In Black & White

Freeing Finance & Budget Departments from Drudgery One Article at a Time

Insurance Risk Management vs. Enterprise Risk Management

  • Ed McCaulley
  • In Control

Comparing and Contrasting Two Approaches

The goal of risk management, in its myriad forms, is to help organizations achieve their objectives by minimizing threats and maximizing opportunities. Prominent approaches include Insurance Risk Management and Enterprise Risk Management (ERM). In this blog, we will highlight the similarities and differences between these two strategies.

Historical Perspective

As a formalized discipline, the insurance industry started in the late 1600s in a popular London gathering place for shipping magnates named Lloyd’s Coffee House. Ships returning from long voyages, laden with trade goods, represented an enormous financial windfall to their owners. However, the risks were significant, and many ships never returned, becoming lost at sea due to weather, pirates, or simply poor decisions. Initially, groups of owners got together and started sharing risks, taking a stake in each other’s ships and cargo so that a successful voyage benefited all owners, and a lost ship did not become a financial catastrophe for a single owner.

Over time, these risk-sharing arrangements evolved into risk transfers. Individual investors would promise to repay the ship owner in the event of a loss, and in exchange, they would receive a premium. To formalize these arrangements, investors (insurers) would literally write their names under the text describing the possession or event for which they were assuming some risk. This gave rise to the term “written under,” or underwriting.

In comparison, Enterprise Risk Management does not have a storied background; in fact, the discipline is still being developed. In the mid-1990s, several high-profile company failures prompted the creation of the COSO Internal Control – Integrated Framework. Published in 1992, this initial COSO model quickly became the de facto standard to guide an organization’s internal control activities. However, in the years following its release, organizations began to realize there were gaps. In 2004, COSO came out with the Enterprise Risk Management – Integrated Framework, which broadened the scope of the model from financial reporting and fraud risks to include all risks impacting an organization’s objectives. In 2009, the International Organization for Standardization came out with ISO 31000, a family of standards related to risk management. ISO 31000 provided thought leadership on the practical side of risk management, including guidelines and practical advice for implementation. The COSO Internal Control and ERM frameworks were updated in 2013 and 2017, respectively.

Insurance Risk Management

At its core, Insurance Risk Management involves the treatment of risk through risk transfer. This approach leverages insurance products to shield against financial losses stemming from unforeseen events. Here are some of its defining characteristics:

  • Risk Transfer Principle: Insurance Risk Management principally focuses on transferring risk from the insured party to the insurance provider through the payment of premiums. However, the risk must be an “insurable risk,” which requires that the loss be accidental and unintentional, and determinable and measurable; that the chance of loss be calculable; and that the premium be economically feasible.
  • Tailored Risk Coverage: This coverage is focused on specific risks, like property damage from fire or flood; personal injury to customers, consumers, or employees for failing to meet some fiduciary standard; or business losses from natural disasters. These risks are covered by various insurance policies, including property, liability, and business interruption insurance, for example. Insurers analyze specific risks and tailor coverage to address those risks explicitly, as defined in the insurance contract.
  • Financial Safeguarding: The primary objective here is to provide financial protection in the event of unexpected occurrences, ensuring organizations can rebound from losses without severe financial repercussions.
  • Claims Management: Whether an organization is self-insured or purchases insurance, it has a role in managing its own claims, specifically looking at the root cause leading to a loss and determining whether policy or process changes are necessary. For self-insured organizations, additional tasks include determining the legitimacy of the claim (aka claims adjudication), settling claims, paying claims, and establishing claims reserves.
  • Premium Reduction: An organization’s secondary objective is to reduce its premium payments by implementing other mitigants to reduce risks. For example, a policy stating that all firefighters employed by a municipality must wear protective clothing when responding to a call helps to reduce accidents and potential injury, thereby reducing claim frequency and severity, reducing an insurer’s claims costs, and (hopefully) leading to reduced insurance premiums for the municipality.

