American Society for Quality - Quality Management Division

Historical Perspective of Quality in Risk Management

The Origins of Risk Management

Risk management in the United States has been developing as a profession for 175 years. With the creation of the first factory mutual insurer in 1835, insurance was available to protect against risks of fire and related perils. Over the next 100 years, the commercial insurance market developed and the job title of insurance clerk was recognized for policy administration. The formation of the National Association of Insurance Buyers, a predecessor of RIMS, helped to formalize insurance administration as a profession. The evolution continued with the transformation of the NAIB to ASIM (the American Society of Insurance Managers) in 1955, and the subsequent formation of RIMS in 1975. The last thirty-five years, as seen in Figure 1, have seen dramatic changes in risk and its management.


During the same time frame, the insurance industry was undergoing a similar evolution. The time line shown in Figure 1 illustrates the qualitative changes within the insurance industry over that period. From 1835 to 1960 insurance was primarily a transaction-oriented process: you bought it and they paid the claims. There was little complexity and no definition of quality. Customer expectations were unknown. The primary sales method was to push the product. The buyer was unsophisticated, lacked knowledge of how insurance worked, and didn't know how risk related to cost.


The Integration of Quality into Risk and Insurance Management


From 1960 to 1980 things started to change. The buyer began to gain a better understanding of how insurance worked and began to ask for changes in products and services (Voice of the Customer; see Figure 2). The insurance industry began expanding products and services to keep up with buyers' requests. During the 1970s, retros, deductibles, and self-insured retentions were introduced. The definition of risk expanded as workers' compensation grew and new liability exposures were uncovered by new legislative rulings. The buyer began asking for more.

The 1980s saw significant changes in the world of insurance. "Unbundled" and "value-added" services were introduced in response to customer demand. Captives and rent-a-captives became popular. The Product Liability Risk Retention Act was amended to allow businesses to pool all types of liability risk in risk retention and purchasing groups. Moral of the story: the customer said, "We are not and have not been satisfied. We'll do it ourselves."


The Beginning of Enterprise-wide Risk Management (ERM)


The 1990s have seen significant change as well. Companies now face increased environmental liability exposures that are hard to define beyond "extremely expensive." Workers' compensation costs have skyrocketed and are only beginning to be brought under control. Buyers routinely ask agents and brokers to disclose and negotiate commissions and fees. The role of broker and agent is being forced to change: it is becoming less transaction oriented and more consultative in practice. Both the pace and the scope of change in the risk management and insurance industries have been growing at an ever-increasing rate. To keep up with that rate of change, companies have been forced to be more efficient, to react more quickly, and to be more productive in less time, usually with fewer resources (the basic concepts of Lean).


Organizations in the risk management and insurance industries had a choice to make. They could continue using the same wasteful, duplicative, inefficient ways of doing things, or they could choose to reinvent the wheel by changing the system itself. The following section introduces a basic conceptual tool that paves the way for this kind of systemic change.

Enterprise Risk Management, as defined by COSO (the Committee of Sponsoring Organizations of the Treadway Commission), is:


“a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

This definition exposes several fundamental concepts. Enterprise risk management is:


1. A process that encompasses the entire organization
2. Effected by people at all levels of the organization
3. Applied from a strategic perspective
4. A process for examining an organization-wide portfolio view of risk
5. Designed to identify potential event drivers that, if and when they occur, will impact the organization by causing deviations from expected outcomes
6. Capable of providing reasonable assurance to an organization's management and board of directors that their risk tolerance levels will not be exceeded
7. Designed to achieve organization-wide objectives across all business units and product/service lines


Components of Enterprise Risk Management


Enterprise risk management is a system composed of seven integrated management subsystems. These subsystems derive from the means by which management runs an organization and are part of an integrated management approach. The subsystems are:


Internal Environment – The internal environment encompasses the business processes over which the organization has direct control. This includes the cultural aspects of how risk is viewed and addressed by the organization's people, including the risk management approach, the determination of the organization's risk tolerance level, integrity and ethical values, and the environment in which they function.

Strategy Determination – Organizational strategies, goals and objectives must be present before management can identify impending events affecting their attainment. Enterprise risk management forces management to have in place a process to set objectives and the chosen objectives must sustain and support the organization’s mission and be consistent with the organization’s risk tolerance level.


Risk Identification – Internal and external events affecting the achievement of the organization's objectives must be identified and classified as either risks or opportunities. Opportunities are then fed back into management's strategy development process.


Risk Assessment – Risks are analyzed qualitatively and/or quantitatively, taking into consideration likelihood and impact, as a basis for determining how they should be managed.


Risk Response – Management selects risk responses (avoidance, acceptance, mitigation, or transfer) and develops a set of actions to align risks with the organization's risk tolerance level.


Control/Monitoring Activities – Objectively evaluate adherence of the monitoring and control process to its process description, standards, and procedures, and address noncompliance.


Information and Communication – Information and data requirements are identified, captured, and disseminated in a form and time frame that enables people to perform their responsibilities.


Enterprise risk management is not strictly a serial or sequential process in which one subsystem affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.


Summary


The notion of a holistic approach or enterprise risk management traces its roots back to the early 1970s when Gustav Hamilton of Sweden’s Statsforetag outlined the “risk management circle” to depict the relationships of all components in the risk management process (identification, assessment, control, financing and communication).


In the 20th century, risk managers were primarily responsible for managing "pure" risks through the purchase of insurance, though the concept of risk management soon became associated with financial risk management through the use of derivative financial products. There has been a growing need for organizations to permanently link their risks across business units and adopt a more comprehensive framework. Full linkage, the integration of risk, capital and financial management, allows for continuous recognition of the array of risks facing an organization and their individual and collective impact on shareholder value, leading to well-defined strategic actions.


Importance of ERM - Organizations have a growing need to permanently link their risks across their business units and adopt a more comprehensive framework. Several factors drive the need for enterprise risk management, including:


1. Greater transparency
2. Financial disclosures with more strict reporting and control requirements
3. Security and technology issues
4. Business continuity and disaster preparedness in a post-9/11 world
5. Focus of rating agencies
6. Regulatory compliance
7. Globalization in a continuously competitive environment


Benefits of ERM Framework - Using the enterprise risk management framework can help an organization achieve its objectives. Enterprise risk management offers a number of benefits:


1. Aligns risk appetite and corporate strategy
2. Links growth, risk and returns
3. Improves risk responses
4. Reduces operational surprises and losses
5. Recognizes and acts upon opportunities
6. Deploys resources effectively

With the increasingly complex and fast-changing business environment, organizations are seeking risk management professionals to join their teams. As these new roles in enterprise risk management continue to grow, actuaries are becoming leaders in the practice, which takes a 360-degree view of an organization’s risk profile.


Bibliography


Higdon, S. (2006). Enterprise Risk Management Shareholder Value. Deloitte & Touche LLP.


Committee of Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk Management — Integrated Framework.


Adapted from Risk Management Reports, Vol. 26, No. 12, December 1999.
