One of the aspects of implementing ERM is putting in place an approach to consider its effectiveness. A combination of approaches is typically suggested for this purpose, including a consideration of the approaches adopted and evidence of the risk culture.
An alternative would be to establish whether the implementation of ERM ensures that the appropriate conversations about risks are taking place in the business. The elephant is the proverbial unspoken element of a discussion – about risks in this case.
An interesting paper from a working group of the UK Institute of Actuaries entitled ‘Risk: Elephants in the Room’ looks into the causes that may explain why conversations about risks have not been happening effectively in insurers.
The paper identifies two main reasons why these conversations may not be taking place:
1. There is limited understanding of the underlying issues.
This could result from limited depth of knowledge of the relevant subject. I suppose this is the typical regulatory concern about insurers investing in new types of assets or venturing into non-core areas.
The paper offers a good list of examples of typical elephants (pages 7 to 9) which could help senior management self-check whether something has been missed. It also outlines two approaches to identify elephants – based on risk lineage and scenarios – which seem a useful starting point.
2. ‘Soft’ factors prevent risk discussions from happening or limit their effectiveness, even where risk elephants are known.
The paper identifies a number of such ‘soft’ factors:
- risk culture prevents free and open discussion about risks;
- complexity of the underlying issues can alienate the audience;
- regulatory perspective sometimes associated with risk tunes out executives;
- over-reliance on quantification; after a risk is quantified the level of oversight diminishes, which is particularly risky for low-frequency and high-severity risks;
- risk universe bias; an elephant can be a risk that does not fit into one of the existing risk categories.
1. A risk function should have appropriate resources to identify relevant elephants.
This would require a combination of internal and external resources. For example, if an insurer chooses to invest in alternative assets, it should develop appropriate expertise in the area. However, the risk function may need external support to ensure that elephants in other areas are also identified.
2. Consider the ‘soft’ factors that may hamper the effectiveness of risk discussions, and risk management more generally.
This consideration of soft factors should be part of an ERM implementation. However, it should also be a consideration in any assessment of the operational effectiveness of the risk function.
What do you think? Do you have any thoughts on these suggestions about risk elephants and their identification?