Tag Archives: stress testing

ERM Is Ignoring 4 Key Tasks

Over the last decade, economic capital has captured the risk management spotlight. Recognizing its merits, insurers have deployed economic capital for many uses. Regulators now rely on it, too — especially internationally — and have put it at the center of their prudential regulatory agenda.

Economic capital (defined as value at risk over a year) has two unique and extremely useful characteristics. First, the concept can be applied to any event with an uncertain outcome where a probability distribution of the outcomes can be postulated. Thus, insurers can value, in a consistent and comparable manner, very different risky events — such as mortality claims, credit losses and catastrophic property damages. Second, economic capital calculated for a portfolio of risks can be readily subdivided into the economic capital attributable to each risk in that portfolio. Or, alternatively, economic capital calculated at the individual risk level can be aggregated to economic capital at the portfolio level and beyond, across portfolios to the enterprise level.

However, there are four critical enterprise risk management (ERM) tasks for which economic capital is not an effective tool; unfortunately, because of this, we have observed a tendency for risk managers to de-emphasize those tasks and sometimes ignore them altogether. We believe this should change.

See also: How to Improve Stress Testing  

In response to these shortcomings, insurers should take full advantage of stress testing, a valuable risk management tool that is on par with economic capital in terms of its potential to help solve problems and improve performance. And, because stress testing enables insurers to tackle many of the important tasks that economic capital cannot, it gives insurers the opportunity to double the size of their risk management tool kit and thereby double their ERM output.

Liquidity

By design, economic capital assumes assets and liabilities can be monetized at their formulaic values — that is, at the values derived from the probability distributions’ assumptions. But, as we saw in the credit crisis of 2008-09, credit markets can seize up under extreme stress. When that happens, many assets — regardless of their formulaic value — cannot be sold at any price. Because of this, economic capital is not an effective tool to understand and manage liquidity risk.

To address the risks posed by insufficient liquidity, insurers need to play out meaningful stress events and postulate how they might affect both the ability to monetize assets and the asset’s price if they can be monetized, as well as critically assess the ability to actually access pre-arranged credit in the event these stress events unfold. Then, with an understanding of the likely challenges these stresses may impose, insurers can test the effectiveness of the potential mitigating strategies that they can deploy immediately or when stress events begin to unfold. Selecting and documenting the most effective options can become the insurer’s liquidity risk management game plan.

Diversification

Diversification is a cornerstone of effective insurance underwriting and risk management. The industry acknowledges the benefit of diversification across similar, independent risks and is able to apply considerable mathematical rigor to measuring this benefit. However, matters become less certain when attempting to quantify diversification across dissimilar risks such as mortality, credit and catastrophe. Extending the benefits of economic capital across risks requires that the capital amounts assigned to different risk types be combined.

Recognizing that extreme outcomes for each risk type are not likely to occur simultaneously, the combined capital requirement is typically calculated as the sum across risk types, with a credit given for diversification.

Deciding how much credit should be assigned for diversification is a critical question in establishing the enterprise’s total required capital. Unfortunately, historical information about the precise interaction of disparate extreme events is sparse.

Empirically, establishing diversification credits is difficult at best and is largely impossible for some combinations. For enterprise risk capital, a best guess may have to suffice. But, just because such a guess is sufficient for the purpose of ascribing required capital, it does not follow that it is sufficient for other purposes — particularly for charting a course of action across all risk types in the event of an extreme risk occurrence.

Stress testing is useful for this purpose. Playing out the series of interactions and events that could follow from a catastrophe such as an epidemic will yield much more actionable information than guessing the magnitude of the diversification credit. Constructing a future scenario that thoughtfully considers how an extreme event in one risk type will have an impact on others is key. These impacts occasionally are asymmetric and not easily accommodated in a standard diversification credit matrix. For example, we can be fairly certain that an extreme drop in equity values will not have significant impact on mortality rates. Conversely, it would seem imprudent to assume that an extreme pandemic would not have any impact on equity values.

