Management Dynamics

This paper discusses a framework for ERM with particular emphasis on the life insurance industry. The ERM framework involves eight key features ranging from governance aspects to risk management policy, risk tolerance, own risk and solvency assessment, capital assessment on economic and supervisory basis and continuity analysis. Given that the life insurance industry is a regulated industry, the supervisory role is an important feature of the ERM framework. The paper highlights the different stages of ERM maturity, starting with a compliance orientation and ending at the highest stage with linkage to strategy and value creation. The insurance industry is currently somewhere in between, but there are a lot of differences in the maturity of ERM within the industry. Embedding ERM is a significant challenge for the industry, with quantification of economic capital, embedding risk management into decision making and dealing with operational risk being some of the primary ones that the life insurance industry is facing. Actuaries have played an important role in risk management of insurance companies for several years and their skills are well suited to take leading roles in ERM. This will however require them to not only possess technical skills but also rise to the challenge of dealing with non-quantifiable risks, change management and communication with senior management and board. ERM combines the three key elements of insurance risk, capital and value. By integrating these elements insurers are able to enhance performance assessment at a more granular level, reflecting the risks underlying the business and identifying opportunities of taking more risk to create shareholder value.



INTRODUCTION
ERM has been implemented by insurers to improve their management practices and business performance. The emergence of ERM has been one of the biggest changes in the corporate world in the last decade. Whilst the financial services industry has been one of the biggest proponents of ERM, other industries like energy, pharmaceuticals and civil engineering have also developed the field.
The emergence of ERM does not imply that companies were not practising risk management earlier; it's just that it was being done in various functions and not in a coordinated manner across the enterprise.
ERM has become an integral part of the three key elements of insurance: risk, value and capital. Indeed these elements are generic across industries but our focus in the paper is on the life insurance industry. Since insurance involves transfer of risk, its identification, assessment, management, mitigation, transfer and control is key to success in the insurance business. Value assessments of insurers need to appropriately reflect the amount of risk the enterprise is exposed to. The link between the two will become clearer when we consider the third key element of insurance: capital. The level of risk determines the amount of capital held by the enterprise. For example, the lower the company's exposure to operational risk, the lower the amount of capital it needs to hold against this risk. This will lower the charges to the customer or increase the profits for the insurer at a given price, thereby adding value. Since holding capital has an associated cost, the value of the enterprise is inextricably linked to the amount of capital held and thus the level of risk.
This paper introduces an ERM framework in Section 2. Ensuring a robust ERM framework is key to driving value for an insurance company and indeed will lead to value that is created considering the risk exposure of the entity. It also leads to effective capital management, which is a key link between risk and value. Successful implementation of ERM in any company requires many steps to be taken over time and thus we focus on the various elements of the framework in some detail.
As the risks faced by insurers get more complex and intertwined, having a robust ERM framework is seen as a critical success factor for the insurance industry. This is vindicated by the level of interest taken by insurance supervisors in ensuring risk management practices are embedded in insurance companies. Solvency frameworks developed or in development for the industry are placing great emphasis on risk management.
The traditional way of managing risk in a silo functional way has yielded to a more comprehensive management of risk across the enterprise. Risk typically denotes something avoidable with a downside impact on our goals. As risk management has evolved it is now recognized that it is no longer only about managing downside risk but also about recognizing areas where a greater amount of risk should be taken to increase the enterprise value.

Deputy Chief Actuary, Max New York Life Insurance Company Limited. E-mail: sanchit.maini@maxnewyorklife.com. Management Dynamics, Volume 9, Number 1 (2009)

WHAT IS ENTERPRISE RISK MANAGEMENT?
There are several definitions of ERM and no single universally accepted one. The key words that are associated with ERM commonly are 'holistic', 'integrated', 'enterprise-wide', 'top-down', 'strategic', 'value  including senior management support, linkage of ERM with strategy and a clear segregation of line management roles and risk management roles.
Source: 'The Role of ERM in Ratings', Mark Puccia, Standard & Poor's, 2007

ERM FRAMEWORK
Insurers embarking upon ERM will soon realize that it is a long and hard journey with several stages of development. The International Association of Insurance Supervisors (IAIS) has identified eight key features of ERM.
The rest of this section briefly discusses each of the features. It is not the intention of this paper to provide a detailed account of each of these features; instead we focus on the key framework that is required for a successful implementation of ERM in life insurance companies. Note that there are several papers that focus on specific features in greater detail. In the subsequent sections each of these features is discussed.

