The value of enterprise risk management (ERM) in the insurance industry was given a decisive demonstration in the financial crisis. McKinsey research showed that the better their ERM systems, the better insurers performed financially in 2008 and 2009.1 In the aftermath, much industry attention focused on creating or improving ERM systems, and the focus has been sustained under pressure from regulators, rating agencies, and investors. The starting point for the industry’s ERM efforts has been, perhaps naturally, a reactive stance, with systems designed to respond to incidents and ensure compliance with existing and forthcoming regulations. Yet a few insurers have been able to develop ERM frameworks that support strategic decisions and create real business value. Over time, they have reduced the volatility of their returns and improved capital performance—results of having enabled a more penetrating view of proposed risk taking across the enterprise and embedding the ERM function as an active partner in business decision making.
What are the elements of an effective ERM framework? How can insurers move from playing defense to using ERM systematically to advance business objectives? In a recent survey we conducted, leaders of a range of insurance companies revealed that they were thinking about such questions in a focused way.2 While expressing confidence in the strength of their companies’ risk capabilities, respondents identified key areas for improvement in risk transparency and insight (Exhibit 1). Smaller companies also indicated gaps in risk culture and performance transformation. Most of the surveyed chief financial and risk officers indicated that they are enhancing ERM amid a perceived climate of heightened risk—one defined by a more uncertain macroeconomic environment, persisting low interest rates, financial-market volatility, and rising geopolitical instability.
Attaining ERM excellence: A journey to value creation
In thinking about the experience of leading institutions with enterprise risk management, McKinsey developed a framework to help capture best practices (see sidebar, “Where do you stand? The ERM framework”). The framework integrates the elements of risk management in a reinforcing cycle that supports the business strategy (Exhibit 2).
A best-practice risk function fosters a highly integrated, enterprise-wide risk culture across the organization, managing the risk profile to serve the business strategy. The path to ERM excellence involves a transformative journey, and most insurers are at its beginning stages (Exhibit 3). For the majority of companies, the risk focus is on compliance, a necessary starting point. They monitor risk, gauge risk levels against new regulations, and react appropriately to risk incidents. The ERM function at this stage is mainly backward looking, developing controls and aligning existing risks with current and forthcoming regulation. The risk function first establishes and then operates within risk-review guidelines and may have (and at times may exercise) formal veto power over business decisions.
Systematic ERM really only begins after compliance-focused capabilities have been adequately developed, including the setting of risk limits and policies and the adoption of accounting and statutory metrics. Most insurers are at this stage of development. They use their own risk and solvency assessment (ORSA), in line with US and EU regulations. This provides insurers with an internal process for assessing the effectiveness of risk-management capabilities and solvency under normal and stressed conditions. ORSA helps insurers evaluate all material risks that could affect their ability to meet policy-holder obligations, including market risks, credit and underwriting risks, liquidity risks, and operational risks.
At this stage, the ERM approach pushes the risk-management function to incorporate loss control and risk-return optimization into its role. In ongoing dialogue with other functions (such as finance) and the business, risk managers proactively identify potential issues and, where helpful, challenge common practices. The function develops an understanding of corporate strategy and the ability to model economic capital (risk capital) and conduct stress testing. The function then converts the models into strategic input for top management.
In the ultimate stage of the journey, the risk function creates value by integrating ERM with corporate strategy. The function becomes a sought-after thought partner, enabling business management to weigh risk-return implications and potential risk trade-offs in strategic and operational decisions. To become a strategic thought partner, the ERM function must be able to create the comprehensive economic-capital models needed to drive business decisions and to link advanced risk analytics to key business processes.
Improving ERM: Where insurers say they are focusing
As Exhibit 1 displayed, our survey respondents mostly cited capabilities within risk transparency and insight as the objects of their planned ERM-improvement efforts.
Risk transparency and insight
Within this ERM area, respondents noted their intentions to improve stress testing, risk reporting, and—especially—data and analytics. One-quarter of respondents cited data governance and quality and another quarter cited automation and speed of data gathering as their initial improvement priorities. In the survey and follow-up discussions, respondents shared their perceptions that the industry needs generally to invest more in analytics, recognizing the transformative power of big data. Fast, automated access to accurate data is only a prerequisite for the strategic use of advanced analytics. The broad challenge is to generate value from the data. Advanced analytics enables better decision making in pursuit of strategic objectives and increased performance transparency to improve bottom-line financial results.
Most respondents indicated that they perform stress testing and consider results in decision making, but about half revealed that not all risks are taken into account in the process. In interviews and follow-up discussions, survey participants expressed their intention to improve stress testing by properly accounting for all risks in their stress tests and by deriving more useful insights from the results. Nearly half of respondents revealed that their risk-reporting process was only partly structured and had no predefined escalation mechanisms in place.
