RISK MANAGEMENT IN INSURANCE: CRITICAL AREA OF CONCERN

The recent changes in the insurance market and socio-economic environment have meant that the risks that insurers now find themselves facing have evolved. These range from volatile investment conditions, increases in longevity and mortality risks through to terrorism threats and climate change. As a consequence, stakeholder focus on these risks and the way in which they are managed has also sharpened. It is, therefore, increasingly important that insurers fully understand the risks to which they are exposed.No one likes to think about the bad things that can happen to them, but for many people, unexpected shocks are a daily threat. Low-income families are particularly vulnerable to potential losses from a host of situations and may be ill-prepared to cope financially with their negative impact. Small and frequent shocks, such as children’s illnesses, may only have short-term impact, while more significant events, such as the destruction wrought by natural disasters or the death of an income earner, can bring financial ruin. Such crises wipe out the hard won gains painstakingly accumulated over time. As families go deeper into debt and/or sell assets to pay their unexpected expenses, their climb out of poverty can easily be thwarted. Hence ,anticipating risk and managing risk is of paramount importance not only for an insurance company but for an individual also.

Coping with Shocks: Reaction or Protection?

Shocks are not new; neither are the pain and expense that come with dealing with them. From country to country, the list of risks is very similar: accident, illness, death of an income earner, fire, theft, natural disaster and economic shocks caused by events such as hyperinflation. The consequences of these risks are significant and may include grief, financial hardship, loss of income, loss of productive assets and lost economic opportunities.

What is Risk Management

Simply put, risk management is a two-step process – determining what risks exist in an investment and then handling those risks in a way best-suited to your investment objectives.  Risk management occurs everywhere in the financial world. It occurs when an investor buys low-risk government bonds over more risky corporate debt, when a fund manager hedges their currency exposure with currency derivatives and when a bank performs a credit check on an individual before issuing them a personal line of credit.For insurance companies , knowing and anticipating risk is of paramount importance to be successful in the business.

Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also guarantees that the organization creates and implements an effective plan to prevent losses or reduce the impact if a loss occurs. A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesn’t have to be expensive or time consuming; it may be as uncomplicated as answering these three questions:

What can go wrong?

What will we do, both to prevent the harm from occurring and in response to the harm or loss?

If something happens, how will we pay for it?

Below a series of questions which senior management may wish to consider when reviewing the effectiveness of their own risk management practices.
Questions for senior management to consider
  • How can the board and senior management provide more effective and informed oversight of your insurance company’s risks?
  • Are risk considerations given appropriate profile in your company and strategic planning processes?
  • What should your insurance company be doing to realise the benefits of further integration of risk, capital and business management activities?
  • How can your insurance company improve the knowledge and understanding of your board and senior management to raise the quality of discussion and challenge on more complex matters?
  • Are your company’s risk appetite statements and risk policies sufficiently comprehensive and well understood and workable?
  • Does your firm have a clear view of how it wants to develop its risk management practices?
  • Are there enough opportunities for independent and informed challenge to risk management processes and outcomes?
  • Is there enough objectivity in your risk identification and assessment processes?
  • Does your firm’s management information provide sufficient and timely material on risk issues and does it prompt appropriate action?
  • Is there enough clarity of how responsibilities for risk management activities are allocated in your firm?
Benefits to managing risk

Risk management provides a clear and structured approach to identifying risks. Having a clear understanding of all risks allows an organization to measure and prioritize them and take the appropriate actions to reduce losses. Risk management has other benefits for an organization, including:

  • Saving resources: Time, assets, income, property and people are all valuable resources that can be saved if fewer claims occur.
  • Protecting the reputation and public image of the organization.
  • Preventing or reducing legal liability and increasing the stability of operations.
  • Protecting people from harm.
  • Protecting the environment.
  • Enhancing the ability to prepare for various circumstances.
  • Reducing liabilities.
  • Assisting in clearly defining insurance needs.

An effective risk management practice does not eliminate risks. However, having an effective and operational risk management practice shows an insurer that your organization is committed to loss reduction or prevention. It makes your organization a better risk to insure.

