Enterprise risk management (ERM) has moved from a relative rarity just three years ago to common practice among insurers today. At least initially, adoption of ERM for many carriers grew from decisions among rating agencies, especially Standard & Poor's, to include the discipline as a rating category. But other forces also have helped move it forward-terrorist attacks, hurricanes and, more recently, the storms in the financial markets.
"There were a couple of leading institutions that practiced ERM because they thought it was good business," says Paul Horgan, partner and leader of the Global Insurance Risk and Capital Team at PricewaterhouseCoopers (PWC) in New York. "But in the United States, it wasn't until the rating agencies really upped the bar on ERM two-and-a-half or three years ago that insurers across the board started investing in it."
But investing in ERM and getting real benefits from it-besides satisfying the rating agencies-are two different things. Banks and investment companies have bought heavily into ERM, and have done so over a longer period of time than most insurance companies. Yet, that investment failed to prevent headline-making disasters for some of them. That's led to questions about ERM's effectiveness and value, but it's also provided a few lessons.
Although insurers have made strong progress in some aspects of ERM implementation, many are still struggling to extend its reach across their enterprises and develop risk data and models in which they have confidence, according to a 2008 PWC study called "Does ERM Matter?"
"I think ERM can matter where it's adopted as a management discipline and if it's driven to making better decisions, as opposed to being adopted primarily for rating agency or regulatory purposes," says Horgan. "More importantly, we saw proof in our data that insurers believe it can matter, as evidenced by their desire to continue to invest in driving ERM down into the business, and their fair self-assessment of their progress."
BEYOND TRADITIONAL MEASURES
In fact, according to a survey conducted earlier this year by Stamford, Conn. consultants Towers Perrin, only 7% of life insurance CFOs considers compliance for regulatory and reporting purposes to be a primary purpose of ERM tools. Thirty-two percent name identifying and quantifying risk across the organization as a primary purpose, and the same percentage cite driving management actions on risk mitigation and value creation.
"What we're seeing in the insurance industry is that carriers who implement ERM are not only improving their management processes, but they're starting to see an improvement in their results," says Towers Perrin Principal John Thomson. "For example, one of the advanced techniques of ERM is the application of more quantitative models for making strategic decisions about deploying capital and then monitoring the return they're getting on those decisions. In an insurance company, that's allocating capital between product lines.
"What companies have found is that some of the areas they may have been supporting from a traditional standpoint, because of historical involvement, may produce returns that are below their corporate expectations, Thomson says. "They may also see other areas where returns are actually better than they'd thought. That allows them to make informed strategic decisions based not on just cost/benefit analysis, but also on risk/reward, so that they can move capital to areas where the returns are more attractive and steer themselves away from areas that have been drags on their organization over time."
Allstate, in Northbrook, Ill., was one of the early ERM adopters. ERM's roots at the carrier go back to 2000, when Thomas Wilson-now chairman, president and CEO of the company-was CFO. Wilson was interested in taking a closer look at capital requirements, and allocating and determining risk-adjusted returns by business units, recalls Larry Moews, VP and corporate risk officer. "There wasn't any crisis," he says. "It was just a CFO asking questions a CFO should ask, and us determining the best way to go about doing that."
Allstate always considered risk, Moews says, but always considered it in silos. "We were taking equity risk in the variable annuities we'd sell in the life operation. The investment department would have an equity portfolio, and we'd have equities funding our defined benefit pension plan. So, we'd have equity risk sprinkled throughout the company, but we never looked at it holistically. When you look at it holistically, different things pop up."
AT THE BUSINESS UNIT LEVEL
To some extent, says Moews, enterprise risk management is the aggregation of risk at the business unit level. But for the most part, ERM at Allstate concerns itself with risk that affects the organization as a whole. Moews calls it "material risk." "When it comes to enterprise risk management, you only want to concern yourself with risks that are really material to the organization," he says. "Way down deep in the organization someone's performance may be judged on certain risks that are insignificant when you aggregate them for the enterprise. What we try to do from an enterprise perspective is look at the major risks, define them and constantly challenge ourselves that we have the right risk."
Allan Dudek, senior consultant of enterprise risk management at Nationwide Mutual Insurance Co. in Columbus, Ohio, comments that his company's ERM practice takes business-unit risk into account, but has substantially left it alone. "We're in the risk management business," he says. "A lot of very good risk management was being done" before ERM came on the scene, "but a standard way of measuring and stating the risk posture at the top of the house with all of the subsidiaries didn't really exist." When ERM was introduced at the company, it focused on standardization and issues that affected the organization as a whole, he notes, and not on the details of how the business units handled risk. Apart from exploiting good risk management practices that already existed, the move made ERM more palatable to business unit managers.
