An Analysis of Risk Management Terminology
Your guide to speaking ERM with different industries.
By Shinichi Kamiya, Peng Shi, Joan Schmit and Marjorie Rosenberg
As all of us associated with the insurance industry are aware, a major push to manage risk within an integrated framework is underway. The commonly used term for this integrated approach is "Enterprise Risk Management" (ERM). The concept is attractive, with the primary emphasis placed on coordination and cooperation in managing risk across an organization's numerous departments and functions. The reality is somewhat more mixed, as the process is time consuming and difficult.
One important challenge faced by those working towards implementation of ERM is a lack of consistency across departments, organizations and industries in risk terms, measures and models. We therefore undertook this study to improve communication by identifying similarities and differences in risk terminology according to job function and industry.
To do so, we conducted a survey of risk professionals regarding their understanding of important risk terms. The results offer insight into relevant similarities and differences in how individuals perceive risk. We supplemented the survey results with an analysis of firm-level information on significant risks as reported in 10-K financial statements.
Our hypothesis was that risk management terminology would differ within and across organizations, depending on the initial impetus for implementing ERM. We specifically considered variations between the insurance-purchasing and financial risk management areas. There are also accounting influences from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), as well as engineering and health and safety functions, which are actively involved in managing risks.
In addition to the insurance industry, we selected four non-insurance industries as participants in our study, chosen to represent considerable diversity in underlying exposures and hazards. The industries included were pharmaceuticals, hospitals, energy and information technology (IT), all known to be actively involved in ERM. The insurance industry was included as a benchmark for comparison. The energy industry, for example, has held ERM-related conferences all over the world. Similarly, the IT industry has been active in ERM both from an information security perspective and as an ERM service provider.
Our sample was obtained through three sources. Our initial target group was the largest 20 companies in each industry. Excepting the several firms for which we could not identify an appropriate contact, the survey was distributed through e-mail to 111 target respondents in this group. Specific respondents were identified through the Risk and Insurance Management Society (RIMS). Our second source of respondents was the membership of the SOA and CAS: blast e-mails were sent to about 3,000 members of the joint CAS/SOA risk management section. Third, members of our Project Oversight Group (POG) generously provided assistance, distributing over 15 surveys to their own contacts.
This article is a very brief snapshot of results from our survey. The process of gathering the data for our survey was as follows:
- An invitation to our survey was sent through e-mail with a link to our online survey system. For RIMS members, we followed up responses with telephone interviews to complete the survey. Time did not permit such follow-up for the CAS/SOA members.
- We asked respondents about 11 specific risk terms. Respondents could select from this list which risk terms they wished to define.
- Respondents were asked to offer definitions of those risks relevant to their organizations.
- We requested definitions and measures of these risk terms as the respondents would personally use them, rather than the official definitions in their organizations.
From our initial target group of 111, we obtained a total of 33 usable responses. An additional 65 usable responses were received from CAS/SOA members. In total, we received 98 usable responses, with no more than half of those providing a definition for any single term.
Table 1 summarizes the responses we obtained from the survey. The table is divided into insurance and non-insurance totals, and RIMS members versus actuaries. We analyzed survey responses across industries and professions. The table shows the number of responses received for each of the 11 risk terms.
Credit risk and operational risk both received large numbers of responses, 41 and 40 respectively. Risk appetite, in contrast, was defined by only 14 individuals. While the full paper reported results for all 11 risk terms, here we present just four key risk terms to highlight our research process and give some general results.
Our analysis followed the process shown in the diagram in Figure 1 on page 35. We prepared two sets of data. One set was our survey responses, which represented definitions actually used in practice. The other set consisted of reference definitions (or standards) specified by organizations representing an industry, such as the Society of Actuaries (SOA), the Casualty Actuarial Society (CAS), the Committee of Sponsoring Organizations (COSO), the Basel Committee (Basel), and the Committee of Chief Risk Officers (CCRO).[1]
Since our primary interest was to observe differences and commonalities among definitions, we conducted three types of analysis:
- We compared reference definitions one to another.
- We scrutinized individual responses to our survey to identify obvious patterns. Next, we categorized responses by these patterns. We then compared the responses across industries and professions.
- Following these two analyses, we then compared individual risk definitions with standard definitions.[2]
We discuss four risk terms in what follows.
