
ERM's Wave of Change

Drop in on a conversation between ERM industry leaders and learn how to hang ten in risk management.

If you've been wondering what is going on in the ERM world, you're in luck. A panel discussion, moderated by Gaetano Geretto, shed some light on elusive questions and buoyed some interesting answers. The panelists included: Sim Segal, Grant Hardy, Dave Ingram and Doug Brooks.

Gaetano: Welcome and thank you for agreeing to serve on this panel. Why doesn't everyone give a brief introduction of themselves, tell us your background and why you're interested in participating in this call. Let's start with you, Sim.

Sim: I'm with Deloitte Consulting, where I consult nationally to insurance companies, banks and non-financial services companies primarily on Enterprise Risk Management and value-based management. I led the development of Deloitte's global point of view on insurance Enterprise Risk Management and Deloitte's U.S. point of view on economic capital. Prior to Deloitte, as an officer at MetLife, I assisted the implementation of economic capital. Today, I'm interested in sharing my thoughts on ERM, but more importantly, hearing what my fellow panelists have to say about Enterprise Risk Management–its evolution to date, what they're seeing now and where they think we're headed in the future.

Dave: I'm the director of Enterprise Risk Management in the Financial Services Rating Group at Standard & Poor's, where I've been working to develop an Enterprise Risk Management evaluation process that we'll be adding into insurance company ratings very soon. I've been involved in Enterprise Risk Management, both as a volunteer at the SOA and in my work for most of my career. Starting in 1980, I did a project where we developed a company's risk capital formula and incorporated that into the company's financial management processes. I'm interested in this call because I'll be able to tell people what Standard & Poor's is doing in the risk management area and also to help further the practice of Enterprise Risk Management.

Grant: I am with RBC Financial Group. I'm in the insurance operations of the enterprise and report to the Chief Risk Officer. I have been in our risk management function for the last three years. Prior to that, I had run various businesses for most of my career rather than being in a functional role. Three years ago I was asked to take on this role since the plan was to have insurance more integrated into the Enterprise Risk Management function and that the integration would be smoother having an individual with my background. My interest in the call is to better understand the developments in the insurance industry and share the developments within RBC Financial Group including the challenges, opportunities and struggles of integrating within a banking organization for an insurance business.

Doug: I'm chief risk officer at Sun Life Financial. Formerly, I was with Mutual Life of Canada, which became Clarica and then was acquired by Sun Life a little over three years ago. I was the chief actuary at Clarica, but also was responsible for developing an Enterprise Risk framework at Clarica which never came to fruition because of the acquisition by Sun Life. I moved to Sun Life after the acquisition with the responsibility of developing and implementing an Enterprise Risk framework at Sun Life. I've also been involved with various industry and actuarial committees and groups looking at various aspects of risk management as well. I'm certainly interested in the overall direction of Enterprise Risk, both with respect to the quantitative technical side–where that's going, development of economic capital both from an internal company point of view and from a regulatory rating agency point of view, but also the non-quantitative side or less quantitative side and operational risk and cultural elements, etc.

Gaetano: I'll finish the introductions off with some background on me. Before launching Pelecanus Advisory, I was president and CEO of the Gerling Global Re life reinsurance operations in North America, based in Toronto. It was called Revios Reinsurance after the ownership change involving its German parent. I was involved in taking what should have been a compliance tool from the parent and changing it into an Enterprise Risk Management tool for the four organizations that I oversaw in North America. Building on what Doug said earlier, we looked at the non-quantitative elements and found they were as important as the quantitative elements in terms of cultural issues–cross cultural issues from cross border considerations, but also cultural issues in terms of business culture. Putting Enterprise Risk Management into an organization that at that point had been entrepreneurial and growth oriented was a significant challenge. However, in the implementation, ERM helped the organization become much more profit oriented and it improved the corporate governance processes.

One of the things that I'd like to get out of this conversation is to hear from you all about the strategic element of how Enterprise Risk works in your organizations. Also, how you've been able to look at it in terms of Enterprise Risk from the different stakeholders who are involved in your Enterprise Risk Management processes. With that in mind, let's start off with the first question: What is ERM now and how is this concept different than prior risk management efforts?