DEVELOPING AN ERM PROGRAM
ERM at Nationwide also began with the CFO. About eight years ago, Dudek says, the company got a new CEO who brought a new CFO with him. The CFO wanted to standardize financial reporting and integrate financial systems. A sub-project of that effort was developing an ERM program. "The new CEO wanted to make sure we were optimizing the use of capital and not being arbitrary in the way we deployed our excess capital. Part of that also was to get more risk capital so that we would be able to take on the different initiatives the CEO wanted to take on."
That, says Dudek, was the principal driver behind ERM. Another was to make better sense of the carrier's overall capital adequacy. To do so, the company purchased a solution from Cary, N.C.-based SAS that provided an end-to-end view of enterprise risk. "We were, at the time, dealing with a diverse set of companies," he comments. "We had several mutual companies. We had a holding in one of the mutual companies that was half-owned by the mutual company and half publicly traded, so we were dealing with different ways of stating our capital adequacy. We had to do that for statutory and GAAP reasons, so we wanted to be able to pull all those together and make good sense of them."
As at Nationwide and Allstate, ERM usually starts as a top-down process, and one of the biggest challenges ERM faces in many organizations is integrating what may seem to some like a rather abstract exercise into day-to-day business activity. "Ultimately, this lack of integration means that ERM programs may simply be perceived as an additional layer of bureaucracy within the business rather than being integral to how it is run," PWC's survey concludes. The key to meeting this challenge, Horgan says, is to recognize and train people in ERM's real purpose. Often, business units aren't educated on ERM, and this keeps them from learning what goes into it, providing input and understanding how to make decisions based on it.
RIGHT FROM THE TOP
Success with ERM has to start with top management embracing its philosophy and concepts, says Towers Perrin's Thomson. Then, the question becomes, "How is that decision and spirit and culture and those processes being established by the corporate leadership? How is that being pushed down and embraced by the line leaders in the organization and those who actually execute strategy and actually manage the areas of business? It takes a long time. It's a growing process."
Complicating acceptance of ERM is the fact that compensation schemes often reward risk-taking in pursuit of short-term gains. Dudek notes that long-term compensation for Nationwide's executives is based on both enterprise and business unit risk results. Allstate has addressed the issue by setting risk limits and evaluating performance based on achievement of risk limits. "We have limits in terms of how much exposure we want to interest rate movements, credit defaults, equity movements and so forth," Moews says. "All of that is embedded within incentive compensation. Is it perfect? I would say, no. Is it better than it was? Absolutely."
Ultimately, Moews continues, he'd like to see incentives based on risk-adjusted return, essentially risk-adjusted earnings divided by economic capital. But until shareholders, accountants and auditors are prepared to judge corporate performance the same way, it's hard to give managers incentives that differ much from shareholder incentives.
Horgan agrees on the value of risk-adjusted return as a measure of both corporate and individual performance.
Enterprise risk management isn't just about avoiding risk; it's also about optimizing returns within the limits of the organization's tolerance for risk, Moews says. A few years ago, Allstate renamed ERM "enterprise risk and return management." The idea behind the change was that the company wanted to downplay the perception of ERM as something that prohibits risk-taking and promote its efforts to exploit reasonable risk. "We want to get the idea embedded in our culture that our business is all about risk and return. You can't have one without the other," he says.
Although technology by itself doesn't guarantee success with ERM, it's hard to imagine ERM without it. "We can do things today we couldn't do a decade ago," says Allstate's Moews. "For example, we have systems that model the enterprise and simulate various environments to see how the enterprise runs under various conditions. We have modeling software for investments. We have models that simulate natural disasters. We use models for asset liability management on the life insurance side of the house, and there's an economic capital model, which is part of my organization where we simulate the entire enterprise."
Nationwide's approach to technology essentially mirrors the carrier's approach to ERM. Requirements included handling all the risk types the company faces, aggregating risk data from various parts of the organization and collecting and analyzing information across different types of risk management activity. Finally, the technology had to work across the entire risk management lifecycle-from planning, assessment, issuing an action plan and tracking through reporting and capital calculations. "We wanted to make sure that that what we did in the assessment phase actually informed what we did in the capital calculation phase. We wanted to make sure that planning was informed by assessments, and we wanted to make sure that issues and action plans could also inform the other phases of risk management," Dudek says.
But technology has its pitfalls. Moews warns against "modelitis." "Don't fall in love with the model," he cautions. "A model will only simulate what you tell it to. If you forget a certain risk or you don't have the risk properly modeled, you can end up with some recommendations or answers that may not be in the best interests of the firm."
"A fool with a tool is still a fool," PWC's Horgan remarks, and while technology tools are important, "if you don't have a consistent way of doing a self-assessment across the business, and you're not driving that close to the business, you won't end up with useful information from those tools."
Thomson agrees: "If you don't change your approach, your philosophy, your underlying business practices and the way in which you make strategic decisions, deploy capital and so forth, there isn't a tool in the world that is actually going to turn your results around in any meaningful way over the long term."
Bob Mueller is a business writer based in Grand Beach, Mich.
(c) 2008 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.
