CONTENTS

Sr No Topic Page
numbers
1. Executive Summary
2 What Is Risk?
3 How Insurance Works?
4 Introduction To Risk Management
5 Principles Of Risk Management
6 Types Of Risks
7 Other Risks
8 Risk Assessment Process
9 Steps In The Risk Management Process
10 What Are The Benefits Of Risk Management To The
Insurance Company?
11 Potential Risk Treatments
12 Key Trends In Risk Management

13 Emerging Areas Of Risk Management

14 Key Risks Faced By Insurance Sector Globally
15 Enterprise Risk Management For Insurance Companies
16 Where Will The Indian Insurance Market Be In 2020?
17 Conclusion
18
EXECUTIVE SUMMARY
Risk, in insurance terms, is the possibility of a loss or other adverse event that has
the potential to interfere with an organization’s ability to fulfil its mandate, and for
which an insurance claim may be submitted.

Risk management ensures that an organization identifies and understands the risks
to which it is exposed. Risk management also guarantees that the organization
creates and implements an effective plan to prevent losses or reduce the impact if a
loss occurs.

A risk management plan includes strategies and techniques for recognizing and
confronting these threats. Good risk management doesn’t have to be expensive or
time consuming; it may be as uncomplicated as answering these three questions:

1. What can go wrong?

2. What will we do, both to prevent the harm from occurring and in response to
the harm or loss?
3. If something happens, how will we pay for it?

Risk management provides a clear and structured approach to identifying risks.

Having a clear understanding of all risks allows an organization to measure and
prioritize them and take the appropriate actions to reduce losses. Risk management
has other benefits for an organization, including:

• Saving resources: Time, assets, income, property and people are all valuable
resources that can be saved if fewer claims occur.
• Protecting the reputation and public image of the organization.
• Preventing or reducing legal liability and increasing the stability of operations.
• Protecting people from harm.
• Protecting the environment.
• Enhancing the ability to prepare for various circumstances.
• Reducing liabilities.
• Assisting in clearly defining insurance needs.

An effective risk management practice does not eliminate risks. However, having an
effective and operational risk management practice shows an insurer that your
organization is committed to loss reduction or prevention. It makes your organization
a better risk to insure.
WHAT IS RISK?
The Concise Oxford Dictionary defines risk as “hazard, a chance of bad
consequences, loss or exposure to mischance”. In a discussion with students taking
a course on financial risk management, ingredients which typically enter are events,
decisions, consequences and uncertainty. Mostly only the downside is mentioned,
rarely a possible upside. For financial risks, the subject of this book, we might arrive
at a definition such as “any event or action that may adversely affect an
organization’s ability to achieve its objectives and execute its strategies” or,
alternatively, “the quantifiable likelihood of loss or less-than-expected returns”. But
while these capture some of the elements of risk, no single one sentence definition is
entirely satisfactory in all contexts.

People seek security. A sense of security may be the next basic goal after food,
clothing, and shelter. An individual with economic security is fairly certain that he
can satisfy his needs (food, shelter, medical care, and so on) in the present and in the
future. Economic risk (which we will refer to simply as risk) is the possibility of
losing economic security. Most economic risk derives from variation from the
expected outcome. One measure of risk, used in this study note, is the standard
deviation of the possible outcomes. As an example, consider the cost of a car accident
for two different cars, a Porsche and a Toyota.

In the event of an accident the expected value of repairs for both cars is 2500.
However, the standard deviation for the Porsche is 1000 and the standard deviation
for the Toyota is 400. If the cost of repairs is normally distributed, then the
probability that the repairs will cost more than 3000 is 31% for the Porsche but only
11% for the Toyota.

Modern society provides many examples of risk. A homeowner faces a large

potential for variation associated with the possibility of economic loss caused by a
house fire. A driver faces a potential economic loss if his car is damaged. A larger
possible economic risk exists with respect to potential damages a driver might have
to pay if he injures a third party in a car accident for which he is responsible.

Historically, economic risk was managed through informal agreements within a

defined Community.
If someone’s barn burned down and a herd of milking cows was destroyed, the
community would pitch in to rebuild the barn and to provide the farmer with enough
cows to replenish the milking stock. This cooperative (pooling) concept became
formalized in the insurance industry. Under a formal insurance arrangement, each
Insurance policy purchaser (policyholder) still implicitly pools his risk with all other
policyholders. However, it is no longer necessary for any individual policyholder to
know or have any direct connection with any other policyholder.
HOW INSURANCE WORKS
Insurance is an agreement where, for a stipulated payment called the premium,
one party (the insurer) agrees to pay to the other (the policyholder or his
designated beneficiary) a defined amount (the claim payment or benefit) upon the
occurrence of a specific loss. This defined claim payment amount can be a fixed
amount or can reimburse all or a part of the loss that occurred.

The insurer considers the losses expected for the insurance pool and the potential
for variation in order to charge premiums that, in total, will be sufficient to cover
all of the projected claim payments for the insurance pool. The premium charged
to each of the pool participants is that participant’s share of the total premium for
the pool. Each premium may be adjusted to reflect any 3 special characteristics
of the particular policy.

As will be seen in the next section, the larger the policy pool, the more predictable
its results. Normally, only a small percentage of policyholders suffer losses. Their
losses are paid out of the premiums collected from the pool of policyholders.
Thus, the entire pool compensates the unfortunate few. Each policyholder
exchanges an unknown loss for the payment of a known premium.

Under the formal arrangement, the party agreeing to make the claim payments is
the insurance company or the insurer. The pool participant is the policyholder.
The payments that the policyholder makes to the insurer are premiums. The
insurance contract is the policy. The risk of any unanticipated losses is transferred
from the policyholder to the insurer who has the right to specify the rules and
conditions for participating in the insurance pool.

The insurer may restrict the particular kinds of losses covered. For example, a
peril is a potential cause of a loss. Perils may include fires, hurricanes, theft, and
heart attack. The insurance policy may define specific perils that are covered, or
it may cover all perils with certain named exclusions (for example, loss as a result
of war or loss of life due to suicide).

Hazards are conditions that increase the probability or expected magnitude of a

loss. Examples include smoking when considering potential healthcare losses,
poor wiring in a house when considering losses due to fires, or a California
residence when considering earthquake damage.
In summary, an insurance contract covers a policyholder for economic loss
caused by a peril named in the policy. The policyholder pays a known premium
to have the insurer guarantee payment for the unknown loss. In this manner, the
policyholder transfers the economic risk to the insurance company. Risk, as
discussed in Section I, is the variation in potential economic outcomes. It is
measured by the variation between possible outcomes and the expected outcome:
the greater the standard deviation, the greater the risk.
INTRODUCTION TO RISK MANAGEMENT
Risk management is the identification, assessment, and prioritization of risks
(defined in ISO 31000 as the effect of uncertainty on objectives, whether positive
or negative) followed by coordinated and economical application of resources to
minimize, monitor, and control the probability and/or impact of unfortunate
events or to maximize the realization of opportunities. Risks can come from
uncertainty in financial markets, project failures, legal liabilities, credit risk,
accidents, natural causes and disasters as well as deliberate attacks from an
adversary. Several risk management standards have been developed including the
Project Management Institute, the National Institute of Science and Technology,
actuarial societies, and ISO standards. Methods, definitions and goals vary widely
according to whether the risk management method is in the context of project
management, security, engineering, industrial processes, financial portfolios,
actuarial assessments, or public health and safety.

The strategies to manage risk include transferring the risk to another party,
avoiding the risk, reducing the negative effect of the risk, and accepting some or
all of the consequences of a particular risk.

Certain aspects of many of the risk management standards have come under
criticism for having no measurable improvement on risk even though the
confidence in estimates and decisions increase.

In ideal risk management, a prioritization process is followed whereby the risks

with the greatest loss and the greatest probability of occurring are handled first,
and risks with lower probability of occurrence and lower loss are handled in
descending order. In practice the process can be very difficult, and balancing
between risks with a high probability of occurrence but lower loss versus a risk
with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of a risk that has a 100%
probability of occurring but is ignored by the organization due to a lack of
identification ability. For example, when deficient knowledge is applied to a
situation, a knowledge risk materializes. Relationship risk appears when
ineffective collaboration occurs. Process engagement risk may be an issue when
ineffective operational procedures are applied. These risks directly reduce the
productivity of knowledge workers, decrease cost effectiveness, profitability,
service, quality, reputation, brand value, and earnings quality. Intangible risk
management allows risk management to create immediate value from the
identification and reduction of risks that reduce productivity.

