
Centre for Risk & Insurance Studies

enhancing the understanding of risk and insurance

Risk governance in UK insurers: beyond the audit committee

Christopher O’Brien

CRIS Discussion Paper Series – 2011.I

Page 1 of 18

Risk governance in UK insurers: beyond the audit committee

Christopher O’Brien

Centre for Risk and Insurance Studies

Nottingham University Business School

Abstract

Following the global financial crisis of 2008 a Treasury-commissioned report by Sir David Walker recommended a strengthening of the risk governance in UK financial institutions. This paper examines listed UK insurers and finds that many responded by establishing board risk committees as suggested or changing the membership of existing committees to remove executive dominance. However, while Walker recommended the committees focus on fundamental prudential risks, the committees, in practice, cover all risks, consistent with an enterprise-wide view of risk. Risk management was typically regarded as including monitoring internal controls, although there were inconsistencies between firms in co-ordination of the activities of risk and audit committees. We also find that insurers differ in the emphasis they give to different elements of risk management – monitoring, quantitative modelling and strategic risk – and there is a link between this emphasis and the professional background of the CRO, where both actuaries and accountants play an important role.

Keywords

Audit committees; corporate governance; insurance; risk committees; risk governance; risk management.

1. Introduction

Early papers on risk governance were concerned with the problem of how to take decisions in public policy areas with complex risks relating to health and the environment, and involved the role of science and experts (van Asselt & Renn, 2011). Businesses also face the problem of decision-taking when outcomes are uncertain, and have to recognise that multiple stakeholders are involved.

Corporate governance is often concerned with the agency problem, i.e. managers may act in their own rather than the shareholders’ interests, and what mechanisms - such as audit committees - may be implemented to address this. There is also a separate concern: that firms, by seeking to increase shareholder value, may act contrary to wider societal interests: this problem is not solved by governance mechanisms designed to protect shareholders’ interests but, rather, regulation may be appropriate. These issues came into sharp focus in the global financial crisis of 2008 when, among other factors, risky decisions made by bonus-incentivised bankers impacted on taxpayers when governments felt obliged to bail out financially distressed banks.

Ensuring that managers take risky decisions in shareholders’ interests is particularly problematic for three reasons. First, there is a large body of evidence which indicates that individuals are subject to biases when considering risks: for example, March & Shapira (1987) found that managers were insensitive to estimates of probabilities of possible outcomes and their decisions were particularly affected by their being focussed on critical performance targets; MacCrimmon & Wehrling (1990) concluded that personal characteristics of executives affected their risk-taking; while Helliar et al.’s (2001) findings were that managers made choices that depended on how questions were framed, and tended to treat high probability outcomes as certain and ignore low probability outcomes. Second, remuneration structures bias decisions about risk (Stulz, 1984): in particular, there is evidence that managers having share options is linked with firms hedging less than otherwise (Tufano, 1996) and firms’ performance becoming more extreme (Sanders & Hambrick, 2007); and that managers’ shareholdings affect the degree of risk in acquisitions (May, 1995) and how they buy insurance (Aunon-Nerin & Ehling, 2008). Shareholder influence, as reflected in share ownership structures, can play some role in mitigating managerial dominance (Mayers & Smith, 1990; Laeven & Levine, 2009). And third, it is difficult to monitor whether decisions are taken in shareholders’ or managers’ interests, given the problems, before the event, in judging risks and their potential impact. Hence risk governance is an issue.

While banks have been the focus of much recent discussion on these questions, this paper examines the insurance industry, where risk is inherent in the business: insurers are setting out to take risks from individuals and firms and to place these on their own balance sheet. The evidence in this paper is from the UK insurance industry, which was the third largest in the world in 2010, measured by premiums (Swiss Re, 2011).

Previous research has shown that managerial incentives in insurance firms are associated with firms’ decisions on, for example, holdings of capital and portfolio risks (Cummins & Sommer, 1996), risk exposures (Chen et al., 2001; Milidonis & Stathopoulos, 2011), and what firms set aside as provisions for future claims (Browne et al., 2009). There are therefore reasons to think that the governance arrangements for insurers’ risk decisions are important.

Concern about corporate governance in banks and insurers led the UK Treasury to commission a report from Sir David Walker (2009) who, when considering risk governance, suggested that large financial institutions establish a board risk committee, separate from the audit committee. One of the contributions of this paper is to establish whether his recommendations for the composition and activities of risk committees were fulfilled; the outcome indicates some differences. Following on, the paper considers the consequences for the relationship between the risk and audit committees, especially given the ambiguity about the relationship between internal controls and risk management (Page & Spira, 2004). Lastly, we examine the role of professionals – notably accountants and actuaries – in risk management, recalling Dowd & Blake’s (2006, p. 221) comment: “the stage was set for a classic turf war”, and assess whether there is a link between the type of individual acting as Chief Risk Officer (CRO) and the form in which risk management is carried out, which Mikes (2008) found to be the case in banks.

2. Background

2.1 Elements of risk management

Risk management was traditionally concerned with buying insurance, hedging financial risks with derivatives and taking steps to ensure health and safety. More generally, if a firm’s processes did not operate as they should or if they breached some regulation, the unplanned outcome was a risk; hence monitoring is part of holistic risk management (Smallman, 1996). Indeed, risk teams in UK insurers were originally set up in the late 1980s as compliance teams (Deighton et al., 2009). Mikes (2008) explains that one role of the risk function in banks is to act as compliance champion, delivering compliance with regulatory requirements, and building and safeguarding a risk management framework. When the losses of UBS rogue trader Kweku Adoboli came to light, the Financial Times (2011) reported that the CRO “is facing every risk officer’s worst nightmare just nine months into the job – she will face tough questions about UBS’s controls”.

