ERM is catching on with Insurers
A new survey shows that enterprise risk management programs are catching on, but
operational risk management tops the list of areas needing better methodologies and tools.
By Carrie Burns
April, 2006 - Since the business of insurance is risk management, it's not
surprising that the majority of insurers have standards of practice for
monitoring, managing and mitigating risk. What's more surprising is that
enterprise risk management (ERM) - identifying, prioritizing, quantifying,
mitigating and financing risks from all sources across an enterprise - seems to
be catching on fairly quickly.
That's a conclusion of a recent survey by New York-based Ernst & Young's
Insurance and Actuarial Advisory Services (IAAS), which found that 67% of
insurers have a formal ERM committee. Of that 67%, 33% formed their ERM
committee within the last three years. Another 21% of respondents say their
organizations are considering establishing such a committee.
What's more, more than half of the current operational risk and
compliance/regulatory committees have been formed in the last three years,
and chief risk officers (CRO) now have more input in overall company
decisions, whereas CROs didn't even exist a few years ago.
Ernst & Young recognized the shift and asked a group of 24 companies - a mix
of life/health lines (46%), property/casualty lines (21%) and multi-lines
(33%) - to participate in its Insurance Industry Risk Leadership survey. Ernst
& Young in November 2005 held a roundtable meeting of survey participants
to gain insight into the current state and future plans of insurers when it
comes to ERM.
Several areas are demanding attention. For example, aggregation and
diversification of risk measurement were mentioned by participants, and
operational risk was identified as the most significant issue insurers face,
though most are in the early days of addressing it.
Why so significant?
Perhaps one of the first obstacles is that the definition of operational risk
differs from industry to industry - and more importantly, from company to
"There have been a number of attempts to define it. The one that most
people tend to gravitate toward is one that has been raised by bank
regulators," says Prakash Shimpi, global enterprise risk management practice
leader at the Tillinghast division of Towers Perrin, New York. The Risk
Management Association, Philadelphia, identifies the definition of operational
risk management used by the banking industry as "the risk of direct or
indirect loss resulting from inadequate or failed internal processes, people
and systems or from external events."
No matter what the exact definition, managing operational risks is fairly new
to insurers, and because of that, they often don't have structured approaches
for risk identification, risk prioritization, and risk measurement, for example,
notes Mike Hughes, a principal with Ernst & Young's IAAS practice.
"So, part of what companies are starting to deal with is putting the processes
in place to help assess the key risks they should be focusing on - and even
more so on the operational side," he says. "And the measurement of
operational risk is really in its infancy."
In fact, measuring operational risk has proved to be a major setback in ERM
implementation. "[Measuring operational risk] is not so much a technology-
enabled process as it is a qualitative process," Hughes says. "You need to
get the business people to think about what the inherent risks are in their
market and in their processes."
Positive results expected
Even with the work that needs to be done, half of the E&Y survey
respondents expect positive results. While 33% of survey respondents only
partially measure operational risk across the enterprise and 29% reported
operational risk is not measured at all, a full 54% of survey respondents
expect to measure operational risk across the enterprise by 2007.
Key to that success is internal development of ERM, according to John
Phelps, director of risk management at Blue Cross and Blue Shield of Florida
(BCBSF), a Jacksonville-based health insurer with $6.49 billion in revenue
and 9,500 employees. Phelps says time spent with consultants can actually
be a setback. "Enterprise risk management is very focused on the operations
of a particular business, and I've found it took a lot of time to get consultants
up to speed. [ERM] is something that should be grown inside an
organization. It's an organic process."
A broader problem of operational risk management is the amount of data and
the number of business areas - some with no experience assessing this type of
risk - that need to be involved. BCBSF's Phelps, for instance, tried taking a
strategic list of risks into the operational areas, but that didn't work.
"It was at such a high level, people in those areas couldn't relate to it," he
says. "I was handing them something that may as well have been in
This forced him and his group to start working on risk profiling, which he
says is at the operational risk level.
Tillinghast's Shimpi concurs that methodology - how insurers identify risks and
what effect they have on the financial performance of the firm - and tools are
still lacking to assess and manage operational risk.
"Many operational risks are small and insignificant but frequent, so [it's
possible to gather lots of data and fine-tune that]," he says.
In addition, there are operational risks that are significant but infrequent. As
a result, "event databases" may be helpful, but they may not necessarily
provide a good measurement of future outcomes. "These tools and models
are in development, but methodology is still evolving," he says.
The fundamental shift in thinking for the operational areas to go from risk
management to enterprise risk management obviously will require education
and training, but it will also require tools, notes BCBSF's Phelps.
"If you aren't supplying these tools, whether it's a system or a simple Excel
spreadsheet, you're not giving people what they need, so you're not going to
get to where enterprise risk management needs to be," he says.
The system is also providing root causes of risk, according to Phelps. "It tells
me where most of my risk is coming from. So we can go back to those areas
in a proactive way - or go back to those departments and work with them to
mitigate those risks."
Even mitigation is improved by using this tool, says Phelps. It provides a
method for tying risk mitigation steps with evaluation by creating risk
indices. "We'll be able to compare before and after the mitigation, and the
system provides a metric for us to see if the bang is worth the buck," Phelps
Standards Needed, But No Concerted Push
Could standardization be another aid in managing operational risk? Industry
experts believe it may be a part of the future. Respondents to an Ernst &
Young LLC Insurance Industry Risk Leadership survey expressed strong
support for standard definitions, metrics and methodologies.
But at a subsequent roundtable held by Ernst & Young, some of them
commented that, unlike Basel II for banks or Solvency II for insurers in
Europe, there is no concerted push for insurance industry standards either by
governing bodies or industry groups in the United States. Several roundtable
attendees commented that while U.S. regulators have yet to make risk
measurement standardization a front-burner issue, the rating agencies have
"opened the door."
Prakash Shimpi, global practice leader at the Tillinghast division of Towers
Perrin, sees standards in the future. "With Solvency II in Europe, those kinds
of rules that require firms to look at risks and do simulations are coming," he
says. "So it's only natural that the scope of risks will embrace operational
risk as well. The only questions are how specific, how precisely and what
methods will be acceptable."
Courtesy of Insurance Networking News www.insurancenetworking.com