Business risks

In a survey of insurance company board members and CROs that PwC conducted in June, the area where board members felt more attention would be most beneficial was “searching for, understanding and finding ways to address new risks” — meaning risks outside of traditional insurance, credit and market. Upon further discussion with the survey respondents, it became clear that they are not as interested in esoteric dialogues on black swans or unknown unknowns as they are in addressing more practical questions about currently evident business risks. In particular, survey respondents want to understand how those risks could materialize in ways that have an impact on their companies and how to mitigate those impacts.

Using stress testing to map out the impact of these business risks will help insurers assess how serious the risks are. The stress projection can measure the impact on their future financial condition after a risk event. And if the impact is significant, they can further deploy stress testing to map out potential management actions to reduce the risk’s likelihood of impact or mitigate damage if the impact occurs. Having an effective course of action is far better than hoping black swans won’t materialize.

Excessive capital

If insurers use only the economic capital tool, then there is a real risk that it will become a hammer, rendering everything in its path a nail. On discovering a new risk, the most likely reaction will be to call for more required capital. However, in the case of, for example, liquidity and business risk, a more effective approach is to use stress testing to create a plan for reducing or eliminating the risk’s impact.

Likewise, seeing economic capital as the sole means of addressing insurer insolvency can lead to an overly restrictive regulatory agenda that focuses only on the economic capital formula. This unfortunately appears to be the case in the development of some required capital standards. We think a more productive approach would be to recognize that no economic capital formula will ever be perfect, nor can one formula fit all business and regulatory needs around the world. Instead, a simpler formula augmented with stress testing can form a more effective, globally consistent solvency management framework.

Moving to the next level

In the paper we published earlier this year about the results of our stress testing survey, we noted that stress testing is well established in the insurance industry. Insurers use it for many purposes, and it has had significant impact. In fact, 36% of survey respondents indicated they have made key decisions markedly differently than prior to or without stress testing. A further 29% indicate stress testing has had a measurable influence (though no single key decision came to mind). The paper also identifies areas where only a little more effort can yield substantial benefit: through a clear definition of stress testing, through more thoughtful stress construction and through building a more robust stress testing platform.

See also: Risk Management: Off the Rails?  

To get the most advantage from stress testing, we have two further suggestions: 1) Insurers should apply a governance framework commensurate with stress testing’s status, and 2) insurers should advocate its use in new areas.

A good governance framework should include policies and procedures, documentation, model validation and independent review, as well as review by internal audit. Board and senior management oversight is also important. While our survey report notes that boards usually receive stress testing results from management, we recommend that management engage the board more in the stress selection process.

While stress testing certainly can add additional insight to insurance, credit and market risk analysis, economic capital already provides a good foundation in these areas. We recommend that insurers use stress testing, in particular, to tackle business risks where economic capital is not an effective tool. This includes new threats like cyberterrorism and their reputational impact. Stress testing can also be useful for understanding the risk of missed business opportunities, such as the failure to address how emerging trends in technology and customer behavior may have an impact on future sales and earnings potential.

We believe that the scope for the application of stress testing is as significant as for economic capital. And as with economic capital, once an effective tool comes into use, many more useful risk and business management applications will ensue.

Risk Management: Off the Rails?

First, there was science…

Some sources suggest probability theory started in gambling and maritime insurance. In both cases, the science was primarily used to help people and companies make better decisions and, hence, make money. Risk management used the mathematical tools available at the time to quantity risk, and their application was quite pragmatic.

Banks and investment funds started applying risk management, and they, too, were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. In 1990, Harry M. Markowitz, Merton H. Miller and William F. Sharpe won a Noble Prize for the capital asset pricing model (CAPM), a tool also used for risk management. This doesn’t mean risk management was always always accurate — just see the case of LTCM — but managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).

Then, risk management became an art…

Next came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than a science.

Some of the reasons behind the shift were, arguably:

  • Lack of reliable data to quantify risks — Today, certainly, there is no excuse for not quantifying risks in any type of an organization.
  • Lack of demand from the business — Many non-financial organizations of the time were less sophisticated in terms of planning, budgeting and decision making. So, many executives didn’t even ask risk managers to provide quantifiable risk analysis.
  • Lack of qualified risk managers — As a result, many risk managers became “soft” and “cuddly,” not having the skills or background required to quantify risks and measure their impact on business objectives and decisions.