One approach that many UK insurers use to monitor activities is the ‘three lines of defence’ model (Deighton et al., 2009). The first line is line managers carrying out risk management; second, a central risk function, supported by a risk committee, interprets group policy, provides support and collates information; and thirdly, independent assurance is provided by internal audit, and possibly external consultants. The second level may have committees focussing on specific risk types, such as assessing the claims-paying ability of reinsurers. We use the shorthand of ‘monitoring’ to refer to this element of risk management, where a risk framework is built and activities are reviewed for compliance.

The second main element of risk management is quantitative techniques, which insurers use to calculate the premiums they charge and to make stochastic projections of their future financial position using internal models of their own business. The techniques have become increasingly sophisticated, involving probability distributions of future outcomes for financial markets and insurance claims. Such models can, in principle, indicate what capital is needed to ensure the insurer remains solvent over a given timescale with a specified probability – assuming, of course, that the model is appropriate. Firms’ modelling abilities have been increased by improved IT capabilities and by advances by the actuarial profession (e.g. Frankland et al., 2009; Varnell, 2011).

Further, risk management can have a third element: a role in company strategy. Mikes (2008) commented that whether CROs were influential in the business depended on the quality and credibility of their insights in strategic discussions. One way to link risk and strategy is when a firm implements enterprise risk management (ERM). Effective risk management is when the activities of the firm – its decisions and operations – are carried out with the degree and types of risk that are consistent with the firm’s objectives. ERM is when this is carried out across the firm. What it involves is apparent from COSO’s (2004) definition: “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. ERM has been stimulated by a number of high-profile company failures, by corporate governance codes and by the increased role of shareholder value models (Dickinson, 2001).

Rochette (2009) argues that by linking risk decisions to firms’ objectives ERM can help achieve those objectives. The reported advantages of ERM include better informed decision-taking (Gates, 2006) and lower financing costs if there is an improved credit rating (Henry & Simkins, 2007), while Hoyt & Liebenberg (forthcoming) found that ERM in US insurers is associated with a positive effect on Tobin’s q, a proxy for firm value. It is the CRO’s role to oversee and co-ordinate the ERM process (Sobel & Reding, 2004). However, while ERM looks fine in principle, there are potential pitfalls (Fraser & Henry, 2007): there can be difficulties in evaluating some risks and in avoiding line managers managing risks on a silo basis that conflicts with entity objectives (Deighton et al., 2009). Some firms have over-complicated ERM and found it difficult to implement successfully (Fraser & Simkins, 2007). One conclusion was that ERM is a managerial fad (Power, 2005) and fails to provide the security that is expected of it (Power, 2009).

The way in which risk management involves a number of elements was confirmed by Mikes’ (2008) survey of 15 international banks. She found there were different ways in which the CRO role was carried out. One possible focus was as a compliance champion, concerned to build a risk framework and deliver compliance with new rules. Senior risk officers would provide assurance to senior management that adequate processes and controls were in place. In other banks, the risk function was focussed on highly sophisticated risk modelling: senior risk officers led the implementation of firm-wide risk models that could give an overall view of financial risks in the business.

Of the 15 bank CROs, 8 were highly involved in strategic activities such as board-level strategic decision-making, and they could be divided into two groups. One group were ‘strategic controllers’, who used the output of sophisticated risk models as their input to strategic issues. Senior risk officers used models to advise top management on the risk-adjusted performance of business units, influencing how capital was committed. In such risk functions, the CROs tended to be ‘quantitative enthusiasts’, keen on financial models and replacing judgmental risk assessments with risk quantification. The other group were ‘strategic advisers’, where models played a role in their judgement but did not drive it; they drew on their business experience and knowledge of danger signs to anticipate emerging risks. These CROs tended to be ‘quantitative sceptics’, viewing risk models with caution, and complementing or overwriting the results with senior managerial discretion, experience and judgment. This is consistent with Collier et al.’s (2007) finding that it was common for firms to use experience, intuition, hindsight and judgement in managing risk.

Mikes (2007, 2009) refers to the ‘calculative culture’ of an organisation, which could be shaped by senior risk officers using their discretion according to their personal convictions, which depended on their professional backgrounds and the institutional context in which they operated. Those with an internal audit background were more inclined to be sceptical towards a mathematical approach to operational risk, for example. Arena et al.’s (2010) case studies are also consistent with a link between the professional background of the CRO and the form of risk management that was implemented.

This paper therefore looks to establish if there is a link between the way in which UK insurers operate risk management and the professional background of the CROs.


2.2 Risk management and regulation

UK insurers are subject to the rules of the industry regulator, the Financial Services Authority (FSA), whose principles require insurers to have adequate risk management systems, and effective risk management can be rewarded with a lower regulatory capital requirement (Deighton et al., 2009). The FSA also requires life (but not general) insurers to appoint an actuary to advise management on the risks being run, and to monitor those risks. The FSA (2003) found that many insurers had decided they needed separate risk assessment functions and committees, though some functions lacked independence. In a later report (FSA, 2006) it found that insurers had improved their risk governance, with networks of oversight committees, although they often lacked the ability to provide effective challenge. The regulatory requirements in the EU will become tighter when the new ‘Solvency II’ directive is implemented in the EU (expected in 2014). Article 44 requires insurers to have “an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the risks … to which they are or could be exposed, and their interdependencies.”