Role of insurance in risk management

Insurance is a valuable risk-financing tool. Few organizations have the reserves or funds necessary to take on the risk themselves and pay the total costs following a loss. Purchasing insurance, however, is not risk management. A thorough and thoughtful risk management plan is the commitment to prevent harm. Risk management also addresses many risks that are not insurable, including brand integrity, potential loss of tax-exempt status for volunteer groups, public goodwill and continuing donor support.

Why manage your risk?
  • An organization should have a risk management strategy because:
  • People are now more likely to sue. Taking the steps to reduce injuries could help in defending against a claim.
  • Courts are often sympathetic to injured claimants and give them the benefit of the doubt.
  • Organizations and individuals are held to very high standards of care.
  • People are more aware of the level of service to expect, and the recourse they can take if they have been wronged.
  • Organizations are being held liable for the actions of their employees/volunteers.
  • Organizations are perceived as having a lot of assets and/or high insurance policy limits.
Risk management is a major area of concern for an insurer

Risk management is a major area of concern for an insurer. The insurer who manages the risk adequately and prudently, always enjoys risk free functioning, which go a long way in building the inner core strength of  its future functioning in the industry. The recent happening in the US debt management, has taught a lesson to the global risk managers , that how important it is to anticipate risk well in advance ,other wise it will spell doom for that company or an economy.

A General Insurance company is exposed to various types of risks including underwriting, reinsurance, operational, market and liquidity risks – amongst others. The objective of a risk management framework is to ensure that various risks are identified, measured and mitigated; and policies, procedures and standards are established so as to adequately address these risks through systemic response and strict adherence.

The Insurance Regulatory and Development Authority (IRDA) in August 2009 issued guidelines on corporate governance for the insurance sector. Apart from laying emphasis on the importance of governance in the insurance sector, the circular laid out the importance of risk management and the need for control functions. Accordingly, every company was mandated to form a risk committee as well as appoint a Chief Risk Officer.

The guidelines stated that sound management of an insurer is dependent on how well risks are managed; and emphasized the need to lay down the risk management strategy and monitor all risks across various lines of business. So what should be the key constituents of a risk management framework? Every company would need to evolve its own risk management framework keeping in mind the nature, size and complexity of its business. A risk framework can be formulated with learnings from the failures of global insurance companies along with guidelines advocated by ratings agencies and the outlook of consulting companies towards risk management.

Issues to consider in insurance risk management 
Sound risk management is a business-critical issue

 Effective risk management increases the prospect of  insurance business objectives being achieved,whereas neglect of these responsibilities can have consequences for senior management and fair treatment of customers, with resulting damage to the business. So we place significant emphasis on senior management taking responsibility for their firms’ systems and controls and, in particular, assessing and managing risk. The effectiveness of processes and procedures to maintain adequate controls is also of equal importance. Firms who can manage their businesses well and demonstrate effective risk management processes and procedures are likely to receive less regulatory attention.

A significant number of insurance company may have  designed risk management processes primarily to meet our rule requirements. Good risk management was rarely thought of as a possible route to improved commercial effectiveness and performance. In this review the picture appears to have improved significantly. The level of buy-in to risk management by boards and senior management is demonstrated in a number of ways.

For example, risk management is a regular agenda item at board meetings in many firms. Risk is also becoming more of a factor in business planning and performance reviews, although in a minority of mostly smaller firms, risk assessment is not part of the business planning process. A few firms had also developed risk frameworks long before the introduction of latest rules and guidance, but managing the full range of risk exposures across the business was a relatively new concept for many. Despite these welcome developments, many insurance firms still appeared to lack a vision of how they want to develop their risk management frameworks. Development activities were often remedial rather than progressive.

In many of the firms with risk committees, these have become more focused on high level oversight . For example, in the last few years, the role of some risk committees has moved from identifying and managing operational risk to consideration of the firm’s full range of risk exposures. This reflects increasing management awareness of the importance of understanding all the factors that can affect future business performance. There are a number of possible reasons for this shift of emphasis. Firstly, as the underlying risk assessment processes have themselves developed, in particular for operational risk, the role of the risk committee has been able to move towards assessing the output from the risk assessment process rather than overseeing development of the process itself.

Secondly, in some firms, risk committees found themselves out of their depth when considering technical risk issues, such as insurance underwriting exposures. Consequently, there was often more of a focus on detailed operational risk issues. To overcome this, increasing numbers of firms have passed responsibility for oversight of specific risk areas to other, often newly constituted, board committees. For example, there may be asset and liability committees for financial risks, comprising relevant technical experts. The risk committee can then focus more on high-level coordination and challenge to risk management activities.

