 | Enterprise Risk Management And The Smaller Insurer | |
| | | Publication date: 26-Nov-07, 09:27:55 EST | |
Reprinted from
RatingsDirect
|
|
|
| |
| | | |
Standard & Poor's Ratings Services introduced enterprise risk management (ERM) as one of the eight main categories of its analysis of insurers in October 2005. Prior to that, however, risk management had always been the focus of the analysis, although in a less explicit form. This is because risk is at the heart of what insurers do and what Standard & Poor's assesses in its credit ratings. For most insurers, ERM resulted in a reorganization of pre-existing analysis rather than the introduction of many new requirements. Since the introduction, ERM evaluation has provided a more disciplined tool to understand how the insurer manages its risks as part of the rating rationale. ERM is substantially aligned with Solvency II in Europe and it is also aligned with the recent paper published by the International Association of Insurance Supervisors (IAIS) in October 2007, titled "Guidance Paper On Enterprise Risk Management For Capital Adequacy And Solvency Purposes". Insurers may find that ERM analysis will help in their preparation for any reviews of risk management practice by regulators. While Standard & Poor's has published a vast library of criteria that define how we evaluate an insurer's ERM capabilities, we do not expect to bring all of that material to bear with most insurers. For the smaller insurer, our primary objective is to make sure that we have a discussion of the methods that management uses to control the primary risks of the insurer. We have prepared a brief summary of our ERM criteria that a smaller insurer can use. (For more information, see "Criteria: Summary Of Standard & Poor's Enterprise Risk Management Evaluation Process For Insurers," published on Nov. 26, 2007, on RatingsDirect.) While this guide does describe all five of the categories of our ERM review--risk management culture, risk controls, emerging risks management, risk models, and strategic risk management--we expect that the discussions with smaller insurers will focus mainly on the first two categories. Insurers can normally achieve adequate ERM overall, provided these two categories are assessed as adequate. Higher scores for ERM typically require positive assessments of the remaining three categories.
The Smaller Insurer |
For a smaller insurer, Standard & Poor's would expect that the ERM review would take place primarily as a portion of the annual management meeting, typically to take up an hour or two of that meeting in the year of implementation (at subsequent reviews, updates will likely consume less time as they will focus on changes since the last review). The objective of that discussion will be to verify the primary risks of the insurer and to ascertain whether management has processes to control those primary risks. If that discussion reveals indications of a high degree of management commitment to a more formalized risk management program, then further discussions might be warranted. This would allow Standard & Poor's to gather the information about the degree to which the insurer has progressed, beyond the basic loss control aspects of risk management, to develop and use processes that allow the insurer to gain value from active management of returns and risks. ERM evaluation is applied to all the insurers and reinsurers we rate. All insurers, independent of their size and complexity, need to have capabilities to limit their risk exposure and losses to within appropriate tolerances. Those capabilities do not need to sophisticated. Our approach for evaluating ERM is tailored to the risks of each insurer and to the complexity of the risks. In addition, our expectations for risk management programs may vary with the size and complexity of the organization. For example, we recognize that smaller insurers might have an inherent advantage over larger groups in the risk management area. The limited organizational distance between the executives and the employees who perform the day-to-day tasks in the insurer that would change the insurer's risk position means that controls are easier to implement and oversee. We also recognize that these smaller insurers do not need to have a separate formal risk management function, and the tasks of this function can be performed by the management with some form of independent review. However, the firm should be able to articulate who among senior management are responsible for risk management decisions for each risk. Similarly, the investment required, in terms of time and money, to develop a risk-capital model can be substantially lower than more complex and larger insurers. Simple solutions may well be an appropriate approach rather than an industrialized fully stochastic model that some international firms are developing. |
 |
Importance Of Enterprise Risk Management To The Insurer Rating |
In addition, as with all areas of analysis by Standard & Poor's, the importance of ERM to the rating varies with each insurer. For example, if an insurer's business is simple and management is risk adverse, our assessment of ERM is less likely to have a material impact on the final rating conclusion. For the vast majority of small to midsize insurers, an adequate ERM score is appropriate for their business. An adequate score means that the insurer has fully functioning risk controls for all their important risks, albeit looking at their risks separately, and therefore is likely to be able to prevent losses greater than their risk tolerance--but might be exposed to extreme losses from unexpected accumulations of risks. These requirements are not overly complex and are what well run insurers have been doing for many years. This explains why at this stage about 85% of insurers globally have been assessed has having adequate ERM. |
|
Smaller Insurers Could Gain From Stronger Enterprise Risk Management Processes |
However, in Standard & Poor's opinion, these smaller insurers, like their larger peers, could benefit from a strong ERM process as over time they are more likely to produce better results due to the impact of strategic risk management. While risk controls provide the downside protection, strategic risk management produces the upside pay-off from risk management. Strategic risk management needs a consistent basis for the comparison of all risks and for the majority of insurers--this is some form of risk-based capital. Through the strategic risk management processes, the insurer works to optimize their risk-adjusted returns. In the management of an insurer, there are a number of choices to be made. These decisions are relevant to all insurers as there will always be decisions to be made that will have a different impact on the risk profile and potentially the expected returns of the insurer. A life insurer will have to choose whether to structure their products with equity risk, interest rate risk, or mortality/morbidity/longevity risk. A general insurer will have to decide which lines of business to write, and what the mix of business should be. All insurers will have to choose how much risk to cede, and in which form and all insurers, even the smaller and less complex ones, will have to choose how to invest their assets, for example, bonds, equities, real estate, and hedge funds. If an insurer has a process to assess these decisions based on risk and reward information, where the risk is measured using risk-based capital models or formulae that is linked to the actual risks of the insurer, this is strategic risk management. Over time, Standard & Poor's expects that an insurer that consistently makes decisions that maximizes its risk and reward profile will produce better operating results over time. Standard & Poor's has highlighted in a number of publications that Solvency II should be an important consideration for European firms now and not be put off until the last minute. An ERM review by Standard & Poor's can help an insurer identify areas where their risk management practices can be improved in advance of a regulatory review for Solvency II. This information can allow insurers to develop the required processes or make decisions in plenty of time. The recent publication by the IAIS also highlights a global desire to increase the focus on a company's risk management practices and also on their own risk and solvency assessment. |
|
|
Analytic services provided by Standard & Poor's Ratings Services (Ratings Services) are the result of separate activities designed to preserve the independence and objectivity of ratings opinions. The credit ratings and observations contained herein are solely statements of opinion and not statements of fact or recommendations to purchase, hold, or sell any securities or make any other investment decisions. Accordingly, any user of the information contained herein should not rely on any credit rating or other opinion contained herein in making any investment decision. Ratings are based on information received by Ratings Services. Other divisions of Standard & Poor's may have information that is not available to Ratings Services. Standard & Poor's has established policies and procedures to maintain the confidentiality of non-public information received during the ratings process.
Ratings Services receives compensation for its ratings. Such compensation is normally paid either by the issuers of such securities or third parties participating in marketing the securities. While Standard & Poor's reserves the right to disseminate the rating, it receives no payment for doing so, except for subscriptions to its publications. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees. |
|
|