An important development in the UK was the report of Walker (2009) who, following the 2008 global financial crisis, reviewed corporate governance in UK banks and other financial institutions (‘BOFIs’). He recognised that regulation was necessary to constrain the risks of BOFIs because the social costs of failure exceed the costs borne by shareholders, hence he was concerned to make governance of risk by the boards of major BOFIs more effective alongside enhanced regulation.

Walker distinguished between a backward-looking focus of risk, overseeing and reporting on the accounts, internal control and compliance; and a forward-looking focus with responsibilities for determining risk appetite and, in the context of future strategy and the oversight of risk in real-time, approving and monitoring appropriate limits on exposures and concentrations. While the audit committee fits the former role, Walker recommended that FTSE-100 banks and life insurers establish a separate board risk committee with responsibility for oversight and advice to the board on the current risk exposures and future risk strategy, and ensuring that the firm’s culture supports the management of risk. The board risk committee should be chaired by a non-executive director (NED) with a majority of NED members, and was to focus on ‘fundamental’ prudential risks, such as market, credit and liquidity risk; other important risks, such as operational and reputational, while important, were said to require different focus and expertise, and may divert attention. Further, a BOFI board should be served by a CRO who participates in the risk management and oversight process at the highest level on an enterprise-wide basis and is independent from business units.

We might have envisaged that corporate governance concerns would have led Walker to help ensure that firms took risks consistent with shareholders’ interests, with a focus on ERM and shareholder value, the conflicts with society interests being addressed by separate regulation. However, his suggestion that the board risk committee focus on certain key prudential risks and not on operational or reputational risk is rather different, even though the enterprise-wide work of the CRO would naturally encompass all risks.

The FSA (2010) subsequently issued guidance that regulated firms should consider establishing a board risk committee and appointing a CRO, with FTSE-100 banks and insurers as examples of firms whose size, nature and complexity would warrant this. Including general insurers meant this went beyond the Walker proposals. The FSA suggested that board risk committees should be predominantly non-executive and chaired by a NED.

Walker’s recommendations are consistent with research findings that the workload of audit committees had increased, and that the skills needed for risk management may be best met by a separate body (Fraser & Henry, 2007; Brown et al., 2009; Mongiardino & Plath, 2010). A risk committee, unlike an audit committee, could also include executives, which may be beneficial as risk decisions may need access to executives’ knowledge of business plans and operations (Murphy, 2011) and many of the firm’s risks are best understood by executives (Brown et al., 2009).

This study seeks to ascertain if insurers have group-level CROs and board risk committees with the responsibilities and membership that Walker recommended.

2.3 Risk, audit and controls

While Walker saw monitoring internal controls as a role for the audit committee, the relationship between internal controls and risk management is not clear. The Combined Code of 1998 required companies to maintain a sound system of internal control, and provision D.2.1 included “The review [of the effectiveness of the group’s system of internal control] should cover all controls, including financial, operational and compliance controls and risk management.” This may imply that risk management is part of internal control. On the other hand, the Turnbull guidance (ICAEW, 1999) indicated that internal control will, inter alia, help companies respond to risks, so is internal control part of risk management? Principle C.1 of the current UK Corporate Governance Code (Financial Reporting Council, 2010) requires the board to maintain sound risk management as well as the internal control systems referred to in 1998, while the list of controls to be included in the review no longer includes risk management – perhaps because it warrants a higher status than merely one element in a list of controls? Page & Spira asked, “Is control a part of risk management or is risk management an element of control?” (2004, page 15). The distinction between risk management and internal control remains unclear (Fraser & Henry, 2007; Deighton et al., 2009).

The Financial Reporting Council (2011) accepted that having both an audit and a risk committee may lead to confusion, but this could be overcome by some common membership or holding joint meetings. This study therefore seeks to find out what links there are between insurers’ audit and risk committees and where responsibilities for controls lie.

2.4 Professionals in risk management

Professionalization of risk management is at an early stage (Mikes, 2011), with several organisations present in this area and the potential for professional rivalry (Arena et al., 2010). The CRO role itself requires strong managerial skills, with Deighton et al. (2009) highlighting the need for a solid understanding of the business, good communication skills and having an independent view. They say that while the CRO does not need to be an expert modeller, he or she should be familiar with risk modelling; and although the CRO’s main function is not to undertake intensive quantitative research, he or she has to understand models and raise questions (Garnier, 2009).

Collier et al. (2007) found that the finance director had a pivotal role in risk management, being involved in analysing, assessing, monitoring and reporting risk. However, most management accountants felt marginalised in relation to risk management. The Chartered Institute of Management Accountants does include subjects such as financial risk management and risk and internal control in its examinations. However, accountants’ training is not necessarily a firm foundation for understanding the probabilistic modelling used in risk management (see Woods et al., 2008, in their study of the audit of banks’ Value at Risk figures), and they are not necessarily experts in the broad subject of ERM.

