Criteria: Summary Of Standard & Poor's Enterprise Risk Management Evaluation Process For Insurers (Criteria 11-26-2007)
Publication Date: Nov 26, 2007 12:35 Europe/London
Reprinted from RatingsDirect

Standard & Poor's Ratings Services' summary of its global insurance criteria on enterprise risk management (ERM) practices will help small and medium-sized insurers prepare for an ERM review (see also "Enterprise Risk Management And The Smaller Insurer"). We highlight the importance of considering risks when making strategic decisions. Further publications regarding our ERM criteria can be found at www.erm.standardandpoors.com.

When evaluating ERM capabilities, Standard & Poor's primarily looks at how an insurer's management defines the firm's loss tolerance and how it ensures that it keeps within that loss tolerance. We also focus on the degree to which the management accounts for risk and return for risk taking in setting corporate direction and in strategic decision-making.

Our evaluation of a firm's ERM is primarily a subjective view of the quality of management practices. The focus is on seeking evidence that ERM practices are being carried out in a systematic and consistent way. Practices should help control future losses predictably and lead to an optimal risk/reward structure for the insurer's businesses. They will be compared to the company's risks and compared with practices at peer companies with similar risks. Standard & Poor's expects to see sophisticated risk-management practices being used to deal with sophisticated risks. Insurers are viewed as having "excellent," "strong," "adequate," or "weak" ERM. Standard & Poor's evaluates ERM quality in five areas.

Risk-Management Culture
In a positive risk-management culture, risk and risk management are important considerations in the everyday aspects of corporate decision-making. To evaluate the strength of an insurer's risk-management culture, we look at organizational and governance structures for the management of risks, and at communication of risk and risk management. The risk-management culture and size of the group will influence the staffing and organizational structure of the people who are charged with executing the risk-management function. They will also affect governance structures for risk management. Structures will indicate the degree of influence that risk-management staff exert on decision-making. An insurer with a strong risk-management culture will have a very transparent risk-management process within the company and with other interested parties through their public communications.

We also examine whether an insurer has clearly articulated its risk tolerance. An insurer that has not done so would be judged to have a less favorable risk-management culture. Insurers able to show how their risk tolerance and risk limits have developed from an overall risk appetite reflecting their risk preferences are considered to have a more favorable risk-management culture than those that set arbitrary risk limits for various risks.

Risk Controls
Risk control is achieved through identifying, measuring, and monitoring risks. Firms set and enforce risk limits and meet them through risk-management processes such as avoiding, transferring, and offsetting risks. We evaluate risk-control processes for each of an insurer's important risks. It is important that the overall corporate risk tolerances are consistent with the specific risk limits. We also review summary descriptions of risk-control programs and examples of how the programs are executed. We are looking for insurers whose programs are structured to effectively deliver the risk control needed to maintain the exposures and losses within the risk tolerances. The programs should be executed consistently and be sufficiently embedded in everyday practices that future execution can be reliably inferred.

Emerging Risk Management
A solid risk-management program must consider risks that do not currently exist or are not currently recognized, but that might emerge following changes in the environment. For these risks, normal risk identification and monitoring will not work because the frequency and impact are usually completely unknown. Nevertheless, experience shows that when they materialize, they have a significant impact on insurers and therefore cannot be excluded. Emerging risks may appear slowly, are difficult to identify, and represent an idea more than existing circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is not proven. Asbestos is a good example from the past; other examples could derive from nanotechnology, genetically modified food, or climate change.

Specific strategies and approaches must be considered to cope with these risks properly. Common emerging-risk control practices include trend analysis, stress testing, contingency planning, problem post mortem, and risk transfer. We look for evidence that insurers are managing emerging risks in anticipation of problem events. We also look at how effective emerging-risk management was during and after adverse events. For example, was information on the exposure of the insurer to loss from the event available promptly, was the insurer's response to the event surefooted and timely, were losses moderated in some fashion, and can the insurer point to a clear set of lessons learned and adjustments made to procedures?

Risk And Economic Capital Models
Risk and economic capital models are an important part of a strong ERM program. Effective risk management requires a smooth flow of information about risk positions and their possible impact on the insurer. Standard & Poor's assesses the insurer's risk models in relation to its risks and to how it processes the information from its models. An insurer with effective risk models will be able to show that the models produce the information needed to perform the basic risk-control functions that are needed to keep losses within its risk tolerances. Its management should also understand the models clearly.

