Hostname: page-component-78c5997874-ndw9j Total loading time: 0 Render date: 2024-11-10T22:36:23.478Z Has data issue: false hasContentIssue false

COVID-19 and the effectiveness of ERM frameworks

Published online by Cambridge University Press:  22 November 2022

Jasvir Grewal*
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Lawrence Habahbeh*
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Madhu Acharyya
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Rajeev Aravind
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Shivash Bhagaloo
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Margaret Carey
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Clarence Er
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Konrad Farrugia
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
Kam Leung
Affiliation:
Research Project, Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM Workstream, Presented to the Institute & Faculty of Actuaries
*
*Correspondence to: Jasvir Grewal, E-mail: jasvirgrewal@yahoo.com; Lawrence Habahbeh, E-mail: TawqAlMakhater@pm.me
*Correspondence to: Jasvir Grewal, E-mail: jasvirgrewal@yahoo.com; Lawrence Habahbeh, E-mail: TawqAlMakhater@pm.me
Rights & Permissions [Opens in a new window]

Abstract

Type
Sessional Paper
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
© Institute and Faculty of Actuaries 2022

1. Introduction

1.1. Aims and Terms of Reference

The Institute and Faculty of Actuaries’ (IFoA) COVID-19 Action Taskforce, also known as ICAT (Institute and Faculty of Actuaries, 2021), was established in 2020 and is responsible for leading and coordinating the IFoA’s response to the coronavirus crisis. ICAT consists of nearly 93 workstreams covering topics relevant to finance and investment, general insurance, health and care, life, pensions, resource and environment and risk management.

This paper reports the work undertaken by the first Risk workstream looking specifically at Enterprise Risk Management (ERM) frameworks in the context of the COVID-19 pandemic. This workstream aims to provide insight on areas of ERM relevant to actuaries and risk professionals within a variety of different industries including the insurance (life and non-life) and banking industries.

The purpose of this research paper is to explore enterprise risk management lessons that can be learned from the COVID-19 pandemic in preparation for potential future pandemics, as well as other “grey rhino” or “black swan” events. This paper is not intended to be an all-encompassing solution to the issues presented by COVID-19; rather, the content has been provided to help drive discussions regarding how risk management processes may need to evolve in line with the dynamic nature of the underlying risks that they sometimes need to capture.

Furthermore, in many places throughout this paper, the reader will encounter the opinions of the authors rather than any prescriptive guidance; this paper is not intended to be original research or prescriptive risk management guidance. Rather this paper collates the experiences of the group of authors, who between them have diversity of experience, background and perspective.

Each entity’s risk profile and risk management framework will be different. Similarly, the lessons learned by each entity from the COVID-19 pandemic will also differ and the reader is encouraged to tailor any suggestions made in this paper to the context that is relevant to them.

2. Background

Our society faces a wide range of systemic risks. From the ongoing COVID-19 pandemic and its variants, to extreme weather events, geopolitical risk arising from the ongoing war between Russia and Ukraine and severe solar storms, we face constant external threats that have the potential to reap catastrophic damage. Systemic risks, when they do manifest, tend to cause common consequences as they cascade through many sectors of society, and their effects are felt across multiple dimensions such as human welfare, economic damage, disruption to essential services, environmental damage, behavioural impacts, and potential impacts on national security and international relations.

The ongoing COVID-19 pandemic was first identified in December 2019. The pandemic had a disruptive impact worldwide with severe economic repercussions. There are ongoing debates whether the pandemic is a “Black Swan”Footnote 1 or a “Grey Rhino”Footnote 2 using terms coined by Nassim Nicholas Taleb and Michelle Wucker respectively (see, e.g. the opinions given in the articles under references (Scheurwater, Reference Scheurwater2020; Fast Company, 2020; Michele, Reference Michele2020) and (Psychology Today, 2020)). The COVID-19 pandemic is an extreme emerging risk. These risks are known, but the full extent of their consequences and their interaction with other risks is not yet fully obvious. Emerging risks are generally seen as deadly surprises whose likelihood is difficult to estimate, and they can turn society upside down in a matter of days or even minutes.

It is widely acknowledged that there will be future pandemics and that a global approach will be required to effectively combat such risks; see, for example, statements made by the World Health Organisation (WHO) (World Health Organisation, Reference Baudino2020) and the UK Government (Prime Minister’s Office, 2021). Furthermore, it is also acknowledged that, “without preventative strategies, pandemics will emerge more often, spread more rapidly, kill more people, and affect the global economy with more devastating impact than ever before” (Intergovernmental Platform on Biodiversity and Ecosystem Services, 2020). In this discussion paper, we present a range of views from actuaries and risk specialists across different geographies on the topic of ERM and COVID-19. It is hoped that the discussion and views will invite more global engagement on these issues.

3. Definition of ERM & ERM Frameworks

There are multiple definitions of Enterprise Risk Management (ERM) available, and it is not within the scope of this paper to explore their many variations and nuances. The definition given below provides an example (Canadian Institute of Actuaries, 2021) which can be used when considering the context in which this paper operates.

Enterprise Risk Management (ERM) is a process by which an organisation identifies, monitors, and manages its risks, with the goal of increasing value for their stakeholders.

There are also several proposed ERM frameworks available; the COSO (COSO: The Committee of Sponsoring Organizations of the Treadway Commission, 2021) and ISO 31,000 (ISO, 2021) are two well-known examples. This paper separates its discussion points based on Lam’s 7 ERM components (Lam, Reference Lam2014), which provide a useful high-level categorisation of the important factors in an ERM framework.

In the following 7 sections, this paper considers each of Lam’s 7 components in turn (as shown in Figure 1) and explores whether COVID-19 has provided any insights into how ERM improvements could be adopted to better prepare for any future pandemics/emerging risks.

Figure 1. Lam’s 7 ERM components.

The authors appreciate that there are a number of alternative ERM frameworks. It is not within the scope of this paper to provide literature reviews or comparisons for these alternatives; this paper structures conversation points around Lam’s framework as it provides a useful and easy to follow structure for readers.

4. Portfolio Management

4.1. Importance of Portfolio Management in ERM

An important aspect of portfolio management is the process of assessing the effectiveness of the ERM framework at the portfolio level. In the context of the COVID-19 induced market stress event, it assesses the elasticity and effectiveness of existing ERM frameworks to different stages of the evolution of the pandemic curve (early development, acceleration, late accumulation, and recovery).

The portfolios can represent portfolios of assets on insurance balance sheets backing up liabilities, such as annuity liabilities, or portfolios held for trading on banks’ balance sheets. The latter cover a wide range of risk factors and instruments These range from simple vanilla products such as corporate and sovereign bonds, equity, foreign exchange, credit products, infrastructure investments, real estate, private equity placements, and various derivatives transactions used to hedge or take a directional bet to different risk factors and markets across a range of geographies.

Emerging risks or low probability, high consequence events such as pandemics, extreme weather events, cyber-attacks on critical infrastructure are known risks, but the full extent of their immediate, short and long-term implications and their interaction with other types of risks are yet not fully understood. Emerging risks are characterised as “systemic” in nature because these risks are concurrent and diversified and have the potential to cause a system-wide breakdown or significant disruption to man-made economic, financial and security systems supporting our way of life.

Similarly, each of these events is called an “extreme” risk event because they are “rare,” that is events that are generally seen as deadly surprises, happening outside everyday experience, and their likelihoods are difficult to estimate. Hence, they are perceived by banks and the insurance sector, retail, and commercial investors as important but not urgent risks due to their very low likelihood of occurring over the regulatory capital planning horizon.

Furthermore, emerging risks pose key challenges to the processes of risk assessment and risk planning because, by their very nature, these events occur only infrequently. Therefore, effective enterprise risk management frameworks should ensure ongoing review and improvements to existing structures by creating an emerging risk sub-framework. This should account for “emerging risk identification” – identifying, assessing, quantifying, representing, and communicating those types of risks and their inherent uncertainties to ensure firms minimise the strategic shocks associated with disasters that arise from these types of events.

In an article published in the Global Association of Risk Professionals, James Lam cautions against the “new normal,” where disruptive risks, of which COVID-19 is one, are no longer events that only happen once in a hundred years. Lam lists technology (artificial intelligence, blockchain, and the Internet of Things), cyber security, climate change and geopolitical events as areas to watch. Experts are encouraging risk managers to use this time for a risk management reset of sorts – they are advising them to re-prioritise risks.

4.2. Enterprise-Wide Risk Management

The objective of Enterprise-wide risk management (EWRM) is to report on a regular basis the magnitude of selected risks across the entire company under normal and extreme risk scenarios to senior management. Therefore, EWRM is a process for systematic identification, measurement, reporting and monitoring of different exposures a company faces, across all its geographic operations and businesses. As the list of potential exposures is practically infinite, judgement and understanding of the company’s business will be required to define the list of risk factors and the dynamic risk profile that will be captured within the EWRM risk register system and reported regularly.

