A Rising Tide for Risk Managers

With its cornucopian mix of natural disasters, economic brinksmanship and political upheaval, the past year has provided ample grist to test the mettle of risk managers. In the United States, 2011 produced the most billion-dollar storms of any year on record.

While the earthquake-induced tsunami that leveled Japan struck without warning, other events, from floods that subsumed Thailand to events in Tahir Square, unfolded gradually. One commonality was how each laid bare the increasingly complex and interconnected nature of risk.

In the case of Japan and Thailand, the initial focus was rightfully on the frightful human cost of the disasters. Nonetheless, over the longer term each also revealed the inherent fragility of supply chains that now span the globe. In the case of Thailand, the world's largest producer of hard drives, the floods left computer and server manufacturers short of critical components. Paired with the stratospheric demand for storage, the constricted supply of hard drives meant unexpectedly high storage costs for data centers across industries.

"Cyber risk, business continuity and climate changes are leading to risks around the supply chain," says Mike Kerner, CEO of Zurich Global Corporate in North America. "Who would have thought that heavy rains in Northern Thailand could have such a large impact on logistics, manufacturing and procurement for IT folks? Our level of global interconnectedness and the speed of play in business are making risks bigger and more complex."

Likewise, the events in the Middle East created another under-appreciated relationship-that between technology and potential political and social upheaval. If the Arab Spring demonstrated the power of social media technologies to advance the cause of personal freedom, the role of Twitter in facilitating the riots in London last summer is also instructive.

It is this very need to better understand these interconnectivities that "Global Risks 2012," a new report from the World Economic Forum, seeks to elucidate. The report, now in its seventh edition and a product of the WEF's Risk Response Network in collaboration with Marsh & McLennan Cos., Swiss Re, Zurich Financial Services and the Wharton Center for Risk Management, breaks down risk into five spheres: economic, environmental, geopolitical, societal and technological.

For each sphere, the report identifies a center of gravity. For example, in the economic sphere, the center is "chronic fiscal imbalances," which has attendant risks including rapid inflation or deflation, and recurring liquidity crises. Indeed, economic risks dominated the list in terms of likelihood (fiscal imbalances, severe income disparity) as well as potential impact (imbalances, major systemic, financial failure, extreme volatility in energy and agriculture prices).

As risks from separate spheres begin to intersect and hybridize, risk management becomes less about identifying individual risks than concatenations of them. This is not to say that risk managers have all categories of risk assayed with equal accuracy. A new McKinsey report, "The Next Frontier in Property/Casualty Insurance," identifies challenges surrounding risk management as a potential impediment to profitable growth.

McKinsey sees two areas of risk assessment as particularly in need of advances. The first is earthquake exposure. While the industry has made strides in making atmospheric models more reliable and granular, earthquake models have lagged. One reason is that unlike the annual spate of hurricanes and typhoons, large earthquakes that strike population centers are comparatively rare and thus furnish less data for analysis.

Moreover, the corollary damage that can arise from earthquakes, such as damage caused by fire, is often difficult to anticipate. McKinsey expects this deficiency to become acute as U.S.-based insurers expand internationally in search of growth in markets where building codes are variable. "As U.S. insurers continue to grow their international books, calibration becomes more challenging," the report states. "How many primary carriers or reinsurers understood the exposure in Chile? What if the earthquake had struck Santiago?"

The second area of risk assessment McKinsey identifies as wanting is casualty losses related to food, drugs, technology and terrorism. "The science of tracking property accumulations has become reasonably mature, building on the increase in major windstorms in the U.S. over the past decade," the report states. "Casualty exposures are much more difficult to track, because they are not centered in specific locations and litigation outcomes drive a major component of the damages."

The Operational Response

Given the complexity and the scale of the risk management challenge for carriers that operate globally, the corresponding response needs to be equally extensive from an organizational perspective. For example, a large carrier with multiple lines of businesses and geographies needs to assess risk separately at the departmental, business unit and corporate level, before assessing it as a whole. Yet, meshing these bottom-up and top-down views of risk is no mean feat.

