What Insurers Can Teach Others on ERM

The risk management practices of insurance companies have been scrutinized by rating agencies, regulators, analysts and others for years because insurers are financial institutions that deal with high levels of risk that, improperly managed, could not only hurt their creditworthiness but damage the financial well-being of their customers. As a result of this scrutiny, insurers have developed robust and comprehensive risk management processes, increasingly known as enterprise risk management (ERM). The ERM process covers the entire company, from strategy setting to core business operations and even relationships with external stakeholders. The maturity of insurers’ models means that there are some best practices worthy of emulation or adaptation by other industries. A selection of these is presented in this article: aggregation of risk, correlation of risk and opportunity risk management. Aggregation of risks Within the ERM process step of “risk identification,” insurers pay special attention to aggregation of risk. How much of the same risk can be prudently taken, and how much risk is represented by one catastrophic event? A simple example would relate to how much property insurance is being written in Florida, which is prone to hurricane losses. Or, how much workers' compensation is being written for one industry group that could be affected by a pervasive occupational health hazard such as mesothelioma. A proper assessment requires: 1) knowledge of what business is being written (sold), 2) fine-tuned understanding of that business (e.g., not all property in the state of Florida is subject to the same degree of hurricane loss), 3) recognition of what could be a potential risk issue within a book of business (e.g., workers in industries that still handle asbestos or operate in older buildings that have not been remediated). Having taken account of accumulations, insurers proceed to reduce their exposure to them. This can take many forms, including: 1) writing less business within the geography, customer segment or type of coverage making up the accumulation, 2) adding exclusions or sub-limits into the insurance policy to eliminate or reduce what is covered if the risk produces a loss, 3) requiring/ helping customers to make themselves less vulnerable to the risk and 4) developing rapid responses to minimize the extent of loss after the risk has created a loss. Moving outside the insurance company realm, any company can be subject to a variety of types of aggregations that can be above a normal, acceptable range of risk. Some examples might include: • Shopping center management companies with many centers in neighborhoods with poor economic outlooks • Banks with loan portfolios too heavily balanced toward governments or businesses in countries with low ratings for economic or political stability • OEM manufacturers that supply parts to only one industry -- one that may be in the process of technological obsolescence or some other life cycle dip • Consumer goods manufacturers with narrow product lines that are tied to one demographic group that is fickle or is becoming economically pinched Consider a large company with many silos, one that is not very good at sharing information and not tightly managed. What would happen if: 1) one unit of that company placed its call center in one of the BRIC countries (Brazil, Russia, India and China), 2) another unit opened a major manufacturing plant in that country, 3) another unit outsourced its IT code development to that country and 4) the finance unit invested in bonds from that same country -- and that country suddenly had a debilitating natural catastrophe, the government or currency collapsed or a nationwide problem developed? The point is that the company in the example should be aware that it is creating an aggregated risk potential by having so many ties to that country with varying exposures. Any significant concentration of geography, market segmentation or product offering can pose a risk to a business. What makes ERM so powerful is that all important risks get identified, whether insurable or not, especially strategic risks, and that these risks get addressed through mitigation action plans. It is surprising how often companies do not see the magnitude or variations of risks they are facing; an effective ERM process should prevent that blindness. Having identified an aggregation risk, companies can create mitigation plans for managing the risk. Mitigation tactics for aggregation risks in non-insurance businesses could include: • Diversification in geographic spread • Diversification in product portfolio • Diversification in customer segmentation • Innovation around uses of current products • Innovation around ways to be more profitable with current products such that margins could increase while sales decrease • Growth limits in risky areas; growth goals in less risky areas Correlation of risks Insurers have also become adept at identifying correlated risks. These are risks that may not appear to be connected but could be realized as part of the same event. Or they could be risks that have a cause and effect relationship on each other -- a domino effect. Correlated risks could dramatically strain an insurer’s ability to pay claims or remain fiscally viable. A hurricane, for example, might not only trigger covered property damage but also business interruption, supply chain, losses from canceled event and so on. Unless the insurer understands the totality of correlated losses, it cannot determine how much business it should write in any single hurricane-prone territory. Also correlated to the hurricane is an increase in the cost of repair and rebuilding property because of what is termed “storm surge” -- when goods or services are in greater demand after a major event. So, the insurer is not only paying out on claims from different policies (or lines of business) but may also be paying more than usual because of inflated costs. The concept of correlated risk is not very prevalent in non-insurance companies but could be just as serious an exposure. Consider an electrical power company. It knows that its dependence on an adequate supply of water leads to a risk that drought could affect its output capabilities and its customer satisfaction. The utility may not be fully cognizant of the correlated risks. Therefore, its risk mitigation and contingency planning may not include those risks. These might include: 1) the risk that government subsidies or support could be cut as the government attends to other issues arising from drought; 2) the risk that the cost of water or expense for routing the water supply will increase because of low water levels; 3) the risk that malfunctions will occur with power plant equipment because of lower or inconsistent water supply feeds, or 4) the risk that business customers that do not get sufficient water for their operations may sue the supplier. Without a robust ERM process to help identify both insurable and non-insurable risks, these risks may go unrecognized and unmitigated and without an effective response plan. In fact, all companies fear that “perfect storm” where many risks materialize at once that could damage and destabilize the business. Yet, some correlations might have been identifiable and action taken to ameliorate the risks, had an effective ERM strategy been in place. Opportunity risks There is risk in both taking and missing a potential opportunity. It may be too much to ask businesses to identify the risks and calculate the cost of not taking every opportunity that management decides against for strategic, risk-related or other reasons. However, it is expected, within an ERM oriented business, that the risks of taking or avoiding an opportunity are considered and addressed. When an insurer offers a new type of coverage for exposures such as supply chain, or cyber or reputation for the first time, the risk is great. That is because there is often no historical loss data upon which to estimate losses and price the product. For initial losses, there is no historical data to use in setting up an adequate reserve. Additionally, there is no guarantee that enough business will be written to create a large enough pool of policy holders (law of large numbers) to spread the odds of loss enough to produce favorable outcomes. The ERM process that insurers employ compels them to look for opportunity risks and to devise ways to ameliorate the risks. How do insurers do this? They build their risk mitigation action plans using expertise across their many functions. For new product risk, insurers might start out by: 1) offering low limits, 2) requiring higher deductibles or self-insured retentions, 3) buying more reinsurance or partnering with a reinsurer on the new book of business, or 4) charging prices that may appear to be high but that take into account the risk-adjusted cost of capital. In other industries, new products also pose opportunity risks. Key questions to ask include: Will the new product reach the required ROI set for it within the timeframe set? Will the new product cannibalize some existing product or products? Will the new product create issues related to product recall, patent infringement or other lawsuits? Through the application of a robust ERM process, all or most of the risks can be identified and mitigation action plans developed. This creates a safety net for the company and makes it more likely that it will get more comfortable and proficient at product innovation. There are so many types of opportunity risk beyond new products. ERM can help with each of them.