The risk models need to produce information that is sufficiently accurate, up to date, and timely to drive correct and well-timed risk-management decisions and actions. The insurer should also undergo a regular process to validate its models, and a process to update both the data about the business activity being modeled and the assumptions used in the models. If the firm uses different models to meet different objectives, then the two models need to be reconciled regularly. The models need to be sufficiently robust to produce insight into all of the risks that are retained, as well as the risks that are written but not retained. They also need to provide information that is both descriptive of the size of the risk and actionable in managing the risks.

To accomplish strategic risk management (SRM), insurers need to determine the risk capital that is associated with their products, investments, and operations. Evaluation of an insurer's processes for developing risk capital involves looking at the underlying assumptions, data flows, validation, and calculation processes. We request that insurers that use regulatory or rating agency risk-based capital formulas without modification demonstrate that those models appropriately capture the risks of their specific business. We consider insurers that modify those formulas appropriately to reasonably approximate the capital needed to support their risk positions to have adequate practice in this area.

Economic capital models are sophisticated and detailed models that produce spot values for capital needs, often linked closely to specific market values on the exact day of the calculation. For very complex risks, economic capital models might be the only reasonable way to identify capital needs. Standard & Poor's looks for evidence that processes:
- Appropriately develop risk capital amounts consistent with the insurer's risks and risk-management programs;
- Have an update and validation process that produces a result consistent with the intent of the insurer; and
- Are produced on a schedule that will support usage in the insurer's SRM processes.

Standard & Poor's continues to develop robust methodologies to help us evaluate insurers' economic capital processes and to inform our overall view, particularly of the financial strength and capitalization of insurers. This review will only be performed for companies that are found to have effective and coordinated processes for risk control, business continuity, risk-management culture, and risk models.

Strategic Risk Management
SRM is the process that an insurer uses to incorporate the ideas of risk, risk management, and return for risk into the corporate strategic decision-making processes. Risk capital is usually a key concept in these processes. Standard & Poor's analysis of SRM starts with understanding the risk profile of the insurer and getting management to explain the reasons for recent changes in the risk profile and the changes it expects to make in future. Risk profile can be expressed in terms of risk capital for various risks or for each of the insurer's businesses. Insurers might also be able to express an understanding of the sensitivities of that risk profile to various factors. We consider the method used to allocate any diversification benefit that is incorporated into the risk profile and the impact of this choice on the strategic decisions made using the risk capital.

Strategic processes that could be affected by risk and risk-management thinking include capital budgeting, strategic asset allocation, product risk/reward standards, risk-adjusted financial targets and performance measurement, dividend practices, and incentive compensation. The degree to which risk capital is vital to these processes and to which risk and risk management are a consideration in these processes is indicative of the quality of SRM.

