


ERM Prepares Carriers for (Almost) Everything

Michael P. Voelker | November 10, 2016

Thomas Dunbar, senior vice president and head of information risk management at XL Catlin, says he often draws from his experience as a Boy Scout leader in his approach to enterprise risk management (ERM).

“As a scout leader, ‘Be Prepared’ is the motto we live by,” he says. “In managing risk, being prepared is essential as well. What are ongoing risks we need to be prepared for? What are the daily risks? The 10-year events? The 100-year events? By having strong risk management at every level, it helps us understand how to minimize those risks and react and remediate if they do occur.”

Enterprise risk management is a continually evolving discipline, and the definition of ERM continues to evolve as well. According to the Risk and Insurance Management Society (RIMS), it is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. ERM encompasses all areas of organizational exposure to risk, prioritizes and manages those exposures as an interrelated risk portfolio, and evaluates that portfolio against internal and external factors.

In the heavily regulated industry that is insurance, compliance is often the starting point to risk management. “Compliance is a goal and something the business understands. Having an effective enterprise risk management program does help you when you need to talk with regulators and rating agencies. However, compliance is not the ultimate objective,” says Dunbar.

An effective ERM function also helps companies optimize the risk-taking that is central to the insurance business. McKinsey points out that companies that create and follow a risk management framework (see sidebar) outperform other companies in terms of less volatile returns and a more resilient stock price.

“Enterprise risk management benefits span from compliance and avoiding downside to outperforming other companies,” says Ari Chester, partner, McKinsey & Company. “It moves a company to better performance by helping them avoid big, unanticipated surprises.”

“We often hear from companies that they have learned more about their risk by embarking on the holistic exercise that is ERM,” says Howard Mills, global insurance regulatory leader, Deloitte Services. “It allows them to identify and remedy weak points, avoid unacceptable risks, and better understand the risks that they are willing to accept as insurers.”

Needing to report to both Swiss and U.S. regulators, Zurich’s enterprise risk management process began largely with a compliance focus. However, the company quickly realized additional benefits of having a good understanding of risk. “Over the years, Zurich has developed a framework that not only helps us comply with capital requirements of regulators and build shareholder value, but can also give us a competitive advantage,” says Linda Conrad, Zurich’s head of strategic business risk.

For instance, ERM has paid dividends at Zurich in the improvement of operational capital efficiency. In one case, switching from an asset-focused approach to a risk-based approach enabled a business unit to experience a reduction of nearly 22 percent in capital consumption, freeing up money to fund other initiatives.

“At a high level, ERM has an impact on better protecting our reputation and rating with rating agencies. On a more operational level, we use ERM to help ensure that our business strategies are aligned around our understanding of our appetite for risk. We have evolved to the point where ERM is an indispensable tool to managing our business,” Conrad says.

Technology’s Role

By definition, enterprise risk management is an evaluative process, and the most important tool in that process may well be the human brain. But when it comes to connecting the dots and running simulations, there is no substitute for the power of technology, which has taken a central role in insurers’ ERM efforts.

“Technology is a big part of risk management today,” Mills says. “Scenario planning and modeling have evolved dramatically, and the amount of data insurers use in the risk management process continues to grow.”

Zurich’s expansive portfolio of risk management tools had humble beginnings. “We started off with spreadsheets,” Conrad says. Today the company uses a variety of ERM-focused technology, including what it calls “opportunity analysis tools.”

“The real value [of ERM] comes from the predictive capabilities it can deliver,” Conrad says. “Finding opportunities, and finding them early enough to capitalize on them, starts with identifying and understanding risk.”

At the core of Zurich’s risk management function is its proprietary Total Risk Profiling, which is both a tool and a process for identification, assessment, management and tracking of risks. The product of decades of refinement, Total Risk Profiling develops risk scenarios based on components of vulnerability, risk triggers, and consequences, which allows the company to evaluate both individual risks and connections across different risk events. Zurich quantifies risk in terms of potential exposure and measures it against its risk tolerance level to help the business budget and make informed decisions.

“Total Risk Profiling is a workshop that brings members of a project initiative or business together to identify key vulnerabilities,” Conrad explains. “It is also an ongoing process. If we have a long-term project, we can use it as a ‘gate’ so we can revisit risks, determine if they have increased or decreased, and adjust accordingly. It is a powerful business or project management tool that is used nearly 200 times annually across the company and the board.”

Zurich can also incorporate “key risk indicators” into its operations to provide a potential early warning of new risks and changes to known risks in areas such as natural catastrophe exposure, credit risk, and asset allocation. The company also uses a custom-built ERM platform, which helps find correlations and aggregations of risk that would be difficult or impossible to identify manually.

“As you can imagine, the volume of data we deal with is incredible, which is where software comes into play,” says Conrad.

Another key tool is the Zurich Risk Room, a software program that utilizes both Zurich data and numerous external sources to present a visual, three-dimensional overview of global risks by country and supports scenario analysis. Zurich also created a cross-functional Emerging Risk Group, which is responsible for identifying new exposures and estimating their potential impact or opportunity. Other ERM tools and methodologies in use at the company include supply chain risk assessment, business interruption modeling software, and business continuity plan gap analysis. 