Dave: There are two differences that we see between Enterprise Risk Management now and historical risk management efforts. One is the scope and comprehensiveness of Enterprise Risk Management. While many things have always been done in the insurance industry in risk management, with Enterprise Risk Management there's an effort to make sure that risk management ideas are applied across the entire organization. The other piece is the focus on the strategic aspects of risk management–the idea of focusing the strategy of the company on optimizing risk adjusted returns and using the information that comes out of the risk management process, particularly things like economic capital, to drive strategic decision making.

Grant: From my perspective, I think there is a lot more focus on operational risk and reputation risk and their potential impact on organizations than in the past. If you start by looking at some of the issues around Basel, including the plan that some of the largest players in the banking industry are assessing whether a calculated operational risk capital or a factor-based capital is better, then you begin to understand organizations looking for strategic advantage around capital deployment and results. I think there is a lot more focus on trying to determine, "how much are these operational problems costing us?" We have not done a very good job of quantifying these costs. If you look specifically at insurance, particularly related to underwriting issues, the evidence would suggest we are paying some claims that we should not have paid related to breakdowns in our operational processes. Also, I think the growing focus on the reputation risk issue, whether it be by Enron or other issues within the corporate community, and including the Canadian regulator's focus on reputation risk processes is causing organizations to have healthier debates on the potential for this risk.

Sim: I agree with Grant that this is a big change from the past–looking at all the sources including operational risk, which includes strategy, reputation, etc. ERM now encompasses all risks. The upside opportunity is also something very new in ERM. Risk management used to be about saying, "no," a lot, focusing only on downside risk mitigation. But now, ERM includes looking at the upside opportunity, for example, strategy–here's our strategic plan, how could it fail? That's a key change that has energized many CROs, because now they can see how they can help the business units achieve their goals. It's transformed the role of the CRO.

Gaetano: Doug, do you actually see that your role is being transformed, based on what Sim said?

Doug: Definitely. A couple of additional comments in regard to that: I think one of the key aspects, it factors into one of Dave's comments in terms of scope and comprehensiveness, it's also the consistency across the organization of looking at risk from a consistent and comprehensive point of view. Whereas, typically in the past, risk tended to be managed on a somewhat siloed basis. You had experts on a specific risk, but they talked a different language than others. They often tended to focus on the downside and minimizing the downside, rather than trying to optimize the overall result on a risk adjusted basis, which is really the overall goal of risk management. I think that consistent, comprehensive view of risk across the organization is a key aspect of Enterprise Risk Management as opposed to functional risk management. That also allows you to ensure that you're devoting your resources consistently with the risk profile of the organization rather than using a sledgehammer to drive in a thumbtack on one side and missing something on the other side that might represent a larger risk. Those are some of the things that Enterprise Risk Management brings that functional, siloed risk management doesn't.

Sim: Another point about integration–a lot of companies are looking at risks on an integrated correlation-adjusted basis, and you've got the diversification benefits and the opportunity to hold less capital. But, on the other side is the compounding of the risks. Some risks will interact, they'll exacerbate each other. Recognizing that is important. In a study done by Deloitte Research, we found that over 80 percent of "value killers"–events that resulted in the largest 100 losses in shareholder value–were the result of two or more risks interacting. So, this is very important to look at.

Gaetano: That's a good point, Sim, and I'm glad you brought it up because we will be getting into that in more detail through the call. Maybe this is a good point to bring in, certainly among the risk managers who are on the call, with Grant and Doug, but also David looking at it from a rating agency perspective: is that a bigger issue in terms of the decision making? I'll use a concrete example: if you're in that chief risk officer's position, and we talked about Enron before, people would have had exposure to Enron from their equity portfolio, maybe from their bond portfolio, and depending on the business they're in, maybe their business relationship. Does that play a bigger part in your decision when you're looking at how your business unit should be looking at the whole spectrum of risk?

Grant: From our perspective, on our insurance business, we would be working towards better quantification of the risk in insurance and then asking ourselves the question, "if it reaches a certain threshold amount, then we should certainly be raising it up to the enterprise level." It is a recognition that there may be greater correlation opportunities at the top of the enterprise.

Gaetano: Doug, do you see the same thing between the business units at Sun Life of Canada and leading into the overall Sun Life Financial?

