In light of the current financial crisis, many shareholders have lost confidence in the ability of companies to manage their exposure to risk. Companies are thus turning to risk management as a critical skill among their executives and an important part of their business strategy to survive the economic downturn. It is a complex process that will increasingly gain in importance in 2009 as new regulations come into force.
Today's senior-level executives, also known as 'C-level' executives, face risks from an increasing number of sources. On the one hand, they are trying to anticipate and respond to dynamic financial markets. On the other hand, they must stay in touch with investor expectations. At the same time, companies must comply with new and changing regulations, from international financial reporting standards like IAS and IFRS to the Sarbanes-Oxley Act. And in fact many experts believe more regulations will be introduced during the upcoming year as a result of the financial crisis, which has caused the financial bailout of several companies.
Financial risk is typically a top concern, which can be subdivided into several distinct categories: market risk, credit risk, liquidity risk and portfolio risk.
Dealing effectively with these multi-dimensional challenges requires a risk management framework that covers the entire enterprise. Enterprise risk management (ERM), enterprise performance management (EPM), and governance, risk and compliance (GRC) are three corporate strategies that inter-relate to improve risk measurement, risk controls and risk mitigation.
GRC, a term first coined by Forrester Research, involves governance (the controls to manage risk overrides and processes), risk management (catastrophe risk models) and tracking compliance with local regulations.
EPM tracks and monitors overall company performance. It includes an assessment of risk, which is now a critical component for managing risk and reward incentives.
Due to the recent liquidity crisis, which has negatively affected companies globally, enterprise risk management has quickly gained the attention of regulators, shareholders and insurers. In Europe, regulators have proposed Solvency II regulation to apply key learnings and improve risk management. This, in turn, will increasingly influence the Canadian market.
ERM addresses all aspects of the business and helps outline strategic risk management activities through:
• risk identification -- outlines various sources of risk;
• risk measurement -- measures the amount of risk and how it might affect the company's financial position;
• risk management -- lists actions taken to meas- ure and mitigate risks so as to minimize their impact.
ERM should not be viewed simply as insurance against the negative consequences of decisions or actions. The right ERM system can help enhance a firm's performance and satisfy its shareholders. Once the risks have been identified and parameters defined, an organization can effectively leverage the risk management system to meet compliance requirements and provide timely and efficient regulatory reporting.
ERM can increase value for shareholders. Shareholders demand better control of risks and are looking to executive boards to become more accountable. Many companies have failed recently because they underestimated their risk. Managers need to balance their mandate to generate revenue with a careful consideration of the risks associated with new business opportunities. ERM can help insurers reach this balance and ultimately help their businesses survive and thrive in any economic cycle.
So how can you effectively implement ERM? Consider the following four-step program:
ERM foundation phase
Making decisions about risk requires a solid foundation of clean and trusted data related to risk and finance. The data usually consists of information collected over the past five years or more and needs to be integrated and maintained.
In addition to preparing and organizing data, the foundation phase includes the establishment of governance structures, as well as risk policies and resources to track and monitor policies. Establish the position of a chief risk officer, who will report to the chief financial officer and consult frequently with people in the fields of finance, actuarial, investment, law, IT and other lines of business. Educate stakeholders on risk management, whether in the form of self-learning or face-to-face sessions.
Risk identification and assessment
In this phase, each regional or line of business manager needs to identify key risks and control weaknesses. Internal auditors, external agencies and regulators will oversee how these are identified and measured. Forming a loss history of operational or external events is important to run simulations or models.
Risk measurement and reporting
Historically, companies retained a lot of data in their computer systems that were difficult to access or read, or that weren't stored in the right format for cross-disciplinary use. That meant data couldn't be accessed for use in important stress tests or to help model "what-if" scenarios. In other words, many companies that suffered huge losses during the recent economic meltdown could not foresee the extreme situations we are experiencing now.
It's important to ensure that any chosen ERM program has the technological capacity to analyze data in complex risk models. Simulations and stress testing can create different, extreme business scenarios; key risk indicators, risk reports and dashboards can be created from the risk model output. These need to be distributed to key executives in easy-to-use reports to help them better monitor and track exposures in their lines of business.
New reports can be created to react to certain situations without access to IT, empowering managers to take action to mitigate risk. Risk dashboards create effective visualization of complex calculations and information. Many regulators require a system to monitor and track operational risk, and key risk indicator (KRI) dashboards allow this.
How does this play out in the real world?
Being able to investigate, drill down and form an answer quickly and easily can make or break a company. Let's use the current credit crisis as an example. One minute you are drinking your morning coffee and perusing your emails, when all of a sudden your office becomes frenzied: another bank is about to go down in the United States! Within seconds, your manager comes to you and demands to know: "What is our exposure if that bank goes down tomor row? Tell me by lunchtime." That's only a few short hours away.
Before your company's sophisticated ERM system was deployed, it would have taken you weeks to analyze the counter-party risks of that bank -- searching, investigating, formating reports and sending them to the manager so he can take action. With ERM, you can quickly mobilize the relevant teams, get the most up-to-date information, identify key information, put it into a report and take action quickly, helping mitigate your company's risk exposure.
Risk mitigation and management
This involves issue resolution, adjusting pricing decisions to reflect the true risk of the client or the deteriorating position of the counterparty. This also entails allocating capital to the most profitable areas and analyzing scenarios for changes in key drivers such as interest rates, currency changes and credit default rates.
There are several other components worth looking at when considering an ERM system. Look for applications that are not point solutions for risk management but have wider ability to do controls and compliance.
Make sure the vendor has experience in the insurance sector and that the system complies with insurance-specific requirements. As trends in the marketplace evolve, make sure the chosen system complies with local regulations and provides standard and templated reports, frameworks and other information required by the local regulator. Insurers can also reduce costs and IT complexity by choosing fully functional ERM systems that can be deployed out of the box.
ERM systems can help insurers balance business opportunities with financial, legal and operational risks, increase transparency and achieve regulatory compliance. By adopting effective enterprise risk management strategies and solutions, insurers can confidently anticipate and respond to changing market conditions and be well ahead of the game.