Risk management also faces difficulties in allocating resources. This is the idea
of opportunity cost. Resources spent on risk management could have been spent
on more profitable activities. Again, ideal risk management minimizes spending
and minimizes the negative effects of risks.
PRINCIPLES OF RISK MANAGEMENT

The International Organization for Standardization (ISO) identifies the following

principles of risk management:

Risk management should:

• Create value
• Be an integral part of organizational processes
• Be part of decision making
• Explicitly address uncertainty
• Be systematic and structured
• Be based on the best available information
• Be tailored
• Take into account human factors
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
TYPES OF RISK

A) Pure versus Speculative Risk Exposures

Some people say that Eskimos have a dozen or so words to name or describe
snow. Likewise, professional people who study risk use several words to
designate what others intuitively and popularly known as “risk.” Professionals
note several different ideas for risk, depending on the particular aspect of the
“consequences of uncertainty” that they wish to consider. Using different
terminology to describe different aspects of risk allows risk professionals to
reduce any confusion that might arise as they discuss risks.

As we noted in Table 1.2, “Examples of Pure versus Speculative Risk Exposures”,

risk professionals often differentiate between pure risk that features some chance
of loss and no chance of gain (e.g., fire risk, flood risk, etc.) and those they refer
to as speculative risk. Speculative risks feature a chance to either gain or lose
(including investment risk, reputational risk, strategic risk, etc.). This distinction
fits well into Figure 1.3, “Roles (Objectives) Underlying the Definition of Risk”.
The right-hand side focuses on speculative risk. The left-hand side represents pure
risk. Risk professionals find this distinction useful to differentiate between types
of risk.

Some risks can be transferred to a third party—like an insurance company. These

third parties can provide a useful “risk management solution.” Some situations,
on the other hand, require risk transfers that use capital markets, known as
hedging or securitizations. Hedging refers to activities that are taken to reduce or
eliminate risks. Securitization is the packaging and transferring of insurance risks
to the capital markets through the issuance of a financial security. We explain
such risk retention in Chapter 4, Evolving Risk Management: Fundamental Tools
and Chapter 5, The Evolution of Risk Management: Enterprise Risk
Management. Risk retention is when a firm retains its risk. In essence it is self-
insuring against adverse contingencies out of its own cash flows. For example,
firms might prefer to capture up-side return potential at the same time that they
mitigate while mitigating the downside loss potential.

In the business environment, when evaluating the expected financial returns from
the introduction of a new product (which represents speculative risk), other issues
concerning product liability must be considered. Product liability refers to the
possibility that a manufacturer may be liable for harm caused by use of its
product, even if the manufacturer was reasonable in producing it.

Table 1.2, “Examples of Pure versus Speculative Risk Exposures” provides

examples of the pure versus speculative risks dichotomy as a way to cross classify
risks. The examples provided in Table 1.2, “Examples of Pure versus Speculative
Risk Exposures” are not always a perfect fit into the pure versus speculative risk
dichotomy since each exposure might be regarded in alternative ways.
Operational risks, for example, can be regarded as operations that can cause only
loss or operations that can provide also gain. However, if it is more specifically
defined, the risks can be more clearly categorized.

The simultaneous consideration of pure and speculative risks within the

objectives continuum of Figure 1.3, “Roles (Objectives) Underlying the
Definition of Risk” is an approach to managing risk, which is known as enterprise
risk management (ERM). ERM is one of today’s key risk management
approaches. It considers all risks simultaneously and manages risk in a holistic or
enterprise-wide (and risk-wide) context. ERM was listed by the Harvard Business
Review as one of the key breakthrough areas in their 2004 evaluation of strategic
management approaches by top management.[9] In today’s environment,
identifying, evaluating, and mitigating all risks confronted by the entity is a key
focus. Firms that are evaluated by credit rating organizations such as Moody’s or
Standard & Poor’s are required to show their activities in the areas of enterprise
risk management. As you will see in later chapters, the risk manager in businesses
is no longer buried in the tranches of the enterprise. Risk managers are part of the
executive team and are essential to achieving the main objectives of the
enterprise. A picture of the enterprise risk map of life insurers is shown later in
Figure 1.5, “A Photo of Galveston Island after Hurricane Ike”.
Table 1.2. Examples of Pure versus Speculative Risk Exposures

Pure Risk—Loss or No Loss Only Speculative Risk—Possible

Gains or Losses

Physical damage risk to property (at the enterprise level) Market risks: interest risk,
such as caused by fire, flood, weather damage
foreign exchange risk, stock
market risk
Liability risk exposure (such as products liability,
premise liability, employment practice liability) Reputational risk

Innovation or technical obsolescence risk Brand risk

Operational risk: mistakes in process or procedure that Credit risk (at the individual
cause losses enterprise level)

Mortality and morbidity risk at the individual level Product success risk

Intellectual property violation risks Public relation risk

Environmental risks: water, air, hazardous-chemical,

and other pollution; depletion of resources; irreversible Population changes
destruction of food chains

Natural disaster damage: floods, earthquakes, Market for the product risk
windstorms
Man-made destructive risks: nuclear risks, wars,
unemployment, population changes, political risks Regulatory change risk

Mortality and morbidity risk at the societal and global

level (as in pandemics, social security program Political risk
exposure,
Nationalize health care systems, etc.)
Accounting risk
 Longevity risk at the societal
level

Genetic testing and genetic

engineering risk

Pure Risk—Loss or No Loss Only Speculative Risk—Possible

Gains or Losses

Investment risk

Research and development

risk

Within the class of pure risk exposures, it is common to further explore risks by
use of the dichotomy of personal property versus liability exposure risk.

B) Personal Loss Exposures—Personal Pure Risk

Because the financial consequences of all risk exposures are ultimately borne by
people (as individuals, stakeholders in corporations, or as taxpayers), it could be
said that all exposures are personal. Some risks, however, have a more direct
impact on people’s individual lives. Exposure to premature death, sickness,
disability, unemployment, and dependent old age are examples of personal loss
exposures when considered at the individual/personal level. An organization may
also experience loss from these events when such events affect employees. For
example, social support programs and employer-sponsored health or pension plan
costs can be affected by natural or man-made changes. The categorization is often
a matter of perspective. These events may be catastrophic or accidental.

C) Property Loss Exposures—Property Pure Risk

Property owners face the possibility of both direct and indirect (consequential)
losses. If a car is damaged in a collision, the direct loss is the cost of repairs. If a
firm experiences a fire in the warehouse, the direct cost is the cost of rebuilding
and replacing inventory. Consequential or indirect losses are nonphysical losses
such as loss of business. For example, a firm losing its clients because of street
closure would be a consequential loss. Such losses include the time and effort
required to arrange for repairs, the loss of use of the car or warehouse while
repairs are being made, and the additional cost of replacement facilities or lost
productivity. Property loss exposures are associated with both real property such
as buildings and personal property such as automobiles and the contents of a
building. A property is exposed to losses because of accidents or catastrophes
such as floods or hurricanes.

D) Liability Loss Exposures—Liability Pure Risk

The legal system is designed to mitigate risks and is not intended to create new
risks. However, it has the power of transferring the risk from your shoulders to
mine. Under most legal systems, a party can be held responsible for the financial
consequences of causing damage to others. One is exposed to the possibility of
liability loss (loss caused by a third party who is considered at fault) by having to
defend against a lawsuit when he or she has in some way hurt other people. The
responsible party may become legally obligated to pay for injury to persons or
damage to property. Liability risk may occur because of catastrophic loss
exposure or because of accidental loss exposure. Product liability is an illustrative
example: a firm is responsible for compensating persons injured by supplying a
defective product, which causes damage to an individual or another firm.

E) Catastrophic Loss Exposure and Fundamental or Systemic Pure Risk

Catastrophic risk is a concentration of strong, positively correlated risk exposures,

such as many homes in the same location. A loss that is catastrophic and includes
a large number of exposures in a single location is considered a no accidental risk.
All homes in the path will be damaged or destroyed when a flood occurs. As such
the flood impacts a large number of exposures, and as such, all these exposures
are subject to what is called a fundamental risk. Generally these types of risks are
too pervasive to be undertaken by insurers and affect the whole economy as
opposed to accidental risk for an individual. Too many people or properties may
be hurt or damaged in one location at once (and the insurer needs to worry about
its own solvency). Hurricanes in Florida and the southern and eastern shores of
the United States, floods in the Midwestern states, earthquakes in the western
states, and terrorism attacks are the types of loss exposures that are associated
with fundamental risk. Fundamental risks are generally systemic and no
diversifiable.
Accidental Loss Exposure and Particular Pure Risk

Many pure risks arise due to accidental causes of loss, not due to man-made or
intentional ones (such as making a bad investment). As opposed to fundamental
losses, non-catastrophic accidental losses, such as those caused by fires, are
considered particular risks. Often, when the potential losses are reasonably
bounded, a risk-transfer mechanism, such as insurance, can be used to handle the
financial consequences.

In summary, exposures are units that are exposed to possible losses. They can be
people, businesses, properties, and nations that are at risk of experiencing losses.
The term “exposures” is used to include all units subject to some potential loss.

