Identifying and Managing Risk

The Insurance Bureau of Canada (IBC) recently completed a survey in conjunction with management consultants Deloitte & Touche to identify what internal risk control procedures property and casualty insurers have or should be applying in evaluating strategic, operational and capital exposures. The survey results show varied approaches by companies, although they all claim to have implemented a risk management plan. However, only 70% of the respondents say they are familiar with the concept of risk management and control self-assessment, with many applying informal procedures.

Risk management is a curious concept. By the nature of business, the property and casualty insurance industry relies on evaluating external risk for the purposes of designing and pricing its product.

However, in contrast, little attention has in the past been given to procedures for managing internal risk. All business undertakings involve risk, and the p&c industry is no exception. In fact, some consider that the confluence of strategic risks, insurance risks and management risks now facing players in the p&c game make this perhaps one of the riskier businesses around.

Indeed, the number and nature of risks facing insurers has never been greater, and the question of the day has become — how to respond? To answer this, the average insurer is faced with several “types” of risk, including strategic risks surrounding the future competitive landscape, and at an operational level the areas of investments, underwriting and claims. Successful insurers know that together, operational capacity and control allows a company to confidently pursue innovative courses of action. The foundation for such control generally involves:

Making someone responsible for managing the organization’s risks;

Systematically identifying and evaluating potential risks;

Developing policies and procedures to manage known risks;

Checking to make sure that policies are in place and procedures are carried out.

Survey — identifying responsibility

Insurance legislation places responsibility of a company with its board of directors. The IBC’s risk management survey shows that 85% of companies delegate responsibility for organizational procedures and controls to the chief executive officer (CEO). CEOs typically demonstrate leadership by supporting internal audit activities, policy setting, and in the reviewing of policies, procedures and controls. However, while all insurers purport to have a process for identifying and evaluating organizational risks, only 80% consider their approach to be “active.” Half of the insurance executives interviewed point to either their strategic planning process or a separate risk-assessment process as the main vehicle for risk identification.

One-quarter of the respondents view the preparation of their company’s business plan as an important tool to identify and evaluating risk. And, more than 50% of the respondents consider such responsibility to rest with individuals throughout the organization while less than half have discussed an active role for the board and audit committee.

As mentioned before, almost all insurers have risk management plans — or sets of policies and procedures — for the business areas most central to their operations and financial management. These include: underwriting and pricing (90%), claims and loss reserving (95%), reinsurance (85%), securities (100%), capital management (90%), liquidity (75%) and credit (55%). In most cases, operational insurance policies and procedures are developed by senior staff in each functional area and approved by the CEO. In the financial area, policies and procedures are most likely to be developed by the chief financial officer and approved by the board of directors.

Finally, control requires activities to ensure that policies and procedures are actually observed. Most insurers (85%) subject their control activities to independent review either by an external group (53%) or internal group (35%), or both (12%). While control activities are routinely subject to independent review, only 40% of insurers find their current process for verification and reporting provides a satisfactory level of assurance about the company’s compliance with policies and procedures.

New perspective on controls

New initiatives in risk management, including the work of the Committee of Sponsoring Organizations of the Treadway Commission (CoSo) and the Criteria of Control Board (CoCo), emphasize building control into corporate practices rather than applying controls to operations.

In short, they advocate placing greater responsibility for corporate risk management in the hands of those directly involved in operations. These ideas have currency. Around 70% of insurers say they are familiar with the concept of risk management and control self-assessment while 40% have implemented an active corporate-wide program. A further 15% indicate that they have “somewhat active programs”. Of the companies indicating that they were not familiar with the concept, 45% say they are either “somewhat likely”, or “most likely”, to take steps in the next five years.

Although it is difficult to measure the extent which insurers are paying heed to risk management practices, many companies do consider themselves to be “in control”, even though their policies and procedures are informal. For example, in the area of capital risk management, 58% report having informal policies and procedures with another 10% having no policies and procedures.

Documenting policies

Demonstrating compliance with informal policies or procedures is harder to verify than instances where policy is documented. And yes, documentation does matter. This is because the concepts of risk management and control self-assessment have not only rocked the auditing world, but rolled into supervisory practices as well.

Throughout Canada and the world, regulators are looking to better integrate professional assessments, corporate governance and internal risk management processes into the supervision of financial institutions. Over time, regulatory resources should come to focus on only those activities where corporate risk management is either not in place, or insufficiently so.

Insurers participating in the IBC study support this trend. While support is high, insurers also realize that they will be challenged to turn internal risk management and control processes up a notch in reliability, while managing a potentially paper-intensive process of proof.

Is risk management and control important in your company? How do your activities rate against your industry peers?

Take this short quiz and find out how you compare.

Risk Management and Control Quiz November 1999

(selected questions from a forthcoming IBC study on risk management and control)

1. Does your company have an active process in place for identifying

possible threats to achieving company objectives? ____________

2. How active is your Board/Home Office with the control and internal

audit process in your company? (high, moderate, low) _________

3. Who is ultimately accountable for your company’s organizational

and procedural controls? _______________________________

4. Is there a senior management forum charged with overseeing

company risk? ________________________________________

5. How familiar is your company with control self-assessment? _____

6. To what extent are you implementing risk and control

self-assessment in Canada? ______________________________

7. Have you provided resources to the “control infrastructure” at

your company and supported related innovation and change? ____

8. Is it explicitly in the mandate of your external auditors to assess

the adequacy and effectiveness of control at your company? _____

9. Are you satisfied with the level of reporting and assurance about

compliance with controls at your company? _________________

10. In your view, what will b
e the next area requiring major risk

management attention?_________________________________

IBC survey results to the above questions

1. Yes (80%), No (15%), Don’t Know (5%)

2. Highly Active (47%), Moderately Active (16%),

Low Activity (37%)

3. CEO/President (85%), CFO (10%), COO (5%)

4. Yes (70%), No (30%)

5. Very Familiar (40%), Somewhat Familiar (30%),

Not Familiar (25%), No Response (5%)

6. Active Corporate-Wide Program (40%), Somewhat

Active (15%), Not Very Active (40%), No Response (5%)

7. Yes (35%), No (65%)

8. Yes (60%), No (40%)

9. Definitely Satisfied (40%), Adequate, But Could Be

Improved In Some Areas (45%), Needs Improvement

(10%), No Response (5%)

10. Information technology, internal processes and documentation,

finite or financial reinsurance markets, excess capacity, deeper

handling of informal controls, compliance with applicable laws

and regulations, Y2K, ethics, electronic commerce and privacy of

information, staff and employee involvement in self-assessment,

weekly operations meetings between executives and risk

management, fraud control and reinsurance costs.