Since internal auditors typically apply a risk-based approach to auditing, they need to be skilled in risk identification. Where they are giving assurance on risk management processes, as in the third line of defence, their risk management skills need to be greater still (although may not be possessed: Fraser & Henry, 2007). In some cases internal auditors may be asked to design risk management systems, or to support the risk management process directly in co-operation with line management (Allegrini & D’Onza, 2003), although the Institute of Internal Auditors (2009) is aware of the potential conflict with internal auditors’ independence. One possibility is that risk management roles are undertaken by individuals with previous internal audit experience.

In insurance, actuaries have been accustomed to thinking of themselves as risk experts (Dowd et al., 2008), based on their mathematical training and their experience of the insurance business. There has been criticism that actuaries have not always highlighted the risks around their financial projections (Morris, 2005) although the profession has been expanding its involvement in ERM and introduced a new qualification: chartered enterprise risk actuary.

This study therefore seeks to find out the extent to which accountants and actuaries are involved in UK insurers’ risk management.

3. Method

We study the 21 UK insurers listed on the London Stock Exchange at the end of 2010, being subject to the UK Corporate Governance Code. They comprise 12 general insurers, 8 life insurers and 1 composite (which carries out both life and general insurance). Of the 21, 8 were FTSE-100, 8 were FTSE-250 companies and 5 were smaller (see Table 1).

The annual report and accounts now contains a substantial amount of information on firms’ risks and risk management, and is a fruitful source for research. The report and accounts is easily available and is regarded as a credible source of information and a valuable tool for research (Stanton & Stanton, 2002) including risk research (Abraham & Cox, 2007). Beretta & Bozolan (2004) use firms’ annual reports as the basis for their work on risk communication and refer to the way in which reports include information that explains figures in the accounts, and contains perspectives (Beattie et al., 2002). There are limitations as the form of risk disclosure information is not uniform, but it is feasible to use the content of the report and accounts as indicative of how the firm approaches risk management. We also examine the terms of reference for risk committees and audit committees, similar to the work of Mongiardino & Plath (2010) and Murphy (2011) in assessing risk governance in banks.


To ascertain the professional and employment background of directors and CROs we use, in addition to firms’ accounts and websites, other web resources, particularly LinkedIn and the Bloomberg BusinessWeek website.

4. Results

4.1 Adoption of the Walker report recommendations

Overall, 11 of the 21 listed insurers had a board risk committee (this includes two with a board ‘risk and capital committee’): see Table 1. Seven were newly established after Walker produced his reports in 2009 suggesting board risk committees; in three cases an existing committee was restructured so that it no longer comprised mainly executives; in the other case the name was changed from risk and regulatory committee. Walker’s expectation that all FTSE-100 life insurers have a board risk committee with a majority of NEDs is satisfied; FSA guidance also suggested a risk committee for the FTSE-100 general insurers, which one of the two had. In addition, three insurers had a combined ‘audit and risk committee’.

Information is available about the composition and terms of reference of the risk committee in ten cases. In all instances it was chaired by a NED, with a majority of NED members in nine out of ten firms; the exception was a general insurer. In seven firms the terms of reference restricted membership to NEDs and only 3 out of 43 members of risk committees were executives. While executives were often in attendance, this suggests the risk committee was seen as a way to challenge management’s view of risk, rather than working in partnership with executives to develop an optimal risk strategy.

Walker envisaged the risk committee would pay particular attention to fundamental prudential risks (operational and reputation risk being outside this); FSA guidance looked for particular but not exclusive emphasis on prudential risks. In practice, the remit of the committees typically covers all risks, although risks to solvency were naturally an important part of this. This is consistent with an ERM framework rather than a regulator’s prudential focus.

In all cases, the risk committee terms of reference gave it a responsibility for advising the board on risk appetite or tolerance, and for overseeing and advising on risk exposures. In seven firms there was specific mention of stress/scenario testing, and in five the committee was involved in the report for the regulator on capital requirements. In some cases the committee was specifically involved in quantitative matters: for example, in Amlin it carries out governance of the firm’s internal model; in Old Mutual, it is concerned with actuarial matters (the CRO is also Actuarial Director).

The FSA guidance follows Walker’s suggestion that risk committees should advise on risk weightings on performance objectives for the remuneration committee, and this was in the terms of reference of six committees. In four of those cases, and in two others, the committee had a wider brief to examine the impact of remuneration on risk-taking, consistent with the concerns raised by the academic evidence. Walker and the FSA also suggested a role for the risk committee in embedding and maintaining a supportive risk culture: this was explicitly incorporated by one firm, although two others made other comments around risk culture. Elsewhere, other committees have such a role: for example, Chaucer’s (executive) risk assurance group has an objective of instilling a culture of risk awareness and controlled risk-taking.

We can identify 17 of the 21 insurers having a group-level CRO (or similar title, although it includes one group risk director who was also responsible for a business unit, i.e. not with the independence of a CRO usually sought): see Table 1. Not having a group-level CRO suggests limited group-wide co-ordination of activities, which is consistent with two of the insurers without a CRO reporting their key performance indicators (KPIs) at segment level and not at group level. The other two cases were general insurers outside the FTSE-350.

4.2 Risk, audit and controls in UK insurers

Walker did not set a fixed division between the responsibilities of audit and risk committees, although he saw the need for co-ordination and overlapping membership. We examine the evidence on this and consider the responsibilities for internal controls.