Another possible categorization of exposures is as follows:

Risks of nature

Risks related to human nature (theft, burglary, embezzlement, fraud)

Man-made risks

Risks associated with data and knowledge.

Risks associated with the legal system (liability)—it does not create the risks but
it may shift them to your arena.

Risks related to large systems: governments, armies, large business organizations,

political groups.

Intellectual property

Pure and speculative risks are not the only way one might dichotomize risks.
Another breakdown is between catastrophic risks, such as flood and hurricanes,
as opposed to accidental losses such as those caused by accidents such as fires.
Another differentiation is by systemic or non-diversifiable risks, as opposed to
idiosyncratic or diversifiable risks; this is explained below.
 F) Diversifiable and Non diversifiable Risks

As noted above, another important dichotomy risk professionals use is between

diversifiable and non-diversifiable risk. Diversifiable risks are those that can have
their adverse consequences mitigated simply by having a well-diversified
portfolio of risk exposures. For example, having some factories located in non-
earthquake areas or hotels placed in numerous locations in the United States
diversifies the risk. If one property is damaged, the others are not subject to the
same geographical phenomenon causing the risks. A large number of relatively
homogeneous independent exposure units pooled together in a portfolio can make
the average, or per exposure, unit loss much more predictable, and since these
exposure units are independent of each other, the per-unit consequences of the
risk can then be significantly reduced, sometimes to the point of being ignorable.
These will be further explored in a later chapter about the tools to mitigate risks.
Diversification is the core of the modern portfolio theory in finance and in
insurance. Risks, which are idiosyncratic (with particular characteristics that are
not shared by all) in nature, are often viewed as being amenable to having their
financial consequences reduced or eliminated by holding a well-diversified
portfolio.

Systemic risks that are shared by all, on the other hand, such as global warming,
or movements of the entire economy such as that precipitated by the credit crisis
of fall 2008, are considered non diversifiable. Every asset or exposure in the
portfolio is affected. The negative effect does not go away by having more
elements in the portfolio. This will be discussed in detail below and in later
chapters. The field of risk management deals with both diversifiable and non-
diversifiable risks. As the events of September 2008 have shown, contrary to
some interpretations of financial theory, the idiosyncratic risks of some banks
could not always be diversified away. These risks have shown they have the
ability to come back to bite (and poison) the entire enterprise and others
associated with them.

Table 1.3, “Examples of Risk Exposures by the Diversifiable and Non

diversifiable Categories” provides examples of risk exposures by the categories
of diversifiable and non-diversifiable risk exposures. Many of them are self-
explanatory, but the most important distinction is whether the risk is unique or
idiosyncratic to a firm or not. For example, the reputation of a firm is unique to
the firm. Destroying one’s reputation is not a systemic risk in the economy or the
market-place. On the other hand, market risk, such as devaluation of the dollar is
systemic risk for all firms in the export or import businesses
In Table 1.3, “Examples of Risk Exposures by the Diversifiable and Non
diversifiable Categories” we provide examples of risks by these categories. The
examples are not complete and the student is invited to add as many examples as
desired.

Table 1.3. Examples of Risk Exposures by the Diversifiable and Non

diversifiable Categories
Diversifiable Risk— Non diversifiable Risks—Systemic Risk
Idiosyncratic
Risk
• Reputational risk • Market risk

• Brand risk • Regulatory risk

• Credit risk (at the individual

enterprise level) • Environmental risk

• Product risk • Political risk

• Legal risk • Inflation and recession risk

• Physical damage risk (at the

enterprise level) such as fire, • Accounting risk
flood,
weather damage
• Liability risk (products
liability, premise liability, • Longevity risk at the societal level
employment practice liability)

• Innovation or technical • Mortality and morbidity risk at the societal and

obsolesce risk global

Level (pandemics, social security program

exposure, nationalize health care systems, etc.)
• Operational risk

• Strategic risk
• Longevity risk at the
individual level

Diversifiable Risk— Non diversifiable Risks—Systemic Risk

Idiosyncratic
Risk
• Mortality and morbidity risk at
the individual level

G) Enterprise Risks
As discussed above, the opportunities in the risks and the fear of losses encompass
the holistic risk or the enterprise risk of an entity. The following is an example of
the enterprise risks of life insurers in a map in Figure 1.6, “Life Insurers’
Enterprise Risks”

Since enterprise risk management is a key current concept today, the enterprise
risk map of life insurers is offered here as an example. Operational risks include
public relations risks, environmental risks, and several others not detailed in the
map in Figure 1.4, “Risk Balls”. Because operational risks are so important, they
usually include a long list of risks from employment risks to the operations of
hardware and software for information systems.
Figure 1.6. Life Insurers’ Enterprise Risks

OTHER RISK

A) ASSET RISK

Both life and general insurers hold investments to support their policy liabilities
and capital and are subject to a range of asset risks. These risks include:

• Concentration risk – arising from inadequate diversification (or excessive

exposure to a particular asset or obligor);

• Credit risk – the risk of default by obligors, counterparties or reinsurers;

• Liquidity risk – the risk of insufficient liquidity to meet obligations when

required;
• Market risk – the risk of an adverse movement in the market value of assets
not matched by an equal and offsetting reduction in the market value of
liabilities; and

• Realization risk – where asset values are dependent on the continuing operation
of the business.

These risks are common to other types of financial institution also. While each of
these risks requires management, different sectors of the financial system need to
focus on those risks that are most important for them. In banking, the most
significant risk is the credit risk stemming from banks’ lending activities. The
liquidity risk that flows from banks’ deposit-taking business is also important. In
the insurance sector, the characteristic asset risk is market risk. This is because
insurers can, and often do,

Choose to invest policyholders’ money in ways that do not match policy

obligations. The extent of this mismatching behaviour differs across insurers.
Some insurers do not mismatch at all, while others may mismatch on a large scale
and in doing so introduce substantial market risk.

The ‘resilience’ of an insurer in the face of market risk can be usefully examined
with the help of a simple model .Of course, focusing only on those risks that are
characteristic of a given industry is unwise. For this reason, the banking sector is
now sharpening its focus on the risks involved in other areas such as trading.
Similarly, as insurers become more involved in lending, and more exposed to
counterparty risks in their use of derivatives for asset management, the insurance
sector will need to improve its credit risk management practices.

B) Operational Risk
Like any business, insurance companies face a number of other risks, mainly
operational in nature (or else arising through the premium rating process which
requires assumptions to be made about operational matters, such as the level of
expenses or the rate of policy attrition).

These risks include:

• Mistakes in promotional material or poor sales practices;

• Unsound product design;

• Errors in premiums or unit prices;

• Errors in effecting reinsurance;

• High rates of policy attrition;

• Unanticipated expense overruns; systems failure;

• Ill-disciplined investment activity; and fraud.

As with insurance and asset risks, both good management and capital are needed
to cope with risks such as these.
RISK ASSESSMENT PROCESS AND GUIDING
PRINCIPLES

Four Elements of Risk Guiding Principles

the Management
Process
1. Identify total assets and resources of
organizations.
Risk Assessment 2. Identify major exposures to loss.
3. Calculate values of assets and
resources.
4. Measure current risk.
5. Project and communicate future losses
and potential risk.
6. Support proactive risk and loss control
Risk Control programs.
7. Provide maximum incentive for
participation in risk control program.
8. Monitor effectiveness of risk control
activities.
9. Finance risk, taking advantage of all
Risk Financing available financial resources.
10. Maintain appropriate catastrophe
protection.
11. Create and sustain management
commitment to risk management.
12. Adopt a clearly defined risk
Administration
management structure.
13. Develop clearly targeted annual
objectives.
14. Maintain sound communications with
all affected levels of management.
STEPS IN THE RISK MANAGEMENT PROCESS
According to C. Arthur Williams Jr. and Richard Mr. Heins in their book Risk
Management and Insurance, the risk management process typically includes six
steps. These steps are

1) Determining the objectives of the organization,

2) Identifying exposures to loss,

3) Measuring those same exposures,

4) Selecting alternatives,

5) Implementing a solution, and

6) Monitoring the results.

The primary objective of an organization—growth, for example—will determine

its strategy for managing various risks. Identification and measurement of risks
are relatively straightforward concepts. Earthquake may be identified as a
potential exposure to loss, for example, but if the exposed facility is in New York
the probability of earthquake is slight and it will have a low priority as a risk to
be managed.