Many non-financial companies quickly learned which risks to quantify and how. Other companies lost interest in risk management or, should I say, never saw the real value.

Today, it’s just a mess…

What I am seeing today, however, is nothing short of remarkable.

Instead of being pragmatic, simple and focused on making money, risk management has moved into the “land of buzz words.” If you are reading this and thinking, “Hold on, Alex. Risk velocity is important; organizations should be risk resilient; risk management is about both opportunities and risks; risk appetite, capacity and tolerances should be quantified and discussed at the board level; and inherent risk is useful,” then, congratulations! You may have lost touch with business reality and could be contributing to the problem.

See also: Risk Management, in Plain English  

I have grouped my thinking into four problem areas:

1. Risk management has lost touch with the modern science.

These days, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis, etc.) created in the ’40s and the ’60s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is mainly ignored by the majority of risk managers in the non-financial sector.

Ironically, many organizations do use tools such as Monte Carlo simulations (developed in 1946, by the way) for forecasting and research, but it’s not the risk manager who does that. The same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counterparty risk management. Yet blockchain is pretty much ignored by risk managers.

It has been years since I saw a scientist present at any risk management event, sharing new ways or tools to quantify risks associated with business objectives. That can also be said about the overall poor quality of postgraduate research published in the field of risk management.

2. Modern risk management is detached from day-to-day business operations and decision making. 

Unless we are talking about a not-for-profit or government entity, the objective is simple: Make money. While making money, every organization is faced with a lot of uncertainty. Luckily, business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on.

Yet, instead of integrating all the tools, risk managers often choose to go their separate ways, creating a parallel universe that is specifically dedicated to risks (which is very naive, I think). Examples include:

  • Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2009;
  • Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings;
  • Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models;
  • Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs;
  • Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk; and
  • Creating separate risk reports instead of integrating risk information into normal management reporting.

Risk management has become an objective in itself. Executives in the non-financial sector stopped viewing risk management as a tool to make money. Risk managers don’t talk, many don’t even understand business language or how decisions are being made in the organization. Risk analysis is often outdated, and by the time risk managers capture it, important business decisions are long done.

3. Risk managers continue to ignore human nature.

Despite the extensive research conducted by Noble Prize winners Daniel Kahneman and Amos Tversky (psychologists who established a cognitive basis for human errors that are the result of biases) and others, risk managers continue to use expert judgment, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (to put it mildly). They never have, and they never will. Just stop using them. There are better tools for integrating risk analysis into decision making.

Building a culture of risk awareness is critical to any organization’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into day-to-day activities and decision making.

4. Risk managers are too busy chasing the unicorn

Instead of sticking to the basics and getting them to work, many are busy chasing the latest buzzwords and innovations. Remember how “resilience” was a big thing a few years ago? Before that, there was “emerging risks,” “risk intelligence,” “agility,” “cyber risk” — the list goes on and on. It seems we are so busy finding a new enemy every year that we forget to get the basics right.

See also: Key Misunderstanding on Risk Management

Lately , consultants seem to have too much say in how modern risk management evolves. The latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June.  The authors sure did “innovate” — among other “useful ideas,” they came up with a new way to capture risk profiles. That is nice, if risk profiling was the objective of risk management. Sadly, it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day. For more feedback on COSO:ERM, click here.

To be completely fair, the global team currently working on the update for the ISO31000:2009 also has a few consultants who have a very limited understanding about risk management application in day-to-day decisions and in helping organizations make money.

I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money.

I am interested to hear your thoughts. Please share and like the article and comment below.

How to Improve Stress Testing

In spring 2016, PwC investigated the current state and future direction of stress testing. We surveyed 55 insurers operating in the US about their stress testing framework and the specific stresses that they test. We also engaged in more detailed dialogue with a number of insurers in the US and globally, as well as with some North American insurance regulators. Our principal conclusion is that stress testing, though well established, would benefit significantly from a modest amount of additional effort. Borrowing terminology from the Pareto principle, we think less than 20 percent more effort would yield 80 percent more value.

