Insurance and banking business models have continued to grow in complexity over the past 50 years, from simple and local risk exposures to the current environment of complex and global exposures. Risk management has evolved along with the business model changes, from making individual, transaction-based decisions on a combination of judgment and underwriting criteria, to looking at aggregated portfolios of risk enabled by more robust analytical tools.
While the tools and techniques available to risk professionals have continued to evolve, the interaction model between risk and the business has largely remained the same — an “us vs. them” dynamic.
In the past, risk was present to say “yes or no” to business leaders based on what was seen to be risk’s perspective and desired profile, often leading to escalation with business leaders and revenue generators having a distinct advantage.
Post financial crisis, regulators forced the increased relevance of risk organizations and risk demanded a seat at the table without changing the dialogue — which converted many groups into compliance officials with a regulatory agenda.
The challenge for today’s risk organization is clear — how to have an impactful seat at the table without turning risk management into a “check the box” regulatory exercise.
This is where the next step in the evolution of risk management starts — to reframe the debate and the role of risk within an organization. The reframing turns risk groups from being control and compliance functions into being valued business partners.
The goal is to move from “us vs. them” to just “us” — the entire organization driving toward common enterprise objectives. If structured right, the risk management organization can be involved in the pursuit of business objectives and the optimization of outcomes across all relevant constraints and lenses.
How? First, there must be buy-in from the most senior levels of the organization and the board of directors on the importance and necessity of an independent view of the risk profile. This includes both a broad enterprise view and, more narrowly, the risks within each product. Senior leaders must recognize the value provided by an effective risk function and understand that if executed properly, the value will exceed the cost of the added infrastructure.
Second, a risk organization must be staffed with talent commensurate with the highest standards for technical competence across the company. This is important to building credibility with the business and will help to ensure that opinions and views are respected and seen as adding value.
Third, but likely most important, transparency must be the central tenet of a risk management organization — one that cuts across all aspects of decision-making.
Transparency starts with the engagement of the entire organization at the beginning of the development process for models and metrics used in forming and managing the technical risk profiles. Regardless of who owns the models, their development must be open and transparent to all key constituents.
Once those three steps are completed, the role of risk, and the professional knowledge embedded within, make it a valuable participant in the collaborative process and a critical partner in moving between constraints and stakeholders.
Key to achieving this is an effective risk appetite framework that considers the balance of risks and resources across the firm and the perspectives of all relevant internal and external stakeholders. While risk will serve as the scorekeeper, the entire organization must own the risk appetite framework as a corporate asset. The framework ensures that the company remains within the desired risk profile while it pursues optimal financial outcomes.
How does this happen? First, consider establishing broad expressions of risk appetite that account for the desired balance between risks and resources across all relevant economic, regulatory, and accounting frameworks. The expressions should take into account that the balance might change when subjected to a variety of stresses over various time periods. Factors at play are the evolution of assets and liabilities through time, with varying severities. Examples of such expressions include the following:
Getting buy-in for this level of expression is usually relatively easy as most organizations have already established these, perhaps unconsciously, as they communicate with external stakeholders such as rating agencies, shareholders, customers, and regulators.
Defining the discrete metrics underlying the expressions is more difficult and should take into account the perspectives of representatives from across the organization — from sales and distribution to finance and treasury. For example, what rating does the business need in order to continue to participate in markets? What underlying metrics will drive the rating of the company in terms of capital adequacy or liquidity ratios?
The next step is to agree on what level of stress is articulated in the expression — “cyclical” and “severe” in the example above. Again, collaboration, transparency, and inclusion of all stakeholder views must be part of the development of these scenarios, as they will define and constrain risk profiles and business activities. They must be designed so that they probe sensitivities of assets and liabilities across all relevant risks, yet do so in a way that aligns with external and internal views of a reasonable definition.
Once the metrics and definitions of stress have been determined, the measurement can begin. The manifestation of risks can be complicated by the financial reporting rules, and it is important to have reliable processes with transparency into potential limitations and simplifications. For an organization to embrace the risk appetite framework and use it to inform difficult business decisions, there must be credibility of, and confidence in, the models, scenarios, assumptions, and output.
The final piece of the puzzle is the translation of the desired risk profile of the organization into meaningful limits on key risk-taking activities. This is where the broad macro and strategic expressions become operational. The objective is to align limits such that there is a comfortable likelihood that the actual outcomes in stress scenarios will be in line with expected outcomes. This doesn’t mean that all limits need to academically tie to the expressions. However, they should be set such that the business-as-usual risk-taking activities won’t materially change the shape or dimension of the risk profile.
Once the risk appetite framework is in place, it can be incorporated into business and capital planning, though with a twist on the traditional risk and business dynamic.
No longer will there be an “us vs. them” discussion, with risk having the ability to say yes or no at its discretion. Rather, risk will now provide transparency into the impact of business decisions on the commonly agreed upon limits and constraints, facilitating an open dialogue.
It is no longer risk’s role to make the “yes or no” decision, but rather the organization’s, with risk providing full transparency into the impact on the commonly agreed upon expressions. The framework provides a basis for evaluating the levers available to any organization — changing the risk profile, changing the risk capacity, or changing the risk appetite statement. The common evaluation of when and where to pull these levers will be grounded in the risk appetite framework and transparent to all parties.
Nick Silitch is senior vice president, chief risk officer of Prudential Financial and Chad Runchey is a principal in insurance advisory services at Ernst & Young. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official views of their respective employers.