Centre for Risk & Insurance Studies
enhancing the understanding of risk and insurance
Risk governance in UK insurers: beyond the
audit committee
Christopher O’Brien
CRIS Discussion Paper Series – 2011.I
Centre for Risk and Insurance Studies
Nottingham University Business School
Abstract
Following the global financial crisis of 2008 a Treasury-commissioned report by Sir David Walker
recommended a strengthening of the risk governance in UK financial institutions. This paper
examines listed UK insurers and finds that many responded by establishing board risk committees as
suggested or changing the membership of existing committees to remove executive dominance.
However, while Walker recommended the committees focus on fundamental prudential risks the
committees, in practice, cover all risks, consistent with an enterprise-wide view of risk. Risk
management was typically regarded as including monitoring internal controls, although there were
inconsistencies between firms in co-ordination of the activities of risk and audit committees. We also
find that insurers differ in the emphasis they give to different elements of risk management –
monitoring, quantitative modelling and strategic risk – and there is a link between this emphasis and
the professional background of the CRO, where both actuaries and accountants play an important
role.
Keywords
Audit committees; corporate governance; insurance; risk committees; risk governance; risk
management.
1. Introduction
Early papers on risk governance were concerned with the problem of how to take decisions in public
policy areas with complex risks relating to health and the environment, and involved the role of
science and experts (van Asselt & Renn, 2011). Businesses also face the problem of decision-taking
when outcomes are uncertain, and have to recognise that multiple stakeholders are involved.
Corporate governance is often concerned with the agency problem, i.e. managers may act in their
own rather than the shareholders’ interests, and what mechanisms - such as audit committees - may
be implemented to address this. There is also a separate concern: that firms, by seeking to increase
shareholder value, may act contrary to wider societal interests: this problem is not solved by
governance mechanisms designed to protect shareholders’ interests but, rather, regulation may be
appropriate. These issues came into sharp focus in the global financial crisis of 2008 when, among
other factors, risky decisions made by bonus-incentivised bankers impacted on taxpayers when
governments felt obliged to bail out financially distressed banks.
Ensuring that managers take risky decisions in shareholders’ interests is particularly problematic for
three reasons. First, there is a large body of evidence which indicates that individuals are subject to
biases when considering risks: for example, March & Shapira (1987) found that managers were
insensitive to estimates of probabilities of possible outcomes and their decisions were particularly
affected by their being focussed on critical performance targets; MacCrimmon & Wehrling (1990)
concluded that personal characteristics of executives affected their risk-taking; while Helliar et al.’s
(2001) findings were that managers made choices that depended on how questions were framed,
and tended to treat high probability outcomes as certain and ignore low probability outcomes.
Second, remuneration structures bias decisions about risk (Stulz, 1984): in particular, there is
evidence that managers’ holding of share options is associated with firms hedging less than otherwise
(Tufano, 1996) and with firms’ performance becoming more extreme (Sanders & Hambrick, 2007); and that
managers’ shareholdings affect the degree of risk in acquisitions (May, 1995) and how they buy
insurance (Aunon-Nerin & Ehling, 2008). Shareholder influence, as reflected in share ownership
structures, can play some role in mitigating managerial dominance (Mayers & Smith, 1990; Laeven &
Levine, 2009). And third, it is difficult to monitor whether decisions are taken in shareholders’ or
managers’ interests, given the problems, before the event, in judging risks and their potential
impact. Hence risk governance is an issue.
While banks have been the focus of much recent discussion on these questions, this paper examines
the insurance industry, where risk is inherent in the business: insurers are setting out to take risks
from individuals and firms and to place these on their own balance sheet. The evidence in this paper
is from the UK insurance industry, which was the third largest in the world in 2010, measured by
premiums (Swiss Re, 2011).
Previous research has shown that managerial incentives in insurance firms are associated with firms’
decisions on, for example, holdings of capital and portfolio risks (Cummins & Sommer, 1996), risk
exposures (Chen et al., 2001; Milidonis & Stathopoulos, 2011), and what firms set aside as provisions
for future claims (Browne et al., 2009). There are therefore reasons to think that the governance
arrangements for insurers’ risk decisions are important.
Concern about corporate governance in banks and insurers led the UK Treasury to commission a
report from Sir David Walker (2009) who, when considering risk governance, suggested that large
financial institutions establish a board risk committee, separate from the audit committee. One of
the contributions of this paper is to establish whether his recommendations for the composition and
activities of risk committees were fulfilled; the outcome indicates some differences. Following on,
the paper considers the consequences for the relationship between the risk and audit committees,
especially given the ambiguity about the relationship between internal controls and risk
management (Page & Spira, 2004). Lastly, we examine the role of professionals – notably
accountants and actuaries – in risk management, recalling Dowd & Blake’s (2006, p. 221) comment:
“the stage was set for a classic turf war”, and assess whether there is a link between the type of
individual acting as Chief Risk Officer (CRO) and the form in which risk management is carried out,
which Mikes (2008) found to be the case in banks.
2. Background
2.1 Elements of risk management
Risk management was traditionally concerned with buying insurance, hedging financial risks with
derivatives and taking steps to ensure health and safety. More generally, if a firm’s processes did not
operate as they should or if they breached some regulation, the unplanned outcome was a risk;
hence monitoring is part of holistic risk management (Smallman, 1996). Indeed, risk teams in UK
insurers were originally set up in the late 1980s as compliance teams (Deighton et al., 2009). Mikes
(2008) explains that one role of the risk function in banks is to act as compliance champion,
delivering compliance with regulatory requirements, and building and safeguarding a risk
management framework. When the losses of UBS rogue trader Kweku Adoboli came to light, the
Financial Times (2011) reported that the CRO “is facing every risk officer’s worst nightmare just nine
months into the job – she will face tough questions about UBS’s controls”.
One approach that many UK insurers use to monitor activities is the ‘three lines of defence’ model
(Deighton et al., 2009). The first line is line managers carrying out risk management; second, a
central risk function, supported by a risk committee, interprets group policy, provides support and
collates information; and thirdly, independent assurance is provided by internal audit, and possibly
external consultants. The second level may have committees focussing on specific risk types, such as
assessing the claims-paying ability of reinsurers. We use the shorthand of ‘monitoring’ to refer to
this element of risk management, where a risk framework is built and activities are reviewed for
compliance.
The second main element of risk management is quantitative techniques, which insurers use to
calculate the premiums they charge and to make stochastic projections of their future financial
position using internal models of their own business. The techniques have become increasingly
sophisticated, involving probability distributions of future outcomes for financial markets and
insurance claims. Such models can, in principle, indicate what capital is needed to ensure the insurer
remains solvent over a given timescale with a specified probability – assuming, of course, that the
model is appropriate. Firms’ modelling abilities have been increased by improved IT capabilities and
by advances by the actuarial profession (e.g. Frankland et al., 2009; Varnell, 2011).
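The following is an added example, not code from the paper or from any insurer it describes. It shows the mechanics the paragraph sketches: a probability distribution of annual claims is projected by simulation and turned into the capital needed to remain solvent over one year with a specified probability (Solvency II calibrates the solvency capital requirement to a 99.5% one-year level, and that quantile is used here). It also illustrates the caveat “assuming, of course, that the model is appropriate”: two candidate severity models with the same mean claim give very different capital figures once the tail is examined. The claim frequency, claim sizes, premium income and scenario count are all constructed for illustration, and only the Python standard library is used.

```python
"""Toy stochastic solvency projection (added example, not from the paper).

Compound-Poisson model of one year's claims: claim count ~ Poisson(lambda),
claim sizes drawn from a chosen severity distribution. Capital is the amount
needed, on top of premium income, so that the insurer stays solvent in a
given proportion of simulated years. All parameters are constructed.
"""
import math
import random
from typing import Callable, Dict, List

Severity = Callable[[random.Random], float]


def poisson_count(rng: random.Random, lam: float) -> int:
    """Draw a Poisson(lam) claim count (Knuth's multiplication method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(severity: Severity, expected_claims: float,
                           n_scenarios: int, seed: int = 2011) -> List[float]:
    """Project n_scenarios years of aggregate claims for one book of business."""
    rng = random.Random(seed)
    return [sum(severity(rng) for _ in range(poisson_count(rng, expected_claims)))
            for _ in range(n_scenarios)]


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Empirical quantile: the loss exceeded in only (1 - confidence) of scenarios."""
    ordered = sorted(losses)
    idx = max(0, min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def required_capital(losses: List[float], premiums: float, confidence: float = 0.995) -> float:
    """Capital so that premiums + capital cover the year's claims with probability >= confidence."""
    return max(0.0, value_at_risk(losses, confidence) - premiums)


def exponential_severity(mean: float) -> Severity:
    """Thin-tailed candidate model for individual claim size."""
    return lambda rng: rng.expovariate(1.0 / mean)


def pareto_severity(mean: float, alpha: float) -> Severity:
    """Heavy-tailed candidate with the same mean (alpha > 1; alpha < 2 means infinite variance)."""
    scale = mean * (alpha - 1.0) / alpha  # random.paretovariate has x_min = 1, mean alpha/(alpha-1)
    return lambda rng: scale * rng.paretovariate(alpha)


def compare_models(expected_claims: float = 20.0, mean_claim: float = 1.0,
                   premiums: float = 25.0, n_scenarios: int = 20000) -> Dict[str, Dict[str, float]]:
    """Run two candidate models, matched on mean claim, over the same book and report the results.

    Both models agree on expected loss; the capital figure is set by the tail assumption alone.
    """
    models = {
        "exponential": exponential_severity(mean_claim),
        "pareto_1.5": pareto_severity(mean_claim, 1.5),
    }
    out: Dict[str, Dict[str, float]] = {}
    for name, severity in models.items():
        losses = simulate_annual_losses(severity, expected_claims, n_scenarios)
        out[name] = {
            "mean_loss": sum(losses) / len(losses),
            "var_99_5": value_at_risk(losses, 0.995),
            "capital": required_capital(losses, premiums),
        }
    return out


if __name__ == "__main__":
    for name, figures in compare_models().items():
        print(f"{name:12s} mean loss {figures['mean_loss']:7.2f}  "
              f"99.5% VaR {figures['var_99_5']:7.2f}  capital {figures['capital']:7.2f}")
```

Both models report an expected annual loss of about 20, so a review that stops at the mean sees nothing to choose between them; the 99.5% figure under the heavy-tailed model is several times the thin-tailed one. That gap is what a second-line risk function or third-line reviewer is challenging when it questions the choice of distribution rather than the arithmetic.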
Further, risk management can have a third element: a role in company strategy. Mikes (2008)
commented that whether CROs were influential in the business depended on the quality and
credibility of their insights in strategic discussions. One way to link risk and strategy is when a firm
implements enterprise risk management (ERM). Effective risk management is when the activities of
the firm – its decisions and operations – are carried out with the degree and types of risk that are
consistent with the firm’s objectives. ERM is when this is carried out across the firm. What it involves
is apparent from COSO’s (2004) definition: “a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives”. ERM has been
stimulated by a number of high-profile company failures, by corporate governance codes and by the
increased role of shareholder value models (Dickinson, 2001).
Rochette (2009) argues that by linking risk decisions to firms’ objectives ERM can help achieve those
objectives. The reported advantages of ERM include better informed decision-taking (Gates, 2006)
and lower financing costs if there is an improved credit rating (Henry & Simkins, 2007), while Hoyt &
Liebenberg (forthcoming) found that ERM in US insurers is associated with a positive effect on
Tobin’s q, a proxy for firm value. It is the CRO’s role to oversee and co-ordinate the ERM process
(Sobel & Reding, 2004). However, while ERM looks fine in principle, there are potential pitfalls
(Fraser & Henry, 2007): there can be difficulties in evaluating some risks and in avoiding line
managers managing risks on a silo basis that conflicts with entity objectives (Deighton et al., 2009).
Some firms have over-complicated ERM and found it difficult to implement successfully (Fraser &
Simkins, 2007). One conclusion was that ERM is a managerial fad (Power, 2005) and fails to provide
the security that is expected of it (Power, 2009).
The way in which risk management involves a number of elements was confirmed by Mikes’ (2008)
survey of 15 international banks. She found there were different ways in which the CRO role was
carried out. One possible focus was as a compliance champion, concerned to build a risk framework
and deliver compliance with new rules. Senior risk officers would provide assurance to senior
management that adequate processes and controls were in place. In other banks, the risk function
was focussed on highly sophisticated risk modelling: senior risk officers led the implementation of
firm-wide risk models that could give an overall view of financial risks in the business.
Of the 15 bank CROs, 8 were highly involved in strategic activities such as board-level strategic
decision-making, and they could be divided into two groups. One group were ‘strategic controllers’,
who used the output of sophisticated risk models as their input to strategic issues. Senior risk
officers used models to advise top management on the risk-adjusted performance of business units,
influencing how capital was committed. In such risk functions, the CROs tended to be ‘quantitative
enthusiasts’, keen on financial models and replacing judgmental risk assessments with risk
quantification. The other group were ‘strategic advisers’, where models played a role in their
judgement but did not drive it; they drew on their business experience and knowledge of danger
signs to anticipate emerging risks. These CROs tended to be ‘quantitative sceptics’, viewing risk
models with caution, and complementing or overriding the results with senior managerial
discretion, experience and judgment. This is consistent with Collier et al.’s (2007) finding that it was
common for firms to use experience, intuition, hindsight and judgement in managing risk.
Mikes (2007, 2009) refers to the ‘calculative culture’ of an organisation, which could be shaped by
senior risk officers using their discretion according to their personal convictions, which depended on
their professional backgrounds and the institutional context in which they operated. Those with an
internal audit background were more inclined to be sceptical towards a mathematical approach to
operational risk, for example. Arena et al.’s (2010) case studies are also consistent with a link
between the professional background of the CRO and the form of risk management that was
implemented.
This paper therefore looks to establish if there is a link between the way in which UK insurers
operate risk management and the professional background of the CROs.
2.2 Risk management and regulation
UK insurers are subject to the rules of the industry regulator, the Financial Services Authority (FSA),
whose principles require insurers to have adequate risk management systems, and effective risk
management can be rewarded with a lower regulatory capital requirement (Deighton et al., 2009).
The FSA also requires life (but not general) insurers to appoint an actuary to advise management on
the risks being run, and to monitor those risks. The FSA (2003) found that many insurers had decided
they needed separate risk assessment functions and committees, though some functions lacked
independence. In a later report (FSA, 2006) it found that insurers had improved their risk
governance, with networks of oversight committees, although they often lacked the ability to
provide effective challenge. The regulatory requirements in the EU will become tighter when the
new ‘Solvency II’ directive is implemented (expected in 2014). Article 44 requires insurers
to have “an effective risk management system comprising strategies, processes and reporting
procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the
risks … to which they are or could be exposed, and their interdependencies.”
An important development in the UK was the report of Walker (2009) who, following the 2008 global
financial crisis, reviewed corporate governance in UK banks and other financial institutions (‘BOFIs’).
He recognised that regulation was necessary to constrain the risks of BOFIs because the social costs
of failure exceed the costs borne by shareholders, hence he was concerned to make governance of
risk by the boards of major BOFIs more effective alongside enhanced regulation.
Walker distinguished between a backward-looking focus of risk, overseeing and reporting on the
accounts, internal control and compliance; and a forward-looking focus with responsibilities for
determining risk appetite and, in the context of future strategy and the oversight of risk in real-time,
approving and monitoring appropriate limits on exposures and concentrations. While the audit
committee fits the former role, Walker recommended that FTSE-100 banks and life insurers establish
a separate board risk committee with responsibility for oversight and advice to the board on the
current risk exposures and future risk strategy, and ensuring that the firm’s culture supports the
management of risk. The board risk committee should be chaired by a non-executive director (NED)
with a majority of NED members, and was to focus on ‘fundamental’ prudential risks, such as
market, credit and liquidity risk; other important risks, such as operational and reputational, while
important, were said to require different focus and expertise, and may divert attention. Further, a
BOFI board should be served by a CRO who participates in the risk management and oversight
process at the highest level on an enterprise-wide basis and is independent from business units.
We might have envisaged that corporate governance concerns would have led Walker to help
ensure that firms took risks consistent with shareholders’ interests, with a focus on ERM and
shareholder value, the conflicts with society interests being addressed by separate regulation.
However, his suggestion that the board risk committee focus on certain key prudential risks and not
on operational or reputational risk is rather different, even though the enterprise-wide work of the
CRO would naturally encompass all risks.
The FSA (2010) subsequently issued guidance that regulated firms should consider establishing a
board risk committee and appointing a CRO, with FTSE-100 banks and insurers as examples of firms
whose size, nature and complexity would warrant this. Including general insurers meant this went
beyond the Walker proposals. The FSA suggested that board risk committees should be
predominantly non-executive and chaired by a NED.
Walker’s recommendations are consistent with research findings that the workload of audit
committees had increased, and that the skills needed for risk management may be best met by a
separate body (Fraser & Henry, 2007; Brown et al., 2009; Mongiardino & Plath, 2010). A risk
committee, unlike an audit committee, could also include executives, which may be beneficial as risk
decisions may need access to executives’ knowledge of business plans and operations (Murphy,
2011) and many of the firm’s risks are best understood by executives (Brown et al., 2009).
This study seeks to ascertain if insurers have group-level CROs and board risk committees with the
responsibilities and membership that Walker recommended.
2.3 Risk, audit and controls
While Walker saw monitoring internal controls as a role for the audit committee, the relationship
between internal controls and risk management is not clear. The Combined Code of 1998 required
companies to maintain a sound system of internal control, and provision D.2.1 included “The review
[of the effectiveness of the group’s system of internal control] should cover all controls, including
financial, operational and compliance controls and risk management.” This may imply that risk
management is part of internal control. On the other hand, the Turnbull guidance (ICAEW, 1999)
indicated that internal control will, inter alia, help companies respond to risks, so is internal control
part of risk management? Principle C.1 of the current UK Corporate Governance Code (Financial
Reporting Council, 2010) requires the board to maintain sound risk management as well as the
internal control systems referred to in 1998, while the list of controls to be included in the review no
longer includes risk management – perhaps because it warrants a higher status than merely one
element in a list of controls? Page & Spira asked, “Is control a part of risk management or is risk
management an element of control?” (2004, page 15). The distinction between risk management
and internal control remains unclear (Fraser & Henry, 2007; Deighton et al., 2009).
The Financial Reporting Council (2011) accepted that having both an audit and a risk committee may
lead to confusion, but this could be overcome by some common membership or holding joint
meetings. This study therefore seeks to find out what links there are between insurers’ audit and risk
committees and where responsibilities for controls lie.
2.4 Professionals in risk management
Professionalization of risk management is at an early stage (Mikes, 2011), with several organisations
present in this area and the potential for professional rivalry (Arena et al., 2010). The CRO role itself
requires strong managerial skills, with Deighton et al. (2009) highlighting the need for a solid
understanding of the business, good communication skills and having an independent view. They say
that while the CRO does not need to be an expert modeller, he or she should be familiar with risk
modelling; and although the CRO’s main function is not to undertake intensive quantitative research,
he or she has to understand models and raise questions (Garnier, 2009).
Collier et al. (2007) found that the finance director had a pivotal role in risk management, being
involved in analysing, assessing, monitoring and reporting risk. However, most management
accountants felt marginalised in relation to risk management. The Chartered Institute of
Management Accountants does include subjects such as financial risk management and risk and
internal control in its examinations. However, accountants’ training is not necessarily a firm
foundation for understanding the probabilistic modelling used in risk management (see Woods et
al., 2008, in their study of the audit of banks’ Value at Risk figures), and they are not necessarily
experts in the broad subject of ERM.
Since internal auditors typically apply a risk-based approach to auditing, they need to be skilled in
risk identification. Where they are giving assurance on risk management processes, as in the third
line of defence, their risk management skills need to be greater still (although these may not be possessed:
Fraser & Henry, 2007). In some cases internal auditors may be asked to design risk management
systems, or to support the risk management process directly in co-operation with line management
(Allegrini & D’Onza, 2003), although the Institute of Internal Auditors (2009) is aware of the potential
conflict with internal auditors’ independence. One possibility is that risk management roles are
undertaken by individuals with previous internal audit experience.
In insurance, actuaries have been accustomed to thinking of themselves as risk experts (Dowd et al.,
2008), based on their mathematical training and their experience of the insurance business. There
has been criticism that actuaries have not always highlighted the risks around their financial
projections (Morris, 2005) although the profession has been expanding its involvement in ERM and
introduced a new qualification: chartered enterprise risk actuary.
This study therefore seeks to find out the extent to which accountants and actuaries are involved in
UK insurers’ risk management.
3. Method
We study the 21 UK insurers listed on the London Stock Exchange at the end of 2010, being subject
to the UK Corporate Governance Code. They comprise 12 general insurers, 8 life insurers and 1
composite (which carries out both life and general insurance). Of the 21, 8 were FTSE-100, 8 were
FTSE-250 companies and 5 were smaller (see Table 1).
The annual report and accounts now contains a substantial amount of information on firms’ risks
and risk management, and is a fruitful source for research. The report and accounts is easily
available and is regarded as a credible source of information and a valuable tool for research
(Stanton & Stanton, 2002) including risk research (Abraham & Cox, 2007). Beretta & Bozolan (2004)
use firms’ annual reports as the basis for their work on risk communication and refer to the way in
which reports include information that explains figures in the accounts, and contain perspectives
(Beattie et al., 2002). There are limitations as the form of risk disclosure information is not uniform,
but it is feasible to use the content of the report and accounts as indicative of how the firm
approaches risk management. We also examine the terms of reference for risk committees and audit
committees, similar to the work of Mongiardino & Plath (2010) and Murphy (2011) in assessing risk
governance in banks.
To ascertain the professional and employment background of directors and CROs we use, in addition
to firms’ accounts and websites, other web resources, particularly LinkedIn and the Bloomberg
BusinessWeek website.
4. Results
4.1 Adoption of the Walker report recommendations
Overall, 11 of the 21 listed insurers had a board risk committee (this includes two with a board ‘risk
and capital committee’): see Table 1. Seven were newly established after Walker produced his
reports in 2009 suggesting board risk committees; in three cases an existing committee was re-
structured so that it no longer comprised mainly executives; in the other case the name was
changed from risk and regulatory committee. Walker’s expectation that all FTSE-100 life insurers
have a board risk committee with a majority of NEDs is satisfied; FSA guidance also suggested a risk
committee for the FTSE-100 general insurers, which one of the two had. In addition, three insurers
had a combined ‘audit and risk committee’.
Information is available about the composition and terms of reference of the risk committee in ten
cases. In all instances it was chaired by a NED, with a majority of NED members in nine out of ten
firms; the exception was a general insurer. In seven firms the terms of reference restricted
membership to NEDs and only 3 out of 43 members of risk committees were executives. While
executives were often in attendance, this suggests the risk committee was seen as a way to
challenge management’s view of risk, rather than working in partnership with executives to develop
an optimal risk strategy.
Walker envisaged the risk committee would pay particular attention to fundamental prudential risks
(operational and reputation risk being outside this); FSA guidance looked for particular but not
exclusive emphasis on prudential risks. In practice, the remit of the committees typically covers all
risks, although risks to solvency were naturally an important part of this. This is consistent with an
ERM framework rather than a regulator’s prudential focus.
In all cases, the risk committee terms of reference gave it a responsibility for advising the board on
risk appetite or tolerance, and for overseeing and advising on risk exposures. In seven firms there
was specific mention of stress/scenario testing, and in five the committee was involved in the report
for the regulator on capital requirements. In some cases the committee was specifically involved in
quantitative matters: for example, in Amlin it carries out governance of the firm’s internal model; in
Old Mutual, it is concerned with actuarial matters (the CRO is also Actuarial Director).
The FSA guidance follows Walker’s suggestion that risk committees should advise on risk weightings
on performance objectives for the remuneration committee, and this was in the terms of reference
of six committees. In four of those cases, and in two others, the committee had a wider brief to
examine the impact of remuneration on risk-taking, consistent with the concerns raised by the
academic evidence. Walker and the FSA also suggested a role for the risk committee in embedding
and maintaining a supportive risk culture: this was explicitly incorporated by one firm, although two
others made other comments around risk culture. Elsewhere, other committees have such a role: for
example, Chaucer’s (executive) risk assurance group has an objective of instilling a culture of risk
awareness and controlled risk-taking.
We can identify 17 of the 21 insurers having a group-level CRO (or similar title, although it includes
one group risk director who was also responsible for a business unit, i.e. not with the independence
of a CRO usually sought): see Table 1. Not having a group-level CRO suggests limited group-wide co-
ordination of activities, which is consistent with two of the insurers without a CRO reporting their
key performance indicators (KPIs) at segment level and not at group level. The other two cases were
general insurers outside the FTSE-350.
4.2 Risk, audit and controls in UK insurers
Walker did not set a fixed division between the responsibilities of audit and risk committees,
although he saw the need for co-ordination and overlapping membership. We examine the
evidence on this and consider the responsibilities for internal controls.
Walker’s (and FSA’s) suggested remit for a risk committee did not include assessing internal controls.
However, internal controls, such as checks on the premiums quoted by underwriters, are a part of
insurers’ risk frameworks. Risk functions and committees therefore have a natural interest. As
examples, Old Mutual’s risk committee reviews the quality and effectiveness of internal
controls; Aviva’s risk committee assists the audit committee in its review of internal controls,
including financial reporting; in Amlin that review is done jointly by the two committees.
The issues can be clearer with a ‘three lines of defence’ approach, which insurers typically adopted;
eight insurers referred to it explicitly. In some firms, such as Omega, independent external actuaries
formed part of the third line of defence, for example by reviewing estimates of future claims.
However, the typical position is that the risk functions and risk committees are second line, while
internal audit and the audit committee are third line: they give assurance on whether risks are being
managed effectively. Highlighting this distinction might help clarity. Indeed, Brit’s audit and risk
committee divides its objectives between audit and risk, and internal control policies, except for
financial reporting and accounting compliance, are among the ‘risk’ objectives, which are explicitly
‘second line’.
In some cases the risk function operates the internal model and may undertake actuarial functions
(Solvency II permits the functions to be combined). In such instances, the challenge to the modelling
is provided by the third line of defence (internal audit and, possibly, external actuaries). A more
robust approach is to regard the modelling as first line, with challenge from the risk function, whose
capabilities may be better than those of internal audit.
Walker recognised the need for liaison between the audit and risk committees. He suggested the
chairman of the former serve on the latter, which is the case in five out of ten risk committees; in
four other cases, another member provides overlap. In nine of the ten risk committees, the terms of
reference also refer to the audit committee, though in only six cases do the terms of reference of the
latter refer to the risk committee. One case without such a reference is Phoenix, even though the
audit committee duties include keeping under review strategy with regard to risk and the
effectiveness of internal controls and risk management systems (neither does it have overlap of
membership between the committees).
Where an insurer had an audit committee only, the terms of reference mentioned risk management,
though in only a limited way, for example where Admiral’s committee reviews “the adequacy of the
Company’s internal financial controls, compliance and internal control and risk management
systems.” The evidence we have where there is a separate risk committee suggests there is room for
greater clarity and co-ordination of responsibilities.
4.3 Professionals in risk management in UK insurers
The 17 CROs include 7 actuaries, 5 accountants and 5 others. Most (five) of the actuaries were at
general insurers, notwithstanding actuaries having traditionally been more prevalent in life
insurers. The accountants include two who were qualified with ACCA, one with CIMA, one with ICAS
(the professional body of one was not traced). Of the ‘others’, two had long careers in general
insurance and two had previously worked at banks: one with a more quantitative emphasis (senior
roles in risk, capital markets and treasury), the other, less so (head of strategy and corporate
development). The fifth was previously compliance director at an insurer. Hence there is a variety of
CRO backgrounds. Actuaries were out-numbered by accountants among members of risk
committees, consistent with accountants also being more numerous as directors of insurance
companies (see Table 2).
4.4 Elements of risk management in UK insurers
It is possible to identify three elements to insurers’ risk management, and we go on to see what links
there are between the elements at the forefront of firms’ risk management and the professional
background of the CROs.
4.4.1 Strategic element
In nine cases the firm’s accounts or the risk committee terms of reference referred to ERM, and this
was often backed up by comments that alluded to the strategic importance of the risk framework.
For example, Lancashire describes ERM as helping ensure that the balance between risk and reward
is considered in all important business decisions, and it is the one insurer that, when disclosing its
KPIs, also sets out how the risks to those KPIs are managed. Brit is embedding its ERM framework,
expecting that it will lead to better informed decision making and help optimise the risk and reward
relationship. Aviva’s report and accounts set out its risk strategy and goals clearly, looking for an
optimum balance between risk and reward. There is some subjectivity in assessing what is the focus
of an insurer’s risk management, though it appears fair to say that there is a strategic focus if it
refers to its practising ERM. We add one other firm, Prudential, to this category, as its main board
directors include a CRO independent of business units. Prudential’s accounts also refer to examples
of enterprise-wide rather than silo risk management, for example taking advantage of natural
hedges in its worldwide business such as its US and Asian operations being exposed to interest rates
in different directions.
In all these cases there is also evidence of the monitoring role. For example, Aviva’s risk committee
reviews the adequacy and quality of the group’s compliance and risk functions. In Standard Life the
CRO prepares regular reports on regulatory compliance and on compliance with the financial crime
policy. The Old Mutual risk committee receives reports on management’s assessment of the
effectiveness of internal controls.
The quantitative strand is present in all these cases, though more so in some than in others.
Lancashire emphasises its internal model, which has been developed extensively and is used in
monitoring risks of all types, in strategic underwriting decisions and in portfolio optimisation. In
Amlin’s accounts the first highlight of the risk management section is that the process for obtaining
the FSA’s approval of its dynamic financial analysis model has begun; Amlin has also strengthened use of
the model in business processes such as business planning and reinsurance purchase, and has developed
its operational risk modelling capability.
Old Mutual refers to significant progress in 2010 in implementing a model framework where risk,
capital and value are aligned with commercial objectives. The accounts disclose data on the marginal
impact of extra exposure on economic capital for each main risk type. The risk committee evaluates
the group’s risk measurement systems, monitors the management of actuarial risk and oversees the
allocation of capital; it is explicitly concerned with the optimisation of risk. When we read that the
board risk committee recommends targets for risk-adjusted performance measures to the board and
remuneration committee, this reminds us of Mikes’ ‘strategic controller’ role. Similarly, the Brit audit
and risk committee reviews the risk-adjusted performance of business units, and their capital
requirements, and the CRO is responsible for catastrophe and capital modelling.
4.4.2 Quantitative element
Of the remaining insurers, all used quantitative methods in an important way, but we can identify
two where the firm’s own review of risk management in 2010 highlights a quantitative initiative.
Omega improved its modelling capabilities to help manage catastrophe exposures, while Beazley has
cascaded its risk appetite from eight risk categories to 54 underlying risk events to help the business
operate within the required tolerances. Beazley regards the risk quantification skills in its risk
management team as helping provide a more consistent and holistic view of risk. Monitoring was
also part of risk management activities: Omega established a risk management function “with
responsibilities for the risk and control framework across the group”, while Beazley developed its
global assurance function and, from 2011, established a risk and regulatory committee of executives,
meeting monthly, with quarterly attendance of NEDs.
4.4.3 Monitoring element
Having identified ten firms with a strategic focus to risk management, and two others with a
quantitative focus that is highlighted, that leaves eight others. These firms clearly operate
quantitative techniques to manage risk, and they may have aspects of ERM, but these are not
reported as high profile in risk management compared to some other firms. We can, however, draw
attention to the monitoring focus of these firms with some examples.
In Admiral (where there is no group-level CRO or board risk committee), the risk function reports to
the head of Compliance. Resolution has an audit and risk committee, where the section on risk is
headed ‘risk and controls’. At Novae, the first duty of the board risk committee is to assess risk
management procedures. At St James’s Place the central risk function’s primary role is to ensure that
an appropriate risk framework is in place; among reports reviewed by the risk committee in 2010
were those from the money laundering officer and from the group legal director, and there was no
mention of the committee being involved in the quantification of capital requirements.
4.4.4 Link between focus of risk management and the professional background of the CRO
It is possible to identify a link between the background of the CRO and the role that risk
management plays in the firm. The seven CROs who are actuaries all work for insurers with a
strategic or quantitative focus, consistent with their professional skills. Hardy states that appointing
a CRO who was previously group actuary has facilitated a co-ordinated approach to risk
management in view of the increasing reliance on sophisticated models for risk management.
However, it may be that, rather than the CRO’s skills determining the form that risk management
takes, the firm appoints the CRO consistent with the type of risk management it wishes to have.
It is useful to see examples of firms where there was neither a strategic nor a quantitative focus.
Phoenix’s CRO oversees the group’s relationship with the FSA and supports the board committee in
oversight of the risk management framework: the CRO is an accountant with previous experience of
compliance, audit and risk roles. Similarly, the CRO at Resolution previously worked for the FSA and
Department of Trade and Industry (regulators) and at another insurer where she had responsibility
for regulatory compliance. In none of the four cases without a CRO is there a strategic focus to the
risk management, which lends some support to the way in which we determined the focus of each firm’s
risk management.
5. Discussion and Conclusions
Walker was clearly influential, with some insurers attributing strengthening their risk governance to
his report. However, insurers have gone beyond Walker’s remit for risk committees to focus on
fundamental prudential risks. Instead, they recognise the need to act in shareholders’ interests by
taking an enterprise-wide rather than prudential view of risk. Firms then address the need to control
managers’ interests by having NEDs on risk committees (with a greater dominance than perhaps
Walker envisaged) and, in many cases, by taking a wider view of the potential for remuneration
structures to affect managers’ risk decisions than risk weightings on performance objectives. Indeed,
with many insurers restricting board risk committee membership to non-executives, this emphasises
‘control’ rather than a board that is a partnership using the executives’ skills to help determine
which risks to take. Since the FSA guidance on risk committees was formulated before many risk
committees were formed, the variety of practices suggests it would be appropriate to review that
guidance.
Some researchers have referred to potential confusion between the roles of internal control and risk
management, and the need for audit/risk committee co-ordination. The evidence suggests different
practices and raises some concerns. In practice, risk managers have to be concerned with internal
controls: if they fail, that is a risk. Brit differentiated between the risk function, as the second line
of defence, and audit, as the third line. This suggests a solution to the confusion: the audit
committee’s responsibility for risk management sits at the third line, providing assurance to the board,
while the risk function and risk committee co-ordinate risk management, including monitoring
internal controls, perhaps (as in the case of St James’s Place) except for those relating to accounting
and financial information. Hence both risk and audit are responsible for internal controls (which are
part of risk management), but in different ways.
Insurers’ risk management has elements of monitoring, quantitative modelling and strategy. Under
Solvency II, insurers have an incentive to develop models as they can use them to set their capital
requirements, though one of the regulators’ requirements is that the model be used in the firm’s
decision-taking. Quantitative enthusiasts may welcome this and there is potentially a ‘strategic
controller’ role for CROs. However, the variety of approaches to risk management – such as that
taken by quantitative sceptics – suggests that this should not be an automatic conclusion. Morris
(2005) said too much had been expected of actuaries, and Zaman (2001) warned us not to expect
too much of audit committees. Given the inherent difficulties of managing risk in large organisations,
we should perhaps keep our expectations of risk committees at a modest level.
References
Abraham, S., Cox, P., 2007. Analysing the determinants of narrative risk information in UK FTSE 100
annual reports. The British Accounting Review. 39, 227-248.
Allegrini, M., D’Onza, G. 2003. Internal auditing and risk assessment in large Italian companies: an
empirical survey. International Journal of Auditing. 7, 191-208.
Arena, M., Arnaboldi, M., Azzone, G., 2010. The organizational dynamics of enterprise risk
management. Accounting, Organizations and Society. 35, 659-675.
Aunon-Nerin, D., Ehling, P., 2008. Why firms purchase property insurance. Journal of Financial
Economics. 90, 298-312.
Beattie, V.A., McInnes, B., Fearnley, S., 2002. Through the eyes of management: a study of narrative
disclosures, an interim report. London: ICAEW.
Beretta, S., Bozzolan, S., 2004. A framework for the analysis of risk communication. The International
Journal of Accounting. 39, 265-288.
Brown, I., Steen, A., Foreman, J., 2009. Risk management in corporate governance: a review and
proposal. Corporate Governance: An International Review. 17, 546-558.
Browne, M.J., Ma, Y-L., Wang, P., 2009. Stock-based executive compensation and reserve errors in
the property and casualty insurance industry. Journal of Insurance Regulation. 27, 35-54.
Chen, C.R., Steiner, T.L., White, A.M., 2001. Risk taking behavior and managerial ownership in the
United States life insurance industry. Applied Financial Economics. 11, 165-171.
Collier, P.M., Berry, A.J., Burke, G.T., 2007. Risk and management accounting. Elsevier, Oxford.
Committee of Sponsoring Organisations of the Treadway Commission (COSO), 2004. Enterprise Risk
Management-Integrated Framework. AICPA, New York.
Cummins, J.D., Sommer, D.W., 1996. Capital and risk in property-liability insurance markets. Journal
of Banking & Finance. 20, 1069-1092.
Deighton, S.P., Dix, R.C., Graham, J.R., Skinner, M.E., 2009. Governance and risk management in
United Kingdom insurance companies. Paper presented to the Institute of Actuaries, 23 March.
Dickinson, G., 2001. Enterprise risk management: its origins and conceptual foundations. Geneva
Papers on Risk and Insurance. 26, 360-366.
Dowd, K., Blake, D., 2006. After VaR: the theory, estimation, and insurance applications of quantile-
based risk measures. Journal of Risk and Insurance. 73, 193-229.
Financial Reporting Council, 2010. UK Corporate Governance Code.
Financial Reporting Council, 2011. Boards and risk.
Financial Services Authority, 2003. Review of UK insurers’ risk management practices.
Financial Services Authority, 2006. Risk management in insurers.
Financial Services Authority, 2010. Effective corporate governance. Policy Statement 10/15.
Financial Times, 2011. In the firing line: the cult of Oswald Grübel. 17/18 September, 16.
Frankland, R., Smith, A.D., Wilkins, T., Varnell, E., Holtham, A., Biffis, E., Eshun, S., Dullaway, D.,
2009. Modelling extreme market events: a report of the benchmarking stochastic models working
party. British Actuarial Journal. 15, 1, 99-201.
Fraser, I., Henry, W., 2007. Embedding risk management: structures and approaches. Managerial
Auditing Journal. 22, 392-409.
Fraser, J.R.S., Simkins, B.J., 2007. Ten common misconceptions about enterprise risk management.
Journal of Applied Corporate Finance. 19, 75-81.
Garnier, M., 2009. Black holes in risk governance. Journal of Risk Management in Financial
Institutions. 2, 116-120.
Gates, S., 2006. Incorporating strategic risk into enterprise risk management: a survey of current
corporate practice. Journal of Applied Corporate Finance. 18, 81-90.
Helliar, C.V., Lonie, A.A., Power, D.M., Sinclair, C.D., 2001. Attitudes of UK managers to risk and
uncertainty. Institute of Chartered Accountants of Scotland.
Hoyt, R.E., Liebenberg, A.P., forthcoming. The value of enterprise risk management. Journal of Risk
and Insurance. DOI: 10.1111/j.1539-6975.2011.01413.x
Institute of Chartered Accountants in England & Wales (ICAEW), 1999. Internal control. Guidance for
directors on the combined code.
Institute of Internal Auditors, 2009. IIA position paper: the role of internal auditing in enterprise-
wide risk management.
Laeven, L., Levine, R., 2009. Bank governance, regulation and risk taking. Journal of Financial
Economics. 93, 259-275.
MacCrimmon, K.R., Wehrung, D.A., 1990. Characteristics of risk taking executives. Management
Science. 36, 422-435.
March, J.G., Shapira, Z., 1987. Managerial perspectives on risk and risk taking. Management Science.
33, 1404-1418.
May, D.O., 1995. Do managerial motives influence firm risk reduction strategies? Journal of Finance.
50, 1291-1308.
Mayers, D., Smith, C.W., 1990. On the corporate demand for insurance: evidence from the
reinsurance market. Journal of Business. 63, 19-40.
Mikes, A., 2007. Convictions, conventions and the operational risk maze: the cases of three financial
services institutions. International Journal of Risk Assessment and Management. 7, 1027-1054.
Mikes, A., 2008. Chief risk officers at crunch time: compliance champions or business partners?
Journal of Risk Management in Financial Institutions. 2 (1), 7-25.
Mikes, A., 2009. Risk management and calculative cultures. Management Accounting Research. 20,
18-40.
Mikes, A., 2011. From counting risk to making risk count: boundary work in risk management.
Accounting, Organizations and Society. doi: 10.1016/j.aos.2011.03.002
Milidonis, A., Stathopoulos, K., 2011. Do U.S. insurance firms offer the “wrong” incentives to their
executives? Journal of Risk and Insurance. 78, 643-672.
Mongiardino, A., Plath, C., 2010. Risk governance at banks: have any lessons been learned? Journal
of Risk Management in Financial Institutions. 3, 116-123.
Morris, D., 2005. Morris review of the actuarial profession. HM Treasury, London.
Murphy, E., 2011. Assuring responsible risk management in banking: the corporate governance
dimension. Delaware Journal of Corporate Law. 36, 121-164.
Page, M., Spira, L.F., 2004. The Turnbull report, internal control and risk management: the
developing role of internal audit. Institute of Chartered Accountants of Scotland.
Power, M., 2005. Organizational responses to risk: the rise of the chief risk officer. In Hutter, B.,
Power, M. (Eds.), Organizational encounters with risk. Cambridge, Cambridge University Press, pp. 132-148.
Power, M., 2009. The risk management of nothing. Accounting, Organizations and Society. 34, 849-855.
Rochette, M., 2009. From risk management to ERM. Journal of Risk Management in Financial
Institutions. 2, 394-408.
Sanders, W.G., Hambrick, D.C., 2007. Swinging for the fences: the effects of CEO stock options on
company risk taking and performance. Academy of Management Journal. 50, 1055-1078.
Smallman, C., 1996. Risk and organizational behaviour: a research model. Disaster Prevention and
Management. 5, 12-26.
Sobel, P.L., Reding, K.F., 2004. Aligning corporate governance with enterprise risk management.
Management Accounting Quarterly. 5, 29-37.
Stanton, P., Stanton, J., 2002. Corporate research reports: research perspectives used. Accounting,
Auditing & Accountability Journal. 15, 478-500.
Stulz, R.M., 1984. Optimal hedging policies. Journal of Financial and Quantitative Analysis. 19, 127-
140.
Swiss Re, 2011. World insurance in 2010. Sigma 2/2011.
Tufano, P., 1996. Who manages risk? An empirical examination of risk management practices in the
gold mining industry. Journal of Finance. 51, 1097-1137.
Van Asselt, B.A., Renn, O., 2011. Risk governance. Journal of Risk Research. 14, 431-449.
Varnell, E., 2011. Economic scenario generators and Solvency II. British Actuarial Journal. 16, 121-159.
Walker, D., 2009. A review of corporate governance in UK banks and other financial industry entities.
Final recommendations. Treasury, London.
Woods, M., Dowd, K., Humphrey, C., 2008. The value of risk reporting: a critical analysis of value-at-
risk disclosures in the banking sector. International Journal of Financial Services Management. 8, 45-
64.
Zaman, M., 2001. Turnbull – generating undue expectations of the corporate governance role of
audit committees. Managerial Auditing Journal. 16, 5-9.
Table 1. Listed insurers

Insurer                              Type       Index     Board committees*  CRO  ERM†
Admiral Group plc                    General    FTSE-100  AC only            No   No
Amlin plc                            General    FTSE-250  AC and RC          Yes  Yes
Aviva plc                            Composite  FTSE-100  AC and RC          Yes  Yes
Beazley Group Plc                    General    FTSE-250  AC only            Yes  No
BRIT Insurance Holdings Plc          General    FTSE-250  ARC                Yes  Yes
Catlin Group Ltd                     General    FTSE-250  AC only            Yes  Yes
Chaucer Holdings plc                 General    Other     AC and RC          No   No
Chesnara plc                         Life       Other     ARC                No   No
Hardy Underwriting Bermuda Limited   General    Other     AC only            Yes  Yes
Hiscox Ltd                           General    FTSE-250  AC and RC          Yes  No
Lancashire Holdings Ltd              General    FTSE-250  AC only            Yes  Yes
Legal & General Group plc            Life       FTSE-100  AC and RC          Yes  No
Novae Group plc                      General    Other     AC and RC          Yes  No
Old Mutual plc                       Life       FTSE-100  AC and RC          Yes  Yes
Omega Insurance Holdings Ltd         General    Other     AC only            No   No
Phoenix Group Holdings               Life       FTSE-250  AC and RC          Yes  No
Prudential plc                       Life       FTSE-100  AC and RC          Yes  No
Resolution Ltd                       Life       FTSE-100  ARC                Yes  No
RSA Insurance Group plc              General    FTSE-100  AC and RC          Yes  Yes
St. James's Place plc                Life       FTSE-250  AC and RC          Yes  No
Standard Life plc                    Life       FTSE-100  AC and RC          Yes  Yes

*AC = Audit Committee, RC = Risk Committee, ARC = Audit and Risk Committee
† ERM referred to in report and accounts or in terms of reference for board risk committee
Table 2. Average composition of boards and board committees (average number of members by professional background)

                                  Actuaries  Accountants  Others  Total
Boards                            0.6        3.2          7.0     10.8
Board audit committees            0.2        1.0          3.1     4.3
Board risk and audit committees   1.0        1.7          1.7     4.3
Board risk committees             0.3        1.5          2.2     4.0