Walker’s (and FSA’s) suggested remit for a risk committee did not include assessing internal controls. However, internal controls, such as checks on the premiums quoted by underwriters, are a part of insurers’ risk frameworks. Risk functions and committees therefore have a natural interest. As examples, Old Mutual’s risk committee reviews the quality and effectiveness of internal controls; Aviva’s risk committee assists the audit committee in its review of internal controls, including financial reporting; in Amlin that review is done jointly by the two committees.

The issues can be clearer with a ‘three lines of defence’ approach, which insurers typically adopted; eight insurers referred to it explicitly. In some firms, such as Omega, independent external actuaries formed part of the third line of defence, for example by reviewing estimates of future claims. However, the typical position is that the risk functions and risk committees are second line, while internal audit and the audit committee are third line: they give assurance on whether risks are being managed effectively. Highlighting this distinction might help clarity. Indeed, Brit’s audit and risk committee divides its objectives between audit and risk, and internal control policies, except for financial reporting and accounting compliance, are among the ‘risk’ objectives, which are explicitly ‘second line’.

In some cases the risk function operates the internal model and may undertake actuarial functions (Solvency II permits the functions to be combined). In such instances, the challenge to the modelling is provided by the third line of defence (internal audit and, possibly, external actuaries). A more robust approach is to regard the modelling as first line, with challenge from the risk function, whose capabilities may be better than those of internal audit.

Walker recognised the need for liaison between the audit and risk committees. He suggested the chairman of the former serve on the latter, which is the case in five out of ten risk committees; in four other cases, another member provides overlap. In nine of the ten risk committees, the terms of reference also refer to the audit committee, though in only six cases do the terms of reference of the latter refer to the risk committee. One case without such a reference is Phoenix, even though the audit committee duties include keeping under review strategy with regard to risk and the effectiveness of internal controls and risk management systems (neither does it have overlap of membership between the committees).


Where an insurer had an audit committee only, the terms of reference mentioned risk management, though in only a limited way, for example where Admiral’s committee reviews “the adequacy of the Company’s internal financial controls, compliance and internal control and risk management systems.” The evidence we have where there is a separate risk committee suggests there is room for greater clarity and co-ordination of responsibilities.

4.3 Professionals in risk management in UK insurers

The 17 CROs include 7 actuaries, 5 accountants and 5 others. Most (five) of the actuaries were at general insurers, notwithstanding that actuaries have traditionally been more prevalent in life insurers. The accountants include two who were qualified with ACCA, one with CIMA and one with ICAS (the professional body of one was not traced). Of the ‘others’, two had long careers in general insurance and two had previously worked at banks: one with a more quantitative emphasis (senior roles in risk, capital markets and treasury), the other less so (head of strategy and corporate development). The fifth was previously compliance director at an insurer. Hence there is a variety of CRO backgrounds. Actuaries were outnumbered by accountants among members of risk committees, consistent with accountants also being more numerous as directors of insurance companies (see Table 2).

4.4 Elements of risk management in UK insurers

It is possible to identify three elements to insurers’ risk management, and we go on to see what links there are between the elements at the forefront of firms’ risk management and the professional background of the CROs.

4.4.1 Strategic element

In nine cases the firm’s accounts or the risk committee terms of reference referred to ERM, and this was often backed up by comments that alluded to the strategic importance of the risk framework. For example, Lancashire describes ERM as helping ensure that the balance between risk and reward is considered in all important business decisions, and it is the one insurer that, when disclosing its KPIs, also sets out how the risks to those KPIs are managed. Brit is embedding its ERM framework, expecting that it will lead to better informed decision making and help optimise the risk and reward relationship. Aviva’s report and accounts set out its risk strategy and goals clearly, looking for an optimum balance between risk and reward. There is some subjectivity in assessing what the focus of an insurer’s risk management is, though it appears fair to say that there is a strategic focus if the insurer refers to practising ERM. We add one other firm, Prudential, to this category, as its main board directors include a CRO independent of business units. Prudential’s accounts also refer to examples of enterprise-wide rather than silo risk management, for example taking advantage of natural hedges in its worldwide business, such as its US and Asian operations being exposed to interest rates in different directions.

In all these cases there is also evidence of the monitoring role. For example, Aviva’s risk committee reviews the adequacy and quality of the group’s compliance and risk functions. In Standard Life the CRO prepares regular reports on regulatory compliance and on compliance with the financial crime policy. The Old Mutual risk committee receives reports on management’s assessment of the effectiveness of internal controls.

The quantitative strand is present in all these cases, though more so in some than in others. Lancashire emphasises its internal model, which has been developed extensively and is used in monitoring risks of all types, in strategic underwriting decisions and in portfolio optimisation. In Amlin’s accounts the first highlight of the risk management section is that the process for obtaining the FSA’s approval of its dynamic financial analysis model has begun; it has also strengthened use of the model in business processes such as business planning and reinsurance purchase and developed its operational risk modelling capability.

Old Mutual refers to significant progress in 2010 in implementing a model framework where risk, capital and value are aligned with commercial objectives. The accounts disclose data on the marginal impact of extra exposure on economic capital for each main risk type. The risk committee evaluates the group’s risk measurement systems, monitors the management of actuarial risk and oversees the allocation of capital; it is explicitly concerned with the optimisation of risk. When we read that the board risk committee recommends targets for risk-adjusted performance measures to the board and remuneration committee, this reminds us of Mikes’ ‘strategic controller’ role. Similarly, the Brit audit and risk committee reviews the risk-adjusted performance of business units, and their capital requirements, and the CRO is responsible for catastrophe and capital modelling.