A brief history

Thanks to the requirements of the Dodd Frank Act of 2010, we expect that stress testing is the most widely recognized and understood risk management tool. The basic concept is relatively simple and most people in business and government readily accept the notion that if a specified future unfolded –say a repeat of the last economic crisis –it would be good to know ahead of time if banks would remain financially viable. After its initial introduction, stress testing continues to maintain a high level of attention via the ongoing publication of results from the Federal Reserve Board’s Comprehensive Capital Analysis and Review (CCAR) which the media, financial commentators, and the banks themselves eagerly anticipate.

It is easy to see how stress testing concepts in the Dodd Frank Act could apply to insurers. And, indeed the insurance industry (more specifically, its actuaries) has widely used stress testing and scenario analysis for decades.

More recently, 2013 was especially noteworthy for insurance stress testing, with publications on the subject by the North American CRO Council, the CRO Forum and the International Actuarial Association. From a regulatory perspective, the National Association of Insurance Commissioner’s (NAIC’s) Own Risk and Solvency Assessment (ORSA) calls for a prospective solvency assessment to ascertain that the insurer has the necessary available capital to meet current and projected risk capital requirements under both normal and stressed environments. In Canada, the Office of the Superintendent of Financial Institutions (OSFI) has provided clear direction on stress testing governance and methodology in its 2009 publication on Sound Business and Financial Practices (Guideline E-18). It also is noteworthy that, in Europe, despite all of the attention lavished on Solvency II and internal capital models, the European Insurance and Occupational Pensions Authority (EIOPA) launched a Europe-wide stress test for the insurance sector in May 2016.

Equally as important as the regulatory initiatives are the business applications and benefits of stress testing. As we address in more detail below, survey results show that insurers make good use of this risk management tool and are looking to expand its application even further.

A little more effort

We see three areas where only a little more effort can yield substantial benefit: 1) a clearer definition of stress testing, 2) more thoughtful stress construction, and 3) a more robust stress testing platform.

As a start, it will be useful to clarify what we mean by stress testing. As we use the term here, we mean a projection of income statements, balance sheets and –most importantly –projected available and required capital over a multiyear business planning timeframe (including new business over the planning timeframe). Typically the test is done for the entire enterprise and includes a base case and a number of stressed future states. This definition of stress testing is consistent with how both insurance (ORSA Guidance Manual) and banking (FRB CCAR) regulators use the term. It contrasts with risk-specific stress testing. Risk-specific stress testing typically looks at a single risk, often only for the part of the enterprise susceptible to that risk. And, it frequently assesses the impact over a range of stochastically determined scenarios. Distinguishing between stress testing and risk-specific stress testing needs little effort but can help companies avoid considerable confusion as they enhance and apply stress testing capabilities. Only with clear definitions can an insurer evaluate whether or not it has deployed the tool effectively. A vague notion of stress testing taking place somewhere in the organization typically means that there is unawareness of potential gaps in the enterprise risk management (ERM) framework.

See also: The Key Role for Stress Tests in ERM

Another area where we believe a little more attention would pay major benefits is the development of comprehensive stress scenarios. When describing future states, insurers have many factors to consider in order to articulate the risks that can impact their business. As an indication of the range of these factors, the section of our survey that addressed stresses had 32 questions, many with sub-parts, each covering a different risk. However, rather than starting with an effort to combine all of these risks, stress testing benefits from starting instead with a narrative that articulates a potential future and then addresses how that future would impact the insurer through various risk factors. For example, a stress narrative could be based on a prognosis of an ongoing steady decline in the price of oil and other commodities, then a postulation of the resulting impact on economic growth, interest rates, equity valuation, employment rate, etc. The narrative then could move to an analysis of the impact of these factors on the insurer’s risks, leading to a projection of how the company’s income statement, balance sheet, available and required capital would fare if this future, in fact, unfolded.

