engage ERM ADVISORY Insurer Management Risk Committee Practices

Transcription

1 engage ERM ADVISORY Insurer Management Risk Committee Practices 2012

2 There are three major organizational steps that insurers with significant Enterprise Risk Management programs usually consider: the appointment of a Risk Officer, the identification of Risk Owners and the founding of a Management Risk Committee. This report provides a view of the range of practices of the Management Risk Committees of major insurers. Structure of Risk Committees Major insurance groups may have one, two or many management risk committees. Most insurers have more than one risk committees. The most common structure is to have an executive level committee and an operational level risk committee. The split of duties between the two levels of committees varies among insurers. Examples of duties can be found below under Responsibilities of Risk Committees. A number of insurance groups have three or four risk committees. In most cases, this is a function of history and personalities in those groups. Usually the group had an existing committee with a function that overlapped with but did not include all of the new ERM roles and in expanding the ERM role, top management wanted to establish a new additional group instead of simply expanding the role of the existing group. In life insurers, there may have been an ALM committee or a New Product committee or both. In Non-Life groups, often had a powerful Group Underwriting Committee. Often ERM was established at the time of a heightened concern about capital level following a large loss. Many of the European ERM efforts intensified after the losses suffered from equity investments from the 2001 Tech Bubble. In some groups, Risk committees may also be split in a way that mirrors the way that the company is organized. In a non-life group, the traditional risk activity was split between insurance, investment and operational risk focus. The new ERM committee may be given a balance sheet focus because the balance sheet is an Enterprise level concept. In some cases, the Group did not have Enterprise level risk committees of any kind prior to the introduction of ERM because all risk was managed at an operating unit or country or subsidiary level. Those groups then had a wide range of choices for structure of the new enterprise level risk committees. Willis Re Inc. All rights reserved: No part of this publication may be reproduced, disseminated, distributed, stored in a retrieval system, transmitted or otherwise transferred in any form or by any means, whether electronic, mechanical, photocopying, recording, or otherwise, without the permission of Willis Re Inc. Some information contained in this report may be compiled from third party sources and we do not guarantee and are not responsible for the accuracy of same and disclaim any and all liability in connection with any such information or websites. This report is for general guidance only and is not intended to be relied upon. Any action based on or in connection with anything contained herein should be taken only after obtaining specific advice from independent professional advisors of your choice. The views expressed in this report are not necessarily those of Willis Re Inc., its parent companies, sister companies, subsidiaries or affiliates (hereinafter Willis ). Willis is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability for the reader s application of any of the contents herein to any analysis or other matter, or for any results or conclusions based upon, arising from or in connection with the contents herein, nor do the contents herein guarantee, and should not be construed to guarantee, any particular result or outcome. Willis accepts no responsibility for the content or quality of any third party websites to which we refer. The contents herein are provided for informational purposes only and do not constitute and should not be construed as professional advice. Any and all examples used herein are for illustrative purposes only, are purely hypothetical in nature, and offered merely to describe concepts or ideas. They are not offered as solutions to produce specific results and are not to be relied upon. The reader is cautioned to consult independent professional advisors of his/her choice and formulate independent conclusions and opinions regarding the subject matter discussed herein. Willis is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability for the reader s application of any of the contents herein to any analysis or other matter, nor do the contents herein guarantee, and should not be construed to guarantee, any particular result or outcome.

3 Page 2 For these groups, the main decision was whether they would have a risk oversight structure that followed the group organizational structure or whether they would develop a risk oversight structure that was organized by risk. The advantage of following the existing organizational structure is that there is already a decision-making and responsibility chain and the risk considerations can be just one more item that needs to flow through that chain. The disadvantage is that it may be difficult to get the existing structure to give the new risk consideration enough priority for there to be any real serious consideration of important risk issues. In addition, if the risk organization follows the existing organizational structure, then the recognition of excessive aggregation of risk can only be properly done by a different Group level risk department or committee that primarily deals with the issue of aggregation. This is the primary concern of the committees that have a capital focus. The advantage of organizing risk according to risk is that the group-wide aggregations of risk can be a focus for each of those group-wide risk committees. The disadvantage is that those committees will have a difficult time influencing the decisions of the existing corporate hierarchy. What will have happened is that the group will then have multiple hierarchies which will make decision making and execution more complicated. Membership of Risk Committees The Executive level Risk Committee usually has most or all of the senior level executives of the group, along with the CRO if the CRO is not already a member of that group. In many firms one or more top executives who are thought to have less financial responsibilities (from marketing or sales) are excused from this group. Most often the CEO or the CFO chairs this group. The operational level Risk Committees usually include several financial executives who are not members of the top executive management team as well as the executives from the major business units. Other functional leaders whose areas include major risks such as legal and IT may also be included. When the major focus of the risk committee is capital and risk, then the operational risk areas are often excluded.