For example, the key risk components of EWRM for the banking sector could include the following:

  1. 1. Emerging strategic risks

  2. 2. Climate change risk

  3. 3. Geopolitical risk

  4. 4. Market & ALM Risk

  5. 5. Credit risk

  6. 6. Regulatory risk

  7. 7. Operational risk

  8. 8. Cyber risk

4.2.1 Pandemic risk and business continuity planning

Operational risk planning for pandemics exhibits distinct differences compared with traditional business continuity planning (BCP). A pandemic is global in nature, and the frequency and duration occur in multiple waves. In contrast to natural disasters and malicious activity, which are often specific to a particular geographic region or facility (i.e. their occurrences are limited in scope and duration), effects of a pandemic are more difficult to plan for, as they can occur globally and in multiple waves. Financial institutions should have adequate plans to continue operations during a global pandemic such as COVID-19. To address the unique challenges posed by a pandemic, the financial institution’s BCP should feature a documented strategy that provides for scaling the institution’s pandemic efforts, so they are consistent with the effects of a particular stage of a pandemic outbreak, such as the 6 intervals described by the Centre for Disease Control and Prevention (CDS) (Pandemic Intervals Framework, 2016), shown in Figure 2. The strategy will also need to outline plans describing how to recover from a pandemic wave and proper preparations for any following wave(s). Moreover, the strategy should have a testing and an oversight programme to ensure that the organisation pandemic planning practices and capabilities are effective and will allow critical operations to continue during a pandemic.

Figure 2. Centre for Disease Controls and Prevention pandemic intervals framework (Pandemic Intervals Framework, 2016).

4.3 Portfolio Management

The portfolio management review covers all major risk management responsibilities to assess the activities, risks, concentrations and risk management approach and effectiveness of EWRM frameworks over the lifetime of the pandemic cycle.

Portfolio review key considerations

  • Assessing the effectiveness of the firm’s emerging risk framework.

  • Understanding the behaviour of the firm’s risk profile in the context of COVID-19 induced market stress and development.

  • Explanation of the firm’s risk profile generated prior, during and post-COVID-19 lockdown based on the CDC (Centers for Disease Control and Prevention, 2021) definition of pandemic cycle, highlighting the main risk and profit and loss (P&L) drivers and their evolution over the pandemic cycle.

  • Explanation of how the main risk drivers evolved during the assessment period and how regulatory market, credit, operational, and liquidity capital models responded to the COVID-19 disruption. These include: value-at-risk (VaR); stressed value-at-risk (SVaR); credit value adjustment and potential future exposure metrics for counterparty credit risk metrics (CVA/PFE); incremental risk charge metric (IRC) to capture the outright default and migration risks of credit exposures in the trading book; sensitivities (Greeks); liquidity measures such as net sufficient funding ratio (NSFR), and liquidity coverage ratio (LCR).

  • Explanation of back-testing results (hypothetical and clean P&L) to demonstrate whether the employed models are adequate.

  • Explanation of the drivers of the actual P&L relative to COVID-19 induced market conditions and the approved P&L year-to-date budget

  • Assessment of the operational robustness of the respective risk reports and risk systems.

  • Assessment of the business adherence to their approved risk limits and products, highlighting material violations.

  • Update on any issues faced during the pandemic.

  • Assessment of the effectiveness of the business continuity strategy and any specific strategy for pandemic planning, or more generally extreme emerging risks

  • Conclusions and outlook on expected new business activities and expected COVID induced market developments.

4.4. Summary

Emerging risk identification is complicated due to their rare and conjectural nature, and their potential for causing impacts beyond everyday experience. Thus, a review and improvement of ERM frameworks should consider a system level view of multiple hazards and risks, taking into account that the current practise of assessing discrete emerging risks is ineffective because of the interconnected nature of many of these risks and the common consequences they create as they rip through society. By incorporating emerging risk identification and analysis, to ensure that emerging risks are identified, analysis should focus on the full range of direct casual events that might produce a series of linked effects and risks.

Therefore, ERM frameworks should devote a section to emerging risks identification and assessment, with the following key areas suggested when considering the portfolio management component within the context of an emerging risk framework:

  1. 1. Adopting a clear definition of emerging risks over short, medium and long-term horizons, with a full range of possible emerging risks from the insignificant to the catastrophic, with more urgency around the definition of systemic risks.

  2. 2. Recognising at senior management level that emerging risks need explicit management and they need to be considered from a holistic system-based multidisciplinary approach and view of systemic risks.

  3. 3. Have processes in place for the systematic identification of emerging risks that are considered improbable, or unlikely, and have a sub-framework for understanding, assessing, pricing, modelling and mitigating emerging risks.

  4. 4. Understand the correlations between risks, whether they are all white swans, all grey swans all black swans or a combination of all types of swans

  5. 5. Augment the use of historical data to map future events, with the use of artificial intelligence and predictive analytics to forecast ahead, using the enormous amount of data that are currently available to prepare for unknown or known events as they happen in the future, as opposed to waiting for the event to happen and acting to mitigate the consequences.

  6. 6. Conduct a descriptive approach to risk assessment, both in terms of impact and likelihood, based on Renn’s (Ortwin, Reference Ortwin2008) system of risk categorisation and evaluation using the 1999 annual report of the German Advisory Council on Global Change (WBGU, 2000). Renn distinguishes three main categories of risk management: science-based, precautionary, and discursive.

  7. 7. Quantify the uncertainty in the decision-making process and reduce “epistemic risk” (Parascandola, Reference Parascandola2010) – the risk of being wrong.

  8. 8. Think of effective ways of representing the risks, such as the system developed by Renn using nine indicators such as reversibility, persistence, likelihood and impact to provide a more in-depth representation of emerging risks. Renn distilled these nine criteria into six genuine risk classes and assigned them names from Greek mythology.

  9. 9. Manage the risks by building, developing, and maintaining mitigation capabilities to mitigate the impact of such risks.

  10. 10. Develop strategies to communicate the risk to senior management in a timely manner, taking into account the importance of using the correct vocabulary when explaining emerging risks

5. Corporate Governance

5.1. Importance of Corporate Governance in ERM

How leadership models must remember key tenets to navigate the new normal

The subject of effective corporate governance and, more specifically, effective corporate risk management is by no means new. Since the early 1990s the topic has gathered momentum, particularly on the back of large-scale corporate failures that drew attention to the lack of adequate oversight and controls.

Examples of failed leadership at board level are not rare. Principles that should govern effective decision-making at the highest level (discussed throughout this section) have not changed and are extremely important to remember during the new normal of a COVID-19 world. Such extreme events create change, which should be navigated with clear decision-making responsibility. The ability for businesses to adapt effectively and quickly to the norms of working from home, exponentially growing cyber threats, increased economic uncertainty, interrupted supply chains, climate change and many others requires forward thinking stewardship by company boards and senior management.

The recently published World Economic Forum white paper on Integrated Corporate Governance (World Economic Forum, 2020) calls for, amongst other things, a shift in the models of corporate governance from the traditional shareholder centric focus to a wider stakeholder considered approach. As noted in the paper, “business value creation beyond the near term is increasingly dependent in the 21 st century upon a rigorous understanding and active management and governance oversight of these risks and opportunities.” This is an opportunity for boards to rethink strategy and capital allocation in a way that reflects a more sustainable long-term view.

Further, this is also an opportunity to remind ourselves of the key principles of corporate governance and its place within an overall enterprise risk management (ERM) framework. Whilst by no means exhaustive, the discussion below is intended to highlight key areas of consideration.

  1. 1. Risk appetite and risk policy

Potentially one of the most important questions a board should ask of itself is ‘How much risk are we willing to take for the strategic goals we want to achieve? In these times of shifting risk exposures, the actual risk profile that a company in any industry is facing is under transformation. A primary focus of effective corporate governance should be to assess whether a company is exceeding its risk appetite and risk tolerances.

The creation of this risk appetite statement and its translation into suitable risk limits at an operational level is critical. Boards must ensure that a suitable risk philosophy is developed with associated roles and responsibilities assigned, together with reporting and monitoring processes. This must occur in collaboration with the business units who are more often better placed to understand the situation on the ground.

Boards should develop a suitable risk policy that captures this ‘risk identity’ and ensure that all strategic decisions are made through consideration of this appetite. Value creation should occur only within the confines of these tolerances, in order to ensure the sustainability of the company over the long term. The intention behind such policies is to ensure that capital allocation is aligned with the risk characteristics defined by the board.

  1. 2. Organisational structure

The structure of boards, particularly within which an effective ERM framework is deployed and managed, plays a key role in their success. The establishment of a formal risk management function led by someone suitably qualified is usually a key requirement of banking and insurance regulators, who mandate the independence of this function in executing its operational responsibilities and reporting to the board. In less developed regions, compliance and internal audit are sometimes substituted for this function but this is likely to be unsuccessful over the long term.