ERM Within The Rating Process
Definitions Of ERM Classifications

| Classification | Definition |
| --- | --- |
| Excellent | Insurer has extremely strong capabilities to consistently identify, measure, and manage risk exposures and losses within the company's predetermined tolerance guidelines. There is consistent evidence of the enterprise's practice of optimizing risk-adjusted returns. Risk and risk management are always important considerations in the insurer's corporate decision-making. Excellent ERM programs share all the criteria for programs considered Strong but are more advanced in their development, implementation, and execution effectiveness. An Excellent ERM insurer will have developed its process more fully over time, may have implemented it throughout a higher percentage of its group, or may be executing the process more effectively. |
| Strong | Strong ERM insurers have exceeded the Adequate criteria for risk control and have a vision of their overall risk profile, an overall risk tolerance, a process for developing the risk limits from the overall risk tolerance that is tied to the risk-adjusted returns for the various alternatives, and a goal to optimize risk-adjusted returns. In addition, Strong programs have robust processes to identify and prepare for emerging risks. Standard & Poor's expects ERM to be a competitive advantage for these insurers over time. The process of selecting choices that have the best risk-adjusted returns should result in lower losses per unit of income over time, allowing these insurers to choose between offering lower prices, paying higher dividends, retaining higher capital, or obtaining capital at a lower net cost than competitors without the ERM advantage. |
| Adequate | Adequate insurer ERM programs have fully functioning risk control systems in place for all major risks. The risk management process is solid, classical, and silo-based. Most insurers fall into this category. These insurers often lack a clear vision of their overall risk profile and often lack overall risk tolerance. Risk limits for various risks have usually been set independently, and systems for each risk element usually function completely separately, without any significant coordination across silos of its risks. Adequate insurers also lack a robust process for identifying and preparing for emerging risks. Since neither cross-risk view nor overall risk tolerance exists, no process to optimize risk-adjusted return can exist. Standard & Poor's does not expect these companies to experience any unusual losses outside their separate risk tolerances unless a rapid, major change occurs in the environment related to one or more of their major risks. Insurers can also have Adequate ERM if the insurer has developed a cross-risk view and an overall risk tolerance, uses risk-return considerations for its business decisions, and has a process for envisioning the next important emerging risk, but does not have fully developed controls. |
| Weak | Insurer has limited capabilities to consistently identify, measure, and manage risk exposures across the company and thereby limit losses. Execution of its risk-management program is sporadic, and losses cannot be expected to be limited in accordance with a set of predetermined risk/loss tolerance guidelines. Risk and risk management are sometimes considered in the insurer's corporate decision-making. Business managers have yet to adopt a risk-management framework, are satisfying regulatory minimums without regularly applying risk management to their business decisions, or have very recently adopted a risk-management system that has yet to be tested. |

We combine our evaluation of each of the five areas discussed above into a single classification (see table) indicating the quality of the insurer's ERM. We give each factor a weighting according to the specific situation each individual insurer is facing.

The weighting given to ERM in our evaluation depends on the insurer's risks and its capacity to absorb losses. For an insurer with a high capital position and/or excellent access to capital (financial flexibility) and a business plan that concentrates on retaining only those risks that are less complex and well understood by the company, ERM will be less important in forming the overall rating decision for the company. For insurers with tight capital and/or limited access to capital that are exposed to very complex risks, ERM will be a very important part of the rating decision.

That said, capital is not a substitute for ERM. A company with a high capital position still needs to be able to demonstrate that it can maintain that position by limiting future losses, and we still consider an insurer with more capital to be more secure than an insurer with less capital.

Strategic Risk Management Adds Value
The definitions of our ERM classifications demonstrate that we place a high value on SRM. Other aspects of ERM mainly focus on limiting downside. But SRM focuses on the upside. This is where ERM can add real value. An insurer practicing SRM will use its risk insights and take a portfolio management approach to look at all of its risks at the same time using the same measure for risk. It will look at the possible combinations of risks that it can take and the earnings that it can achieve from the different combinations of risks taken and risks retained. It will undertake to "optimize" its risk-reward result from a very quantitative approach.

For life insurers, that means making strategic trade-offs between products with credit, interest rate, equity, and insurance risks, based on a long-term view of risk-adjusted returns from products with those risks. It means choosing which to write, how much to retain, and which to offset. Life insurers using SRM set limits that will form the boundaries for their day-to-day risk selection. These limits allow them to adjust the exact amount of these risks based on short-term fluctuations in the insurance and financial markets.

For non-life insurers, SRM involves making strategic trade-offs between insurance risk, credit risk (on reinsurance ceded), and all aspects of investment risk based on a long-term view of risk-adjusted return for all of those risks. SRM practitioners recognize the significance of investment risk to their total risk profile.

Analytic services provided by Standard & Poor's Ratings Services (Ratings Services) are the result of separate activities designed to preserve the independence and objectivity of ratings opinions. The credit ratings and observations contained herein are solely statements of opinion and not statements of fact or recommendations to purchase, hold, or sell any securities or make any other investment decisions. Accordingly, any user of the information contained herein should not rely on any credit rating or other opinion contained herein in making any investment decision. Ratings are based on information received by Ratings Services. Other divisions of Standard & Poor's may have information that is not available to Ratings Services. Standard & Poor's has established policies and procedures to maintain the confidentiality of non-public information received during the ratings process.
Ratings Services receives compensation for its ratings. Such compensation is normally paid either by the issuers of such securities or third parties participating in marketing the securities. While Standard & Poor's reserves the right to disseminate the rating, it receives no payment for doing so, except for subscriptions to its publications. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.