Risky Business

Carriers have struggled to accurately calculate their operational and financial risks. Getting to the heart of the matter is essential for long-term prosperity.The financial success or failure of a property & casualty carrier largely depends on the company's ability to manage risk. Based on sophisticated actuarial models, carriers can formulate a risk model for virtually every type of physical risk exposure, and through these assumptions decide whether the risk is worth bearing.

But physical risk, while at the heart of a carrier's due diligence, represents just a fraction of the overall risk to which the company is exposed. Other types of risk-predominantly ones that deal with financial and operational governance-lurk beneath the surface of Corporate America. Understanding the magnitude of such risks depends on effective corporate policymaking, but implementing this effectively is often the exception rather than the rule.

A textbook example of operational risk that slipped through the cracks occurred in the mid-1990s when a derivatives trader for Barrings Investment Bank, which was based in London, pocketed tickets from a number of would-be investor trades rather than processing them. Barrings incurred significant losses and was forced out of business.

A smear campaign against a financial services provider can have a short- or long-term effect on a reputation. A blow to one's reputation can have an adverse effect on revenue, profits, ability to secure credit and long-term prosperity.

A carrier faces liquidity risk, for example, if it can't meet a financial obligation in a timely fashion. The end result is that is may have to "sell off part of its investment portfolio to raise the cash to pay the bills," says an industry analyst.

Risk challenged

These examples aren't dramatized, but are actual predicaments that have plagued many insurance carriers. All of them can be avoided if companies do their due diligence ahead of time. Industry observers well-versed in risk management say that carriers have been less than astute at parlaying their strength in physical risk management to the other varieties of risk.

"Carriers have been very good at understanding their flood exposure or catastrophic risk in Florida. They are oriented that way; they have taken a good look at this stuff forever," says Richard Roby, a senior analyst who tracks insurance IT initiatives for consulting firm The TowerGroup, Newton, Mass.

However, insurers "need to make more progress in capital markets risk and strategic business risks," he adds. "Recent experience in global markets has shown us that understanding your physical risk isn't enough. You need to understand what your foreign exchange risks are and you have to have a central repository of risk information that speaks to the organization from top to bottom."

The solution, Roby states, is a robust framework that encompasses both financial and operational strategies through an initiative known as enterprise risk management (ERM).

ERM is a "rigorous approach to identifying, prioritizing, quantifying, mitigating and financing risks from all sources (financial and operational) that threaten the achievement of an organization's strategic and financial objectives," according to Tillinghast-Towers Perrin, a Stamford, Conn.-based global consulting firm, which released a study last year titled, "Enterprise Risk Management in the Insurance Industry."

An intricate concept that has proved difficult to quantify, ERM tries to achieve three objectives-improving capital efficiency, supporting strategic decision-making and building investor confidence.

Onus on operations

Of the three benefits that ERM can bring to a carrier's enterprise value, stock companies that participated in the Tillinghast report stated that building investor confidence was their top priority.

To foster investor confidence, most companies focus on financial strategies, closely scrutinizing their financial risks every business day. Mastering financial strategies is viewed as an ideal way to grow revenue and earnings, which in turn sparks investor confidence.

But operational risk control is the unsung entity of helping grow revenue and earnings, and with it, investor confidence. However, the management tools and techniques "are relatively undeveloped in the area of operational risk," Tillinghast states. Operational risks are those relating to both business and events, and take into account areas such as technology, people, distribution and competition.

Operationwide risk management can be traced to the 1990s when financial institutions began focusing attention on risks associated with their back-office operations, says TowerGroup's Roby. Having already focused on managing market and credit risk, a number of institutions broadly defined operational risk as all risks other than market or credit risks, he adds.

Hard To Quantify

However, defining it wasn't the same as mastering it. The root of poor operations risk management, says Roby, is that it's extremely hard to "represent this risk with numbers. There's no generally accepted vocabulary in which to talk about it. If there's no vocabulary for it, it's very hard to quantify operational risk. It's a grab bag.

"To give an example, in the context of market risk, you have interest rates that are published on a daily basis. Market risk can therefore be represented with numbers, but operational risk can't," says Roby.

With the hurdles high, carriers need support to get a handle on their business risks. Establishing a "centralized risk function" is the most logical jumping off point for carriers.

"You have to have an organizational process in place to bring together all the significant risks, focusing on those that could have a higher likelihood and severity, and making sure effective mitigation actions are in place," says Rudy Trevino, assistant vice president, corporate risk management for Los Angeles-based Farmers Insurance Group. "When you boil it all down, enterprise risk management is really about avoiding surprises."

Formalized initiatives

Farmers is just one of several carriers, including AIG Corp., The St. Paul Cos., The Prudential and New York Life, that are regarded as having developed an expertise in ERM. Because it's an investment where even the industry leaders are still trying to establish solid footing, most carriers-not surprisingly-are hesitant to discuss even the most generic details of an ERM program.