When the remit of the risk committee does not extend across all risk areas, it is still important that risk management activities come together effectively through some other part of the governance structure. We have concerns that in some firms there are significant gaps or inconsistencies in the oversight of some specific risk issues. This could lead to senior management being unsighted on specific areas/risks. The use of committees should support, and not replace, board involvement in the most material matters for the firm.

Effective coordination is particularly relevant to insurers who are exposed to a large number of ‘boundary risks’. Risks such as those in claims management, for example, can have implications for both operational and insurance risk management activities. This is particularly important as arguably there are more boundary risks in the insurance sector than in other sectors. In the case of insurance company whose risk management is coordinated at group level, we expect the firm’s management to exercise appropriate oversight over the risk management processes and satisfy itself of the appropriateness of such processes. In such cases, a group risk function can enhance the process, for instance by monitoring aggregate risk levels and providing local advice. But the firm’s governing body also needs to oversee its risk management, including setting risk appetite at a level that is appropriate for the firm.

Reviewing the effectiveness of risk management oversight is important

We recognise that many aspects of risk management processes are complex and it is not necessary, and indeed not possible, for every member of the board to be fully technically competent in all risk areas. But to make effective individual contributions every board member should maintain at least a minimum level of understanding of all key issues and processes within the business. This may pose a recruitment challenge for some insurance company, but there is a role for executive management, not only in supplying or facilitating an induction programme and training and development, but also in helping governance bodies to assess, and regularly reassess, their individual and collective development needs.

Learning from insurance failures

The current financial crisis in USA makes abundantly clear the importance for insurance companies of pre-emptive and independent risk management. The debt which has posd risk for US economy could be insulated. This task poses demands at every level: individual companies, global groups, regulators, governments, rating agencies, and international institutions.

Regulators and governments in many countries have launched initiatives to bolster financial stability and restore market confidence. As part of this effort – and recognising that they themselves had not adequately appreciated the risks building up in the financial system – most are reviewing their regulatory regimes to help identify and avert future crises. Repeated crisis is a matter of grave concern, that some where risk in debt management has not looked after well in USA. It is lesson for other countries of the world. The  dot.com bubble, the sub-prime crisis and know the debt crisis in US has exposed that how US economy is non serious about anticipating risk and has exposed the entire US economy under deep financial crisis never seen before.Thr role of US insurance in managing risk is matter of concern.

It is crucial for the insurance industry that regulators and governments succeed in their battle to restart the world’s financial markets. Success will require international cooperation and coordination, with group-level supervision and efficient capital management for global (re)insurance groups. Any new regulation will need to take account of the insurance industry’s distinct business model; it should avoid creating market distortions and offer clear incentives for sound risk and capital management

There are various publications which study the reasons for insolvencies of global general insurance companies. AM Best, the global credit rating agency, published a study in May 2008 which evaluates reasons for US bankruptcies during the period 1969 to 2007. Further, a Canadian paper published in 2007 evaluates similar reasons for Canadian general insurance company failures. The main reasons assigned for insurance company failures as per these reports are shown in the table that follows.

Approach proposed by Credit Rating Agencies:

The role of credit rating agencies is of paramount importance. The way credit rating agencies visualise risk , is an important factor for the smooth functioning of the insurance company. With the ever growing importance of risk management, credit rating agencies over a period of time have been laying great emphasis on risk management practices of companies. The reasons for insurance failures are inter-related and hence adopting an ERM approach ensures that risks are identified on an Enterprise-wide basis and are correlated with their impact evaluated across the organization. Therefore, ERM is the evolution of operational risk management into a strategic process which aligns strategy, process, people and technology at the entity level.From the perspective of developing a company specific approach for risk management, both AM Best and S&P suggest the following areas to look at:

Setting a framework and culture towards risk management

There must be a framework and culture of risk management in the insurance company. if it is not taken seriously, it could spell disaster for the survival of the company in the long run and an sudden unanticipated risk.