The reference definitions we obtained for credit risk were from SOA, Basel and CCRO. Credit risk was defined as:
SOA (2006): The economic loss suffered due to the default of a borrower or counterparty.[3]
Basel (2006): The risk that the counterparty to a transaction could default before the final settlement of the transaction's cash flows.[4]
CCRO (2002): Potential adverse occurrence of counterparty's ability to pay its obligations.[5]
These three standard definitions all focused on credit risk caused by a counterparty's default, an external point of view, and were consistent with one another. Credit risk (and, as we will see later, operational risk) had more similar definitions across standard sources than most other terms. See Table 2 below for some representative responses.
Our greatest surprise was to observe that some respondents looked internally rather than externally. In addition, some respondents specifically mentioned rating downgrades rather than default. While the general concept was the same as in the reference definitions, including rating downgrades allows for losses caused by less extreme events than default.
While the responses overwhelmingly took a view consistent with the standard definitions, i.e., an external (counterparty) perspective, nearly half of the non-insurance responses looked internally, while only one of 31 insurance respondents took an internal view. Insurers often referenced reinsurance performance as a key element of credit risk.
Hazard risk was commonly used to refer to the same concept as pure risk in traditional risk management, also known as insurable risk. The reference definition from the SOA (2006) stated: "Risk from property damage, theft, business interruption, liability claims, etc." The SOA definition was open-ended, allowing other types of risk factors to be included.
The definitions provided by our respondents offered a variety of causes of loss under the umbrella of hazard risk. These are summarized in the table below.
The internal view involved an organization's own activities (e.g., production, manufacturing, services, operations) that resulted in harm. The external view saw hazard risk as involving factors outside the control of the organization, such as a natural disaster.
One notable pattern we detected was the small number of responses from actuaries (only six). Other risk terms typically drew about three times as many responses from this group. The actuaries' definitions also focused more on natural and large-scale catastrophic events than on those due to internal action. This view likely relates to the role of the insurer as a risk taker. It could also relate to the actuarial profession's focus on pricing risk rather than managing it.
We found three reference definitions for market risk:
SOA (2006): The exposure to potential loss that would result from changes in market prices or rates.
Basel (2006): The risk of losses in on- and off-balance-sheet positions arising from movements in market prices.
CCRO (2002): Potential fluctuations in prices, volumes exchanged, and market rules that may affect a company's buying and selling activities. Usually, this is composed of: price risk, credit risk, performance risk, volumetric risk.
All three definitions identified market price movement as the primary cause of loss. One of the most important differences between the SOA/Basel definitions and the CCRO definition was the implied market. The SOA definition referred to the insurance market, the CCRO definition to the energy-related commodity market, and the Basel definition to the banking industry.
We identified three types of characterization of market risk in the survey. The first type identified market price/rate movement as the key risk factor, typically focusing on financial markets. The second type identified the competitive (i.e., own industry) market as the risk factor; in this definition, loss of market share due to intense competition was considered market risk. The third type described the effect of, or on, a firm's marketing strategy: for example, an inappropriate marketing strategy may cause the organization to fail to attain its performance objectives. This third category was not found in standard definitions and represents an internal view. See Table 4 below.
The dominant response to our survey on market risk focused on financial markets, which we found interesting given that the standard definitions considered industry markets. Other survey terms, such as financial risk and price risk, might seem better places to define financial market risks. Furthermore, while the vast majority of responses were external, the only internal responses came from the non-insurance industries, with more than one-third of their responses looking internally.[6]
Three standard definitions were available for operational risk, and all were very similar.
SOA (2006): The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
Basel (2006): The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
CCRO (2002): The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. (Operations risks are the risks associated with physical asset or delivery of energy commodities.)
Among these definitions, four factors were identified: internal processes, people, systems and external events. The Basel definition explicitly excluded strategic and reputational risk from operational risk.
A common characteristic was that all responses, like the standard definitions, looked at internal risk factors. The actual definitions provided by our respondents varied, but three consistent patterns were observed: failure to provide the expected service/product, failure in internal processes, and human error. The last two closely followed the standard definitions, while the first was not included in the standard definitions.
Operational risk appeared to be well defined in all areas of risk management, with highly consistent standard definitions and a great deal of commonality among our survey respondents. As with the terms already discussed, our surprise came from deviations from the standard definition. Five respondents defined operational risk solely as the failure to provide expected services or products, which relates to external effects even though the cause might be internal (the cause was not always given). Six others offered this view as part of their definition. See the table below.
In addition to the personal interpretations of risk provided by our survey of risk management professionals and practitioners, we were also interested in broad organizational perspectives. A corporation's Form 10-K is the annual report filed with the SEC, required of all U.S.-domiciled publicly traded companies. These companies must disclose their primary risk factors and any material changes from those previously reported. We reviewed the 10-K reports of the 10 largest companies in each of the non-insurance industries and extracted the list of important risks from each. From these lists, we observed similarities and differences across the industries and against our survey results.
