Centre for Risk & Insurance Studies enhancing the understanding of risk and insurance
Risk governance in UK insurers: beyond the audit committee Christopher O’Brien
CRIS Discussion Paper Series – 2011.I
Christopher O’Brien Centre for Risk and Insurance Studies Nottingham University Business School
Abstract
Following the global financial crisis of 2008, a Treasury-commissioned report by Sir David Walker recommended a strengthening of risk governance in UK financial institutions. This paper examines listed UK insurers and finds that many responded by establishing board risk committees as suggested, or by changing the membership of existing committees to remove executive dominance. However, while Walker recommended that the committees focus on fundamental prudential risks, the committees in practice cover all risks, consistent with an enterprise-wide view of risk. Risk management was typically regarded as including monitoring internal controls, although there were inconsistencies between firms in the co-ordination of the activities of risk and audit committees. We also find that insurers differ in the emphasis they give to different elements of risk management – monitoring, quantitative modelling and strategic risk – and there is a link between this emphasis and the professional background of the CRO, where both actuaries and accountants play an important role.
Keywords Audit committees; corporate governance; insurance; risk committees; risk governance; risk management.
1. Introduction
Early papers on risk governance were concerned with the problem of how to take decisions in public policy areas with complex risks relating to health and the environment, and involved the role of science and experts (van Asselt & Renn, 2011). Businesses also face the problem of decision-taking when outcomes are uncertain, and have to recognise that multiple stakeholders are involved. Corporate governance is often concerned with the agency problem, i.e. managers may act in their own rather than the shareholders’ interests, and with what mechanisms – such as audit committees – may be implemented to address this. There is also a separate concern: that firms, by seeking to increase shareholder value, may act contrary to wider societal interests. This problem is not solved by governance mechanisms designed to protect shareholders’ interests; rather, regulation may be appropriate. These issues came into sharp focus in the global financial crisis of 2008 when, among other factors, risky decisions made by bonus-incentivised bankers impacted on taxpayers when governments felt obliged to bail out financially distressed banks. Ensuring that managers take risky decisions in shareholders’ interests is particularly problematic for three reasons. First, there is a large body of evidence which indicates that individuals are subject to biases when considering risks: for example, March & Shapira (1987) found that managers were insensitive to estimates of probabilities of possible outcomes and that their decisions were particularly affected by their being focussed on critical performance targets; MacCrimmon & Wehrung (1990) concluded that personal characteristics of executives affected their risk-taking; while Helliar et al.’s (2001) findings were that managers made choices that depended on how questions were framed, and tended to treat high-probability outcomes as certain and to ignore low-probability outcomes. Second, remuneration structures bias decisions about risk (Stulz, 1984): in particular, there is evidence that managers’ holding of share options is linked with firms hedging less than otherwise (Tufano, 1996) and with firms’ performance becoming more extreme (Sanders & Hambrick, 2007); and that managers’ shareholdings affect the degree of risk in acquisitions (May, 1995) and how they buy insurance (Aunon-Nerin & Ehling, 2008). Shareholder influence, as reflected in share ownership structures, can play some role in mitigating managerial dominance (Mayers & Smith, 1990; Laeven & Levine, 2009). And third, it is difficult to monitor whether decisions are taken in shareholders’ or managers’ interests, given the problems, before the event, in judging risks and their potential impact. Hence risk governance is an issue.
While banks have been the focus of much recent discussion on these questions, this paper examines the insurance industry, where risk is inherent in the business: insurers set out to take risks from individuals and firms and to place these on their own balance sheet. The evidence in this paper is from the UK insurance industry, which was the third largest in the world in 2010, measured by premiums (Swiss Re, 2011). Previous research has shown that managerial incentives in insurance firms are associated with firms’ decisions on, for example, holdings of capital and portfolio risks (Cummins & Sommer, 1996), risk exposures (Chen et al., 2001; Milidonis & Stathopoulos, 2011), and what firms set aside as provisions for future claims (Browne et al., 2009). There are therefore reasons to think that the governance arrangements for insurers’ risk decisions are important. Concern about corporate governance in banks and insurers led the UK Treasury to commission a report from Sir David Walker (2009) who, when considering risk governance, suggested that large financial institutions establish a board risk committee, separate from the audit committee. One of the contributions of this paper is to establish whether his recommendations for the composition and activities of risk committees were fulfilled; the outcome indicates some differences. Following on, the paper considers the consequences for the relationship between the risk and audit committees, especially given the ambiguity about the relationship between internal controls and risk management (Page & Spira, 2004). Lastly, we examine the role of professionals – notably accountants and actuaries – in risk management, recalling Dowd & Blake’s (2006, p. 221) comment: “the stage was set for a classic turf war”, and assess whether there is a link between the type of individual acting as Chief Risk Officer (CRO) and the form in which risk management is carried out, which Mikes (2008) found to be the case in banks.
