Given the vertiginous swirl of the past few years, it's all too easy to forget the sheer magnitude of the calamities recently impacting the work of risk mangers: dyspeptic volcanoes in Iceland, ruinous earthquakes in Japan, New Zealand, Haiti and Chile, a large oil spill in the Gulf of Mexico, raging wildfires in Russia, massive flooding in Pakistan, political upheaval across the Middle East, a profusion of cyber crime, currency woes and the threat of sovereign default throughout the European Union.
These events come on the heels of the gravest financial crisis in decades which catalyzed a profound rewrite of the rules governing the financial services.
While most of us can view this paroxysm of events with a certain detachment, insurance companies and their risk managers are not afforded that luxury. Taken as whole, what do these events entail for risk managers at insurance companies?
Perhaps the most immediate effect has been to dispel, if only for a time, the notion that risk managers all descend directly from Cassandra. Prior to the financial crisis, the legitimate concerns of risk managers were often ignored and regarded as impediments to growth. Worse still, many came to regard risk management as a compliance program, where boxes are checked to appease regulators. In its June 2010 oversight report, The Congressional Oversight Panel noted that American International Group's infamous financial products division was able to keep risk managers and auditors at arms length. "While the problems at AIGFP can be viewed as a valuation and risk management failure, exacerbated by accounting issues, the life insurance subsidiaries' securities lending business was a blatant risk-management failure," the report states.
In the introduction to a report commissioned by the Casualty Actuarial Society, Canadian Institute of Actuaries and Society of Actuaries' Joint Risk Management Section, consultant Max Rudolph notes it often makes good economic sense-in the short-term-to discount the concerns of risk managers. "In a competitive market, business opportunities often go to those who mistakenly ignore significant risks," Rudolph wrote. "Risk managers who recognize a risk before others can encounter several downsides. Rather than enjoying the immediate benefits of a lucrative investment that may, however, be doomed in the long run, their organizations may, on the other hand, do poorly in the short-term and not survive long enough for a hedge to pay off."
This calculus now seems to be shifting. Lizabeth Zlatkus, EVP and chief risk officer, The Hartford Financial Services, says one positive consequence of this multitude of risks is that risk managers are having an easier time commanding attention and resources, noting that many CROs now report to boards and CEOs. "Risk management now has an enhanced prominence," Zlatkus said, addressing the 2011 ERM (enterprise risk management) Symposium in March.
Despite the upsurge in senior management's willingness to listen to risk managers, she still questions how long this higher profile is sustainable. "If the economy is booming five years from now, will this still be a board level concern?"
So what can risk managers do to entrench the primacy of ERM with senior management? First, they need to ensure they have sufficient modeling tools and human analytical capital at their disposal. Indeed, as insurers compete with other industries for talent in the Big Data, the former may be easier and cheaper to come by than the latter.
THE CULTURE
Yet risk management will not succeed if it is solely the province of a few dedicated risk mangers. Rather, risk managers need to strive to make ERM become part of the strategic decision-making process across the enterprise. "Risk models are a good tool, but an overall risk culture is more important," Zlatkus said. "It needs to be embedded in the firm's decision making."
Part of creating this enduring risk culture is facilitating the free interchange of ideas between people who may not interact with each other otherwise, whether it is underwriters and actuaries or accountants and claims personnel. Susan Cleaver, director, enterprise risk management, State Farm Insurance Co., says she relies on talent from the company's actuarial, underwriting and finance teams to augment the full-time employees on her team. An additional challenge revolves around crafting a common language about risk that everyone throughout the enterprise can understand. "Articulating an exact risk appetite is a tall order," she says.
Zlatkus agrees that assembling a diverse risk management team is essential in order to spur a wide range of ideas and avoid groupthink. "Risk management departments need people with business seasoning and different backgrounds," she says.
In addition to beefing up risk departments in numbers, insurers will need to create new governance structures that add to the risk function's authority and independence. The true goal is to encourage employees in individual business units to inculcate risk management in their everyday decisions.
