This discussion relates to the paper presented by members of the Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM (Risk 1) Workstream at the IFoA sessional event held on Monday 15 August 2022.
The Moderator (Mr P. G. Telford, F.I.A.): I am Peter Telford, the chair of the Institute and Faculty of Actuaries (IFoA)’s Risk Management Board. The speakers for today are:
Jasvir Grewal, the Head of Data and Analytics at the Global Facultative Broking Department at WTW. Prior to this, she worked at several syndicates, holding a wide range of roles, both actuarial and non-actuarial. She has a strong background in capital modelling and data science. Jasvir is a Fellow of the IFoA and is also a chief chartered enterprise risk actuary. She has been a member of the IFoA Risk Management Board and multiple working parties.
Lawrence Habahbeh, the Director of HedgeGenomics, a quantitative and strategic risk consultancy. He is an expert in geopolitical risk, enterprise risk management (ERM), traded market and counterparty risk, and climate risk modelling. Lawrence is a member of the IFoA Risk Management Board. He leads the research workstream for the board’s Climate and Sustainability working group, which focuses on integrating environmental, social and governance (ESG) factors into risk frameworks and long-term climate risk scenarios. Lawrence also chairs the Black Swan Insurance Group working party.
Dr Madhu Acharyya, a senior lecturer at Glasgow Caledonian University’s London campus, where he leads the MSc programme on Insurance and Sustainable Risk Management. He teaches and researches risk and finance topics in the banking and insurance sectors. Madhu holds a PhD in enterprise risk management. He is a Fellow of the Institute of Risk Management and an Associate of the U.K. Chartered Insurance Institute. He is a member of the IFoA Cyber Risk and Operational Risk working parties.
Ms. J. K. Grewal, F.I.A.: We will start with an introduction to the efforts and scope of the workstream. Then we will discuss the collection of thoughts and experiences from the workstream members. Given the broad background of the workstream volunteer group, we have a number of interesting case studies to consider. We will also give an update on the next steps of the workstream.
Madhu (Acharyya) will talk about the research he is carrying out academically and Lawrence (Habahbeh) will talk about the working party that he set up, the Black Swan working party.
This is an entirely voluntary project and most of the work was done during the pandemic. The key thing to mention is the diversity of the workstream group and the volunteer list. We had contributions that were geographically diverse; from members working in Singapore, Jordan, India, South Africa, and the U.K. We also had contributions from different insurance sectors – general insurance and life insurance – as well as from banking and academia. That is very important when you are looking at a global event such as COVID-19.
The purposes of the workstream were to learn from the experiences of our peers and to provide food for thought. We have all come from very different backgrounds and bringing together those experiences can be very interesting, even eye-opening in some cases. The purpose was not to provide prescriptive guidance or an overview of all COVID-19 impacts on ERM frameworks. That is a very broad topic, especially relative to the size of the volunteer workstream.
Enterprise Risk Management is widespread, as are the impacts of COVID-19. What we wanted to do was to summarise our thoughts and experiences in a way that was easy to digest.
Given the aims of the paper, Lam’s ERM framework provided a good structure for us to work from. Although dated, it has seven easy-to-understand components that we were able to structure our thinking around. We will speak about each of the seven components in turn. Figure 1 shows the seven components.
Figure 1. Lam’s 7 components.
Corporate governance sits at the top of the entire framework. It is concerned with ensuring that the board of directors and management have established the appropriate processes and controls to quantify and manage risk across the company. Figure 2 has a summary of our key thoughts relating to the COVID-19 pandemic response.
Figure 2. Corporate governance.
I want to highlight the point concerning risk management philosophies. We all know that boards have a key role to play when a company is trying to recover from a shock event, like COVID-19. If an effective ERM structure is in place, the board should be suitably prepared. We know that having training schedules in place, as well as key reporting, can also help. In the Lloyd’s of London environment, the Own Risk and Solvency Assessment (ORSA) process is an example of this.
The first question to raise under this risk management philosophy item is whether there is an effective organisational structure in place. For example, was succession planning included in mission critical roles? The ‘great resignation’ followed the pandemic, and not having effective succession planning in place could be a cause of recovery taking much longer than it needed to, following the shock event.
The second point to raise under this risk management philosophy heading is whether the focus is on crisis management. If the focus is on dealing with short-term problems there would be a benefit from also reviewing the medium to longer-term plans and how they are impacted. That approach could be used to challenge business strategy, dampen impacts from an event over the longer term and help with speeding up recovery.
To illuminate that point, I want to use directors’ and officers’ insurance as an example. When the pandemic started, this was not a pressing issue. When it came to the medium and longer-term, there was an increase in claims as a result of the perceived inadequate responses to the pandemic situation as we gradually emerged from lockdowns. Some entities, rather than solely focusing on short-term firefighting, were looking for opportunities. These entities entered the contingency insurance market due to the increase in premiums as a result of COVID-19. The example highlights how entities can benefit from having effective corporate governance in place alongside a risk management philosophy as opposed to a crisis management philosophy.
Mr Habahbeh: Portfolio management is the next component to discuss. An important aspect of portfolio management is how to assess the effectiveness of the enterprise risk management function and your risk governance structure at the portfolio level. The portfolios mentioned here could be portfolios on banks’ balance sheets that are used for trading (which cover a wide range of assets, asset classes and risk factors and geographies); or portfolios of assets backing annuity liabilities on insurance balance sheets. It is important to consider extreme risk analysis and analyse the elasticity of your enterprise risk management function at the portfolio level. The COVID-19 pandemic has demonstrated that the events that we consider to be extreme, due to their impact and likelihood, do happen. For example, there was the Hong Kong pandemic from 1968 to 1969 that caused over three million deaths. Other examples include the global financial crisis, the European debt crisis and the current war in Ukraine. These events do happen, and they are not infrequent. We have to understand the consequences of these events as they spread through different systems in society. One of the key lessons of the COVID-19 pandemic is that it is important to have a sub-framework tailored towards the risk assessment of emerging risks.
In this context, emerging risk has a particular definition. We are talking about risks that are known. However, we do not fully understand the short, medium, and long-term implications of these risks, their consequences, and their interaction with other risks. To efficiently allocate resources to deal with these particular risks it is vital to create an emerging risk sub-framework to identify, assess, quantify and represent the risks and communicate this internally and externally. This is one of the lessons learned from the COVID-19 pandemic.
One way to think about these particular risks is to map their consequences. The impacts of these risks spread through different systems in society and generate unforeseen effects. We need to think about the linked and compounded risks they create so that we can understand at what level our risk profile will be impacted. You can use that information to design insurance products to mitigate the consequences of those particular risks.
One way to think about these consequences is through a feed-forward cause-consequence analysis. Taking the COVID-19 pandemic as an example, it created an initial impact that was essentially a travel disruption. Then it created secondary risks: disruptions to certain services; disruptions to supply chains; reduced availability of personal protective equipment (PPE); and so on. These effects progressed through society, impacting, for example, the amount of available oxygen minutes in hospitals’ intensive care units (ICUs). We need to be able to map these consequences to understand the range of impacts an emerging risk can create.
When we frame risks as systems, we can also consider risk characteristics such as the velocity of the risk and the higher-order change over time. These characteristics can provide information about when a risk could shift from a normal to an extreme impact risk, for example. It is important to study and analyse these kinds of attributes so that we can understand these particular types of risks.
One last thing I would like to mention is that, to understand those risks, I believe we need to move away from discrete risk analysis. Taking war as an example, a conventional approach is to assess the likelihood of war and look at its discrete impacts. I believe we need to move away from that mode of thinking and instead think about risks happening concurrently. For example, last year, during the COVID-19 pandemic, there were floods in the Netherlands and in Germany. These two risks arose together and created unforeseen consequences. These types of concurrent risk events add more stress to portfolios and to enterprise risk management.
