The Evolution of Risk Management: Taking the Next Step Toward Becoming the Coveted Business Partner
By Nick Silitch and Chad Runchey
Risk Management, June 2021
Insurance and banking business models have continued to grow in complexity over the past 50 years—from simple and local risk exposures to the current environment of complex and global exposures. Risk management has evolved along with the business model changes, from individual, transaction-based decisions based on a combination of judgment and underwriting criteria to looking at aggregated portfolios of risk enabled by more robust analytical tools. While the tools and techniques available to risk professionals have continued to evolve, the interaction model between risk and the business has largely remained the same—an “us versus them” dynamic. Risk was present to say “yes or no” to business leaders based largely on their own perspective, often leading to escalation with business leaders and revenue generators having a distinct advantage. Post financial crisis, regulators forced the increased relevance of risk organizations and demanded a seat at the table without changing the dialogue—which converted many groups into compliance officials with a regulatory agenda.
The challenge for today’s risk organization is clear—how to have an impactful seat at the table without turning into a “check the box” regulatory exercise. This is where the next step in the evolution of risk management starts—to reframe the debate and the role of risk within an organization from being a control and compliance function to being a valued business partner. The goal is to move from “us versus them” to just “us”—the entire organization driving toward common enterprise objectives. If structured right, the risk management organization can be involved in the pursuit of business objectives and the optimization of outcomes across all relevant constraints and lenses.
How? First, there must be buy-in from the most senior levels of the organization and the board on the importance and necessity of an independent view of the risk profile. This includes both a broad enterprise view and, more narrowly, the risks within each product. Senior leaders must recognize the value provided by an effective risk function and understand that if executed properly, the value will exceed the cost of the added infrastructure.
Second, a risk organization must be staffed with talent commensurate with the highest standards for technical competence across the company. This is important to building credibility with the business and will help to ensure that opinions and views are respected and seen as adding value.
Third, but likely most important, transparency must be the central tenet of a risk management organization—one that cuts across all aspects of decision making. Transparency starts with the engagement of the entire organization at the beginning of the development process for models and metrics used in forming and managing the technical risk profiles. Regardless of who owns the models, their development must be open and transparent to all key constituents.
Once those three steps are completed, the role of risk, and the professional knowledge embedded within, make it a valuable participant in the collaborative process and a critical partner in moving between constraints and stakeholders.
Key to achieving this is an effective risk appetite framework that considers the balance of risks and resources across the firm and the perspectives of all relevant internal and external stakeholders. While risk will serve as the scorekeeper, the entire organization must own the risk appetite framework as a corporate asset that ensures that the company remains within the desired risk profile while it pursues optimized financial outcomes.
How does this happen? First, consider establishing broad expressions of risk appetite that account for the desired balance between risks and resources across all relevant economic, regulatory and accounting frameworks. The expressions should take into account that the balance might change when subjected to a variety of stresses over various time frames. Factors at play are the evolution of assets and liabilities through time, with varying severities. Examples of such expressions are:
- The organization wishes to preserve its ability to participate in markets in a moderate stress environment.
- The organization seeks to remain solvent in a severe economic downturn.
- Under normal market deviations, the organization seeks to limit earnings volatility.
Getting buy-in for this level of expression is usually relatively easy as most organizations have already established these, perhaps unconsciously, as they communicate with external stakeholders such as rating agencies, shareholders, customers, and regulators. Defining the discrete metrics underlying the expressions is more difficult and should take into account the perspectives of representatives from across the organization—from sales and distribution to finance and treasury. For example, what rating does the business need in order to continue to participate in markets? What underlying metrics will drive the rating of the company in terms of capital adequacy or liquidity ratio?
The next step is to agree on what level of stress is articulated in the expression—cyclical and severe in the example above. Again, collaboration, transparency and inclusion of all stakeholder views must be part of the development of these scenarios, as they will define and constrain risk profiles and business activities. They must be designed so that they probe sensitivities of assets and liabilities across all relevant risks, yet do so in a way that aligns with external and internal views of a reasonable definition.
Once the metrics and definitions of stress have been determined, the measurement can begin. The manifestation of risks can be complicated by the financial reporting rules, and it is important to have reliable processes with transparency into potential limitations and simplifications. For an organization to embrace the risk appetite framework and use it to inform difficult business decisions, there must be credibility of, and confidence in, the models, scenarios, assumptions, and output.
The final piece of the puzzle is the translation of the desired risk profile of the organization into meaningful limits on key risk-taking activities. This is where the broad macro and strategic expressions become operational. The objective is to align limits such that there is a comfortable likelihood that the actual outcomes in stress scenarios will be in line with expected outcomes. This doesn’t mean that all limits need to academically tie to the expressions. However, they should be set such that the business-as-usual risk-taking activities won’t materially change the shape or dimension of the risk profile.
Once the risk appetite framework is in place, it can be incorporated into business and capital planning—however, with a twist on the traditional risk and business dynamic. No longer will there be an “us versus them” discussion, with risk having the ability to say yes or no at its discretion. Rather, risk will now provide transparency into the impact of business decisions on the commonly agreed upon limits and constraints facilitating an open dialogue. It is no longer risk’s role to make the “yes or no” decision, but rather the organization’s with risk providing full transparency into the impact on the commonly agreed upon expressions. The framework provides a basis for evaluating the levers available to any organization—changing the risk profile, changing risk capacity, or changing risk appetite statement. The common evaluation of when and where to pull these levers will be grounded in the risk appetite framework and transparent to all parties.
In closing, the business of risk management has changed dramatically from the days of transaction-based analysis and judgment-based decisions. Today, virtually all financial institutions have access to the necessary models and analytic frameworks to consider the broad implications of stress on their operations. And, while this expanded toolkit does provide the foundation for risk’s role in the desired business partner relationship, in many cases it is merely another reference point to continue the “yes versus no,” “us versus them” divide.
To move beyond that, an organization must establish buy-in from the most senior levels, acquire top talent and enable transparency. The challenge of clearly articulating common goals and objectives for the enterprise through a functional risk appetite framework continues to confront us all to varying degrees.
The view and opinions expressed in this article are those of the authors, Nick Silitch and Chad Runchey, and do not necessarily reflect the official views of their employers—Prudential Financial Incorporated or Ernst & Young LLP—the Society of Actuaries, or the newsletter editors.
Nick Silitch is senior vice president, chief risk officer for Prudential Financial Incorporated. He can be contacted at firstname.lastname@example.org.
Chad Runchey, FSA, MAAA, is a principal for Ernst & Young LLP. He can be contacted at email@example.com.