Tag Archives: ERM

Spotlight on operational and reputational risk

macdonnell-bridgetOperational and reputational risks have become areas of greater focus in recent times. There have been so many high-profile operational risk events that it is clear how important operational risk management is for all companies—Anthem, Volkswagen, and UBS are just a few examples of companies that have suffered significant losses because of operational risk events. In addition, for every publicly reported incident there are sure to be a host of smaller cases, which have not been large enough to hit the headlines, and which, of course, can have a cumulative detrimental effect over time. There is also a somewhat invisible aspect to operational risk, given that the damage does not always affect physical assets. Information can be stolen through a cyber breach, agents can act in their own interests, fraudulent activity can happen, and all of these events can go undetected.

Operational risk can also contribute to other risks that undertakings face, particularly reputational risk—a risk we don’t always fully appreciate until the damage is done. There are many strategies and marketing campaigns aimed at ‘one brand’ and ‘one vision’ which show the value organisations place on their reputations. Yet reputational risk management is not always given the attention it deserves. It’s worth pausing for a moment to take a closer look at operational and reputational risk management.

Operational risk
The challenges of quantifying operational risk are numerous—they include the lack of data to properly calibrate models and there are also challenges in relation to the models themselves. For example, the major shortcomings of the Solvency II standard formula calculation of operational risk capital are highly topical at the moment. Under Solvency II, operational risk capital must be held as part of the company’s Pillar 1 capital requirements. Criticism of this factor-based calculation includes its failure to capture many relevant elements of a company’s risk profile, such as the operating model and the specific processes within the company.

Interestingly, the solvency regime in Switzerland (known as the ‘Swiss Solvency Test’) does not require operational risk capital to be held. Rather, operational risk is considered as part of the company’s risk management, therefore treating it as a Pillar 2, as opposed to a Pillar 1, issue. Earlier this year, the Basel Committee on Banking Supervision imposed an outright ban on operational risk internal models for banks, acknowledging the widely differing approaches and complex modelling of this risk within the industry. Whether or not such developments will flow over to the EU (re)insurance solvency regime remains to be seen, but regardless of where operational risk sits from a regulatory perspective it is nonetheless an area where there are increasingly sophisticated methods being used in companies’ own risk assessments, such as, for example, Bayesian Network modelling.

For those who may be unfamiliar with Bayesian Network modelling, it is a technique that is gaining more and more traction as companies continue to develop their understanding of their operational risk exposures. This technique aids the understanding of operational risk exposures through workshops with various experts within the business, in order to establish the key underlying drivers of operational exposure and the relationships between these drivers. They are often not obvious at first glance and tend to involve quite nonlinear relationships. Once these exposures are well understood, the company can focus its attention on managing and mitigating the risks.

Continue reading

What role should the c-suite have in creating business value through enterprise risk management?

Enterprise risk management (ERM) is at its most effective when it informs every aspect of the business and when the ERM framework is continually evaluated and updated. A key objective for senior management and board members should be to foster a risk-aware culture across the organization, and to actively monitor and update ERM.

A new paper entitled “The role of top management and the board in ERM” by Milliman’s Mark Stephens, Olivia Wang, and Vikas Shah assesses the characteristics of executives at companies with the best ERM frameworks. The paper takes a look at companies labeled “Trendsetters” in the Milliman Risk Institute’s 2014 ERM survey.

For more perspective on the survey, read this seven-part blog series.

Considerations for the new ORSA guidance

The National Association of Insurance Commissioners (NAIC) launched its Solvency Modernization Initiative to establish an Own Risk and Solvency Assessment (ORSA) similar to the European Union’s Solvency II directive. The ORSA guidance is designed to give regulators the capability to examine and evaluate the strength of an insurer’s enterprise risk management (ERM) framework.

In a new paper entitled “Planning for NAIC ORSA,” Milliman’s Wayne Blackburn, Matt Killough, Joy Schwartzman, and Conning’s Chris Suchar provide perspective on how insurers can develop ERM risk assessment practices suitable to the company’s risk profile and size. Here is an excerpt:

…There is a broad spectrum of activities that insurers should consider when developing a risk assessment framework.

Qualitative vs. quantitative assessment
The Guidance Manual allows for the possibility that some risks are not amenable to quantification, and that qualitative approaches may be appropriate for such risks, citing operational and reputational risks as specific examples. It is true that it is no simple task to quantify the probability and severity of loss from such risks, and even insurers with relatively sophisticated ERM frameworks have often resorted to purely qualitative approaches to them. The actuaries and investment professionals employed by the insurance industry have developed sophisticated tools for quantifying balance sheet risks, but insurance companies have not historically devoted significant resources to developing similarly sophisticated quantification methods for operational and strategic risk. Continued reliance on qualitative methods will likely be viewed as low-hanging fruit for insurers looking to minimize the investment of further resources in satisfying the ORSA requirements.

