The economic globalisation as well as the digital revolution and associated consequences have led organisations in all industries to put risk management at the heart of their governance. They have done so by implementing Enterprise Risk Management (ERM) frameworks and increasing their Chief Risk Officer’s (CRO) role and responsibilities.
ERM is a continuous process that calls for adopting a holistic approach to identify, assess, mitigate, and monitor short-term to long-term risks. Its aim is to create value and opportunities for an organisation’s stakeholders, through an appropriate risk-reward balance.
The recent collapse of Silicon Valley Bank, Signature Bank, and First Republic Bank has reminded financial institutions that having effective ERM systems capable of preventing such disasters is crucial.
Furthermore, emerging risks and challenges—the pandemic, cyber threats and climate change—as well as the environmental, social and governance (ESG) considerations are significantly increasing the ERM’s role within organisations.
Don’t have time to read the whole blog entry? Then watch our “Blog in 1 minute” video for a quick summary of its main points:
In this context, actuaries, as risk management professionals and specialists, are naturally equipped to help organisations in all industries and all sizes to implement robust and effective ERM frameworks. It seems only natural then that we share in this blog our Actuarial team’s take on the best practices to delineate and carry out such frameworks.
Risk and uncertainty: The ERM solution
The concept of ERM has been around for a while, but in today’s dynamic environment it has become even more critical for the effective risk management of any organisation including yours.
A robust ERM framework takes into account risks from all sources—internal and external, quantitative and qualitative—that negatively affect an organisation’s performance targets. Examples of such risks are financial, strategic, operational, reputational, as well as regulator, compliance and legal risks.
Such a framework, if defined and managed properly, can help your organisation achieve its strategic objectives, while also building strong risk resilience. But the benefits don’t end here:
1. Optimal risk-reward strategyEnterprise Risk Management has evolved over the years as a value-adding strategic initiative from a traditional risk management tool for protection against downside risk. Today, your ERM framework should encompass an optimal risk-reward strategy by capturing the interplay and trade-off between risk and reward.
Consequently, it should foster a strong risk management culture throughout the organisation while also balancing the demands of various stakeholders. Moreover, it should contribute to increasing long-term stakeholder value by improving the organisation’s risk-return profile.
ERM can help you manage earnings volatility, which in turn reduces the risk capital the organisation requires, improving shareholder value as you can invest the freed-up capital to generate higher profit margins.
As we mentioned, ERM adopts a holistic approach to risk management, instead of an individual silo-based approach. This means that it captures the aggregate effect of various risks while allowing for concentration and diversification between them.
This way your organisation benefits from risk diversification while ensuring that the overall risk exposure stays within identified risk tolerances. This is especially critical in the current risk landscape, where you simply can’t ignore the interconnectivity of risks, as the high magnitudes of one risk event can have a ripple effect on other risks.
When you have in place an effective ERM programme, you can manage risk more dynamically since it enables you to monitor the rapidly changing internal and external landscape—at economic, operational, societal, geopolitical, technological and environmental levels. This prepares your organisation to proactively respond to emerging risks or changes in the existing risk profile.
According to the World Economic Forum’s ‘Global Risk Report 2023,’ climate change, geoeconomic confrontation and cybersecurity are among the top ten long-term risks facing us today.
Undoubtedly, environment, social and governance (ESG) and cybersecurity are currently hot topics of discussion at boardrooms in any industry. That’s why incorporating them as risks in your ERM framework can help you integrate and streamline them within your organisation’s strategy.
Keep in mind that a well-defined ERM framework embeds proper governance and controls in the business processes, which reduces the operational risks, but also provides useful management information for strategic and business planning purposes.
Having the proper governance and controls also helps you comply with the regulators’ increased scrutiny—for example, the Own Risk and Solvency Assessment (ORSA) requirements, which is the Solvency II directive’s second pillar—and justify the embeddedness of internal models.
The Actuaries’ role in implementing ERM
Actuaries are regarded as risk management specialists, and are valued for their professional integrity as well as analytical and quantitative skills. Moreover, they have the necessary tools, models and processes, and problem-solving skills for quantifying risks of all types, frequencies, and magnitudes and their impact on an organisation’s profitability and solvency.
These proven tools and processes can also be used in other industries. The Own Risk and Solvency Assessment (ORSA) process is a good example of an integrated risk management system, using holistic and forward-looking assessment approaches, that can easily be transposed to other industries as a part of the ERM framework.
There are several recent examples where actuaries at PwC Luxembourg have supported various European Institutions and Intergovernmental organisations in addition to other financial institutions in (re-)designing and enhancing their ERM frameworks.
With actuaries now venturing into newer fields, such as data analytics, environmental and ethical finance, they are developing appropriate tools and models to quantify the emerging risks we mentioned before . To do so, they are actively harnessing the power of data science, machine learning, AI and robotics to analyse risks and generate key insights for strategic and business decision-making.
In sum, actuaries can help you in every aspect of your organisation’s risk management and control framework.
How to develop and calibrate an ERM framework
1. Building a risk culture
Defining an organisation’s risk culture is a prerequisite for an effective ERM programme. Risk culture outlines how the different individuals and groups in your organisation understand, approach and manage risks. It contributes to informed risk-taking that aligns with your organisation’s risk appetite to create sustainable value.
To make it work, you should clearly communicate and cascade the risk culture from the highest level (the senior leadership and board members) to get the buy-in for ERM from all levels of your organisation.