For each firm, we counted the number of risks and the categories of risks listed, and then combined these for all firms within each of the four non-insurance industries. The IT industry listed far more risks and categories than the other three industries: pharmaceuticals listed 75 risks in 15 categories, hospitals 71 risks in 14 categories, and energy 67 risks in 13 categories, whereas the IT industry listed more than 125 risks in more than 21 categories.
From the primary risk factors of these four non-insurance industries, market price/competition and legal/regulatory risks were always near the top. Frequently cited risk factors tended to take an external perspective, with some exceptions such as investment in research and development. In addition, the order of these risk factors differed across the lists. For instance, skilled labor force was at the top of the list for hospitals and in the middle of the list for IT, but was mentioned only once for energy and three times for pharmaceuticals.
Figures 2, 3, 4 and 5 show the frequency of the main risk factors in each industry. For the energy industry, market price and legislation risks are at the top. Legal and market competition risks have the highest frequency for the IT industry. Price and regulation risks are among the top risks in pharmaceuticals. Competition, human resources (an internal factor) and regulation are at the top of the list for hospitals.
The impetus for the research reported here was to observe similarities and differences in risk terminology, with the ultimate purpose of improving communication across and within organizations. We approached this objective by conducting a survey of risk management professionals from six industries: pharmaceuticals, hospitals, information technology, energy, life and health insurance, and property and liability insurance. Survey responses were supplemented with a review of the risk factors listed as significant in the 10-K reports of our non-insurance industry sample.
Survey responses clearly demonstrated substantial differences in risk definitions. Not only did our respondents differ significantly among themselves, but they also differed from the standard definitions provided by trade groups, regulators and other general sources. While the group showed significant variability, we feel confident in highlighting one particular theme: the dichotomy between internal and external perspectives. Insurance industry respondents, mostly from the CAS/SOA risk management section, typically took external perspectives. Respondents from the other four industries, typically members of the Risk and Insurance Management Society (RIMS), more often took internal perspectives.
At least two explanations appear plausible to us. One is that the CAS/SOA group is comprised primarily of individuals with financial risk management responsibilities, while the RIMS group focuses on traditional, insurable risks. A second explanation is the very nature of the insurance business, which depends heavily on estimates of external outcomes. Actuaries must anticipate and estimate changes in interest rates, loss conditions and expense loadings, most of which are not controllable by the insurer. Members of our non-insurance industries, however, undertake operations over whose outcomes they have considerable control.
Following our presentation of these results at the 2007 Bowles Symposium, Mr. David Cummings, director of Enterprise Risk Management with State Farm Insurance Companies, discussed our paper and offered many excellent observations. Among them was the suggestion that the risk management terminology survey be repeated, at least once in another two to four years and potentially every two to four years, with a survey and method identical to those reported here, so as to identify any emerging or diverging consensus within and across industries.
We thank the Society of Actuaries and Casualty Actuarial Society for financial support and for assistance in obtaining survey responses, our Project Oversight Group (POG) members for excellent suggestions and support throughout the project, all the survey respondents, and the Bowles Symposium sponsors and discussants. Without their help and participation, we could not have done this pioneering work.
Margie Rosenberg is Associate Professor, University of Wisconsin School of Business. She can be contacted at firstname.lastname@example.org
This article is a summary of work completed in response to a Request for Proposals from the Joint Casualty Actuarial Society (CAS)/Society of Actuaries (SOA) Risk Management Research Team to identify similarities and differences in risk management terminology as used within the insurance industry and across several other major industries. The results have been published in a report available at SOA.org/research. A portion of those results was presented at the 2007 Bowles Symposium.
1. After completing our work we learned of another excellent source from the Comité Européen des Assurances (CEA) and Groupe Consultatif Actuariel Européen, titled CEA-Groupe Consultatif Solvency II Glossary.
2. It was only in this third analysis that we observed the internal/external dichotomy. Upon further investigation, variations from the standard definitions followed the internal/external dichotomy across industries, with insurance following external perspectives and non-insurance following internal perspectives.
3. SOA (2006): Enterprise Risk Management Specialty Guide, May 2006.
4. Basel (2006): International Convergence of Capital Measurement and Capital Standards: A Revised Framework, June 2006.
5. CCRO (2002): Committee of Chief Risk Officers, Volume 6 of 6, Glossary, Nov. 2002.
6. For all of the terms, the number of non-insurance responses was typically much lower than for the insurance industry, and small enough that our confidence in reporting patterns was somewhat limited.