Lastly, we note that despite the considerable attention and utilization of stress testing as a management tool, it appears that, for many insurers, the infrastructure that produces results is ad hoc and likely inefficient. Our survey indicates that only 10% of respondents have built a bespoke platform for stress testing. 78% of them use spreadsheets alone or spreadsheets combined with actuarial/projection software. In terms of how long it takes to conduct stress tests, 42% of respondents indicate the process takes between one and two months. A further 35% report that it takes more than two months, and sometimes longer than three months.

While systems infrastructure updates do not normally result in major improvements from little effort, many insurers, particularly in the life sector, have already embarked on a process of modernization. As they are looking to address their risk, actuarial, and financial reporting needs in a comprehensive manner, we recommend that stress testing capabilities receive high priority. With a modest amount of extra effort, insurers should be able to incorporate significant enhancement to their stress testing platform as part of this modernization. This in turn will yield the benefit of more timely, accurate and insightful stress testing results.

A lot more value

Insurers already use their stress testing for many purposes. Survey results show that respondents currently utilize their stress testing for an average of almost five different uses. Additionally, respondents indicated they each had plans to add almost four new uses in the future. More than half of the respondents reported using their stress testing work for strategic planning, calibrating their risk tolerances and limits, assisting with dividend, share-repurchase and similar capital planning, and regulatory impact assessments. These are critical business decisions and further highlight the value of stress testing.

Furthermore, stress testing usage has had a positive impact at a significant majority of respondents’ companies. 36% reported instances where key decisions have been made very differently compared to the process prior to stress testing. An additional 29% reported that the results of stress testing has a measureable influence on decision making, though no specific decisions were cited.  

See also: New Approach to Risk and Infrastructure?

More benefits

We see a few additional areas where better articulated stress testing processes and procedures could result in significant benefits.

  • Recognize that stress testing is a separate tool in the risk manager’s tool kit–Frequently, publications and discussions on insurance stress testing describe it as something that supplements other risk management tools. We believe that relegating stress testing to supplementary status undervalues its benefits and contribution. It would be more productive to recognize stress testing for what it truly is: a separate tool with different strengths and applicability compared to VAR-based economic capital.

Some risks –for example, liquidity risk –can be addressed only via a stress test. Adding more required capital does not effectively address the problem; liquidity risk needs to be addressed by developing a preplanned course of action, including accessing prearranged liquid funds. Likewise, reputational risk –and in particular the reputational impact of a cyber event –is better addressed via the stress test tool than via the economic capital route (and the potential addition of more required capital).

Similarly, for some risks where economic capital looks like a satisfactory tool, it can give misleading information. Often pertinent risks only reveal themselves fully via stress testing. New business is a good example. Economic capital can include one or more years of new business, typically by assuming new business premium, claims, expenses, etc. are a replica of previous years’ values. But this fails to provide a platform to study how external factors could impact the insurer’s fundamental business model, leading to little or no sales of any new business that resembles prior years’ business.

Lastly, we note that most other measures, especially traditional economic capital, concern themselves primarily with very extreme, “in the tail” events. Stress testing is useful not only for high impact, low probability events. More likely events warrant attention –in fact, they may warrant more attention because they often represent more tangible and practical problems that management needs to address immediately.

  • Use stress testing to “war game” management action and prepare in advance for risk crises –In our survey, we asked insurers if stress testing incorporates management actions. In other words, as stress events unfold, presumably management would take some form of corrective action in response, and that corrective action would impact future financial results. Almost half said they do not incorporate management actions. We believe this is a significant oversight.

Stress testing provides a ready platform to prepare in advance for risk crises. Insurers can use the tool to test different responses and select the one that yields the most effective resolution. They then can put in place a contingency plan and pre-event corrections appropriate to the event.

Here again stress testing can provide a different perspective than economic capital and similar measures. Economic capital works well as a tool to quantify the impact of taking certain types of action in the present. For example, it can help determine the reduction in required capital if a particular reinsurance treaty were implemented. On the other hand, faced with a multifactor, multiyear stress event (perhaps including changes in interest rates, inflation and equity values, with increases in unemployment and deteriorating buying patterns), stress testing would be a more effective tool in judging if and when to reconfigure the asset portfolio, alter products and prices, and the cost and manner of reconfiguring staffing models.