GOVERNANCE AND RISK MANAGEMENT FRAMEWORK
Corporate governance has received increasing attention in recent years after the fall of large established companies such as Enron. Corporate governance enables performance improvements for the benefit of the various stakeholders in life insurance ranging from policyholders, shareholders, regulators and others.
Each insurer must establish as part of its governance structure an ERM framework that suits the size, nature and complexity of the business and risks. This framework should incorporate all the foreseeable and material risks to the business together with a well constructed risk management policy. The framework should consider the behavioural expectations that the insurer wishes to drive towards. The framework needs to enable risk quantification for the purpose of solvency and capital management. The framework must be adequately documented with detailed descriptions of all the risks.

ERM and the Role of Board
The Board is ultimately responsible for the insurer's ERM framework. Having this responsibility therefore means:

• Approving the overall risk management strategy and policy;
• Setting the risk appetite of the insurer;
• Monitoring key risks on a regular basis through successful implementation of a risk management and internal controls framework;

In order to achieve these responsibilities the Board will establish a risk committee with a charter that might include:

• Effectiveness of the ERM framework;
• Compliance with any supervisory requirements;
• Establishing an independent risk function with appropriate staff and authority;
• Monitoring the adequacy of the capital and solvency resources

It is important to establish the independence of the risk function to prevent withholding of information from the Board.

Board and Management Responsibilities
The Board will not be responsible for the day-to-day running of the risk function, which will of course lie with the management. The Board's role is to frame the strategy and to monitor and oversee the management's role. A risk management committee must also challenge management's assessment of risks.
The key link between the Board and the management is the insurer's CEO. Typically this would be achieved by the Board issuing a letter of delegated authority to the CEO. The CEO in turn would issue similar letters to other members of senior management. Ensuring that risk management is part of the CEO's responsibilities and performance evaluation is an effective way of embedding the risk management culture in the insurance company. The responsibilities might include, for example, promoting and embedding the risk management and control framework in the company together with clearly set out risk tolerance limits; providing assurance to the Board on the effectiveness and adequacy of risk management and the control systems; and promoting a culture in the company that does not tolerate a compromise in prudent risk management practices.

Enterprise Risk Function and the Chief Risk Officer
An important step in the ERM journey for an insurance company is to appoint a Chief Risk Officer (CRO). The CRO will have to contend with several silo functions managing various risks which might include:
The CRO's role is a challenging one, particularly since it involves changes to the organization design and challenging the existing paradigms including the strategic choices of the insurer. A key task for the CRO is to establish whether an approved risk tolerance policy exists and, if not, establish one. The risk tolerance policy then needs to be translated into daily actions, for example in product development, underwriting and investment management. It is important to maintain the independence of the CRO from the business units that ultimately produce value for the insurer and in doing so take risk.
For large insurers there may be a need to continue having separate risk committees for areas such as investment risk (to include market, credit and liquidity risks), pricing and underwriting risk and operational risk. Successful implementation of the ERM framework will require the enterprise risk function to establish processes that ensure each of the risk committees assesses risks consistently and acts in a coordinated manner.

The enterprise risk function will need to be staffed with a mix of skills, capabilities and experience. In addition to technical skills, project and change management skills may turn out to be very useful.

Role of Internal Audit
Some companies start out an ERM implementation by allocating it to the internal audit function. This practice is only likely to lead to short term gains by providing assurance to the board but is not likely to be an effective solution in the medium and long term. It may also send a message to the wider enterprise that the ERM function is truly an assurance or compliance task. It is now being recognised that the ERM and audit function should be separated.

