6 Steps to a Good Risk Assessment Process
Effective enterprise risk management is becoming increasingly important in today’s regulatory environment. Regulators and rating agencies expect that companies have a good understanding of their risk profiles and have implemented the appropriate governance structure to mitigate their risks. The insurance industry is ever-changing, and it can be challenging for an organization to have a complete understanding of the risks that can pose potential pitfalls to its operations.
Conducting a company risk assessment can allow an organization to obtain a holistic view of the risks it faces, allowing management to identify these risks and capitalize on opportunities.
1. Identify Your Company’s Risks
Consider what you define risk to be. A common definition of risk is any event that negatively influences your ability to achieve your business goals.
Risks affect a company’s ability to survive, successfully compete within the industry, and maintain its financial strength and positive public image as well as the overall quality of its products, services and people.
Think about risks from your point of view within the company, considering your group’s goals and objectives. You should consider anything from insurance risk, such as “Natural Catastrophe Risk,” to operational risks such as “Outsourcing and Service Provider Risk.” A good starting point is to look at your company’s presentation to the Ratings Agencies and Regulators. In which of these risks have these entities shown interest? What other risks can you think of?
2. Create Your Company’s Risk Library
Once you have analyzed your company’s risks, you should begin to establish a company risk library. The risk library provides the framework for the risk assessment process. It summarizes and defines, in a common repository, those risks to which the company is exposed. The library helps to facilitate discussions of risks and their definitions, and it promotes both consistency and a culture of risk awareness. To help streamline the process at Gen Re, our risk library is broken into four categories, with multiple risks falling into each individual category:
- Insurance Risk
- Market Risk
- Operational Risk
- Strategic Risk
3. Identify Your Risk Owners
For each of the risks within your risk library, you should identify the most appropriate person to monitor and manage those risks - in other words, the risk owner(s). The risk owner is responsible for assessing risks and identifying associated controls. This role is also responsible for implementing and maintaining appropriate controls within its associated area of responsibility, and for reporting breaches of controls or risk appetite. There can be more than one risk owner for each of the individual risks. For example, the risk owners of “Business Interruption/Disaster Recovery Risk” may include individuals from Finance, Human Resources and Business Unit managers.
4. Identify the Controls to Mitigate & Reduce Risks
Working with the risk owners, identify current controls that are in place to mitigate and/or reduce risk. For example, investment guidelines help to mitigate “Equity Risk.” Each control should also be assigned an owner or responsible party. This can be a functional responsibility, instead of an individual or specific person.
5. Assess Risk Potential and Impact
The company’s risk appetite is based on its own evaluation of the tradeoff between risk and return. Assessing the financial impact and likelihood of risk can aid management in determining whether the company is operating within its stated risk appetite and should accept, reject or reduce risk. Working with the risk owners, evaluate each of the risks in the risk library, based on:
- Financial Impact or Significance - How big an impact would this risk have if it were to occur? Consider this impact net of the mitigating effect of the risk controls and of the monitoring of those controls.
- Likelihood - Consider how likely it is that this risk would actually occur after the mitigating effects of the risk controls. Each risk can be evaluated on either a quantitative or a qualitative basis, depending on the availability of information and the confidence in the approach. For some risks, such as “Natural Catastrophe Risk,” the company may choose to use outputs from catastrophe models. For other risks it makes more sense to develop a scenario-based approach for evaluation.
6. Revisit Annually
At this point you have:
- Created a risk library and identified risk owners
- Identified mitigating controls
- Evaluated each risk for financial impact and likelihood
The risk assessment is a living process and should be conducted on at least an annual basis, and certainly more frequently if there has been a substantial change in your company’s risk profile. Additionally, it is a valuable exercise to revisit the company risk library annually, as risks and definitions may develop and change from year to year.
Risk assessment allows management to assess the company’s risks and controls and devote resources where needed. Evaluating the financial impact and likelihood of each risk can be helpful when prioritizing the company’s risks. Identifying risk and control owners helps to clarify roles and responsibilities in the company and promotes accountability. However, for the risk assessment process to be successful, you must consider what kind of reporting would speak to your management team. A risk assessment is only as useful as the way it is used and the decisions that are made from it. The risk assessment process takes time to do well; therefore, you want to create output that is helpful to management.
The risk assessment process is ongoing and should be revised over time. It can take several iterations before you have a complete picture of your company’s risks and truly understand the controls and processes that mitigate them. The outcome of the process gives management and its employees a better understanding of the company risk profile and the importance of the control environment in mitigating risk.