It is worth noting that, in our discussions with regulators about the merits of including the impact of management actions, their expectations are that, yes, insurers should include them. They recognize the benefit that stress testing can provide as an opportunity for planning ahead. However, they indicated that it would be appropriate to show the stressed result both before and after the application of management action. Showing both results can help promote thoughtfully developed post-management action results, not just a broad assumption that management will take appropriate actions.

  • Take advantage of the board’s and senior management’s broad business insights to construct more insightful stress narratives –Our survey shows that most boards receive the results of the stress test either directly or via the risk committee of the board. However, only 11% report asking either the board or board risk committee to approve the stresses the company uses. We believe this represents a missed opportunity to gain board members’ insights and benefit from their engagement in the stress testing process. Not all directors will necessarily have detailed knowledge of the range of potential outcomes of all of the risks that can impact an insurer or the potential stochastic distributions of those risks, but directors typically are experienced and knowledgeable, often with a high level of business and economic acumen. Utilizing their individual and collective skills to contribute ideas on the types of stresses that merit study seems like a good fit for their role and an effective complement to managements’ efforts.
  • Stress testing represents a potential avenue for global capital consistency –As a final potential benefit, we note again that stress testing seems to have a role in all major insurance and other financial services regulatory regimes. At the same time, the global insurance industry is challenged by the task of agreeing to a capital adequacy ratio, presumably based on an economic capital VAR-like foundation. A simpler capital formulation coupled with a robust stress testing regime may hold more promise for a globally agreeable approach.

See also: Key Regulatory Issues in 2016 (Part 2)

A bright future

Based on survey results and various discussions we had with insurers and other stakeholders, stress testing is universally accepted as a useful tool. We suspect that this is a consequence of its being directly related to the common business practice of preparing a financial plan. Including a few more future states or stresses and incorporating a measure of required and available capital in the financial plan are not major steps. Accordingly, the transition from planning to stress testing should be easy to accommodate. We note how sharply this contrasts with the introduction of economic capital, especially in the US insurance industry. Though its usage is growing, economic capital is not a uniformly accepted regulatory and business tool even after two decades. On the other hand, stress testing is already actively and universally used as a management and regulatory tool. With a little more effort, we believe it can yield very substantial benefits for all.

10 Shortcomings of SWOT Analysis

If you think that the analysis you use to identify the strengths, weaknesses, opportunities and threats (SWOT) in your business is adequate, beware. It is intended to provide a 360-degree view of your risks and opportunities but often fails to fill that requirement because of superficial applications and failure to look at risks from connected systems.

If your risk and opportunity analysis techniques are lacking, you could be very unprepared for the next recession, disruptive technology or game-changing way of thinking that could soon affect you. Too often, the last domino that struck in the last crisis is the main focus of all future risk-mitigation efforts. The whole string of triggers and threatening signals that led up to that last publicized tipping point and bursting bubble are ignored.

Here are the 10 most common shortcomings for SWOT analysis:

  1. Underestimating the role that vertical and lateral cascading human factors can play and having fragile back-up plans
  2. Absence of war gaming, stress testing and disruptive failure mode analysis testing of your leadership mindset, strategy, work culture, processes, products and services
  3. Lack of focus on disruptive innovations; you respond to them but do not create them with proven innovation-on-demand techniques
  4. Assumptions that cyber security and patents are safe, so they aren’t stress tested with advanced cyber-circumvention and patent-busting techniques
  5. “Taboo talk rules”; uncomfortable discussion topics are avoided or not identified with focused and anonymously solicited inputs from employees
  6. Ignoring “Trojan horse” risks that are secretly lurking in the hearts and minds of your employees or piggy-backing on purchased technology, software, products or services
  7. Lack of use of “gamification” techniques to address the most sensitive threats in a disciplined, humane, engaging and effective manner
  8. Failure to include effective strategies to attract and retain key human talent
  9. Failure to identify low-profile threats that create unstoppable cascading risks — from leadership to culture to processes to bad performance to weak responses to critical situations
  10. Lack of use of external perspectives to challenge group-think assumptions of perceived safety and robustness

Simple SWOT analysis and risk-management techniques will not offer the protection required to survive the next economic crisis or disruptive technology. KISS concepts (keep it simple, stupid) have lost their ability to identify and protect against complex cascading risks. The world is a fragile, hyper-connected and cascading system full of surprises that will punish casual optimists and reward those who hope for the best but seriously plan for worst-case scenarios.