Ms Grewal: The third component is integration of enterprise risk management with business lines. When we talk about business lines, we refer to the revenue generating departments of an entity. In the paper, we talk about the considerations highlighted by the COVID-19 pandemic. The paper looks both at areas for improvement and brings out examples of successes. One example of success that I have seen is horizon scanning and how it was used to monitor COVID-19 as well as the subsequent government policies to limit the potential for business disruption. In my experience it is effective in many cases, although of course this will vary by region and industry. Another example of a success is how Lloyd’s of London converted to digital operation and, in terms of the day-to-day underwriting of risks, there was not substantial business disruption.
We have also identified areas where there could be room for improvement in Figure 3 and I can focus on a couple of examples.
Figure 3. Integration of ERM with business lines.
When the COVID-19 pandemic happened, in terms of quantifying exposures, many syndicates had to get people to manually go through contracts and read the contract clauses and exclusions. Some syndicates did have better data-recording processes in place and the industry is moving towards having technological solutions to remove those kinds of issues. However, there is still some uncertainty after you have collected that information around contract clauses and exclusions. There is still uncertainty around where the losses will be triggered as a result of emerging risk. The robustness of contract clauses is something to consider embedding within risk management considerations and communications. That is a theme that is touched upon throughout the paper.
Finally, I want to mention how behavioural biases need to be considered when thinking about how the COVID-19 pandemic impacted the effectiveness of an ERM framework. In Figure 3, I question whether the scale of the pandemic and its effect on business lines, and subsequent business strategy, was underestimated. I am referring to overconfidence bias as, while the COVID-19 pandemic was evolving, something similar had not happened before. In the paper we have some examples of behavioural biases and how they play out within an ERM framework.
Mr Habahbeh: The next component to consider is risk transfer. The idea behind the Black Swan working party is based on the fact that only 5% of U.K. businesses hold business interruption insurance. There are a few reasons for the low take-up rate. One is that businesses think a lot about urgent risks. For example, they think about buying insurance to cover against things that usually happen. They do not think about, for example, the impact of an event that could cause a government to take binary decisions, such as choosing to enforce a lockdown or social distancing measures.
We wanted to set up a working party to tackle that particular problem and come up with a structure that considers the risk profiles of different emerging risks. By emerging risks we mean extreme weather events, another pandemic, another geopolitical risk event such as the ongoing war in Ukraine, or another nuclear accident similar to the Fukushima nuclear accident, for example. We want to have a range of emerging risks, and understand the risk profile of each one, so we can try to establish risk-reflected pricing for those events, taking the different parties to the transaction into account.
To clarify, the insurance industry has been good at dealing with financial risks that can be modelled. Emerging risks cannot be modelled because there is a lack of historical data. In addition, it seems that one important assumption at this time is that the future will not be based on the past. The future trajectories or states of the world will be completely different to what we are experiencing now, or what we have experienced in the past. Therefore, it is important to think about exploring the different structures that can provide insurance against those types of events.
There are many avenues to explore. It could be, for example, based on a public-private partnership, whereby you have the government as the last backstop, or the insurer of tail risk. Perhaps we could explore a global solution whereby you have countries as policyholders. Each country could pay, for instance, a percentage of their GDP into a fund, which provides insurance or compensation when they face catastrophe. There are many ways to explore this. The aim is to structure something that is affordable, available, and relevant to the emerging risks we face.
Ms Grewal: The fifth component is data and technology resources. There are some obvious points around working from home capabilities and we look at these in the paper. I am going to bring out one of the more interesting updates that came from a volunteer who worked at a bank in Singapore. They were told that a paper was issued jointly by the Monetary Authority of Singapore and the Association of Banks. The paper was issued because banks were having to adopt a remote working setup due to the COVID-19 pandemic. The paper urged senior management to improve their risk management resilience and it provided a lot of material on best practice for this kind of risk management. It is useful and interesting to compare this with my own experiences working in general insurance in the U.K. where there was regulatory intervention and support, but of a very different nature. This example demonstrates the power of having a truly diverse volunteer workstream.
Mr Habahbeh: Risk analytics is the sixth component. Some of the major issues during the COVID-19 pandemic were due to the specific nature of the pandemic and due to government intervention. We have talked about the binary decisions that governments needed to implement, and how these binary decisions impacted firms’ risk profiles and risk metrics at the portfolio level. The scenario analysis, stress testing, reverse stress testing and regulatory capital metrics did not really capture the discontinuity that occurred in March 2020, when the U.K. government enforced a lockdown. Therefore, we need to think about scenario narratives. What we mean by scenario narratives is that we need to consider sociological, behavioural, financial, economic and psychological aspects when dealing with events that can have impacts with unpredictable direction and unknowable magnitude. For example, from a public concern point of view, the dread factor for different types of risks is different. Death from radiation versus death from the flu has a different dread factor, and that has an impact on the behaviour of the population when they are faced with these particular catastrophes. We need to create those narratives in what we call scenario labs. The risk metrics must include some form of regime shift. This means that the value at risk metrics, the stressed value at risk metrics, or the expected shortfall models that banks use to quantify the market or credit risk in trading portfolios, are based on historical data that is calibrated to 300 or 500 days’ worth of data. That does not really tell us much, even if you calibrate your stress value at risk to a period of excessive market stress. For example, even using the 2008–2009 financial crisis period didn’t capture the immediate discontinuity resulting from the COVID-19 pandemic, or the after-effects of it.
We need to come up with models that reflect this regime shift. Under normal market conditions the models will work in a particular way when there are particular indicators. For example, we can consider the velocity and higher order time change of different variables or indicators. When these indicators start flashing red, we shift to an excessive market stress regime. These are some of the important issues to explore moving forward, particularly when we are thinking about extreme emerging risks.
Ms Grewal: The final component is stakeholder management. This component is concerned with meeting stakeholder expectations, communicating adequately and reporting risk information to key stakeholders appropriately. This component was interesting because we had lots of discussions with volunteer workstream members who were based abroad. There are obvious points here relating to customer-employee retention that I won’t dwell on. I could mention the talent crisis, and I have already touched on the great resignation. Instead, I am going to briefly touch on adjusting to accommodate regulatory changes.
The obvious example here, if you are familiar with the U.K. market, is the COVID-19 claims case that went to the Supreme Court. Another example that was provided by one of the volunteer workstream members was the action taken by the Saudi Arabian Monetary Authority. The authority issued a declaration that all retail motor insurance policies were guaranteed an extension of two months for free. This was argued to be appropriate because, due to lockdowns, insurers were enjoying lower exposure levels as policyholders were driving less. The authority wanted to make sure that the benefit seen by the insurers was passed on to the policyholders. This was an interesting piece of regulation to hear about, and the volunteer suggested that this was a very sudden and unexpected intervention for that market in question. Similar actions were taken across other global markets and courts ruled in favour of policyholders in a number of different geographical regions. The question I pose here is whether enough preparation has been done, alongside building up ERM framework resilience, to ensure that unexpected regulatory intervention doesn’t cripple a business.
Stakeholder management was the seventh and final component. This leads us to touch on the case studies included in the paper. These case studies are not meant to capture the complete international scope. The purpose of this work scheme was to collate experiences and relay them back as food for thought.
The first case study focuses on capital model completeness. The scope of this case study rests entirely on solvency for internal capital models, as you would find within the Lloyd’s of London environment. Pandemic risk events feature on many risk registers and would have done so even prior to the COVID-19 pandemic. As part of the operational risk parameterisation processes, pandemic risk events would have been captured within capital models, albeit at a very high level. The COVID-19 pandemic made us question whether these high-level allowances were adequate, especially when we look at the potential for future pandemic or shock events. To provide some context for those who are not familiar with capital modelling, particularly within the Solvency II environment, there were certain elements that were underestimated, and a good example of this was the secondary impacts. The widespread lockdowns, and the subsequent global economic downturn after the COVID-19 pandemic, constitute secondary impacts. These impacts triggered losses across many different risk types. What that highlighted was that a systemic risk, or a shock event, has the potential to trigger losses that are not insignificant. There were concurrent losses related to, for example, investment return risk, operational risk, premium risk, reserve risk and so on.