2. Background
2.1 Elements of risk management
Risk management was traditionally concerned with buying insurance, hedging financial risks with derivatives and taking steps to ensure health and safety. More generally, if a firm’s processes did not operate as they should or if they breached some regulation, the unplanned outcome was a risk; hence monitoring is part of holistic risk management (Smallman, 1996). Indeed, risk teams in UK insurers were originally set up in the late 1980s as compliance teams (Deighton et al., 2009). Mikes (2008) explains that one role of the risk function in banks is to act as compliance champion, delivering compliance with regulatory requirements, and building and safeguarding a risk management framework. When the losses of UBS rogue trader Kweku Adoboli came to light, the Financial Times (2011) reported that the CRO “is facing every risk officer’s worst nightmare just nine months into the job – she will face tough questions about UBS’s controls”. One approach that many UK insurers use to monitor activities is the ‘three lines of defence’ model (Deighton et al., 2009). The first line is line managers carrying out risk management; second, a central risk function, supported by a risk committee, interprets group policy, provides support and collates information; and thirdly, independent assurance is provided by internal audit, and possibly external consultants. The second level may have committees focussing on specific risk types, such as assessing the claims-paying ability of reinsurers. We use the shorthand of ‘monitoring’ to refer to this element of risk management, where a risk framework is built and activities are reviewed for compliance. The second main element of risk management is quantitative techniques, which insurers use to calculate the premiums they charge and to make stochastic projections of their future financial position using internal models of their own business. 
The techniques have become increasingly sophisticated, involving probability distributions of future outcomes for financial markets and insurance claims. Such models can, in principle, indicate what capital is needed to ensure the insurer remains solvent over a given timescale with a specified probability – assuming, of course, that the model is appropriate. Firms’ modelling abilities have been increased by improved IT capabilities and by advances by the actuarial profession (e.g. Frankland et al., 2009; Varnell, 2011). Further, risk management can have a third element: a role in company strategy. Mikes (2008) commented that whether CROs were influential in the business depended on the quality and credibility of their insights in strategic discussions. One way to link risk and strategy is when a firm implements enterprise risk management (ERM). Effective risk management is when the activities of the firm – its decisions and operations – are carried out with the degree and types of risk that are consistent with the firm’s objectives. ERM is when this is carried out across the firm. What it involves is apparent from COSO’s (2004) definition: “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. ERM has been stimulated by a number of high-profile company failures, by corporate governance codes and by the increased role of shareholder value models (Dickinson, 2001). Rochette (2009) argues that by linking risk decisions to firms’ objectives ERM can help achieve those objectives. The reported advantages of ERM include better-informed decision-taking (Gates, 2006) and lower financing costs if there is an improved credit rating (Henry & Simkins, 2007), while Hoyt & Liebenberg (forthcoming) found that ERM in US insurers is associated with a positive effect on Tobin’s q, a proxy for firm value. It is the CRO’s role to oversee and co-ordinate the ERM process (Sobel & Reding, 2004). However, while ERM looks fine in principle, there are potential pitfalls (Fraser & Henry, 2007): there can be difficulties in evaluating some risks and in avoiding line managers managing risks on a silo basis that conflicts with entity objectives (Deighton et al., 2009). Some firms have over-complicated ERM and found it difficult to implement successfully (Fraser & Simkins, 2007). One conclusion was that ERM is a managerial fad (Power, 2005) and fails to provide the security that is expected of it (Power, 2009). The way in which risk management involves a number of elements was confirmed by Mikes’ (2008) survey of 15 international banks. She found there were different ways in which the CRO role was carried out. One possible focus was as a compliance champion, concerned to build a risk framework and deliver compliance with new rules. Senior risk officers would provide assurance to senior management that adequate processes and controls were in place. In other banks, the risk function was focussed on highly sophisticated risk modelling: senior risk officers led the implementation of firm-wide risk models that could give an overall view of financial risks in the business.
Of the 15 bank CROs, 8 were highly involved in strategic activities such as board-level strategic decision-making, and they could be divided into two groups. One group were ‘strategic controllers’, who used the output of sophisticated risk models as their input to strategic issues. Senior risk officers used models to advise top management on the risk-adjusted performance of business units, influencing how capital was committed. In such risk functions, the CROs tended to be ‘quantitative enthusiasts’, keen on financial models and replacing judgmental risk assessments with risk quantification. The other group were ‘strategic advisers’, where models played a role in their judgement but did not drive it; they drew on their business experience and knowledge of danger signs to anticipate emerging risks. These CROs tended to be ‘quantitative sceptics’, viewing risk models with caution, and complementing or overwriting the results with senior managerial discretion, experience and judgment. This is consistent with Collier et al.’s (2007) finding that it was common for firms to use experience, intuition, hindsight and judgement in managing risk. Mikes (2007, 2009) refers to the ‘calculative culture’ of an organisation, which could be shaped by senior risk officers using their discretion according to their personal convictions, which depended on their professional backgrounds and the institutional context in which they operated. Those with an internal audit background were more inclined to be sceptical towards a mathematical approach to operational risk, for example. Arena et al.’s (2010) case studies are also consistent with a link between the professional background of the CRO and the form of risk management that was implemented. This paper therefore looks to establish if there is a link between the way in which UK insurers operate risk management and the professional background of the CROs.