You should also define the key accountabilities and ownership for the ERM programme at this stage. This includes setting up a specific project team for its implementation and a risk management team led by the CRO to ensure the ERM integration within the organisation’s strategy and operating model.
2. Developing an ERM framework
Actuaries often use the actuarial control cycle, a problem-solving and decision-making framework applicable to any industry, at different stages of the risk management process—such as identifying, modelling, mitigating, and monitoring risks. This cycle’s components are:
- Define the problem;
- Design the solution;
- Monitor the results.
You can use and modify this approach to define, implement and manage a robust ERM framework through five key steps:
The first step in an ERM programme is to clearly define and grasp your organisation’s business objectives and strategy. It will help you design a suitable risk management strategy to tackle the risks that could potentially hinder their achievement.
In this step, you will also need to define your organisation’s risk appetite and tolerance as it will help you set the risk criteria for the strategic decision-making. By doing so, you will ultimately form the basis for informed risk-taking, which will encourage your organisation to accept a certain level of risks to achieve business objectives while taking actions to avoid, mitigate or transfer other risks.
This step typically involves qualitative risk assessment based on interviews, discussions and workshops with a broad group of individuals from management and different departments in your organisation.
Through the Risk Categorisation and Definition (RCD) tool, you can create a Risk Register to identify, define and categorise all the risks that may negatively (or positively) impact your organisation. The Risk Register should be periodically updated to include newly emerging risks and changes in the existing risk profile.
Once you identify all the risks, each one of them should be evaluated in terms of both exposure (financial and non-financial consequences) and probability (likelihood of occurrence), and taking into account the effectiveness of existing controls and mitigation strategies. You should then rank these risks, prioritising top risks for further assessment, quantification, and mitigation.
Risk analytics and assessment is the most critical step of an ERM framework as it generates useful information for the board and senior management to make more informed business and risk management decisions.
In this step, you want to use a risk model to quantify the total enterprise risk exposure. We recommend you use a modified ‘Risk or Economic Capital’ model to capture the combined effect of various risks and their interactions on the key performance metrics, such as the profitability, required capital and economic value of your organisation.
The model could either be deterministic, run with a baseline and a range of risk scenarios (both downside and upside, and multiple, simultaneous risk events), or stochastic, run with a broad range of scenarios (generally 1,000 to 10,000) to allow for random variation in one or more risk parameters.
For a deterministic model, you coordinate with subject matter experts from different business departments to establish the risk scenarios, while for a stochastic model, they are created using a scenario generator.
A number of sophisticated Economic Scenario Generators are already available in the market to facilitate the stochastic modelling of various financial and economic risk drivers.
Moreover, actuaries have already developed several risk models as part of their traditional role in the insurance industry—for example, the Solvency II Internal Risk Models and ORSA and Economic Capital models.
An efficient ERM programme aims to devise an optimal risk management strategy that maximises rewards. This is done by exploiting profitable opportunities within the organisation’s risk appetite, which is what the risk treatment step is all about.
First, you should review the risk exposure output generated in the risk assessment step, and use a risk-budgeting approach to define the risk limits beyond which a risk management action is triggered.
The aim here is to assess each risk against the specified risk tolerances to determine which risks already fit within the risk appetite and which ones require additional treatment. Accordingly, you should choose one of the following risk treatments for each individual risk: acceptance, mitigation (hedging), transfer ([re]insurance) or avoidance.
This is the final step of an ERM framework and provides useful management information on key risks to support strategic decision-making.
In this step, you want to monitor your organisation’s risk exposure and the effectiveness of various risk management strategies, and communicate the outcomes regularly to relevant business units and senior management, using, for instance, risk dashboards. This ensures that the ERM framework is well embedded within the organisation’s processes and strategic planning.
On a final note, the ERM framework is based on a control cycle approach that requires continuous monitoring of internal and external environments and repeating the above steps for any changes in the organisation’s risk profile.
Conclusion
Over the years, implementing a robust ERM framework has become crucial for all organisations due to the emergence of new risks, ESG issues and global interdependence. Moreover, prudential regulations such as Solvency II or Basel III also strengthen the vital role of ERM processes within organisations.
In addition, organisations also appreciate the benefits that ERM can provide to stakeholders, as a good risk management system can also mean opportunity and value creation. This is especially true since the ERMs’ robustness and effectiveness can be significantly enhanced with technology such as blockchain, artificial intelligence, and machine learning.
Actuaries can support other industries in the implementation, audit, and improvement of ERM processes.
At PwC Luxembourg, our Actuarial and Risk Modelling Services team has the necessary experience to measure the challenges and constraints your organisation may encounter when implementing and managing a robust and efficient ERM.
What we think
Today’s ever changing risk landscape, where the social and economic costs of risk management failures are so high, mandates a holistic enterprise-wide approach to risk management. Organisations across industries benefit from the actuarial expertise to implement an optimal ERM framework to be better positioned to exploit emerging opportunities and gain competitive advantage while keeping their risk exposure under check.
Harshita Jain, Manager, Actuarial and Risk Modelling Services at PwC Luxembourg
Actuaries are uniquely positioned as risk management specialists due to their analytical prowess, quantitative skills, and deep understanding of financial mechanisms. Our ability to quantify various risks and assess their impact on an organisation’s financial health equips us to play a pivotal role in the implementation and enhancement of ERM frameworks.
Timothée Muller, Manager, Actuarial and Risk Modelling Services at PwC Luxembourg
