Skip to Content
Enterprise Risk Management

Enterprise Risk Management in the Financial Services Industry: From Concept to Management Process

Jerry Miccolis | November 1, 2000

On This Page
Risk spelled out on red blocks

This article explains how financial service companies can follow a systematic management process to help them both shape and exploit risk for their enterprise. Learn how the five-step process -- assessing risks, articulating strategies, evaluating strategies from policyholders' and owners' perspectives, and then refining them -- represents the logical flow of activities in developing ERM strategy.

As we reported in the second article in this series, "Enterprise Risk Management in the Financial Services Industry: Still a Long Way To Go," executives in the financial services industry widely believe that enterprise risk management (ERM) can help them address their major business challenges. They believe ERM can do that in theory by providing them a rigorous approach to managing risks from all sources that threaten their strategic and financial objectives or that represent opportunities for competitive advantage. Nonetheless, only a relatively small number of companies, especially in the insurance sector, have actually fully implemented ERM. Our research indicates that is because they don't believe they have the tools, techniques, and processes to manage risk holistically. In this article, we want to show how financial service companies, in particular insurers, can remedy their dissatisfaction by following a systematic management process that will help them both shape risk and exploit risk for their enterprise.

At the broadest level, the process consists of a three-part, continuous management process: develop best strategies, implement strategies, and monitor performance and the environment, which is the feedback phase that leads back to the first phase in the continuous process. In this article, we will focus on that first phase—developing best strategies. Sound strategy development answers such questions as:

  • What should be our product mix?
  • Through what channels should we distribute our products and to which markets?
  • How much capital should we hold and how should we allocate it to each product?
  • How much—and on what terms—should we reinsure or hedge?
  • How should we invest our assets?

Management's objective in answering such questions is to maximize economic value over the long term while minimizing the risks of large deviations from expected performance. The relative preferences for maximizing value versus averting risks will differ for each management team, as well as the circumstances under which the team must develop its strategy. Nonetheless, the process that management teams use to answer these questions is the same, regardless of their risk-value preferences:

  • Assessing Risks
  • Articulating Strategies
  • Evaluating Strategies from the Policyholders' Perspective
  • Evaluating Strategies from the Owners' Perspective
  • Refining Strategies

Step 1: Assessing Risks

The first step in developing best strategies is to assess the current risk environment. The assessment includes examining both financial and operational risks, using qualitative and quantitative methods. Financial risks include credit, interest rate, currency, mortality, liability, and reinvestment risks. Operational risks include people, technology, distribution, political, and regulatory risks.

Risks should be described as fully as possible, taking into account such aspects as:

  • Causal factors and consequences
  • Timing, e.g., short-term versus long term, seasonal, etc.
  • Correlation with other risks, including whether a given risk could trigger or be triggered by other risks and, importantly, whether certain risks are negatively correlated and therefore represent "natural hedges" against each other
  • Current risk mitigation strategies and their effectiveness to date
  • Either historical data on or expert assessment of a given risk's impact on financial performance

This process involves a combination of gathering historical data, reviewing documents, and conducting interviews to gather information on business processes, organization, technology, people, and culture. There are several ways to document the output of the risk identification process. A simple method is to create tables where each row represents a unique risk and each column is used to organize information gathered for each risk. An alternative method is to develop risk maps that graphically illustrate both the causes and consequences of each risk.

However they "plot" the risks, managers can then decide which risks require their greatest attention by classifying them as "manageable" or "strategic." Manageable risks are those that the organization can address with existing capabilities. These risks might include such things as weak contingency planning in critical facilities or midlevel employees dissatisfied with opportunities for advancement. The proper response to manageable risks is simply to use the existing organizational capabilities to mitigate them by assigning them to the appropriate managerial level.

Strategic risk factors, on the other hand, are those that have to be addressed with substantial expenditures and/or a change in strategic direction. These can arise, for example, when an organization enters unfamiliar business territory because of a major acquisition, or when a new competitor emerges, or when customers change their buying preferences.

Strategic risks require greater analysis and often need to be analytically modeled. The models represent the uncertainty associated with each strategic risk factor regarding how, when, and the degree to which it will manifest itself. These models may range from entirely quantitative, relying strictly on hard data, to entirely qualitative, relying almost entirely on expert testimony. In either case, the objective is to develop probability distributions for each risk factor. Models that use both qualitative and quantitative "inputs" offer the greatest potential for modeling operational risks to which financial institutions may be exposed—at least until the industry's ability to gather and maintain data on operational risks matures.