2.2 Risk management and regulation
UK insurers are subject to the rules of the industry regulator, the Financial Services Authority (FSA), whose principles require insurers to have adequate risk management systems; effective risk management can be rewarded with a lower regulatory capital requirement (Deighton et al., 2009). The FSA also requires life (but not general) insurers to appoint an actuary to advise management on the risks being run, and to monitor those risks. The FSA (2003) found that many insurers had decided they needed separate risk assessment functions and committees, though some functions lacked independence. In a later report (FSA, 2006) it found that insurers had improved their risk governance, with networks of oversight committees, although they often lacked the ability to provide effective challenge. The regulatory requirements in the EU will become tighter when the new ‘Solvency II’ directive is implemented (expected in 2014). Article 44 requires insurers to have “an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the risks … to which they are or could be exposed, and their interdependencies.” An important development in the UK was the report of Walker (2009) who, following the 2008 global financial crisis, reviewed corporate governance in UK banks and other financial institutions (‘BOFIs’). He recognised that regulation was necessary to constrain the risks of BOFIs because the social costs of failure exceed the costs borne by shareholders; hence he was concerned to make governance of risk by the boards of major BOFIs more effective alongside enhanced regulation.
Walker distinguished between a backward-looking focus of risk, overseeing and reporting on the accounts, internal control and compliance; and a forward-looking focus with responsibilities for determining risk appetite and, in the context of future strategy and the oversight of risk in real time, approving and monitoring appropriate limits on exposures and concentrations. While the audit committee fits the former role, Walker recommended that FTSE-100 banks and life insurers establish a separate board risk committee with responsibility for oversight of, and advice to the board on, current risk exposures and future risk strategy, and for ensuring that the firm’s culture supports the management of risk. The board risk committee should be chaired by a non-executive director (NED) with a majority of NED members, and was to focus on ‘fundamental’ prudential risks, such as market, credit and liquidity risk; other risks, such as operational and reputational risk, while important, were said to require a different focus and expertise, and might divert attention. Further, a BOFI board should be served by a CRO who participates in the risk management and oversight process at the highest level on an enterprise-wide basis and is independent from business units. We might have envisaged that corporate governance concerns would have led Walker to help ensure that firms took risks consistent with shareholders’ interests, with a focus on ERM and shareholder value, the conflicts with society’s interests being addressed by separate regulation. However, his suggestion that the board risk committee focus on certain key prudential risks and not on operational or reputational risk is rather different, even though the enterprise-wide work of the CRO would naturally encompass all risks.
The FSA (2010) subsequently issued guidance that regulated firms should consider establishing a board risk committee and appointing a CRO, with FTSE-100 banks and insurers as examples of firms whose size, nature and complexity would warrant this. Including general insurers meant this went beyond the Walker proposals. The FSA suggested that board risk committees should be predominantly non-executive and chaired by a NED. Walker’s recommendations are consistent with research findings that the workload of audit committees had increased, and that the skills needed for risk management may be best met by a separate body (Fraser & Henry, 2007; Brown et al., 2009; Mongiardino & Plath, 2010). A risk committee, unlike an audit committee, could also include executives, which may be beneficial as risk decisions may need access to executives’ knowledge of business plans and operations (Murphy, 2011) and many of the firm’s risks are best understood by executives (Brown et al., 2009). This study seeks to ascertain whether insurers have group-level CROs and board risk committees with the responsibilities and membership that Walker recommended.
2.3 Risk, audit and controls
While Walker saw monitoring internal controls as a role for the audit committee, the relationship between internal controls and risk management is not clear. The Combined Code of 1998 required companies to maintain a sound system of internal control, and provision D.2.1 included “The review [of the effectiveness of the group’s system of internal control] should cover all controls, including financial, operational and compliance controls and risk management.” This may imply that risk management is part of internal control. On the other hand, the Turnbull guidance (ICAEW, 1999) indicated that internal control will, inter alia, help companies respond to risks, so is internal control part of risk management? Principle C.1 of the current UK Corporate Governance Code (Financial Reporting Council, 2010) requires the board to maintain sound risk management as well as the internal control systems referred to in 1998, while the list of controls to be included in the review no longer includes risk management – perhaps because it warrants a higher status than merely one element in a list of controls? Page & Spira asked, “Is control a part of risk management or is risk management an element of control?” (2004, page 15). The distinction between risk management and internal control remains unclear (Fraser & Henry, 2007; Deighton et al., 2009). The Financial Reporting Council (2011) accepted that having both an audit and a risk committee may lead to confusion, but this could be overcome by some common membership or holding joint meetings. This study therefore seeks to find out what links there are between insurers’ audit and risk committees and where responsibilities for controls lie.
2.4 Professionals in risk management
Professionalization of risk management is at an early stage (Mikes, 2011), with several organisations present in this area and the potential for professional rivalry (Arena et al., 2010). The CRO role itself requires strong managerial skills, with Deighton et al. (2009) highlighting the need for a solid understanding of the business, good communication skills and an independent view. They say that while the CRO does not need to be an expert modeller, he or she should be familiar with risk modelling; and although the CRO’s main function is not to undertake intensive quantitative research, he or she has to understand models and raise questions (Garnier, 2009). Collier et al. (2007) found that the finance director had a pivotal role in risk management, being involved in analysing, assessing, monitoring and reporting risk. However, most management accountants felt marginalised in relation to risk management. The Chartered Institute of Management Accountants does include subjects such as financial risk management and risk and internal control in its examinations. However, accountants’ training is not necessarily a firm foundation for understanding the probabilistic modelling used in risk management (see Woods et al., 2008, in their study of the audit of banks’ Value at Risk figures), and they are not necessarily experts in the broad subject of ERM. Since internal auditors typically apply a risk-based approach to auditing, they need to be skilled in risk identification. Where they are giving assurance on risk management processes, as in the third line of defence, their risk management skills need to be greater still (although these may not be possessed: Fraser & Henry, 2007). In some cases internal auditors may be asked to design risk management systems, or to support the risk management process directly in co-operation with line management (Allegrini & D’Onza, 2003), although the Institute of Internal Auditors (2009) is aware of the potential conflict with internal auditors’ independence. One possibility is that risk management roles are undertaken by individuals with previous internal audit experience. In insurance, actuaries have been accustomed to thinking of themselves as risk experts (Dowd et al., 2008), based on their mathematical training and their experience of the insurance business. There has been criticism that actuaries have not always highlighted the risks around their financial projections (Morris, 2005), although the profession has been expanding its involvement in ERM and has introduced a new qualification: chartered enterprise risk actuary. This study therefore seeks to find out the extent to which accountants and actuaries are involved in UK insurers’ risk management.