Businesses have several alternatives for the management of risk, including

avoiding, assuming, reducing, or transferring the risks. Avoiding risks, or loss
prevention, involves taking steps to prevent a loss from occurring, via such
methods as employee safety training. As another example, a pharmaceutical
company may decide not to market a drug because of the potential liability.
Assuming risks simply means accepting the possibility that a loss may occur and
being prepared to pay the consequences. Reducing risks, or loss reduction,
involves taking steps to reduce the probability or the severity of a loss, for
example by installing fire sprinklers.
Transferring risk refers to the practice of placing responsibility for a loss on
another party via a contract. The most common example of risk transference is
insurance, which allows a company to pay a small monthly premium in exchange
for protection against automobile accidents, theft or destruction of property,
employee disability, or a variety of other risks. Because of its costs, the insurance
option is usually chosen when the other options for managing risk do not provide
sufficient protection. Awareness of, and familiarity with, various types of
insurance policies is a necessary part of the risk management process. A final risk
management tool is self-retention of risks— sometimes referred to as "self-
insurance." Companies that choose this option set up a special account or fund to
be used in the event of a loss.

Any combination of these risk management tools may be applied in the fifth step
of the process, implementation. The final step, monitoring, involves a regular
review of the company's risk management tools to determine if they have obtained
the desired result or if they require modification. Nation's Business outlined some
easy risk management tools for small businesses: maintain a high quality of work;
train employees well and maintain equipment properly; install strong locks,
smoke detectors, and fire extinguishers; keep the office clean and free of hazards;
back up computer data often; and store records securely offsite.
What Are the Benefits of Risk Management to the
Insurance Company?
Insurance companies are in the business of managing risk. Insurance companies
live and die by prudent risk management. The purpose of an insurance company
is to determine the probabilities of risk and to design a premium structure
ensuring that the company has a high chance of profiting in the future. The higher
the risk, the larger the premium, and vice versa. In addition, insurance companies
need to differentiate risks posed by different individuals, companies, asset
classes, and other tasks. The more precise the risk model, the better an insurance
company can serve its customers and derive profit.

A) Fair Premium

With solid risk management procedures, an insurance company can determine

how high of a premium to certain customers charge during a particular period.
For example, if the insurance company knows the probability that a male of a
certain age who smokes has a certain likelihood of contracting a lethal cancer,
that company knows it should charge a higher premium to the insured person.
The charge reflects the risk of insurance. This protects the insurance company
from insolvency, and increases the chances that healthier insurance customers can
afford the premiums.

B) Long Term Solvency

The nature of the insurance business is such that small errors in a risk management
model can lead to long-term insolvency. An insurance company builds its
reputation on a long record of paying just claims. Insurance companies write
contracts and uphold them. Miscalculations in risk management models can lead
to severe losses at an insurance company over an extended period. It's important
for companies to use accurate data to determine their models and assure they stay
in business over the long run.
 C) Lower Costs

When an insurance company has a more competitive risk management

methodology relative to its competitors, it can afford to lower the costs of
coverage. This increases the insurance pool, improving the level of capitalization
for the firm. In general, the more people signed up for an insurance program, the
lower the premiums. The virtuous cycle in the insurance business occurs when a
risk management system is accurate, because the insurance company is likely to
make a profit on the vast majority of customers.
POTENTIAL RISK TREATMENTS

Once risks have been identified and assessed, all techniques to manage the risk
fall into one or more of these four major categories

• Avoidance (eliminate, withdraw from or not become involved)

• Reduction (optimize - mitigate)
• Sharing (transfer - outsource or insure)
• Retention (accept and budget)

Ideal use of these strategies may not be possible. Some of them may involve trade-
offs that are not acceptable to the organization or person making the risk
management decisions. Another source, from the US Department of Defence,
Defence Acquisition University, calls these categories ACAT, for Avoid,
Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of
another ACAT (for Acquisition Category) used in US Defence industry
procurements, in which Risk Management figures prominently in decision
making and planning.

A) Risk avoidance

This includes not performing an activity that could carry risk. An example would
be not buying a property or business in order to not take on the legal liability that
comes with it. Another would be not flying in order not to take the risk that the
airplane were to be hijacked. Avoidance may seem the answer to all risks, but
avoiding risks also means losing out on the potential gain that accepting
(retaining) the risk may have allowed. Not entering a business to avoid the risk of
loss also avoids the possibility of earning profits.

Hazard Prevention - Hazard prevention refers to the prevention of risks in an

emergency. The first and most effective stage of hazard prevention is the
elimination of hazards. If this takes too long, is too costly, or is otherwise
impractical, the second stage is mitigation.
 B) Risk reduction

Risk reduction or "optimization" involves reducing the severity of the loss or the
likelihood of the loss from occurring. For example, sprinklers are designed to put
out a fire to reduce the risk of loss by fire. This method may cause a greater loss
by water damage and therefore may not be suitable. Halon fire suppression
systems may mitigate that risk, but the cost may be prohibitive as a strategy.

Acknowledging that risks can be positive or negative, optimizing risks means

finding a balance between negative risk and the benefit of the operation or
activity; and between risk reduction and effort applied. By an offshore drilling
contractor effectively applying HSE Management in its organisation, it can
optimise risk to achieve levels of residual risk that are tolerable.

Modern software development methodologies reduce risk by developing and

delivering software incrementally. Early methodologies suffered from the fact
that they only delivered software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often jeopardized the
whole project. By developing in iterations, software projects can limit effort
wasted to a single iteration.

Outsourcing could be an example of risk reduction if the outsourcer can

demonstrate higher capability at managing or reducing risks.[11] For example, a
company may outsource only its software development, the manufacturing of
hard goods, or customer support needs to another company, while handling the
business management itself. This way, the company can concentrate more on
business development without having to worry as much about the manufacturing
process, managing the development team, or finding a physical location for a call
centre.

C) Risk sharing

Briefly defined as "sharing with another party the burden of loss or the benefit of
gain, from a risk, and the measures to reduce a risk."

The term of 'risk transfer' is often used in place of risk sharing in the mistaken
belief that you can transfer a risk to a third party through insurance or outsourcing.
In practice if the insurance company or contractor go bankrupt or end up in court,
the original risk is likely to still revert to the first party. As such in the terminology
of practitioners and scholars alike, the purchase of an insurance contract is often
described as a "transfer of risk." However, technically speaking, the buyer of the
contract generally retains legal responsibility for the losses "transferred",
meaning that insurance may be described more accurately as a post-event
compensatory mechanism. For example, a personal injuries insurance policy does
not transfer the risk of a car accident to the insurance company. The risk still lies
with the policy holder namely the person who has been in the accident. The
insurance policy simply provides that if an accident (the event) occurs involving
the policy holder then some compensation may be payable to the policy holder
that is commensurate to the suffering/damage.

Some ways of managing risk fall into multiple categories. Risk retention pools
are technically retaining the risk for the group, but spreading it over the whole
group involves transfer among individual members of the group. This is different
from traditional insurance, in that no premium is exchanged between members of
the group up front, but instead losses are assessed to all members of the group.

D) Risk retention

Involves accepting the loss, or benefit of gain, from a risk when it occurs. True
self-insurance falls in this category. Risk retention is a viable strategy for small
risks where the cost of insuring against the risk would be greater over time than
the total losses sustained. All risks that are not avoided or transferred are retained
by default. This includes risks that are so large or catastrophic that they either
cannot be insured against or the premiums would be infeasible. War is an example
since most property and risks are not insured against war, so the loss attributed
by war is retained by the insured. Also any amounts of potential loss (risk) over
the amount insured is retained risk. This may also be acceptable if the chance of
a very large loss is small or if the cost to insure for greater coverage amounts is
so great it would hinder the goals of the organization too much.
KEY TRENDS IN RISK MANAGEMENT

The Risk and Insurance Management Society (RIMS), the primary trade group
for risk managers, predicts that the key areas for risk management in the 21st
century will be operations management, environmental risks, and ethics. RIMS
also believes more small- and medium-size companies will focus on risk
management and will hire risk managers or assign risk management tasks to
treasurers or CFOs.

As RIMS predicted, corporate risk managers began concentrating more on

ensuring their companies' compliance with federal environmental regulations
during the 1990s. According to Risk Management, risk managers started to assess
environmental risks such as those associated with pollution, waste management,
and environmental liability in order to help companies bolster profitability and
competitiveness. In addition, stricter environmental regulations also prompted
companies to have risk managers review their compliance with environmental
policies to avoid any penalties for failing to comply.

Furthermore, Risk Management indicated that there were five times as many
natural disasters in the 1990s as the 1960s and that insurers paid 15 times what
they paid in the 1960s. For instance, there were a record 600 catastrophes
worldwide in 1996, which caused 12,000 deaths and $9 billion in losses from
insurance. Some experts attribute the increase in natural disasters to global
warming, which they believe will lead to more and fiercer crop damage, droughts,
floods, and windstorms in the future.

The trend towards mergers in the 1990s also affected risk management. More and
more companies called on risk managers to assess the risks involved in these
mergers and to join their merger and acquisition teams. Buyers and sellers both
use risk managers to identify and control risks. Risk managers on the buying side,
for instance, review a selling company's expenditures, insurance policies, loss
experience, and other aspects that could result in losses. After that, they develop
a plan for preventing or controlling the risks they identify.

