5 Insights into an Evolving ERM Process
At Gen Re we have had an enterprise risk management (ERM) process in place for many years. The goal has always been for our ERM discipline to be useful to the organization, such that it provides feedback and information yet doesn’t create unnecessary work or uninformative analysis. One key mantra is that plagiarism (from within our own organization) is not only acceptable but encouraged. We want to leverage any internal work that has already been done.
Before we got too deep in year-end work, we took some time to think about what we learned last year and how we want to improve our ERM process and Own Risk and Solvency Assessment (ORSA) report.
Our observations fell into five categories:
1. Align the Risk Assessment Process With Your People’s Time.
Our risk assessments had historically evaluated all risks simultaneously and at the same time each year. We chose to leverage this work to meet the ORSA requirements for discussing and documenting our “material risks.” However, in our annual risk assessments we identified a number of risks that weren't hitting the material risk threshold. From an ERM standpoint, we still believe it is important for us to understand those smaller risks from an overall risk profile perspective. These risks tend to be our operational risks and so we moved the timing of the assessment of these risks to follow the filing of the ORSA report.
Moving the timing of assessing the non-material operational risks had an unexpected benefit. We had not realized that our previous process was creating a bit of burnout by asking our “risk experts” to evaluate so much at once (i.e., the insurance, investment, strategic and operational risks). Our conversations on operational risks are much improved now that our “risk experts” have time to focus on the topic separately. We recommend spreading out the risk assessment over the course of the year.
2. Streamline the Number of Risks in Your Risk Library.
We tried for a long time to streamline our risk library. In previous years, the risk assessments included certain risks that everyone, including the risk management team, would struggle to understand and evaluate. It wasn’t until we began asking ourselves to think about the difference between actual risks and the drivers of risk (e.g., control failures) that our efforts to streamline our risk library had the proper framework. We realized that we had mistakenly identified a number of control failures as risks. The outcome was a significant reduction in the number of risks in our library, particularly operational risks. We have found this improvement to our risk assessment provides value to our organization by helping us better understand our risk profile.
3. Project Managers Are Important.
Refining an ERM process and writing an ORSA report require a balance between risk management and project management skills. Without a good understanding of your company’s framework for managing risk and its risk profile, it would be very difficult to create an ERM process that brings value to your organization. However, this work involves a number of people in many functions across a company. Some of it is contingent on other work being completed, often by different people. Without effective project management skills, the ERM process can get bogged down or work to its own detriment by becoming overly complex.
4. Leverage Effective Visuals.
A challenge of ERM is effectively articulating concepts and ideas that are so fundamental to your organization that they may not have ever been written down. Boiling concepts down to a simple visual can be the most effective way to communicate. It can also be one of the most difficult things to do!
One example of this challenge came when we were developing risk appetite and risk tolerance statements. Our management team was having a hard time articulating statements for certain risks, until we created this simple visual:
Developing (and agreeing on) this schematic as a representation of our risk strategy gave our team a framework for discussing the risks we seek for return versus the risks that we accept as a by-product of being in the insurance business. With the schematic as a reference, we were able to develop risk appetite and tolerance statements that are consistent and clear, and that provide guidance to our businesses when making risk decisions.
5. Recognize a Changing Risk Profile.
Risk profiles are dynamic, and our knowledge develops and improves with time. For example, our evaluation of cyber risk has changed in one year - both in terms of evolving cyber threats and our approach, awareness and ability to articulate our views of the risk. A year ago we identified cyber risk as one in a list of emerging risks that we faced; this year we recognize cyber risk as one of our “material risks.” We track aggregate exposures while wrestling with how to identify risk scenarios. It’s a complex risk that is rapidly changing. Looking at last year’s risk assessment reminded us that it is a snapshot in time as regards both the risks themselves and the maturity of our own ERM.
The first year of developing and writing an ORSA report was a learning experience, as it forced us to examine our ERM initiatives and processes. After we put our pencils down last year, there were some things that we immediately knew would help us improve our ERM, and others that we identified only with a bit of reflection. The key to our approach remains fostering an ERM discipline that informs our management team in the manner in which they are accustomed to thinking about our risks. Communication that is clear and understandable remains key. Our approach will evolve over time, and that’s appropriate.