4.4.2 Quantitative element

Of the remaining insurers, all used quantitative methods in an important way, but we can identify two where the firm’s own review of risk management in 2010 highlights a quantitative initiative. Omega improved its modelling capabilities to help manage catastrophe exposures, while Beazley has cascaded its risk appetite from eight risk categories to 54 underlying risk events to help the business operate within the required tolerances. Beazley regards the risk quantification skills in its risk management team as helping provide a more consistent and holistic view of risk. Monitoring was also part of risk management activities: Omega established a risk management function “with responsibilities for the risk and control framework across the group”, while Beazley developed its global assurance function and, from 2011, established a risk and regulatory committee of executives, meeting monthly, with quarterly attendance of NEDs.

4.4.3 Monitoring element

Having identified ten firms with a strategic focus to risk management, and two others with a quantitative focus that is highlighted, that leaves eight others. These firms clearly operate quantitative techniques to manage risk, and they may have aspects of ERM, but these are not reported as high profile in risk management compared to some other firms. We can, however, draw attention to the monitoring focus of these firms with some examples.

In Admiral (where there is no group-level CRO or board risk committee), the risk function reports to the head of Compliance. Resolution has an audit and risk committee, where the section on risk is headed ‘risk and controls’. At Novae, the first duty of the board risk committee is to assess risk management procedures. At St James’s Place the central risk function’s primary role is to ensure that an appropriate risk framework is in place; among reports reviewed by the risk committee in 2010 were those from the money laundering officer and from the group legal director, and there was no mention of the committee being involved in the quantification of capital requirements.

4.4.4 Link between focus of risk management and the professional background of the CRO

It is possible to identify a link between the background of the CRO and the role that risk management plays in the firm. The seven CROs who are actuaries all work for insurers with a strategic or quantitative focus, consistent with their professional skills. Hardy states that appointing a CRO who was previously group actuary has facilitated a co-ordinated approach to risk management in view of the increasing reliance on sophisticated models for risk management. However, it may be that, rather than the CRO’s skills determining the form that risk management takes, the firm appoints the CRO consistent with the type of risk management it wishes to have.

It is useful to see examples of firms where there was neither a strategic nor a quantitative focus. Phoenix’s CRO oversees the group’s relationship with the FSA and supports the board committee in oversight of the risk management framework: the CRO is an accountant with previous experience of compliance, audit and risk roles. Similarly, the CRO at Resolution previously worked for the FSA and Department of Trade and Industry (regulators) and at another insurer where she had responsibility for regulatory compliance. In none of the four cases without a CRO is there a strategic focus to the risk management, which suggests some support for the way the focus for risk management was determined.

5. Discussion and Conclusions

Walker was clearly influential, with some insurers attributing the strengthening of their risk governance to his report. However, insurers have gone beyond Walker’s remit for risk committees to focus on fundamental prudential risks. Instead, they recognise the need to act in shareholders’ interests by taking an enterprise-wide rather than prudential view of risk. Firms then address the need to control managers’ interests by having NEDs on risk committees (with a greater dominance than perhaps Walker envisaged) and, in many cases, by taking a wider view of the potential for remuneration structures to affect managers’ risk decisions than risk weightings on performance objectives. Indeed, with many insurers restricting board risk committee membership to non-executives, this emphasises ‘control’ rather than a board that is a partnership using the executives’ skills to help determine which risks to take. Since the FSA guidance on risk committees was formulated before many risk committees were formed, the variety of practices suggests it would be suitable to review that guidance.

Some researchers have referred to potential confusion between the roles of internal control and risk management, and the need for audit/risk committee co-ordination. The evidence suggests different practices and raises some concerns. In practice, risk managers have to be concerned by internal controls: if they fail, that is a risk. Brit differentiated between the risk responsibility being second line of defence and audit the third line. This suggests a solution to the confusion where the audit committee’s responsibility for risk management is at third line, providing assurance to the board, and with the risk function and risk committee co-ordinating risk management, including monitoring internal controls, perhaps (as in the case of St James’s Place) except for those relating to accounting and financial information. Hence both risk and audit are responsible for internal controls (which are part of risk management) but in different ways.


Insurers’ risk management has elements of monitoring, quantitative modelling and strategy. Under Solvency II, insurers have an incentive to develop models as they can use them to set their capital requirements, though one of the regulators’ requirements is that the model be used in the firm’s decision-taking. Quantitative enthusiasts may welcome this and there is potentially a ‘strategic controller’ role for CROs. However, the variety of approaches to risk management – such as that taken by quantitative sceptics – suggests that this should not be an automatic conclusion. Morris (2005) said too much had been expected of actuaries, and Zaman (2001) warned us not to expect too much of audit committees. Given the inherent difficulties of managing risk in large organisations, we should perhaps keep our expectations of risk committees at a modest level.

References

Abraham, S., Cox, P., 2007. Analysing the determinants of narrative risk information in UK FTSE 100 annual reports. The British Accounting Review. 39, 227-248.

Allegrini, M., D’Onza, G., 2003. Internal auditing and risk assessment in large Italian companies: an empirical survey. International Journal of Auditing. 7, 191-208.

