Management of Risk by Individual - Insurance Business And Market, Principles of Insurance, B com | Principles of Insurance PDF Download

Risk Drivers

In an insurance company, the cash flows are organized along two streams: a) Inflows— premiums, investment income, refunds, and so on and b) Outflows—claim payments, reinsurance premium, agent remuneration, salaries, interest and dividends to investors, and so forth. Thus, risks could be considered along these two flows. In addition, insurance products rely on models dealing with longevity/mortality, morbidity, economic conditions, or market conditions. There is a large risk that any of these assumptions or models could be incorrect, leading to first the pricing risk (that price charged was incorrect) and then the solvency risk—risk that arises from inadequate reserves, and company runs out of capital. As many insurance companies have large fixed income holdings or equity position, there is also credit risk and market risk associated with their investment portfolio. Moreover, the processes, people, and systems of an insurance company are also exposed to risks. These are operational risks and are present throughout the company. Additionally, like other corporations, an insurance company is exposed to other strategic risks, such as liquidity, reputation, legal, business planning, and so on. The time lag between the selling of an insurance coverage and the claim payments can be extremely long. This lag makes insurance a particularly difficult business to manage. There are also a variety of cultural reasons that complicate insurance risk management. For example, there is a perception by some insurance managers that the insurance business is strictly an underwriting game. This essentially means that if an insurance company underwrites “the right risks at the right prices,” the other key insurance activities (i.e. investment, claims handling, reinsurance, and so on) “can take care of themselves.” In this situation risk management obviously takes a back seat.

Risk Framework

A good risk framework should have a strong governance structure so that the board and the management should know how risks are being managed. This involves appointing a chief risk officer (CRO) for risk management and the organizational culture too should support it. In large companies, it is common to form a separate risk management unit, staffed by a multi-disciplinary team. The work of this team is typically facilitated by designated persons in each of the various departments, such as underwriting, legal/compliance, actuarial, finance, marketing and sales, policy servicing, claims, IT, and so on. The management should always be aware about the dangers of undermining the independence of the department and should ensure that the risk-taking and risk monitoring roles are independent. To ensure this, there are a few well-known frameworks available such as ISO 31000 risk management standard and the COSO ERM.. There is another framework used by S&P and A&M Best in their ratings as well. Few of the governance structures are given below.

Figure 1 – An ERM framework (based on COSO, ISO 31000 & S&P frameworks)

A CRO should ensure that risk management in the organization is centralized rather than being carried out from silos. He should functionally report to someone like the risk & audit committee while administratively he could report to a CxO, such as the chief financial officer (CFO). This gives the CRO the independence and ability to ask tough questions to the top management. Structurally, there are several choices on where the CRO should be placed in the organization.

Franchise vs Policyholder interest

To appreciate the risk environment better, a CRO should understand the nuances among the policyholders’ interests, franchisee interests, and other stakeholders’ interests. The policyholder interest represents the objectives behind insurance policy purchases by policy buyers; regulators enforce the protection of policyholder’s interest. Franchisee interests are the objectives of the investors or owners who have provided money to capitalize the company and would want the insurance company to grow and make profits. Mostly policyholder and franchisee interests are not in conflict, but there are times when they can diverge. For example when investors are looking to exit the company, the interests definitely could diverge. What is good for the company may not necessarily be good for existing policyholders. A CRO should understand this difference and should track risks separately if required.

Three Lines of Defence Model

The three-line defence model is one of the most popular governance models. It lays down very specific responsibilities for each line of defence while ensuring independence.

Table 1. -Three lines of defence governance model

First line of defence

The first line of defence is the primary management responsibility for strategy, performance management, and risk control, which lies with the board, the chief executive officer and the senior management.

Second line of defence

The second line of defense is oversight of the risk framework by the risk committee, CRO, and the risk management functionaries working with their counterparts in other areas.

Third line of defence

The third line of defence is stringent internal audit that ensures the independence and effectiveness of the group’s risk management systems.

CRO Role

Ideally, as CRO is the main risk facilitator of the company, all risk-related decisions should have his inputs. However, at the very least, a CRO should have the following elements in his role:

• Enterprise risk management (ERM)
• View of the key risk control programmes
• Ensuring common risk language across organization
• Managing the risk view through the risk dashboard

Enterprise Risk Management

Through enterprise risk management (ERM) risks in a company are understood, managed, and used for decision making. In a robust implementation, a CRO becomes the focal point of the ERM universe.

In the ERM role, a CRO then becomes the owner of the risk management in the company. The following set of accountabilities should become a part of his/her KPIs.

• Ensure that company has the right risk framework
• There is sufficient management buy-in, and the company has provided resources with the right quality and in the quantity.
• There is a process and rigour to risk assessments.
• All key risks are understood and analysed.
• All risk mitigation strategies and tactics are adequate. Wherever there are gaps, a CRO should ensure that there are action plans to fix them up.
• Risk factors become central to all key decisions.
• Ensure that the perceptions about risks in the organization are the same and that there is a common risk language in the organization.
• There are sufficient key risk indicators (KRI) to monitor risks regularly.