One of the aspects of implementing ERM is putting in place an approach to consider its effectiveness. A combination of approaches is typically suggested for this purpose, including a consideration of the approaches adopted and evidence of the risk culture.
An alternative would be to establish whether the implementation of ERM supports the appropriate conversations about risks taking place in the business. The elephant is the proverbial unspoken element of a discussion – about risks in this case.
An interesting paper from a working group of the UK Institute of Actuaries entitled ‘Risk: Elephants in the Room’ looks into the causes that may explain why conversations about risks have not been happening effectively in insurers. (Click here for the paper.)
The paper identifies two main reasons why these conversations may not be taking place:
1. There is limited understanding of the underlying issues.
This could result from limited knowledge depth on the relevant subject. I suppose this is the typical regulatory concern about insurers investing in new types of assets or venturing into non-core areas.
The paper offers a good list of examples of typical elephants (pages 7 to 9) which could help senior management self-check whether something has been missed. It also outlines two approaches to identify elephants – based on risk lineage and scenarios – which seem a useful starting point.
2. ‘Soft’ factors prevent risk discussions from happening or limit their effectiveness, even where risk elephants are known.
The paper identifies a number of such ‘soft’ factors:
- risk culture prevents free and open discussion about risks;
- complexity of the underlying issues can alienate the audience;
- regulatory perspective sometimes associated with risk tunes out executives;
- over-reliance on quantification; after a risk is quantified the level of oversight diminishes, which is particularly risky for low-frequency and high-severity risks;
- risk universe bias; an elephant can be a risk that does not fit into one of the existing risk categories.
1. A risk function should have appropriate resources to identify relevant elephants.
This would require a combination of internal and external resources. For example, if an insurer chooses to invest in alternative assets, it should develop appropriate expertise in the area. However, the risk function may need external support to ensure that elephants in other areas are also identified.
2. Consider the ‘soft’ factors that may hamper the effectiveness of risk discussions, and risk management more generally.
This consideration of soft factors should be part of an ERM implementation. However, it should also be a consideration of any assessment of the operational effectiveness of the risk function.
What do you think? Do you have any thoughts on these suggestions about risk elephants and their identification?