2-Minute Q&A #7: Enterprise Risk Management

Note: This is the seventh in a series of blogs on insurance transformation by Majesco and PwC.  Today’s blog is a continuation from the 4/29/2022 featured Enterprise Risk Management podcast between Denise Garth, Chief Strategy Officer at Majesco, and Melissa Card from PwC’s Insurance Risk and Regulation practice.

Denise Garth: Thank you again for your time on the podcast.  You provided great detail about Enterprise Risk Management (ERM).  I would like to take some time to further explore the 2 risk management buckets you mentioned: Financial Related Risks; Non-Financial Related Risks.  Can you provide additional detail as to how an enterprise is structuring their ERM framework and where the 2 buckets of risk fit in?

Melissa Card: When we think about insurance companies and how they differ from other types of companies (e.g., auto manufactures, technology/digital, hospitality, etc.) it is all about how an insurance company is managing their capital/surplus.  Confirming insurers are appropriately applying their capital in a way that can provide their stakeholders with the greatest return.  When it comes to ERM, it is viewing the various levels of an insurer and building an informative risk profile to determine how much risk an organization is facing in order to determine the best use of capital.  The key is, from a forward looking perspective, to determine what headwinds are coming the organization’s way from an internal or external perspective.  Typically we will see at the top of the house specific roles and responsibilities for all parties associated with risk/risk management.  Then at the top of the house are Risk Appetite Statements (RAS), which clearly articulate the level of risk that the organization is willing to take, based on current risks that the organization is facing (i.e., Financial Related Risk and Non-Financial Related Risk from internal or external sources).  This requires a full understanding of all of the risks that an organization is facing at a given time, and denoting the most critical or emerging risks.  This is done by various processes, which provides understanding of risks at lower-levels and aggregating them to the top of the organization.  Under the RAS are metrics to measure the specific areas of risks referred to as Risk Appetite Metrics (RAMs).  RAMs are the high-level of measuring risk at an organization, in the event of a RAM limit being triggered, this will inform the organization that they have exceeded their risk tolerance.  Under RAMs and throughout the structure of an organization are Key Risk Indicators (KRIs), which are typically tied to RAMs in order to provide “early warning indications” of risk events.  This should allow the organization to measure the level of risk they face and apply capital in a way to provide stakeholders with the greatest return.  The 2 buckets of risk clearly delineate, financially how are we managing risk from a business standpoint, and non-financially, how are we supporting the business?

Denise Garth: On the topic of risk, you mentioned that threats to insurance companies’ technology and data are evolving. Can you provide us with more detail?

Melissa Card: Regulators are focused on consumer protection.  As distribution channels evolve more data will become available.  For example, what we are seeing in personal auto, where cars are collecting data based on usage and car companies are providing insurance directly to consumers, it would not be shocking if down-the-road most insurers have the ability to plug into technologies to allow them to harvest this data in order to provide the most comprehensive risk profile of a driver.  Insurance companies need to align their ERM efforts with evolving technology in order to better protect consumer data from getting into unauthorized party’s hands.  By automating data feeds and setting up proper automation to track data users location, access authority, etc., it can help provide data integrity and also inform management if there is a potential breach of data management, before the issue spreads.

Denise Garth: I hope we answered your questions on how to start thinking about Enterprise Risk Management and risks that insurance companies potentially face.  Have a question about risk management or want to learn more? Just drop it into the comments section below.