ERM Prepares Carriers for (Almost) Everything
Michael P. Voelker | November 10, 2016
Thomas Dunbar, senior vice president and head of information risk management at XL Catlin, says he often draws from his experience as a Boy Scout leader in his approach to enterprise risk management (ERM).
“As a scout leader, ‘Be Prepared’ is the motto we live by,” he says. “In managing risk, being prepared is essential as well. What are ongoing risks we need to be prepared for? What are the daily risks? The 10-year events? The 100-year events? By having strong risk management at every level, it helps us understand how to minimize those risks and react and remediate if they do occur.”
Enterprise risk management is a continually evolving discipline, and the definition of ERM continues to evolve as well. According to the Risk and Insurance Management Society (RIMS), it is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. ERM encompasses all areas of organizational exposure to risk, prioritizes and manages those exposures as an interrelated risk portfolio, and evaluates that portfolio against internal and external factors.
In the heavily regulated industry that is insurance, compliance is often the starting point to risk management. “Compliance is a goal and something the business understands. Having an effective enterprise risk management program does help you when you need to talk with regulators and rating agencies. However, compliance is not the ultimate objective,” says Dunbar.
An effective ERM function also helps companies optimize the risk-taking that is central to the insurance business. McKinsey points out that companies that create and follow a risk management framework (see sidebar) outperform other companies in terms of less volatile returns and a more resilient stock price.
“Enterprise risk management benefits span from compliance and avoiding downside to outperforming other companies,” says Ari Chester, partner, McKinsey & Company. “It moves a company to better performance by helping them avoid big, unanticipated surprises.”
“We often hear from companies that they have learned more about their risk by embarking on the holistic exercise that is ERM,” says Howard Mills, global insurance regulatory leader, Deloitte Services. “It allows them to identify and remedy weak points, avoid unacceptable risks, and better understand the risks that they are willing to accept as insurers.”
Needing to report to both Swiss and U.S. regulators, Zurich’s enterprise risk management process began largely with a compliance focus. However, the company quickly realized additional benefits of having a good understanding of risk. “Over the years, Zurich has developed a framework that not only helps us comply with capital requirements of regulators and build shareholder value, but can also give us a competitive advantage,” says Linda Conrad, Zurich’s head of strategic business risk.
For instance, ERM has paid dividends at Zurich in the improvement of operational capital efficiency. In one case, switching from an asset-focused approach to a risk-based approach enabled a business unit to experience a reduction of nearly 22 percent in capital consumption, freeing up money to fund other initiatives.
“At a high level, ERM has an impact on better protecting our reputation and rating with rating agencies. On a more operational level, we use ERM to help ensure that our business strategies are aligned around our understanding of our appetite for risk. We have evolved to the point where ERM is an indispensable tool to managing our business,” Conrad says.
By definition, enterprise risk management is an evaluative process, and the most important tool in that process may well be the human brain. But when it comes to connecting the dots and running simulations, there is no substitute for the power of technology, which has taken a central role in insurers’ ERM efforts.
“Technology is a big part of risk management today,” Mills says. “Scenario planning and modeling have evolved dramatically, and the amount of data insurers use in the risk management process continues to grow.”
Zurich’s expansive portfolio of risk management tools had humble beginnings. “We started off with spreadsheets,” Conrad says. Today the company uses a variety of ERM-focused technology, including what it calls “opportunity analysis tools.”
“The real value [of ERM] comes from the predictive capabilities it can deliver,” Conrad says. “Finding opportunities, and finding them early enough to capitalize on them, starts with identifying and understanding risk.”
At the core of Zurich’s risk management function is its proprietary Total Risk Profiling, which is both a tool and a process for identification, assessment, management and tracking of risks. The product of decades of refinement, Total Risk Profiling develops risk scenarios based on components of vulnerability, risk triggers, and consequences, which allows the company to evaluate both individual risks and connections across different risk events. Zurich quantifies risk in terms of potential exposure and measures it against its risk tolerance level to help the business budget and make informed decisions.
“Total Risk Profiling is a workshop that brings members of a project initiative or business together to identify key vulnerabilities,” Conrad explains. “It is also an ongoing process. If we have a long-term project, we can use it as a ‘gate’ so we can revisit risks, determine if they have increased or decreased, and adjust accordingly. It is a powerful business or project management tool that is used nearly 200 times annually across the company and the board.”
Zurich can also incorporate “key risk indicators” into its operations to provide a potential early warning of new risks and changes to known risks in areas such as natural catastrophe exposure, credit risk, and asset allocation. The company also utilizes a custom-built ERM platform as well, which helps find correlations and aggregations of risk that would be difficult or impossible to do manually.
“As you can imagine, the volume of data we deal with is incredible, which is where software comes into play,” says Conrad.
Another key tool is the Zurich Risk Room, a software program that utilizes both Zurich data and numerous external sources to present a visual, three-dimensional overview of global risks by country and supports scenario analysis. Zurich also created a cross-functional Emerging Risk Group, which is responsible for identifying new exposures and estimating their potential impact or opportunity. Other ERM tools and methodologies in use at the company include supply chain risk assessment, business interruption modeling software, and business continuity plan gap analysis.