Board risk committees are now commonplace and are essential in ensuring that the risk policies of the company are implemented appropriately and that areas of increased exposure are highlighted and remedied with minimum delay. Board approved executive and employee remuneration packages that incentivise and reward good risk management practice are to be encouraged. Ensuring that risk is a tangible target that CEOs and other executives are assessed against will support the creation of a culture of risk at the top, which will then hopefully spread across the organisation.

COVID-19 has increased the prominence of the risk committee. More attention is necessary on the quantification of low frequency, high severity risks so that the Board is accurately able to understand its exposure and the resulting effectiveness of risk mitigation strategies.

  1. 3. Performance assessment

How well is the board managing its responsibilities, particularly during this crisis? How does this compare to best practice standards?

Perhaps now more than ever, the controls and risk management practices of companies are being tested on many fronts simultaneously. Being able to accurately assess the adequacy of these controls is indeed the responsibility of the board. However, it is the board who must periodically put themselves through this same scrutiny and assessment for the purposes of best practice. The effectiveness and compliance with best practice standards of the various committees and individual directors is a health check that should itself be a component of the ERM framework.

Stakeholders deserve to know whether board members bring the skills and experience necessary to further the goals of the organisation. This includes consideration of adequate levels of training that the board receives on areas of emerging risk. These can be sensitive areas, but it is not surprising that some of the more successful large corporates place their boards under this scrutiny on an annual basis. The National Association of Corporate Directors (NACD) (National Association of Corporate Directors, 2020) provides guidance on such evaluations.

The need for the board to appoint directors with technical or risk management skills and experiences is a growing hallmark of success. Indeed, such perspectives are fundamental to navigate the technological, digital, data and other technology related risks and disruptions that companies face. Having a healthy balance of youthful, skilled directors helps to provide insights from the next generation of leaders. There is an increasing shift towards appointing directors who bring operational or academic skills and experiences related directly to understanding the company’s evolving risk profile.

Changes in board assessments during (or as a result of) COVID-19 are, as of now, still largely uncertain. We would however expect, over the longer term, a shift towards the appointment of technically strong directors with a good understanding of risk management.

  1. 4. Business continuity & resilience to crises

Boards have a critical role in providing oversight and guidance on the ability to absorb and recover from external crises and systemic shocks. The impact of these systemic risks and shocks ranges from global crises (e.g. COVID-19, climate change) to regional crises (e.g. terrorism related incidents),

These events, as 2020 has shown, are often systemic in terms of impact and beyond the control of the board. The key question for the board is how well the company is prepared to respond to such crises and how resilient it is with respect to surviving the aftermath and recovering. An effective ERM structure ensures that the Board is suitably prepared for these risks.

Succession planning is critical as a part of crisis management and contingency planning. Chair and CEO succession plans are important, but this can be developed further to include other members of the executive team and for ‘mission critical’ roles and functions at operating levels. The human resource function is also critical for crisis preparedness and planning. Board committees should review mission critical roles as well as executive succession plans on an ongoing basis.

During crises, management will be working under intense pressure and time constraints. The board should be available to serve as a sounding board and offer support, especially in the case of mission critical decisions. Supporting staff and critical functions should be the focus.

The length of time and the intensity of a crisis will vary depending on the nature of the crisis and its systemic impact. The board and management should however review medium and longer-term recovery plans and note the lessons learned to improve risk management. Recovery options and strategy should be reviewed and improved as early as possible. Boards are responsible for contributing towards the company’s strategy and support management as they implement interim solutions options if business activities have been slowed. More importantly there may need to be changes in policies and operating procedures, risk management systems, capital allocation priorities and even core business strategy.

With respect to the insurance industry, this is a reminder of the importance of ‘own risk and solvency assessments’ (ORSAs) in terms of promoting companies to think and act proactively on risk management policies, measurement of risk exposure in normal and stressed environments and the implementation of economic capital models and solvency assessment tools. Through this process, insurers get the opportunity to re-examine and improve their ERM procedures with a forward-looking mindset.

  1. 5. Public disclosure

Effective corporate governance includes effective reporting and communication with stakeholders. Leading corporations should reflect changing risk exposures and selected analyses of the effectiveness of the ERM framework in their financial disclosures. Ensuring that the company’s disclosure of its sustainability metrics and performance is independently assessed by an external third party is another step that boards can take towards a more integrated approach to reporting.

Corporations must be aware of their social responsibilities and must use the opportunity to express their commitment to the sustainability of their strategy through their disclosures. Sustainable value creation is material to business performance and should be addressed in the mainstream report and integrated into the core business strategy and governance processes. By reporting on these factors, including a discussion of their implications for company strategy and governance, a company demonstrates to all stakeholders that it has weighed all pertinent risks and opportunities in running its business, conducting its governance processes, and contributing to broader economic and social progress.

Finally, after such crises, the review of dividend policies and the communication of updated policies and decisions is a key element within these disclosures that ensures the board is mindful of the sentiments of stakeholders and the general public.

  1. 6. Dividing responsibilities

Where is the line between board and management?

Given the preceding commentary, we must recognise the criticality of management in aiding the development of board approved policies and procedures and thereafter executing them. A major aspect of corporate governance is the board’s legal responsibility in providing oversight and accountability for the business affairs of the company under all normal and extreme risk scenarios that have a direct or indirect effect on the company’s day-to-day operations. Reacting to the challenges presented by COVID-19, the advice and opinions of senior management must feed into the decisions made by the board.

John Lam (Reference Lam2014) cites the separation of the roles and responsibilities of boards versus management as being a key area of ambiguity in practice. He provides the summary in Figure 3, which is a useful reminder to prevent boards from being overly involved in the business whilst at the same time ensuring they play an active role.

Figure 3. Lam’s division of management and board responsibilities in the context of ERM.

5.2. Summary

  • Risk appetites and risk policies need to be reviewed in the context of extreme event occurrences. The transformed risk profile faced by companies and the alignment with new risk appetites requires continuous review and reporting.

  • Organisational and board structures that may not have facilitated an effective response may need to revisit whether a risk management philosophy has perhaps been largely a crisis management philosophy.

  • Aligning interests and incentives will always improve risk management and accountability by the board. Boards should embrace the need for training, development, and self-monitoring as the risk landscape continues to shift.

6. Integration of ERM with Business Lines

6.1. Importance of Having Integrated ERM Within Business Lines

Note that ‘business lines’ refers to the “revenue-producing” departments of an entity. For example, for a general insurance company, this would refer to the underwriting teams who are, by definition, the employees who are closest to the underlying risks being written by the firm. The benefits of having links between the ERM and the business writing functions of a company are well explained by Lam (Reference Lam2014), with advantages ranging from the alignment of business aims to effective risk assessment and mitigation. In particular, a key part of effective risk assessment is the adequate understanding and pricing of risk, and this is an area that will be further explored later in this section.

In response to an emerging risk, if there was an effective link between ERM and business lines in place, the following characteristics could be expected in theory:

  • Effective feedback loops

This feedback loop should be dynamic, given that an emerging risk could evolve and change rapidly, as was the case with COVID-19. Having an effective feedback loop results in a firm being able to continually monitor a risk and assess whether risk management/mitigation approaches need to be amended in light of changing risk appetite and/or continually enhancing understanding of exposures from an emerging risk.

  • An open culture that enables transparent and honest risk communication

When an emerging risk appears on the horizon, risk assessment becomes a key tool to evaluate potential exposures and gain an understanding around which areas of the business could experience material downside and upside risk. In many cases, such assessments will include a significant amount of uncertainty during the initial stages of an emerging risk (or also possibly once a risk has fully emerged, as was the case with COVID-19, due to regulatory and legal uncertainty).

An entity with an effective link between its ERM and business lines functions should have a culture that facilitates transparent and honest communication, particularly concerned with whether an emerging risk poses a threat to a firm achieving its business objectives, as well as any areas of uncertainty during the risk assessment processes; this is so that areas for further work/focus are clearly identified, rather than remaining undisclosed until opportunities for preventative actions have been missed.

  • A comprehensive and timely view of an emerging risk and potential impact

An ERM framework that is effectively integrated within the business lines of a company should enable a more comprehensive “view of risk” to be determined when continuing with “business-as-usual” work alongside an emerging risk. This could manifest in a range of ways, such as including allowances for related potential losses in pricing/exposure management or an updated understanding of the responsiveness and adequacy of risk mitigation strategies in place.

Ultimately, an effective integration should result in a more in-depth and timely appreciation of how business lines – as well as the company as a whole – may be impacted so that proactive, rather than reactive, business decisions can be made. Importantly, this would also include considerations regarding secondary impacts (in the case of COVID-19, this was a deep global economic downturn) as well as potential for losses being triggered across business lines/non-business functions at the same time.