As well as a syndicate’s own risk processes, the regulator provided fairly strong direction. There were rumours of suggested loadings that would have been applied to capital if prioritisation was not loaded, or COVID-19 was not adequately allowed for. Many syndicates did update their capital model parameters. This may have been through altering distribution parameters or loadings, increasing correlation assumptions, stressing ESG assumptions, and so on. Capital model parameters were changed in a variety of ways in light of the pandemic unfolding.
The point I am trying to make in this capital model case study is that many of these parameterisation loadings were slowly unwound as COVID-19 experience became better understood. Capital models, by definition, are meant to help quantify the 1 in 200-year risk measure. The question I have posed is whether we should be allowing for a more general, widespread, systemic risk event more broadly, especially if we are expecting the frequency of these very high impact events to increase over time. My argument is that surely we should be allowing for general systemic risk events more broadly and not just reactively.
Mr Habahbeh: The second case study we want to discuss is titled “Acts of God.” For historical reasons the legal systems in the U.K. and Jordan are quite similar. For context, the way banks in Jordan operate is that they give out loans. These are personal loans, credit card loans, car loans, mortgages and so on. When they give out these loans, they insure against the default of the underlying obligor with local insurance companies. As a result of the COVID-19 pandemic, and because of government policy, a lot of these obligors defaulted. When the banks started labelling these events as 'COVID related' the insurance companies could not make the full payments, so the banks stopped labelling them as 'COVID related.' As the COVID-19 pandemic is considered to be an Act of God, the insurance company is not responsible for the liability. We wanted to ask 'What is the definition of an Act of God in the English legal system?' We settled on the definition given in Figure 4.
What is interesting about this definition is the phrase 'these events are directly and exclusively without human intervention.' This begs the question – what about climate change, for example, where the major cause is human action?
Where does the definition fit in the picture of pandemics? Scientists are saying that 1.7 million known viruses exist. They can jump from animals to humans, and the impact could be orders of magnitude greater than the current COVID-19 pandemic. There is a relationship between the environment and those viruses. Where does that fit into the definition that Acts of God are 'directly and exclusively without human intervention'? I think it would be quite interesting to dig deeper into this, to see the legal interpretation of the words “directly” and “exclusively”, and consider the real meaning of “without human intervention”. The second part of the definition says that an Act of God 'cannot be prevented by any amount of foresight, pains and care.' Currently, we are working on a global pandemic modelling institution and we are looking at carbon capture. We are intervening to minimise the impact of human intervention on the environment. Is the definition of what constitutes an Act of God still valid in these contexts?
Ms Grewal: I will now hand over to Madhu (Acharyya) who is going to provide an update on the academic research he is undertaking around assessing effectiveness. In light of the COVID-19 pandemic, assessing the effectiveness of ERM frameworks is not trivial, and constitutes its own research field.
Dr M. Acharyya: I will present the findings of my research study on the effectiveness of ERM. In particular, I will focus on a model to measure the performance of ERM with a combination of financial and non-financial variables, such as ESG variables.
Within an organisation, ERM is viewed as a management function, not a direct profit-generating function. It can be compared with companies’ research and development functions. ERM covers all key significant risks, including emerging risks. It combines them in a framework that includes risk modelling, governance and risk reporting. It is very hard to measure the performance of ERM in monetary terms.
Our research takes a very narrow focus of managing the value of ERM. We have two aims. The first is to examine whether ERM adds value to a firm. The second is to investigate the significant factors that influence the helpfulness or effectiveness of ERM. In the literature there are two types of performance metric. The first type is derived from accounting-based measures, for example return on investment (ROI). The second type is derived from capital market-based measures, for example market to book value ratio, Tobin’s Q (the ratio between the market value of the lead assets and the replacement value of these lead assets), economic value added (EVA) and market value added.
During this study, we used the capital market-based measures as variables to measure the performance of ERM, in particular Tobin’s Q. We developed and tested two models. The first model is a multivariate linear regression model, set out in Figure 5, to estimate the effect of insurers adopting ERM implementation on the value of the Tobin’s Q.
Figure 5. Multivariate linear regression model.
The second model is a logistic regression model to determine the significant factors that influence ERM adoption. We ran both models in two phases. In the first phase, we regressed both Tobin’s Q and ERM adoption against only financial variables. In the second phase, we added non-financial variables, such as ESG variables. The financial variables are company size (for which we took the logarithm of the value of total assets), market capitalisation, revenue, profit and loss and other similar variables. The non-financial variables are the environmental disclosure score (0 to 100), social disclosure scores, and other social variables like number of employees, social supply chain management, corporate responsibility and governance disclosure scores.
From the first model, only using the financial variables, we found that ERM implementation creates positive value for the firm’s performance. As the firm adopts ERM, Tobin’s Q is increased by 3.68%. Using the reduced variables it is increased by 3.75% if they adopt ERM in the framework.
Modelling using both financial and non-financial variables, we noticed slightly better results. If we include the ESG variables, Tobin’s Q is increased by 5.21% with the full model and 5.02% with the reduced model. This means that if we include both financial variables and non-financial variables with the ERM framework then the efficiency or effectiveness of ERM increases. From this, we conclude that ESG plays a vital role in the effectiveness of ERM. Thereafter, we use the second model (the logistic regression model), to determine the significant factors that influence adoption of ERM. We regress the ERM score, which can be 1 or 0, depending on whether the insurers adopt ERM implementation. The score is 1 if the insurer adopted ERM and 0 if ERM is not adopted. We noted that company size was a significant predictor of ERM adoption.
In addition, the effectiveness of ERM increases if the company size increases. This indicates that the larger the insurer is, the more likely they are to engage in ERM adoption. This is not surprising. The insurers that adopt ERM are more likely to produce a higher return on assets (ROA). That is also a good result. Interestingly, we found that the insurers who did not adopt ERM produced a higher return on equity (ROE) compared to insurers that engaged with ERM. This indicates that shareholders may not value the management initiatives of adopting ERM.
Another interesting result is the negative relationship between the loss ratio and ERM adoption. Again, this favours the shareholder perspective. Not surprisingly, only one non-financial, ESG factor (social disclosure) was found to be significant and positively related to ERM adoption. This means that ESG was not adequately integrated with the insurer’s ERM adoption from the shareholders’ point of view. This is a very interesting result but there is a caveat. We conducted this study several years ago, around 2015, and subsequent and future data may behave differently. Going forward, we intend to broaden the study and include the impact of COVID-19 on insurers’ ERM components.
We plan to conduct an event study to investigate the performance of ERM adopters during the COVID-19 pandemic. We will divide the COVID-19 period, between 2020 and 2022, into three windows, as seen in Figure 6. We will also investigate the performance of the insurers with ERM scores that are captured in this study, compared to the pre-COVID-19 period, which is before 2020. This will help us to see if ERM performs better in normal or abnormal times.
Figure 6. Results and interpretation.
Mr Habahbeh: Moving on to our next steps and future work, I want to talk about the kind of work that we need to do to better understand and anticipate extreme events. We need to develop a new approach and theory for extreme risk analysis that looks for new statistical methods and irregularities in the data and creates scenario narratives that take into account a multitude of impacts generated by those particular risks. For example, the economic and financial impacts, the behavioural aspects and the psychological and sociological factors. In addition, we have to push for more sharing of information and collaboration with scientists and practitioners. This will enable us to have a better understanding when we talk about setting the emerging risk assumptions and judgments. We also need to create horizon-scanning systems and systemic procedures for early warning of possible events.
One issue that we need to work on is that we tend to think in terms of the likelihood of these events. This can be a bit misleading. We need to focus on understanding the drivers of the risks.
