
Solvency II and Risk Management

Part 2: What Does Risk Management Mean in Practice?


Part 1 | Part 2 | Part 3 | Part 4


What does a risk framework look like?


A firm’s risk framework is, in essence, a set of documents, processes and systems that enable an organisation to understand, measure, monitor and manage its risks. A risk framework can be simple or complex, short or very long, depending on the nature, size and complexity of the organisation and its risk profile.

The heart of the risk framework is the risk strategy (see Figure 2).

 


This document is closely linked to the company’s business strategy and defines the overall approach to risk management, and it includes the statement of risk appetite. Many organisations find risk appetite difficult to articulate in a meaningful way. Initial attempts are often either banal or bland or both. The two aspects that should be considered are: (i) points of principle, such as “what is our corporate attitude to this type of risk”; and (ii) “how much are we prepared to lose”. Bear in mind that you are working towards a definition that may need to allow differing appetites within different areas of the business. For instance, some risks will be actively sought out as a business opportunity and therefore the appetite is likely to be higher than for risks that are a by-product of doing business.

The second key element of the risk strategy is defining the firm’s approach to risk management, the overall framework and the key accountabilities and responsibilities within it. Within the overall strategy, it is possible – and often desirable – for different types of risk to be treated in different ways, depending on the risk appetite. This, then, provides the basis for all subsidiary documentation, procedures, etc.

The second level of the risk framework is the set of risk policies. Depending on the size, scale and complexity of the organisation, there may be few or many risk policy documents, but each category of risk needs to be addressed within them. The implementation of the risk policies is in two main parts: quantitative and qualitative.

  • Quantitative: The quantitative element is about risk measurement. Every organisation faces many hundreds – or thousands – of risks, so it is very easy for a risk register to get out of hand if everything is to be included. For practical purposes, the risk register should be at an appropriate level for the organisation to be able to manage it effectively and identify – and mitigate – the main risks to the organisation. At the same time, it needs to be comprehensive. In the UK, this has gone through a few cycles and we have worked with insurers to structure their risk registers to provide a more solid foundation for the quantification process.
  • Qualitative: The qualitative element is about managing the risks. The key components to be defined within the risk framework are:
    • Risk prioritisation and mitigation
    • Controls and procedures
    • Governance and oversight
    • Training and competency regime
    • Reporting and MI
    • Record-keeping
    • Data quality
    • Roles and responsibilities

Most insurers – some more than others – will already have a number of these documents and processes in place. Unfortunately, these are very likely to be scattered around the organisation, with different ownership and authorship, rather than linked together within the overall framework. This means that, however close-knit the organisation, there will be gaps, contradictions and issues with communication.

All these elements need to be integrated to form a holistic risk framework and must be supported by an appropriate corporate culture and, crucially, executive awareness and sponsorship. It is the Board’s responsibility to own the organisation’s risks and the risk framework. However, the implementation and maintenance of the risk framework is a significant undertaking and most organisations find they need an individual who has accountability for driving it – the Chief Risk Officer, or equivalent.


What is the Chief Risk Officer? 

The CRO is part policeman, part teacher, part counsellor and part business leader.
  • Policeman: The role of the CRO has grown up over the last few years and developed largely in response to a combination of business failures, corporate scandals and new regulatory developments such as Sarbanes-Oxley and Basel II. This aspect of the role provides assurance that the business is following good systems and controls with regard to identifying, assessing, mitigating and reporting its risks.
  • Teacher: The CRO has a responsibility to educate the people within the business to ensure that risk is properly understood across the organisation and that objectives, business procedures, controls, data and reporting reflect this understanding.
  • Counsellor: The CRO acts as advisor to the Board and management on risk issues and will tend to present and comment on the key risks to the business on a regular basis. S/he will also have an advisory capacity across the business and provide oversight and co-ordination to ensure a consistent approach.
  • Business leader: A key aspect of the role, and arguably the one that adds most value to an organisation, is ensuring a more effective approach to measuring risk and reward, enabling the business to make better investment decisions. This requires a commercial view of risk, completely aligned to the goals of the business.

CROs come from a variety of backgrounds. Some are actuaries, others accountants or auditors, operations specialists, strategy planners or compliance experts. We are now also starting to see career specialists in risk management in the role.

 

