Insurance Risk Management vs. Enterprise Risk Management


Posted by Ed McCaulley

Topic(s): In Control, ERM


Comparing and Contrasting Two Approaches

The goal of risk management, in its myriad forms, is to help organizations achieve their objectives by minimizing threats and maximizing opportunities. Prominent approaches include Insurance Risk Management and Enterprise Risk Management (ERM). In this blog, we will highlight the similarities and differences between these two strategies. 


Historical Perspective

As a formalized discipline, the insurance industry started in the late 1600s in a popular London gathering place for shipping magnates named Lloyd’s Coffee House. Ships returning from long voyages, laden with trade goods, represented an enormous financial windfall to their owners. However, the risks were significant, and many ships never returned, becoming lost at sea due to weather, pirates, or simply poor decisions. Initially, groups of owners got together and started sharing risks, taking a stake in each other’s ships and cargo so that a successful voyage benefitted all owners, and a lost ship did not become a financial catastrophe to a single owner.  

Over time, these risk-sharing arrangements evolved into risk transfers. Individual investors would promise to repay the ship owner in the event of a loss, and in exchange, they would receive a premium. To formalize these arrangements, investors (insurers) would literally write their names under the text describing the possession or event for which they were assuming some risk. This gave rise to the term “written under” or underwriting.

In comparison, Enterprise Risk Management does not have a storied background; in fact, the discipline is still being developed. In the mid-1990s, several high-profile company failures prompted the creation of the COSO Internal Control – Integrated Framework. Published in 1992, this initial COSO model quickly became the de facto standard guiding an organization’s internal control activities. However, in the years following its release, organizations began to realize there were gaps.

In 2004, COSO came out with the Enterprise Risk Management – Integrated Framework, which broadened the scope of the model from financial reporting and fraud risks to include all risks impacting an organization’s objectives.

In 2009, the International Organization for Standardization came out with ISO 31000, a family of standards related to risk management. ISO 31000 provided thought leadership on the practical side of risk management, including guidelines and practical advice for implementation. The COSO Internal Control and ERM frameworks were updated in 2013 and 2017, respectively.


Insurance Risk Management

At its core, Insurance Risk Management involves the treatment of risk through risk transfer. This approach leverages insurance products to shield against financial losses stemming from unforeseen events. Here are some of its defining characteristics: 

  1. Risk Transfer Principle: Insurance Risk Management principally focuses on transferring risk from the insured party to the insurance provider through the payment of premiums. However, the risk must be an “insurable risk,” which requires that the loss be accidental and unintentional, determinable and measurable; the chance of loss must be calculable; and the premium must be economically feasible. 

  2. Tailored Risk Coverage: This coverage is focused on specific risks, like property damage from fire or flood; personal injury to customers, consumers, or employees for failing to meet some fiduciary standard; or business losses from natural disasters. These risks are covered by various insurance policies—including property, liability, and business interruption insurance, for example. Insurers analyze specific risks and tailor coverage to address those risks explicitly, as defined in the insurance contract.

  3. Financial Safeguarding: The primary objective here is to provide financial protection in the event of unexpected occurrences, ensuring organizations can rebound from losses without severe financial repercussions.

  4. Claims Management: Whether an organization is self-insured or purchases insurance, it has a role in managing its own claims—specifically, looking at the root cause leading to a loss and determining whether policy or process changes are necessary. For self-insured organizations, additional tasks include determining the legitimacy of the claim (aka claims adjudication), settling claims, paying claims, and establishing claims reserves.

  5. Premium Reduction: An organization’s secondary objective is to reduce its premium payments by implementing other mitigants to reduce risks. For example, a policy stating that all firefighters employed by a municipality must wear protective clothing when responding to a call helps to reduce accidents and potential injury, thereby reducing claim frequency and severity, reducing an insurer’s claims costs, and (hopefully) leading to reduced insurance premiums for the municipality. 

Enterprise Risk Management (ERM)

In contrast to Insurance Risk Management, Enterprise Risk Management (ERM) involves a holistic approach, encompassing a systematic methodology to identify, assess, prioritize, and manage risks across an entire organization. Key aspects include:

  1. Holistic Perspective: ERM casts a wide net, considering risks across all organizational facets—spanning financial, operational, strategic, information technology, and compliance realms. It involves evaluating how these risks interconnect and influence an organization's overarching objectives.

  2. Strategic Integration: ERM seamlessly integrates risk management into an organization's strategic planning, aligning risk considerations with decision-making processes and value creation. ERM is a method for aligning risk with acceptable tolerance, starting with the organization’s strategy, which requires thinking through and identifying the risks it is willing to accept, those it wishes to avoid, and those for which it has an appetite.

  3. Risk Culture and Governance: ERM emphasizes nurturing a risk-aware culture within the organization and establishing robust governance structures for effective risk oversight at all levels. 

Contrasting Features

While both Insurance Risk Management and ERM aim to mitigate risks, they differ in scope, application, and the treatment of risks. 

  • Scope: Insurance Risk Management is more confined and specific, concentrating on particular risks covered by insurance policies. ERM takes a comprehensive view, considering risks holistically across an entire organization.

  • Purpose: Insurance Risk Management primarily seeks to transfer risk and provide financial protection, while ERM aims to integrate risk management into strategic decision-making and bolster overall organizational resilience.

  • Approach: Insurance Risk Management operates within the boundaries of insurance contracts, claims, and premiums, while ERM adopts a strategic approach, embedding risk considerations into daily operations and decision-making.

While both Insurance Risk Management and ERM play pivotal roles in mitigating risks within organizations, they operate on different scales and serve distinct purposes. Recognizing the nuances and intricacies of both approaches is crucial for organizations to effectively navigate the complex landscape of risk they encounter. 

It is important to note that while transferring risk through insurance is a vital aspect of risk treatment, ERM offers a more comprehensive toolkit, encompassing various strategies beyond mere risk transfer, thus enhancing an organization's capacity to handle risks proactively. A robust risk management strategy often incorporates elements from both Insurance Risk Management and ERM to create a comprehensive framework that addresses a wide array of potential threats while aligning with an organization's strategic goals. 


Originally Posted on 21 February, 2024