Arena, M., Arnaboldi, M., Azzone, G., 2010. The organizational dynamics of enterprise risk management. Accounting, Organizations and Society. 35, 659-675.

Aunon-Nerin, D., Ehling, P., 2008. Why firms purchase property insurance. Journal of Financial Economics. 90, 298-312.

Beattie, V.A., McInnes, B., Fearnley, S., 2002. Through the eyes of management: a study of narrative disclosures, an interim report. London: ICAEW.

Beretta, S., Bozzolan, S., 2004. A framework for the analysis of risk communication. The International Journal of Accounting. 39, 265-288.

Brown, I., Steen, A., Foreman, J., 2009. Risk management in corporate governance: a review and proposal. Corporate Governance: An International Review. 17, 546-558.

Browne, M.J., Ma, Y-L., Wang, P., 2009. Stock-based executive compensation and reserve errors in the property and casualty insurance industry. Journal of Insurance Regulation. 27, 35-54.

Chen, C.R., Steiner, T.L., White, A.M., 2001. Risk taking behavior and managerial ownership in the United States life insurance industry. Applied Financial Economics. 11, 165-171.

Collier, P.M., Berry, A.J., Burke, G.T., 2007. Risk and management accounting. Elsevier, Oxford.

Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004. Enterprise Risk Management – Integrated Framework. AICPA, New York.

Cummins, J.D., Sommer, D.W., 1996. Capital and risk in property-liability insurance markets. Journal of Banking & Finance. 20, 1069-1092.

Deighton, S.P., Dix, R.C., Graham, J.R., Skinner, M.E., 2009. Governance and risk management in United Kingdom insurance companies. Paper presented to the Institute of Actuaries, 23 March.

Dickinson, G., 2001. Enterprise risk management: its origins and conceptual foundations. Geneva Papers on Risk and Insurance. 26, 360-366.

Dowd, K., Blake, D., 2006. After VaR: the theory, estimation, and insurance applications of quantile-based risk measures. Journal of Risk and Insurance. 73, 193-229.

Financial Reporting Council, 2010. UK Corporate Governance Code.

Financial Reporting Council, 2011. Boards and risk.

Financial Services Authority, 2003. Review of UK insurers’ risk management practices.

Financial Services Authority, 2006. Risk management in insurers.

Financial Services Authority, 2010. Effective corporate governance. Policy Statement 10/15.

Financial Times, 2011. In the firing line: the cult of Oswald Grübel. 17/18 September, 16.

Frankland, R., Smith, A.D., Wilkins, T., Varnell, E., Holtham, A., Biffis, E., Eshun, S., Dullaway, D., 2009. Modelling extreme market events: a report of the benchmarking stochastic models working party. British Actuarial Journal. 15 (1), 99-201.

Fraser, I., Henry, W., 2007. Embedding risk management: structures and approaches. Managerial Auditing Journal. 22, 392-409.

Fraser, J.R.S., Simkins, B.J., 2007. Ten common misconceptions about enterprise risk management. Journal of Applied Corporate Finance. 19, 75-81.

Garnier, M., 2009. Black holes in risk governance. Journal of Risk Management in Financial Institutions. 2, 116-120.

Gates, S., 2006. Incorporating strategic risk into enterprise risk management: a survey of current corporate practice. Journal of Applied Corporate Finance. 18, 81-90.

Helliar, C.V., Lonie, A.A., Power, D.M., Sinclair, C.D., 2001. Attitudes of UK managers to risk and uncertainty. Institute of Chartered Accountants of Scotland.

Henry, J.R.S., Simkins, B.J., 2007. Ten common misconceptions about enterprise risk management. Journal of Applied Corporate Finance. 19, 75-81.

Hoyt, R.E., Liebenberg, A.P., forthcoming. The value of enterprise risk management. Journal of Risk and Insurance. DOI: 10.1111/j.1539-6975.2011.01413.x

Institute of Chartered Accountants in England & Wales (ICAEW), 1999. Internal control: guidance for directors on the Combined Code.

Institute of Internal Auditors, 2009. IIA position paper: the role of internal auditing in enterprise-wide risk management.

Laeven, L., Levine, R., 2009. Bank governance, regulation and risk taking. Journal of Financial Economics. 93, 259-275.

MacCrimmon, K.R., Wehrung, D.A., 1990. Characteristics of risk taking executives. Management Science. 36, 422-435.

March, J.G., Shapira, Z., 1987. Managerial perspectives on risk and risk taking. Management Science. 33, 1404-1418.

May, D.O., 1995. Do managerial motives influence firm risk reduction strategies? Journal of Finance. 50, 1291-1308.

Mayers, D., Smith, C.W., 1990. On the corporate demand for insurance: evidence from the reinsurance market. Journal of Business. 63, 19-40.

Mikes, A., 2007. Convictions, conventions and the operational risk maze: the cases of three financial services institutions. International Journal of Risk Assessment and Management. 7, 1027-1054.

Mikes, A., 2008. Chief risk officers at crunch time: compliance champions or business partners? Journal of Risk Management in Financial Institutions. 2 (1), 7-25.

Mikes, A., 2009. Risk management and calculative cultures. Management Accounting Research. 20, 18-40.

