What is Enterprise Risk Management in Insurance Companies?

Many companies are unprepared for risk. A 2019 study found that only 31% of companies had an Enterprise Risk Management (ERM) system in place.

In the study’s insurance, finance, and real estate industry group, only 29% of respondents said that they had a “mature” or “robust” risk management process in place. On the other hand, when compared to other industry groups in the study, these companies are the most likely to have designated a Chief Risk Officer (CRO) or equivalent senior officer.

A company can have the right leadership and a mature enterprise risk management process in place—but this doesn’t fully protect them if their vendors aren’t as proactive as they are. In the insurance industry, technology vendors have been relatively progressive in offering solutions that better identify and stratify risk. Even when an insurance company commits to adopting innovative risk management technologies, an ERM framework is necessary. It’s like defensive driving—you’re driving with the anticipation that others are not paying attention.

Companies with an enterprise risk management plan in place are in a position to recover more quickly should the worst happen. Creating a proactive process for assessing risk is the first step.

As the word “enterprise” in the acronym implies, ERM emphasizes a top-down, organization-wide view of the set of key risk exposures that could affect a company’s ability to achieve its stability and growth objectives.


Enterprise Risk Management: Types of Risk

ERM comprises all the steps needed to monitor and minimize risk in a company. It operates on the presumption that there’s no such thing as zero risk, no matter how small or simple the business.

However, certain risks are easier to manage than others. Risk can be quantified and even accounted for in budgeting. The internal and external threats to a company are broken into four broad categories; the risks an insurance company faces will almost inevitably fall into one or more of these categories:

1. Operational risk – Operational risk includes any risk incurred directly as a part of doing business. Due to the nature of the insurance business, this is a more prevalent area of risk than in other industries.

2. Financial risk – Financial risk is tied directly to the cash value of a company. In the insurance industry, an example of this is insuring a large group of homes in Southern California that are close to dry brush.

3. Hazard – Insurance companies are themselves not exempt from the hazards that they insure their customers against. An example of a hazard risk would be an insurance company having to close one of its South Florida buildings for a month because of damage from a hurricane. A cyber attack also falls into the hazard category.

4. Strategic risks – Strategic risks are risks that arise as the result of a plan. For example, a strategy to increase online marketing efforts could result in attracting a greater percentage of applicants who are on the higher end of the risk spectrum.

Once a company knows what risks it is facing, it can better plan for what course of action to take.

“The success of ERM depends on how well it integrates into its framework already proven and effective risk management tools, such as Asset Liability Management (ALM), which cuts across different risk categories (underwriting, asset and operational risks).”
– The Center for Insurance Policy and Research

5 ERM Responses to Risk

An effective enterprise risk management program doesn’t just assess the risks facing an enterprise. It provides a plan to address risk. The plan may even be to avoid the risk entirely.

Generally, there are five different approaches a company can take with an identified risk:

1. Avoidance – An avoidance approach to risk simply involves shutting the risk down.
For example, a commercial insurance company may consider adding new coverages to one of its sectors. But they soon learn that this offering would pose too much financial risk. As a result, they decide to not offer any new coverages to the sector, which avoids the risk entirely.

2. Reduction – A reduction of risk is a way to minimize the risk to an acceptable level. In the example above, the company might decide to expand its product offering for a certain sector to include property & commercial auto, but not workers’ compensation products. In health insurance, this could include participation in programs such as smoking cessation, which are designed to improve patient outcomes and reduce cost.

3. Alternative Actions – An alternative action means taking a similar route, but one with lower levels of risk. To continue the above example, an insurance company may look for a different sector in which to introduce workers’ comp.

4. Share or Insure – Another method of reducing risk is to insure the risk itself. For example, an investment in Business Continuity and Data Recovery (BCDR) technology is a form of insurance against physical hazards and cyber hazards that can render a large group of employees non-productive for an extended period of time.

5. Accept – Ultimately, the solution is to decide that the risk is worth the reward. In this case, the insurance company would accept the higher risk (at least in the short run), but it would be well-served by deploying technologies for addressing the expected higher risk levels.

With the ever-changing complexity and volume of risks facing most insurance companies and with growing expectations for improved risk oversight, there is opportunity for many insurance companies to increase the level of their enterprise risk management maturity.