ERM in Hong Kong – A Practical View

part two

In an earlier blogpost I wrote about setting risk appetite for insurance companies under the evolving Hong Kong ERM framework. My focus is on firms that develop their own ERM-framework.

In this blogpost, I “continue” the journey to building an ERM-framework and ponder risk mapping. Whilst occasionally making reference to Hong Kong, most of the scribble is applicable to every insurer who wants to take its nascent ERM-framework to the next level.

I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey. And most importantly, I keep advertising ERM as a strategic tool to support your business and not to paralyze it.

risk mapping

I like doing risk mapping! However, there is a significant risk (hahaha pun intended…) of getting lost along the journey when engaging an entire company in a comprehensive risk mapping exercise.

Plenty of competent bodies, such as COSO, describe risk mapping at great length and detail, hence I will not dwell on the methodology here. Instead, I share a number of practical aspects, pitfalls, successes and other considerations.

When I lead or coach risk mapping work, I prefer to do it in small groups and over several iterations. Depending on the circumstances, some initial “ice breaking” might be needed. Generally speaking though, insurance practitioners LOVE to talk about risk, so there is little to worry about. That is good news! Having said that, there are a few points to bear in mind.

watch-out

Firstly, we need to ensure that the involved teams cover risks across ALL major business activities. In my experience, operational risk often tends to rank highest in terms of risk “count”. Your risk officer or an experienced third party will need to moderate the mapping efforts to bring balance to the risk universe of your company. Secondly, we also need to ensure that the thinking is current and prospective: looking into the rear-view mirror is important, but only looking backward will not get us very far. Thirdly, quantification efforts need to be consistent across the entire risk catalogue, otherwise we compare the proverbial apples with oranges.

prioritise

Last but not least, probably the hardest step on the mapping journey is prioritization of risks. One “must have item” is a list containing the few, all-important strategic and key operational risks. Senior management and the directors will give all their TLC to that all-important set of risks. Yes, every risk is important, but depending on expected frequency and impact, it is handled at the appropriate level of the company! No CEO or board risk committee member wants to look at a risk register with 5000 entries, trust me on this one!

local and global perspective

Good risk mapping focuses on what matters most for the current and prospective market environment. Hence, a focus on Hong Kong (in our example) certainly makes sense. However, other risks, such as “Cyber”, are prime examples where good risk mapping must take a bigger-picture, global view. Quantification and mitigation of risks that are outside the well-known “home turf” are a challenge. The good news is: there are ways and means to deal with that.

and then?

Senior management and the directors will sign off the risk map. Subsequently, the register enters its next phase. The risk officer will need to maintain it! After all, good risk management is all about mitigation of existing risks and detecting new risks (and opportunities). An important caveat: enlarging the risk register four times a year by adding new considerations isn’t best practice. Ideally, some risks should disappear from the list over time, otherwise the list will get bloated to an extent that nobody can distinguish the chaff from the wheat any longer.

Stay tuned for more blogposts about ERM in Hong Kong here @megrow.asia !


 

ERM in Hong Kong – A Practical View

ERM for Insurers in Hong Kong – the Journey has Started

This series of blogposts ponders ERM in Hong Kong as it unfolds for Hong Kong based insurers. I chose Hong Kong for a number of reasons. First, the Insurance Authority (“IA”) launched the ERM process over the course of 2017/2018, so the implementation is in full swing. Second, Megrow has been fortunate to do quite a bit of ERM-related consulting work for companies in Hong Kong. And finally, the Hong Kong approach is a good example of a measured, gradual implementation of ERM, so it might serve well for both practical and theoretical considerations.

I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey.

And most importantly, I keep advertising for ERM as a strategic tool to support your business and not to paralyze it.

All Set to Go?

Hong Kong’s IA has released draft ERM-guidelines for industry consultation. The document is comprehensive and doesn’t contain any surprises per se. However, a myriad of cogwheels needs to fall in place to make ERM work and add value to your company. Definitely, you have some well-established risk management practices already in your company and most certainly, ‘your’ board of directors has its own ideas about risk as well.

How to put this all together in an efficient and effective manner? Certainly, an experienced third party will make your journey efficient and effective. And: you can keep your focus on running your business.

step 1 – the tone from the top

In 2017 the Hong Kong IA mandated insurers to establish a board risk committee and assign a risk officer function to a suitably qualified staff member. Starting at the top was the right thing to do. Insurers have completed this step over the course of 2017 and early 2018 already. Time to move on.

step 2 – risk appetite

Now with the risk officer and the risk committee in place, what is the next step? In line with the philosophy of “starting from the top”, ideally companies move their attention to comprehensive risk appetite definitions and the implementation thereof. That is exactly what the proposed ERM guidelines suggest doing next on the Hong Kong ERM journey.

what is risk appetite?

I like to use the famous half-full glass analogy to describe my preferred definition of risk appetite.

 

the size of the glass = available capital

The capacity of the glass represents the total maximum net risk – across all business activities – your company can bear with the current capital, reinsurance and other hedging mechanisms in place.

Simply, the glass cannot hold more water than its volume (let’s omit surface tension and other considerations here, it’s not a science class…).

This capacity is largely given by the available capital and regulatory constraints, such as minimum solvency levels. This “capacity” is relatively stable.

How much water you actually decide to pour into the glass is almost entirely the company’s decision. If you overfill, the company will have challenges. If you leave it (almost) empty, then you are not making use of the capital that shareholders gave you. In other words, how full you want the glass to be is your specific risk appetite setting. The great thing is that the water level can vary over time, i.e. companies have some entrepreneurial freedom to accept more or less risk (as long as it doesn’t overflow).

how to set risk appetite?

