Enterprise Risk Management Becoming a Driving Force for Rating Agency Analysis
By Jon Gorman
Risk management comes in all forms and functions. From teaching children to stop, drop, and roll to protecting investments and retirement by hiring a certified financial planner, risk management is an essential element in preparing for and protecting many aspects of our daily lives.
While the insurance industry doesn’t frequently adopt business lexicons into its standard language or practices, one term taught to business students across the country has taken root in the insurance industry. Enterprise risk management – or ERM – has become a hot topic of conversation among insurance company executives, boards of directors, and senior-level management.
The trigger for many of these conversations is generally an upcoming rating agency presentation. Documenting and presenting ERM for analysts at A.M. Best, Standard & Poor’s, Fitch Ratings, Moody’s, and Demotech is becoming commonplace for many insurance company managers, officers, and executives. ERM presentations have gained so much traction that an effective and comprehensive – or poor or non-existent – presentation on a company’s ERM capabilities can impact its overall financial rating.
A.M. Best and Standard & Poor’s began evaluating ERM in late 2005. According to David Ingram, director of enterprise risk management in the insurance ratings group at Standard & Poor’s, almost a year later, the financial market intelligence provider began seeing ERM mentioned as a major driver in ratings decisions.
“We had about 15 ratings in the last three or four months of the year that were either ratings changes – up or down – or changes in our outlook – positive or negative – that reference ERM as one of the major drivers in the decision to do that,” said Ingram.
Email to Accolades
The discussion began as most discussions do, with a question. But we’re not talking about a roundtable discussion, a teleconference, or even an informal standup meeting. All the questioner had to do was address the message, type her question in the body of the message, hit send, and watch the responses come roaring back. “Roaring” may be an exaggeration, but to say that the discussion was lively and informed would be accurate.
Jackson, president and CEO of NLC Insurance Companies in Norwich, Conn., used technology and a NAMIC Online Discussion Forum to help her formulate, theoretically and with practical examples, the presentation for NLC Insurance Companies’ enterprise risk management section of its materials. “NLC had developed strategic plans for many years that involved the critical elements of enterprise risk management,” said Jackson. “However, as the topic became more focused, we wanted to find out what other carriers were doing to make ERM an even more integral part of our decision making.” The responses covered a gamut of experience from individuals trying to figure it all out prior to meeting with their companies’ analysts; to other CEOs and presidents who had been there before, presented their plans with varying sophistication and detail, and received mixed reaction from A.M. Best about what they were looking. The result:
Membership in a trade association and taking advantage of forums with professionals who may find themselves in similar circumstances and dealing with similar issues is of significant importance. Not only are educational events offered and grassroots lobbying efforts made available, membership in a trade association provides channels for communicating and networking with peers. In this case, a simple online discussion forum to which NAMIC-member companies may subscribe assisted Jackson in receiving a favorable reaction to her ERM presentation from A.M. Best.
“With the forum, we were able to get immediate, timely information from a variety of carriers,” added Jackson. “Before the discussion forum, we either would have had to wait for the CEO Roundtables in March, or we would have had to make a large number of time consuming, intrusive phone calls trying to find others who had recently updated their ERMs.”
Joseph L. Petrelli, president of financial analysis and actuarial services company Demotech, Inc., Columbus, Ohio, says that membership in a national trade association is not only beneficial to an insurance company, but instrumental in developing and maintaining an ERM plan. “NAMIC, through its committee structure and educational programs, provides the infrastructure for distilling every external influence down to a manageable number of critical external influences, and then provides direction on how to address those influences,” said Petrelli. “From Demotech, Inc.’s perspective, an insurance company that does not belong to or participate in a trade association cannot fully practice ERM.”
Ready or not—ERM is here
“I think that the buzz word ‘ERM’ has the attention of our industry,” said Steve Knutson, president of RAM Mutual Insurance Company, Esko, Minn. “Originally, I thought it was nothing other than a buzz word, but now I believe that ERM is an important risk management process.”