Farmers' executives were not willing to discuss chapter-and-verse capital investment figures, but they did provide some insights about the process. Although it has always engaged in risk management, albeit in a more informal manner, Farmers established a formal corporate risk analysis division in 1998.

"There are many benefits to looking at risks from an enterprise standpoint," says Trevino. "It brings management attention to the risks that are the most significant to the organization, which warrant priority of action plans and monitoring. The more we can keep managers thinking about their business risks, the less likely we'll be hit with surprises, which in turn impact earnings."

Headed by Robert Downer, Farmers' vice president of corporate actuarial and risk management, the division uses a variety of leading-edge statistical, actuarial and financial analysis tools to measure and gain key insights into its risks.

"For example, we use a couple of state-of-the-art probability-based catastrophe modeling tools to help us measure and better manage our overall exposure to natural catastrophe risks, such as earthquakes and hurricanes," Trevino says. "Capital allocation and risk tolerance models have also been developed and will continue to be refined."

In Farmers' quest to comprehend its risk exposure, Trevino says the division has adopted a mantra-"de-risk"-which acts as a reminder of the unit's ongoing mission.

"Around here, de-risk means to think through potential risks, keep an eye on the risks, and be ready with an action plan in case it is needed. As we better understand our risks, we are in a much better position to determine what mitigation strategy will work best."

At Farmers, strategic, financial, operational and reputational risks all fall into the category of "business risks." With these criteria, the unit follows a systematic process where it identifies, assesses, quantifies and treats these risks.

"With financial risk, we have regular and ongoing discussions between the investment department and the operational units to ensure proper alignment of the investment and operational plans," Trevino says.

Operational, strategic and reputation sources of risks, on the other hand, "are very hard to create models for, due to the more intangible and unpredictable nature of the risk," says Trevino.

To improve its competencies in this area, Farmers' corporate risk management team engages in scenario analysis. "The important point is the enterprise risk management approach surfaces these risks," says Trevino. "And, once surfaced, the management team can look at these risks and agree on the best strategies to manage them."

Trevino declined to provide specifics about the various strategies.

Program empowerment

As with other successful initiatives, senior management support and unit empowerment is a catalyst for Farmers' corporate risk management unit. Downer reports directly to Farmers' CEO, and gets access to both internal and external support.

"We have found that some companies try to implement the program themselves, but the trouble is: they're so close to their operation that they fail to see the forest for the trees," says Charles Lee, a principal with Tillinghast-Towers Perrin.

To avoid this and other obstacles, Farmers works closely with the Zurich Financial Services Group's risk management function, which has had an "empowered" executive in charge of risk management for more than five years, Trevino says.

"Zurich has developed an excellent risk policy manual which provides broad guidelines for the effective management of risk throughout the group," says Trevino. "Besides consultation with Zurich, we also use external risk specialists as needed to supplement our internal capabilities."

Internally, Farmers' IT department is actively involved in ongoing risk assessments. "With IT being such an integral part of the organization's strategies, the enterprise risk assessment effort must consider areas of risk emanating from the IT environment," Trevino says. "Additionally, the IT management team goes through their own exercise to identify, assess, manage and monitor top IT risks."

The group reports quarterly to Farmers' audit committee that reports to the board of directors. "The executive team has set the right risk awareness tone for the organization," says Trevino.

"We are progressing from a position of strength," he adds. "It has to be stressed, though, that through this whole business of risk management, the most important thing is what we can do for our customers-individuals, families and small businesses. We help people solve their worries, such as protection from downside risks, and achieve their dreams, such as making sure we capitalize on upside risks."

The scarcity of meaningful data on ERM in the financial services industry isn't surprising, given the lack of attention it has received. But that situation ultimately will have to change, says Lee of Tillinghast-Towers Perrin.

"Most carriers are moving in this direction or at least thinking about it," he says. "They are considering hiring consultants, forming internal committees and advising their boards that this is a front-burner issue."

Embarking on ERM could logically begin by establishing an office of risk management, where a company appoints a risk manager or a chief risk officer, who reports to the CEO.

No magic bullet

About 20% of insurance companies polled by Tillinghast have installed a chief risk officer (CRO). The consulting firm found this practice more prevalent outside North America, where nearly 40% of companies indicated they have a chief risk officer, whereas only 8% of North American companies indicated they have one.

Appointing a CRO is not a magic bullet, Lee says. Rather, the first thing a corporation must install is not an executive or an operating unit but a mindset surrounding risk. "You have to start by building a corporate culture from the top down to the bottom up," says Lee. "You have to make a commitment to managing risk without limiting your ability to service your clients."

For reprint and licensing requests for this article, click here.
MORE FROM DIGITAL INSURANCE