We know that the risk can manifest because of known and unknown causes. We need to be able to understand the drivers of the risk and which causes make the risk more likely to manifest. If we frame risk in terms of a risk system, we also need to do research to understand the other aspects or attributes of those particular risks. For example, their velocity, their acceleration, the tipping points at the risk system level and the risk component level, and the cycles that exist within the risk system. Over the past decade or so, we have had a nuclear accident, a war and two financial crises, one in Europe and one across the world. Now we are dealing with the COVID-19 pandemic and another war. These types of events happen regularly. When we think about risk registers, maybe we can start to think in terms of likelihood and impact and consider if we need to have more detailed assessment of the impacts. We could potentially also include other dimensions such as resilience and capabilities.
Now we move to the question and answer session.
Question: There was mention of a Supreme Court case, could somebody go back to that in a bit more detail?
Ms Grewal: This was to do with business interruption claims. Six to eight insurers were involved in a Financial Conduct Authority (FCA) test case. It was based around seeking clarity about whether certain non-damage business interruption policy wordings applied to losses. Lockdowns caused widespread disruption and insurers were arguing that their contracts did not cover those losses. The Supreme Court did rule in favour of policyholders and there was widespread media coverage that resulted in reputational damage for the insurance industry. There is more detail in the paper.
Question: You referred to capital modelling implications of extreme risks like the COVID-19 pandemic and you suggested that maybe the way in which we build capital models using historical data might not completely capture extreme event characteristics. Do you have an idea of how we might do that better?
Ms Grewal: I touch on this in the paper. We can consider how events not included in historical data are included in parameterisation at the moment. For example, if you are looking at underwriting risk distribution and you think that the tail, or a part of the distribution, isn’t adequately being allowed for, you prop it up with an event that you deem not to be in the data but that could feasibly occur. With capital, you are setting a 1 in 200-year risk measure so you do top it up with events not in historical data. This is why I pose the question of whether there should be a more generic, systemic risk distribution allowed for in capital models. You’ll see that there are some entities that do this, albeit perhaps not for pandemic risks or systemic risks, to allow for things such as far-reaching cyber-attacks, for example. This would be a general systemic risk distribution that simultaneously triggers losses within risk types but also across risk types, and that could allow for events that are otherwise missing from the calibration processes. It is allowing for shock events much more holistically in capital models, rather than including events in the model as they happen, and taking the allowances out as the impacts dissipate.
Mr Habahbeh: Capital add-ons could be a way forward. Basically, make additive adjustments to the existing models that you use to quantify your market, liquidity and credit risks. One way is to map your scenario narratives into monetary terms, for example, to see how your capital is affected by these particular scenarios and simulations. It is important to remember that, sometimes, the cost associated with those particular events can exceed the total premium collected, or even the market capitalisation of the whole insurance industry. Take the U.K. as an example. The cost from the pandemic is about £500 billion. The total market capitalisation of the insurance industry in the U.K. stands at about £3 trillion. That is why we need government intervention. No insurance company, and no insurance sector, in any part of the world, can deal with those kinds of events on their own.
Question: Is the problem here that you can have the same event not appearing in multiple data sets? In other words, this is an operational risk, but it is not in that data. Similarly, it is a market risk, but it is not in that data, and it is an insurance risk, but it is not in that data. We can adjust each of those, but what we have missed is that it is the same event. Therefore, when you correlate your risk drivers with anything less than 100%, you have not made the full allowance that you might have intended to.
Ms Grewal: That is a perfect summary. The idea of a general systemic risk distribution that simultaneously triggers losses is to counter that issue. When the COVID-19 pandemic happened, some syndicates saw themselves being hit in terms of investment return risk. Their investment returns were much lower than expected, and the global economic downturn changed their forecasts when it came to economic scenario generators as well. They could also see that there was increased operational risk because everyone was working from home. There was also an increased risk from the differing classes of business within premium risk, as well as the reserve risk implications. There was also uncertainty around reinsurance and around whether or not recoveries would happen. This was all being triggered by the same event, so the idea of allowing for pandemics or shock events adequately in capital models is all about capturing that simultaneous triggering. It is all about capturing it as one true event, not one small event that can be diversified away when you are calculating your capital.
Question: There are probably two ways of addressing a modelling challenge like that. One which you might call ex ante – to try to get your inputs right. The other one is ex post. This would be to make the adjustments to the model and see from the outputs if the 1 in 200-year loss generated is big enough to cover the known impact of a specific event. Back-testing validation is another way to tackle that. In your analysis of how ERM is adding value, you said that company size was a factor. How do you decide which variables to analyse? Could there be some compounding going on?
Dr Acharyya: We use a technique that highlights the variables that are most important. When we have the full model that includes all variables, we see which variables we can ignore. We consider the difference between two models, one with and one without the variables that we consider unimportant, and if the model outputs are similar that means that those variables do not have a significant impact.
With your previous question, one of the important things for ERM is the diversification benefits. This is very important because we cannot model every weakness in isolation. One of the important things that is challenging for ERM is to re-group things and see what the effects are, which basically accounts for the correlation.
Question: Can you talk a bit more about how the event study on the COVID-19 specific impact is going to be structured?
Dr Acharyya: We have looked at ERM from 2000 and beyond, and we want to see whether the established patterns continued during the COVID-19 pandemic. We divided the COVID-19 pandemic into three periods. The first is the crisis moment, which is the first few months of the first year. It then reaches recovery mode, and then business as usual. For example, in the crisis moment, we might consider the lockdown and how it impacted on organisations. The recovery period includes the period of vaccinations and in the final, business as usual period, there are no lockdowns. We tried to see in which phase ERM works best. ERM does not allow business as usual during the crisis and recovery periods, but it can make the crisis response better.
Question: In a competitive market, how do you increase prices for the Black Swan risks, especially if you are the first to try? Is the solution always going to be to transfer the risk back to the customers or to the government?
Mr Habahbeh: When you are dealing with those types of risks, there are always different parties to the transaction. As I said before, the losses that are generated by these particular events can sometimes exceed the premium collected, or even the market capitalisation of the whole insurance industry. Therefore, we need a backstop. We need an insurer of last resort for the tier of the particular risk. Therefore, the Black Swan insurance product can take these aspects into account when designing the particular products.
Question: You spoke in your presentation about analysing risks discretely or by system. What do you think is the essential difference between a discrete view and a system view?
Mr Habahbeh: When you think in terms of risk systems, you have to consider events that happen concurrently. The consequences of the impact can propagate in the system from two different linked risks. For example, last year the world was still dealing with the COVID-19 pandemic and vaccine rollout. Suddenly, we had flash floods in the Netherlands and Germany. These were two separate events, but they arose together. This amplified their consequences. When you think about these discretely you can think about the likelihood of another COVID pandemic happening over the next five years, let’s say for a one year capital horizon, because that’s how banks set their capital. You need to forget the likelihood assumption and start thinking about consequences, because when you think about a discrete risk, the likelihood is immersed in uncertainty. These are high-uncertainty risks because we do not have sufficient data to robustly make a conclusion about their likelihoods. Therefore, we tend to focus a lot on the likelihood and put these particular risks at the bottom of the risk register. You do not pay attention to them, but when they do happen, they tend to dominate the calculation of total risk through their impact. Therefore, when you think in terms of systems, you have to think about these risks happening concurrently. You have to consider the consequences, the linked and the cascading higher-order risks, and see the range of paths, how the risks might manifest, and understand at each level how your risk reacts.
Question: It sounds like a reverse stress-testing regime. The question is, what can we survive as an organisation and, if things get as bad as that, what can we do to improve our survivability? You said that we should forget the likelihood assumption as something that bad is going to happen sooner or later. Are we ready for the impact?
Mr Habahbeh: Every day, you have a chance of an emerging risk happening, and a chance of it not happening. That is the best you can do. You have to plan for it.