Technology’s Risk

Technology is important to an effective enterprise risk management process, but technology also presents risk that must be managed.

“Cyber risk is a hot issue for any company and can be a key vulnerability if not well managed,” Conrad says. “Assessing and managing cyber risk is essential so that we can focus our IT resources on protecting confidential data and create resiliency plans to help us quickly recover if we are subjected to disruptions.”

“Cyber is one of the key risks we face—it’s not a matter of if we have a cyber event, it’s when,” XL Catlin’s Dunbar says. “The benefit of having a true ERM process around cyber is understanding the risk and knowing how to plan, prepare, and react.”

Dunbar says that the company’s risk management process around cyber was challenged by the merger of XL Group and Catlin Group in 2015. “Each company had robust cybersecurity programs, but when you put two companies together, the new entity becomes a different risk exposure. There were some significant projects we had to quickly undertake,” he says.

One of those projects involved data loss prevention (DLP). “Each company had different data centers with different strategies and security architecture around DLP. We needed to evaluate which of those approaches was right for the whole company so that on day one [after the merger] we were at the same level of risk management across the enterprise, not just from a technology standpoint, but from a staff education and training standpoint as well.”

Dunbar sits on a cyber risk task force headed up by David Brooks, senior vice president and chief risk officer. In addition to evaluating the company’s own controls around cyber and emerging cyber risk, the task force helps the business identify opportunity.

“As cyber risk changes, we look at how that affects what we’re writing,” Dunbar says. “For instance, what does the growing Internet of Things mean to a company like us? What is our internal exposure, what is our exposure across the various lines of business that we write, and are there any changes to policies or products that we can make as a result?”

A top priority the company identified for 2016 was addressing the cyber risk of third-party administrators (TPAs) and managing general agents (MGAs). “We have gradually shifted over time from a more introspective approach to looking at cyber risk more broadly,” Dunbar says. “With the merger of the two companies, we also realized that we now have a lot more third parties partnering with us than we have before. We are looking more deeply at how we manage them, because they are managing data for us.”

As a result of that risk identification, XL Catlin put in place a new risk assessment process for any new MGA or TPA. “Internally, we follow ISO standards, which is a good way to tell our customers about our level of cybersecurity. We realize that small companies may not be able to be totally ISO-compliant around data security, but we need to measure them against that standard and demand the same level of security around data as if we managed that data ourselves,” Dunbar says.

XL Catlin developed a detailed evaluation process that scores third parties on a low-to-high scale around areas such as email security, data transmission protocols, and overall data center controls. The process involves personnel from the task force, the external vendor, and the internal business unit that is using or considering using the services of that vendor.

“The evaluation process is based on the same one we use to measure ourselves in terms of program maturity. We help [third parties] address any deficiencies and report that information back to the business units so that they can make informed decisions,” Dunbar says.

He adds that one of the most important features of XL Catlin’s overall ERM program is an enterprise-level risk register.

“The benefit of the register is that it allows us to know who risk owners are,” Dunbar says. “When we look at cyber risk, even though it is a technology risk, it is ‘owned’ by the business side. Having that knowledge and accountability provides for more effective management of risks, and is particularly important to a company of our size.”

Outward ERM

Another key benefit insurers have achieved from enterprise risk management is the ability to take the knowledge gained through their own processes and apply it to the services they offer to customers. 

Zurich can provide its customers ERM diagnostic services that identify strengths, weaknesses, and strategies for improving processes and filling gaps that exist in a company’s current risk management infrastructure. The company also provides a version of its Risk Room in app form for Apple and Android devices.

“Risk Room gives customers insight into key risk elements by country, including the fact that risk exposure may not be evenly distributed by country or may be linked or compounded by other exposures,” Conrad says.

For instance, U.K. weather is often characterized by rain, but aging infrastructure that does not allow water to flow where it is most needed may in fact be the biggest water-based risk that companies in the U.K. face. “Many areas in the U.K. have a water shortage,” Conrad says. “Understanding a risk and how it interconnects with other risks can be hard to identify and visualize, but can have a significant impact on a company.” 

Zurich also offers an online ERM Healthcheck Assessment. Initially designed for financial institutions, the online assessment provides customized recommendations for creating a more risk-aware internal culture and management framework.

Well Prepared

Companies that are further along than others on the enterprise risk management evolutionary scale view ERM as more than just a compliance or one-off activity.

“One of our biggest realizations over time is how important it is to embed enterprise risk management into our day-to-day operations,” Conrad says.

“When risk is discussed as much as profit is, that’s where the real value lies,” she adds. “You need to take risk to make a profit and increase shareholder value. The earlier you can identify risk, the less expensive it is to mitigate it and the more likely it is that you can leverage the opportunity for growth.”

"The role of ERM is not to take away risk. It doesn’t even necessarily reduce risk in all circumstances,” says Chester. “But, ERM does help you anticipate risk. As long as you have a good understanding of the risks you face, and as long as you can project a reasonable quantitative estimate of what this risk might be under different scenarios, you’ll be well prepared to take action.”