Step 2: Articulating Strategies

The next step in developing best strategies is to articulate financial and operational strategies in a way that allows measurement of their impact on the risks identified in the preceding step. For an insurer, these strategies represent a set of basic decisions regarding core business activities, including product mix, asset-class allocation, the structure of reinsurance programs, design of business processes, performance-incentive systems, and risk mitigation. The objective of this step is to propose alternative financial and operational strategies and to develop a financial model that will be used in later steps to evaluate these strategies.

These strategies are intended to maximize value in light of the risk environment. The "value" or "values" being maximized may include earnings growth, return on capital, and consistency of financial performance. These objectives are often in conflict with each other. Some decisions may grow earnings at the expense of return on capital while others may increase return in the long term but create short-term instability. Thus, financial and operational strategies must be carefully coordinated to optimize the trade-offs and maximize overall value based on management objectives.

In order to make those choices, management needs to evaluate the various potential financial and operational strategies in light of the risk environment identified in the risk assessment stage. A stochastic financial model is constructed for this purpose. The model is designed to generate pro-forma financial statements. It is constructed by breaking down each item on the financial statement into its operational and financial components. Each risk and strategy affects one or more of these components that are then rolled up into the financial statement.

Risks affect elements of the financial statements or their constituent variables by making their value uncertain. These variables are replaced by the probability distributions for the corresponding risk that were developed in the risk assessment step. For example, the number of policies sold in a given period is a constituent variable in calculating revenue. Risk of competition makes the number of policies sold uncertain. Risk of competition can be modeled in the risk assessment step as a probability distribution on the number of policies sold. This distribution is used to represent the uncertainty associated with the number of policies sold in the financial model. In this manner, all strategic risks modeled in the risk assessment step, and their correlation, are reflected in the financial model—making this a stochastic financial model. The output of this stochastic financial model is a probability distribution on key financial metrics such as net earnings.

The first two steps in the strategy development process—assessing risk and articulating strategies—constitute the bulk of the analytical effort. The remaining steps use the risk models and the stochastic financial model to evaluate strategies.

Step 3: Evaluating Strategies from the Policyholders' Perspective

To select the best strategies, management at insurance companies needs to evaluate the alternatives from the standpoint of both customers (policyholders) and owners (shareholders). Generally, policyholders are concerned with the solvency of the business, whereas shareholders are concerned with returns on their investment. This step focuses on the interests of policyholders, while the next step shifts emphasis to shareholders. Policyholders' interests are reflected in the amount of capital the company holds against adverse performance. The greater the level of capital, the lower the risk of insolvency, all else equal. However, too high a level of capital will dilute the returns to shareholders. Therefore, the objective is to establish the minimum level of capital that will achieve the desired level of policyholder protection.

From the standpoint of policyholders, an insurer can determine its overall economic capital requirement by using a concept known as "economic cost of ruin" (ECOR), which reflects both the probability and the severity of ruin—the risk that most concerns policyholders. ECOR goes beyond simple percentile-value measures of solvency risk, such as "value at risk," by taking into account not only the likelihood of insolvency but also how devastating an insolvency would be. In a severe insolvency, there would be less surplus remaining after liquidation to distribute to policyholders. The proper amount of economic capital is the amount sufficient to reduce ECOR to a targeted level, based on the insurer's level of solvency risk tolerance.

The same principle and concept is then used to allocate capital to the company's different business segments. First, senior managers apply a common "ECOR ratio" (ECOR divided by the present value of expected customer payments) to their various business segments so that each policyholder effectively "pays for" the same amount of protection against insolvency. Next, managers use dynamic financial analysis to make sure the capital allocated to each segment also reproduces the company's solvency risk tolerance measure—assuring that the parts and the whole are aligned. Finally, because the sum of all segment capital allocations at this point will generally exceed the organization's overall capital requirement, each segment's capital is adjusted further to reflect the organization's "diversification benefit" philosophy.

Step 4: Evaluating Strategies from the Owners' Perspective

While the determination of economic capital is focused on the needs of the policyholders, this step primarily focuses on the interests of the owners of the enterprise. Owners are primarily interested in three objectives: growth of the business, return on their investment, and consistency of financial performance—the three pillars of the value edifice.