A final trend in risk management has been the advent of non-traditional insurance
policies, providing risk managers with a new tool for preventing and controlling
risks. These insurance policies cover financial risks such as corporate profits and
currency fluctuation. Consequently, such policies ensure a level of profit even if
a company experiences unexpected losses from circumstances beyond its control,
such as natural disasters or economic problems in other parts of the world. In
addition, they guarantee profits for companies operating in international markets,
preventing losses if a currency appreciates or depreciates.
EMERGING AREAS OF RISK
MANAGEMENT
In the 1990s, new areas of risk management began to emerge that provide
managers with more options to protect their companies against new kinds of
exposures. According to the Risk and Insurance Management Society (RIMS),
the main trade organization for the risk management profession, among the
emerging areas for risk management were operations management,
environmental risks, and ethics.

As forecast by RIMS, risk managers of corporations started focusing more on

verifying their companies' compliance with federal environmental regulations in
the 1990s. According to Risk Management, risk managers began to assess
environmental risk such as those arising from pollution, waste management, and
environmental liability to help make their companies more profitable and
competitive. Furthermore, tighter environmental regulations also goaded
businesses to have risk managers check their compliance with environmental
policies to prevent possible penalties for noncompliance.

Companies also have the option of obtaining new kinds of insurance policies to
control risks, which managers and risk managers can take into consideration when
determining the best methods for covering potential risks. These non-traditional
insurance policies provide coverage of financial risks associated with corporate
profits and currency fluctuation. Hence, these policies in effect guarantee a
minimum level of profits, even when a company experiences unforeseen losses
from circumstances it cannot control (e.g., natural disasters or economic
downturns). Moreover, these non-traditional policies ensure profits for
companies doing business in international markets, and hence they help prevent
losses from fluctuations in a currency's value.

Risk managers can also help alleviate losses resulting from mergers. Stemming
from the wave of mergers in the 1990s, risk managers became a more integral
part of company merger and acquisition teams. Both parties in these transactions
rely on risk management services to determine and control or prevent risks. On
the buying side, risk managers examine a selling company's expenditures, loss
history, insurance policies, and other areas that indicate a company's potential
risks. Risk managers also suggest methods for preventing or controlling the risks
they find.

Finally, risk managers have been called upon to help businesses manage the risks
associated with increased reliance on the Internet. The importance of online
business activities in maintaining relationships with customers and suppliers,
communicating with employees, and advertising products and services has
offered companies many advantages, but also exposed them to new security risks
and liability issues. Business managers need to be aware of the various risks
involved in electronic communication and commerce and include Internet
security among their risk management activities.
KEY RISK FACED BY INSURANCE SECTOR
GLOBALLY
Capital and solvency
The first risks I want to highlight today relate to capital and solvency. Because
although the economic environment is more benign than this time last year, there
are still many short and longer-term prudential risks facing firms in this sector.

While our central scenario is one of steady recovery, there is still uncertainty
around the shape and pace of that recovery.

I joined the FSA in July, and since then the FTSE has risen by about 34% and
bond spreads are making their way back to pre-crisis levels. This has eased the
immediate pressure, but we’re not necessarily out of the woods yet.

As we travelled down the curve, the macroeconomic changes affected insurers in

different ways. The most marked difference being between the impact on the life
sector, where capital levels came under pressure and the non-life sector, where
reserve releases continued to support results, cushioning the impact of investment
and underwriting losses.

But this is only half of the story. And even though we are now recovering, this
economic crisis has left behind a hangover for both parts of the sector, which will
affect capital and solvency positions for some time to come.

As Jon Pain highlighted in his earlier speech, when combined with the regulatory
developments coming this way in the next few years, without a change in firms’
strategies and plans, many UK businesses will find it difficult to ever return to
the levels of income and profitability enjoyed before the crisis. I will return to
this longer term picture later.

Life insurers
In the life sector, the greatest challenges have been for those most exposed to falls
in asset values, widening bond spreads and low interest rates. In other words –
annuity providers and with-profits firms.
Although some of these pressures have now eased, in the event of a further
economic decline, some of these firms may find it difficult to take actions to
further conserve or raise additional capital. So a key priority is to pay careful
attention to capital management and planning, with a particular focus on the risk
of a further downturn in the economy.

And what might that look like?

Firstly, it’s about monitoring your solvency position. Conditions can change very
quickly and being slow to realise what’s happening and slow to respond could
make a big difference to both the capital conserving options available and the
opportunity cost – to shareholders and policyholders – of taking those actions. As
Jon mentioned earlier, regular and on-going stress testing is an important part of
planning ahead.

Secondly, you need to exercise care in the valuation of assets and liabilities, and
ensure they are appropriately matched by duration. Annuity providers in
particular remain exposed to renewed widening of bond spreads.

Under Solvency II, a key issue is the extent to which annuity writers are able to
reflect the illiquid nature of their liabilities in their valuation. The recent
industry/CEIOPS joint task-force report on this thorny question suggests it should
be possible to find prudentially sound approaches to incorporating an allowance
for illiquidity into the Solvency II framework. The report is a positive step and
gives the European Commission a good basis on which to put forward proposals
that will ensure future retirees receive a fair deal.

And while not related to economic conditions, it is also important that annuity
providers continue to keep pace with changes in life expectancy. Although most
have already strengthened assumptions in this area, we expect that you will need
to continue to do so.

Thirdly, guarantees and options must be appropriately valued and your stress and
scenario testing needs to show to what extent they remain affordable as economic
conditions change.

And finally, in raising additional capital, insurers considering innovative ways of

leveraging capital need to ensure that there is genuine risk transfer and that
Mergers and Acquisitions (M&A) transactions financed through debt don’t
diminish the overall quality of capital. We’ve already seen examples in some
insurers and intermediaries of how leveraged transactions have put pressure on
cash flows, particularly in stressed conditions, and we do not want to see this
replayed across the sector.

So for the life sector as a whole, prudential challenges continue to loom large for
2010. Capital management and capital planning are key to restoring the sector’s
strength and for preparation to withstand any further economic shocks.

General insurers
The impact of the financial crisis on the general insurance sector was less
immediate and less significant, but the prolonged recession and the slow and
uncertain recovery have increased the prudential risks in this sector.

Firstly, the long-term structural changes to the economy arising from the financial
crisis may fundamentally alter the characteristics of risks insured by the industry.
Pressure on corporate clients to drive down costs and squeeze out margins could
increase their risks, which could in turn lead to a pick-up in insurance claims
across commercial lines, from business interruption to product and employers’
liability. Given that pricing decisions rely on backward-looking data, how are you
going to take account of the changes to the trading environment in making future
decisions on reserving, pricing and underwriting?

Secondly, an economic downturn also tends to have an impact on people’s

propensity to claim, with increases in the number, size and type of claims.

This happens for a number of reasons:

• Increases in fraudulent claims by policyholders in financial difficulties;

• An increase in social crime leading to higher claims on property-related
insurance; or
• Decisions by commercial customers to self-finance fewer insured events.

Firms should take care not to underplay this risk, they should ensure they are
monitoring trends and building this into decisions on reserving.

In this context then, the third risk I want to highlight is the re-emerging issue of
reserving adequacy. Recent years have seen record reserve releases, but this is
likely to be unsustainable in the claims environment I’ve just described coupled
with lower investment returns and competitive pressures on price.

A more limited scope for reserve releasing, combined with lower investment
returns across the asset classes, will require firms to focus more on underwriting
for profit. Any loss of pricing discipline in this kind of environment could quickly
eat into capital, and firms need to be vigilant against the temptation to under-price
new business to remain competitive.

And finally, further sizeable movements in exchange rates remain a risk to

profitability and capital. Any firm with a significant currency mis-match either
on its balance sheet or its P&L must continue to be prepared for the possibility of
major shifts in either direction – especially given the uncertain macroeconomic
conditions.

So while the journey into recession was less risky for the General Insurance (GI)
sector, some significant hangover effects remain.

Solvency II
But of course, as important as all these prudential risks are, the single biggest
prudential challenge for all firms in the insurance sector is Solvency II. As Jon
mentioned, Solvency II will radically alter the capital adequacy regime for the
European insurance industry.

The Individual Capital Adequacy Standards regime in the UK is a strong

foundation on which to make the transition to Solvency II, but the new directive
goes much further. The requirements for delivering and demonstrating the
standards of risk management and governance will be challenging, and especially
so for groups that operate in multiple countries. Solvency II will require greater
disclosure and transparency, together with additional and more frequent
reporting.

Although there are some material technical issues that are not yet finalised, firms
should not be waiting for these to be resolved. There are bigger risks associated
with inadequate engagement than with managing through the uncertainty.