Technology is important to an effective enterprise risk management process, but technology also presents risk that must be managed.
“Cyber risk is a hot issue for any company and can be a key vulnerability if not well managed,” Conrad says. “Assessing and managing cyber risk is essential so that we can focus our IT resources on protecting confidential data and create resiliency plans to help us quickly recover if we are subjected to disruptions.”
“Cyber is one of the key risks we face—it’s not a matter of if we have cyber event, it’s when,” XL Catlin’s Dunbar says. “The benefit of having a true ERM process around cyber is understanding the risk and knowing how to plan, prepare, and react.”
Dunbar says that the company’s risk management process around cyber was challenged by the merger of XL Group and Catlin Group in 2015. “Each company had robust cybersecurity programs, but when you put two companies together, the new entity becomes a different risk exposure. There were some significant projects we had to quickly undertake,” he says.
One of those projects involved data loss prevention (DLP). “Each company had different data centers with different strategies and security architecture around DLP. We needed to evaluate which of those approaches was right for the whole company so that on day one [after the merger] we were at the same level of risk management across the enterprise, not just from a technology standpoint, but from a staff education and training standpoint as well.”
Dunbar sits on a cyber risk task force headed up by David Brooks, senior vice president and chief risk officer. In addition to evaluating the company’s own controls around cyber and emerging cyber risk, the task force helps the business identify opportunity.
“As cyber risk changes, we look at how that affects what we’re writing,” Dunbar says. “For instance, what does the growing Internet of Things mean to a company like us? What is our internal exposure, what is our exposure across the various lines of business that we write, and are there any changes to policies or products that we can make as a result?”
A top priority the company identified for 2016 was addressing the cyber risk of third-party administrators (TPAs) and managing general agents (MGAs). “We have gradually shifted over time from a more introspective approach to looking at cyber risk more broadly,” Dunbar says. “With the merger of the two companies, we also realized that we now have a lot more third parties partnering with us than we have before. We are looking more deeply at how we manage them, because they are managing data for us.”
As a result of that risk identification, XL Catlin put in place a new risk assessment process for any new MGA or TPA. “Internally, we follow ISO standards, which is a good way to tell our customers about our level of cybersecurity. We realize that small companies may not be able to be totally ISO-compliant around data security, but we need to measure them against that standard and demand the same level of security around data as if we managed that data ourselves,” Dunbar says.
XL Catlin developed a detailed evaluation process that scores third parties on a low-to-high scale around areas such email security, data transmission protocols, and overall data center controls. The process involves personnel from the task force, the external vendor, and the internal business unit that is using or considering using the services of that vendor.
“The evaluation process is based on the same one we use to measure ourselves in terms of program maturity. We help [third parties] address any deficiencies and report that information back to the business units so that they can make informed decisions,” Dunbar says.
He adds that one of the most important features of XL Catlin’s overall ERM program is an enterprise-level risk register.
“The benefit of the register is that it allows us to know who risk owners are,” Dunbar says. “When we look at cyber risk, even though it is a technology risk, it is ‘owned’ by the business side. Having that knowledge and accountability provides for more effective management of risks, and is particularly important to a company of our size.”
Another key benefit insurers have achieved from enterprise risk management is the ability to take the knowledge gained through their own processes and apply it to the services they offer to customers.
Zurich can provide its customers ERM diagnostic services that identify strengths, weaknesses, and strategies for improving processes and filling gaps that exist in a company’s current risk management infrastructure. The company also provides a version of its Risk Room in app form for Apple and Android devices.
“Risk Room gives customers insight into key risk elements by country, including the fact that risk exposure may not be evenly distributed by country or may be linked or compounded by other exposures,” Conrad says.
For instance, U.K. weather is often characterized by rain, but aging infrastructure that does not allow water to flow where it is most needed may in fact be the biggest water-based risk that companies in the U.K. face. “Many areas in the U.K. have a water shortage,” Conrad says. “Understanding a risk and how it interconnects with other risks can be hard to identify and visualize, but can have a significant impact on a company.”
Zurich also offers an online ERM Healthcheck Assessment. Initially designed for financial institutions, the online assessment provides customized recommendations for creating a more risk-aware internal culture and management framework.
Companies that are further along than others on the enterprise risk management evolutionary scale view ERM as more than just a compliance or one-off activity.
“One of our biggest realizations over time is how important it is to embed enterprise risk management into our day-to-day operations,” Conrad says.
“When risk is discussed as much as profit is, that’s where the real value lies,” she adds. “You need to take risk to make a profit and increase shareholder value. The earlier you can identify risk, the less expensive it is to mitigate it and the more likely it is that you can leverage the opportunity for growth.”
"The role of ERM is not to take away risk. It doesn’t even necessarily reduce risk in all circumstances,” says Chester. “But, ERM does help you anticipate risk. As long as you have a good understanding of the risks you face, and as long as you can project a reasonable quantitative estimate of what this risk might be under different scenarios, you’ll be well prepared to take action.”