It is very important for a ‘Risk Aware’ culture to be set within the organization as a ‘Silo’ approach to risk management is unlikely to yield results towards sound risk practices. Some of the steps suggested by rating agencies include:

  • Involvement of the board and senior management in risk management
  • Establishing and communicating risk management objectives while forming an opinion on their credit rating.

They underline the criticality of adopting ‘E’RM as an approach wherein the company has a focus on Enterprise-wide risks, rather than the traditional approach of risk management wherein each department manages the risks related to itself e.g. reinsurance looking at reinsurance risks and the legal department looking only at legal risks. They also advocate

  • Setting risk tolerance and key risk metrics
  • Setting roles, responsibilities and oversight
Risk Identification and Management

To identify risk, one need to consider two key questions:

  • What can happen – this is about identifying all negative consequences for the risk
  • How and why it can happen – this is about identifying scenarios and events that may precipitate negative outcomes.

The steps recommended by rating agencies for  risk identification include working on defining   traditional risks and having exception reporting with action plans in place for exception items. The following five key areas would need to be monitored from a traditional risk management perspective:

  • Credit risk
  • Market risk
  • Underwriting risk
  • Operational risk
  • Strategic risk

For measuring and monitoring these risks it is imperative for firms to maintain a risk register.A risk register is a repository of risks that the  company is exposed to along with a clearly  formulated and consistent approach to   measuring risks and subsequently either migrating or mitigating that risk.  The objective of the risk register is for the company to be able to aggregate common risks across businesses and to analyze and manage those risks effectively.

This is done by employing a top-down as well as a bottom-up approach to risk identification:

From a top-down perspective, the company’s ERM leadership and corporate level risk committee must identify all risks that are large enough in aggregate to threaten the firm with financial distress in an adverse environment. The bottom-up process involves individual business units and functional areas conducting risk-control self assessments designed to identify all local-level risks that are material.

The goal is to identify all important risks, quantify them using a consistent approach, and then aggregate individual risk exposures across the entire organization to produce a firm-wide risk profile that takes account of correlations among risks.

Identifying Risks a challenge fir Insurance Companies

Insurance company faces major challenges while identifying risk.To identifying risk is a matter of serious concern. If risk is not properly identified, it may lead to serious problems for the smooth functioning of the insurance company. The most solution expert says is ERM programs.ERM programs all start out with a suggestion that you must identify your risks.Risks should be identified within several major categories.  Here is a typical list of categories for an insurer:

  • Insurance Risks
    • Underwriting
    • Reserving
  • Investment Risks
    • Interest
    • Credit
    • Equity
    • Foreign Exchange
  • Other Counterparty Risks
  • Operational Risks
    • Legal/Compliance
    • IT
    • Distribution
    • Human Resources
    • Operations
  • Strategic Risks
  • Group Risks

Sounds simple enough.  But there are two ways to do this that give very different results.

  1. Top Down
  2. Bottom Up

The bottom up process is urged by COSO and requires volumes of documentation and hours and hours of meetings and discussions.  The result is a list of as many as 100 or more risks for a major sized organization.  This process requires at least a year to accomplish.  However, at the end of that year, the top executives of the firm will find that the product may well not be ready for them to get any use out of it.

That is because risk identification and in fact risk management takes on very different character at different levels of the organization.  There almost needs to be three different risk management programs at any larger organization.  One that is oriented to the top management, one that is oriented to the middle management and one that is oriented to the supervisory levels.

The COSO type risk identification process is designed to serve the  supervisory and middle management.  The initial risk identification process is done at the supervisory level, which at a very large organization can mean hundreds of people.  The findings are eventually summarized and ranked, but the summary is at a level that is appropriate for middle management attention.

The top management is better served by a risk identification process that is more top down.  If top management is unable or unwilling to do the risk identification work themselves, then it can be a middle up process.

Regardless of how the process is started or ended, there will need to be guidelines for for the significance of risks.  A typical bottoms up risk identification can end up with well over 100 risks often as many as 200.

Prioritization is the second half of this basic risk management step.  And the prioritization will depend upon the significance of the risks and significance will be based upon a measurement of the risks.  Which is the second fundamental practice of ERM.

The thresholds should be established for significance of risks that should get board attention, a lower threshold that should get top management attention, then a lower threshold for middle management attention and a lower threshold for risks to get attention from supervisors.

