Immediate Vault

Linking ERM and the Insurance Underwriting Process

Enterprise Risk Management (ERM), in one form or another, has been around for almost two decades. A number of publicly traded companies, especially those in highly regulated industry sectors, have been deploying the ERM process primarily because they were pushed (explicitly or implicitly) to do so by the major credit rating agencies, government mandates such as SEC 33-9089 or Dodd-Frank, their internal/external auditors, or members of the board of directors. No matter where the spark came from, however, the number of companies utilizing the ERM process continues to grow.

CFOs, CROs, and risk managers who have been practicing ERM for years have been incurring the expenses for doing so. As ERM programs mature, it might be time to consider, in monetary terms, the value the company and its insurers place on all the work that has been done over the years. CFOs ask questions about return on investment (ROI) all the time – why not about ERM? Linking enterprise risk management and the insurance underwriting process is one approach to produce a tangible result. Because the vast majority of commercial insurance renewals are Jan. 1, CROs and risk managers should consider initiating a discussion with some of their insurers to determine the potential credits for having a functioning ERM program.

Brokers typically represent the vast majority of larger middle-market and Fortune 1000 publicly traded accounts. Brokers start to work with their larger accounts months before renewal dates and assemble a submission package for insurance underwriters. Including in the underwriting submission a timely and relevant ERM report that demonstrates the changes to the risk profile of the company should make a stronger case for favorable rate considerations for their clients. The general headings that we recommend for discussion within the underwriting submission include:

• Risk organization and governance

• Risk appetite, tolerance and limits

• Risk metrics and measurement

• Risk management process, procedures and controls

• Risk monitoring, reporting and communication

These are the same general areas that insurers themselves are being asked to discuss with their own regulators as part of the new Own Risk and Solvency Assessment (ORSA) soon to be issued by the National Association of Insurance Commissioners. If the broker or insurer does not think that having a functioning ERM program merits a price reduction – especially for directors & officers liability insurance – investigate further and dig deeper. Early in the renewal process is a good time for the risk manager, CRO, or CFO to meet directly with underwriters to discuss their ERM from two different perspectives: the amount of rate reduction, or the steps that could be taken to improve the risk profile enough to warrant a premium reduction.

Executive management of a company that adopted and implemented an ERM program five years ago should be considering the return on the investment that the company has made over the years. It will be up to the CFO and risk manager to demonstrate how the ERM process has been used to either change or improve the company’s risk profile from what it had been. We suggest a close working collaboration between the company and their insurance broker to craft an underwriting submission that details the benefits of the ERM program.

The collaboration would also be enhanced by including a company representative such as the CFO on the team, to represent the company in front of underwriters that may be encountering this negotiating tactic for the first time. Since the majority of corporate insurance renewals take place on Jan. 1, initiating a conversation in the summer with the insurance broker(s) involved would not be a bad idea. One caveat, however: ERM in one company is not ERM in another. Completing a risk identification and assessment does not an ERM program make.

RMORSA Part 4: Risk Monitoring, Control & Action Plans

The fourth step of ORSA implementation (risk monitoring, control, and action plans) illustrates the importance of adhering to best practices when executing risk culture and governance, identification and prioritization, and risk appetite and tolerances.

With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC Rule Proxy Disclosure Enhancements, boards of directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. Having a demonstrable plan for improvement, however, can greatly reduce or even exempt companies from penalties under the Federal Sentencing Guidelines.

The Right Way to Monitor Control Activities

Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished in one of two ways: testing or business metrics.

Testing provides a high-level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.

Here’s an example: an insurance organization with an online customer service system is experiencing unacceptable downtimes, and the appropriate staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity, by insisting that every member of the support team be trained to refresh the system.

The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.

In testing compliance to the policy, the organization has lost sight of the risk. If they had tracked a business metric, like system downtime, however, they would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics may have indicated that the system was going down during peak usage hours, like lunch, when staff was unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.

Developing the Action Plan

To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but also with the risks they were designed for. Keeping track of these linkages can be impossible with two-dimensional spreadsheets, but is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.

As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.

Interested in the best way to monitor or audit your risk management program?

Check out the RIMS Risk Maturity Model Audit Guide, also available through the RIMS Risk Maturity Model.

RMORSA Part 3: Risk Appetite and Tolerance Statement

The third step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) is the implementation of a risk appetite and tolerance statement. This step is meant to set boundaries on how much risk your organization is prepared to accept in the pursuit of its strategic objectives.

An organization-wide risk appetite statement provides direction for your organization and is a mandatory part of your assessment. As defined by COSO (one of the risk management standards measured in the RIMS Risk Maturity Model umbrella framework), the risk appetite statement allows organizations to “introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits.” A risk appetite statement should be reflective of your organization’s strategic objectives and serve as a starting point for risk policies and procedures.

Once your organization has documented your risk appetite (and received the Board’s approval), the question becomes how do you measure whether your organization is adhering to it? The answer is to implement risk tolerances.

While risk appetite is a higher-level statement that broadly considers the levels of risk that management deems acceptable, risk tolerances set acceptable levels of variation around risk. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing a tolerance.

Why Set Tolerance Levels?

Operating within risk tolerances provides management with greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the organization will achieve its objectives.

The second step of RMORSA, Risk Identification and Prioritization, outlines a risk assessment process for your organization that provides quantitative language for risk-based decision making. This standardized scale allows you to discuss the resulting assessment indexes to determine a uniform tolerance throughout the organization. It may not be possible to set accurate tolerances until risk intelligence has been collected over a period of time, but eventually you’ll be able to prioritize resources to the risks with the highest variation.

The process of articulating a risk appetite statement and setting tolerances brings your ERM program into alignment. Every day, process owners make operational decisions about risk far from the organization’s risk appetite statement, which is set at a senior executive level. By setting tolerances, process owners are provided benchmarks they can use to measure their performance.

Align with Strategic Goals

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. It is important to remember that risk appetite and tolerance levels are not static. They should be reviewed and reconsidered periodically by senior executives to keep your organization moving in the right direction.

To learn more about risk appetite and risk tolerance statements, look for the complimentary LogicManager webinar, “ORSA Compliance: 5 Steps You Need to Take” in 2014.

http://info.logicmanager.com/918-orsa-compliance-erm-framework