- Enterprise Architecture in an Agile World
- Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data
- Industry Insight: 4 Global Insurance Trends in Digital, Data, Content Services and Security
- Diving Deeper into Prioritizing Your Strategic Digital investments
- Why Content Rules
- How Mass Personalization Will Open the Small Business Benefits Market
- At Year End 2017, Will Your Organization Be Protected from Cyber Risks?
- Do Insurance Bots Dream of Mitigating Risk?
- Conditioned to Respond
- Managing & Mobilizing Insurance Data in a Connected World
- Race to the Finish Line
- New Tools, New Opportunities in Claims
- ITA LIVE: Reaching Insurance Industry Crossroads
- Advice to Insurance IT Leaders: Keep Your Eye on the Ball
- New Date, Venue for ITA LIVE 2017
- Guidewire Makes Major Push to Small and Midtier Market by Acquiring ISCS
- Insurance Disruption is Happening Right Now
- Insurity Adds Strategic Investment Partner, General Atlantic
- Beyond Transformation: The Convergence of Finance, Risk, and Actuarial Functions
- The Rapid Evolution of Consumer Protection Regulation
- Talent Hunt: Finding, Attracting, Retaining Top People
- Insurers Flexing Their Distribution Models
- Technology Driving Disruption in Insurance
- Fear of ‘Next Bubble’ Challenges Life, Annuity Carriers
- Technology Allows Commercial Lines Insurers to Stand Out
- Single Sign-on Viewed as Biggest Tech Challenge for Agencies
- ISCS Observes 20th Anniversary; Scurto Predicts Major Changes Ahead
- Policyholders and Their First Impressions
- Progressive Making Progress on the UBI Front
- High and Dry: Insurers Search for Disaster Recovery Plans
- Insurers Sign The (Un)Dotted Line
- Reflections of a Retired Insurance CIO
- Mobile Device Management Just One Answer to BYOD Issue
- Lessons from GEICO and Progressive on Winning the Critical Buying Stage
- You Are a Target for a Cyber Attack
- Web-based Systems are the Next Evolution in Claims Technology
- Gaining a “Wow” Experience from Web Users
- Time to Shift from Business/IT Alignment to Business/IT Alliance
- Healthcare Insurers Changing to Consumer Model
- Organization is the Key for Selecting Software Vendors
- Analysts Expound on the Needs of the Mid-tier Insurance Market
- Finding the Cure for Obamacare’s Website
- New Software Solutions Benefit Insurers on the Inside and Outside
- Products, Market Impede Investment in Systems for Life Insurers
- Combatting Cyber Threats: Predict, Prevent, Persist
- The Future of Telematics Heads Beyond Insurance
- The Shame in Cyber Security Lapses
- Building Policy Administration Systems for the Future
- Insurers Look Into The Eyes of Their Policyholders
- It’s a New Dawn for the ITA
INSURANCE IT NEWS
- Visioning, Setting Scope, and Execution Planning Critical for Successful Digital Strategies, Says Novarica
- ITS Implements QA Best Practices for Rockford Mutual
- FireLight® by Insurance Technologies Features New Advanced User Experience Capabilities and Wizard Designer
- InsurTech Startup Betterview Launches New AI Driven Roof Report to Immediately Identify Roof Condition & Characteristics
- Larger Insurers Extending their Analytics Leads and Piloting Artificial Intelligence, says 3rd Annual Novarica New Normal 100 Benchmark
- 360Globalnet Augments Services and Implementation Capabilities
- TechCanary Incorporates in Canada as TechCanary Insurance Software of Canada ULC
- XL Catlin to Build World’s First On-Demand Cyber Insurance Solution with Slice ICS
The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.
ITA is pleased to present the 2014 Webinar Series. We have many topics for you to choose from and attendance is open to all ITA members. The webinar topics are current and exciting — ranging from predictive analytics to telematics and will focus on the direction insurance carriers need to follow for the future. All webinars are presented by insurance IT professionals along with some of the leading analysts and consultants in the field. There is no cost to attend an ITA webinar. For more information and to register for the webinar, click the “title” of the webinar below.
BLOGS AND COLUMNS
It has become a common refrain over the past few years to view the practice of enterprise architecture (EA) as something that time has passed by, much... READ MORE
One important trend in society over the past decade is our increasing ability to create and consume a seemingly unlimited amount of digital content... READ MORE
You have surely heard it said that small businesses are the growth engine for America. Today, the phrase has a special ring to it for benefits... READ MORE
With stagnant growth and lingering low interest rates, the life insurance industry faces a challenging future... READ MORE
Finding insurance carriers willing to write commercial lines risks has always been a challenge for producers... READ MORE
As Guidewire Software prepares for the start of Connections, its 11th annual user conference that begins on Nov. 2, Brian Desmond, chief marketing... READ MORE
Fraud detection has always been and will continue to be a critical component of claims management. Learning the lessons from current claims Straight... READ MORE
- Vendor Views