That’s all I want to say on Solvency II for now, because after the coffee break
there is a panel session on how far the UK has come in preparing for Solvency II
and how much there is still left to do. This is a chance for us to discuss and debate
what material challenges remain and what the FSA and you can do to ensure we
manage this risk.

Insurance intermediaries
My final comments on risks to capital and solvency concern intermediaries
operating in the insurance markets.
There is a risk that some firms in this sector don’t have a realistic assessment of
the amount of financial resources required to run their business and that as a result
some firms are not meeting our threshold condition requirements. We published
a Dear CEO letter about this risk last month and later today it will be the subject
of a panel discussion.

This is an ongoing issue in this sector, but one we are now more concerned about
given the continuing challenges in the economic environment.

Another source of risk in this sector, which is also exacerbated by market

conditions, is the reliance of the broker business model on growth through
acquisitions financed through debt. In the current environment increased risks
abound: servicing debt or interest payments; the availability and cost of
refinancing maturing debt; and goodwill write-downs, pose a real challenge to the
future viability of this business model.

Consumers
The second set of risks I want to highlight today are to do with consumers.

Across many parts of the life sector, the financial crisis and the following
recession appear to have reduced consumer demand for insurance products.

In the life sector, UK new business levels were down for the major groups in 2009
and cash outflows from the existing book continue to exceed new inflows. At the
same time, the savings rate is up from -0.7% at the start of 2008 to 8.6% at the
end of Q3 last year. So although people are saving more, there is not much
evidence that savings are flowing into the insurance sector.

In the non-life sector there is also evidence to show consumers are becoming more
willing to drop incidental or non-compulsory insurance cover in order to save
money. ABI data from research carried out in June 2009 suggested that 22% of
consumers surveyed had stopped taking out home contents insurance and 17%
had stopped taking out buildings insurance.

And for intermediaries competing for commercial business, the drop in economic
activity in areas like construction and shipping has left the same number of firms
chasing less business.

2012 and beyond

The final risks I want to mention today are those associated with the level of
change and uncertainty in the regulatory environment. Never is a discussion on
risk complete without a section on regulatory risk, but these risks are particularly
relevant today. On this occasion, last is most definitely not least.

With a significant number of policy initiatives converging in 2012 – the Retail

Distribution Review (RDR), pension reform under the guise of the government’s
National Employment Savings Trust (NEST) and Solvency II – you could be
forgiven for thinking the Mayan ‘end of an era’ predictions were made in relation
to the UK life sector rather than the ending of an astrological cycle.

And it doesn’t end there. As Jon outlined this morning, you’re also on the
receiving end of intensive supervision, which means a number of changes, not
least in terms of the kind of stress testing we expect of you. You can also look
forward to taxation changes necessitated by Solvency II, a review of the Insurance
Mediation Directive, and European Commission proposals on packaged retail
investment products. Oh and there’s always the small matter of a potential change
in government, which may bring with it a change in the UK’s regulatory
approach. And whichever political party wins the day, a tougher taxation
environment also appears inevitable.

You don’t need me to tell you that the combination of all of these changes and all
this uncertainty, together with the uncertainty in the macroeconomic outlook,
make for extremely challenging times at the moment. But for the life sector in
particular, they give rise to a significant question over the sustainability of certain
business models.

The agents of change are the 2012 trio of RDR, NEST and Solvency II. Both the
RDR and NEST will change the deal between consumers and the industry.
Potentially leading to changes in consumer behaviour and preferences, and
changes in the kinds of products and markets attractive to firms. Solvency II
invites a much closer relationship between the kind of business a firm does and
how much capital it holds. And this will lead, in some cases, to certain types of
business being more expensive to write than under the existing regime.

Each of these initiatives has very good reasons for being and presents a wealth of
opportunity as well as risk. But of course it is the risks that I am focused on today.

In order to rise to these challenges and keep your business viable, you’ll need to
undertake regular and challenging reassessments of your strategy and the
adequacy of your resources to deliver that strategy. Ask yourself if your strategy
remains fit for purpose among all this change. If not, re-evaluate.
We’ll be doing some analysis of our own of what the world might look like for
the life sector in 2012 and beyond. And if you’ve chosen to attend ‘The future of
life insurance’ panel after lunch you will have the chance to share your views on
the issue.

ENTERPRISE RISK MANGEMENT FOR INSURANCE

COMPANY

Risk in Non-life Insurance Underwriting

Introduction

This chapter addresses the risks inherent in non-life underwriting from the
perspective of the Risk Officer. It covers risk issues such as mitigating
unintended concentrations, evaluating correlations between risks, ensuring an
adequate underwriting infrastructure to measure and manage exposures, and
ensuring adequate data for quantifying risk accumulations and measuring
diversification. The underwriting process itself is not addressed as that subject is
amply covered in underwriting texts.

Risks in Underwriting Individual accounts

A non-life insurance company is in the business of assuming risk from individuals

and businesses. Underwriting is the discipline of understanding and evaluating
which risks to intentionally assume. Minimizing unintended underwriting risk
and the risk to the enterprise from unintended risk accumulations is generally a
responsibility shared between Underwriting and Risk Management (“RM”); both
disciplines are critical.

The underwriting function needs to ensure that a robust infrastructure is in place

so when individual accounts are underwritten the underwriter has: adequate
information on the risk, such that the exposures can be reasonably known and
understood, the skills and experience required to analyse the risk, and the ability
and incentive to design coverage and price the account properly. Underwriting
authority needs to be granted based on skills and experience and not on
managerial hierarchical level. Referral authorities need to be in place, as well as
effective auditing to ensure compliance with delegated authorities, in order to
minimize opportunities for “rogue” activities. The underwriting infrastructure
also needs to provide training and oversight such that applicable laws, statutes,
regulations, filings and so forth are rigorously followed. Adherence to filed rates,
forms and similar measures is intended to reduce the opportunity for money
laundering, terrorism funding, and so forth, and to ensure that customers are
treated fairly.

An underwriting infrastructure also needs to be in place to allow for the

meaningful capture of data on the risks underwritten. This is necessary to monitor
concentrations, meet any regulatory reporting requirements and have the ability
to manage the underwriting of individual accounts to remain within agreed limits
on aggregate concentrations.

Concentration Risk from Insurance Activities

The insurance and reinsurance mechanisms work most effectively when dealing
with risks that are not correlated with one another. By this we mean that the
likelihood of a claim occurring is not impacted by the fact that another claim has
occurred. In cases where risks are correlated with one another, the (re)insurer
must be cognizant of potential concentration risk.

Concentration risk arises in multiple forms and is the area where RM generally
has the greatest involvement. Concentration risk arises from systemic risks,
stacking risk, and clash risks. A particular form of systemic risk comes from
natural and man-made catastrophic exposure.

Systemic risk is the accumulation of losses triggered by a single event or cause,

affecting one or more industry segments rather than a single risk. Asbestos is the
classic example of a systemic risk affecting multiple industries and policyholders,
lines of business and policy years. RM and Underwriting need to ensure
processes are in place to identify similar potential risks and to monitor and
effectively control accumulations.

A current risk with potential systemic impact is nanotechnology. Underwriting

and RM need to determine the economic risks, which lines of business might be
exposed to loss (i.e., products liability, workers compensation), the likely
effectiveness of coverage restrictions in policy wordings, the probability of
different economic risk outcomes and the aggregate limit to expose the enterprise.

Stacking is another aspect of concentration risk. Stacking refers to the

accumulation of net (after reinsurance) retentions within the same line of business
on the same insured. Here the risk arises, for example, from multiple business
units providing coverage for the same policyholder plus participation in a
reinsurance program from a policyholder’s reinsurance captive. Procedures such
as a name and location clearance system are typical ways to prevent such an
unintended accumulation.

Clash is a similar concentration risk that occurs when one or more business units
insure more than one line of business for the same policyholder which could be
affected by the same claim or incident. This could lead to a higher than intended
aggregate loss. Reasonable foresee ability and a large dose of common sense,
together with an effective name clearance system and an agreed exposure limit
are the keys for Underwriting and RM in managing these exposures.

Exposure to systemic risk arises from both natural and man-made catastrophic
events. Monitoring and managing risk accumulations requires detailed data (see
below), models and an underwriting infrastructure that spans all lines of business
and all business units that write policies in potentially exposed locations. Critical
from a RM perspective is the ability to monitor accumulations across lines of
business and locations and to intervene when aggregate limit boundaries are
breached. Mitigation actions might include simply abstaining from additional
underwriting commitments (or no renewing existing commitments upon expiry)
or purchasing additional treaty or facultative reinsurance for peak exposures. The
critical element is having the infrastructure to identify unintended accumulations
across multiple business units and all lines of business.