4 Page 3 Responsibilities of Risk Committees Between the executive risk committee and the operational risk committees, there are a number of major responsibilities that must be fulfilled for an ERM program to be effective. a) Setting Risk Appetite and Tolerance b) Approving Risk framework and policies c) Allocating Risk Appetite & Setting Risk Limits d) Monitoring compliance with limits and policies e) Setting standards for risk assessment and economic capital f) Reviewing risk decisions g) Monitoring risk profile h) Proposing risk mitigation actions i) Discussing the above with the Board of Directors as agreed j) Coordinate the risk control processes k) Identify emerging risks

5 Page 4 Example of Risk Committee Charter (from IAA Note on ERM) 1. PURPOSE The Risk Committee s primary purpose is to perform centralised oversight, policy-setting, information gathering, and communication to the Board of Directors, regarding important risks and its related risk management activities. In addition, the Committee shall assist the Board of Directors in fulfilling its oversight responsibilities related to the company s risk assessment and management processes. 2. RESPONSIBILITIES The Risk Committee shall be responsible for the following activities: Identify and monitor important existing and emerging risks to the achievement of the company s strategic and operating objectives. Formulate appropriate policies and monitoring and reporting frameworks to support effective management of important risks. Review and evaluate the effectiveness of management processes and action plans to address such risks. Advise on and recommend to senior management any significant actions or initiatives that the Committee believes necessary to effectively manage risk. Ensure that activities of discrete risk management disciplines within the company are appropriately coordinated. Report to the Board of Directors on the status of the company s important risks and related risk management processes. 3. MEMBERSHIP AND MEETINGS The Chief Executive Officer / Board hereby resolves to establish a Risk Committee consisting of representatives from the Board of Directors. The Risk Committee shall have a Chair appointed by the Board / Chief Executive Officer, who will be responsible for providing overall leadership of Committee activities and setting agendas for the Committee meetings. The Risk Committee shall meet [bi-monthly / quarterly] and additionally when needed. PERFORMANCE AND CHARTER Annually, the Risk Committee shall perform a self-assessment against the Key Performance Indicators ( KPIs ), a review of the Committee membership and recommendations as to any changes thereto. In addition, the Committee shall annually review its Charter and make any recommended changes thereto. RESOURCES AND AUTHORITY OF THE COMMITTEE The Committee shall have direct access to and open communication with senior management and liaison / assistance from internal audit, internal legal, finance function and other advisors to assist with decision making and monitoring. The Committee shall also have access to external advisors to assist if required. KEY PERFORMANCE INDICATORS FOR ASSESSMENT OF COMMITTEE PERFORMANCE Examples: Number of policies approved by the Committee per annum; Number of policies considered by the Committee per annum; Number of meetings held per annum; and /or Average number of attendees at each Committee meeting.