Doug: Yes, very much. To give one example, one issue that we've been spending some time on recently is the whole area of catastrophe, whether it be natural or terrorism. We're making sure we understand the company's full potential exposure, rather than looking at it on a business-by-business basis. It's necessary, for example, if we're looking at exposure to an event in the United States, we'd have to look at a mortality exposure, both from our U.S. group operation in particular, but also our reinsurance business which reports to a different part of the organization and also our outside exposure because we may invest in the buildings that we have people insured in. We have mortgages, we may have loans to those companies and we may also have some of them as key business partners for other respects. So, aggregating that exposure across the organization is a key element and something that hadn't existed in the past–to cross the lines of business in both the liability and asset side.

Dave: That is definitely something that is an issue that a number of the large multi-national players are becoming aware of and concentrating on. It's not as big of an issue if you are a much more concentrated company–it's a lot easier to get your hands around what your exposures are. A number of large multi-nationals have told us they have major projects they have recently completed or are in the middle of to enable them to track their exposures across the different operations of their group. Some of them are going as far as trying to understand the exposures they have from multiple sources. For instance, multi-lines that have exposures because they're writing liability coverage. If you have a large liability claim, the bond or the stock of that same company may be threatened. So, recognizing that they have multiple exposures from the same event is a way that companies are going even further.

Gaetano: It seems that it's coming back to an earlier comment that Doug had made–it's not a siloed approach anymore, it's a much broader approach. Although there's a lot of science in it, there's an awful lot of art involved as well, in terms of managing the processes and also anticipating some of the events that might be coming up now or in the future. This leads me to another question: Why is there now a sudden interest in ERM as a practice area?

Sim: There are three main drivers of the sudden interest in ERM: regulation, the public and opportunities for management. With regulation, you have, for example, Sarbanes-Oxley, Solvency II, SEC requirements and New York Stock Exchange requirements. One of the more interesting components of this is that there is now personal liability for members of the Board of Governors–up to 20 percent of their net worth can be tapped. Actually, I think there was a recent court decision, which went against the general trend, where one board member was held even more liable because of his expertise in the area. That was an interesting move. The public, in general, is also a factor–in the wake of the business scandals and the general heightened risk awareness, post 9/11 and Homeland Security. It's interesting in a way, because the Homeland Security issue, post Katrina, what we're seeing now is people looking to Homeland Security for protection from all risks. It's like an Enterprise Risk Management approach, but for society rather than a company–which gets into a whole other discussion of what metrics do you use to prioritize. The third driver is management. Internally, in terms of management opportunities, what's driving this interest is that there are better tools and techniques available now. The calculation run time is one example–some of the models required for ERM now have more feasible run times. Hearing competitors' success stories is another example. I can't stress enough the upside potential here. I see management really getting excited when they see that ERM can actually be used to help achieve enterprise and business unit goals, rather than just downside mitigation. That's a key driver here. CROs can see how this gets them involved in strategy discussions, in governance and in helping the business segments do their jobs.

Grant: I do not see it as a sudden interest in ERM. From RBC Financial Group's perspective, I see it as an evolving process. As you improve your understanding of the issues then you are capable of applying the learning in seemingly unrelated areas to optimize your opportunities.

Gaetano: Does that come from the fact that the banks have traditionally been further ahead on the whole scope of ERM than the insurance companies until most recently?

Grant: Yes, I would say they are further ahead. Although as you go through it you say, "there is still a lot of work to be done, even within the banking structure as it relates to ERM." I think it is very well developed on the credit side and the market risk side. Operational is probably not any better developed. Reputation may be a little further advanced, however, I do not think that it is a dramatic difference. Banks may have an advantage on managing the reputation risk side since there is generally a captive distribution system as opposed to most insurance organizations relying on third party distribution systems. So, you may have less influence over the third party than you do a captive distribution.

Gaetano: This is a good place to bring in Doug in a different way. Doug, Sun Life Financial has the sixth or seventh largest mutual fund company in the United States–do you see with the various business lines that market conduct issues and proactive nature with which the SEC has been investigating apparent abuses is impacting the interest in this topic?