The concentration risk of natural catastrophes arises primarily from exposure to

earthquakes, floods and windstorms. Property damage and business interruption
accumulations are typically modelled by using sophisticated commercial
modelling tools (RMS, AIR, EQECAT, etc.). Systemic risk also includes
additional lines of business, such as workers compensation, employer’s liability,
accident and health, group life, marine, and automobile physical damage. These
exposures may not be coded to location in the same detail as property policies,
nor be subject to the same modelling capability. As such, RM needs to be
comfortable that processes are in place and effective to identify peak property
exposures through name and location clearance systems in order to allow for
identification of significant exposures to non-property lines of business at the
same location.

Man-made catastrophic events can similarly impact all lines of business. This
category includes events ranging from terrorism, primarily, to a train accident
involving toxic chemicals. Terrorism exposures are generally divided into two
categories: conventional attacks (conventional bomb, aircraft used as a missile)
and nonconventional (nuclear, chemical, biological, radiological “NCBR” e.g. a
“dirty bomb”). Property and business interruption policies may or may not
include coverage for a terrorist act or coverage for NCBR. Policies covering
worker compensation or employers liability, by their nature, may provide
coverage for all such events. From a RM perspective, it’s important that data be
captured identifying policies with NCBR coverage. It is also vital that the same
infrastructure and modelling capability for monitoring and managing
accumulations noted for natural catastrophes be in place for man-made
catastrophic exposures.

Stress Scenarios

Stress scenarios are especially necessary for determining aggregate limit

boundaries for natural and man-made catastrophic events and guiding decisions
on purchasing reinsurance protections. For example, in addition to considering
the results generated from the modelling tools, the ERM framework for Lloyd’s
includes consideration of specific Realistic Disaster Scenarios as a test of
exposures under extraordinary circumstances.

Further, RM is uniquely positioned in many insurance organizations to consider

the interaction of risks from different organizational silos in stress scenarios. Very
low probability events, like a 1 in 250 year windstorm or earthquake, a significant
terrorism incident, or a pandemic will require RM to have considered not just the
underwriting risk but to have incorporated the potential impact on the investment
portfolio, liquidity, reinsurance recoverable, and business continuity both from a
holding company and individual subsidiary legal entities level. Mitigation
actions may then involve internal or commercial reinsurance, standby credit,
and/or similar arrangements to balance the potential exposures and financial
stress the organization faces.
Concentration Risk from Credit-Related Exposures

Another aspect of concentration risk arises from multiple financial-related

exposures to an individual policyholder. A significant event, such as a fraud or
severe downturn in profitability, might lead to losses from a D&O policy, surety
and fiduciary coverage’s, and/or financial guarantees, plus losses on any debt or
equity investments, securities lending, reinsurance recoverable from a captive,
and exposure as a counterparty to a derivative transaction. In addition, third-party
liability and/or retrospectively rated insurance programs may generate exposure
due to large deductibles, retrospective premium adjustments or other credit risk.

From a RM perspective, tools to monitor and evaluate peak exposures bridging

insurance commitments and financial holdings need to be in place, as well as
assurance that assessments of the creditworthiness of the policyholder are
effective and guiding collateral negotiations. Correlations between the various
insurance and financial exposures under stress scenarios need to be determined
with limits set reflecting both underwriting and credit rating considerations.

Data Capture

Accurate, thorough, relevant, detailed data capture is key to measuring, modelling

and managing the risks of unintended exposure accumulations. RM needs to
ensure that adequate auditing is in place to allow reliance on the data collected.
Similarly, RM needs to be comfortable that underwriting has the processes in
place to monitor and manage individual account underwriting across multiple
business units, policyholders and lines of business to stay within agreed risk
limits. Name clearance systems, allowing each underwriter participating on a
policyholder’s program to see all the commitments to that policyholder, are an
effective tool in this regard, as are systems to monitor accumulations by class and
line of business.

Detailed data capture is especially critical for monitoring property accumulations

for catastrophic exposure to both natural and man-made events. Granular data
including the policyholder’s type of business, number of employees, construction
type and age, values insured, business interruption coverage and limits, and so
forth, for each precise location (street address, latitude and longitude) are critical.
Experience from many insurers examining losses from Katrina has shown that
modelled catastrophic exposures were understated. One reason for this was
incomplete data capture of insured locations. Risk needs to be comfortable that
data capture is complete and audited as necessary for the modelled accumulations
to be meaningful.

RM must also be forward thinking about data capture. It is not sufficient to think
about capturing data for risks that are current and obvious, but to also think about
where the emerging risks are arising and what data is necessary to assess these
risks.

Reinsurance Risk

Reinsurance is a widely used and valuable tool for mitigating peak risks on both
individual accounts and portfolios. Inherent in reinsurance are several risks of
concern to the Risk Officer.

First and foremost RM must be attentive that the reinsurance purchased is actually
providing the appropriate coverage to mitigate the peak risks. In this regard, there
needs to be strong communication between underwriting and the reinsurance
buying function to ensure that underwriters are aware of the provisions of the
reinsurance treaties being purchased. In particular, awareness of exclusions or
special acceptance criteria is vital. On the facultative side, underwriters or
facultative buyers must be trained to have coverage afforded by the facultative
reinsurance be concurrent with the terms of the underlying policy.

The insurance enterprise is exposed to various risks when purchasing reinsurance.

These include: Credit Risk, Regulatory Risk, Operational Risk (including
NonConcurrency (mentioned above) Lack of Contract Certainty, and
Accounting/Tax Risk) and potentially Reputational Risk.

Credit risk has numerous aspects which must be managed. The starting point is
the assessment of the credit worthiness of the reinsurer. This process generally
leads to an “approved list” of acceptable reinsurers and a limit on the aggregate
credit exposure to an individual reinsurer which is linked to its credit rating.
Reinsurance may be purchased locally on a facultative basis by underwriters for
individual accounts with peak exposures and also in multiple business offices on
a portfolio, or treaty, basis. RM needs to ensure that adequate controls are in place
so accumulations by reinsurer are monitored with actions taken to mitigate peak
exposures.

Accounting risk arises as accounting for reinsurance transactions can be complex.

Reinsurance transactions need to have risk transfer characteristics in totality
support insurance/reinsurance accounting (to be included in financial results as
reinsurance) and these characteristics need to be appropriately analysed and
documented. In particular, the accounting must consider all aspects of the
agreement, including any written or verbal side agreements

Also of concern is ensuring that reinsurance transactions are not structured to

obfuscate the true financial results of the company. Overly complex transactions
and certain “circular” transactions can lead to accounting difficulties. For
example, policyholders may have captive insurers or reinsurers involved in their
risk management program. Sometimes the structure of these transaction becomes
extremely complicated with the captive being the insurer, a reinsurer and/or a
retrocession ire. With many moving parts, it becomes difficult to assess the true
nature of the transactions and to record all of the necessary accounting entries in
an accurate and timely manner. This operational risk is one on which the Risk
Officer’s organization must focus, ensuring that appropriate controls are in place
to mitigate the risk.

For both commercial reinsurance and captive arrangements, training and

oversight need to be emphasized and sufficiently robust to ensure that there is a
significant degree of risk transfer (underwriting and timing risk), any fees are
reasonable, no side agreements, verbal or written, the financial records of both
parties reflect the transaction the same way, and similar measures. The Risk
Officer needs to be comfortable that procedures are in place so all such
arrangements receive appropriate oversight and monitoring.

Facultative reinsurance purchased locally to protect individual policies and treaty

reinsurance has significant measures of operational risk. These include delays in
agreeing policy wording and a resulting lack of contract certainty, non-concurrent
terms and a simple failure to execute as intended. The Risk Officer needs to
ensure that the operational risk measures developed enterprise-wide extend to the
placement of reinsurance.
Alternative Risk Transfer

Large natural catastrophe losses in 2004 and 2005 and enhancements to

catastrophe accumulation models have increased the demand for reinsurance and
retrocessional protections. In turn, this demand has led to increased utilization of
alternative risk transfer mechanisms to supplement the traditional reinsurance
markets. In particular catastrophe bonds, industry loss warranty protections,
hedge funds and so-called “sidecars” have grown in popularity. These facilities
provide much needed fully collateralized capacity to insurers and reinsurers but
may include basis risk which must be included in risk capital determinations.

Catastrophe bonds typically involve a special purpose vehicle which provides

protection to the insurer/reinsurer. This is done through traditional, indemnity
reinsurance coverage based on the insurer’s ultimate net loss, or, more typically,
a recovery is determined based on a derivative (or parametric) measure of the
loss. For example, one based on the industry loss or the modelled loss from an
event. The SPV, in turn, develops its capitalization through the issuance of bonds
to investors. In the event the reinsurance is triggered, the bondholder will not
receive all or any of their principle at maturity. The parametric coverage
approach, while more attractive to the investor in the catastrophe bonds as the
investor doesn’t have to underwrite the individual company, includes basis risk
the Risk Officer needs to evaluate. That is, it is possible that the buyer could have
a loss to which the coverage does not respond.