Mike Foley, CEO of Zurich's North America Commercial Division, says that risk needs a clear owner, such as chief risk officer (CRO) in a large organization or CEO in a smaller one.

In addition, insurers must be careful that line management retains some responsibility for risk-it's no longer acceptable to report up on a risk to shirk responsibility. "There's an old adage that when multiple people are responsible for something, effectively nobody is responsible," he says. "There needs to be clear roles and responsibilities for all the parties involved in the risk management process so that complex risks can be understood and covered. Understanding these risks requires a very robust process, a strong structure and many people in the organization rowing in the right direction."

Zurich's Kerner says one way to foster this common sense of purpose is to make explicit the link between risk management and overall company strategy. "Risk management needs to be tied in with corporate goals and strategies so that it is not being done in a silo," he says. "Given what we see in current events, it's more important than ever that an ERM (enterprise risk management) process look across an organization."

Moreover, Kerner argues, insurers need to break ERM from being a reactive, stand-alone discipline to being a value-added, proactive component that permeates all core business activities. Thus, a truly successful risk management culture focuses on the growth and profit potential surrounding risk as much as the downside loss and balances, accordingly. "The important thing is to be risk-aware and not necessarily risk-adverse," he says. "We won't be able to avoid all risks, so we need to learn how to best manage it going forward."

As for the top-down fixes, Foley says boards can make clear their commitment to risk management by moving it out of the audit committee and into its own committee. "There's an increasing awareness on the part of executive boards for the need for risk management and an investment of resources, but there's also an acknowledgement that there is still a long way to go."

Erwann Michel-Kerjan, managing director of the Risk Management and Decision Processes Center at the Wharton School of the University of Pennsylvania, says the way risk management is perceived by corporate boards and executives is changing. The cavalcade of extraordinary events of the past decade-from 9/11 to Hurricane Katrina to the financial crisis-have reinforced the importance of risk management.

Michel-Kerjan sees proof of this in both the creation of CRO positions at many firms and the type of people filling the position. "Risk managers used to tell people what not to do," he says. "What I see emerging is risk managers whose expertise lies in working with others. What risk management ought to be doing is changing."

The Tools

To augment the personnel and organizational enhancements necessary to improve risk management, carriers can also obtain increasingly powerful and specialized technologies. Many insurers have invested heavily in business intelligence and predictive analytics in recent years to improve the work of their actuaries and underwriters. Underpinning these purchases, improvements in high-performance grid and cloud computing have helped insurers' more complex models and algorithms for valuations and stress-testing. Don Canning, VP of insurance for SunGard, says insurers' risk managers will benefit from the tools of the Big Data era in a variety of ways. "Big Data coupled with actuarial [data] feeds easily into broader enterprise risk management," he says.

While the dynamic scalability inherent in the cloud computing model fits well with the spiky demand pattern common to stochastic modeling usage by risk managers, other benefits include redundancy, which is especially helpful to insurers domiciled in disaster-prone regions. "Cloud plays a big role in risk management for localities that are challenged by disaster recovery," he says.

While better, faster technologies and more complex models can go a long way to improving risk management, they are not paramount. Michel-Kerjan, who has a background in mathematics and physics, says risk managers need to remain cognizant of the limitations of predictive models. "We learned the hard way: Should you trust your models? If you don't have a model, it is difficult. If you do have a model, don't be blinded by it. By definition it is made up of assumptions."

Canning, too, stresses that insurance risk managers need to continually question the assumptions underlying their patterns and behaviors. "You tend to get blinders on from an operational perspective, and you don't double-check yourself, so the only time people pay attention is when there is a shock," he says. "Risk management is a continuum that doesn't end. It never sleeps."

For reprint and licensing requests for this article, click here.
Security risk Data security
MORE FROM DIGITAL INSURANCE