ERM for all

Henry Essert, Managing Director, PwC

I’ve spent most of the last 20 years of my career in enterprise risk management (ERM), focusing primarily on financial services (mostly insurance) and to a lesser degree on other sectors (power generation, infrastructure development, retail). I’ve been an industry practitioner (CRO of a major insurance company) and a consultant (now PwC insurance risk practice leader). During those 20 years, I’ve started almost all introductions to ERM by explaining that, when considering risk management, there are two types of institutions: financial services companies (primarily insurance companies and banks) that take on risk as a business and all the rest. And ERM is very different between them. However, ERM at insurers and other financial services companies now has a lot more in common with ERM at other kinds of companies. This could have profound implications for what insurers can learn from the others and vice versa.


Let me explain:

An insurer is in the business of taking on risk to make a profit. The insurer takes on a policyholder’s insured event, with its uncertain outcome and cost, and replaces it with a guaranteed cost (i.e., the insurance premium). How does the insurer do that and expect to make money? By insuring many similar policyholders and utilizing pooling, also called the law of large numbers. Insurers use this to predict that the total premium they charge across all policyholders will be enough to pay all policyholders’ claims, with a little left over for their own profit. This simple idea and another one called hedging (placing an opposite bet that’s priced so that, again, there will be something left over for their profit) are how insurers manage their risk-taking. Whether the risk is insurance, credit, or market, pooling and hedging help determine that total income will be more than enough to pay total costs.

For the last 20 years, ERM in insurance has used pooling and hedging to manage insurance, credit and market risk. Insurers also have used mathematical concepts like the central limit theorem to address not just the average of all the claims but also the likelihood that the average will be higher or lower than expected. (Insurers don’t want claims to be higher than expected.) Using a concept called value at risk, or VAR, they assign a riskiness measure based on how big a really bad deviation can be. Because insurers want to be certain that they have enough premium in total to pay claims, types of coverage or subgroups of policyholders with a low VAR are more attractive (and pay lower premiums) than those with a higher VAR.

Well-run insurance companies have become very good at using these tools, and they no doubt will continue to improve their effectiveness and efficiencies. But many insurers are realizing that they also need to turn their attention to other risks and other tools. VAR and the risks insurers have traditionally managed are unique to risk-taking companies. But other risks and other tools are not.

There are two reasons insurers are focusing their attention on other risks and tools:

• First, as we noted, they have a good handle on insurance, credit, and market risk using the tools they have already developed. These risks, along with operational risks, are sometimes called “capital risks.” Insurers hold capital, in amounts often stipulated by regulators, to make sure they can cover claims even in the unlikely event costs significantly exceed the premiums they set.

But these are not the only risks an insurer faces. Like other businesses, they now face, as never before, strategic risk, the risk that the business strategy they are currently pursuing will cease to be viable in the future. They face business risks, the risk that the pursuit of their current viable business model will be derailed by (for example) events that harm their reputation and reduce their attractiveness to existing and potential customers. They face liquidity risk, the risk they won’t be able to raise enough cash to pay their claims. Lastly, they face model risk, the risk that the information and algorithms they use to run their business are flawed.

• Second, market forces are such that these “new” risks, especially strategic risk, have never been more critical than they are now. Many observers believe that the viability of many parts of the traditional insurance business model is in serious jeopardy. For example, self-driving cars and trucks will have a profound and lasting impact on auto insurance. So will telematics that can measure how far, fast and safely customers drive. On the life and annuity side, persistently low interest rates have made many products unattractive and provide little room to pay costly distribution channels. Other, more inexpensive options for accumulating retirement savings abound. For all types of insurance, customer needs and buying patterns are changing in unprecedented ways. Many potential customers have virtually no experience with a personal sales pitch, much less one done face-to-face over the kitchen table.

Insurers can’t address strategic risks and other new risks with VAR, and their other tools, like stress testing, need enhancement. Moreover, the model risk of the information and algorithms they use to build and manage their new types of business will need the same attention as in their traditional business. As insurers look to address these new risks, they would do well to look outside of the financial services sector. The experience and expertise of the business world can help them solve their new ERM issues. For example, insurance is not the first industry to have faced the strategic risk of disruption from new technology and new entrants who better understand that technology. How did the “winners” in those industries behave? What are the pitfalls that the “losers” should have avoided? At a more operational level, many insurers are noticing an uptick in organized fraudulent behavior. And the fraudster isn’t just a single actor looking to make a quick gain but an organized business using modern online interactive tools. Other industry sectors have dealt with this, and insurers are applying what they’ve learned from them to address this risk.