Role of Rating Agencies
Risk management has always been an important element of evaluation for rating agencies. Over time it has become more explicit, particularly for some of the rating agencies like Standard & Poor's. Standard & Poor's treats ERM as the eighth pillar in its rating process, focusing on the areas of risk management culture, risk controls, emerging risk management, risk and capital models and strategic risk management.

RISK MANAGEMENT POLICY
An insurer's risk management policy considers the links between its risk tolerance policy, regulatory and economic capital and the processes set up for monitoring risks. There are several critical aspects to consider while setting up a risk management policy:

• Risk management philosophy and its strategic objectives including linkage with capital and value creation;
• Risk management and its role in the insurer's vision, mission and values;
• Description of the critical processes where risk management is embedded like capital and value management, products, underwriting, investments and performance management;
• Compliance with any regulatory requirements for risk management policy;
• Risk categorization and definitions including terminology;
• Governance, committees, roles and responsibilities;
• Process set up for reviewing the risk management policy

RISK TOLERANCE STATEMENT
A risk tolerance statement establishes the insurer's quantitative and qualitative tolerance levels for the various risks considering the relationships between the risks. By definition, formulation of such a statement would be underpinned by the insurer's strategic objectives. Therefore the formulation of the risk tolerance statement ought to be done by the board together with the involvement of the CRO. Linkages of the overall strategic objectives with the plans of the various business units will lead to the tolerance limits being decided at the business unit level.
Such tolerance limits identify thresholds beyond which the plans and the strategic objectives are under threat. These tolerance limits need to be set against agreed upon deviations in the key metrics of the business plan. This will help achieve a linkage with the strategic objectives and translate the tolerance limits into commonly understood business metrics.
Examples of statements that might be contained within a risk tolerance statement include:

• Lines of business or products that the firm will or will not enter;
• Maintaining insurance reserves (or technical provisions) to target a probability of adequacy;
• Targeting a minimum level of liquid assets;
• Investment mandates for both policyholder and shareholder funds;
• Limits on the use of derivatives;
• Operational risk policies including limits on outsourcing, business interruption, systems downtime, fraud, health and safety.

In developing a risk tolerance statement insurers must consider their current risk profile, risk capacity in terms of financial, operational and reputational capacity and finally the risk tolerance limits considering the other two elements together with the strategic objectives and market positioning.
The graph below depicts how risk tolerance can be determined by asking what confidence level is acceptable for each of a number of adverse scenarios.

[Figure: Risk Tolerance Curve]

focuses on the quantification of risk into capital. Risk profiling involves an assessment of risk at both the inherent and residual levels. Inherent risk is the risk to an enterprise without the application of any management action to alter the risk's likelihood or impact. Residual risk is the remaining risk after the application of management action to alter the risk's likelihood or impact.
An understanding of risks at both levels is important to identify the risks whose likelihood/impact is significantly altered by the application of management action, i.e. high inherent risks/low residual risks. Pricing and underwriting risks are examples of such risks. Such an exercise can also identify those risks where the existing controls are excessive, i.e. low inherent/low residual risks.

Risk Modelling Techniques
Several statistical and modelling techniques are used to quantify the risks by insurers. Some of these are captured in the table below:

ECONOMIC AND SUPERVISORY CAPITAL
Within the framework of ORSA an insurer should determine the economic capital it needs to manage its business given its risk tolerance and business plan. This includes ensuring that the supervisory requirements are met. The risk management actions undertaken by the insurer should then be based on the available economic capital, the supervisory capital requirements and financial resources.
The raison d'être of the insurance business is to accept risk by charging a fair premium for it. The premium must be sufficient to meet the claims, expenses and provide a return on capital to the shareholders. Efficient management of risk is critical to ensure the adequacy of return on capital as it can reduce the amount of capital required for these risks.
To quantify the efficacy of the risk management program, economic capital modelling can be quite useful. It essentially provides information about the likely impact of various plausible but adverse events on the emerging profit through the net impact on assets and liabilities. The models also provide indications of the risk of failure under these events. The users of economic capital models include supervisors, shareholders and insurance companies. An important distinction to note here is that economic capital models may be developed by supervisors and by individual insurers. The former will be generic models whereas the latter are known as 'internal models' which take into account the risk profile of the insurer. It is expected that the internal models provide more accurate assessments of the capital requirements and are therefore more useful for management action.
Economic capital models have developed to not only capture the enterprise wide capital requirements but also to allocate these into business units in order to abet decision making. Capital allocation may be done by channel, business unit or even product lines in order to better understand the value created relative to the capital consumed.
Effective capital management will result in risk being converted to value creation. We do not delve into further details of economic capital modelling in this paper as it is a topic which deserves a separate paper by itself.

CONTINUITY ANALYSIS
Continuity analysis refers to the ability of the insurer to continue its business and the risk management and financial resources required to do so over a long term horizon. The horizon used is typically longer than that considered for determining supervisory capital requirements. Continuity analysis will include the following:

• Quantitative analysis: capital planning
• Qualitative analysis: business continuity planning
• Crisis management and contingency planning

Capital planning can be used for economic capital requirements, disaster planning, investment strategy, M&A, capital allocation, reinsurance strategy and optimising business mix. It is also a key requirement of liability valuation through the risk capital margin requirement within the economic capital framework. The risk capital margin is essentially a cost of capital which requires the run-off of the capital over the liability duration.
Business continuity planning (BCP) is an integral aspect of operational risk management. It enables businesses to anticipate, identify and assess business interruption risks. A well documented and tested BCP reduces the impact of business interruption on the essential business processes and its reputation. Crisis management reduces the impact and loss in the event of a significant incident by framing a response strategy along with well defined procedures. The aim is to ensure the insurer's management acts quickly when an event occurs to mitigate the impact on business metrics like earnings, capital or reputation.

EMBEDDING ERM
Embedding ERM in life insurers remains a challenge. A survey by Tillinghast in 2008 indicated six major areas of improvement.

Embedding ERM and Economic Capital
Significant work is required to improve the use of economic capital in performance management and decision making. Insurers are currently focusing on getting the basic elements of economic capital models right with areas like improvement in modelling methodology for individual risks, data quality and extension of the number of risks covered.

Large insurers
Large insurers have made more progress implementing ERM and are looking to use it as a means of competitive advantage. Many more large insurers use economic capital compared to medium and small sized insurers. They also lead in terms of utilising economic capital in decision making.

Regional differences
European insurers are more advanced compared to North American insurers in economic capital implementation. Solvency II will lead to lower capital requirements with internal economic capital models and will therefore be a source of competitive advantage.
Another area of difference is that a higher proportion of European insurers have documented their risk tolerance statements.

ERM and decision making
Insurers that have implemented ERM indicate it is influencing business decisions. These include areas such as risk appetite, asset strategy, reinsurance strategy and product pricing.

Economic Capital standards
Economic capital standards are emerging and converging towards a one year value at risk approach together with a market consistent terminal balance sheet. Tail value at risk is most commonly adopted by reinsurers, which is not surprising given the greater preponderance of low frequency and high severity events for them.

Operational Risk
Operational risk continues to remain an area of weakness for most insurers. This reflects the difficulty in quantifying operational risk.

CONCLUDING REMARKS
This paper has briefly covered some implementation aspects of ERM, highlighting that it is much more than the use of complex models. However, converting risk into capital does form an important element of ERM. There are significant challenges in implementing ERM with the lack of standard templates that could be applied to all companies. Successful implementation of ERM will require tailoring for the operating model of the insurer. A significant barrier to success is the entrenched culture in the insurer and the ability to embed ERM across the organisation. Regulatory as well as commercial reasons will drive greater interest in ERM implementation in the insurance industry.
Actuaries have historically played an important role in the risk management of insurance companies and are well suited to continue doing so. Indeed actuaries would like to be considered for such roles in other industries as well.