6.2. Key Lessons Learned from the COVID-19 Pandemic

With ERM functions having developed significantly in some industries – particularly in the financial sector – over the last decade, it is important to acknowledge that there were several successes in company responses to COVID-19. A good example is the business continuity plans that have been tested and prepared for many years but with such a scenario (over such a long timeframe) previously largely unexpected. Sizeable proportions of the workforce working from home has largely been successful, with minimal impacts for many companies operating in the insurance and financial/professional services industries and this is an element of ERM to be celebrated; of course, the level of success does differ by geographical region and industry (Lund et al., Reference Lund, Madgavkar, Manyika and Smit2020).

One key successful risk management technique employed in the pandemic response was horizon-scanning performed – to monitor COVID-19, and subsequent government guidance, as it developed in case of potential business disruption – early on, which enabled the effective dispatch of business continuity plans. However, as with most experiences, there are lessons that can be learned with the benefit of hindsight in preparation for future pandemics and/or emerging systemic risks. When specifically looking at this ERM/business line integration component, the following four examples are suggested:

  1. 1. Deeper appreciation of the potential for emerging risks to become systemic

Again, from the perspective of the financial sector, horizon-scanning triggering the monitoring of an emerging risk is of obvious importance. Given that such scanning is likely to happen across many companies at similar times due to the increasing maturity of ERM frameworks within the industry, it is the subsequent work that is performed (to understand and manage the risk) that will differentiate a company’s response relative to its peers.

One element of the COVID-19 pandemic that was potentially underestimated was the full extent of the systemic nature of the risk. Many entities were previously considering the impact of pandemics on business lines/operational risks but how many had considered such losses being triggered at the same time (rather than considering impacts in silos during separate parameterisation exercises) as well as secondary impacts such as market and liquidity risk consequences? That is, was the risk assessment truly holistic and are emerging risks considered as systemic risks when they are on the horizon? Additionally, was the potential of pandemic impacts emerging differently across different business lines considered? For example, the impact on the contingency general insurance class of business was relatively quick to appear with many high-profile event cancellations globally, but what about the more delayed impact such as that on D&O insurance as a result of perceived inadequate responses to the pandemic situation.

Within risk management, a range of approaches incorporating “top-down” and “bottom-up” methods are adopted but the quality of such assessments needs to be reviewed to consider how much value they provided when COVID-19 was emerging and whether there are areas for improvement. In the case of an emerging risk, where there is usually a high degree of uncertainty, many risk professionals would agree that a “bottom-up” approach is necessary where risk impacts are considered at a granular risk type/business line level and then aggregated to determine potential company exposures. Furthermore, in such situations assessments are usually highly dependent on the judgements of the relevant personnel involved with the various risk types/business functions; this is not inappropriate, given these would be the employees with the greatest expertise in those areas, but does leave the potential for behavioural biases to enter the assessment process.

  1. 2. Understanding exposures/unlocking a data-driven response

One of the key reasons that judgements are required in such assessments is due to the lack of data that can be used during attempts to assess the potential exposures to an emerging risk. Due to the nature of an emerging risk (i.e. one that is previously unknown!), a lack of information particularly in the early stages will likely remain a common issue. However, the reader is encouraged to consider whether there is data that is available in their companies that could be “unlocked” so that a previously solely judgement-driven response could also be blended with a data-driven response.

Expert judgements from relevant personnel will remain vital in risk management processes but data could provide an otherwise non-existent source with which to challenge assumptions (e.g. those being set by business lines regarding impacts on their classes) or supplement sensitivity analysis to understand the range of losses that could happen. A good example of how data can be “unlocked” and what “data-driven” means is given in 3. as an illustration of how this suggestion can be implemented in practice.

  1. 3. Risk assessment & sensitivity testing based on contract clauses

An important characteristic that can be seen in many firms with a good, shared risk culture in place is the effective alignment of business aims between business lines and the ERM function. In practice, when considering the pandemic, what this characteristic resulted in was the shared ambition, when COVID-19 appeared on the horizon, to assess and limit potential exposures – both in the current book but also within any upcoming business. Furthermore, in some businesses, there was also the additional aim of how to optimise business returns and seize opportunities considering the pandemic and the impact it was having on the market (whether opportunities were due to reduced exposures on underlying risks, improved terms due to new exclusions in place, increased premiums being charged or the limited capacity and damaged reputation of competitors).

However, there are many limitations in the work done to assess such downside and upside risks adequately and this can result in adverse business decisions being made as a consequence – for example exiting classes of business that were later not as deeply impacted as initially anticipated (such as the impact of working from home on the cyber-insurance class); or perhaps even some classes being entered (such as contingency insurance) to benefit from the significant increase in rates without any consideration for the potential of COVID-19 becoming an ongoing event that could last for months.

There are two key elements within business lines that can drive some uncertainty in emerging risk assessments:

  1. (1) Lack of capability to process contracts and log policy clauses/wordings within each contract in an easy and non-manual manner.

  2. (2) Uncertainty in the response of contract wordings to the losses triggered because of the emerging risk.

Technological developments – particularly in the financial sector – should mean that the first item is soon to be a limitation of the past. Considering the example of general insurance, there are now a range of software solutions available to read (e.g. via the use of optical character recognition) and log contract clauses embedded in business contracts.

The second item above is a larger issue to tackle and a key area of uncertainty is how contract wording will respond in cases of emerging risks that have previously never tested contract clauses – a perfect example of how this can materially impact business is the Financial Conduct Authority’s (FCA) business interruption (BI) test case result. This specific example is explored in detail as a case study 1 later in the paper.

COVID-19 has shown that arbitrarily maintaining “pandemic” risk scenarios on risk registers parameterised with high-level parameters is not necessarily the most effective approach – sensitivity of the robustness of contract clauses within a ground-up approach is something that may now need to be embedded within risk management considerations and communication.

A good example of how this could be done in practice is explored in a non-affirmative cyber risk. These are unknown or unquantified systemic cyber risk exposures originating from cyber perils that may trigger traditional property and liability insurance. The paper by the Cyber Risk working party provides a framework with which to generate non-affirmative cyber scenarios by considering, amongst other items, the potential range of contract clauses and their associated “contract confidences” when quantifying potential loss amounts (Subgroup, 2019). Although that framework was developed specifically with non-affirmative cyber perils in mind, the general overarching principles are relevant to any emerging risk.

Setting up such “contract clause” sensitivity testing frameworks will also have an additional bonus of being easily fed back into underwriting/business pricing functions to assist in the business-as-usual assessment of risk. An enhanced understanding of exposures/contract terms is not only a benefit from a “risk management” perspective but also from a “line management” perspective if it enables information to be fed back into pricing and capital considerations so that profitability can be adequately assessed.

  1. 4. Identifying and removing behavioural bias from the emerging risk response

An interesting final question that is posed to the reader in this section is whether behavioural biases exacerbated (or limited the ability of companies to react to) issues presented by the emerging pandemic. For example, was the scale of the pandemic underestimated because something similar had never been experienced before (availability heuristic)? Was there underestimated risk in how contract wordings would react due to previous challenges to contract clauses (overconfidence bias)?

Behavioural biases in risk/business processes need to be identified and removed to avoid “human behaviour” adding an additional layer of complexity to an already uncertain emerging business risk situation. Developing “data-driven” approaches that can challenge human judgements – as mentioned earlier – is one way in which this could be achieved. Other ways could be generated based on the behavioural bias being tackled.

6.3. Summary

ERM frameworks have developed significantly over the last decade, particularly in the financial sector, and items such as having “business continuity plans” in place and adequate risk “horizon-scanning” processes are still very much required but seen as standard procedures. Going forward, as was shown in responses to the COVID-19 pandemic, there are areas that can be further developed in order to generate a more effective integration of ERM within business lines. Many of these are focused on developing a deeper understanding of the potential risk and augmenting processes to enable business lines to be able to provide the most informed judgements (based on minimal human biases).

The following key areas are suggested when considering the integration of ERM within business writing functions:

  1. 1. Deeper appreciation of the potential for emerging risks to become systemic.

  2. 2. Understanding exposures/unlocking a data-driven response.

  3. 3. Risk assessment & sensitivity testing based on contract clauses.

  4. 4. Identifying and removing behavioural bias from the emerging risk response.

7. Risk Transfer

7.1. Importance of Risk Transfer in ERM

The insurance industry has a long history of managing, extremely well, financial risks that can be modellable. The COVID-19 pandemic, solar storms, large-scale cyber-attacks, and climate catastrophes are emerging risks, characterised as rare and systemic risk events. By their very nature these risks are considered improbable or unlikely. The insurance industry finds it very hard to insure those risks because of modelling limitations and difficulty in pricing those risks, resulting in a high price that renders the insurance product insuring against these events unaffordable, but also because they involve human interaction. Moreover, when these risks manifest, the size and severity of losses associated with these events can exceed the amount of premiums collected, or even the market capitalisation of the insurance industry. Therefore, they come with certain uninsurabilities.

There is limited historical data on these events with which to draw solid conclusions about their true dynamics. Therefore, different rare, systemic risks have different characteristics and different risk profiles, and this leads to different assumptions for modelling the frequency and severity of the risk and ultimately affects the risk-reflective pricing and the pure premium charged for these products.