The World Economic Forum’s 2014 World Risk Report describes the global risks that can quietly cascade across borders and affect organizations in unsuspecting and surprising ways from a variety of threatening and linked factors. The complex dynamics that exist between developed, developing and emerging world markets is further complicated by the fact that many organizations know very little about the cascading system dynamics within their own four walls.

Classic methods that attempt to describe the risk and opportunity landscape for individuals and organizations have not kept pace with the rising complexity and interactions between highly networked workplaces, global economies and internal and external threats. We have now entered a new era where we need new ways to describe and understand the complex world we have created, which has outgrown the simple tools we like to describe it with.

Modernization: CRO Faces New ‘Unknowns’

Internal and external demands have resulted in the clarification and expansion of the role of the chief risk officer and the risk management function. Internally, senior management and the board see the merit of using key risk information. Ensuring the company is managed within its risk appetite enables it to best utilize its resources to take advantage of changing competitive needs and strategic opportunities. Externally, U.S. and global regulators are articulating clear expectations for the role of the CRO and governance of the risk function, as well as the role of the board in risk management and the CRO’s and risk function’s relationship with the board. These demands emphasize the need for clear policies and processes with appropriate documentation and governance.

As little as 10 years ago, the risk function was novel at most companies, and there were almost as many models of how to organize and manage the function as there were insurers. This has changed. Leading practice is becoming clearer, and expectations are now more consistent and defined. However, boards and regulators are increasingly inquiring about new “unknowns”: data security, cyber terrorism, reputational risk and competitive obsolescence. All of these also fall under the CRO’s purview and increase demands on risk resources.

The case for change

The risk function is the newest among the direct stakeholders that insurance modernization directly affects, and there are a number of important implications and outcomes.

  • No existing “pipes” – For the majority of North American risk functions, many risk calculations and resulting reports are very recent creations. Very few have a solid network of pipes that transmit data and input through models and calculations onward to result in verifiable and controlled information. Therefore, compared with many other functions that modernization affects, the risk function does not need to dismantle existing pipes. However, it is critically important that, as insurers plan and develop these new pipes, they do so in cooperation with other stakeholders. If they do not, then the risk function may find itself unnecessarily tearing up what should be a common roadway.
  • From build to oversee – While internal and external changes affect all stakeholders, the risk function is unique in that its very nature also is changing. When the risk function originally came into being, it was the CRO’s and his staff’s responsibility to create the models and capability needed to support the function. Now, as risk infrastructure takes shape, management, boards and other stakeholders are asking the CRO and risk function to play a key role in governance and control. This brings into question how best to manage and oversee both the risk and overall corporate infrastructure. Can and should these be responsibilities of the risk function, and, if not, who should be responsible for managing this infrastructure?
  • Process and documentation – Much of the newly built infrastructure was constructed quickly and in a “learn by doing” mode. Much of it is parallel to but not coordinated with activity in other areas, especially actuarial. As companies have mapped processes and documented assumptions, models and output, functional overlaps have become clearer. In many cases, clarification and resolution of the overlaps will be necessary to enable rational enterprise level mapping and non-duplicative documentation.
  • Demonstrated engagement – The CRO and risk management staff (with input from actuarial, investment, finance and others) support the foundation on which risk information is built Increasingly, the board and regulators are asking for holistic engagement in agreeing on assumptions and methodologies, not just siloed input from subject-matter experts. The risk function increasingly is being asked: Are the business managers – the first line of defense –in agreement? And, is their collective engagement substantive and verifiable?
  • Governance – As the board’s role in risk management and risk taking becomes clearer, many boards and regulators recognize the need to include major risk and strategic initiatives under the oversight umbrella. They look to the CRO to be the conduit of information between them and the insurer. This strongly suggests that the CRO should have insight into modernization initiatives that go beyond just the risk function.

