Strategic Risk Management—The Once and Future ERM Objective

By Dave Ingram

Risk Management, December 2023

Almost 20 years ago, when I was helping S&P to create their first rating criteria for insurers’ Enterprise Risk Management programs, we used this picture to illustrate our vision of insurer ERM.

At the top of the ERM structure was Strategic Risk Management. In a 2006 article for this newsletter, I described Strategic Risk Management as …

“Strategic risk management is the process that an insurer uses to incorporate the ideas of risk, risk management and return for risk into the corporate strategic decision-making processes. Risk capital is usually a key concept in these processes. Standard & Poor’s analysis of strategic risk management will start with understanding the risk profile of the insurer and getting management explanation of the reasons for recent past changes in the risk profile as well as expected future changes. Risk profile can be expressed in terms of risk capital for various risks or for each of the businesses of the insurer. Insurers might also be able to express an understanding of the sensitivities of that risk profile to the time view and the loss tolerance of the metric used. Standard & Poor’s looks at the method used for the allocation of any diversification benefit that is incorporated into the risk profile and the impact of the allocation choice on the strategic decisions made using the risk capital.

“Strategic processes that could be affected by risk and risk management thinking include capital budgeting, strategic asset allocation, product risk/reward standards, risk-adjusted financial targets, and performance measurement, dividend practices and incentive compensation. The degree to which risk capital is vital to these processes and to which risk and risk management are a consideration on these process is indicative of the quality of strategic risk management.”[1]

To get an Excellent ERM rating out of S&P then, an insurer needed to show how they were doing some version of Strategic Risk Management. But only about 15% of insurers were ever found to practice Strategic Risk Management.

Flash forward to 2023. We did a poll[2] asking insurer risk management folks to tell us which of a list of different ERM objectives were more important in their companies. The list came from an examination of about 60 Risk Appetite statements that we collected in the late 2010s. 

ERM Objectives	Score[3]
1. Identify risks, measure & monitor risks	76
2. Alignment of risk & strategy	68
3. Keep the company fully diversified—avoid risk concentrations & balance across risks	67
4. Transparency of risk taking and risk mitigation—Reporting	63
5. Consistency of risk taking and mitigation—policing/controlling	55
6. Adaptability/resilience—ready for next crisis or major loss event	52
7. Assure compliance with regulatory & rating agency requirements	52
8. Participate in Strategic Planning and decision-making	49
9. Take a major role in Capital Management	47
10. Get better returns for risks taken	38
11. Assure prices for insurance sold are adequate for risks accepted	37
12. Support growth and innovation	25

This was not the ranking that I had expected going in. But after some reflection, I decided that it should not have been so surprising. Note that items 9, 10 and 11 are most closely aligned with Strategic Risk Management. 

Unspoken so far is the fact that Strategic Risk Management work is the most intensely actuarial part of insurer ERM. It has a very high dependence upon highly sophisticated actuarial models.  At the time when I was first working with S&P on the definition of Strategic Risk Management, many actuaries, if asked, would have said that Strategic Risk Management WAS ERM. 

I would suggest that the priorities for ERM at an insurer are shaped by four main items:

1. The degree to which general management and risk management staff understand the concepts underlying risk management, especially the significance of the ideas of statistical risk and uncertainty that can be applied to risks where a large volume of experience data is available. In addition, knowledge of the tools and techniques that have been developed to apply these concepts to manage the risks of an insurer.
2. The expectations of general management and risk management staff regarding the level of uncertainty in the near future. These expectations are usually formed based upon recent experience and the degree to which previous choices about past business strategies have turned out to be correct. The expectations of how powerful that ERM practices might be in determining future success (or avoidance of failure) is also a major factor. The most extreme version of this factor is when a modeler finds that even when they seem to have a large enough set of data to draw upon to calibrate a model, changes in the environment make that model less predictive than needed. 
3. Input from outside forces such as the S&P ERM rating process and mentioned above. Regulatory expectations fall into this category as well. 
4. Insurer strategy, especially growth expectations.

A major reason why there are so many different approaches to ERM is the high number of combinations of the above four items. Let’s think about how interest in Strategic Risk Management (SRM) might be depressed under each item:

1. Understanding—Many non-technical management teams do not fully understand the concepts or the tools of SRM and to the extent that they do understand them, they often do not like them. A common refrain is that the risk model would take over management decision making at the company. In the few cases where that has been permitted to happen, the model led the company into taking too much of whatever risk that it underestimated.[4].
2. Uncertainty—Right now, expectations are highly uncertain. COVID threw a monkey wrench into everyone’s plans and many are waiting for things to settle out again. But wars in Ukraine and now Israel are keeping the uncertainty level high for almost everyone. With high uncertainty, even if the uncertainty is more perceived than real, few want to rely upon modeled projections any more than they have to, especially about the usually somewhat uncertain extreme loss events that are the usual focus of risk models. 
3. Outside Forces—have all moved away from or never got behind SRM. S&P has de-emphasized their ERM evaluations and other rating agencies and regulators never got behind the concept of SRM. Meanwhile, regulatory pressure for risk management has increased, making ERM into a compliance exercise.
4. Insurer Strategy—Insurers with high growth expectations are often not interested in high amounts of technical analysis and SRM fits into that bucket. In the several decades of the Great Moderation, highly analytical approaches were developed and were seen to be an effective support for insurer strategy development.[5] Insurers with high growth expectations are looking to maximize profits, while SRM seeks to optimize return for risks taken, which is likely to be a very different approach. 

With those ideas in mind, let’s look at the 12 ERM Objectives. 

12. Support growth and innovation—This is the ERM Objective that was often mentioned by CROs in the years right before the Global Financial Crisis. Growth was the top company objective so for a risk manager to be relevant, they had to support growth.

