors that organizations ought to develop if it is to better promote the qualitative aspect of risk management.

The third pillar of is risk communication and disclosure. Transparency has been a great deal of interest to most parties who have had minimal access to certain aspects of company operations. These parties are usually top management, regulators and external stakeholders, who all have an interest in ensuring that everything is running smoothly and in accordance to the policies and internal controls set for compliance by all. A structure for internal communication is a facility by which information dissemination, data evaluation and decision making can pass through in order to preserve the stability of the company. External stakeholders and regulators, being unfamiliar with certain day-to-day and internal activities of the organization, would require a means by which they can scrutinize for themselves the choices and policies made by the company. Risk information disclosure through annual reports, documents and presentations are some of the ways by which risk-related issue can be made known to those who have a degree of interest to know.

Strategic risk management under the Zurich framework figuratively represents the roof of the model. Enterprise Risk Management (ERM), being a holistic and all-encompassing approach, is a means by which a coordinated type of strategy can be developed and implemented by the leaders and authorities of the organization. The risk-return profile of a company is usually a by-product of a myriad of choices and decisions made by those who have the authority to do so. The preferred risk appetite must therefore be aligned with the actual risk-return profile and there is no better means by which to match these two than through Enterprise Risk Management (ERM). Risk management stands as a function and discipline by and through which company objectives can be realized, while insuring that these were achieved without sacrificing the stability of the company (i.e., getting to the finish line at all costs and incurring collateral damage along the way).

The authors have portrayed Enterprise Risk Management (ERM) as an optimal framework that involves an immersive approach towards integrating the discipline of risk management to the culture of an organization. They see a strong link among risk management, value creation, and strategic management in the coming years. Internal risk-based capital models are one of the definitive tools by which risk management can be promoted, especially in insurance companies.

II. Personal Assessment/Insights

Much has been written about Enterprise Risk Management (ERM) in recent years and I have found it almost cliché-like, over-worn and, most often, an over-referred-to organizational philosophy that a lot of uninitiated people simply find convenient to mention and pertain to in most management discussions. It is extremely simple to make an elaboration of how properly handling risks in a holistic manner can bring about success in one’s business model, kind of like when a business promoter/proponent finds ways to dazzle potential investors by saying how a gamut of opportunities can be found in an allegedly profitable business proposition and would simply need some funding from some committed financier. After all, in deference to the risk-return concept, the talk about maximizing returns is indeed an endearing topic to consider and has often been the case in many board rooms and executive management meetings, on the other hand, this unraveling passion and motivation to explore the techniques by which to manage and minimize organizational risks can indeed be overwhelming to those who have paid little attention to it before as a useful business management discipline. Of course, for those who concern themselves with the business of risk, most importantly the insurance professionals, it can be said that there are nuances to treating risks and these can at times inevitably refer back to the insurance industry’s familiarity and expertise with risk management, quantification, monitoring, pricing, mitigation, transfer, among other means of treatment, that Mr. Pedro Benedicto, an insurance industry practitioner and academic professor of mine, once said as functions and activities done by some of the world’s very first financial engineers (i.e., insurance underwriters).

Risk quantification can be a tricky business. Just as, in my opinion, accounting seeks to develop models and philosophies by which to quantify objects and transactions of interest to businesses in order to standardize account name treatment, management, and regulation; risk management, too, faces the same challenges. Translating something so intangible, in view of risk being contingent and at times immeasurable in terms of scope, gravity, and extent, can be exposed to the vagaries of human perception and judgment. Standardization is indeed critical, if it is to become an authentic management discipline, if not a professionalized science. In this thrust, however, I believe lies the philosophical aspect of risk management. While risk is affirmed to be present, it only asserts its existence when it is known and recognized by those who concern themselves with it. The extent of risk covers only as wide as the area by which man chooses to put his interests on. An astronomical phenomenon that may lead to a destruction of a planet or two halfway across the galaxy is beyond the concern of any man, unless it has any repercussions, direct or indirect, to any of man’s social, economical, commercial or other endeavors of interest that he reaps some form of benefit or satisfaction from.