Question: We have set out quite clearly the ways in which firms and industries, particularly in insurance, need to strengthen ERM with regards to the lessons learned from the COVID-19 pandemic. What can actuaries do to help?
Ms Grewal: Over time I have gradually gone into more commercial roles. My role is all about understanding events and appreciating the impact they could have on business strategy, not only in the short-term, but also in the medium to long-term. It is about making sure that we are the ones challenging the business strategy, and not just relying on senior management to do that without the skill set that we bring to the table.
Dr Acharyya: I am not an actuary, so I see ERM from an external point of view. ERM is not just about capital management or modelling, it is about broader issues and it is about management. Actuaries can help other organisations to not view ERM from a narrow or measurement perspective. It is a management tool that brings together corporate governance, reporting and other areas.
Ms. J. K. Grewal, F.I.A.: We will start with an introduction to the efforts and scope of the workstream. Then we will discuss the collection of thoughts and experiences from the workstream members. Given the broad background of the workstream volunteer group, we have a number of interesting case studies to consider. We will also give an update on the next steps of the workstream.
Madhu (Acharyya) will talk about the research he is carrying out academically and Lawrence (Habahbeh) will talk about the working party that he set up, the Black Swan working party.
This is an entirely voluntary project and most of the work was done during the pandemic. The key thing to mention is the diversity of the workstream group and the volunteer list. We had contributions that were geographically diverse, from members working in Singapore, Jordan, India, South Africa, and the U.K. We also had contributions from different insurance sectors – general insurance and life insurance – as well as from banking and academia. That is very important when you are looking at a global event such as COVID-19.
The purposes of the workstream were to learn from the experiences of our peers and to provide food for thought. We have all come from very different backgrounds and bringing together those experiences can be very interesting, even eye-opening in some cases. The purpose was not to provide prescriptive guidance or an overview of all COVID-19 impacts on ERM frameworks. That is a very broad topic, especially relative to the size of the volunteer workstream.
Enterprise Risk Management is widespread, as are the impacts of COVID-19. What we wanted to do was to summarise our thoughts and experiences in a way that was easy to digest.
Given the aims of the paper, Lam’s ERM framework provided a good structure for us to work from. Although dated, it has seven easy-to-understand components that we were able to structure our thinking around. We will speak about each of the seven components in turn. Figure 1 shows the seven components.
Figure 1. Lam’s 7 components.
Corporate governance sits at the top of the entire framework. It is concerned with ensuring that the board of directors and management have established the appropriate processes and controls to quantify and manage risk across the company. Figure 2 has a summary of our key thoughts relating to the COVID-19 pandemic response.
Figure 2. Corporate governance.
I want to highlight the point concerning risk management philosophies. We all know that boards have a key role to play when a company is trying to recover from a shock event, like COVID-19. If an effective ERM structure is in place, the board should be suitably prepared. We know that having training schedules in place, as well as key reporting, can also help. In the Lloyd’s of London environment, the Own Risk and Solvency Assessment (ORSA) process is an example of this.
The first question to raise under this risk management philosophy item is whether there is an effective organisational structure in place. For example, was succession planning included in mission critical roles? The ‘great resignation’ followed the pandemic, and not having effective succession planning in place could be a cause of recovery taking much longer than it needed to, following the shock event.
The second point to raise under this risk management philosophy heading is whether the focus is on crisis management. If the focus is on dealing with short-term problems there would be a benefit from also reviewing the medium to longer-term plans and how they are impacted. That approach could be used to challenge business strategy, dampen impacts from an event over the longer term and help with speeding up recovery.
To illuminate that point, I want to use directors’ and officers’ insurance as an example. When the pandemic started, this was not a pressing issue. When it came to the medium and longer-term, there was an increase in claims as a result of the perceived inadequate responses to the pandemic situation as we gradually emerged from lockdowns. Some entities, rather than solely focusing on short-term firefighting, were looking for opportunities. These entities entered the contingency insurance market due to the increase in premiums as a result of COVID-19. The example highlights how entities can benefit from having effective corporate governance in place alongside a risk management philosophy as opposed to a crisis management philosophy.
Mr Habahbeh: Portfolio management is the next component to discuss. An important aspect of portfolio management is how to assess the effectiveness of the enterprise risk management function and your risk governance structure at the portfolio level. The portfolios mentioned here could be portfolios on banks’ balance sheets that are used for trading (which cover a wide range of assets, asset classes and risk factors and geographies); or portfolios of assets backing annuity liabilities on insurance balance sheets. It is important to consider extreme risk analysis and analyse the elasticity of your enterprise risk management function at the portfolio level. The COVID-19 pandemic has demonstrated that the events that we consider to be extreme, due to their impact and likelihood, do happen. For example, there was the Hong Kong pandemic from 1968 to 1969 that caused over three million deaths. Other examples include the global financial crisis, the European debt crisis and the current war in Ukraine. These events do happen, and they are not infrequent. We have to understand the consequences of these events as they spread through different systems in society. One of the key lessons of the COVID-19 pandemic is that it is important to have a sub-framework tailored towards the risk assessment of emerging risks.
In this context, emerging risk has a particular definition. We are talking about risks that are known. However, we do not fully understand the short, medium, and long-term implications of these risks, their consequences, and their interaction with other risks. To efficiently allocate resources to deal with these particular risks it is vital to create an emerging risk sub-framework to identify, assess, quantify and represent the risks and communicate this internally and externally. This is one of the lessons learned from the COVID-19 pandemic.
One way to think about these particular risks is to map their consequences. The impacts of these risks spread through different systems in society and generate unforeseen effects. We need to think about the linked and compounded risks they create so that we can understand at what level our risk profile will be impacted. You can use that information to design insurance products to mitigate the consequences of those particular risks.
One way to think about these consequences is through a feed-forward cause-consequence analysis. Taking the COVID-19 pandemic as an example, it created an initial impact that was essentially a travel disruption. Then it created secondary risks: disruptions to certain services; disruptions to supply chains; reduced availability of personal protective equipment (PPE); and so on. These effects progressed through society, impacting, for example, the amount of available oxygen minutes in hospitals’ intensive care units (ICUs). We need to be able to map these consequences to understand the range of impacts an emerging risk can create.
When we frame risks as systems, we can also consider risk characteristics such as the velocity of the risk and the higher-order change over time. These characteristics can provide information about when a risk could shift from a normal to an extreme impact risk, for example. It is important to study and analyse these kinds of attributes so that we can understand these particular types of risks.
One last thing I would like to mention is that, to understand those risks, I believe we need to move away from discrete risk analysis. Taking war as an example, a conventional approach is to assess the likelihood of war and look at its discrete impacts. I believe we need to move away from that mode of thinking and instead think about risks happening concurrently. For example, last year, during the COVID-19 pandemic, there were floods in the Netherlands and in Germany. These two risks arose together and created unforeseen consequences. These types of concurrent risk events add more stress to portfolios and to enterprise risk management.
Ms Grewal: The third component is integration of enterprise risk management with business lines. When we talk about business lines, we refer to the revenue generating departments of an entity. In the paper, we talk about the considerations highlighted by the COVID-19 pandemic. The paper looks both at areas for improvement and brings out examples of successes. One example of success that I have seen is horizon scanning and how it was used to monitor COVID-19 as well as the subsequent government policies to limit the potential for business disruption. In my experience it is effective in many cases, although of course this will vary by region and industry. Another example of a success is how Lloyd’s of London converted to digital operation and, in terms of the day-to-day underwriting of risks, there was not substantial business disruption.
We have also identified areas where there could be room for improvement in Figure 3 and I can focus on a couple of examples.
Figure 3. Integration of ERM with business lines.