Enterprise Risk Management (ERM)

In contrast to Insurance Risk Management, Enterprise Risk Management (ERM) involves a holistic approach, encompassing a systematic methodology to identify, assess, prioritize, and manage risks across an entire organization. Key aspects include:

  • Holistic Perspective: ERM casts a wide net, considering risks across all organizational facets, spanning financial, operational, strategic, information technology, and compliance realms. It involves evaluating how these risks interconnect and influence an organization’s overarching objectives.
  • Strategic Integration: ERM seamlessly integrates risk management into an organization’s strategic planning, aligning risk considerations with decision-making processes and value creation. ERM is a method for aligning risk with acceptable tolerance, starting with the organization’s strategy, which requires thinking through and identifying the risks the organization is willing to accept, those it wishes to avoid, and those for which it has an appetite.
  • Risk Culture and Governance: ERM emphasizes nurturing a risk-aware culture within the organization and establishing robust governance structures for effective risk oversight at all levels.

Contrasting Features

While both Insurance Risk Management and ERM aim to mitigate risks, they differ in scope, application, and the treatment of risks.

  • Scope: Insurance Risk Management is more confined and specific, concentrating on particular risks covered by insurance policies. ERM takes a comprehensive view, considering risks holistically across an entire organization.
  • Purpose: Insurance Risk Management primarily seeks to transfer risk and provide financial protection, while ERM aims to integrate risk management into strategic decision-making and bolster overall organizational resilience.
  • Approach: Insurance Risk Management operates within the boundaries of insurance contracts, claims, and premiums, while ERM adopts a strategic approach, embedding risk considerations into daily operations and decision-making.

While both Insurance Risk Management and ERM play pivotal roles in mitigating risks within organizations, they operate on different scales and serve distinct purposes. Recognizing the nuances and intricacies of both approaches is crucial for organizations to effectively navigate the complex landscape of risk they encounter. It is important to note that while transferring risk through insurance is a vital aspect of risk treatment, ERM offers a more comprehensive toolkit, encompassing various strategies beyond mere risk transfer, thus enhancing an organization’s capacity to handle risks proactively.

A robust risk management strategy often incorporates elements from both Insurance Risk Management and ERM to create a comprehensive framework that addresses a wide array of potential threats while aligning with an organization’s strategic goals.

Read how to develop risk appetite/tolerance statements
ERM Toolbox – How to Develop Risk Appetite/Tolerance Statements

  • Ed McCaulley
  • In Control

Risk Appetite and Risk Tolerance Statements

One of the key steps in developing an organization’s enterprise-wide risk management (ERM) framework is establishing written statements regarding its risk appetite and tolerance. These statements serve as guideposts to help employees make both strategic and tactical decisions; thresholds for risk metrics; and benchmarks for assessing whether the organization is comfortable with its own risk profile. They are vastly important. So, who should be involved in developing them and what does that process look like?

As discussed in the first blog in our ERM Toolbox series, “Why Do I Need Risk Appetite and Tolerance Statements?”, establishing an organization’s risk appetite and risk tolerance statements is a vital step. Once an organization has seen the light and made the business case for setting these guidelines, the follow-up question is, “How are these statements developed?” For an organization that has not yet defined its risk appetite and risk tolerance statements, this question can seem intimidating. So, I’ll break it down into three smaller questions:

1. Who should be involved in developing the statements?
2. What is the best way to elicit information from participants?
3. Who should be involved in approving them?

STEP 1: DECIDING WHO SHOULD BE INVOLVED

Invitees to the party usually include the organization’s top level of management, AKA its executive team, senior leadership, or C-suite. This core group of individuals is going to be most familiar with and responsible for achieving the organization’s mission and strategic objectives. Add to this group any subject matter experts who provide necessary insight into certain risks that the organization faces. If an individual’s voice must be heard, either because they are instrumental in achieving strategic objectives or they manage the mitigation of a key risk, invite them. Lastly, include members of the risk management group, whether they’re assigned to a formal, independent risk management function or given ad hoc responsibility.

As a pragmatic concern, the group should not be too large, as it is harder to develop consensus with larger groups. Up to 12 members should suffice.

STEP 2: DRAFTING THE STATEMENTS

Theoretically, risk appetite and risk tolerance statements could be drafted and agreed upon through an iterative series of questionnaires or through software that allows for deep collaboration. However, in my experience, a workshop is the most efficient way. Methods may be dictated by what you are hoping to achieve, namely a consensus on which risks are acceptable and which are not.