3. Method
We study the 21 UK insurers listed on the London Stock Exchange at the end of 2010, these being subject to the UK Corporate Governance Code. They comprise 12 general insurers, 8 life insurers and 1 composite (which carries out both life and general insurance). Of the 21, 8 were FTSE-100 companies, 8 were FTSE-250 companies and 5 were smaller (see Table 1). The annual report and accounts now contains a substantial amount of information on firms’ risks and risk management, and is a fruitful source for research. The report and accounts is easily available and is regarded as a credible source of information and a valuable tool for research (Stanton & Stanton, 2002), including risk research (Abraham & Cox, 2007). Beretta & Bozzolan (2004) use firms’ annual reports as the basis for their work on risk communication and refer to the way in which reports include information that explains figures in the accounts, and contain perspectives (Beattie et al., 2002). There are limitations, as the form of risk disclosure information is not uniform, but it is feasible to use the content of the report and accounts as indicative of how the firm approaches risk management. We also examine the terms of reference for risk committees and audit committees, similar to the work of Mongiardino & Plath (2010) and Murphy (2011) in assessing risk governance in banks.
To ascertain the professional and employment background of directors and CROs we use, in addition to firms’ accounts and websites, other web resources, particularly LinkedIn and the Bloomberg BusinessWeek website.
4. Results
4.1 Adoption of the Walker report recommendations
Overall, 11 of the 21 listed insurers had a board risk committee (this includes two with a board ‘risk and capital committee’): see Table 1. Seven were newly established after Walker produced his reports in 2009 suggesting board risk committees; in three cases an existing committee was restructured so that it no longer comprised mainly executives; in the other case the name was changed from risk and regulatory committee. Walker’s expectation that all FTSE-100 life insurers have a board risk committee with a majority of NEDs is satisfied; FSA guidance also suggested a risk committee for the FTSE-100 general insurers, which one of the two had. In addition, three insurers had a combined ‘audit and risk committee’. Information is available about the composition and terms of reference of the risk committee in ten cases. In all instances it was chaired by a NED, with a majority of NED members in nine out of ten firms; the exception was a general insurer. In seven firms the terms of reference restricted membership to NEDs and only 3 out of 43 members of risk committees were executives. While executives were often in attendance, this suggests the risk committee was seen as a way to challenge management’s view of risk, rather than working in partnership with executives to develop an optimal risk strategy. Walker envisaged the risk committee would pay particular attention to fundamental prudential risks (operational and reputation risk being outside this); FSA guidance looked for particular but not exclusive emphasis on prudential risks. In practice, the remit of the committees typically covers all risks, although risks to solvency were naturally an important part of this. This is consistent with an ERM framework rather than a regulator’s prudential focus. In all cases, the risk committee terms of reference gave it a responsibility for advising the board on risk appetite or tolerance, and for overseeing and advising on risk exposures. 
In seven firms there was specific mention of stress/scenario testing, and in five the committee was involved in the report for the regulator on capital requirements. In some cases the committee was specifically involved in quantitative matters: for example, in Amlin it carries out governance of the firm’s internal model; in Old Mutual, it is concerned with actuarial matters (the CRO is also Actuarial Director). The FSA guidance follows Walker’s suggestion that risk committees should advise on risk weightings on performance objectives for the remuneration committee, and this was in the terms of reference of six committees. In four of those cases, and in two others, the committee had a wider brief to examine the impact of remuneration on risk-taking, consistent with the concerns raised by the academic evidence. Walker and the FSA also suggested a role for the risk committee in embedding and maintaining a supportive risk culture: this was explicitly incorporated by one firm, although two others made other comments around risk culture. Elsewhere, other committees have such a role: for example, Chaucer’s (executive) risk assurance group has an objective of instilling a culture of risk awareness and controlled risk-taking. We can identify 17 of the 21 insurers as having a group-level CRO (or similar title, although this includes one group risk director who was also responsible for a business unit, i.e. without the independence of a CRO usually sought): see Table 1. Not having a group-level CRO suggests limited group-wide co-ordination of activities, which is consistent with two of the insurers without a CRO reporting their key performance indicators (KPIs) at segment level and not at group level. The other two cases were general insurers outside the FTSE-350.