11. Assure prices for insurance sold are adequate for risks accepted—This is another ERM objective that ought to be important in a (rational) high growth phase. But sometimes, high growth phases are not entirely rational.  

10. Get better returns for risks taken—This is the central objective of SRM. Risk management often works on this by helping to find ways to reduce risk without significantly reducing returns.

9. Take a major role in Capital Management—That role could be as the point person in a capital budgeting process, where final decisions are often based upon ranking return on capital. Capital allocations provided by the risk management team are the key to this. Determining the quantitative impact of diversification is the most challenging aspect of this role, both in execution and explanation.

8. Participate in Strategic Planning and decision-making—Not only is the CRO in the room where it happens, they are expected to be a part of the discussion as well as having a key role for follow up to the planning discussions in situations where business units are told to modify plans in a way that will be validated by risk management. 

7. Assure compliance with regulatory and rating agency requirements—This is the objective that we have heard the most often over the years. Requirements of rating agencies and regulators are significant and provide plenty of work to support. However, many experienced CROs have admitted that risk management information created to satisfy an outside voice will rarely be used by management to drive important decisions.

6. Adaptability/resilience—preparing for the next crisis or major loss event—This objective is new for many, initiated following the COVID-19 pandemic. That event showed us all how something unexpected can seem to come out of nowhere and turn everything on its head. With 20-20 hindsight, having more adaptability and resilience would have resulted in a real leg up on competitors who started out on their heels.

5. Consistency of risk taking and mitigation—policing/controlling—This is an important role that risk managers do not usually like doing since it often makes them unpopular with the business management folks. The Three Lines of Defense model for ERM relegates this to the auditors. But whether risk managers like it or not, this is something that is a high priority activity in many insurers. If this important role is passed to auditors, that is likely to end up making the risk management function less important in the eyes of top management.

4. Transparency of risk taking and risk mitigation—Reporting—This is another fundamental risk management activity that supports the idea of the Risk Control Cycle. Reporting on risk taking and mitigation would include a comparison of actual activity to a risk management plan. The risk management plan will clearly state intentions regarding risk taking and mitigations consistent with the business plan and the risk reporting can track actual activity compared to that plan. Risk limits provide a systematic approach to identifying situations where the risk manager needs to draw attention to risk taking that is approaching or has gone significantly beyond plan.

3. Keep the company fully diversified—avoid risk concentrations and balance across risks—While diversification is the cornerstone of the insurance business, it becomes a strategic imperative during chaotic times when the future seems less predictable. Insurers today, by rating this objective so high, seem to be more concerned with surviving their risks and less with exploiting them. Interest in this objective could wane once the environment starts to seem more stable.

2. Alignment of risk and strategy—At least half of insurers will say that they want this alignment explicitly in their Risk Appetite statement. With an ERM program that produces a reliable and consistent measure of risk, an insurer can create a risk profile that then allows company planners to see whether corporate priorities are aligned with the risk profile and whether growth of risk is supporting the highest priorities or if risk growth is supporting high-risk, low-priority, endeavors.

1. Identify risks, measure and monitor risks—Everything needs to start somewhere and this trio of risk management practices is, in many ways, the very lightest touch way to start an ERM program. These three practices can be added almost totally without any impact on the existing operations of the insurer. It is, however, not going to have much impact on the risk taking of the firm, so it is not a failure of ERM if a company with this as its primary ERM objective still experiences unexpected outsized losses. If you are choosing this as your priority reason/objective/other? for a new ERM program, you need to keep looking at the items above to see if there is anything that might have a more substantial impact that you can imagine adding to your list of ERM priorities.

My advice is to keep alert. While the current situation with high levels of uncertainty may not be favorable, things will change and probably without warning.[6] The change in objectives will probably not be fully articulated until sometime after when it is first needed. The Risk Management program needs to be ready for a coming time when these priorities need to shift and activities will need to follow that shift quickly.

Strategic Risk Management will have its day again. 

Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries, the newsletter editors, or the respective authors’ employers.

---

David N. Ingram, CERA, FRM, PRM, FSA, MAAA, is senior ERM advisor, Actuarial Risk Management. Dave is a researcher, writer and part-time consultant on risk and risk management. He is a frequent writer and speaker on ERM at actuarial and other insurance industry programs. Dave is also an elected member of the SOA Board of Directors. Dave can be contacted at dingram@actrisk.com.

Endnotes

[1] Standard & Poor’s Enterprise Risk Management Evaluation of Insurers. Risk Management, March 2006 https://www.soa.org/globalassets/assets/library/newsletters/risk-management-newsletter/2006/march/rmn0603.pdf

[2] Why Insurers Do ERM, Strategies & Risk Solutions for Executives, 3Q2303 Issue 7. https://www.actrisk.com/wp-content/uploads/2023/08/ARM-SRSE-Issue7.pdf

[3] The survey presents two of the 13 ERM Objectives at a time and asks the respondent which was more important. The score is determined from the percentage of times that each individual objective is chosen as the most important.  This survey question was answered over 1200 times by 70 respondents. 

[4] Risk and Light, Risk Management. March 2010 https://www.soa.org/493555/globalassets/assets/library/newsletters/risk-management-newsletter/2010/march/jrm-2010-iss18-ingram.pdf

[5] The Fabric of ERM, The Actuary. December 2010. https://www.soa.org/493564/globalassets/assets/library/newsletters/risk-management-newsletter/2011/march/jrm-2011-iss21-ingram.pdf

[6] Changing Seasons of Risk Attitudes, The Actuary. February 2011 https://www.soa.org/globalassets/assets/library/newsletters/the-actuary-magazine/2011/february/act-2011-vol8-iss1-ingram.pdf