6 Page 5 Relationship to board & board committees Many groups will automatically assign all responsibility for oversight of ERM to the audit committee. This may be problematic, since Audit committees are already overloaded in many cases. Some boards have taken the steps to create a new Risk Committee on the board. However, in some groups, the responsibility for risk is split within the board to multiple board committees. This commonly happens when there already existed significant amounts of risk oversight and the advent of ERM primarily meant that the management and the board worked together to make sure that any areas of risk oversight that were previously missed would be added to the agenda of some board committee. For example, some boards had Investment committees that oversee investment risk and Audit committees that oversee operational risk. An Executive committee might have been highly involved with oversight of the balance sheet including the adequacy of capital. Such a group might then look at its risk profile and decide how the board might oversee other risks and in addition, which group on the board would consider such issues as risk policy. When there are multiple management risk committees, usually only one (the executive risk committee) interacts directly with the board. One common way that the management risk committees split their duties is for the Executive Risk Committee to focus on all of the risk related items that require discussion with the board and the operational risk committee to deal with all of the issues that are not necessarily expected to come before the board. Many groups organize these interactions is a clear hierarchy of importance of topics and issues. This is spelled out as part of the Risk Management Framework into several levels: 1. Risks, Policies, Decisions and Situations that must be approved by the Board 2. Risks, Policies, Decision and Situations that must be approved by the top management group (or Executive Risk Committee). Usually the Board should be informed about these. 3. Risks, Policies, Decisions and Situations that must be approved by a senior management individual or group. (Group CFO, Group CRO, Business Unit Head, Group Chief Underwriter, Group Chief Investment Officer, etc. or the Group Operating Risk Committee) Usually the top management group (or Executive Risk Committee) should be informed about these. 4. Risks, Policies, Decisions and Situations that must be approved at another level (Business Unit CRO, BU CFO, etc or BU Risk Committee). Usually the Operating Risk Committee or other senior management individual or group should be informed about these. The criteria for assigning the level usually has several elements. For example, matters relating to the aggregate level of the top 5 risks of the group might always go into level 1. Individual risks where the size exceeds a certain amount might always go into level 2. Risks that are new to the company might automatically go to one level higher than

7 Page 6 the size might otherwise suggest. Policies might always go to level 1. Violations of policies and limits in some groups go to level 2 and in others go to level 1. But most often, instead of spelling out the criteria, Risks and Policies and Situations that fall into each level are simply listed and the criteria are not written. Relationship to other company risk management efforts The Risk Committee at some groups has a coordination role. In those groups the Risk Committee will make sure that it is aware of all of the risk management activities throughout the group and arrange for those with the best expertise in one part of the group to train others with a similar risk and less expertise but less expertise. In other groups the Risk committee has a role as a major part of the group wide risk control process. The Risk Committee will closely monitor the aggregate level of each major risk and the amount of risk taken compared to the assigned risk limits. If there is a breach of limit in one area, the Risk Committee may be the place where there are then negotiations to transfer limit from someplace where it is underutilized to the place that is over limit. The Risk Committee may also be the enforcer, identifying limit breaches that cannot be resolved through trading limits and requiring remedial actions to either offset the excess risk or to at least stop further assumption of risk The Risk Committee is in many groups the place where the risk managers bring their problem situations where group risk policy is inadequate for a changing situation. The Risk Committee is often responsible for developing a recommendation for fixing the risk policy. In many groups the Risk Committee is also responsible for setting and maintaining the standards for risk measurement that are then fundamental to the risk management practices in all of the operating areas. Meetings Most company Management Risk Committees meet monthly or quarterly. There is a very broad list of topics that different companies risk committees discuss,

8 Page 7 Agenda Topics for Risk Committees (Sample items from various company risk committee agendas) 1. Cross Functional financial and risk matters 2. Management of the Overall Risk Profile 3. Remedial actions needed when Risk Profile reveals potential deviation from Risk Tolerance 4. Review of M&A transactions 5. Reviews and development of recommendations for changes to Risk Policy and Risk Measurement Policy 6. Decisions on changes to internal risk and capital methodology 7. React to issues brought to the committee by the ALM, Investment, Underwriting, Reinsurance committees. 8. Methods and processes for identifying, assessing and monitoring risk on quantitative and qualitative basis 9. Group risk management framework 10. Group risk policy 11. Minimum requirements for ERM practices of operating units 12. Adherence of operating units to minimum requirements 13. Setting limits and monitoring accumulations 14. Periodic meetings of group risk staff and other activities to develop staff and maintain consistency throughout the group 15. Investment Risk Limits. 16. Grant reinsurance limits 17. Approve large or non-standard transactions 18. The strategies, processes and controls pertaining to the Company s determination of appropriate levels of retention of insured risk and appropriate levels and types of reinsurance for its insurance subsidiaries, as well as the financial strength of the reinsurers with whom they conduct business; 19. The implementation, execution and performance of the Company s enterprise risk management program; 20. The credit risks in the Company s insurance operations and its ceded reinsurance program; 21. The strategies, processes and controls pertaining to business continuity and executive crisis management for the Company and its business operations; and 22. Specific operational segments of the Company that may be posing unusual significant risks that could have a material impact on the risk profile of the Company.

9 engage ERM ADVISORY For Further Information: David Ingram, CERA, FRM, PRM