There is an opportunity here, however, for insurers interested in truly improving their risk management processes. In this age of extremely rapid innovation, strategic risk could well be the most significant risk facing many insurers, and companies would be well-advised to bring every available tool to bear. Tools have been developed to assist management in turning their qualitative understanding of such risks into quantitative probability distributions. Often the process itself can be its own reward: Forcing managers to think about these risks in new and unfamiliar ways can be an extremely effective tool in helping them find new risk management strategies. It is interesting to note that the Solvency II ORSA requirement is less flexible than the NAIC in this area. European companies will be required to quantify every risk.

Continue reading

Areas to which ERM programs are explicitly linked

Note: This is the 18th, and final, in a series of blog posts looking at key findings of a Milliman survey on enterprise risk management (ERM) sent to more than 1,000 CFOs, CROs, and ERM directors in the first quarter of 2012. More findings may be found here.

ERM is most frequently linked to risk transfer strategies, capital management, and strategy development. Linkage to performance management, product development, incentive management, and operating plans is lagging, as shown in Figure 18. It is interesting that some respondents indicated that their ERM programs are linked to risk transfer strategies because most operational and strategic risks cannot be mitigated with these strategies. The cost vs. value of ERM programs will appear more favorable once linkage is shown with operating plans, strategic planning, and incentive management.

It is well known that financial services firms use ERM strategies and techniques in conjunction with capital management, new product design, and strategy and financial planning. There is also increased linkage of ERM to operating plans for general corporates. This may signal more acceptance of ERM techniques around risk assessment by the operating companies and business units.

Ways to improve the maturity level and resulting value of ERM programs

Note: This is the 17th in a series of blog posts looking at key findings of a Milliman survey on enterprise risk management (ERM) sent to more than 1,000 CFOs, CROs, and ERM directors in the first quarter of 2012. More findings may be found here.

As seen in Figure 17, future development of the maturity and value of ERM programs will consist of:

  • Linking ERM with strategy development
  • Developing an emerging risk process
  • Moving from qualitative to quantitative risk assessments
  • Integrating ERM with performance management

ERM, when done effectively, should support the decision-making process in organizations. Strategic plans should be risk adjusted. A risk-adjusted strategic planning session can be an important component of the annual budget process because it can highlight risks and opportunities not previously considered.

An emerging risk process should be an important component of any ERM program. A simple process to identify, analyze, monitor, report, and communicate future risk information should be developed in all organizations. A complete risk assessment may not be necessary unless the emerging risk impact grows from one assessment period to the next.

As organizations move from qualitative to more quantitative risk assessments, they will start to provide much better information to their decision makers. Not only will they be collecting data on expected loss, but also on unexpected loss, which most organizations do not assess. Many organizations budget for expected loss, but it is the unexpected loss, especially those tail-event losses, that can cripple an organization. Moving from single-loss-distribution to aggregated-loss-distribution modeling can assist organizations with their mitigation capital and strategies. Credit and market losses are modeled by most organizations, and projected losses can be mitigated through hedging and risk transfer strategies. Finally, understanding risk relationships will substantially improve an organization’s ability to understand expected and unexpected loss.

Benefits of an ERM program

Note: This is the 16th in a series of blog posts looking at key findings of a Milliman survey on enterprise risk management (ERM) sent to more than 1,000 CFOs, CROs, and ERM directors in the first quarter of 2012. More findings may be found here.

Although compliance and BOD responsibilities for risk oversight still dominate ERM program benefits, risk reduction of likelihood/impact levels is growing quickly. The survey results shown in Figure 16 support this.

It is interesting to note that none of the respondents linked the benefits of their ERM programs to an increase in stock price or a reduction in stock price volatility. In February 2010, Standard and Poor’s (S&P) published the report “Enterprise Risk Management Continues to Show Its Value for North American and Bermudan Insurers,” which links effective ERM programs to increases in share value and reduced volatility in earnings. In the report, Howard Rosen, the primary credit analyst, says in part:

Although average stock prices declined among all public multiline insurers in 2008, companies with more advanced ERM programs experienced smaller stock price reductions. Those companies whose stock performance was better (i.e., those whose price declines were smaller) had received higher ERM scores. On the other hand, those companies whose stock prices had larger declines had lower ERM scores. This is consistent with Standard & Poor’s view that more robust ERM programs are the most valuable in times of more pronounced stress. Looking at ERM scores relative to stock performance in 2009 reveals a different pattern….

Companies with Excellent and Strong ERM scores—companies whose stock prices performed better during the more stressful 2008—still improved during 2009, but didn’t need to perform as well as companies with lower ERM scores to return to their pre-2008 levels of performance…

This report was updated in May 2011 with the same results.