The lack of awareness of these types of risks and the extremely low take-up rates of standard insurance products insuring against these risks, such as standard business interruption insurance, creates very low demand for these products and therefore affects their pricing, by making these products expensive to buy due to their important but not urgent nature, as a result of the perceived low likelihood of the occurrence of these events, and therefore they are not prioritised in risk registers.

Rare, systemic risks are not traditionally included in standard business interruption cover insurance, and as experienced during the pandemic, the uncertainty over different policy applicability to cover the risks associated with the pandemic has led to legal challenges for businesses trying to access policy pay-outs.

For these reasons, we have set up the Black Swans Insurance Working Party at the Institute and Faculty of Actuaries, with an overarching objective of being the leading source of knowledge and expertise on matters relating to systemic risk planning and insurance. One of the strategic goals of the working party is to structure and develop a model to allow for comprehensive and affordable systemic risk insurance to be offered, protecting the UK economy, and safeguarding society and livelihoods from these extreme risks.

The working party will explore solutions to set up a construct that is fit for purpose and works for designing either a single product for each systemic risk event or an all-encompassing product covering tail events, through the equitable sharing of systemic risks between the parties to the transaction, including the insurance industry, reinsurance industry, capital markets, the insured, and government as the insurer of the tail risk, by designing a product for the sharing economy that is:

  1. 1. Affordable: reasonable cost of delivering the product at an affordable price.

  2. 2. Available: high confidence that the product is fit for purpose, and it will perform when it is needed.

  3. 3. Relevant

For the risk transfer, the working party will explore whether the Pool RE model of public private partnership (PPP) is (OECD International Platform on Terrorism Risk, 2015) effective and sufficient and could be expanded to cover other types of systemic risks. The framework will achieve the following strategic goals:

  • To develop a framework for the risk assessment of rare, systemic risks that is dynamic and data-driven, and to robustly identify systemic risks that are considered improbable or unlikely events.

  • To identify and build robust methodologies for understanding, assessing, pricing and modelling different systemic risks with different characteristics, risk profiles and assumptions for modelling the frequency and severity of the risk; and coming up with a range of risk-reflective pricing charged for these products to reflect a long-term black swan risk premium.

  • Designing and risk-sharing a systemic risk, black swan product, covering either each systemic risk event or an all-encompassing product covering tail events in general, taking into account:

  • type of product

  • the limits of indemnity – whole loss or part of it

  • is the product index, parametric, or modelled loss, or some hybrid in between?

  • is it mandatory or optional?

  • taking into account behavioural aspects so the product incentivises behaviour rather than making it compulsory to affect premium rates

8. Risk Analytics

8.1. Importance of Risk Analytics in ERM

Risk analytics is a key component of any ERM framework. To quote James Lam (Reference Lam2014), “trying to manage risk without appropriate analytical tools is like flying an aeroplane without instrumentationwhile the weather is good everything is fine and the organisation may not experience substantial losses. But in bad weather the organisation can be put in grave danger without any sense of where it lies.

Organisations adopting an ERM framework apply risk measurement tools to estimate all material risks facing the organisation including extreme (tail) events such as pandemics. With the onset of an extreme event such as the COVID-19 pandemic, risk analytics tools are instrumental for measuring and assessing its impact and helping to plan under uncertainty. Several analytical tools are available to measure risks. For risks that are quantifiable, mathematical models are usually applied. Where data is scarce, or risks cannot be numerically quantified, other tools such as risk maps or scenario analysis could be applied.

8.2. Key Lessons Learned from the COVID-19 Pandemic

We analyse a number of risk analytics tools, their benefit to organisations during the COVID-19 crisis, and point out areas to monitor and improve:

  1. 1. Scenario analysis

Scenario analysis is a top-down what-if analysis that measures the impact that a hypothetical event or combination of events will have on the organisation. In a crisis such as COVID-19, scenario analysis is an important tool for organisations to assess its impact. A number of scenarios that can be considered are (Risk, 2020):

  • Impact on production/ability to serve customers

  • The duration of lockdowns, their severity and impact on the business

  • How are new work arrangements are impacting the organisation?

  • Once the virus is under control, how long will it take for the business and customers to return to a pre-COVID behaviour level, if at all?

  • Different scenarios for supply chain impacts, particularly if business is global

  • Any emerging risks from the pandemic and how these will impact the business. For example, how might moving to an online distribution platform generate new risks/opportunities?

  • Assess the impact on the organisation’s cash inflows and outflows

  • Analyse the impact of recessionary economic outcomes on asset values

  • Specific scenarios for financial institutions. For example, (re)insurance companies could assess the impact of the pandemic on their value of liabilities in terms of both the frequency and severity of claims. For banks the impact of a higher probability of default on their loan book can be assessed.

The above scenarios could be tested for at the base, mid-range, optimistic and pessimistic impacts.

Scenario analysis looks at the impacts of hypothetical events under various scenarios. On the other hand, stress tests focus only on the extreme scenarios or on significant variations in the input assumptions. The latter are discussed further below.

  1. 2. Stress tests

Stress testing measures losses that arise due to significant jumps in the underlying risk factors driving the risk processes or due to tipping points shifting the trajectory of the risk processes into extreme states. It is during crisis situations, when historical data and analysis is limited, that stress tests prove to be useful; due to their forward-looking nature and the ability to allow for expert judgement. This makes stress testing a useful tool for modelling adverse scenarios and quantifying the impact of such tail events on the organisation.

The paper titled: Stress-testing banks during the COVID-19 pandemic (Baudino, Reference Baudino2020) states that stress tests can be useful in the:

  • short term – as a tool to analyse and communicate how the pandemic can affect the banking sector as a whole. For this, the stress test exercises need to be changed to accommodate the specific features of the pandemic shock.

  • long term – as more time and a greater understanding of the pandemic’s impact on the economy is understood, there may be scope for a more ambitious use of these tests. Further refinements of these tools can make them suitable to identify specific pockets of vulnerability and firm-specific supervisory action.

Stress tests can be top-down or bottom-up. In a top-down approach, the crisis is known, that is, the pandemic, and stresses are applied on various areas of the organisation that may be impacted by the extreme event. A bottom-up approach involves looking at one or more stress variables and analysing the impact such stresses have on the organisation.

For organisations adopting an ERM framework, the development of stresses might involve tweaking existing stresses/scenarios and assessing the impact using the available modelling methods. For example, an organisation modelling the impacts of the pandemic applying pre-COVID-19 assumptions may apply market stresses that assume a prolonged period of high credit spreads and low stock market prices (Dardis et al., Reference Dardis, Lau and Weis2021). Figure 4 show that credit spreads widened significantly in Q1 2020, but then started narrowing again from Q2 onwards. Similarly, equity markets showed volatile movements rather than a prolonged period of downward stock prices in 2020. These movements call for caution when using existing models and assumptions. Organisations should investigate whether stress test variables and scenarios need to be updated based on recent information/results available.

Figure 4. Credit spread levels in 2020 for selected markets. Source: All Bloomberg Barclays indices: Global Aggregate Credit index, Emerging Market USD Aggregate Index, USD Aggregate A and BBB Corporate Index, EUR Aggregate A and BBB rated Corporate Index, Asia Pacific Aggregate A and BBB rated corporate index, US Securitised ABS and CMBS indices and US Corporate High Yield Index as of 30 September 2020 (Vanguard, 2020).

However, this may only partially solve the issue as new types of risks affecting the organisation may need to be included, such as cyber risks. We outline a few stress tests that organisations could perform as part of their COVID-19 analytics (Thomä, 2021):

  • Permanent reduction in demand for goods sold by x% or a permanent increase in demand of y%.

  • Drop in the country/countries’ GDPs where the organisation operates or has a market.

  • Impact on organisation’s liquidity due to an increase in cash outflows for three consecutive months.

  • Reduction in labour supply due to illness.

  • Specific impact on the balance sheet (e.g. shocks in real estate or stock market prices decreasing).

  • Assessing stress Impacts on economic factors such as yields, credit spreads and inflation.

  • Stress tests applicable to financial institutions. For example, for (re)insurance companies and banks a stress test could be a specific reduction in asset values or a downgrade of assets by one credit quality step.

3. Reverse Stress Tests

Reverse stress tests are stress tests that require a firm to assess scenarios and circumstances that would make their business models unworkable, identifying potential business vulnerabilities (Bank of England, 2021).

Reverse stress tests are a key part of an organisation’s ERM framework to assess the impact of an adverse event. In this case, the exercise starts from the point where the COVID-19 pandemic makes the organisation insolvent or illiquid or renders its business model unsustainable. Following this, a number of scenarios leading to these outcomes are developed. The final step would be for the organisation to identify weaknesses/problem areas and decide how these can be mitigated.