When the COVID-19 pandemic happened, in terms of quantifying exposures, many syndicates had to get people to manually go through contracts and read the contract clauses and exclusions. Some syndicates did have better data-recording processes in place and the industry is moving towards having technological solutions to remove those kinds of issues. However, there is still some uncertainty after you have collected that information around contract clauses and exclusions. There is still uncertainty around where the losses will be triggered as a result of emerging risk. The robustness of contract clauses is something to consider embedding within risk management considerations and communications. That is a theme that is touched upon throughout the paper.
Finally, I want to mention how behavioural biases need to be considered when thinking about how the COVID-19 pandemic impacted the effectiveness of an ERM framework. In Figure 3, I question whether the scale of the pandemic and its effect on business lines, and subsequent business strategy, was underestimated. I am referring to overconfidence bias as, while the COVID-19 pandemic was evolving, something similar had not happened before. In the paper we have some examples of behavioural biases and how they play out within an ERM framework.
Mr Habahbeh: The next component to consider is risk transfer. The idea behind the Black Swan working party is based on the fact that only 5% of U.K. businesses hold business interruption insurance. There are a few reasons for the low take-up rate. One is that businesses think a lot about urgent risks. For example, they think about buying insurance to cover against things that usually happen. They do not think about, for example, the impact of an event that could cause a government to take binary decisions, such as choosing to enforce a lockdown or social distancing measures.
We wanted to set up a working party to tackle that particular problem and come up with a structure that considers the risk profiles of different emerging risks. By emerging risks we mean extreme weather events, another pandemic, another geopolitical risk event such as the ongoing war in Ukraine, or another nuclear accident similar to the Fukushima nuclear accident, for example. We want to have a range of emerging risks, and understand the risk profile of each one, so we can try to establish risk-reflected pricing for those events, taking the different parties to the transaction into account.
To clarify, the insurance industry has been good at dealing with financial risks that can be modelled. Emerging risks cannot be modelled because there is a lack of historical data. In addition, it seems that one important assumption at this time is that the future will not be based on the past. The future trajectories or states of the world will be completely different to what we are experiencing now, or what we have experienced in the past. Therefore, it is important to think about exploring the different structures that can provide insurance against those types of events.
There are many avenues to explore. It could be, for example, based on a public-private partnership, whereby you have the government as the last backstop, or the insurer of tail risk. Perhaps we could explore a global solution whereby you have countries as policyholders. Each country could pay, for instance, a percentage of their GDP into a fund, which provides insurance or compensation when they face catastrophe. There are many ways to explore this. The aim is to structure something that is affordable, available, and relevant to the emerging risks we face.
Ms Grewal: The fifth component is data and technology resources. There are some obvious points around working from home capabilities and we look at these in the paper. I am going to bring out one of the more interesting updates that came from a volunteer who worked at a bank in Singapore. They were told that a paper was issued jointly by the Monetary Authority of Singapore and the Association of Banks. The paper was issued because banks were having to adopt a remote working setup due to the COVID-19 pandemic. The paper urged senior management to improve their risk management resilience and it provided a lot of material on best practice for this kind of risk management. It is useful and interesting to compare this with my own experiences working in general insurance in the U.K. where there was regulatory intervention and support, but of a very different nature. This example demonstrates the power of having a truly diverse volunteer workstream.
Mr Habahbeh: Risk analytics is the sixth component. Some of the major issues during the COVID-19 pandemic were due to the specific nature of the pandemic and due to government intervention. We have talked about the binary decisions that governments needed to implement, and how these binary decisions impacted firms’ risk profiles and risk metrics at the portfolio level. The scenario analysis, stress testing, reverse stress testing and regulatory capital metrics did not really capture the discontinuity that occurred in March 2020, when the U.K. government enforced a lockdown. Therefore, we need to think about scenario narratives. What we mean by scenario narratives is that we need to consider sociological, behavioural, financial, economic and psychological aspects when dealing with events that can have impacts with unpredictable direction and unknowable magnitude. For example, from a public concern point of view, the dread factor for different types of risks is different. Death from radiation versus death from the flu has a different dread factor, and that has an impact on the behaviour of the population when they are faced with these particular catastrophes. We need to create those narratives in what we call scenario labs. The risk metrics must include some form of regime shift. This means that the value at risk metrics, the stressed value at risk metrics, or the expected shortfall models that banks use to quantify the market or credit risk in trading portfolios, are based on historical data that is calibrated to 300 or 500 days’ worth of data. That does not really tell us much, even if you calibrate your stress value at risk to a period of excessive market stress. For example, even using the 2008–2009 financial crisis period didn’t capture the immediate discontinuity resulting from the COVID-19 pandemic, or the after-effects of it.
We need to come up with models that reflect this regime shift. Under normal market conditions the models will work in a particular way when there are particular indicators. For example, we can consider the velocity and higher order time change of different variables or indicators. When these indicators start flashing red, we shift to an excessive market stress regime. These are some of the important issues to explore moving forward, particularly when we are thinking about extreme emerging risks.
Ms Grewal: The final component is stakeholder management. This component is concerned with meeting stakeholder expectations, communicating adequately and reporting risk information to key stakeholders appropriately. This component was interesting because we had lots of discussions with volunteer workstream members who were based abroad. There are obvious points here relating to customer-employee retention that I won’t dwell on. I could mention the talent crisis, and I have already touched on the great resignation. Instead, I am going to briefly touch on adjusting to accommodate regulatory changes.
The obvious example here, if you are familiar with the U.K. market, is the COVID-19 claims case that went to the Supreme Court. Another example that was provided by one of the volunteer workstream members was the action taken by the Saudi Arabian Monetary Authority. The authority issued a declaration that all retail motor insurance policies were guaranteed an extension of two months for free. This was argued to be appropriate because, due to lockdowns, insurers were enjoying lower exposure levels as policyholders were driving less. The authority wanted to make sure that the benefit seen by the insurers was passed on to the policyholders. This was an interesting piece of regulation to hear about, and the volunteer suggested that this was a very sudden and unexpected intervention for that market in question. Similar actions were taken across other global markets and courts ruled in favour of policyholders in a number of different geographical regions. The question I pose here is whether enough preparation has been done, alongside building up ERM framework resilience, to ensure that unexpected regulatory intervention doesn’t cripple a business.
Stakeholder management was the seventh and final component. This leads us to touch on the case studies included in the paper. These case studies are not meant to capture the complete international scope. The purpose of this work scheme was to collate experiences and relay them back as food for thought.
The first case study focuses on capital model completeness. The scope of this case study rests entirely on solvency for internal capital models, as you would find within the Lloyd’s of London environment. Pandemic risk events feature on many risk registers and would have done so even prior to the COVID-19 pandemic. As part of the operational risk parameterisation processes, pandemic risk events would have been captured within capital models, albeit at a very high level. The COVID-19 pandemic made us question whether these high-level allowances were adequate, especially when we look at the potential for future pandemic or shock events. To provide some context for those who are not familiar with capital modelling, particularly within the Solvency II environment, there were certain elements that were underestimated, and a good example of this was the secondary impacts. The widespread lockdowns, and the subsequent global economic downturn after the COVID-19 pandemic, constitute secondary impacts. These impacts triggered losses across many different risk types. What that highlighted was that a systemic risk, or a shock event, has the potential to trigger losses that are not insignificant. There were concurrent losses related to, for example, investment return risk, operational risk, premium risk, reserve risk and so on.
As well as a syndicate’s own risk processes, the regulator provided fairly strong direction. There were rumours of suggested loadings that would have been applied to capital if prioritisation was not loaded, or COVID-19 was not adequately allowed for. Many syndicates did update their capital model parameters. This may have been through altering distribution parameters or loadings, increasing correlation assumptions, stressing ESG assumptions, and so on. Capital model parameters were changed in a variety of ways in light of the pandemic unfolding.