According to a report issued in February 2007, Standard & Poor’s completed 241 ERM evaluations through year-end 2006, including life, property/casualty, health, and reinsurance companies and groups based in the U.S., Canada, Bermuda, Europe, the Middle East, Africa, Asia, Latin America, and Australia. Standard & Poor’s assesses ERM capabilities as weak, adequate, strong, or excellent; with most insurers – 81 percent as of year-end 2006 – currently falling in the adequate category.
A.M. Best doesn’t publish a rating specific to ERM. Instead, the focus is on a company’s approach to risk management. “We’re going to evaluate where they stand in their risk management in general, and consider that relative to their performance and their track record,” said Matthew Mosher, group vice president at A.M. Best.
Some skeptics believe that ERM is nothing more than a repackaging of SWOT Analysis – a strategic planning tool used to identify and analyze strengths, weaknesses, opportunities, and threats to a project or business venture. However, ERM takes the practice of identifying and analyzing risks to a different level.
Like SWOT Analysis, ERM identifies and analyzes risks associated with a business venture, but it sets itself apart in that it isn’t designed to determine or be used to make a decision on a single objective or desired outcome. ERM is meant to be designed as a continual analysis of a company’s risk management program.
Joseph Petrelli, president of Demotech, Inc., says that the difference is in the nuances. “If you’re looking at a SWOT Analysis, there’s the idea that there are chronological benchmarks, whether quarterly reviews or annual reviews, while the concept of ERM is more of a continuous process,” said Petrelli. “The nuance is more of a mindset than it is structural.”
“ERM is ingrained throughout the process that any company has in terms of doing business, and it’s something that is evolving in terms of the risk management that companies have had,” said Mosher. “It started with managing your underwriting risks over the cycle, through investment risk in the 1980s, catastrophe risks in the 1990s after Andrew, and just continued to evolve through the silos that have been built up.
“Now, we’re to the point that companies are beginning to bring risks together and evaluate them in a holistic manner to look at the different correlations across those risks,” explained Mosher. “That’s the next step to enterprise risk management, and it’s going to be something that evolves over time, but risk management itself and the evolution of enterprise risk management is a continuation of the process.”
In defining ERM from a rating agency perspective, Ingram described how Standard & Poor’s focuses on two fundamental components. “One is the component that concentrates on managing the risks or losses of the company that stay within the company’s risk tolerance,” explained Ingram. “The other major component is where the company makes major choices in such a way as to look at risks and reward for risks in such a way that it puts together a portfolio of its major strategic choices that optimize the risk-reward characteristics of the business.”
Ingram defined risks as the foreshadowing of potential losses, and defined losses as those that will have a financial impact. “But there are certainly some losses that will have an impact that are not immediately obvious, such as reputation risk or losses that occur in terms of people or other things,” said Ingram.
Risks that should be included in a comprehensive ERM plan include financial risks like cycle management strategies, policyholder behavior, investment risk from alternate investments, mergers and acquisitions, and regulatory risks as well as less obvious risks including losing key employees to a competitor, business competition, business reputation loss, IT system failures, employee dishonesty, natural disaster risks to company offices, institutional memory loss as a result of leadership succession, and pandemic flu.
“Management succession issues, for example, should become part of an enterprise risk management program because now you’re looking for the capabilities of sustaining an effort that a current manager has in place,” said Demotech’s Petrelli in sharing examples of risks other than explicit financial risks. “The manager who succeeds that individual must also be familiar with the procedures and practices that have permitted that company to survive and prosper for as long as it has. There are inter-relationships between the human resources and the company’s ability to continue its operations. The whole idea of human resources is to have a process that’s documented as opposed to institutional memory.”
Real work to do
“How I would generalize it is that there’s a small but significant minority of companies that have jumped on the ERM idea and are seeing it as a major competitive advantage that they have or are developing, and those are the companies that are generally falling into the strong and excellent categories,” said Ingram.
The fundamental purpose of ERM is to ensure a company’s ability to survive and prosper, and Petrelli suggests that an insurance company that has been in existence for a significant amount of time, whether it is presenting documented ERM plans to rating agencies or not, is practicing ERM.
However, many insurance company senior managers, especially at smaller companies, argue against developing an ERM plan, document, or rating-agency presentation by saying that it doesn’t generate the company any revenue.