None of the risks identified by the detailed bottoms up process are unimportant, but it is important to determine WHO they should be important to.

Risks can be mapped in a frequency severity matrix

 

The third step of this practice is to classify the significant risks between those risks that are known by management to be well controlled and those that are less well controlled.

Immediate attention can then be focused on those risks that were shown to be of high significance and lower control, providing an immediate valuable product out of this very first stage of ERM.

Risk Measurement & Capital Modeling

The key element in risk measurement is management reporting with regard to performance vis-à-vis risk tolerance. This is an exercise which should be done on a periodic basis with pre-defined levels of escalation. Capital modeling is a tool which enables the organization to evolve towards measuring returns based on risk allocated capital. There are various capital models available in the market based on which insurance companies in developed markets manage their business plan. Allocation of capital is done based on the risk adjusted returns for each line of business.The IRDA has recently come out with guidelines on Economic Capital which is the first step towards the migration of the Indian insurance industry in the direction of capital modeling.

Emerging Risk Areas

It is important for the management to stay focused on emerging risk issues like climate change and the outbreak of pandemics to keep the enterprise insulated from uncertainty. From a risk management perspective it is imperative that the management keeps evolving its risk framework and that the lessons learned through the ERM  evelopment process are continuously incorporated in the next steps of ERM development.

Further, the rating agencies state the importance of maintaining the independence of the risk function as well as ensuring a coordinated approach with the audit function and the Chief Financial Officer.

Approach proposed by consulting companies

Consulting companies, while reiterating the methodology indicated by the rating agencies, advocate the importance of maintaining a ‘Risk Dashboard’ or a ‘Risk Register’ which helps periodic reviews on the efficacy of the risk management practices. Further, they state that the ultimate aim of the risk management framework of the company would be to integrate the function with business strategy.

Another methodology suggested by them in  driving an effective risk management framework is internally  highlighting the risk items as heat zones. A commonly used tool is the “Heat Map” which illustrates the strength or weakness of the risk profile. This can be effectively classified through inputs scores through high level risk audit findings, risk workshops (self-audit) and benchmarking. It is important to define the critical risk control areas and measure the extent of controls that exist. It is imperative that efforts are focused on controlling the critical risk areas where gaps exist.

With increasing market complexity, ever increasing global regulatory requirements and customers demanding newer innovative products; there is a need to reinforce Enterprise-wide Risk Management. Effective risk management fosters an operating environment characterized by prudent risk profiling while seizing available market opportunities.

Conclusion

Risk management for an entity i s a comprehensive management imperative that takes into consideration every facet of risk exposure. Besides, the ancient styles of managing the risks as and when they arise are no   more functional in a world that is ever so dynamic, and where even to consider that one is above a particular risk could prove foolhardy.

Anticipating the risks well in advance and gearing up oneself to tackle the negative outcomes is more the order of the day. In this aspect, the top management has to ensure that these practices have percolated into the  organization’s culture. Especially at a time when the clientele is always on the prowl to watch the performance of the entity, embracing fire fighting methods alone can ensure that corporates eventually succeed.

It does not need to be emphasized that risk management is all the more pertinent in a business like insurance where the policyholders have transferred their risks to the players; and look forward to being compensated when the eventuality arises. Even the slightest failure in such a scenario would create a dent in the reputation of the players; and it is one’s guess as to what it would lead to, in a severely competitive environment. Risk management thus has to take a wholesome view of all the possible areas of risk exposure and gear up to face even the worst case scenarios.

How ironical that we keep talking about the importance of risk management; and to be prepared always for eventualities. And how often do the risk management strategies look so meek when nature strikes! Just as we are going to the press, news about the devastating earthquake and tsunami in Japan comes in; and nature’s fury is the victor again. Although the extent of damage and assessment of the losses would take some more time to be known, there is absolutely no doubt that the losses in every sense of the word are going to be colossal – for the humanity, for corporate entities as also for the insurers.


Author

Dr. Ashish Barua

MA.MBA,PhD,DLitt(Economics),PGDBA,PGDMM

Former Associate Professor,Indian Institute of Rural Management

Co-Chairman Center For Banking and Financial Institution

Professor & Proctor,School of Insurance

Member Insurance Research Board

National Law University, Jodhpur


Published : The Insurance Times – February 2013