The point I am trying to make in this capital model case study is that many of these parameterisation loadings were slowly unwound as COVID-19 experience became better understood. Capital models, by definition, are meant to help quantify the 1 in 200-year risk measure. The question I have posed is whether we should be allowing for a more general, widespread, systemic risk event more broadly, especially if we are expecting the frequency of these very high impact events to increase over time. My argument is that surely we should be allowing for general systemic risk events more broadly and not just reactively.
Mr Habahbeh: The second case study we want to discuss is titled “Acts of God.” For historical reasons the legal systems in the U.K. and Jordan are quite similar. For context, the way banks in Jordan operate is that they give out loans. These are personal loans, credit card loans, car loans, mortgages and so on. When they give out these loans, they insure against the default of the underlying obligor with local insurance companies. As a result of the COVID-19 pandemic, and because of government policy, a lot of these obligors defaulted. When the banks started labelling these events as 'COVID related', the insurance companies could not make the full payments, so the banks stopped labelling them as 'COVID related.' As the COVID-19 pandemic is considered to be an Act of God, the insurance company is not responsible for the liability. We wanted to ask 'What is the definition of an Act of God in the English legal system?' We settled on the definition given in Figure 4.
Figure 4. Acts of god.
What is interesting about this definition is the phrase 'these events are directly and exclusively without human intervention.' This begs the question – what about climate change, for example, where the major cause is human action?
Where does the definition fit in the picture of pandemics? Scientists are saying that 1.7 million known viruses exist. They can jump from animals to humans, and the impact could be orders of magnitude greater than the current COVID-19 pandemic. There is a relationship between the environment and those viruses. Where does that fit into the definition that Acts of God are 'directly and exclusively without human intervention'? I think it would be quite interesting to dig deeper into this, to see the legal interpretation of the words “directly” and “exclusively”, and consider the real meaning of “without human intervention”. The second part of the definition says that an Act of God 'cannot be prevented by any amount of foresight, pains and care.' Currently, we are working on a global pandemic modelling institution and we are looking at carbon capture. We are intervening to minimise the impact of human intervention on the environment. Is the definition of what constitutes an Act of God still valid in these contexts?
Ms Grewal: I will now hand over to Madhu (Acharyya) who is going to provide an update on the academic research he is undertaking around assessing effectiveness. In light of the COVID-19 pandemic, assessing the effectiveness of ERM frameworks is not trivial, and constitutes its own research field.
Dr M. Acharyya: I will present the findings of my research study on the effectiveness of ERM. In particular, I will focus on a model to measure the performance of ERM with a combination of financial and non-financial variables, such as ESG variables.
Within an organisation, ERM is viewed as a management function, not a direct profit-generating function. It can be compared with companies’ research and development functions. ERM covers all key significant risks, including emerging risks. It combines them in a framework that includes risk modelling, governance and risk reporting. It is very hard to measure the performance of ERM in monetary terms.
Our research takes a very narrow focus of managing the value of ERM. We have two aims. The first is to examine whether ERM adds value to a firm. The second is to investigate the significant factors that influence the helpfulness or effectiveness of ERM. In the literature there are two types of performance metric. The first type is derived from accounting-based measures, for example return on investment (ROI). The second type is derived from capital market-based measures, for example market to book value ratio, Tobin’s Q (the ratio between the market value of the lead assets and the replacement value of these lead assets), economic value added (EVA) and market value added.
During this study, we used the capital market-based measures as variables to measure the performance of ERM, in particular Tobin’s Q. We developed and tested two models. The first model is a multivariate linear regression model, set out in Figure 5, to estimate the effect of insurers adopting ERM implementation on the value of the Tobin’s Q.
Figure 5. Multivariate linear regression model.
The second model is a logistic regression model to determine the significant factors that influence ERM adoption. We ran both models in two phases. In the first phase, we regressed both Tobin’s Q and ERM adoption against only financial variables. In the second phase, we added non-financial variables, such as ESG variables. The financial variables are company size (for which we took the logarithm of the value of total assets), market capitalisation, revenue, profit and loss and other similar variables. The non-financial variables are the environmental disclosure score (0 to 100), social disclosure scores, and other social variables like number of employees, social supply chain management, corporate responsibility and governance disclosure scores.
From the first model, only using the financial variables, we found that ERM implementation creates positive value for the firm’s performance. As the firm adopts ERM, Tobin’s Q is increased by 3.68%. Using the reduced variables it is increased by 3.75% if they adopt ERM in the framework.
Modelling using both financial and non-financial variables, we noticed slightly better results. If we include the ESG variables, Tobin’s Q is increased by 5.21% with the full model and 5.02% with the reduced model. This means that if we include both financial variables and non-financial variables with the ERM framework then the efficiency or effectiveness of ERM increases. From this, we conclude that ESG plays a vital role in the effectiveness of ERM. Thereafter, we use the second model (the logistic regression model), to determine the significant factors that influence adoption of ERM. We regress the ERM score, which can be 1 or 0, depending on whether the insurers adopt ERM implementation. The score is 1 if the insurer adopted ERM and 0 if ERM is not adopted. We noted that company size was a significant predictor of ERM adoption.
In addition, the effectiveness of ERM increases if the company size increases. This indicates that the larger the insurer is, the more likely they are to engage in ERM adoption. This is not surprising. The insurers that adopt ERM are more likely to produce a higher return on assets (ROA). That is also a good result. Interestingly, we found that the insurers who did not adopt ERM produced a higher return on equity (ROE) compared to insurers that engaged with ERM. This indicates that shareholders may not value the management initiatives of adopting ERM.
Another interesting result is the negative relationship between the loss ratio and ERM adoption. Again, this favours the shareholder perspective. Not surprisingly, only one non-financial, ESG factor (social disclosure) was found to be significant and positively related to ERM adoption. This means that ESG was not adequately integrated with the insurer’s ERM adoption from the shareholders’ point of view. This is a very interesting result but there is a caveat. We conducted this study several years ago, around 2015, and subsequent and future data may behave differently. Going forward, we intend to broaden the study and include the impact of COVID-19 on insurers’ ERM components.
We plan to conduct an event study to investigate the performance of ERM adopters during the COVID-19 pandemic. We will divide the COVID-19 period, between 2020 and 2022, into three windows, as seen in Figure 6. We will also investigate the performance of the insurers with ERM scores that are captured in this study, compared to the pre-COVID-19 period, which is before 2020. This will help us to see if ERM performs better in normal or abnormal times.
Figure 6. Results and interpretation.
Mr Habahbeh: Moving on to our next steps and future work, I want to talk about the kind of work that we need to do to better understand and anticipate extreme events. We need to develop a new approach and theory for extreme risk analysis that looks for new statistical methods and irregularities in the data and creates scenario narratives that take into account a multitude of impacts generated by those particular risks. For example the economic and financial impacts, the behavioural aspects and the psychological and sociological factors. In addition, we have to push for more sharing of information and collaboration with scientists and practitioners. This will enable us to have a better understanding when we talk about setting the emerging risk assumptions and judgments. We also need to create horizon-scanning systems and systemic procedures for early warning of possible events.
One issue that we need to work on is that we tend to think in terms of the likelihood of these events. This can be a bit misleading. We need to focus on understanding the drivers of the risks.
We know that the risk can manifest because of known and unknown causes. We need to be able to understand the drivers of the risk and which causes make the risk more likely to manifest. If we frame risk in terms of a risk system, we also need to do research to understand the other aspects or attributes of those particular risks. For example, their velocity, their acceleration, the tipping points at the risk system level and the risk component level, and the cycles that exist within the risk system. Over the past decade or so, we have had a nuclear accident, a war and two financial crises, one in Europe and one across the world. Now we are dealing with the COVID-19 pandemic and another war. These types of events happen regularly. When we think about risk registers, maybe we can start to think in terms of likelihood and impact and consider if we need to have more detailed assessment of the impacts. We could potentially also include other dimensions such as resilience and capabilities.
Now we move to the question and answer session.