Examples of reverse stress test scenarios include:

  • The organisation runs out of cash, or otherwise experiences cashflow issues that mean that it is unable to settle liabilities as they fall due

  • Operating cash outflows exceed cash inflows

  • There is a demand for immediate repayment of a loan or loans

  • Loan covenants are breached due to asset valuations falling due to COVID-19, and the lender does not waive the covenants

  • A sole or principal source of funding is lost

  • Failure to meet a regulatory solvency requirement.

4. Economic capital

Lam describes economic capital as the amount of capital required to meet regulatory capital requirements and cover insurance liabilities as they arise under normal and adverse outcomes, with a given confidence level and given the organisation’s risk profile (Lam, Reference Lam2014). Economic capital is calculated based on two quantities: the solvency standard and the risk profile of the organisation. The solvency standard is the desired creditworthiness of an organisation – if it has a target solvency standard of 99.5 percent, this implies that it would default on average once every 200 years.

The Solvency II Directive (2021) requires (re)insurance companies to hold sufficient capital to cover the market-consistent losses that may occur over the next year’s capital horizon with a confidence level of 99.5%. The solvency capital ratio (SCR) can be calculated using either a ‘standard formula’ or an internal model. The standard formula consists of prescribed stress tests of factors that are aggregated using regulatory-prescribed correlation matrices to reflect the behaviour of assets under normal and extreme stress conditions. An internal model can also be used to estimate all or some risk sub-modules within the SCR. This must be approved by the (re)insurance company’s regulatory authority.

A number of issues to consider when assessing the impact of COVID-19 on economic capital:

  • The efficacy with which economic capital impacts could be generated

  • Do models require recalibration? For example, for insurance companies, are the assumptions on the frequency and severity of claims still valid? If assumptions require recalibration is sufficient information available to provide credible results?

  • When modelling such extreme events, attention will focus on the tails of the distributions. Organisations may consider the application of extreme value theory as a risk measurement tool

  • Interdependencies between risks – these are likely to change during an extreme event and may require revision

  • If correlations between risks change, is the method used to measure interdependencies still appropriate? For example, a correlation matrix approach does not capture complex dependency structures such as pandemics, and more sophisticated tools such as copulas may need to be used

  • Careful interpretation of the output of economic capital results – the model output is only as good as its inputs.

Many economic capital models use the value-at-risk (VaR), which measures the maximum loss that is not exceeded with a given high probability over a given time period. VaR has a number of advantages including its simplicity of understanding and expression and its applicability to all types of risks and uses across the industry. However, the main disadvantage that is amplified by an extreme event such as COVID-19 is that it can under-estimate asymmetric and fat-tail risks. Also, it gives no information on the loss amounts beyond VaR. Where organisations use VaR, the results should be interpreted with caution. Alternatively, organisations may consider using alternative measures such as TVaR which considers losses beyond VaR (Sweeting, Reference Sweeting2017).

In the banking sector, stressed VaR (SVaR) is used. It measures the VaR at portfolio and risk factor levels taking into account diversification under stressed market conditions. The SVaR is calibrated to a period of significant market stress that is reflective of the organisation’s balance sheet. The SvaR is measured based on ad-hoc simulation of a more involved model, such as applying alpha stable law to estimate the index of stability for a given risk factor to identify the period of excessive market stress.

The Solvency II directive (Solvency II Directive, 2021), which is applicable to most (re)insurance companies with their head offices in the European Union, and the solvency capital requirement (SCR) metric, are determined on the basis of a 99.5% VaR measure over one year.

8.3. Risk Indicators

Risk indicators are designed to give timely information about changes in risk conditions to allow the management of an organisation take appropriate action. These can take the form of either external metrics such as economic indicators (GDP/employment/inflation rates/interest rates) or metrics developed internally.

In the banking sector risk indicators are the outputs from both prescriptive regulatory models and internal models developed by the banks, which have been subject to regulatory approval. These models compute, monitor, and assess daily the behaviour of market risk capital at both the trading book and desk level. They inter alia produce risk indicators to assess, measure, and monitor on a daily basis the behaviour of risk and the capital impact on a financial institution’s balance sheet.

In the insurance sector, risk indicator examples include: an increase in loss ratios; increases in the number of policyholder complaints; breaches of investment limits or liquidity limits; and an increase in staff turnover. Outputs from economic capital and/or regulatory models may also serve as key risk indicators. These may include: reduction in the SCR below a certain risk tolerance limit; an increase in counterparty default risk due to reduction in the credit rating of the reinsurer/s; and an increase in market risk capital as a result of credit spreads widening.

Organisations could assess whether the risk indicators were appropriate to detect the impact of COVID-19. A solution could be to develop an emerging risk register to allow organisations to detect the signs of a pandemic and its impacts early in its lifespan, and adopt systems for pandemic risk planning.

  1. 5. The challenge of COVID-19 on risk analytics

There are aspects of COVID-19 that organisations may not have included in their risk analytics tools. For example, several sectors benefited from government intervention. This means that some organisations have not defaulted due to government support, but the question is what will happen once that supports stops. How can such scenarios be modelled? This may require expert judgement to try to calibrate the model to simulate as close to real-life results as possible.

Another challenging area that is difficult to model is the speed at which various industries/sectors hit hard by COVID-19 will bounce back to levels pre-COVID-19, if at all. ERM risk analytics tools may require updating to ensure that the stress impacts are correctly estimated, or similar scenarios properly predicted. As with any other emerging risk this presents a significant level of uncertainty.

However, an appropriate ERM framework should be well placed to manage low frequency, high severity adverse events and ensure that appropriate risk mitigation measures are in place. As more data about the impact of COVID-19 becomes available organisations can use the data to assess the impacts and incorporate them in their risk measurement tools. This will allow them to react more appropriately to similar future events. There is also the added limitation that the results of scenario analysis and stress testing may not reflect the real-world practical output. For extreme events, the experience of the decision-makers and their ability to interpret the results are key requirements of risk analytics.

8.4. Summary

  • With the onset of an extreme event such as the COVID-19 pandemic, risk analytics tools are instrumental for measuring and assessing its impact and helping to plan ahead under uncertainty.

  • A number of analytical tools are available to measure risks. For risks that are quantifiable, mathematical models are usually applied. We discussed how several risk analytics tools such as stress tests, reverse stress tests, economic capital and risk indicators could be used to assess the impact of the COVID-19 impact on an organisation.

  • Where data is scarce, or risks cannot be numerically quantified, other tools such as scenario analysis could be applied.

  • To reflect a real-world output of the COVID-19 pandemic, risk analytics tools may require updating to ensure that, for example, the stress impacts are correctly estimated, or similar scenarios properly predicted.

  • In conclusion, an appropriate ERM framework with robust risk analytics tools should be well placed to measure the impact of low frequency, high severity adverse events.

9. Data & Technology Resources

9.1. Importance of Data and Technology Resources in ERM

The technological landscape has been very volatile during the current pandemic. Many companies and some industries were severely underprepared in areas such as hybrid or flexible working. Following an initial scramble to put things in place, most have now found a new outlook on the technological base required to navigate their companies through future uncertainties. Financial institutions have been ahead of the curve when compared too many other industries and were quick to adapt to the new normal. In this section, we discuss what steps should be considered from a data and technology perspective to help update an ERM framework.

9.2. Key Lessons Learned from the COVID-19 Pandemic

  • Regulators have played an active role in guiding companies towards improving or implementing robust technology risk management frameworks

  • During times of volatility, quality of data collected could be impacted. Companies should take remedial measures to ensure data integrity

  • A successful upgrade of risk management systems in light of the pandemic would require risk management and IT professionals to work closely to establish new standards.

First, we look at the technological aspects before delving into the data resources in ERM.

9.3. Technology Resources

The last few decades have seen significant technological progress. The exponential increase in computing capacity provided by rapid and incremental improvements in micro-processors has helped in shaping a new world. These advances have helped in improving data capture, storage and analytics while also improving the user interface to help implement systems (risk management being one of them) that assist senior management in taking appropriate decisions.

Financial institutions have been at the forefront of technological improvements during this period and have adapted their operations to take advantage of these opportunities. Risk management and IT professions have been tested in conceptualising, implementing, and upgrading their systems to keep pace with technological advancements. The current pandemic may have acted as a proverbial spanner in the works for many, helping refresh or reset their views on technology risk. Guidance from regulators, trade associations or external risk consultants helped companies adapt to the new circumstances they found themselves in.

An example of steps taken to educate and provide a framework for companies is the Technology Risk Management Guidelines issued by Monetary Authority of Singapore (MAS) (Monetary Authority of Singapore, 2021). The revised version of these guidelines issued in January 2021 set out risk management principles and best practices to guide financial institutions to establish sound and robust technology risk governance and oversight, as well as maintaining IT and cyber resilience.

