MATURING: YEARS 1 AND 2
In the spring of 2011 a new tool was added to the ERM program with the introduction of the risk register (RR). Although this did not replace the risk list and heat maps, it consolidated all that information into one Excel file (see Exhibit 11.3) and added new elements necessary to properly manage risk. This is the primary document WCF uses to monitor enterprise risks.
The first cell contains each risk's assigned number and designation reflecting whether it is assigned to the IRC or to senior management. There are currently about 25 of each. A description of each risk is in the next cell, which is refined from time to time. The next cell captures risk correlation by listing the number of other risks in the document believed to be likely to occur at the same time or to be interrelated in some way. For example, a prolonged economic downturn affects other risks such as market cycle risk and pricing risk.
The next six cells in the RR deal with how the risk is scored and the potential loss to the company. The probability and severity scores are listed as currently scored. These are subject to modification to reflect changing conditions or successful mitigation. The risk score is listed and the cell is filled with light gray/medium gray/dark gray indications. The risk matrix gives ranges for both probability and severity, and selections are made for both and entered as AP (actual probability) and severity potential. These two cells are multiplied to produce a potential loss value. In a separate chart produced for the board, this cell is graphed into a tornado chart (see Exhibit 11.4) to give a representation of total potential losses at any one time. The CRO also prepares for them a separate modified heat map that shows only the most critical risks and opportunities with indications of whether we feel they are increasing or decreasing (see Exhibit 11.5).
The remaining five cells include space for probability and severity-reduction targets, mitigations recommended by the IRC or senior management, the risk owners, and who originally identified the risk. Formal mitigation steps are entered for higher-scoring risks. Usually at least a dozen or so risks have mitigation plans. A mitigation plan could be a set of active steps designed to reduce or control a risk or simply those steps that have been taken and are deemed adequate. Where this field is blank it represents a consensus that the risk is appropriately mitigated by current WCF guidelines and protocols. The risk owners are primarily responsible for actively monitoring the risk and suggesting changes or actions. The origination column just gives a record of where the concern started. Multiple people or WCF departments can appear in both cells.
In late 2011 the CRO suggested to the CEO and board that at some time a third-party review of the program might be helpful in reviewing progress to date, as well as providing some benchmarks for future improvements through the following two to three years. The board agreed, and allocations were made in the 2012 budget to engage a recognized thought leader with experience in the field to review WCF's ERM program. This was completed in the first quarter of 2012 and proved to be very helpful. The ERM expert thus engaged was Sim Segal, a Fellow of the Society of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), and president of Simergy Inc.
The engagement included a review of all documents relating to ERM at WCF to date, including matrices and heat maps in all their iterations. The risk register was reviewed along with minutes of all the IRC and Board Risk Oversight Committee meetings. This document review was followed by a lengthy discussion with the CRO responding to questions about the process, personalities, and content. A full day was spent by Sim Segal in one-on-one discussion with WCF's president and CEO, the board chairman, other WCF executives, and members of the IRC.
Exhibit 11.3 WCF Risk Register
Exhibit 11.4 Internal Risk Committee Risks: Probable Cost
The final report with recommendations was given to and reviewed with all parties and discussed at the 2012 annual board retreat. The report was helpful in verifying WCF's initial steps and pointing it toward several key future steps with some action items. These included more rigorous risk analysis of key risks using sophisticated process safety tools, engaging more closely with the affiliates and moving toward a more formalized approach to risk/opportunity issues.
The action items have been a primary focus throughout 2012 and 2013, and two are worth specifically addressing. The most consistent failure mode for property-casualty insurance carriers is reserve failures. Workers' compensation claims have a very long tail in that costs are not finalized for many years. In fact, WCF is still paying on claims dating back to the 1950s. Case reserving involves an adjuster's considered estimate of all costs to the end of the claim and an actuary's judgment of the cumulative expected development on those claims. Some will close for less than the estimate whereas many will ultimately exceed the estimates by a considerable margin. If a carrier gets this wrong, it will become insolvent. The same is true for pricing workers' compensation insurance. It is based on a volatile estimate of cost of goods sold and is subject to fluctuation and pricing error. While this does not usually result in insolvency, it can dramatically impact profitability. Therefore, claim reserving error and pricing error seem to be the best candidates for a more rigorous risk analysis.
