Introduction

Enterprise risk management (ERM) has recently emerged as a widespread practice in financial institutions. It is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.Footnote 1 ERM takes a holistic view of risk management and attempts to reduce the probability of large negative earnings and cash flows by coordinating and controlling offsetting risks across the enterprise. It is a way of measuring, understanding and controlling risks facing the firm; it is also viewed as a management tool that can identify profitable opportunities to enhance shareholder wealth.

Under the ERM framework, corporations take on risks necessary to pursue their strategic objectives, consistent with their “risk appetite”. The core of the ERM process is efficient risk integration, where inter-relations among risks and risk prioritisation are highlighted. Certain risk measures, aggregation methods or other mathematical modelling approaches are usually involved in its implementation. Effective risk reporting and communications in a well-designed organisational structure are also essential for the success of ERM. While ERM can be important to meeting ever increasing regulatory compliance standards, the ultimate goal of ERM is to move beyond the initial incentive of meeting compliance standards to achieving real economic value. In two recently released reports, Systemic Risk in Insurance and Key Financial Stability Issues in Insurance, The Geneva AssociationFootnote 2 identified strengthening “risk management practices” as one of three key measures that “aim to strengthen financial stability”. The report on Systemic Risk in Insurance explicitly concludes that principle-based group supervision “supported by sound industry risk-management practices, will mitigate potential systemic risk related to” non-core activities by insurers (such as derivatives trading and mismanagement of short-term funding).

Previous research on ERM has mainly focused on company-specific characteristics connected with ERM adoption and has sought to understand the benefits of ERM by examining the stockmarket reaction to ERM adoption, as proxied by the appointment of a Chief Risk Officer (CRO) or other equivalent activities. Kleffner et al.Footnote 3 examined characteristics of Canadian firms and their ERM adoption status. The influence of the risk manager and the encouragement from the board of directors are the two major reasons causing ERM adoption. Liebenberg and HoytFootnote 4 used CRO appointments to examine the determinants of ERM adoption. The authors found that firms that appointed a CRO had higher leverage. Furthermore, Beasley et al.Footnote 5 show that the existence of a CRO, board independence, managerial involvement, firm size and auditor type are associated with a greater stage of ERM adoption. Examining a sample of 120 companies appointing CROs, Beasley et al.Footnote 6 find no significant stock price reaction to ERM adoption. However, a cross-sectional analysis finds that firms in non-financial industries that are more likely to experience costly lower tail outcomes have a positive stock price reaction around the adoption of ERM. These results are consistent with Stulz,Footnote 7 who shows that it is only firms that face these lower tail outcomes that will benefit from ERM, while other firms will see no benefit and could destroy value by spending corporate resources on risk management. In a related work, Pagach and WarrFootnote 8 examine the determinants of firms that adopt ERM. The authors show that companies that are more leveraged, have more volatile earnings and exhibit poorer stockmarket performance are more likely to initiate an ERM programme. In addition, they find that ERM is used for reasons beyond basic risk management, including offsetting CEO risk-taking incentives and seeking improved operating performance.

Otherwise, ERM can be understood as a corporate governance and management control discipline, which is advocated as a strategic management control system. A significant challenge for ERM is the need to establish its own voice and language in order to provide organisational debates with their representation of economic motive and possibilities for action.Footnote 9 With respect to that discipline, MikesFootnote 10 suggests that calculative cultures shape managerial predilections towards ERM practices, and serve as important constituents of the fit between risk control systems and organisational contexts. This conception of ERM encompasses risk that cannot be readily quantified or aggregated, for example risk of strategic failure, environmental risks, reputational risks and operational risks.

Even traditional risk management, where individual risks are managed in separate silos, can have positive effects on a firm's success. Empirical evidence shows that firms managing risk do not have high market-to-book ratios, and that risk management is uncorrelated with leverage, positively correlated with dividend yield and dividend payout, and negatively correlated with liquidity.Footnote 11 AdamFootnote 12 finds that risk management can reduce a firm's dependence on external capital markets. The use of risk management instruments can moderate the volatility of cash flows, which reduces the probability of incurring bankruptcy costs.Footnote 13 Unlike traditional risk management, the ERM approach should result in synergies between different risk management activities, increase capital efficiency, decrease earnings volatility, and reduce stock-price volatility, external capital costs and marginal cost of risk reduction.Footnote 14 Despite the heightened interest in ERM by insurance managers and actuaries who usually oversee the ERM programme, there is only limited empirical evidence on how insurance companies actually implement the ERM approach.

In 2006, Tillinghast, a risk management consulting firm, surveyed senior insurance industry executives on ERM implementation. Survey respondents included direct writers of life or property-liability insurance, multiline insurers and reinsurers. Two hundred and four insurers participated in the TillinghastFootnote 15 survey. This included insurers with operations in North America, in Europe, in the Asia-Pacific region and in Latin America as well as multinational insurers with operations in multiple regions. The survey focused primarily on the risk measurement and quantification process and addressed the following topics: risk measurement and quantification, responsibility for risk management, economic capital competence, risk reporting, decision-making and satisfaction with the current risk management practices as well as the impact of Solvency II. Our study contributes to the evidence on ERM activities in several ways relative to this prior study. First, our comprehensive survey considers a broader scope of ERM components than those considered in the TillinghastFootnote 15 study. Second, by focusing on insurers operating in one market, we control for potential biases due to differences in regulatory regimes. Finally, ERM activity has continued to grow and we consider a more recent time period. As we discuss in this paper, our results offer several interesting differences in comparison to the findings of this early study.

From a conceptual perspective, ERM consists of: (1) processes to identify all relevant risk categories and exposures; (2) quantitative models to measure and evaluate these risks; (3) tools like risk limits to manage them efficiently; (4) an organisational culture of risk awareness; and, (5) a management approach that integrates ERM and all of its components into operational and strategic decision-making. This paper attempts to extend the narrow focus of the ERM literature by examining the implementation of ERM components in the insurance industry empirically in a very detailed way. The goal of our research is to provide answers to the following questions: What percentage of insurance companies has already adopted ERM? How do insurance companies specifically implement the five components of an ERM system that are mentioned above? Are some of these components viewed as more important than others? If a company introduces the different components of an ERM system sequentially, which components are implemented first?

The ERM model

Many organisations are implementing ERM processes to increase the effectiveness of their risk management activities, with the ultimate goal of increasing stakeholder value. In fact, there is no agreement on what ERM is and what risk management tools make it occur. Therefore, we developed a conceptual framework for ERM which is presented in Figure 1. The framework is structured along the lines of the risk management process.

Figure 1: The ERM model.

The first step in the risk management process is risk identification, the second step is risk evaluation, and the third step is the selection and implementation of appropriate risk management tools. We distinguish risk management on the strategic management level and on the business process level. The success of risk management in a corporation depends crucially on how the risk management function is implemented in the organisational structure of the company. In addition, on the strategic management level the corporate governance mechanism plays a similar role and basically provides the organisational context in which strategic risk management has to work.

The survey

On the basis of our ERM model we developed a questionnaire to answer our research questions. We performed a comprehensive survey of German property-liability insurance companies with premiums written in excess of 40 million euros. There are 113 insurers in Germany with a premium volume exceeding 40 million euros, and 95 of them participated in our survey, leading to a response rate of 84 per cent; the participating insurers have a combined market share of over 90 per cent of the German property-liability insurance market. The survey was based on a questionnaire covering all five dimensions of an ERM system (as described above), and was conducted as a series of standardised telephone interviews. The underlying questionnaire is extensive; it includes 86 questions on 21 aspects of the ERM approach, and spans 16 pages.Footnote 16 In addition to detailed questions about specific ERM activities, the questionnaire also identifies the point in time when these ERM activities were implemented.Footnote 17

Strategic level results

The first section of our analysis focused on the strategic level of the ERM model presented above. Specifically, we focused on whether companies actually incorporate the concept of ERM in their overall business strategy, and whether companies have a well functioning corporate governance mechanism.Footnote 18 These two elements and the associated results from the survey are presented in this section.

Risk management strategy

Risk management is a strategic business process, where managers need to assess whether the firm's business activities are consistent with its stated strategic ambitions, and how risk management is linked to investment and performance decisions.Footnote 19 Utilising the company's resources and capabilities,Footnote 20 management needs to develop a risk management strategy based on risk environment and stakeholders’ risk appetite.Footnote 21 The overall strategy for risk management should include risk management philosophy and organisational responsibility; policy choices can range from a highly centralised controller model to a highly de-centralised and autonomous risk policy.Footnote 22 To analyse whether the insurers have a risk management strategy, we asked two questions. First, we asked whether they have defined a target rating considering the accepted risk level as a proxy for risk appetite. Second, we asked the insurers whether they have a corporate risk strategy, which basically defines how they should deal with risks. Seventy-seven per cent of the insurers have already defined a target rating, and 89 per cent of the insurers have a risk strategy within the corporate strategy. In addition, we integrated a “since when” question to assess the state of implementation of a risk management strategy. While in 2007 only 32 per cent (n=30) of the insurers had a risk strategy, this percentage increased to 82 per cent (n=78) in 2008, and to 89 per cent (n=85) in 2009. 
Interestingly, there is no significant increase in risk strategy implementation immediately following the adoption of the Law for Corporate Control and Transparency in Large Companies (KonTraG), which became effective in May 1998.Footnote 23 However, the increase in risk strategy implementation after 2006 is consistent with the results of the 2006 Tillinghast ERM survey: 71 per cent of the surveyed European insurance companies that plan to improve their risk management capabilities in anticipation of Solvency II place a high priority on “embedding risk management within the whole organisation”, and 64 per cent of those insurers place a high priority on “clearly defining risk appetite”.Footnote 24

The precondition for a successful risk strategy is an effective risk management culture.Footnote 25 A risk management culture describes the way in which the firm handles its individual risks and is affected by the corporate culture.Footnote 26 Since a number of empirical studies have established a link between strong corporate culture and company success,Footnote 27 we asked the companies whether they have a strategy for a risk management culture and when it was established. While in 1999 only 4 per cent (n=4) of the insurers had such a strategy, this percentage increased to 16 per cent (n=15) in 2006, 27 per cent (n=26) in 2007, and reached 44 per cent (n=42) in 2009.

Corporate governance

Corporate governance is the mechanism in which stakeholders exercise firm control over corporate insiders and management to protect their own interests.Footnote 28 The Board of Directors is central to corporate governance in market economies. Along with external markets for corporate control and institutional and concentrated shareholdings, it is viewed as a primary means for shareholders to exercise control on top management.Footnote 29,Footnote 30

In Germany, corporations have a two-board structure with a management board and a supervisory board. While the clear responsibility of the management board is the running of the business, the role of the supervisory board is not easy to describe. Its legal functions are primarily the appointment, supervision and removal of members of the management board. Thus, the supervisory board controls the management, its compliance with the law and articles of the corporation, and its business strategies. The supervisory board cannot directly become involved in managing the company, but the supervisory board must define specific types of transactions that ought to be subject to its approval.Footnote 31

Since the supervisory board gives advice to the management board and directly influences the management process, and since the monitoring and advising by the board are more effective when the board is better informed,Footnote 32 we asked the companies how often the supervisory board is informed about the risk situation of the insurer. While 31 per cent of the insurers report to their supervisory board once a year, 22 per cent report twice yearly. The majority of the insurers (47 per cent) pursue quarterly risk reporting. Interestingly, the implementation of the German Corporate Governance Code in 2002 seems to have effectively increased the number of risk reporting insurance companies. While in 2001 only 29 per cent of the companies had active risk reporting, this number reached 61 per cent in 2004.

We also asked for an age limit for members of the supervisory board. Consistent with the empirical literature,Footnote 33 the majority of the companies (59 per cent) neglect to specify age limits. Twenty-eight per cent of the insurers set the age of 70 as the limit, while only 5 per cent have higher limits up to the age of 75.

We assume that the more additional mandates a supervisory board member has, the lower is the quality of the supervisory board and the lower is the probability that the member will fulfil his or her function. For this reason we asked the companies whether they defined restrictions regarding the additional number of mandates. Only 32 per cent of the insurers have such restrictions. Except for one insurer, the stated number of additional mandates is ten.

To analyse the independence of the supervisory board more closely, we asked how insurers deal with possible conflicts of interest of individual supervisory board members. Most companies have more than one way of dealing with conflicts. The majority (55 per cent) declare that the members have to disclose their conflicts of interest to the chairman. Thirty-seven per cent of the companies do not impose any sanctions; conflicted members can attend discussions and vote without any restrictions. Only 16 per cent of the insurers exclude conflicted members from voting and merely 4 per cent of them reported that the members have to give up the mandate in case of a conflict. Some insurers (9 per cent) conduct bilateral conversations with conflicted members to find an individual solution.

Another characteristic of an independent supervisory board is its ability to hold meetings without the attendance of executive directors.Footnote 32 Thirty-four insurers answered that their supervisory board members can hold meetings on their own. It appears to be widespread practice for supervisory directors to meet with managing directors to prepare the meetings. The majority (n=57) reported that their supervisory directors meet with managing directors before each meeting.

The exclusion of the supervisory board from management and its limited rights to obtain information directly from executives can make it difficult for its members to develop an objective picture of the company's performance. We therefore asked the companies whether they have written instructions about which information the management board has to provide to the supervisory board. Interestingly, 76 per cent of the companies have written instructions about which information the supervisory directors obtain, and 80 per cent of the companies also have written instructions specifying the time intervals at which the supervisory board has to be informed.

Operational level results

In the next portion of the questionnaire we reviewed the operational level elements of the ERM model. These included: risk identification, risk evaluation, risk management tools and implementation, and organisational structure. The results related to those elements are discussed in the following sections.

Risk identification

In the context of ERM, all risks of a firm have to be structured systematically. In mapping the risks, the firm has to define each risk consistently and the firm should also classify the risks in terms of risk tolerance. The risk identification process mainly encompasses the definition of internal (e.g., business activity and internal structure of the firm) and external (e.g., industry-specific changes, technical development) factors influencing the risks (so-called risk driver) as well as the reference values, which in turn are affected by risks (so-called risk reference value: e.g., equity capital, premiums and other revenue parameters). In addition to risk assessment the process also includes the detection of dependencies between the risk drivers to ensure an efficient risk evaluation process.

There are several techniques available for risk identification. We first asked the companies which methods they use to identify risk. Figure 2 presents the risk identification methods used by companies. Almost all companies use checklists and monitoring of the business environment to identify risk. Interestingly, simple identification techniques like screening of news media, brainstorming and group discussions are less frequently used while advanced analytic techniques such as statistical analysis of claims data and business process analysis are widely used methods. Some insurers also use other techniques such as independent expert assessments, stress tests and scenario analysis as well as risk surveys among staff members.

Figure 2: Risk identification methods. Note: The percentages are based on total respondents (n=95).

Except for one insurer, risk identification takes place regularly in all companies. The majority of insurers perform risk identification quarterly (39 per cent) or once a year (36 per cent), while 18 per cent of the companies perform it every six months and 5 per cent every month. Only one insurer reported that its risk identification process is performed every five months.

Remarkably, only 9 per cent of the companies had a systematic risk identification process before 1999. In 1999, the year after KonTraG came into force,Footnote 34 the percentage increased to 21 per cent. In 2001, 57 per cent of the insurers had implemented a risk identification process. Implementation continued to rise after 2001, reaching 71 per cent in 2003, 88 per cent in 2006 and 100 per cent in 2009.

Risk evaluation

We then asked the companies about their risk evaluation efforts. Ideally, all risks would be quantified, but some risks are hard to quantify. Therefore, we asked the companies whether they evaluate risks mainly qualitatively or quantitatively. Figure 3 shows that investment risk, underwriting risk and catastrophe claim risk are mainly evaluated quantitatively, while operational risk, strategic risk and reputation risk are mainly evaluated qualitatively. Two-thirds of the insurers quantify liquidity risk and concentration risk. Three companies assess their catastrophe claim risk qualitatively as well as quantitatively. Two insurers do not evaluate the reputation risk at all and one insurer does not evaluate strategic risk.

Figure 3: Quantitative vs. qualitative evaluation of risks. Note: The percentages are based on the insurers that evaluate the corresponding risk at all: n=92 for catastrophe claim risk, n=93 for reputation risk, n=94 for strategic risk and n=95 for all other risks.

We also asked the insurers whether they estimate the probability of loss events and the severity of these events for qualitatively evaluated risks. Interestingly, 74 per cent of the companies estimate the probability and severity of losses for these risks; 21 per cent of the companies do not quantify qualitative risks, and the remaining 5 per cent evaluate all risks on a quantitative basis.

We then asked the insurers which methods they use to model quantitative risks. Multiple answers were possible. Seventy-seven per cent of the companies apply approximations using a standardised approach (e.g., QIS 4). Seventy-three per cent of the companies use parametric and statistical distributions and 41 per cent of the companies apply relative frequency models (empirical distribution). Moreover, 12 per cent of the companies use other approaches, such as scenario analysis (n=3), internal models (n=2) and other approaches (n=6), such as simplified factor analysis and gross-net calculations.

We then asked the companies to provide significance ratings on a seven-point Likert scale (from 1=not at all to 7=very much) with statements about the extent they use specific methods evaluating single risks. Table 1 presents the results. More than two-thirds of the companies assign ratings of five or higher for expert assessments, stress tests and sensitivity analysis. In contrast, structured assessments, using a closed formula and Monte-Carlo simulation are deployed to a minor degree (most ratings below 4). Five companies responded that they also use other methods like SWOT analysis, scenario techniques and statistical analysis.

Table 1 Risk evaluation methods (n=95)

In 1999 only three insurers had a systematic risk evaluation process. By 2004, 47 per cent of the companies had implemented a risk evaluation process. After 2004 the percentage increased to 67 per cent in 2005, 76 per cent in 2006 and 93 per cent in 2007.

The insurance business is frequently conducted in a silo structure, which is an organisational design wherein value drivers are generally operated independently from each other.Footnote 35 One indication of the existence of ERM is when a company coordinates the single risks within an overall corporate risk management framework.Footnote 36 Therefore, we asked the companies whether they aggregate single risks to an overall corporate risk model. Consistent with the previous result, 74 per cent of the companies (n=70) use such a corporate risk model. We also wanted to know which risks were included in that model. Figure 4 shows the results. Interestingly, liquidity risk, strategic risk and reputation risk do not appear in each case,Footnote 37 while the other risk categories are in most instances a consistent part of a risk model.Footnote 38 Another aspect is the method in which the companies model interdependencies between risks when aggregating. Some companies use more than one method. While the majority (n=53) uses linear correlations to identify interdependencies, there are also companies (n=24) that use copulas. The fraction of insurers using copulas (34 per cent) has increased substantially compared to the 3.9 per cent reported in the TillinghastFootnote 39 study for the year 2006. Only eight insurers do not model interdependencies between risks when aggregating.

Figure 4: Risk categories in the overall corporate risk model. Note: The percentages are based on those 70 insurers that have a corporate risk model.

Since there are different ways to quantify the overall corporate risk, we asked the companies which risk measures they use in their corporate risk model. The majority (n=63) use value-at-risk, 20 insurers additionally use the tail-value-at-risk concept and 18 insurers use standard deviation. Some insurers (n=3) use earnings-at-risk and only one insurer uses an internal concept for calculating net risk.

In addition, we wanted to know how companies calculate their aggregate corporate risk. The majority of the companies (n=41) use a closed formula based on parametric distributional assumptions. Twenty insurers use standard models like QIS 4; the others mainly use internal models. Monte-Carlo simulation is used by many insurers (n=20). There are also companies using a combination of methods (n=15), mainly combining Monte-Carlo simulation and stress tests (n=12). Stress tests are implemented by 12 companies and only five use historical simulations. Three companies indicate using other methods like scenario analysis or a combination of correlation analysis and maximum likelihood. The results show how popular Monte-Carlo simulation is when quantifying risk.

Regarding the year of implementation, we observe that in 1999 only one company had implemented a model calculating overall corporate risk. Through 2004 the number of companies with such a model is relatively low: in 2000 only two companies, in 2002 only eight companies and in 2004 17 companies used these methods. A sharp increase occurred in 2005 and 2006. Forty companies calculated their overall corporate risk in 2006. By 2007, 60 insurers were aggregating single risks to an overall corporate risk model; this number increased to 70 companies (74 per cent) in 2009. This increase in use of an overall corporate risk model is consistent with the increase in use of the economic capital approach documented in the 2004 and 2006 Tillinghast ERM surveys:Footnote 40 In 2004, 53 per cent of the international insurers participating in the Tillinghast survey said that their organisations calculate economic capital; in 2006, 65 per cent of insurers said that their organisations calculate economic capital.

Risk management tools and their implementation

Risk capital allocation

The determination of economic capital and the allocation of capital to lines of business is an important part of the financial and risk management of an insurance company. The allocation of capital is often used to measure the financial performance of a line of business in terms of its expected return on allocated capital.Footnote 41 Since risk capital allocation is a powerful management tool, we asked the insurers whether they allocate their capital to business divisions. Interestingly, before 2002 none of the insurers allocated capital. In 2002, only two companies started with capital allocation. In 2004, this number increased to nine companies. While in 2005 and 2006 a slow rise occurred to 14 per cent and to 18 per cent, the percentage of companies allocating capital reached 34 per cent in 2007, and 45 per cent (n=43) in 2009.

We then asked these companies under which criteria they allocate risk capital and to how many different units they allocate risk capital. Twenty-two insurers allocate risk capital to departments; the majority of these insurers (n=15) allocate risk capital to 5–6 different departments; only one insurer allocates capital to ten departments, while the others (n=6) use fewer than five departments. Interestingly, many companies (n=39) allocate capital to risk categories; 25 of these companies allocate to three to five different risk categories and 14 companies allocate to six to eight categories. Only two companies allocate risk capital to regions; they allocate capital to six or ten regions. Two insurers said that their capital allocation is at the product level, where they allocate to ten or even 34 products. There are also insurers (n=10) allocating capital to lines of business or a combination of lines of business and departments; the number of units they allocate capital to varies from two to 50 divisions. However, the majority of them (n=7) allocate to five to 14 units. Only one insurer allocates capital to a single unit, which is the investment department.

We then asked the insurers which risk categories are considered within the capital allocation process. Figure 5 presents the results. As expected, the categories that play a prominent role are the same categories that are important for the corporate risk model (see Figure 4). While liquidity risk, strategic risk and reputation risk do not appear in every case, the other risk categories are in most instances an important part of the capital allocation process. Investment risk, underwriting risk and catastrophe claim risk seem to be of particular importance.

Figure 5: Risk categories in the capital allocation process. Note: The percentages are based on those 43 insurers that allocate risk capital.

The last aspect in our survey related to capital allocation is the allocation method. Twenty-three insurers allocate capital proportional to a risk measure. While 16 of these companies allocate capital proportional to the risk capital requirement of each business unit, five insurers allocate capital proportional to the volatility or variance, and two insurers proportional to the tail-value-at-risk. Interestingly, none of the companies allocates capital proportional to the business unit's CAPM beta.

Seventeen insurers use the Shapley approach, which is based on the theory of co-operative games.Footnote 42 Six insurers allocate capital to a specific unit using the difference between the total risk capital of the firm and the total risk capital of the firm without considering this specific unit. Five insurers use the so-called stand-alone approach and allocate capital based on the units’ individual risk capital requirements.Footnote 43 There are nine insurers that report using an individual approach; they basically use a slightly modified version of one of the basic methods. Almost all insurers that allocate risk capital (n=41) consider diversification effects.
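The allocation methods named above (proportional to each unit's requirement, Shapley, the with-and-without difference, and stand-alone), applied to one constructed three-category portfolio; this is an added example, not code or data from the paper or the surveyed insurers. The capital figures and correlations are invented, aggregation uses a closed formula with linear correlations, and reading "stand-alone" as each unit keeping its undiversified requirement is an assumption.

```python
from itertools import permutations
from math import factorial, sqrt

# Constructed sample data (not survey results): stand-alone risk capital per
# risk category and the linear correlations used for aggregation.
STANDALONE = {"underwriting": 100.0, "investment": 80.0, "catastrophe": 60.0}
CORR = {
    ("underwriting", "investment"): 0.25,
    ("underwriting", "catastrophe"): 0.50,
    ("investment", "catastrophe"): 0.00,
}


def rho(a, b):
    """Linear correlation between two units (symmetric, 1.0 on the diagonal)."""
    if a == b:
        return 1.0
    return CORR[(a, b)] if (a, b) in CORR else CORR[(b, a)]


def risk_capital(units):
    """Closed-formula aggregate: sqrt(sum_i sum_j rho_ij * c_i * c_j)."""
    units = list(units)
    return sqrt(sum(rho(a, b) * STANDALONE[a] * STANDALONE[b]
                    for a in units for b in units))


def stand_alone():
    """Assumed reading: each unit keeps its individual requirement,
    with no diversification credit."""
    return dict(STANDALONE)


def proportional():
    """Diversified total split in proportion to each unit's own requirement."""
    total, base = risk_capital(STANDALONE), sum(STANDALONE.values())
    return {u: total * c / base for u, c in STANDALONE.items()}


def incremental():
    """Firm-wide capital minus firm-wide capital without the unit."""
    total = risk_capital(STANDALONE)
    return {u: total - risk_capital(x for x in STANDALONE if x != u)
            for u in STANDALONE}


def shapley():
    """Average marginal contribution of each unit over all joining orders."""
    alloc = dict.fromkeys(STANDALONE, 0.0)
    for order in permutations(STANDALONE):
        coalition = []
        for u in order:
            before = risk_capital(coalition)
            coalition.append(u)
            alloc[u] += risk_capital(coalition) - before
    n_orders = factorial(len(STANDALONE))
    return {u: v / n_orders for u, v in alloc.items()}


if __name__ == "__main__":
    total = risk_capital(STANDALONE)
    print(f"diversified total: {total:.2f}")
    for name, fn in [("stand-alone", stand_alone), ("proportional", proportional),
                     ("incremental", incremental), ("Shapley", shapley)]:
        alloc = fn()
        cells = "  ".join(f"{u}={v:7.2f}" for u, v in alloc.items())
        print(f"{name:12s} {cells}  sum={sum(alloc.values()):7.2f}")
```

On this data only the proportional and Shapley allocations add up to the diversified total; the stand-alone figures overshoot it and the with-and-without differences fall short of it.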

Incentive contracts

Shareholders want managers to take particular actions—for example, invest in a project—whenever the expected return on the action exceeds the expected costs. But a self-interested manager only maximises his personal utility. A compensation policy that ties the manager's utility to shareholder wealth can help to align the manager's and shareholders’ interests. Therefore, we asked whether insurance companies use performance measures to determine “business success”, and whether managerial compensation is linked to these performance measures. Ninety-two per cent of the insurers use performance measures to determine success, and 80 per cent of them use these measures not just for the company as a whole, but also for business units or departments. We also wanted to know to what extent the assumed risks affect measured performance. We asked the survey participants to evaluate the influence on a seven-point Likert scale (from 1=no influence to 7=very strong influence). For the majority of the insurers (n=70) the influence is in the range of 4–6, while nine insurers have values from 1 to 3 and eight insurers have the highest value of 7. The mean is 4.74. Unlike the implementation of capital allocation, performance measures seem to have been in use well before 1999. Three insurers have used performance measures since 1978. In 1998, 17 per cent of the companies used performance measures. This percentage increased in 2000 to 31 per cent, in 2003 to 53 per cent, in 2006 to 84 per cent and in 2009 to 92 per cent.

An interesting question is whether managerial compensation is linked to performance measures. In 66 per cent of the cases, insurers link managerial compensation to performance measures. We asked the insurers to evaluate the influence of assumed risks on managerial compensation on a seven-point Likert scale (from 1=no influence to 7=very strong influence). Interestingly, the mean is 3.79 and less than the mean in the previous question, which is consistent with the performance-based compensation literature.Footnote 44 Like the performance measures, their linkage with managerial compensation seems to have been in use well before 1999; in 1998 the percentage of companies with a linkage was 9 per cent. The percentage increased in 2000 to 20 per cent, in 2003 to 34 per cent, in 2006 to 51 per cent and in 2009 to 66 per cent.

Risk management of particular risks

Underwriting risk. To get a better understanding of how insurance companies manage their underwriting risk, we asked the insurers whether direct risk limits exist when they underwrite insurance policies. In 87 per cent of the cases, risk limits exist, but in only 14 per cent of the companies are these limits derived from the risk capital budget. Seventy-two per cent of the insurers break the limits down to units, lines of business and regions. We also wanted to know whether insurers have sanctions in case of limit violations and which kind of sanctions they practice. Seventy-five per cent of the insurers apply sanctions. Sixty-six per cent of insurers said that if an employee violates a risk limit his boss gets notified. In 12 per cent of the companies limit violations have a negative effect on bonus payments, and in 17 per cent of the companies limit violations may lead to disciplinary actions.

When the insurers were asked how often they evaluate and, if necessary, adjust the risk limits, the majority of the companies (n=60) answered once a year. Sixteen insurers evaluate risk limits every one to four months, and seven insurers evaluate their limits every six months. Most insurance companies implemented underwriting risk limits well before 1999. Twelve companies implemented risk limits before or with the beginning of the 1980s. In 1999, the percentage of insurers with risk limits for underwriting risk was 45 per cent, in 2003 63 per cent, in 2006 73 per cent and in 2009 87 per cent.

Investment risk. Asset choices made by insurers have major effects on insurer risk and the need to hold capital. Therefore, we wanted to know whether insurance companies coordinate their asset management with their insurance operations. Asset Liability Management (ALM) exists in 80 of the companies. Either the investment strategy is set up to fit to the insurance portfolio (n=59) or ALM is a simultaneous process (n=21), where investment strategy and guidelines for the insurance portfolio are simultaneously determined. In no case is the insurance portfolio structured to fit the investment strategy. Almost all insurers performing ALM (n=78) explicitly consider the liquidity requirements of the insurance portfolio. When the companies were asked how often they evaluate and, if necessary, adjust the mismatch between investment strategy and insurance portfolio, 36 insurers answered once a year. Forty-one insurers evaluate the mismatch every one to four months and three insurers evaluate it every six months. Except for one insurer that implemented an ALM framework in 1980, the implementation of ALM began in 1999. In that year, three insurers had ALM; this number increased to 25 in 2001, to 62 in 2005 and to 80 in 2009.

We then asked the insurers whether they have investment limits that are more stringent than the regulatory requirements. Interestingly, 94 per cent of the insurers have such investment limits, and 48 insurers explicitly consider risk from other parts of the firm (e.g., underwriting risk) when determining investment limits. Another interesting point is the use of risk limitation techniques, like dynamic trading strategies and hedge instruments. Seventy-five per cent of the insurers have policies for using dynamic trading strategies to reduce investment losses, and 65 per cent of the insurers have such policies for hedging instruments. In addition, 86 per cent of the insurers have mechanisms in place to prevent individual traders from creating positions that undermine the investment strategies of the company. In 1998, 11 insurers (12 per cent) had investment limits in place. This number increased to 28 per cent in 2000, 64 per cent in 2003 and to 93 per cent in 2006.

Operational risk. In our study we focus on operational risk by specifying principles and structures that can reduce operational risk. We asked the insurers to provide severity ratings on a seven-point Likert scale (from 1=not at all to 7=very much) with statements about the extent to which they use these principles or structures to manage operational risk. Table 2 presents the results. The four eyes principle is the most commonly used principle to reduce operational risk with a mean score of 6.33. All other principles also have relatively high scores averaging around 5. Using “proper job instructions” has the lowest mean value of 4.86.

Table 2 Risk management tools for operational risk (n=95)

Organisational structure of risk management

Our survey also captures how risk management is organised in insurance companies. We first asked the insurers who is responsible for the implementation of risk management. As shown in Figure 6, the majority of companies said that the CEO is responsible. Interestingly, in some companies the department heads also assume responsibility. The answer “Other” consists either of branch office managers of German branches of insurers from other EU countries (n=3), or companies in which the entire management board is responsible for the implementation (n=2).

Figure 6. Responsibility for risk management implementation. Note: The percentages are based on total respondents (n=95).

We then asked the companies how the risk management function is integrated in the organisational structure of the company. Figure 7 presents the results for the 2000–2009 period. In 2000, 32 per cent of the companies did not have a central risk management department; instead each department was responsible for managing its own risks. This percentage decreased substantially over time and in 2009 only 7 per cent of the companies (n=7) still did not have a central risk management department. In 2009, 41 companies had a department that was responsible for risk management; however, this department handled risk management in addition to its core duties. Forty-seven companies had an independent risk management department in 2009, and this number has increased substantially since 2000, when only 13 companies had an independent risk management department. These rates show how important an independent risk management department has become over time.

Figure 7. Risk management function and its organisational context over time. Note: The percentages are based on 91 insurers in 2000, 93 insurers in 2003 and 95 insurers in 2006 and 2009.

We then asked the 41 insurers that reported having a “part-time” risk management department which department was responsible for risk management in addition to its core duties. In the majority of cases (n=30) the accounting department has the responsibility for risk management. In some cases (n=6), the corporate development or planning department is responsible for risk management. Two insurers reported that the actuarial department has the responsibility for risk management, while two other insurers reported that the management board is responsible. In one case, the finance department is responsible.

To evaluate the influence of the risk management department within the company, we asked several questions about the authority of the risk management department. We distinguished between “part-time” risk management departments and independent risk management departments in these questions. The results are presented in Table 3.

Table 3 Influence of risk management department

All insurers with an independent risk management department have precise guidelines on the timing and the type of information that has to be reported to the risk management department. The risk management department also has the authorisation to request additional information. The influence of an independent risk management department on the firm's business process has a mean score of 5.23. This score is only 4.12 for “part-time” risk management departments.

We also asked the seven insurers that do not have a central risk management department, but let the individual departments manage their own risks, whether they have a risk committee that coordinates risk management across departments. All seven insurers have a risk committee. We then asked these insurers about the influence of the risk committee on the business process measured on a seven-point Likert scale (from 1=not at all to 7=very much). The mean score is 3.28; except for one insurer that rated the influence as 7, all others rated it 3. Almost all companies have had their risk committee structure since 2000; only one insurer reported that it adopted the risk committee in 2008.

We lastly asked the insurers whether they have an IT system that supports the information flow between the different units of the firm regarding the firm's risks (e.g., electronic risk management pool). Only 60 per cent of the insurers have a risk management IT system, which is surprising given the increasing importance of that topic in commentaries of insurance practitioners.

Risk management culture

The goal of building a risk management culture is to influence employees and other stakeholders to almost automatically consider risks in their decisions.Footnote 45 To characterise the risk management culture of insurance companies, we asked the insurers to categorise statements about the communication of risk management-related topics within the company on a seven-point Likert scale (from 1=not at all to 7=very much). Table 4 presents the results. The statement “Employees consider risks in their decisions” got the highest value with a mean score of 5.10. The statement “There is an employee suggestion system on RM” received the lowest rating with a mean score of 2.15.

Table 4 Risk management culture (n=95)

Process control

The last part of our survey deals with the subject of process control. To improve efficiency, firms should establish a mechanism to monitor and adjust the level of resource utilisation in their business processes.Footnote 46 Therefore, we asked the companies whether they evaluate their risk management process regularly. Interestingly, 97 per cent of the insurers actually evaluate their risk management process, and this percentage has increased substantially from 18 per cent in 1999. Except for one insurer, the evaluation is performed by an independent department such as the internal audit department. For most insurers (n=82), this independent department directly reports to the management board. Two companies answered that the department conducting the evaluations is subordinate to the accounting department, and seven insurers answered that the evaluating department is subordinate to another department. In all cases, however, the department's right to conduct evaluations is unrestricted.

We then wanted to know which aspects of the risk management process are evaluated. Figure 8 presents the results. While all insurers evaluate the compliance with legal and regulatory requirements, the efficiency of the risk management process receives less attention.

Figure 8. Process control: What is evaluated? Note: The percentages are based on 91 insurers in 2000, 93 insurers in 2003, and 95 insurers in 2006 and 2009.

ERM self-assessments

We also asked about the companies’ self-perception on whether they have a holistic ERM approach spanning all risk management activities in the company. Table 5 presents the t-tests of differences in group means. Group 1 consists of insurers that indicate that they bundle each risk management activity within an ERM framework, while Group 2 consists of those that do not. We can see that there are significant differences in most dimensions across the two groups. Almost all insurers in Group 1 have a defined target rating and, on average, the supervisory board is better informed in Group 1 companies compared to Group 2 companies. These insurers also use a number of risk identification techniques more frequently. Ninety per cent of insurers in Group 1 have a corporate risk model; they use simulation techniques and advanced statistical methods more frequently when evaluating risk. More than 60 per cent of these insurers allocate risk capital. Almost all insurers in Group 1 use performance measures and these performance measures impact managerial compensation. Interestingly, Group 1 companies are more likely to have an independent risk management department, they are more likely to use an ERM IT system, and their risk management culture is further developed compared to Group 2 companies. Overall, the results suggest that companies that say that they have ERM do actually have many of the elements that are fundamental to the value proposition of ERM. However, there is still room for improvement.

Table 5 ERM self-assessment (n=95)

Summary

Implementing a properly functioning ERM programme has become increasingly important for insurance companies. The emerging literature on ERM has primarily focused on studying determinants of ERM adoption and the value of ERM. However, the very important question of how insurance companies actually implement ERM is hardly addressed in prior literature. On the basis of survey data from 95 German property-liability insurance companies, we examine the implementation of ERM components in insurance companies in a very detailed way.

Our survey data documents significant increases in the extent to which ERM is being implemented by German property-liability insurers. In 2009, almost all insurers in our sample (89 per cent) have a risk strategy that defines how the firm should handle risks. Just two years earlier, in 2007, only 32 per cent of insurers had a risk strategy. We observe a similar increase in the use of an overall corporate risk model. Back in 1999, only one of the sample insurers had implemented a model to quantify overall corporate risk. However, by 2009, 74 per cent of the insurers aggregate risks in an overall corporate risk model. Overall, our analysis suggests that, while challenges remain, ERM is evolving into a vital business process and successful firms will be those that manage the challenges and reap the benefits of effective ERM implementation.