The guidelines aim to provide a holistic view on technology risk management by providing both high-level essentials and an in-depth review of current IT systems, their resilience and how secure they are to cyber threats. The topics covered in the guidelines are:

  • Technology risk governance and oversight

  • Technology risk management framework

  • IT projects management

  • Software application development and management

  • IT service management

  • IT resilience

  • Access control

  • Cryptography

  • Data and infrastructure security

  • Cyber security operations

  • Cyber security assessment

  • Online financial services

  • IT audit

Financial institutions should have an efficient feedback loop to help maintain and improve the risk framework within the organisations. Areas such as governance and oversight are critical for every company aiming to revise their risk management framework in light of the changes to the economic and work environment following the pandemic. An example to consider may be remote working. Does your company have a robust policy for the majority of employees are working remotely? If policies were implemented with working in office as the norm, technology risk management aspects should be modified to allow for any hybrid working policies in the present and future.

To this end, the MAS and The Association of Banks in Singapore also issued a paper on managing new risks that could emerge from extensive remote working arrangements adopted by financial institutions amid the COVID-19 pandemic. The paper titled “Risk Management and Operational Resilience in a Remote Working Environment” (Monetary Authority of Singapore, 2021) highlights four key risks of remote working to the operations of financial institutions:

  1. 1. Operational risks

  2. 2. Information security and technology risk

  3. 3. Fraud and staff misconduct risks

  4. 4. Legal and regulatory risks

For each of the risks, the paper delves into the details of the following aspects:

  1. a. What has changed?

  2. b. What are the risks?

  3. c. What are the key risk management actions required?

  4. d. Examples of mitigation controls

This paper again urges senior management to ask the right questions of their operations and improve risk management resilience. Companies often use technology as a competitive advantage, especially to be first to market on certain products. While this trend is expected to continue, risk management professionals and management must keep in mind the risks while leveraging such technologies.

9.4. Data Resources

Good risk management always starts with good data collection. The nature of data collected is usually complex and unique to the risk management process in question. For example, a trading risk management system would have a very different outlook to data when compared to an insurance risk management system. The inherent complexity in understanding and recording the correct data are magnified under stressed scenarios such as COVID-19. A few keys areas to consider when reviewing data management are:

  1. 1. Review data sources and its use

An effective risk management system helps to monitor and record losses or events that cause significant distress to a company or industry (or both). A detailed record of how the company’s risk management framework reacted to a pandemic should be noted. Any failures should be corrected for the future and successes should be implemented in areas where they were not applied before.

Apart from internal sources, data from external sources such as industry associations, peers or regulators may also be collected to enhance risk registers and allow for ‘events not in data’ (ENIDs). This information should be used in determining the effectiveness of key risk indicators (KRIs) and revise them if required. COVID-19 may provide new perspectives on risk that have previously been deemed as too extreme. Companies may consider a more frequent review of their KRIs in the short to medium term as the true impact of the pandemic emerges.

Dashboard reporting is a popular way to represent risk information. A risk dashboard may try to incorporate adverse scenarios and impacts more prominently to help ensure that the senior management understand the risk better. As with all data, communicating the right message to the right audience is of utmost importance.

  1. 2. Review data standards and reduce subjectivity

In addition to collecting data, data quality should be reviewed on an ongoing basis to ensure that information collected is compliant to all standards, including any subjective measures. The data collected during a pandemic is expected to be skewed when compared to normal conditions. Companies should aim not to ignore outliers but incorporate them in a structured manner (probabilistic approach) to help quantify and mitigate the downside risk.

Any additional subjectivity should be minimised to ensure that the data is fit for use in the future. Companies may opt to review any areas of data collection that rely heavily on manual processes. A good audit trail and a structured data collection framework may be provided to employees to ensure maintenance of the integrity of data.

  1. 3. Embedding data collection practices

Many companies follow a decentralised approach to data collection within business units. This may lead to discrepancies in measures taken on risk mitigation as data may not be available at a level that is required to make appropriate decisions. Companies may review the data collection practices adopted by various business units and embed practices that ensure that the most critical pieces of information are collected for effective policy making. Again, successes and failures should be discussed to ensure that the best practices are followed throughout the organisation.

  1. 4. Data privacy and governance

In recent years, regulations such as the Prudential Regulation Authority (PRA) and GDPR have put more focus on data collection and governance. Disclosure and transparency in data sharing are expected by regulators, especially from financial institutions such as banks and insurers. With hybrid working arrangements being implemented across the globe there is increased threat from cyber-attacks. Steps taken by regulators to reduce the risks include the Technology Risk Management Guidelines issued by MAS (Monetary Authority of Singapore, 2021). These provide guidance for companies to take steps to assess cyber security and implement appropriate measures to reduce the probability of data breach.

  1. 5. Updates and feedback loops

Feedback loops are an essential part of any risk management system. This should also be reflected in the data management function. Companies tend to collect a lot of data on customers, suppliers, competitors, and other sources. A frequent review of the integrity and validity of data may be required to ensure optimal use of data in making decisions.

  1. 6. Use of qualified risk management and IT professionals

The current pandemic provides a completely new data point with which to compare worst-case scenarios. Any decision-making for a future-ready system must be forward-looking while learning from past mistakes or successes. Seasoned risk management professionals are more attuned to the growing needs of businesses (and the industry) and should helm the transformation process. IT professionals must be a critical part of the transition process to help minimise disruption, understand the new technology and its pitfalls and provide effective integrations to current processes.

  1. 7. Establishing consistent data standards

Any changes to internal or external data sources following a systemic event may impact the data collection and storage protocols. As risk management systems often collect data from sources within or outside a company, care must be taken to review such data standards following any significant events (internal or external) to ensure the integrity of data in databases. As noted in the previous section, data quality is critical in maintaining a healthy risk management framework. Appropriate steps should be considered to ensure data capture and reporting to senior management for decision-making purposes.

  1. 8. Scalability

One of Lam’s (Reference Lam2014) suggestions was to use a structured and modular approach to build scalable systems. This is a vital part of the process to ensure the whole system/process is not reengineered at each update. COVID-19 taught us that lockdowns can be quickly implemented, and businesses should be flexible to adapt to new working conditions. A modular approach would provide an ideal solution to implement new risk parameters as the scenario evolves. We must however also take care not to over-engineer the systems to allow for extremely unlikely scenarios, making such systems less effective.

  1. 9. Updating key risk indicators

The risk appetite for an organisation determines its Key Risk Indicators (KRIs). Risk-averse companies may look towards minimising the risk while the strategies or objectives of risk takers would look for opportunities during risky periods to enhance their business. Black swan/grey rhino events provide good real time scenarios with which to test risk appetite and understand if previously set KRIs and risk thresholds still hold true for the future.

9.5. Summary

The importance of data and technology resources in ERM during COVID-19 is recognised, with the following areas discussed:

  1. 1. Regulators play a key role in providing guidance and framework to maintain data integrity (especially to small and medium firms) and to navigate the volatile risk landscape.

  2. 2. Firms should consider a proactive approach to updating databases within their risk management systems by utilising the right combination of resources.

  3. 3. Collection and data management are critical aspects of good risk management and firms should aim to revise these practices in light of observed grey swan events.

10. Stakeholder Management

10.1. Importance of Stakeholder Awareness and Engagement with in ERM

One of the keys to any successful relationship is communication. As the working world struggles to rebalance after two years of COVID-19, there are clues as to why some of the more successful companies are stabilising more quickly than others.

Within the framework of Enterprise Risk Management (ERM) the principles that govern how best to manage stakeholder risk are useful to remember. The key stakeholders that concern most corporate entities include:

  • Employees

  • Customers

  • Regulators

  • Rating Agencies

  • Business Partners

1. Employees

A recent estimate (World Economic Forum, 2020) by the World Economic Forum was that 2 out of every 5 jobs lost for COVID-19 related reasons (i.e. lockdowns, travel restrictions etc.) are unlikely to return. This is a staggering figure to digest, particularly given the expected impact on the viability of some industries as a whole. Employees are (or at least should be viewed as) the main asset of any company, especially for those industries that depend on intellectual or human capital. The Aon Global Risk Management Survey 2019 (AON, 2020) ranked ‘Failure to attract or retain top talent’ as the 11th highest risk as viewed by respondents. Going forward how will this risk (or rank) evolve? With mass layoffs occurring, companies may select shorter term gains but sacrificing valuable longer-term benefits but letting go of key talent.

It should be no surprise that employees’ and employers’ do not always align. Since employees have a high impact on profitability it is critical that they are managed well. This should flow through recruitment, training and organisational development.

Good talent is not as ubiquitous as we would like. With the current turmoil there is a general lack of appetite towards hiring as companies play it safe. It is important to remember however that onboarding talent should be encouraged to the extent that longer team strategy is facilitated. Dedicating additional resources towards screening and recruiting talent has historically shown to have its benefits. Perhaps the pool of talented candidates available has grown since the onset of the pandemic and it may be worth considering how a company can benefit from onboarding such talent.

Training and developing staff are key retention tools but it not always given due consideration. Staff turnover is costly. Losing talent can be even more painful when lost to competitors. Studies on the cost of employee turnover vary however the conclusion is the same – these costs are not well understood by companies. Another question that needs to be answered – does training offer value to both employees and employers. Retention, productivity and morale all improve and thus reduce the risk to the employer of high turnover. In addition to this companies should value and recognise employees. Promotions should be based on merit in order to create a culture where staff see a longer-term horizon for themselves within the company.

