It’s not like the insurance industry needs to go out of its way to search for new risks to obsess over. An industry that was built on helping others avoid risk now spends as much time managing its own risk as it does helping policyholders avoid theirs. But as some carriers have found in recent years, there are plenty of new things happening in the world on which to keep a close eye.

“Enterprise risk management [ERM] at its most basic is us understanding all the risks that we face and being able to manage those risks,” says Mark Talerico, chief risk officer for Narragansett Bay Insurance. “On the one hand, you could argue any company that has ever been successful has done exactly that. I don’t think it’s always been thought about or quantified in one central location, though. We are being forced to think about it and lay it out a little more cleanly.”

In the consulting practice at Keane, Alkesh Shah examines enterprise risk in six areas: credit risk, market risk, portfolio risk, audit risk, SOX compliance, and operational risk. “These are the things we are helping our clients with to be in compliance or in better control of,” says Shah, who is senior director and client partner in Keane’s financial and insurance practice. “I would say a blanket statement is no one is doing a great job [with ERM]; some are doing a good job, and some are doing an OK job.”

Shah characterizes insurers that are doing a good job of ERM as those making strides in at least half of the six categories. “They are the ones that have gotten better control of their data and are creating intelligence around that data by building reports,” he says.

The need for better risk management increases as the financial markets go through turmoil, says Shah. “Things have been changing a lot in the last few months, especially in the financial area,” he says.

Doug French, managing principal and insurance advisory services leader for Ernst & Young, is encouraged by the industry’s efforts to grasp enterprise risk management. “If you look at our risk leadership survey [recently issued by Ernst & Young], we can see over the last couple of years insurance companies are making strides, including putting building blocks in place around their ERM initiatives,” he says.

SHARED RESPONSIBILITY

At Nationwide Insurance, enterprise risk includes all risk within the carrier’s risk classification framework, according to Al Schulman, vice president of ERM. “We have catastrophe, market and credit, interest rate, litigation, and unknown mass torte risks,” he says.

There are certain risks that naturally exist in multiple parts of the organization, explains Schulman. For an insurance company, particularly a life insurer, the most obvious one is interest rate risk. “You have [interest rate] risk with respect to your assets, your bond portfolio, and your insurance liabilities either through the discount rates on those liabilities, the time value, or money or [else] the liabilities themselves are inflation-sensitive,” he says.

Insurers have multiple entities capable of generating the risk and therefore have the responsibility of managing the risk, continues Schulman. “Those multiple parties either can be because of functional roles or responsibilities or they can be your own segregation within business units,” he says. For example, Nationwide has an excess and surplus lines business that takes interest rate risks through its underwriting operations, an admitted property/casualty business that generates interest rate risk through its operations, a life insurance company that generates interest rate risks through its operations, and an investment department that generates interest rate risks through its bond decisions. “One question is: Do you have modeling capabilities with respect to all those sources of risks?” asks Schulman. “The other question is whether you can manage that risk effectively with multiple owners.”

That is more of a governance issue than a modeling issue, points out Schulman, but in part, Nationwide’s approach is to form risk subcommittees by risk type rather than by business unit. “So, we will have a market credit risk committee responsible across the organization for all sources of market credit risk rather than have a life company risk committee and a property/casualty company risk committee,” he says. “That’s one way to make sure you are managing that risk effectively across all operations.”

STRATEGIC PLANNING

One goal of ERM is to leverage it to help make key strategic decisions for business planning, asserts French. An example of strategic risk analysis would be determining what would happen if healthcare is nationalized in the United States. “What does that do to your business?” French asks. “Risk management is a little more tactical around the day-to-day management of risk, whether it is financial or operational, rather than strategic.”

Another area of strategic planning encompasses what French calls emerging risks. In the survey conducted by E&Y, French found such planning was near the bottom in the minds of insurance carriers. “They are just not doing it,” he says. “It’s not the way the industry thinks. People aren’t doing the really deep risk analysis.”

Many of the emerging risks are just beginning to become clear, notes Shah. “I don’t know whether there’s a crystal ball out there, but we are working with clients to develop parameters and scorecards to look for these kinds of risks going forward,” he says. “The models they have to measure the risk don’t always work.”

Talerico compares emerging risks to the theory of the black swan—a large-impact, hard-to-predict event beyond the realm of normal expectations. But he stops short of calling an event such as the mortgage lending crisis a black swan.

“I don’t think it was a surprise to most people given the amount of risk some of these companies were taking,” he says. “They were giving mortgages to people who obviously couldn’t afford it and weren’t supporting it with documentation. We knew it was happening, and we chose to turn away. Was it avoidable? Yes.”

Part of the responsibility for these crises lies in what types of incentives are placed before underwriters, Talerico believes. “We compensate underwriters for simply pushing premium dollars through the door, but now we’re doing things on a risk-adjusted basis. So, it’s not about premium dollars; it’s about each dollar of premium and what it contributes to the overall risk position,” he says. “I’ll accept the premium if the risk is prudent, and I’ll compensate those people who follow those lines.”

MULTIPLE OWNERS OF RISK

Larger insurance carriers over the last couple of years have begun hiring chief risk officers, but French is not sure whether carriers are in agreement regarding exactly what the job descriptions are for those CROs. “Are they owners of risk?” he asks. “Are they monitoring risk? Are they reporting risk? People still are trying to figure out what the CROs are going to bring to the table.”

Talerico recently has moved up to the position of CRO with Narragansett, and in his opinion, the industry is moving in this direction out of necessity. “The banking industry for years took a more pragmatic view of ERM and the need to look at all the pillars of risk,” he says. “The insurance industry has been slow to recognize the similarities between our industry and theirs, but in the last five to seven years, there has been a greater appreciation.”

Talerico maintains seminal events, such as Hurricane Andrew and 9/11, created an impetus to look at multiple sources of risk. He also asserts the efforts made by the A.M. Best rating agency in interpreting what it means by ERM are helping insurers get a better picture of risk.

In E&Y’s survey, French reports carriers had multiple owners of risk and there was no correct delegation of duties. “That’s an offshoot of running insurance companies by silos or by lines of business,” he says.

For example, asks French, who within the enterprise owns responsibility for interest rate risk? “Each business unit could have responsibility for its particular interest rate risk, but that doesn’t mean any one person has responsibility across the entire enterprise,” he says.

In Shah’s view, adopting a chief risk officer approach is sound because most insurance carriers do not have a single owner of a particular type of risk or one central function that looks at risk from different business areas. “[Carriers] use different tools to assess risk,” he says. “So, when they have different measures and different tools, they can come up with different risk scores, and when the two scores are different, they don’t tell the true story. That’s been one of the issues.”

STRUGGLES

One reason some insurers are struggling with ERM is there is no regulatory imperative or rule book for insurers to follow. State regulators in the U.S. have not put any processes or procedures in place for insurers to run an ERM program, but rating agencies have taken up the challenge of imposing their will on carriers. “The rating agencies want to review [insurers’] ERM activities, but again, there is no definitive rule book,” says French. “Each rating agency is reviewing ERM on its own terms.”

As a result, insurers are building out the framework as they react to what the rating agencies are after. French suggests if the Optional Federal Charter is approved, it will include a national solvency agenda and a risk management agenda. “You will see some definitive regulatory rules around the whole issue,” he says.

Nationwide is ahead of the curve in some of its applications of capital modeling, according to Schulman, but he admits much of the impetus for improved risk modeling has come from rating agencies focusing on ERM. Carriers are working to convince the rating agencies to consider the carriers’ internal models in establishing target capital levels, he notes. “If we can convince them to use our capital models instead of their models, it