Exhibit 11.5 Senior Management Risks: Threat/Opportunity Matrix (Top 10 by Risk Score)
To make this analysis, a simple fault tree methodology was selected (see Exhibits 11.6 and 11.7).
The fault trees were developed through consultation with subject experts. They consist of an end point failure that WCF is seeking to avoid and levels of precipitating errors built upon each other that would lead to that top-level outcome. The final bottom end points would be factors for which WCF needs to build mitigation plans. In both cases significant variables are system malfunctions, human errors, and oversight failures. The finalized analyses are then reviewed with both risk committees.
Finally, the other major focus in 2013 is on both developing a robust risk/opportunity assessment tool and determining the parameters for its use. For WCF an acceptable tool has been difficult to agree on. An initial form was developed and experimented with on a voluntary basis (see Exhibit 11.8). The form contained a restatement of WCF's risk appetite/tolerance statement guiding the users in regard to when it should be used. A description of the proposed action was required along with cost and expected value explanations.
Identified risks to successful implementation were listed and scored using a matrix embedded in the tool. Mitigation strategies for risk scoring at a certain level were completed.
Information regarding the risk owner and approvals completed the form. The usefulness of the process seemed to lie in three areas:
1. The process could help users to cover all the bases in considering their plans.
2. It could also be helpful in creating a management review and oversight circuit breaker that many companies that fared poorly in 2007-2010 might today wish they had.
3. Finally, it provides a record of risk taking. We often look back on failures and ask: How did that happen? A good risk record might show us whether the issue was an unidentified, unforeseen risk, an execution failure, or just a failure in judgment.
The question seems to come down to whether present systems are adequate or whether additional formalization is worth the effort and extra work. After further consultation with the Board Risk Oversight Committee in late 2013, management decided to adopt a "principle-based guideline that could be used on a voluntary basis or required by management as desired." (See pp. 223-224.) This approach gives maximum flexibility along with simplicity. Simple but fundamental questions are used to elicit understanding of a proposed action. Examples of ventures that might be suitable for an analysis are given and a simple follow-up process is described. So far, this approach has been successfully used several times and seems to meet the needs of the organization at this time.
Exhibit 11.6 Claim Reserving Error Fault Tree
Exhibit 11.7 Pricing Error Fault Tree
Exhibit 11.8 Risk Analysis Worksheet
WCF Group – Risk Assessment Framework February 2014
In order to protect our assets, our employees and our customers, WCF is committed to excellence and consistency in risk assessment and risk management. We are creating a risk assessment process that is transparent, scalable and productive. An effective process is one that promotes a thorough analysis and provides a framework for successful execution of the initiative.
Principle Based Format
The following questions should be addressed in a single document for new ventures or initiatives meeting the risk assessment "trigger":
1. Why do we need to take this step at this time and what are the expected costs and benefits?
2. What are the key risks (financial, operational, market, strategic, etc.) involved in the initiative?
3. How will each risk be mitigated? (Identify the specific controls to be applied.)
4. What are the most likely outcomes of the venture, as well as the worst and best case scenarios?
Examples of initiatives triggering a risk assessment
1. Significant pricing changes, e.g. refiling Loss Cost Modifiers.
2. Legislative initiatives proposed by WCF.
3. Changes in commission structure.
4. IT software or hardware purchases in excess of $500,000.
5. Changes in claim reserving methodology or claims settlement policy.
6. Investment initiatives requiring a change in investment policy and/or including a commitment of assets of $20,000,000 or more.
7. Other non-investment initiatives requiring a financial commitment greater than $500,000.
8. Significant changes to our reinsurance structure or policy.
Approval and follow up
1. The risk assessment should be completed prior to the initiative's presentation to senior management or the Board for approval with a copy provided to the Chief Risk Officer.
2. At reasonable milestones, and at the conclusion of the project, the CRO will follow up with the project leaders to assess:
(A) Are the original goals of the initiative being met?
(B) Are actual costs in line with expected costs?