Doug: I would say it certainly has had some effect, in particular on the reputational side, developing a better framework for the management of reputational issues and potential reputational issues. I would say that the interest and resource allocation to Enterprise Risk Management pre-dated those types of issues. But they've put an increased emphasis on the operational side of things and the risks to reputation. So, it certainly had that impact and probably broadened people's thinking about the whole risk management idea and the effort involved. When Sun Life started, the emphasis was very much on the financial side, in particular interest rate equity exposure. But it certainly increased the recognition that issues around market conduct and other reputational issues are also very significant, perhaps as significant as the financial issues. I would say that recognition hadn't fully existed previously. Although it's interesting if you look at the history of failures that have taken place in organizations and financial institutions, almost all of them really stem from operational issues, the manifestation comes out financially, but there's an operational breakdown that takes place at some point that leads to it. So, it's extremely important to focus on the operational aspect.

Gaetano: Can you give an example of operational risk?

Doug: I'm sure different people define it differently, but it really incorporates risks of process breakdowns, people risks–whether it be inadequate experience, fraud, etc., in our definition it includes political, legal and regulatory risk. It's a broad category of risk. In particular, internal processes are important and the strength of those processes.

Gaetano: Dave, you were talking earlier about the interest that S&P among other rating agencies would have, you mentioned that it was almost like a new interest in it, how do you see going forward that you'll be advising your colleagues when it comes to the evaluation of a company from an ERM perspective?

Dave: The way I describe it internally here, is that ERM is both completely new and something that we've been doing forever. What a rating agency does, fundamentally, and always has done is evaluate the risks of a company and evaluate the company's ability to deal with those risks. Which is exactly what ERM's about. So, what we see going on with our use of ERM, is we're using the power of the organizing principle of ERM to make our analysis of companies better, to improve our process. So, what we're telling our analysts is that this is not a whole new field, this is just a way of organizing the way we talk to companies and the way we tell people what we've found.

Gaetano: Let me ask the question that probably any CRO is dying to ask you, since I'm independent I can ask the question: will that enhance or negate from a potential rating that a company would get? In other words, if someone like a Sun Life or an RBC has a very good ERM process, will that actually get them an "up-tick" and if someone has an abysmal ERM process does that get them a "down-tick?"

Dave: We're not expecting, on the average, for this to change our ratings much, if any. We believe we have been looking at risk and risk management for companies already. Companies that have significant weaknesses, we hope we've identified all those already. Though by this process, because of it being more systematic, we may identify more and those may lead to downgrades. We believe, because of the systematic process, we may get more confidence in being able to judge a company's risk management as being superior, which could lead to upgrades. We see it as something that will affect our process and the ratings in that way. There will be a relatively small number of companies at both extremes that might be affected.

Gaetano: So, if I'm understanding you correctly, you're saying that S&P is looking at this as a means to an end and not necessarily as an end unto itself.

Dave: We're looking at this as a way of improving our ratings, if that's what you mean by a means to an end.

Gaetano: So, if I'm understanding you, all of this will help enhance the overall operating efficiency of the company and that in turn will lead to a stronger balance sheet and a stronger income statement and then in turn that will position the organization better when they're being rated by an independent third party.

Dave: No, I think we're seeing this as having a fundamental value of its own within the rating process. We really see the Enterprise Risk Management as a way for us to improve our time-base view of the company. We do look at the company strategy now and say, "does the company have a business model that produces business going into the future?" We look at the financial management structure and say is that something that we think is going to produce profitable business in the future. With Enterprise Risk Management, we're going to be more comfortable saying we think this company has a system in place to be able to avoid unexpected adverse situations over the future. We think that is something that should fundamentally support higher ratings.

Gaetano: I see. I think that approach will be quite interesting. Moving on, we've addressed some of the benefits that ERM offers, obviously avoiding impacts, reputational risks, improving operating risks, having to look at correlation of risks, having a common definition of economic capital in an organization–what other benefits would we see that ERM offers?

Doug: I would say the key to successful risk management in an organization is cultural–in that the culture has to support and there needs to be a culture of people believing that the people making the business decisions are the ones accountable for making the right business decisions on a risk adjusted basis. There needs to be that awareness and culture of thinking about risk as business decisions are being made. One of the roles of Enterprise Risk Management is to stimulate that awareness, provide education around it and then provide the tools for managing the risks that are then identified in business processes. So I see the cultural element as being a particularly important part of the whole process.

Gaetano: Thank you so much for being part of this first discussion on ERM. We look forward to continuing our discussion with you next issue.

The second part of this discussion will be in the February/March issue of The Actuary.