Zlatkus says helping employees find the courage to ask unpopular questions is a primary undertaking for CROs. Thus, beyond their departments, risk managers need to enable managers and employees to speak up about activities they deem to be exceeding the company's stated risk appetite, even if that business is highly lucrative or seemingly detached from a company's core business. "People need to speak with conviction," she says. "If something seems too good to be true, it is."
Frank Petersmark, CIO advocate at insurance IT consultancy X by 2, adds that establishing an ERM program is as much a cultural shift as technological one. "It's not just about buying a couple of tools and building a database," he says. "ERM is more about changing your thinking about risk."
THE OPPORTUNITY
What should insurers now expect from ERM? Given the complexity of the ecosystem, spotting the next Black Swan may be asking too much. Petersmark says insurers need to avoid regarding ERM solely as a way to avoid the next big disaster. "You may not be able to model for every risk, but over time you should be able to recognize patterns and themes," he says.
Much as risk managers are wise to mix it up when assembling a team, they may also benefit from summoning their inner Gregor Mendel when assessing risks at a granular level. In a report on emerging risks, "Global Risks 2011, Sixth Edition," the World Economic Forum, notes that risk managers have recently encountered many risks that the markets did not anticipate, but would be better served to concentrate on identifying the interrelation of known risks. For example, the WEF's "macroeconomic imbalances nexus" clusters three separate economic risks-global imbalances and currency volatility, fiscal crises and asset price collapse-to gain a broader understanding.
Affording risk managers a view holistic enough to sythensize a broad group of risks can only be achieved, Petersmark says, if insurers continue to make progress busting information silos. "Ideally, you want people in disparate parts of company to use the same data to assess different risks," he says. "ERM will only be as good as the data, so the way information is organized has to be well thought through."
If approached in this manner, insurers should view ERM as an enabler. "ERM should be positioned as something that can help us analyze risks better than we could before and recognize opportunities that we didn't know that we had," Petersmark says. "Insurers will miss the boat if they don't think about ERM as a strategic approach to growth."
Compliance Risk Moves to the Fore
One persistent irony of the financialcrisis is that reform measures intended the mitigate the type of risks that sparked the immolation are themselves now giving risk managers pause.
Speaking at the 2011 ERM Symposium in Chicago, Greg Hayword, AVP and actuary, State Farm Insurance Co., said the rapid pace of regulatory reform itself presents challenges. "It's a daunting task to stay up to speed with all that the federal government, state governments and NAIC (National Association of Insurance Commissioners) are throwing at us," he says.
Indeed, one of the more pervasive concerns amongst insurers is the fear the Dodd-Frank Act (DFA), now in its implementation phase, will produce unintended and unforeseen consequences. Some worry that the law, intended to mitigate risk and create transparency, will instead complicate their efforts to hedge risk. As the laws surrounding capital become more onerous, the fear is liquidity will dry up in public exchanges as more money flows into unregulated "dark pools" run by hedge funds.
William Sergeant, director, State Farm Mutual Automobile Insurance Co., enumerated the concerns his company harbors about DFA. Foremost among these was the formula the newly established Financial Stability Oversight Council (FSOC) will use to determine "systemically important financial institutions." He stressed that the primary constituent of the formula, size of the institution, was an inexact yardstick considering the difference in business models between property/casualty insurers and, say, investment banks. "Insurance is fundamentally different and that should be acknowledged," he said. "There is little contagion risk in a traditional P&C insurance operation."
Sergeant said another primary concern was that a head of the incipient Federal Insurance Office has yet be named, depriving the FSOC of insurance expertise as it completes the rule-making phase. Even fully staffed, he questioned whether the FIO would have sufficient expertise to evaluate insurer ERM efforts and whether the new rules cross the line between management and regulator. "ERM is an evolving science, so I'm concerned about embedding overly prescriptive mandates in a model law," he says.
Another regulatory front for risk managers is the Solvency Modernization Initiative being undertaken by the NAIC. Sergeant was generally laudatory of NAIC's proposal for an Own Risk and Solvency Assessment for insurers but said, if enacted, the annual report runs the risk of duplicating state solvency efforts. "We support effective solvency regulation, but dumping thousands of pages of documents on regulators may not be the best solution," he said.