Mosher warns that ERM isn’t something that is going to automatically boost a company’s earnings. In some cases, it may reduce earnings. What it does, however, is eliminate risks, which can lead to more consistent earnings over the long haul. “It might get rid of some of the lucky years because you won’t be taking those huge risks that you didn’t necessarily know about if you’re doing true risk management and you’re dealing with some of the correlations that you have,” said Mosher.
Petrelli believes the greatest resistance to ERM on the part of insurers is the time commitment to develop ERM as opposed to living it, but by documenting ERM plans and programs, the company can elevate its level of sophistication from the perspective of the rating agencies.
“You can’t be around 100 years without having ERM in your genes,” explained Petrelli. “It’s hard to believe that anybody would have 520 consecutive quarters of survival without having some sort of enterprise risk management somewhere in their genes.”
In other words, whether or not a company has a documented ERM program, has a formalized presentation that it’s giving to rating agency analysts, or is talking about ERM internally, longevity is one piece of evidence that the company is practicing ERM. That company simply needs to take the next step.
Knowing the answers to a test, but not taking the test
The process of formalizing a company’s ERM documentation is as easy as collecting the information that it already has and putting it in a central location. “Each company has a claims manual, an underwriting-procedures manual, pricing guidelines, investing guidelines,” explained Petrelli. “To a large extent, the first step in ERM is kind of to get them all in the same place and properly aligned with one another. That, from my perspective, would be a very practical first step for those that are resisting because of time constraints.
“ERM is the book and functional departments within the company are the chapters,” added Petrelli. “I would speak to insurance company decision makers who are resisting embracing enterprise risk management, and I would encourage them to rethink that position, that, in fact, it is probably easier to get started than they think.”
Petrelli says that the process could be as simple as consolidating the guidelines, the marketing sales, underwriting claims, IT – basically, collecting a company’s different guidelines from its functional departments and creating a centralized document, which could lead to an ERM plan, program, or rating agency presentation.
“Just get it started, put it all in one place, update it, make it consistent with what you’re doing in 2007, and I think if nothing else, it can become something for the rating agencies, something for the auditors, something for the regulators,” said Petrelli. “Companies that fail to do this aren’t getting credit for having that documentation within their offices now; they’re not getting credit for what they already have. It’s a little bit like knowing all the answers to a test but not taking the test.”
RAM Mutual’s Knutson says that the important exercise with ERM is to identify and formalize risk management efforts for different risk areas impacting a company. At RAM, company leaders have identified 13 risk areas and have listed mitigating items to properly address risk management for each area.
“As insurance carriers, we are in the risk management/risk transfer business, but internally, we had never formalized our approach to our own risks,” said Knutson. “I found this process to be helpful in addressing risk management for our organization.”
Many insurance companies have found value in the ERM process through its requirements of categorizing risks, making assessments and probabilities, and developing mitigation strategies.
“We certainly appreciate an ERM process that strives to achieve a holistic appreciation and understanding of corporate risk,” said Steve Miller, CPCU, vice president and general manager of PEMCO Mutual Insurance Company, Seattle, Wash. “It yields value in bringing focus, attention, and action to eliminate, mitigate, and/or balance risk for our organization’s operations and planning.”
Regarding what Standard & Poor’s is broadly looking at, Ingram notes that there are several common themes in companies that have received higher ratings and higher ERM opinions.
“In the risk management culture area, for instance, the company having a broad risk tolerance is a key element,” explained Ingram. “In the risk control areas, we see companies that are using multiple ways of paying attention to their risks, multiple views of risks, and multiple pools of managing risks. When we look at the emerging risks area, we’re looking for companies that have had a conscious and if not exactly regular or frequent internal discussion about emerging risks in some form or another.”
According to Ingram, the strategic risk management area is where the majority of insurers in North America are falling short of strong criteria, and what Ingram is seeing is only a small number of companies having developed a way of thinking about all of their risks at the same time. “The vast majority of companies are either still in or slowly emerging from a long-term situation where they focus on each of their risks separately,” said Ingram. “We see the idea of making strategic choices about risks as an entry point to be able to start doing that; you have to think of them all at the same time, so you usually have to have some kind of risk measures that you can apply across all your risks.”