Running a Risk Appetite & Risk Tolerance Workshop

Workshops do present their own challenges. However, participant training, competent workshop facilitation, and clear workshop objectives will help address those challenges. Many of the following steps might seem self-evident, but my advice for holding a successful workshop is as follows:

1. Schedule it so that everyone can participate. This is easier said than done, as these people are BUSY!
2. Ensure all participants know what is expected of them during the workshop, both as individual workshop participants and as a group. This can be handled simply by providing a meeting invitation that includes an agenda and location, and establishes workshop “rules” (e.g., no phone calls, texting, or email during the session).
3. Establish a base level of ERM concept knowledge for participants. Understanding of the terms risk appetite, risk tolerance, risk mitigation, and inherent and residual risk, as well as risk types, is important. This training can be provided separately but can be very effective if provided on the same day, ahead of the actual workshop. The goal is full participation from all workshop attendees, not just those who are “in the know.”
4. Request that all participants bring copies of the corporate policies for which they are responsible. For example, the treasurer might bring the banking policy and the CIO might bring the acceptable use policy. These policies often serve as a starting point for risk tolerance statements.
5. Consider hiring a professional facilitator. The facilitator’s job is complex; they must be mindful of assessment bias, prevent or negotiate conflict among attendees, dissuade individuals from dominating the conversation, and encourage participation by those inclined to be wallflowers. Knowing when to table a discussion and move on is also a valuable skill. Rabbit holes explored by just a few individuals can cause the larger group to lose focus.
6. If the number of workshop participants is large or the group is having trouble reaching consensus, consider using break-out sessions based on topic (e.g., risk type), then bringing recommendations back to the full group.
7. At the conclusion of the workshop, summarize outstanding items (there will be some), assign ownership, discuss next steps, and communicate a timeline. Follow up in a timely manner with an email to the participants, providing this same information. Ensure that each individual understands their required deliverables and timeline.
8. About a week after the session, reach out to participants to gauge their impressions of the workshop. Ask if they think the workshop was effective in building consensus around the risks the organization is willing to accept, those that it will not accept, and the delineation between the two.
9. Don’t seek perfection. There is no need for endless debate over each metric, like whether a 3, 4, or 5 percent ROI is ideal. It is natural that, like a new pair of shoes, these initial metrics may need to be adjusted.

STEP 3: OBTAINING APPROVAL

Obtaining approval of the risk appetite and risk tolerance statements is the “blessing” that puts them into practice. They then become the rulebook, the guidebook, the playbook for risk taking. However, the task of gaining approval may reveal additional risk threshold questions that must be answered by management.

Organizations usually have some form of supervisory body on which approval of risk appetite and tolerance statements will fall. In a corporation, this is the board of directors. In a public sector organization, it may be the council. To prepare the board/council for this responsibility and to ensure everyone is in alignment with expectations, they should be given the same baseline ERM training as management. And management should be prepared to respond and adapt to the board/council’s oversight.

CONCLUSION

For an organization looking to define and publish its initial risk appetite and risk tolerance statements, the process can seem intimidating. However, involving the right individuals, holding an effective workshop, and seeking the right approvals can make this process achievable. The key is to effectively channel senior management’s time to discuss, debate, and come to a consensus on enterprise-wide risk constraints. The clarity gained will equip employees to manage their individual risks and empower the organization as a whole to respond to risk more confidently and consistently.

Read the first blog in our ERM Toolbox series.
ERM Toolbox – Why Do I Need Risk Appetite and Tolerance Statements?

  • Ed McCaulley
  • In Control

Risk Appetite and Tolerance Statements: Identifying the Risk You’re Prepared to Accept

Have you ever been skydiving? I have not. To quote Clint Eastwood, “Jumping out of a perfectly good airplane is not a natural act.” Yet the US Parachute Association reported that in 2021, around 39,412 of its members made 3.57 million jumps.

Do you have an adjustable-rate (ARM) or fixed-rate mortgage? When I was younger and poorer, I considered an ARM before choosing a fixed rate. Back then, ARMs were trendy. They became less popular in the low-interest-rate environment of our recent past. Perhaps they’ll gain popularity once again.

