Rating Agencies Assess Carriers' Use of ERM

Insurance has always been about risk, and insurance companies, armed with actuarial tables and reinsurance, have generally handled it well. But there are risks that go beyond the ordinary: storms that wipe out a city's worth of houses and businesses and create enormous correlative exposure; lawsuits that result in liability where none existed before, or threaten to remove exclusions. These sorts of risks can drain capital reserves and put the entire company in jeopardy.

To protect themselves, insurance companies increasingly step back and take a holistic, enterprisewide view of risk, and align their reserves to meet not just everyday actuarial and financial risk, but risks that cross organizational silos.

Enterprise risk management (ERM) is nothing new, says Prakash Shimpi, practice leader for ERM at Tillinghast, Towers Perrin in New York. His company has been using the term for about a decade, and Shimpi, along with colleagues at a former employer, wrote a book on the subject seven years ago. But lately, he says, interest in ERM has swelled from a trickle to a flood, especially among banks and insurance companies.

Why the interest? A.M. Best vice president Daniel Ryan sees ERM as a natural, evolutionary stage in the development of risk management. "It's really just a natural extension of what we've been doing, just the evolution of risk management," Ryan says. He notes that the 2004 and 2005 hurricane seasons may have nudged forward the evolution.

Adding further impetus is the recent tendency of rating agencies to check for ERM practices when they grade insurers. Some, such as Oldwick, N.J.-based A.M. Best and Fitch Ratings, New York, consider ERM an element of the overall quality of corporate governance and capital management. Others, notably New York-based Standard & Poor's, have specific ratings for ERM.

"At the end of the day," says Shimpi, "if we hear them correctly, what they're really saying is, 'We want to make sure ERM is not just something companies put in and do some calculations and walk away from.' We want to make sure that this becomes embedded as a management philosophy, that a culture of managing risk is embedded in the organization."

NOT APPROPRIATE FOR ALL

Although A.M. Best has issued a statement in support of ERM, Ryan notes that the presence of an ERM framework isn't something the company rates separately. "Unlike some of our counterparts, we do not have a separate rating category for it, nor is ERM a prerequisite," he says.

In fact, Ryan adds, a comprehensive ERM program isn't even appropriate for all companies. "You could have a small, single-state, single-line company that has been doing, say, inland marine for the past 75 years, and they may not need a comprehensive framework that gathers all their silos. Maybe there are only two silos, and they measure and manage that business very well and they have a track record that proves it."

While qualitative credit may be given to insurers that manage risk well, it's rolled into A.M. Best's assessment of overall quality of risk management and governance, Ryan says. "If a company has the capital level that is necessary to support the rating, and their performance is on par, and it can be determined that all the checks and balances are in place, then certainly there's going to be more qualitative credit or enhancement given to those particular companies.

"If you manage your risks in a way that we might find to be exceptional," Ryan continues, "there is an underlying perception that your earnings variability will be somewhat contained because of that. You're not going to have a level of variability because of the unknown, because you're not measuring."

It isn't necessarily A.M. Best's objective to encourage insurers, through its ratings, to adopt ERM programs, Ryan says. It all depends on the size and complexity of the organization. "We don't think it's a one-size-fits-all process. We would hope that in most cases, for larger companies, there is a process and a framework in place to capture risk across the enterprise."

QUALITATIVE, QUANTITATIVE

Fitch Ratings takes a somewhat similar approach when it appraises risk and capital adequacy among insurance companies. "We don't really have an ERM pillar," says Jeff Mohrenweiser, a senior director at the company's Chicago office. "ERM is not something we look at in isolation. It's part of the underlying fabric of our rating opinions.

"At Fitch, we don't really think ERM is anything new," he says. "It's just the next step in risk management processes. Undoubtedly, ERM will be replaced by something else several years down the road." Ultimately, Mohrenweiser says, Fitch looks at two factors when it comes to enterprise risk management. The first is qualitative: Does senior management see risk as both a problem and an opportunity? The second is quantitative: "You also have to be able to measure what you manage," he comments. "You may think there is a good profit opportunity, but you need to be able to figure out your downside risk."

To provide a consistent measure of capital adequacy and risk management, Mohrenweiser and his team at Fitch's Insurance Modeling and Statistical Application Group have devised a modeling tool called Prism. According to Mohrenweiser, Prism walks a middle path between conventional, factor-based models and stochastic models (models that run thousands of possible scenarios and arrive at a spectrum of results).

"The key advantage for us and, we believe, for investors, is that it puts all insurance companies on a single, consistent framework," he says. In-house models are like self-graded exams, and they're very hard for rating companies to evaluate. Prism, Mohrenweiser says, gives an independent, impartial view. "I'm sure every risk officer or CEO thinks he's found the best mousetrap. We have to take a somewhat skeptical view. Everybody can't be right. We need to provide that third-party objectivity."

Prism will be incorporated into Fitch's rating system in the first quarter of next year. In the meantime, insurers can run their data through Prism, partly to help them evaluate the strength of their own programs, and the company's analysts are not allowed to use the results during this introductory period.

After the introductory period, companies will be able to submit a limited number of scenarios for processing by Prism. "It's not necessarily a consulting business for us," says Mohrenweiser. "We have other things to do. It's really just our tool that we're using internally, and that we're making available. We had hoped that the stronger companies would have their own models, and in those cases Prism serves as a check on what they're actually doing."

"Rating agency thinking about ERM will continue to evolve and, no doubt, the related rating criteria will change," Shimpi and co-authors Michael Belfatti and Hubert Mueller write in a recent Towers Perrin white paper ("Insurers, ERM and the Rating Agencies"). Those criteria, the authors reckon, will include an underlying philosophy behind the risks a company takes; the measures, processes and tools it uses to support that philosophy; and a clear enterprise-wide focus.

"The rating agencies are starting to apply more formal ERM reviews," Shimpi says, "and I can only expect them to get better at distinguishing between the different quality of ERM efforts that they see as they get better and more experienced themselves."

IT's Role in ERM

ERM is only partly a technology issue, and responsibility for managing enterprise risk is more likely to fall to a risk manager or chief risk officer than to a CIO. In fact, IT can sometimes be considered a risk itself: large implementations have at least some chance of failing.

IT's role, says Prakash Shimpi, practice leader for ERM at Tillinghast, Towers Perrin in New York, falls into two areas: first, assembling the modeling tools for risk, and second, building the data warehouses that supply the information that fuels the modeling tools.

So far, Shimpi says, there are no front-to-back suites that automate enterprise risk management. "There is a segment of the software industry that says, 'We've got an operational risk management system' or 'We've got an enterprise risk management system.' I think we're still in a market where the buyer has to be very careful about whether that's true."

Some systems that claim to be ERM products were originally developed for another application and repurposed or merely relabeled for risk management, Shimpi comments. "If the vendor has done the right homework, their product may be very good; if they haven't, it may not be the right thing."

Actually analyzing risk, he continues, is a different matter. "You really need specialized knowledge about how to think about risk, and the people who can do it are few and far between," says Shimpi.

Bob Mueller is a business writer based in Grand Beach, Mich.
