Enterprise Risk Management

Jerry Miccolis | September 1, 2003

This enterprise risk management column explains how to model the integration of risks from various sources, describing the process using the insurance industry as an example. The most critical step in integrating risks of disparate types, and from various sources, is to express each risk in terms of its potential impact on the key performance indicators (KPIs) used to manage the organization. Once built, the structural financial model can be used to create a probability distribution of KPI outcomes by means of simulation.

Earlier articles in this series have treated certain "Practical ERM Applications," specifically, "Assessing Capital Adequacy" (September 2002) and "Capital Allocation" (November 2002). This article describes an application that logically precedes those two in the overall enterprise risk management (ERM) process, i.e., how to model the integration of risks from various sources.

Consistent with previous articles, and to keep the discussion grounded in practical reality, we will describe the process in terms of an example that is specific to a certain industry, namely, the insurance industry.

Our discussion of the risk integration stage of the ERM process assumes that individual risk factors already will have been identified and prioritized through an *enterprise risk assessment* exercise. It also assumes that probability distributions for certain risk factors will have been determined. It is not assumed that probability distributions will have been determined around all risk factors, only those that have been determined to be (1) high priority and (2) of specific relevance to the question under study, e.g., capital management.

For capital management purposes, one would expect to have probability distributions around such risk factors as claim cost trends, natural catastrophe frequency and severity, asset values, and investment returns, for example.

A discussion of both the risk assessment exercise and the determination of probability distributions can be found in the Tillinghast-Towers Perrin monograph, RiskValueInsights: Creating Value Through Enterprise Risk Management.

Perhaps the most critical step in integrating risks of disparate types, and from various sources, is to express each risk in terms of its potential impact (favorable or unfavorable) on the key performance indicators (KPIs) used to manage the organization. For any given organization, these KPIs may be one or more of such measures as revenue growth, earnings growth, earnings per share, growth in surplus, growth in embedded value, customer satisfaction, and brand image, for example.

For publicly traded companies, the KPIs are often explicitly or implicitly defined by the market (i.e., they are the measures focused upon by the organization's stock analysts). Ideally, the prioritization of risks that emerge from the organization's enterprise risk assessment exercise will have been done in terms of each risk's impact on these KPIs.

Most organizations will have at least a simple financial model of their operations that describe how various inputs (i.e., risk factors, conditions, strategies, and tactics) will impact their KPIs. These models are often used in developing strategic and operational plans. For example, insurance companies typically make assumptions regarding future trends in claim costs by business segment (e.g., by line of business, by region), which are used to determine needed rate levels by segment. These rate level projections are then combined with assumptions on volume growth and other relevant inputs to derive a pro forma estimate of overall corporate earnings (or some other KPI).

Often, business decisions (e.g., rate level, volume growth) are fine-tuned to produce the desired expected KPI result. Because these models explicitly capture the structure of the cause-and-effect relationships linking inputs to outcomes, they are termed *structural (or causal) financial models.*

While some organizations develop more sophisticated structural financial models than others, these models represent an excellent tool for integrating individual risk factors. We will return to this idea momentarily.

The structural financial models described above are generally *deterministic* models, i.e., they describe expected outcomes from a given set of inputs without regard to the probabilities of outcomes above or below the expected values. These models can be transformed into *stochastic* (or *probabilistic*) models by treating certain inputs as variable. For example, an expected future claim cost trend might be an input to a deterministic model of corporate earnings; recognizing that there is uncertainty in this trend, a probability distribution around the expected trend would be an input to a stochastic model. The model output (corporate earnings, in this case) would then also be a probability distribution.

Some of the variable inputs may be correlated with one another. For example, economic inflation (a driver of claim cost trends across multiple lines of business) is highly correlated with interest rates (a driver of asset values and investment returns). It is important to capture these correlationsâ€"indeed, this is the essence of ERM. A structural financial model of the enterprise is a practical way to do this.

In essence, a structural financial model allows one to capture the correlations among variable inputs in a simple, accurate, and logically consistent way by virtue of the model's cause-and-effect linkages of these inputs to common higher-level inputs. How this works can be seen in the sidebar examples given in Chapter V of RiskValueInsights: Creating Value Through Enterprise Risk Management. To the extent that certain inputs are not related to a common higher-level input, yet one believes that correlation exists between them, these correlations can be stated explicitly in terms of a covariance matrix, whose values can be determined through data analysis and/or expert opinion.

Once built, the structural financial model can be used to create a probability distribution of KPI outcomes by means of simulation. Such a model is termed a *structural simulation model*. A class of structural simulation models specific to the property/casualty insurance sector are termed *Dynamic Financial Analysis* (DFA) models. The KPI distributions that result from a structural simulation model can then be used for a number of purposes, including strategy optimization and capital management; the latter was described in the earlier two "Practical ERM Applications" articles cited above.

The marginal contribution of each individual risk factor to the overall risk profile of the organization can be determined by "turning off" that risk factor (i.e., by changing that particular input from stochastic to deterministic) and examining the impact on the KPI probability distribution. This technique provides a straightforward way of isolating the impact of a particular risk factor (such as natural catastrophes) on overall capital adequacy, for example. In this way, the prioritization of risk factors, which is typically done by informed judgment in the risk assessment step, can be more rigorously validated.

It should be noted that an alternative to the structural simulation approach is the statistical analytic approach. Statistical analytic approaches make a number of simplifying, often restrictive, assumptions that allow the user to generate results quickly by solving equations "in closed form", i.e., without the need for simulations. These models therefore generally sacrifice structure and realism for speed and simplicity. They also are designed around a getting an answer to a specific narrowly defined question and thus lack the flexibility and robustness of structural simulation models.

Moreover, statistical analytic models also require that the correlations between all risk factors be explicitly stated in a covariance matrix, without regard to cause-and-effect relationships; spurious results are therefore more likely. Statistical analytic models are more prevalent and relevant in the banking sector than in the insurance sector; in the banking sector, risks are more "symmetric" and well-behaved, and speed of calculation is more critical. Within the insurance sector, statistical analytic models are more appropriate for industry oversight bodies than for individual companies; they can generally be run using publicly available data.

A fuller comparison of these two approaches is contained in an earlier article in this series, The Language of Enterprise Risk Management: A Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and Measures (May 2002).

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.