4.2 Risk, audit and controls in UK insurers
Walker did not set a fixed division between the responsibilities of audit and risk committees, although he saw the need for co-ordination and overlapping membership. We examine the evidence on this and consider the responsibilities for internal controls. Walker’s (and the FSA’s) suggested remit for a risk committee did not include assessing internal controls. However, internal controls, such as checks on the premiums quoted by underwriters, are a part of insurers’ risk frameworks. Risk functions and committees therefore have a natural interest. As examples, Old Mutual’s risk committee reviews the quality and effectiveness of internal controls; Aviva’s risk committee assists the audit committee in its review of internal controls, including financial reporting; in Amlin that review is done jointly by the two committees. The issues can be clearer with a ‘three lines of defence’ approach, which insurers typically adopted; eight insurers referred to it explicitly. In some firms, such as Omega, independent external actuaries formed part of the third line of defence, for example by reviewing estimates of future claims. However, the typical position is that the risk functions and risk committees are second line, while internal audit and the audit committee are third line: they give assurance on whether risks are being managed effectively. Highlighting this distinction might help clarity. Indeed, Brit’s audit and risk committee divides its objectives between audit and risk, and internal control policies, except for financial reporting and accounting compliance, are among the ‘risk’ objectives, which are explicitly ‘second line’. In some cases the risk function operates the internal model and may undertake actuarial functions (Solvency II permits the functions to be combined). In such instances, the challenge to the modelling is provided by the third line of defence (internal audit and, possibly, external actuaries).
A more robust approach is to regard the modelling as first line, with challenge from the risk function, whose capabilities may be better than those of internal audit. Walker recognised the need for liaison between the audit and risk committees. He suggested the chairman of the former serve on the latter, which is the case in five out of ten risk committees; in four other cases, another member provides overlap. In nine of the ten risk committees, the terms of reference also refer to the audit committee, though in only six cases do the terms of reference of the latter refer to the risk committee. One case without such a reference is Phoenix, even though the audit committee duties include keeping under review strategy with regard to risk and the effectiveness of internal controls and risk management systems (neither does it have overlap of membership between the committees).
Where an insurer had an audit committee only, the terms of reference mentioned risk management, though in only a limited way, for example where Admiral’s committee reviews “the adequacy of the Company’s internal financial controls, compliance and internal control and risk management systems.” The evidence we have where there is a separate risk committee suggests there is room for greater clarity and co-ordination of responsibilities.
4.3 Professionals in risk management in UK insurers
The 17 CROs include 7 actuaries, 5 accountants and 5 others. Most (five) of the actuaries were at general insurers, notwithstanding actuaries having traditionally been more prevalent in life insurers. The accountants include two who were qualified with ACCA, one with CIMA and one with ICAS (the professional body of one was not traced). Of the ‘others’, two had long careers in general insurance and two had previously worked at banks: one with a more quantitative emphasis (senior roles in risk, capital markets and treasury), the other less so (head of strategy and corporate development). The fifth was previously compliance director at an insurer. Hence there is a variety of CRO backgrounds. Actuaries were outnumbered by accountants among members of risk committees, consistent with accountants also being more numerous as directors of insurance companies (see Table 2).
4.4 Elements of risk management in UK insurers
It is possible to identify three elements of insurers’ risk management, and we go on to see what links there are between the elements at the forefront of firms’ risk management and the professional background of the CROs.
4.4.1 Strategic element
In nine cases the firm’s accounts or the risk committee terms of reference referred to ERM, and this was often backed up by comments that alluded to the strategic importance of the risk framework. For example, Lancashire describes ERM as helping ensure that the balance between risk and reward is considered in all important business decisions, and it is the one insurer that, when disclosing its KPIs, also sets out how the risks to those KPIs are managed. Brit is embedding its ERM framework, expecting that it will lead to better informed decision making and help optimise the risk and reward relationship. Aviva’s report and accounts set out its risk strategy and goals clearly, looking for an optimum balance between risk and reward. There is some subjectivity in assessing what the focus of an insurer’s risk management is, though it appears fair to say that there is a strategic focus if the insurer refers to practising ERM. We add one other firm, Prudential, to this category, as its main board directors include a CRO independent of business units. Prudential’s accounts also refer to examples of enterprise-wide rather than silo risk management, for example taking advantage of natural hedges in its worldwide business, such as its US and Asian operations being exposed to interest rates in different directions. In all these cases there is also evidence of the monitoring role. For example, Aviva’s risk committee reviews the adequacy and quality of the group’s compliance and risk functions. In Standard Life the CRO prepares regular reports on regulatory compliance and on compliance with the financial crime policy. The Old Mutual risk committee receives reports on management’s assessment of the effectiveness of internal controls. The quantitative strand is present in all these cases, though more so in some than in others. Lancashire emphasises its internal model, which has been developed extensively and is used in monitoring risks of all types, in strategic underwriting decisions and in portfolio optimisation. In Amlin’s accounts the first highlight of the risk management section is that the process for obtaining the FSA’s approval of its dynamic financial analysis model has begun; it has also strengthened use of the model in business processes such as business planning and reinsurance purchase, and developed its operational risk modelling capability. Old Mutual refers to significant progress in 2010 in implementing a model framework where risk, capital and value are aligned with commercial objectives. The accounts disclose data on the marginal impact of extra exposure on economic capital for each main risk type. The risk committee evaluates the group’s risk measurement systems, monitors the management of actuarial risk and oversees the allocation of capital; it is explicitly concerned with the optimisation of risk. When we read that the board risk committee recommends targets for risk-adjusted performance measures to the board and remuneration committee, this reminds us of Mikes’ ‘strategic controller’ role. Similarly, the Brit audit and risk committee reviews the risk-adjusted performance of business units, and their capital requirements, and the CRO is responsible for catastrophe and capital modelling.