Question: There was mention of a Supreme Court case, could somebody go back to that in a bit more detail?
Ms Grewal: This was to do with business interruption claims. Six to eight insurers were involved in a Financial Conduct Authority (FCA) test case. It was based around seeking clarity about whether certain non-damage business interruption policy wordings applied to losses. Lockdowns caused widespread disruption and insurers were arguing that their contracts did not cover those losses. The Supreme Court did rule in favour of policyholders and there was widespread media coverage that resulted in reputational damage for the insurance industry. There is more detail in the paper.
Question: You referred to capital modelling implications of extreme risks like the COVID-19 pandemic and you suggested that maybe the way in which we build capital models using historical data might not completely capture extreme event characteristics. Do you have an idea of how we might do that better?
Ms Grewal: I touch on this in the paper. We can consider how events not included in historical data are included in parameterisation at the moment. For example, if you are looking at underwriting risk distribution and you think that the tail, or a part of the distribution, isn’t adequately being allowed for, you prop it up with an event that you deem not to be in the data but that could feasibly occur. With capital, you are setting a 1 in 200-year risk measure so you do top it up with events not in historical data. This is why I pose the question of whether there should be a more generic, systemic risk distribution allowed for in capital models. You’ll see that there are some entities that do this, albeit perhaps not for pandemic risks or systemic risks, to allow for things such as far-reaching cyber-attacks, for example. This would be a general systemic risk distribution that simultaneously triggers losses within risk types but also across risk types, and that could allow for events that are otherwise missing from the calibration processes. It is allowing for shock events much more holistically in capital models, rather than including events in the model as they happen, and taking the allowances out as the impacts dissipate.
Mr Habahbeh: Capital add-ons could be a way forward. Basically, make additive adjustments to the existing models that you use to quantify your market, liquidity and credit risks. One way is to map your scenario narratives into monetary terms, for example, to see how your capital is affected by these particular scenarios and simulations. It is important to remember that, sometimes, the cost associated with those particular events can exceed the total premium collected, or even the market capitalisation of the whole insurance industry. Take the U.K. as an example. The cost from the pandemic is about £500 billion. The total market capitalisation of the insurance industry in the U.K. stands at about £3 trillion. That is why we need government intervention. No insurance company, and no insurance sector, in any part of the world, can deal with those kinds of events on their own.
Question: Is the problem here that you can have the same event not appearing in multiple data sets? In other words, this is an operational risk, but it is not in that data. Similarly, it is a market risk, but it is not in that data, and it is an insurance risk, but it is not in that data. We can adjust each of those, but what we have missed is that it is the same event. Therefore, when you correlate your risk drivers with anything less than 100%, you have not made the full allowance that you might have intended to.
Ms Grewal: That is a perfect summary. The idea of a general systemic risk distribution that simultaneously triggers losses is to counter that issue. When the COVID-19 pandemic happened, some syndicates saw themselves being hit in terms of investment return risk. Their investment returns were much lower than expected, and the global economic downturn changed their forecasts when it came to economic scenario generators as well. They could also see that there was increased operational risk because everyone was working from home. There was also an increased risk from the differing classes of business within premium risk, as well as the reserve risk implications. There was also uncertainty around reinsurance and around whether or not recoveries would happen. This was all being triggered by the same event, so the idea of allowing for pandemics or shock events adequately in capital models is all about capturing that simultaneous triggering. It is all about capturing it as one true event, not one small event that can be diversified away when you are calculating your capital.
Question: There are probably two ways of addressing a modelling challenge like that. One which you might call ex ante – to try to get your inputs right. The other one is ex post. This would be to make the adjustments to the model and see from the outputs if the 1 in 200-year loss generated is big enough to cover the known impact of a specific event. Back-testing validation is another way to tackle that. In your analysis of how ERM is adding value, you said that company size was a factor. How do you decide which variables to analyse? Could there be some compounding going on?
Dr Acharyya: We use a technique that highlights the variables that are most important. When we have the full model that includes all variables, we see which variables we can ignore. We consider the difference between two models, one with and one without the variables that we consider unimportant, and if the model outputs are similar that means that those variables do not have a significant impact.
With your previous question, one of the important things for ERM is the diversification benefits. This is very important because we cannot model every weakness in isolation. One of the important things that is challenging for ERM is to re-group things and see what the effects are, which basically accounts for the correlation.
Question: Can you talk a bit more about how the event study on the COVID-19 specific impact is going to be structured?
Dr Acharyya: We have looked at ERM from 2000 and beyond, and we want to see whether the established patterns continued during the COVID-19 pandemic. We divided the COVID-19 pandemic into three periods. The first is the crisis moment, which is the first few months of the first year. It then reaches recovery mode, and then business as usual. For example, in the crisis moment, we might consider the lockdown and how it impacted on organisations. The recovery period includes the period of vaccinations and in the final, business as usual period, there are no lockdowns. We tried to see in which phase ERM works best. ERM does not allow business as usual during the crisis and recovery periods, but it can make the crisis response better.
Question: In a competitive market, how do you increase prices for the Black Swan risks, especially if you are the first to try? Is the solution always going to be to transfer the risk back to the customers or to the government?
Mr Habahbeh: When you are dealing with those types of risks, there are always different parties to the transaction. As I said before, the losses that are generated by these particular events can sometimes exceed the premium collected, or even the market capitalisation of the whole insurance industry. Therefore, we need a backstop. We need an insurer of last resort for the tier of the particular risk. Therefore, the Black Swan insurance product can take these aspects into account when designing the particular products.
Question: You spoke in your presentation about analysing risks discretely or by system. What do you think is the essential difference between a discrete view and a system view?
Mr Habahbeh: When you think in terms of risk systems, you have to consider events that happen concurrently. The consequences of the impact can propagate in the system from two different linked risks. For example, last year the world was still dealing with the COVID-19 pandemic and vaccine rollout. Suddenly, we had flash floods in the Netherlands and Germany. These were two separate events, but they arose together. This amplified their consequences. When you think about these discretely you can think about the likelihood of another COVID pandemic happening over the next five years, let’s say for a one year capital horizon, because that’s how banks set their capital. You need to forget the likelihood assumption and start thinking about consequences, because when you think about a discrete risk, the likelihood is immersed in uncertainty. These are high-uncertainty risks because we do not have sufficient data to robustly make a conclusion about their likelihoods. Therefore, we tend to focus a lot on the likelihood and put these particular risks at the bottom of the risk register. You do not pay attention to them, but when they do happen, they tend to dominate the calculation of total risk through their impact. Therefore, when you think in terms of systems, you have to think about these risks happening concurrently. You have to consider the consequences, the linked and the cascading higher-order risks, and see the range of paths, how the risks might manifest, and understand at each level how your risk reacts.
Question: It sounds like a reverse stress-testing regime. The question is, what can we survive as an organisation and, if things get as bad as that, what can we do to improve our survivability? You said that we should forget the likelihood assumption as something that bad is going to happen sooner or later. Are we ready for the impact?
Mr Habahbeh: Every day, you have a chance of an emerging risk happening, and a chance of it not happening. That is the best you can do. You have to plan for it.
Question: We have set out quite clearly the ways in which firms and industries, particularly in insurance, need to strengthen ERM with regards to the lessons learned from the COVID-19 pandemic. What can actuaries do to help?
Ms Grewal: Over time I have gradually gone into more commercial roles. My role is all about understanding events and appreciating the impact they could have on business strategy, not only in the short-term, but also in the medium to long-term. It is about making sure that we are the ones challenging the business strategy, and not just relying on senior management to do that without the skill set that we bring to the table.
Dr Acharyya: I am not an actuary, so I see ERM from an external point of view. ERM is not just about capital management or modelling, it is about broader issues and it is about management. Actuaries can help other organisations to not view ERM from a narrow or measurement perspective. It is a management tool that brings together corporate governance, reporting and other areas.