Mikes, A., 2011. From counting risk to making risk count: boundary work in risk management. Accounting, Organizations and Society. DOI: 10.1016/j.aos.2011.03.002

Milidonis, A., Stathopoulos, K., 2011. Do U.S. insurance firms offer the “wrong” incentives to their executives? Journal of Risk and Insurance. 78, 643-672.

Mongiardino, A., Plath, C., 2010. Risk governance at banks: have any lessons been learned? Journal of Risk Management in Financial Institutions. 3, 116-123.

Morris, D., 2005. Morris review of the actuarial profession. HM Treasury, London.

Murphy, E., 2011. Assuring responsible risk management in banking: the corporate governance dimension. Delaware Journal of Corporate Law. 36, 121-164.

Page, M., Spira, L.F., 2004. The Turnbull report, internal control and risk management: the developing role of internal audit. Institute of Chartered Accountants of Scotland.

Power, M., 2005. Organizational responses to risk: the rise of the chief risk officer. In Hutter, B., Power, M. (Eds.), Organizational encounters with risk. Cambridge University Press, Cambridge, pp. 132-148.

Power, M., 2009. The risk management of nothing. Accounting, Organisations and Society. 34, 849-555.

Rochette, M., 2009. From risk management to ERM. Journal of Risk Management in Financial Institutions. 2, 394-408.

Sanders, W.G., Hambrick, D.C., 2007. Swinging for the fences: the effects of CEO stock options on company risk taking and performance. Academy of Management Journal. 50, 1055-1078.

Smallman, C., 1996. Risk and organizational behaviour: a research model. Disaster Prevention and Management. 5, 12-26.

Sobel, P.L., Reding, K.F., 2004. Aligning corporate governance with enterprise risk management. Management Accounting Quarterly. 5, 29-37.

Stanton, P., Stanton, J., 2002. Corporate research reports: research perspectives used. Accounting, Auditing & Accountability Journal. 15, 478-500.

Stulz, R.M., 1984. Optimal hedging policies. Journal of Financial and Quantitative Analysis. 19, 127-140.

Swiss Re, 2011. World insurance in 2010. Sigma 2/2011.

Tufano, P., 1996. Who manages risk? An empirical examination of risk management practices in the gold mining industry. Journal of Finance. 51, 1097-1137.

Van Asselt, B.A., Renn, O., 2011. Risk governance. Journal of Risk Research. 14, 431-449.

Varnell, E., 2011. Economic scenario generators and Solvency II. British Actuarial Journal. 16, 121-159.

Walker, D., 2009. A review of corporate governance in UK banks and other financial industry entities. Final recommendations. Treasury, London.

Woods, M., Dowd, K., Humphrey, C., 2008. The value of risk reporting: a critical analysis of value-at-risk disclosures in the banking sector. International Journal of Financial Services Management. 8, 45-64.

Zaman, M., 2001. Turnbull – generating undue expectations of the corporate governance role of audit committees. Managerial Auditing Journal. 16, 5-9.

Table 1. Listed insurers

| Insurer | Type | Index | Board committees* | CRO | ERM† |
|---|---|---|---|---|---|
| Admiral Group plc | General | FTSE-100 | AC only | No | No |
| Amlin plc | General | FTSE-250 | AC and RC | Yes | Yes |
| Aviva plc | Composite | FTSE-100 | AC and RC | Yes | Yes |
| Beazley Group Plc | General | FTSE-250 | AC only | Yes | No |
| BRIT Insurance Holdings Plc | General | FTSE-250 | ARC | Yes | Yes |
| Catlin Group Ltd | General | FTSE-250 | AC only | Yes | Yes |
| Chaucer Holdings plc | General | Other | AC and RC | No | No |
| Chesnara plc | Life | Other | ARC | No | No |
| Hardy Underwriting Bermuda Limited | General | Other | AC only | Yes | Yes |
| Hiscox Ltd | General | FTSE-250 | AC and RC | Yes | No |
| Lancashire Holdings Ltd | General | FTSE-250 | AC only | Yes | Yes |
| Legal & General Group plc | Life | FTSE-100 | AC and RC | Yes | No |
| Novae Group plc | General | Other | AC and RC | Yes | No |
| Old Mutual plc | Life | FTSE-100 | AC and RC | Yes | Yes |
| Omega Insurance Holdings Ltd | General | Other | AC only | No | No |
| Phoenix Group Holdings | Life | FTSE-250 | AC and RC | Yes | No |
| Prudential plc | Life | FTSE-100 | AC and RC | Yes | No |
| Resolution Ltd | Life | FTSE-100 | ARC | Yes | No |
| RSA Insurance Group plc | General | FTSE-100 | AC and RC | Yes | Yes |
| St. James's Place plc | Life | FTSE-250 | AC and RC | Yes | No |
| Standard Life plc | Life | FTSE-100 | AC and RC | Yes | Yes |

*AC = Audit Committee, RC = Risk Committee, ARC = Audit and Risk Committee

† Referred to in report and accounts or terms of reference for board risk committee

Table 2. Average composition of boards and board committees

| | Actuaries | Accountants | Others | Total |
|---|---|---|---|---|
| Boards | 0.6 | 3.2 | 7.0 | 10.8 |
| Board audit committees | 0.2 | 1.0 | 3.1 | 4.3 |
| Board risk and audit committees | 1.0 | 1.7 | 1.7 | 4.3 |
| Board risk committees | 0.3 | 1.5 | 2.2 | 4.0 |