4.4.2 Quantitative element
Of the remaining insurers, all used quantitative methods in an important way, but we can identify two where the firm’s own review of risk management in 2010 highlights a quantitative initiative. Omega improved its modelling capabilities to help manage catastrophe exposures, while Beazley has cascaded its risk appetite from eight risk categories to 54 underlying risk events to help the business operate within the required tolerances. Beazley regards the risk quantification skills in its risk management team as helping provide a more consistent and holistic view of risk. Monitoring was also part of risk management activities: Omega established a risk management function “with responsibilities for the risk and control framework across the group”, while Beazley developed its global assurance function and, from 2011, established a risk and regulatory committee of executives, meeting monthly, with quarterly attendance of NEDs.
4.4.3 Monitoring element
Having identified ten firms with a strategic focus to risk management, and two others with a highlighted quantitative focus, that leaves eight others. These firms clearly operate quantitative techniques to manage risk, and they may have aspects of ERM, but these are not reported as high profile in risk management compared to some other firms. We can, however, draw attention to the monitoring focus of these firms with some examples. In Admiral (where there is no group-level CRO or board risk committee), the risk function reports to the head of Compliance. Resolution has an audit and risk committee, where the section on risk is headed ‘risk and controls’. At Novae, the first duty of the board risk committee is to assess risk management procedures. At St James’s Place the central risk function’s primary role is to ensure that an appropriate risk framework is in place; among reports reviewed by the risk committee in 2010 were those from the money laundering officer and from the group legal director, and there was no mention of the committee being involved in the quantification of capital requirements.
4.4.4 Link between focus of risk management and the professional background of the CRO
It is possible to identify a link between the background of the CRO and the role that risk management plays in the firm. The seven CROs who are actuaries all work for insurers with a strategic or quantitative focus, consistent with their professional skills. Hardy states that appointing a CRO who was previously group actuary has facilitated a co-ordinated approach to risk management in view of the increasing reliance on sophisticated models for risk management. However, it may be that, rather than the CRO’s skills determining the form that risk management takes, the firm appoints a CRO consistent with the type of risk management it wishes to have. It is useful to see examples of firms where there was neither a strategic nor a quantitative focus. Phoenix’s CRO oversees the group’s relationship with the FSA and supports the board committee in oversight of the risk management framework: the CRO is an accountant with previous experience of compliance, audit and risk roles. Similarly, the CRO at Resolution previously worked for the FSA and the Department of Trade and Industry (regulators) and at another insurer where she had responsibility for regulatory compliance. None of the four firms without a CRO has a strategic focus to its risk management, which lends some support to the way we determined each firm’s risk management focus.
5. Discussion and Conclusions
Walker was clearly influential, with some insurers attributing the strengthening of their risk governance to his report. However, insurers have gone beyond Walker’s remit for risk committees to focus on fundamental prudential risks. Instead, they recognise the need to act in shareholders’ interests by taking an enterprise-wide rather than prudential view of risk. Firms then address the need to control managers’ interests by having NEDs on risk committees (with a greater dominance than perhaps Walker envisaged) and, in many cases, by taking a wider view of the potential for remuneration structures to affect managers’ risk decisions than risk weightings on performance objectives. Indeed, with many insurers restricting board risk committee membership to non-executives, this emphasises ‘control’ rather than a board that is a partnership using the executives’ skills to help determine which risks to take. Since the FSA guidance on risk committees was formulated before many risk committees were formed, the variety of practices suggests it would be suitable to review that guidance. Some researchers have referred to potential confusion between the roles of internal control and risk management, and the need for audit/risk committee co-ordination. The evidence suggests different practices and raises some concerns. In practice, risk managers have to be concerned with internal controls: if they fail, that is a risk. Brit differentiated between risk responsibility being the second line of defence and audit the third line. This suggests a solution to the confusion: the audit committee’s responsibility for risk management is at the third line, providing assurance to the board, while the risk function and risk committee co-ordinate risk management, including monitoring internal controls, perhaps (as in the case of St James’s Place) except for those relating to accounting and financial information. Hence both risk and audit are responsible for internal controls (which are part of risk management) but in different ways.
Insurers’ risk management has elements of monitoring, quantitative modelling and strategy. Under Solvency II, insurers have an incentive to develop models as they can use them to set their capital requirements, though one of the regulators’ requirements is that the model be used in the firm’s decision-taking. Quantitative enthusiasts may welcome this and there is potentially a ‘strategic controller’ role for CROs. However, the variety of approaches to risk management – such as that taken by quantitative sceptics – suggests that this should not be an automatic conclusion. Morris (2005) said too much had been expected of actuaries, and Zaman (2001) warned us not to expect too much of audit committees. Given the inherent difficulties of managing risk in large organisations, we should perhaps keep our expectations of risk committees at a modest level.
