Align ERM to the Company
By Dave Ingram
Reinsurance News, February 2025
I used to think that there was one best way to do ERM and that when insurers adopted that approach, it would end up transforming the way that they did their business. That was 25 years ago, and the experiences of hearing most of the world's largest insurers talk coherently about their ERM programs definitely moved me off of that opinion. That was because those large company ERM programs were significantly different from one another, and the cases where the ERM program had any success were those where the ERM program fit with the business, rather than transforming the business to fit with the ERM program. Over the succeeding decades, I worked with well over 100 different insurers on their ERM programs and saw over and over the situation where a company tried to adopt the “best” approach to ERM only to have the company reject that system sooner or later.
There are a couple of key differences in how parts of ERM fit with particular insurers.
Aggregate Risk Tolerance—this is considered by many to be absolutely essential to true ERM. But some high surplus insurers in the US are not interested in even considering this concept. They just don’t see themselves ever having to worry about how much capital they have. They fully expect to maintain their high capital position under all circumstances.
Individual Risk Limits—Some of the same companies will also be reluctant to have limits for individual risks. They fear that the existence of the limit will actually encourage more risk-taking because it is seen by their employees as approval to take that much risk.
There is a solution to both of those situations. The Aggregate Risk Tolerance and individual risk limits can both be replaced by Plan values. Then risk, both in total and for individual risks, will be managed mostly like everything else—with a target. In both cases, management can also treat those plan targets as checkpoints: places where, when the targets are met, management can pause and decide what to do next.
Another company might object to the formal Governance structure of ERM. ERM is seen as creating needless bureaucracy, adding costly overhead to an otherwise lean operation. While I was working with one such insurer, there was strong resistance when I suggested that they needed to write down their risk management processes in a Risk Management Framework, no matter how brief it would be. They just did not want to be constrained by what was written on a piece of paper. In the end, all we ended up creating for their ERM program was a quarterly report that showed their risk positions compared to plans. I was never sure that they even considered it.
Emerging Risk management is a troubling concept for some companies. It turns out that often the people who are best at operating a risk management program that is focused on risk measurement and risk limit enforcement are just not the kind of people needed to imagine how risks that have never happened before might cause future harm. One such company had decided in 2018 that developing a work from home plan was just not feasible or necessary. They were faced with creating a work from home program from scratch while most employees were out of the office and under COVID quarantine. That included buying laptops for all their customer service staff, installing needed software, paying for the laptops to be delivered to everyone’s home, and then training folks to adopt mostly new protocols.
And my “favorite” objectors to ERM are the business unit heads who are caught blindsided when a newly developed capital model shows that their business has the worst risk adjusted returns of any of the company’s activities. It then becomes that business unit head’s purpose in life to undermine the credibility of the capital model. This makes for a great burden of extra work to defend the model and often results in the model project being rejected, because management is just not sure what to believe: before the model showed that result, the product line had been thought of as successful.
On the other hand, a company that puts great value on data and careful analysis will not be happy with their ERM program until it is tied to a state-of-the-art model. However, that same company may also be reluctant to take risks seriously that are difficult to quantitatively model, such as operational risks.
A company that highly values innovation will want to use their emerging risks analysis to both identify risks and to help them to find new opportunities.
And a company that values well-managed processes will find a formal ERM governance process to their liking. They will see that it provides up-to-date information on how well their businesses are holding to the ERM program and that their risk exposures are in the range that they planned for. This would allow them to react to deviations in a timely manner and avoid any end-of-year surprises.
I follow these four steps to better tailor an ERM program to a company. First, clarify the company’s main objective for ERM. Is it a focus on capital adequacy, on managing year-by-year losses, on improving returns for risks taken, or something else? Second, examine the company’s risk culture and the underlying risk culture beliefs. Third, build off of the company’s existing risk management strengths. All insurers have significant risk management strengths; that is a fact, not survivor bias. And finally, instill the expectation that developing a good ERM program is an iterative process, with changes every year to trim away or fix what is not working and strengthen what is.
By aligning ERM to your company's unique needs and traits, you can create a risk management program that is embraced by the business, influences strategic decision-making, and helps your organization navigate an increasingly complex risk landscape. The key is tailoring, not trying to force a generic "best practice" approach. With the right customized ERM, you can substantially improve your company’s ERM practices and resilience.
Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries, the newsletter editors, or the respective authors’ employers.
David N. Ingram, CERA, FRM, PRM, FSA, MAAA, is senior ERM consulting actuary, ARM. Dave is also an elected member of the Board of Directors, SOA, and can be contacted at daveingram@optonline.net.