Two challenges arise for management and the board. First, how full is the glass with the current business and second, how full (or empty…) do we want it to be going forward? In other words, is the glass big enough to support the company’s expansion strategy? The forward-looking angle is very important: that is the linkage of good ERM with strategy!

How to go about determining the “level of water” in the glass? All companies have risk appetite statements readily available. However, these statements might sometimes be insular and sometimes not of recent date. For instance, the investment department might use a different language to describe risk compared to the underwriting department. The true value of risk appetite definitions emerges, once the statements are quantified, comparable and the statements link risk taking to capital.

Ultimately, the best way of going about it is to use a capital model, which allocates capital in a consistent way to the main business activities of the company. However, a few years will pass before RBC is mature enough in Hong Kong. So, what is an interim solution for Hong Kong based insurers?

options available
  1. purchase a third-party capital model (I won’t advertise for free here…)
  2. and/or you develop your own capital model
  3. and/or you find an interim, discrete solution and implement HK-RBC capital model along the way.

Every company is unique; hence it is difficult to make general recommendations. A practical view on risk appetite definitions: if you have a credit rating, using the rating agency’s capital model is certainly a way to go. If not, then taking the route via an interim solution would be my preference.

value proposition

Megrow is well-positioned to support you through the decision-making process and the subsequent development and implementation of the chosen path. We follow industry-standard good ERM-practice, always ensuring that our work is efficient and of practical use. The wheel has been invented, so we focus on other things!

If you would like to know more about putting ERM in place contact me via the buttons shown below and stay tuned for more blogposts about ERM in Hong Kong and elsewhere.


 

How to ERM: Part Four, Know Your Appetite and Tolerance!

An Exciting Journey Lies Ahead – Where and How Do We Start?

You have decided to implement good ERM-practice in your firm because you believe in the value of ERM as a strategic tool – that is great news!

Let’s assume that some risk mapping and some mitigation measures are in place and that these efforts are reported to senior management and the board, but NOW you want to boost ERM to the next level.

So where and how to start this voyage?

Should you deploy the most recent ERM-software or invest in modelling capabilities or put more emphasis on cyber risk or worry about reputation risk that your company might be exposed to? The answer is: NONE of it, for now!

it starts with risk tolerance and risk appetite

Before getting into any work that propels you up the risk maturity ladder, I’d strongly recommend you ensure that the risk tolerance and risk appetite are explained to and signed off by the board. Most companies would have such limits in place; however, a fresh look and an update never harms! Additionally, ensure that everybody in the company understands those limits and uses them to generate profitable business.

Setting risk limits and determining risk appetite is often guided by the regulatory framework and rating agencies’ views. Regardless of whether you deploy a sophisticated capital model or a simpler, yet more tangible rule-of-thumb approach, it all starts with this step!

Once these limits are set, then you kick off your journey to ERM 2.0.

My mission is to make this journey smooth for you and your company. Want to know more? Contact me via the social media buttons at the bottom of the page.

insert

What is the relationship between risk tolerance and risk appetite?
Risk tolerance is the maximum risk you can take; risk appetite is the maximum risk you want to take. Ideally, tolerance and appetite should be close. If appetite is much smaller than tolerance, chances are that capital deployment is inefficient; if appetite on an aggregated basis outdoes tolerance, your company is at risk. If you want to be more comprehensive, you can add risk bearing capacity to the consideration. Risk bearing capacity is roughly equivalent to the firm’s equity (more on that in another post).

The drawing below illustrates the interplay of “bearing”, “tolerance” and “appetite”.

 

risk appetite, risk tolerance and risk bearing capacity

 

PS: my multi-part “how to ERM” series started here

Spreading Our Wings

expanding our network!

I’m very happy to announce that my fellow director at Megrow, Margaret Lim, has been accepted by the Singapore Institute of Directors as a member. This is another great step for our company and Margaret.

The Singapore Institute of Directors promotes the professional development of directors and corporate leaders. The institute also encourages the highest standards of corporate governance and ethical conduct.

Visit www.sid.org.sg – it has all about the institute’s various interesting offerings!

ERM increases company valuation

Enterprise Risk Management is viewed favorably by rating agencies, stock exchanges, regulators and other stakeholders – this is all good news.

But some boards and CEOs remain skeptical about ERM’s value: sometimes a perception reigns that ERM is a pure cost, a governance exercise, some box-ticking event, doesn’t deliver any topline and produces nothing but a thick report that nobody reads. The ERM-journey up the risk maturity ladder requires board and management commitment, hence the question arises: what is the return on this investment, in other words how does a CRO convince the board and the CEO that ERM creates value for the company?

Over the past two years two independent, reasonably comprehensive studies have shown that there is a good correlation between good ERM-practice and a company’s valuation – in other words: it pays to do ERM!

Study No.1 says […our results suggest that firms that have reached mature levels of ERM are exhibiting a higher firm value ….] and study No. 2 comes to a similar conclusion stating that […results confirm a significant positive impact of ERM on shareholder value…].

This is very good news for all ERM practitioners, boards and executives of all companies!!


Risk Maturity Ladder is defined here

The valuation implication of ERM maturity. Mark Farrell & Ronan Gallagher, 2014

Determinants and value of ERM. Nadine Gatzert & Michael Martin, 2016