References
Abraham, S., Cox, P., 2007. Analysing the determinants of narrative risk information in UK FTSE 100 annual reports. The British Accounting Review. 39, 227-248.
Allegrini, M., D’Onza, G., 2003. Internal auditing and risk assessment in large Italian companies: an empirical survey. International Journal of Auditing. 7, 191-208.
Arena, M., Arnaboldi, M., Azzone, G., 2010. The organizational dynamics of enterprise risk management. Accounting, Organizations and Society. 35, 659-675.
Aunon-Nerin, D., Ehling, P., 2008. Why firms purchase property insurance. Journal of Financial Economics. 90, 298-312.
Beattie, V.A., McInnes, B., Fearnley, S., 2002. Through the eyes of management: a study of narrative disclosures, an interim report. London: ICAEW.
Beretta, S., Bozzolan, S., 2004. A framework for the analysis of risk communication. The International Journal of Accounting. 39, 265-288.
Brown, I., Steen, A., Foreman, J., 2009. Risk management in corporate governance: a review and proposal. Corporate Governance: An International Review. 17, 546-558.
Browne, M.J., Ma, Y-L., Wang, P., 2009. Stock-based executive compensation and reserve errors in the property and casualty insurance industry. Journal of Insurance Regulation. 27, 35-54.
Chen, C.R., Steiner, T.L., White, A.M., 2001. Risk taking behavior and managerial ownership in the United States life insurance industry. Applied Financial Economics. 11, 165-171.
Collier, P.M., Berry, A.J., Burke, G.T., 2007. Risk and management accounting. Elsevier, Oxford.
Committee of Sponsoring Organisations of the Treadway Commission (COSO), 2004. Enterprise Risk Management - Integrated Framework. AICPA, New York.
Cummins, J.D., Sommer, D.W., 1996. Capital and risk in property-liability insurance markets. Journal of Banking & Finance. 20, 1069-1092.
Deighton, S.P., Dix, R.C., Graham, J.R., Skinner, M.E., 2009. Governance and risk management in United Kingdom insurance companies. Paper presented to the Institute of Actuaries, 23 March.
Dickinson, G., 2001. Enterprise risk management: its origins and conceptual foundations. Geneva Papers on Risk and Insurance. 26, 360-366.
Dowd, K., Blake, D., 2006. After VaR: the theory, estimation, and insurance applications of quantile-based risk measures. Journal of Risk and Insurance. 73, 193-229.
Financial Reporting Council, 2010. UK Corporate Governance Code.
Financial Reporting Council, 2011. Boards and risk.
Financial Services Authority, 2003. Review of UK insurers’ risk management practices.
Financial Services Authority, 2006. Risk management in insurers.
Financial Services Authority, 2010. Effective corporate governance. Policy Statement 10/15.
Financial Times, 2011. In the firing line: the cult of Oswald Grübel. 17/18 September, 16.
Frankland, R., Smith, A.D., Wilkins, T., Varnell, E., Holtham, A., Biffis, E., Eshun, S., Dullaway, D., 2009. Modelling extreme market events: a report of the benchmarking stochastic models working party. British Actuarial Journal. 15, 1, 99-201.
Fraser, I., Henry, W., 2007. Embedding risk management: structures and approaches. Managerial Auditing Journal. 22, 392-409.
Fraser, J.R.S., Simkins, B.J., 2007. Ten common misconceptions about enterprise risk management. Journal of Applied Corporate Finance. 19, 75-81.
Garnier, M., 2009. Black holes in risk governance. Journal of Risk Management in Financial Institutions. 2, 116-120.
Gates, S., 2006. Incorporating strategic risk into enterprise risk management: a survey of current corporate practice. Journal of Applied Corporate Finance. 18, 81-90.
Helliar, C.V., Lonie, A.A., Power, D.M., Sinclair, C.D., 2001. Attitudes of UK managers to risk and uncertainty. Institute of Chartered Accountants of Scotland.
Hoyt, R.E., Liebenberg, A.P., forthcoming. The value of enterprise risk management. Journal of Risk and Insurance. DOI: 10.1111/j.1539-6975.2011.01413.x
Institute of Chartered Accountants in England & Wales (ICAEW), 1999. Internal control: guidance for directors on the Combined Code.
Institute of Internal Auditors, 2009. IIA position paper: the role of internal auditing in enterprise-wide risk management.
Laeven, L., Levine, R., 2009. Bank governance, regulation and risk taking. Journal of Financial Economics. 93, 259-275.
MacCrimmon, K.R., Wehrung, D.A., 1990. Characteristics of risk taking executives. Management Science. 36, 422-435.
March, J.G., Shapira, Z., 1987. Managerial perspectives on risk and risk taking. Management Science. 33, 1404-1418.
May, D.O., 1995. Do managerial motives influence firm risk reduction strategies? Journal of Finance. 50, 1291-1308.
Mayers, D., Smith, C.W., 1990. On the corporate demand for insurance: evidence from the reinsurance market. Journal of Business. 63, 19-40.
Mikes, A., 2007. Convictions, conventions and the operational risk maze: the cases of three financial services institutions. International Journal of Risk Assessment and Management. 7, 1027-1054.
Mikes, A., 2008. Chief risk officers at crunch time: compliance champions or business partners? Journal of Risk Management in Financial Institutions. 2 (1), 7-25.
