Recently, many regulators, industry associations and insurers have increased their focus on enhancing the role of risk management in a company’s strategic decision making. While this remains a trend, some key challenges continue to hinder the development of the risk function in Asia as a genuine strategic partner to businesses.
To help provide a richer understanding of the risk management function, Milliman conducted a study involving interviews with leading multinational life insurers operating in Asia. This study mapped the journey towards global best practices of risk management capabilities, from viewing risk management as a control function to becoming a provider of value-added insights to the business to assuming a leadership role as a business partner facilitating strategic decision-making.
Key findings and observations
Globally, many companies are integrating more robust risk management frameworks into strategy and capital planning for insights into decision making. This is in response to regulatory requirements, demands from boards of directors for better risk oversight, increased industry volatility and in pursuit of greater competitive advantage. Regulators are also encouraging the inclusion of risk considerations in senior management performance measurement.
In Asia, while risk management is gaining wider visibility and appreciation, board members and senior executives continue to look for evidence to justify the financial and business costs of upgrades to their risk management processes. Even where senior sponsorship exists, many companies struggle with driving the effort through to completion, and risk management processes are in need of substantial improvement to deliver a more appealing value-addition proposition.
From our study, we highlight five key challenges that inhibit the development of the risk function and an enterprise-wide risk culture.
1. Senior ownership and sponsorship for risk management
For the risk function to be a value-adding, decision-making partner to the business, it needs to have board and executive management sponsorship. Risk management is a key responsibility of the boards of insurance companies because it is fundamental to their responsibilities to their shareholders and is key to the execution of their business strategies.
Group offices of multinational insurers in Europe or North America tend to have group risk functions more advanced in performing forward-looking assessments than the regional Asian risk function. The primary reasons identified were limited sponsorship for an independent regional risk function, and limited risk representation at key committees, restricting the ability to provide input into strategic decisions.
The capability to perform a forward-looking role is also limited by resource and skill shortages. Resources are allocated instead to “firefighting” or resolving operational issues, with insufficient allocation to adequately understand strategic and emerging risks.
Consequently, the risk function’s ability to add value as a strategic business partner is also limited. Sponsorship is required to allow enhancements of processes to efficiently identify, measure, monitor and report risks.
2. Senior management remuneration incentives
It is important to have a balanced scorecard with risk assessment established for key risk performance indicators (KPIs) of senior management. This helps permeate a risk culture and embed it firmly into the organisation.
Integrating enterprise risk management (ERM) with performance management incentivises top management to view risk as an evaluator of the company’s overall health and helps link activities to risk appetite.
One common tactic to tackle the cultural transformation is to merge risk-adjusted performance into incentive compensation structures. According to our study, companies are still struggling to evolve their ERM programmes beyond a qualitative state and this level of sophistication is rare. This is a necessary interim step before ERM efforts can be integrated into capital and strategy analytics that will help drive behaviours.
In Asia, companies are increasingly implementing at least qualitative measures when assessing management performance in respect of risk management. Chief risk officers (CROs) typically have some say in remuneration and performance review but are not directly involved in the setting of KPIs. A few companies are considering or have already adopted internal economic capital as a management KPI.
3. Risk authority and responsibility
Responsibilities should be documented to ensure that roles are clearly defined throughout the organisation. Separation of duties prevents conflicts of interest among associates rewarded for risk-taking and those responsible for identifying excess risks. Under regulatory guidance, the separation of roles and responsibilities is interpreted as implementing and embedding a clearly defined three lines of defence (3LOD) model.
While 3LOD is practised by companies in Asia, the tendency is that the greater the number of stakeholders involved, the greater the need for a mature and transparent framework.
Commonly within companies in the region, there is at least some documentation that exists around 3LOD, with roles defined at a structural level for each line of defence. Each of the three lines can communicate formally in management meetings and in informal settings. However, in practice, the implementation of the framework varies across companies, with some lacking the specificity to make it meaningful. There is still dissonance on individual roles in the process.
The challenge is for companies to diagnose whether their organisations are truly embedding a 3LOD framework that assists risk considerations at each decision-making stage, and to define a risk culture across the organisation.
4. Identification and management of material risks
Risk management processes require established risk appetite statements and limits, with a monitoring process that actively manages and reports risk exposures. Risk reporting tools such as a risk checklist, risk register, risk heat map and risk dashboards should be adopted to ensure timeliness and quality of risk reporting to senior management, along with periodic risk reports such as the Own Risk and Solvency Assessment (ORSA).
In Asia, despite some risk tools and structures being in place, there is a high level of dependency on staff skills and availability for risk identification. A lack of technical ability and understanding of organisational priorities results in key periodic risk reports being limited to numeric updates on what is known, and emerging risks are not sufficiently reported.
Whilst quantitative risks receive more focus, greater focus is still required in managing qualitative risks such as reputational and regulatory risks, operational and emerging risks, including cyber risk. This includes the ability to assess these risks, facilitate a resolution and recovery strategy, embed a holistic view of enterprise-wide risks and understand their interactions. Despite recent investments to manage operational risk, it continues to be an area that requires more dedicated focus due to the existence of legacy systems and manually-intensive processes (eg, claims management). Change or project management and information technology (IT) development will help better manage operational risk exposures.
Cyber risk is receiving greater management focus in Asia and resources are being allocated to train staff, build controls and seek advice. However, greater development is still required.
5. Staff expertise and skills
Investment in talent is critical to develop the risk function. An embedded risk culture and sponsorship from senior leadership, with defined strategic priorities, are regarded as key areas to identify needs for the development, training and recruitment of skilled staff. A lack of sponsorship restricts the ability of the function to invest even where known skill gaps exist.
A lack of technical and actuarial expertise increases the level of dependency of the risk function on other first-line defence functions. This reduces its ability to consolidate and investigate the root causes of risk issues and restricts the function to risk reporting rather than evolved forward-looking risk management. Companies frequently express difficulty in recruiting and training staff with balanced skill sets between technical and softer skills, where staff are able to complement technical skills with an understanding of business dynamics and operations.
Mr Shoaib Javed Hussain is Consulting Actuary at Milliman.