Do you drive faster than the speed limit? As a young man, I was clocked at 65 mph in a 35-mph zone. My defense? I was driving a straightaway on a clear, country road. The officer didn’t buy it, and I ended up spending two hours in remedial driving school for “aggressive drivers.”

Why all the questions? To make a point. Both the ways in which each of us measures risk and the amount of risk we’re willing to assume can vary widely. We are individual and unique humans, with awareness and risk tolerance built into our DNA. Brain chemicals like dopamine impact our perception of risk, as do age, gender, race, stress, upbringing, etc.

RISK APPETITE & TOLERANCE FOR ORGANIZATIONS

In 1987, Nick Leeson, a currency trader with Barings Bank, made failed bets on Nikkei futures totaling approximately $1.3 billion. His bets exceeded the total value of his employer’s capital and reserves. As a result, the 233-year-old bank was forced into bankruptcy. One audacious individual brought down a sophisticated and mature organization that most certainly did not share his appetite for risk.

To align risk, it’s important to develop risk appetite and risk tolerance statements: written documentation of the risks an organization is and is not willing to accept.

Risk appetite statements serve as guidelines for developing strategic plans, operational processes, and business continuity plans. An excellent example is TD Bank’s statement, which reads as follows:

TD takes risks required to build its business, but only if those risks:
  • Fit its business strategy, and can be understood and managed.
  • Do not expose the enterprise to any significant single-loss events.
  • Do not risk harming the TD brand.

Here’s another example from the Office of the Comptroller of the Currency (OCC):

The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure.

The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives.

The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.

Risk tolerance statements further refine and “operationalize” broader appetite statements to provide specific context. They serve as tangible risk limits, setting clear boundaries within which a business must operate. Risk tolerance statements must be measurable, realistic, and capable of being monitored. For example:

  • At all times, the [organization] will maintain a rating of [xx] from [rating agency]
  • Annual employee turnover will not exceed [xx%]
  • Operational losses will not exceed [xx%] of [transaction type]
  • Minimum investment grade of no less than “A” for investment securities

For many risks, there is a range of acceptable levels. Let’s take information security risk as an example. We want to avoid this risk, right? What is the easiest way to do so? Disconnect all your computers from the internet. But taking this extraordinary step has consequences: no (external) email, no cloud computing, and no working from home. In other words, requiring zero risk can hamper or even prevent us from accomplishing our objectives. Recognizing the benefits of being interconnected, most organizations have chosen to accept some level of information security risk. Some level of risk is fine, but too much risk is not. Over time, navigation of these risks starts to resemble a road, with edge lines and guard rails; the acceptable place to drive is in the middle.

WHAT DO I DO WITH RISK APPETITE AND RISK TOLERANCE STATEMENTS?

Use them. Ensure that individuals who make decisions affecting the organization’s risk profile understand these statements. Decision makers should consider how their choices affect an organization’s risk level, specifically whether their decisions leave the organization within its established risk appetite and tolerance parameters or push the organization outside those limits.

Report on them. Senior executives and risk committees should require regular updates on their organization’s status related to risk appetite and risk tolerance statements. Discussions might include: Is the organization within its risk tolerance for 15 of its 16 metrics? If so, how does the organization feel about the final metric? If the organization is uncomfortable accepting this level of risk, then the metric effectively identifies an area that needs attention. Risks in this area need to be reduced. In contrast, if the organization does not feel that current risks are unacceptable, then risk metrics might need adjustment. This is common. Initial risk metrics are like a new pair of shoes; you need to experience them for a while to see if they pinch.

Don’t let them get stale. The last thing you want to do is create these statements, then put them on the shelf and forget them. Just as organizations change over time, so does risk appetite. Periodically revisit your organization’s risk appetite and risk tolerance statements to determine whether they are still appropriate and relevant or need to be adjusted. Also consider whether the statements are understood by everyone or require additional context. We recommend conducting this evaluation while developing a strategic plan. After all, where we want our organization to go and where we don’t want it to go are interrelated considerations.

CONCLUSION

Risk appetite and risk tolerance statements provide important guidance to employees about which risks are acceptable and which are not. They help align individual employee tolerances to organization-wide tolerances, for more consistent risk response across the board.