Strategies will distinguish themselves based on their relative impact on each of these value drivers. Some strategies are meant to primarily focus on growing the business, while others focus on return. Yet others focus on reducing variability. A combination of financial and operational strategies will likely affect all three objectives in positive and negative ways. Therefore, evaluating strategies will require optimizing the trade-offs among the objectives based on the preferences of managers who represent owners' interests.

In order to evaluate strategies against management preferences, each objective must be defined in terms of measures that are generated by the stochastic financial model developed earlier. Note that the financial model generates projections of financial statements—specifically, it generates probability distributions on each major element of the financial statement.

Growth is typically measured as the expected value of the average percent change in revenue over the time horizon. The return for a business segment is measured as the expected value of average net earnings over the time horizon as a percent of allocated economic capital. Consistency, however, can be measured in several ways. Consistency typically refers to net earnings but can also apply to return on capital, revenue growth, growth in embedded value, or any other financial metric that the owners consider important. In all cases, consistency can be represented by risk metrics, such as standard deviation, variance, shortfall risk, VAR, and Below-Target-Risk, or BTR. We prefer BTR-type measures for this step because they are designed to capture the risk characteristics (e.g., what is the probability of not meeting the expected return?) of most concern to enterprise owners.

Once management selects the measures that define each objective, the management team can evaluate the various alternative strategies to achieve those objectives. The simplest method is to plot all combinations of financial and operational strategies on a two-dimensional chart representing risk and value. Then either growth-based or return-based measures can be used to analyze risk and value.

A more sophisticated approach uses mathematical optimization technology to automatically evaluate and eliminate some of the strategy options. Given the number of alternatives proposed in Step 2 for each independent financial and operational strategy, there may be hundreds or possibly thousands of possible combinations of strategies that must be evaluated. In this case, it's practical to subject some strategies to mathematical evaluation rather than a manual evaluation.

In any case, the final evaluation and selection of the best combination of strategies is accomplished through discussion by management decision-makers, armed with insight into the risks and values of each strategy.

Step 5: Refining Strategies

Although alternative financial and operational strategies were developed in Step 2, often, promising new strategies come to light in the process of discussion and analysis of strategies in Steps 3 and 4. Therefore, management may need to loop back to Step 2 to ensure that the financial model can model the new strategy and then repeat Steps 3 and 4 to evaluate the new alternatives against the best candidates from prior analysis.

This additional evaluation step involves decomposing the prior analysis into root causes. That is done by turning the uncertainty associated with a variable in the financial model "on" or "off." Turning "on" a variable means converting it from a deterministic variable to a stochastic variable. This is done by replacing it with the probability distribution of the risk source that it is associated with. Turning "off" a variable means replacing the probability distribution with the expected value of the variable, i.e., the mean of the distribution.

The difference in the values represents the contribution of that risk source to the uncertainty of return on capital. Repeating this exercise with each risk source provides information that can be used to compare each source of risk. Similarly, evaluating results based on changes to an isolated strategy, e.g., reinsurance, can be used to determine the relative impact of each strategy within the complete set of financial and operational strategies. By constantly applying this iterative process of decomposing risk and isolating the impact of each strategy, management can not only refine its strategies, but be assured that it is selecting the best strategies.


The five-step process we've outlined in this article represents the logical flow of activities in developing strategy. The risk assessment process establishes the complete risk environment by considering both financial and operational risks. Manageable risks are assigned to appropriate managerial levels, while strategic risks are quantified and included in the financial analysis. Alternative financial and operational strategies are overlaid on the risk environment and modeled using an extension of existing financial models.

Strategies are evaluated in consideration of both customers' interests and owners' interests. Customers' interests are reflected in establishing capital based on the Economic Cost of Ruin (ECOR), the premium needed to insure against ruin. ECOR-based allocation methods are used to allocate capital to business segments as a charge for protection against insolvency against which to evaluate returns. Owners' interests are reflected by evaluating each combination of strategies in terms of its impact on growth, return on capital, and consistency of results.

The difference in policyholder concerns versus owners' interests is captured by the use of Below-Target-Risk measures to evaluate strategies. The evaluation process can be computationally intensive but relies ultimately on the analysis and discussion among decision-makers who voice their relative preferences for multiple objectives. Finally, decomposition of risk can provide opportunities to develop potentially better strategies.

At this point, insurance managers can be confident that they have, in fact, developed a set of "best strategies" to manage risk at the enterprise level and increase the value of their enterprise.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.