When asked about the level of accountability for risk-related matters in their organization, 38 percent of respondents declared that risks in daily business are not always considered with the support of both qualitative judgment and quantitative tools. This implies that a plurality of the industry is not achieving available levels of risk transparency that could improve business decisions.
With respect to frontline functions, participants indicated that risk is most engrained in people’s minds in the following areas: investment management (the first choice for 56 percent of participants) and corporate and commercial nonlife (22 percent). Room to improve frontline risk culture seems to exist in retail life and nonlife businesses.
Discussions and interviews with insurance leaders highlighted that some players are making significant investments in risk-culture programs, in particular launching dedicated actions to increase risk culture in retail businesses where third parties (that is, brokers and independent financial advisers) are often the main distribution channel.
Approaching ERM transformation
ERM transformations can be focused on selected priority areas or the overall ERM program. Experience has shown that successful transformations have key traits in common. Direct board and top-management sponsorship and participation is the first requirement. Second, a chief risk officer (CRO) should be elevated from the usual technical-advisory status to play a true leading role. As leader, the CRO should drive the initiatives and set the direction of the effort. In planning the transformation, the CRO-led team must take an integrated perspective, above all ensuring consistency across all core ERM elements. This is even more important than achieving excellence in any one area. The CRO should communicate the core messages of the transformation and ensure that they are cascaded to all levels of the organization. The CRO-led effort must also influence risk management throughout the organization, using such leverage as material incentives and role modeling optimal behavior.
A targeted intervention
In a targeted ERM intervention, particular elements—such as risk-appetite definitions, stress testing, or reporting, for example—are addressed as priority challenges. Such interventions are efficient when the overall ERM framework has been thoroughly evaluated and determined to be robust. They can also be helpful in addressing particular external constraints, such as regulatory findings or new rules (and rulings). Success depends on a well-defined starting point and clearly articulated set of priorities.
The targeted transformation begins with a diagnostic evaluation of the ERM framework. This will scan each segment and identify and prioritize improvement initiatives. The development of advanced capabilities can be an ideal choice for a targeted intervention. Machine learning, for example, allows companies truer visibility into their customers’ risk profiles. It improves existing models and helps companies avoid unseen risks while potentially allowing them to underwrite completely new risks. The future profitability of the sector depends on such differentiating insights from new sources and types of data. To obtain these insights, leading companies are investing in innovative capabilities such as advanced analytics and machine learning.
An overall ERM transformation
An overall transformation program will cut across all or most of the ERM framework’s segments and their constituent elements, and it could take up to two years to complete. Insurers undertake such transformations when a diagnostic evaluation reveals that the ERM framework requires general improvement; when the company is undergoing a strategic change of course, such as a modified risk appetite or a significant change in the business mix; or when the improvement areas indicated in the diagnostic require interventions that cut across the entire organization or involve cross-functional elements in the framework.
An overall ERM transformation is shaped in three steps. First, an independent diagnosis of the current ERM status is undertaken, based on best-practice knowledge and insights, with peer-performance benchmarking. The results are discussed with top management and the board, in order to define the target ERM state and prioritize the needed array of initiatives. Finally, an integrated action program is built, with clearly defined milestones and deadlines, incorporating early experiences and making needed improvements and adjustments as the transformation progresses.
Exhibit 4 presents a brief outline of the results of an actual diagnostic evaluation of a large insurer’s ERM framework and proposed transformation program.
The evaluation is the beginning of the journey to build a new ERM foundation and to formalize risk strategy and processes. In each part of the framework, actions are identified and implemented to focus the transformation effort on a defined target ERM state. Actions are rolled out strategically, according to prioritized needs. In the example diagnostic, priority actions for transparency and insight would include a review of reporting and stress testing and the development and implementation of new governance and models. The approach to stress testing would be shaped by the insurer’s specific situation and needs. It would involve deep analysis on a consistent set of scenarios, a comprehensive assessment of implications, identification of tailored strategic actions and mitigating decisions, and deep dives on specific risk exposures (Exhibit 5).
As the transformation proceeds within each area of the ERM framework, and as gaps with the target end state are closed and connections across the risk function are strengthened, priorities can be reassessed and realigned in light of new insights and accomplishments.
With a broad consensus among insurers that the environment has become riskier and the regulatory atmosphere more complex, greater and more systematic attention is being afforded to the state of enterprise risk management. As improvement areas in the ERM framework are identified, leading insurers are taking this opportunity to move beyond plugging the gaps. Commanding new capabilities and techniques, they are defining a target state for ERM and cultivating an organization-wide risk culture that could become sources of real competitive value.