A simple example of a tool to help a company understand its multiple risks is the one-page summary, including identification of the company’s risks, where they were last year, what’s happened with regard to them during the current year, where they are now, and what they’re going to look like in the coming year.
Best practices
Everyone agrees that ERM is a developing discipline, and rating agencies tend not to make recommendations on best practices in ERM. In fact, Petrelli and Ingram suggested that ERM should be personalized to the company, and that rating agencies aren’t looking for presentations designed toward a checklist of items regarding ERM.
“We have not tried to standardize what we’re asking companies to give us or to specifically talk to us about,” said Ingram. “What we’re hoping the company does is talk to us about their risks and their risk management in the way that they think about them.
“We do have some broad themes that we are going to try to capture with everybody and those are represented in what we think of as the five major sub categories of what we’re looking at in ERM,” Ingram added. The five sub-categories are risk management culture, risk controls, emerging risk management, risk models, and strategic risk management.
“We’re looking for the details of how they’re actually going about controlling risks and that’s the part of risk management that’s always existed in the insurance sector,” said Ingram. “We’re also looking at how companies might be paying attention to new risks that might develop, which we call emerging risk management; and we also spend a little bit of time hearing how companies are using computers and risk models and economic capital models to help manage risks. And then obviously we look for that strategic aspect of risk management. We want to hit on those themes but we definitely want to hear it the way the company thinks about it.”
Yet, there are still those company executives and managers who believe ERM is nothing more than just one of many planning tools developed to manage business, and the process needs appropriate balance in decision making and must also be scalable to the organization’s activities, size, and market environment.
“Our ERM process is evolving as we have learned what components bring value and which do not and how these are kept in dynamic balance from year to year,” said PEMCO’s Miller. “As to best practices, we’d suggest development of reliable data and strive to understand it so it will enhance your reporting metrics (the science), balance the analytical results (the art) with other planning tools and processes, and use the ERM process as a learning opportunity. Beware of becoming risk adverse as, after all, our business is all about taking on reasonable risk.”
A.M. Best’s Mosher identifies three key elements to enterprise risk management – risk management culture, identification and management of risks, and the measurement of risk, including data quality. “The most important piece is the focus from senior management,” said Mosher. “Secondly, how does it get down through the ranks in terms of understanding from their employees?
“In order to understand and analyze your risks, you have to have a focus on quality of data,” added Mosher. “As a rating agency, we don’t audit data, what we do look for from senior management is how they ensure the quality of data that’s there so that they can understand their risks. That aspect of the focus on quality is an important piece to enterprise risk management.”
Just do it—before someone requires it be done
Whether through legislation, regulation, or requirements from rating agencies, Petrelli believes that, eventually, everybody is going to have to do something. “It’s not going to be something where companies can say indefinitely ‘we’re not going to do it.’ It’s something that they can postpone; it’s something they can procrastinate; but at some point in time, they’re likely going to have to have some documentation that they have an ERM plan.”
“There are still a lot of companies that haven’t begun that accumulation of how they deal with risks,” explained Mosher. “We have seen a lot of companies that although they’ve had strong performances during the past few years, they don’t really have anything demonstrating risk management, and ratings haven’t moved to higher levels that they think they deserve because of our concern over where their risk management is and what’s going to happen to them when the market turns into a weaker cycle.”
In addition to potentially affecting overall financial ratings, Petrelli sees benefits to developing ERM plans beyond identifying and monitoring a company’s risks. “Developing a documented ERM process will help companies,” continued Petrelli. “They could just leverage it in so many ways. It becomes sort of like a mission statement for your whole company in that, ultimately, they’ll realize that we do what we do to try to make money for the company, and we have to do it right. The whole idea of ERM is to have that central guiding process for the whole company to look at.”
ERM has taken on a significant level of importance with rating agencies, but it may not end there. Companies are already seeing evidence of state regulatory departments and auditors having an interest in ERM documentation. ERM appears to be something that won’t be going away…it’s not a fad. The buzz is real and getting louder.
Posted: Thursday, May 31, 2007 12:00:00 AM. Modified: Thursday, May 31, 2007 3:01:24 PM.