In a modernized company, a synergy of efficient processes with clearly defined stakeholder expectations exists among risk, actuarial, finance and technology (RAFT). The modernized risk function will share a common foundation of data, methods and assumptions and tools and technology with the other RAFT functions. (Naturally, the risk function will have certain unique processes that build on this foundation.) Finally, enterprise compatible business management, HR, reporting and governance all channel the process to its apex: intelligent decision making.

  • Data – The organization, with significant risk input, clearly defines its data strategy via integrated information from commonly recognized sources. The goal of this strategy is information that users can extract and manipulate with minimal manual intervention at a sufficient level of detail to allow for on-demand analysis.
  • Methods and analysis – Modern risk organizations emphasize robust methods and analysis, particularly the utilization of different approaches to arrive at insight from more than one perspective. Key to proper utilization of multiple methods is confidence that different outcomes are not the result of inconsistent inputs but rather truly reflect new insight.
  • Tools and technology – Up-to-date tools and technology help the risk function gather, analyze and share information faster, more accurately and more transparently than ad hoc end-user computing analysis. With modern tools and technology, risk personnel can devote the majority of their time to understanding and managing risk rather than programming and running risk models.
  • Stress testing – Stress testing has become a key weapon in the risk management arsenal. Test results convey risk information to senior management, the board and regulators. Resulting impacts on capital under stress scenarios become key to capital planning and calibrating economic capital (EC) models. Moreover, these tests are fully integrated in financial planning and the finance function’s agenda.
  • EC/Capital modeling – Economic capital calculations continue to be an important tool for decisions at all levels, from strategic to micro-level asset trading and product design. A modernized organization fully integrates these models with key actuarial activities, and the process and results help the company more effectively plan for and manage risk. Results are available quickly, and efficiency of the process allows for extensive “what if” testing.
  • Validation – A comprehensive model risk management structure is in place. The company routinely validates new models and model changes. Assumption consistency is transparent across risk, actuarial and finance. The company verifies data integrity and uses a model inventory to weed out duplication and overlap. Savings more than pay for model risk management (MRM) costs.
  • Human capital – Risk functions employ more inquisitive and analytical analysts. The emphasis is on managing risk, not running models. A significant portion of the group devotes its time to understanding emerging trends and investigating potential new threats to the organization. Clear organizational design facilitates working in a collaborative manner with other control functions and business managers.
  • Governance – Risk plays a key role in governance and risk appetite is well established. Decision making throughout the organization incorporates risk in a transparent manner. This is in large part because of confidence in risk output because data and input is consistent with finance and actuarial analytics, models are validated and senior management and the board understand key assumptions and limitations.

The benefits

Realizing ERM’s promise requires more than just complex economic capital and value at risk (VAR) models. It requires confidence in these models and an understanding of their key assumptions and limitations. This confidence and understanding need to be pervasive – from risk, finance and actuarial personnel themselves, through line of business leadership, up to senior management and the board.

With a modernized platform in place, CROs and risk functions can turn their attention to managing risk, not calculating and reconciling numbers, as well as providing management and board with the best tools for intelligent decision making, confidence in capital deployment and competitive strategies consistent with risk appetite and capacity.

Critical success factors

Plan ahead and in concert with other stakeholders. The risk function is in the unique position of not having to dismantle infrastructure, but it definitely does need to build on it. The function’s relative youth and lack of legacy encumbrances mean it is in an ideal position to be a leader in modernization initiatives.

Moreover, the risk function has both an opportunity and an obligation to raise concerns about the risks involved in modernizing in an uncoordinated way or the risk to the insurer’s competitiveness from not modernizing at all.

Call to action – Next steps

Look for quick wins, like faster processing, more transparency, deeper insight, but stay true to the long-term plan. Some of these quick wins can be cost savings opportunities. For example, an inventory of documented models can reduce the number of models (and associated maintenance cost) by weeding out redundancies. In addition, the company can streamline internal reports when all areas use the same foundational data and calculations. Moreover, the company may be able to rationalize multi-jurisdictional, external and regulatory reporting.