Industry loss warranty protections are structured similarly but the protection
triggers are typically based on relatively narrowly defined risks and regions and
a resulting aggregate industry loss. Industry loss warranties are attractive to
investors for simplicity but include considerable basis risk for the insurer which
needs to be evaluated.

Another alternative source of reinsurance capacity is reinsurance provided by

thinly capitalized reinsurers backed by hedge funds. These reinsurers provide
reinsurance on a fully collateralized basis, meaning that the full limit of the
reinsurance is collateralized at the inception of the contract. Risks with these
vehicles include operational risks, risks pertaining to the collateral and failure to
satisfy statutory requirements. The RM should also be aware that these vehicles
typically do not include the reinstatement coverage available in traditional
reinsurance.

Finally, so-called “side cars” are special purpose reinsurance vehicles similar to
those vehicles that facilitate Catastrophe Bonds. These vehicles are funded by
both debt and equity and typically provide quota share reinsurance to the sponsor
(re)insurer. The SPV has limited capital resources and this limitation acts to cap
the quota share coverage provided by the facility. This structure has the potential
of “tail risk”, which is the risk that the sidecar cannot meet its reinsurance
obligations to the cadent in an extreme event.

RM should consider and be aware that many alternative sources of reinsurance

are transacted with capital that may be more opportunistic than traditional
reinsurance. This capital may disappear if terms and conditions are not ideal.

Post –Event Large Loss Reviews

Insight into the effectiveness of the myriad individual account underwriting

processes, concentration monitoring and management, data collection and
operational risk can be gained through a systematic review of large losses in a
collaborative effort between underwriting and RM. Incidents that lead to insured
losses happen. That’s why people and companies buy insurance. But insight into
adherence to relevant guidelines when the risk was underwritten and the impact
the risk has had on the various concentration management measures can provide
Underwriting and RM with valuable information.

Emerging Risks
Emerging risks are exposures which may develop or already exist. They are
difficult to quantify, may have a high loss potential and are marked by a high
degree of uncertainty. Risks involving emerging technologies or environmental
changes require identification, assessment, monitoring and mitigation. Examples
of such emerging risks would include nanotechnology, pandemics, genetically
modified foods, changes in weather patterns, and so forth. RM needs to ensure
that Underwriting identifies coverage triggers, lines of business potentially
exposed, limits, accumulation potential across lines of business and policy years,
reinsurance applicability and monitors developments broadly in the insurance,
healthcare and legal arenas. Mitigation actions need to be agreed with
Underwriting regarding coverage, limit and volume restrictions, reinsurance
protection and monitoring of potential accumulations. RM is a key driver in
determining the importance of identifying emerging risks, designing actions to
contain unintended accumulations and monitoring that risk measures are
effectively in place.

Correlated Risk

Assessing the degree of correlation between lines of business and for each line to
other risk types is a critical requirement. It is necessary to determine risk capital
and optimize the mix by line, limits exposed and volume in order to minimize
required capital through diversification. Relevant experience may well be very
limited for analysing correlations, especially at the critical stress levels most
important to risk capital determinations. Hence, RM generally needs to work
closely with Underwriting to judgmentally assess and agree the degree of
correlation.

As an example, property and business interruption coverage’s may generally be

seen as having a very low correlation with casualty coverage’s. An incident
causing a loss may not typically affect both coverage’s, exposure to inflation in
loss costs in future years is far less in property, reinsurance costs tend to have
different trends, and so forth. The actual situation is more subtle, however, for
the more extreme scenarios. A large factory explosion may lead to losses to
policies that protect workers and to liability if neighbouring buildings are
damaged. Potential for a D&O exposure also exists if the explosion was found
to be the result of management negligence. Similarly, one would expect a higher
degree of correlation between D&O exposure, surety, financial guarantees and
the investment portfolio under stress scenarios. Operational risk might be seen as
more strongly correlated with property exposures due to the complications with
monitoring aggregate catastrophe accumulations and placing facultative
reinsurance than casualty exposures. RM and Underwriting need to ensure that
adequate consideration is given to stress scenarios intended to mirror the
probabilities and correlations underlying the risk capital calculations, especially
as respects individual subsidiary legal entities.

Risks in the Underwriting “Cycle”

Price levels in non-life insurance tend to move in multi-year cycles as the result
of varying levels of industry capital, economic outlook, competition and similar
considerations (see diagram below). Theoretically, an actuarially correct price
for each account can be consistently determined based on desired ROE and
anticipated loss trends. Actual prices, terms and conditions will deviate from the
actuarial price based on marketplace conditions.

Increased risk results from a failure to systematically measure deviations from the
actuarial price and to fully recognize such deviations in current financial results,
particularly during times when marketplace pricing is less than the actuarial price.
RM needs special attention that actual pricing, terms and conditions are
monitored and that loss reserves and current financial results reflect deviations
from actuarial pricing. Risk capital is required for uncertainty in this measurement
due to the increased risk of understated loss reserves and added volatility as a
consequence.
Where Will The Indian Insurance Market Be In 2020?

Vision 2020 identified the following factors as the engines of economic growth
in India: Rising education level, rates of technological innovation, cheaper and
faster communication, availability of information, and globalization. It makes no
mention of the financial sector. Economic growth does not take place in vacuum.
There are two critical

Ingredients needed. First, there has to be a well-defined legal environment. Legal

framework has big impact on the development of the financial sector. As a result,
it also

Has a huge impact on economic growth (see La Porta et al., 1998). Second, there
has to be a well-functioning financial market (see Sinha, 2001). Vision 2020
document mentions “insurance” eight times in the 108 pages. On the other hand,
it mentions banking only once! Given that services sector will become the largest
in India, both insurance and banking will play a critical role along with the stock
market. This document does, however, contain a paragraph about a particular area
of insurance: health insurance. “Health insurance can play an invaluable role in
improving the overall health care system. The insurable population in India has
been assessed at 250 million and this number will increase rapidly in the coming
two decades. This should be supplemented by innovative insurance products and
programmes by panchayats with reinsurance backup by companies and
government to extend coverage to much larger sections of the population.”
(Planning Commission, 2003, page 55). At present, health insurance is not being
discussed much. But, Indians spend close to 5% of their income

Out of pocket for health related issues. Thus, it is easy to see why this is an easy
pick. So is the pension market. At present, private pension is its infancy in India.
It will not remain so in the coming decades. Let us conduct the following thought
experiment using Table 1 for getting an idea of where the Indian market might be
in 2020. First, let us follow an extremely conservative projection: insurance
demand goes exactly in line with income. In this case, we are assuming that in
2020, even in the face of rising income, the penetration of insurance
(premium/GDP) stays exactly the same as in 2002. In that case, we will simply
multiply the current premium volume figure four-fold. In Sigma 8/2003, such
figures are available for 2002 for India. In such a case, the premium volume will
be USD 67 billion. Of course, evidence from other countries show that rising
income below certain threshold has a nonlinear impact on insurance demand (the
so-called S curve of insurance demand). So, insurance penetration is not likely to
stay at 3.2% for India (the figure for 2002) in 2020. If the penetration rises to 5%
(more plausible if we believe in the S curve), then the premium volume will rise
to USD 105 billion. If it rises to 6%, then the premium volume would rise to USD
121 billion. This thought experiment above does not even address the two future
potential growth drivers: private pensions and health insurance. Given that
Indians are already spending 5% of their income out of pocket for health care,
this could easily add another USD 30 to 40 billion by 2020. This will raise the
premium volume to USD 135 to USD 160 region by 2020.

The insurance business is at a critical stage in India. Over the next two decades
we are likely to witness high growth in the insurance sector for three reasons.
Financial deregulation always speeds up the development of the insurance sector.
Growth in income also helps the insurance business to grow. In addition,
increased longevity and aging population will also spur growth in health and
pension segments.
Conclusion

Insurance is a valuable risk-financing tool. Few organizations have the reserves

or funds necessary to take on the risk themselves and pay the total costs following
a loss. Purchasing insurance, however, is not risk management. A thorough and
thoughtful risk management plan is the commitment to prevent harm. Risk
management also addresses many risks that are not insurable, including brand
integrity, potential loss of tax-exempt status for volunteer groups, public goodwill
and continuing donor support.

An organization should have a risk management strategy because:

• People are now more likely to sue. Taking the steps to reduce injuries could
help in defending against a claim.
• Courts are often sympathetic to injured claimants and give them the benefit
of the doubt.
• Organizations and individuals are held to very high standards of care.
• People are more aware of the level of service to expect, and the recourse
they can take if they have been wronged.
• Organizations are being held liable for the actions of their
employees/volunteers.
• Organizations are perceived as having a lot of assets and/or high insurance
policy limits.