Mikes, A., 2009. Risk management and calculative cultures. Management Accounting Research. 20, 18-40.
Mikes, A., 2011. From counting risk to making risk count: boundary work in risk management. Accounting, Organizations and Society. doi: 10.1016/j.aos.2011.03.002
Milidonis, A., Stathopoulos, K., 2011. Do U.S. insurance firms offer the “wrong” incentives to their executives? Journal of Risk and Insurance. 78, 643-672.
Mongiardino, A., Plath, C., 2010. Risk governance at banks: have any lessons been learned? Journal of Risk Management in Financial Institutions. 3, 116-123.
Morris, D., 2005. Morris review of the actuarial profession. HM Treasury, London.
Murphy, E., 2011. Assuring responsible risk management in banking: the corporate governance dimension. Delaware Journal of Corporate Law. 36, 121-164.
Page, M., Spira, L.F., 2004. The Turnbull report, internal control and risk management: the developing role of internal audit. Institute of Chartered Accountants of Scotland.
Power, M., 2005. Organizational responses to risk: the rise of the chief risk officer. In Hutter, B., Power, M. (Eds.), Organizational encounters with risk. Cambridge University Press, Cambridge, pp. 132-148.
Power, M., 2009. The risk management of nothing. Accounting, Organizations and Society. 34, 849-855.
Rochette, M., 2009. From risk management to ERM. Journal of Risk Management in Financial Institutions. 2, 394-408.
Sanders, W.G., Hambrick, D.C., 2007. Swinging for the fences: the effects of CEO stock options on company risk taking and performance. Academy of Management Journal. 50, 1055-1078.
Smallman, C., 1996. Risk and organizational behaviour: a research model. Disaster Prevention and Management. 5, 12-26.
Sobel, P.L., Reding, K.F., 2004. Aligning corporate governance with enterprise risk management. Management Accounting Quarterly. 5, 29-37.
Stanton, P., Stanton, J., 2002. Corporate annual reports: research perspectives used. Accounting, Auditing & Accountability Journal. 15, 478-500.
Stulz, R.M., 1984. Optimal hedging policies. Journal of Financial and Quantitative Analysis. 19, 127-140.
Swiss Re, 2011. World insurance in 2010. Sigma 2/2011.
Tufano, P., 1996. Who manages risk? An empirical examination of risk management practices in the gold mining industry. Journal of Finance. 51, 1097-1137.
van Asselt, M.B.A., Renn, O., 2011. Risk governance. Journal of Risk Research. 14, 431-449.
Varnell, E., 2011. Economic scenario generators and Solvency II. British Actuarial Journal. 16, 121-159.
Walker, D., 2009. A review of corporate governance in UK banks and other financial industry entities: final recommendations. HM Treasury, London.
Woods, M., Dowd, K., Humphrey, C., 2008. The value of risk reporting: a critical analysis of value-at-risk disclosures in the banking sector. International Journal of Financial Services Management. 8, 45-64.
Zaman, M., 2001. Turnbull – generating undue expectations of the corporate governance role of audit committees. Managerial Auditing Journal. 16, 5-9.
Table 1. Listed insurers

Insurer                             Type       Index     Board committees*   CRO   ERM†
Admiral Group plc                   General    FTSE-100  AC only             No    No
Amlin plc                           General    FTSE-250  AC and RC           Yes   Yes
Aviva plc                           Composite  FTSE-100  AC and RC           Yes   Yes
Beazley Group Plc                   General    FTSE-250  AC only             Yes   No
BRIT Insurance Holdings Plc         General    FTSE-250  ARC                 Yes   Yes
Catlin Group Ltd                    General    FTSE-250  AC only             Yes   Yes
Chaucer Holdings plc                General    Other     AC and RC           No    No
Chesnara plc                        Life       Other     ARC                 No    No
Hardy Underwriting Bermuda Limited  General    Other     AC only             Yes   Yes
Hiscox Ltd                          General    FTSE-250  AC and RC           Yes   No
Lancashire Holdings Ltd             General    FTSE-250  AC only             Yes   Yes
Legal & General Group plc           Life       FTSE-100  AC and RC           Yes   No
Novae Group plc                     General    Other     AC and RC           Yes   No
Old Mutual plc                      Life       FTSE-100  AC and RC           Yes   Yes
Omega Insurance Holdings Ltd        General    Other     AC only             No    No
Phoenix Group Holdings              Life       FTSE-250  AC and RC           Yes   No
Prudential plc                      Life       FTSE-100  AC and RC           Yes   No
Resolution Ltd                      Life       FTSE-100  ARC                 Yes   No
RSA Insurance Group plc             General    FTSE-100  AC and RC           Yes   Yes
St. James's Place plc               Life       FTSE-250  AC and RC           Yes   No
Standard Life plc                   Life       FTSE-100  AC and RC           Yes   Yes
*AC = Audit Committee, RC = Risk Committee, ARC = Audit and Risk Committee
†Referred to in report and accounts or terms of reference for board risk committee

Table 2. Average composition of boards and board committees

                                   Actuaries  Accountants  Others  Total
Boards                                   0.6          3.2     7.0   10.8
Board audit committees                   0.2          1.0     3.1    4.3
Board risk and audit committees          1.0          1.7     1.7    4.3
Board risk committees                    0.3          1.5     2.2    4.0