Insurers Are in the Game

Since the business of insurance is risk management, it's not surprising that the majority of insurers have standards of practice for monitoring, managing and mitigating risk. What's more surprising is that enterprise risk management (ERM) - identifying, prioritizing, quantifying, mitigating and financing risks from all sources across an enterprise - seems to be catching on fairly quickly.

That's a conclusion of a recent survey by New York-based Ernst & Young's Insurance and Actuarial Advisory Services (IAAS), which found that 67% of insurers have a formal ERM committee. Of that 67%, 33% formed their ERM committee within the last three years. Another 21% of respondents say their organizations are considering establishing such a committee.

What's more, more than half of the current operational risk and compliance/regulatory committees have been formed in the last three years, and chief risk officers (CRO) now have more input in overall company decisions, whereas CROs didn't even exist a few years ago.

Ernst & Young recognized the shift and asked a group of 24 companies - a mix of life/health lines (46%), property/casualty lines (21%) and multi-lines (33%) - to participate in its Insurance Industry Risk Leadership survey. Ernst & Young in November 2005 held a roundtable meeting of survey participants to gain insight into the current state and future plans of insurers when it comes to ERM.

Several areas are demanding attention. For example, aggregation and diversification of risk measurement were mentioned by participants, and operational risk was identified as the most significant issue insurers face, though most are in the early days of addressing it.

Why so significant?

Perhaps one of the first obstacles is that the definition of operational risk differs from industry to industry - and more importantly, from company to company.

"There have been a number of attempts to define it. The one that most people tend to gravitate toward is one that has been raised by bank regulators," says Prakash Shimpi, global enterprise risk management practice leader at the Tillinghast division of Towers Perrin, New York. The Risk Management Association, Philadelphia, identifies the definition of operational risk management used by the banking industry as "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events."

No matter what the exact definition, managing operational risks is fairly new to insurers, and because of that, they often don't have structured approaches for risk identification, risk prioritization, and risk measurement, for example, notes Mike Hughes, a principal with Ernst & Young's IAAS practice.

"So, part of what companies are starting to deal with is putting the processes in place to help assess the key risks they should be focusing on - and even more so on the operational side," he says. "And the measurement of operational risk is really in its infancy."

In fact, measuring operational risk has proved to be a major setback in ERM implementation. "[Measuring operational risk] is not so much a technology-enabled process as it is a qualitative process," Hughes says. "You need to get the business people to think about what the inherent risks are in their market and in their processes."

Positive results expected

Even with the work that needs to be done, half of the E&Y survey respondents expect positive results. While 33% of survey respondents only partially measure operational risk across the enterprise and 29% reported operational risk is not measured at all, a full 54% of survey respondents expect to measure operational risk across the enterprise by 2007.

Key to that success is internal development of ERM, according to John Phelps, director of risk management at Blue Cross and Blue Shield of Florida (BCBSF), a Jacksonville-based health insurer with $6.49 billion in revenue and 9,500 employees. Phelps says time spent with consultants can actually be a setback. "Enterprise risk management is very focused on the operations of a particular business, and I've found it took a lot of time to get consultants up to speed. [ERM] is something that should be grown inside an organization. It's an organic process."

A broader problem of operational risk management is the amount of data and the number of business areas - some with no experience assessing this type of risk - that need to be involved. BCBSF's Phelps, for instance, tried taking a strategic list of risks into the operational areas, but that didn't work.

"It was at such a high level, people in those areas couldn't relate to it," he says. "I was handing them something that may as well have been in Chinese."

This forced him and his group to start working on risk profiling, which he says is at the operational risk level.

Tillinghast's Shimpi concurs that methodology - how insurers identify risks and what effect they have on the financial performance of the firm - and tools are still lacking to assess and manage operational risk.

"Many operational risks are small and insignificant but frequent, so [it's possible to gather lots of data and fine-tune that]," he says.

In addition, there are operational risks that are significant but infrequent. As a result, "event databases" may be helpful, but they may not necessarily provide a good measurement of future outcomes. "These tools and models are in development, but methodology is still evolving," he says.

A solution

The fundamental shift in thinking for the operational areas to go from risk management to enterprise risk management obviously will require education and training, but it will also require some tools, notes BCBSF's Phelps.

"If you aren't supplying these tools, whether it's a system or a simple Excel spreadsheet, you're not giving people what they need, so you're not going to get to where enterprise risk management needs to be," he says.

That is where the enterprise risk manager works with the entire organization - not just the risk management department - to manage enterprise risk. To provide such a tool, BCBSF turned to LogicManager Inc., a risk management software provider based in Burlington, Mass. The tool, which is designed to evaluate and aggregate risk across the company, is currently being implemented.

"We have people who manage risks associated with contracting with providers, and we have people managing the risks of finance," Phelps says.

But the problem is knowing how these risks affect each other. "With this system, I have a dashboard to view the aggregation of risk across the company," he says. "I click on something like organizational issues, and I can drill down." There are about 12 risks under organizational issues, including insufficient staff, key stakeholder support and the ongoing impact of organizational changes.

With this system Phelps can identify certain risks, such as privacy.

"As a health insurance company, privacy is serious," he notes. The dashboard will enable Phelps to quantify its privacy risk in its contracting area, its claims area or in customer service, for example.

"The LogicManager software aggregates that risk for a view across the company," he says.

The system is also providing root causes of risk, according to Phelps. "It tells me where most of my risk is coming from. So we can go back to those areas in a proactive way - or go back to those departments and work with them to mitigate those risks."

Even mitigation is improved by using this tool, says Phelps. It provides a method for tying risk mitigation steps with evaluation by creating risk indices. "We'll be able to compare before and after the mitigation, and the system provides a metric for us to see if the bang is worth the buck," Phelps says.

Standards Needed, But No Concerted Push

Could standardization be another aid in managing operational risk? Industry experts believe it may be a part of the future. Respondents to an Ernst & Young LLC Insurance Industry Risk Leadership survey expressed strong support for standard definitions, metrics and methodologies.

But at a subsequent roundtable held by Ernst & Young, some of them commented that, unlike Basel II for banks or Solvency II for insurers in Europe, there is no concerted push for insurance industry standards either by governing bodies or industry groups in the United States. Several roundtable attendees commented that while U.S. regulators have yet to make risk measurement standardization a front-burner issue, the rating agencies have "opened the door."

Prakash Shimpi, global practice leader at the Tillinghast division of Towers Perrin, sees standards in the future. "With Solvency II in Europe, those kinds of rules that require firms to look at risks and do simulations are coming," he says. "So it's only natural that the scope of risks will embrace operational risk as well. The only questions are how specific, how precisely and what methods will be acceptable."