As the paper mentioned, rating agencies have found interest in integrating a Enterprise Risk Management (ERM) criterion to their requirements and have found use for it as a quantitative and qualitative tool in assessing an organization. This perhaps stems from a belief that although they have metrics by which to measure the financial stability of a company, they are short of ways by which to evaluate the “synthesized” quality of an organization. Operational and strategic management can be varied across periods of time, but risk management is reflective of the extent of over-all quality that an organization emphasizes when it conducts its business dealings.

One concept that I find interesting in the Enterprise Risk Management (ERM) framework is the qualitative pillar. This is an aspect that represents one true challenge towards achieving a standardized risk management discipline. The human factor is especially difficult to quantify since many variables interact within and among people of different backgrounds. Where there are focal points of decision-making and human judgment involved, the degree of quality will eventually revert back to the degree of appropriateness that a person possesses vis-à-vis his position’s roles, the duties, responsibilities, and even the prerogatives it entails. A chain (i.e., the mechanisms, policies, systems, internal controls in place) is only as strong as its weakest link (i.e., people being subjective and unpredictable individuals). While there may be times that a person will report-in for work and do the routine role he was assigned to do before checking-out at the end of the day, an employee is not like a simple gear that can be replaced when the machine grinds to a halt nor is he predictable like the movement of a piston. Personnel matching, training, and risk management inculcation are integral in assuring that quality is preserved in an organization’s operations.

Enterprise Risk Management (ERM), if it must be said again and again, is a holistic approach to orchestrating organizational success. Amid a very dynamic environment filled with threats and opportunities, risk management stands as a discipline through which a company can be assured of both protection and stability. While it may seem like it is barely a money-making function at all for most generic structures of organizations across different industries, it has its indirect purposes in assisting towards a more profitable future for all stakeholders. Risk management, of course, is at a different level all together when exploring the intricacies of an insurance company’s operations. The insurance industry has prided itself in identifying risks and finding ways by which to handle them for decades. Close-minded organizations may find it comforting to simply run away from risk exposures once they see them, but it can be said that there is no running away from risk. Risk is all around as long as people undertake profitable and beneficial endeavors in human society and in business and commerce. Organizations that do not find value in risk management might one day find themselves in a pincer or worse yet surrounded by risk exposures that will ultimately overwhelm their resources, manpower, and company policies; to their demise.

As a recommendation, this proponent would deem it very productive to have an initiative on creating various Enterprise Risk Management (ERM) frameworks applied to different industries in the Philippine context. Risk management has yet to see itself blossom in the Philippines. This may probably stem from the fact that our domestic insurance industry has not found its professional stride, whether in conduct nor in portraying itself as such through the years. In fact, it seems that it has deteriorated as revealed by a study made by Mr. Benedicto regarding the pricing of insurable risks. To have an appreciation of risk management in various industries and sectors of business in the country, a showcase of the insurance industry’s capabilities is a must. Insurance is a key component in building an economy. Why? It brings about security in both social and commercial endeavors and undertakings of interest. It allows otherwise risky and therefore costly infrastructures to be raised without fear of some bungled engineering wiping-out everything. It allows daily business dealings to be done without the constant fear or anxiety of having to face costly litigation in case awry and mutually undesirable events occur. It prevents unfortunate circumstances that might surround a citizen or organization dissipate. It allows citizens to go on with their daily lives and not abruptly and tragically be hindered by fortuitous events that all too often happen to the least suspecting, well meaning, and unprepared of good-natured people. These people with hopes and dreams of their own do not deserve to be castrated by the whims of chance and by the astronomical phenomenon of randomness. While people may possess free-will, they should be given the proper choices and avenues by which they can exercise their power to choose. Insurance and risk management, in the opinion of this proponent, are extensions of free-will and freedom.


All compositions, statements and opinions of the author are copyright © Earl T. Malvar 2009-2010. All rights reserved. There is no honor, respect, admiration, intellectual and academic dignity garnered through plagiarism.