Today, most large organisations have assessed, or at least identified, the risks that they face across their business, often in response to regulation.
The challenge many now face is to continue to use the output from this assessment to deliver value for their business that extends beyond compliance.
The same large organisations typically employ full-time insurance buyers.
This team faces challenges of its own, in ensuring that its organisation continues to buy levels of insurance that are appropriate for its exposures, minimises its costs, reduces volatility and reflects the attitude of the organisation to risk.
In practice, few organisations have yet fully integrated business risk assessment into the design of their insurance and risk financing strategies.
This could be because risk and insurance are treated as separate disciplines and end up being managed within silos in the organisation. It could be that the rationale for managing business risk has been driven purely by corporate governance obligations, with senior management failing to recognise any possible additional returns, or that insurance is seen as offering little protection against strategic risks. Yet by aligning the two processes, the challenges outlined above can often be addressed.
The rationale
Theoretically there are a host of reasons why integrating business risk assessment into the design of corporate insurance programmes makes good sense:
- How will your organisation know it is adequately insuring against its major risks, until it has understood all of its exposures across the business?
- How else can your organisation answer the question 'to what extent does insurance mitigate my company's risk profile'?
- How will your organisation continue to reassure its stakeholders that it has not only identified its principal business risks, but it has taken an appropriate course of action to finance potential losses?
- How will your organisation be able to confidently state its total cost of risk, when the cost of risk assessment, management and financing is being absorbed in different parts of the business?
- How will your organisation know where to focus its risk mitigation and management activity and resource if the risk and insurance functions are not more closely aligned?
- How will your organisation be able to make a case to insurers for optimum terms without clear risk information from a risk assessment?
- How will your organisation create competition and differentiation in the insurance market without demonstrating it has assessed its risks and is managing them?
- How will your organisation know if its insurance represents value for money?
- How will your organisation be able to avoid acknowledged pricing volatility typical in a number of insurance lines without a clearly articulated commitment to managing its principal risks, or without considering buying protection at a higher level?
- How will your organisation justify expenditure on insurance? How will decisions on alternative risk financing be reached without a full understanding of the range of business risks?
- What effect could unidentified, large, uninsurable exposures have on the confidence of your organisation in retaining more risk on its balance sheet?
- How else will your organisation know which risks are driving the cost of insurance cover, and therefore how to allocate premium spend over business units and operating companies?
There appears, therefore, to be a clear justification - in principle - for ensuring that the output from a business risk assessment be used as the foundation for all subsequent decisions on risk management, risk retention and the purchase of insurance. But with only a minority of companies currently buying insurance in such a scientific way, it is important to support theory with evidence that it can actually deliver value in practice.
Rationale in practice
Last year, a FTSE 100 company approached our own organisation to carry out a review of the appropriateness of its insurance programme, and its overall approach to buying insurance. There were a number of reasons why the company thought it the right time to carry out this review, which included increased requirements to demonstrate corporate governance and a major restructure within the business. A recently-appointed risk manager also acted as a catalyst for the initiative.
The starting place for the review was to undertake a risk assessment with business leaders across the company in order to build a risk register.
This exercise was undertaken in several steps, through:
- Reviewing existing risk management documentation, processes and procedures against previous major losses in the company
- Undertaking telephone interviews and aggregating the results in a risk database
- Supplementing this with our perspective on best practice, from practitioners that had worked with other companies in the sector.
Using this information, we were able to compare the client's perceived exposures to their actual insurance cover, identifying major gaps along the way. Having also calculated a revised risk tolerance level for the company, we were able to design the optimum risk transfer programme and negotiate renewed coverage with the insurance markets.
This exercise ended up saving the company millions of pounds in its total cost of risk. It would have been significantly less accurate, effective and achievable had it not have been for the overall assessment of the client's business risks at the outset and a consideration of its corporate risk appetite.
Six practical steps
Given the potential benefits that can be gained from reviewing the design of an insurance programme in light of a business-wide risk assessment, how can companies implement it in their businesses?
STEP 1. EDUCATE THE DECISION-MAKERS
The culture, behaviours and attitudes that senior management demonstrate towards risk management and insurance buying will be a major contributor to the success of an integrated approach. Sometimes it will be worth running short training programmes for them at the outset, to help them understand how business risk management and insurance fit together, and the benefits that can be achieved from mapping insurance buying against risk assessment.
It may also be worth considering a pilot scheme in one area of the business to help demonstrate the potential benefits.
STEP 2. UNDERTAKE A BUSINESS RISK ASSESSMENT
To get a true understanding of their principal risks, companies should follow a structured approach to risk assessment, which begins with the creation of a risk register. This can be developed through interviews with divisional units across every business unit or operating company, and aggregated down following analysis. The risk register can then be used as a basis to quantify and prioritise risks, typically through a workshop run at board level. If a risk register already exists, professional assistance can be brought in to ensure the insurance component overlays sufficiently on these risks (see step 4).
STEP 3. RE-EVALUATE RISK RETENTION LEVELS
Before considering ways in which risk can be managed and transferred, companies can re-evaluate their ability to retain risk on their balance sheet, making their capital work harder for them rather than overspending on insurance. The benefits of doing this need to be considered in light of the risk of materially affecting performance or reputation. A variety of indicators can be followed to determine risk appetite and the willingness or ability of the company to pay for losses from their own liquid reserves.
These include credit ratings, materiality thresholds, benchmarked retention levels by industry or 'rules of thumb'. In addition to ensuring more effective deployment of capital, this process can help companies reduce the volatility attached to insurance market cycles, by buying protection at higher levels.
STEP 4. CROSS CHECK INSURANCE COVERS
Once principal exposures have been determined from the business risk assessment, a cross check can be undertaken to ensure the correct insurance is in place, and at appropriate levels with the optimum wordings.
STEP 5. DEVELOP MANAGEMENT CONTROLS
A clear picture of key risks, their likelihood and probable impact, will help risk managers to further justify investment in risk management controls and initiatives. This investment could take the form of improved processes and procedures, management training, and risk measurement and reporting mechanisms. The benefit from this focused investment can be significant.
Companies may find that their ability to manage risk reduces the need to insure at previous levels. Management activity that can demonstrate a commitment to reducing exposures and claims should have a positive effect on the terms received by the company at its insurance renewal. And those risks that are uninsurable, such as changes in competitive and market dynamics, can be monitored and respond to with a more co-ordinated management focus.
STEP 6. RE-DESIGN INSURANCE PROGRAMME
Using the information gained from the steps above, companies can design the optimum risk transfer programme, and a programme to implement it that includes developing underwriting submissions and reviewing the placement options against a designated list of insurer performance criteria.
Making it happen
Companies can generate significant value from this approach. The fact that more do not follow it reflects the difficulties that some face in making it happen in practice. Risk and insurance managers must be open to learning more about their respective functions and sharing information.
A risk committee, comprising risk manager, insurance buying function and key risk owners can help ensure common goals and integrated activity.
And professional advisers should be able to combine skills and experience in business risk assessment and risk financing strategy, with knowledge of, and access to, the insurance markets.
These factors can help to ensure that investment in business risk assessment delivers bottom line value beyond compliance and that companies are offsetting appropriate levels of risk financing against their principal risks.
- Richard Waterer is vice president marketing and Eddie McLaughlin is a managing director in the Risk Consulting Practice at Marsh, E-mail: Richard.Waterer@marsh.com