Particularly at a time when so many employees are working from home, the culture of the company in communicating and supporting staff is a key ingredient towards maintaining morale and productivity.

The inverse is obvious – letting go of large number of staff simultaneously reduces morale and can impact employee resignations. Singular terminations are however a common part of the life of a business and if managed well they can remind the other staff of a strong work culture that rewards talent and hard work. When employees resign this is also a useful learning opportunity for the business. Understanding what has prompted someone to leave the company so that the root causes can be fixed for the remaining staff is a lesson which companies can leverage off.

  1. 2. Customers

Customer needs evolve continuously and companies who proactively track, assess and act on these changes are in a better position to manage the risk of a diminishing customer base (or even turn it into an opportunity by acquiring new ones). Preferences are also shifting due to a multitude of factors other than the product itself, such as ethical sourcing and production, compliance to General Data Protection Regulation (GDPR) and privacy laws, ESG (environmental, social and governance) issues etc. A recent McKinsey study (McKinsey & Company, 2020) discusses ‘Shock to Loyalty’ where customers tried other brands during the pandemic. Value and availability were the key drivers for the change. Customer acquisition and retention strategies must keep pace with the changing trends and the review of these strategies should be embedded within the risk management frameworks to help ensure they are up to date. To have an open channel of communication with clients and effective implementation of suggestions received through a feedback loop would also help improve brand perception.

During the current crisis, communications via social media platforms have provided companies with a critical lifeline in keeping customers engaged. Companies often follow and participate in popular trends on platforms and some even provide support to key social issues locally and globally. Companies should also consider the following:

Do companies have adequate policies and measures in place to ensure the right messages are communicated to their current and prospective clients?

Do they also have procedures in place to mitigate any impact to their business due to negative publicity?

While it is good to have quick and easy access to customers, the rules of engagement should be clearly defined and updated periodically. This also puts focus on a more customer centric approach to business rather than a product centric one which has prevailed for most of last century. The Aon Global Risk Management Surveys in 2017 (Global Risk Management Survey, 2017), 2019 (AON, 2020) and projected risks in 2022 all show Damage to Reputation, Failure to Innovate/Meet customer needs and Increasing Competition as three of the top 10 risks.

We must also give equal or even more weight to crises arising from within the organisation that can significantly alter consumer’s perception of a certain product. We can have better controls put in place to prevent these and have procedures in place in the event of one materialising. A crucial risk for many companies is a product recall. We have seen instances in recent times in many industries such as automobile, electronics, food & beverages, pharmaceuticals etc. involving large-scale recalls and a range of measures taken to restore customer confidence. An example of this is the recent decision by Hyundai to recall 82,000 electric vehicles because a reported 15 vehicles caught fire (Keith, Reference Keith2020).

A procedure manual or response plan incorporating key learnings from prior recalls (including that of peers) may help provide valuable inputs to the teams facing such a recall. The risk function in a company should take responsibility for such initiatives.

  1. 3. Regulators

Since the global financial crisis of 2008, the role of regulators within the financial sector has increased significantly. Managing regulatory responsibilities, developments and expectations is a critical part of ERM structure. Aon’s Global Risk Management Survey in 2019 (AON, 2020) ranked regulatory and legislative changes as the 10th largest risk.

The onset of the pandemic has further accelerated the need for regulatory involvement. In May 2020 the Saudi Arabian Monetary Authority (i.e. the Saudi insurance regulator) issued a declaration that all retail motor insurance policies in-force and to be sold within a 1-month period would be guaranteed an extension of 2 months on the original motor policy, at no additional cost to currently insured policyholders (Saudi Arabian Monetary Authority, 2020). The rationale being that due to low levels of driving, policyholder reasonable expectations should be considered in passing on some of the benefit that motor insurers received during the lockdown. Insurers were not given time to prepare for this regulation and had to adapt immediately.

Similar actions were taken in other parts of the globe where regulators realised the extremely important role they had to play in managing policyholder expectations at a time of unprecedented strain. The perils covered under business interruption cover have been the subject of intense public discussion and insurers are finding it more difficult to reject claims based on policy wordings and conditions. Regulation may likely be introduced to protect the interests of the insured with less concern about the potential impacts on insurers. How does the ERM framework of an insurer allow insurers to absorb these regulatory losses without crippling the business?

Indeed, such is the uncertainty around insurers denying coverage for losses caused by COVID-19 closures, the Insurance Council of Australia (ICA) started proceedings recently to test the application of certain infectious diseases exclusions in business interruption (BI) policies. To quote the ICA, “The Insurance Council initiated this test case on behalf of insurers that sell commercial property policies with business interruption cover. The ICA believes this test case is an important step towards providing greater clarity to insurers and small business customers in the treatment of pandemic-related claims” (Wood, 2020).

Current ERM frameworks must rapidly adjust to accommodate regulatory changes that are desperately being lobbied for by the general public.

  1. 4. Rating agencies

“Whilst we understand the underlying factors that are pointed out by the ratings agencies, we think that during such a time of crisis, where the whole world is recalibrating and redefining its economic status, for any downgrades to be issued during this time is like kicking us when we’re down.” These are the words of the South African Revenue Service Commissioner in an online interview in May 2020 (Naidoo, Reference Naidoo2020). This followed a downgrade of South Africa’s debt by S&P to its worst status in 26 years over concerns that COVID-19 will have a significant negative impact on growth and places even more strain on the country’s ability to recover from the pandemic. The expectations of rating agencies are that several countries, particularly in Africa, will face exceedingly tough futures in the short to medium term and, from a risk management point of view, the resilience of these countries to survive the coming headwinds is severely diminished. Perhaps it’s time for countries and corporates to rethink how to address the risks they face in a climate where the action of rating agencies can contribute significantly to these headwinds.

As anyone who has been involved in a rating exercise knows, an effective ERM framework and a strong credit rating usually go hand in hand. ERM is a key part of the considerations of any rating agency that essentially provides to the broader public a ‘probability of default’ for a corporate entity. A strong framework that demonstrates the ability of an organisation to protect its capital base from unexpected losses is a critical criterion for a strong rating.

In assessing the control processes of a company, the rating agency scores the ability to identify, monitor and manage different categories of risk. These include market risk, credit risk, insurance risk and operational risk. The ability to weather rare but extreme events is also considered and assessed.

As of August 2022, none of the rating agencies have announced material adjustments to methodologies or rating criteria because of COVID-19 to date. However, it is likely there will be discussion on what should be measured going forward by the relevant rating criteria and what the real risk profile looks like.

Rating agencies must also balance communicating short-term credit risks to the market with the need to determine whether any of the short-term credit pressures lead to long-term enduring issues for the issuers. A distinguishing factor in the credit analysis compared to the 2008 market collapse is how apparent the current credit risks are to investors, particularly the short-term risks. This is unlike the complex asset-backed mortgage securities that were much less transparent and difficult to evaluate during the prior recession.

Rating agencies, actuaries, economists, and the world at large will learn from the recent quarter and the upcoming quarters. Soul-searching questions will be asked, such as

  • What preparation could have been taken?

  • What should have been reasonably expected?

  • Should ratings have been adjusted in the short-term due to rating pressure, or is a different rating structure needed to capture risks to investors that are related to short-term liquidity?

Perhaps the questions themselves will also change.

  1. 5. Business partners

Business partners are a cornerstone for companies where many have long standing business agreements and a finely tuned supply chain that optimises profits. But how well do you know your partners, and will they be around during or after a crisis?

This was a pressing question within the automobile industry in Asia following the Tohoku earthquake. Manufacturers faced severe disruptions, and many had to rethink the ‘Just-in-time’ philosophy. Some asked prospective suppliers to include alternative sourcing plans to ensure they can deliver the required goods under new contracts. Many stuck to their current approach to maintain competitiveness. Disasters (natural or man-made) are imminent and supply chain disruptions are bound to follow any such events. It is up to companies to either strengthen or diversify their procurement policy to ensure smooth operations. Contracts with key partners should be evaluated at frequent intervals (both internally and by third parties) to ensure they are fit for purpose.

Business partnerships are also critical for sales. Well established distribution channels help generate steady income while also providing an opportunity to explore new avenues of sales without significantly impacting revenue. Technological advancements and the evolving consumer needs have led to a proliferation of online marketplaces. Would companies prefer to use such established channels or build their own network? Either approach require careful planning and contracts with these entities are vital to ensure that they help enhance the company’s position in the long term. An ERM framework should provide adequate guidance to the management on risks under various distribution channels to help them take an informed decision.

While consumers preferred the digital channels to purchase products and services during the current pandemic, the recent Digitization Acceleration Grant by the Monetary Authority of Singapore also shows the intent from regulators to use this opportunity to push companies to have a more digital mindset in the future (both to increase efficiency and to make companies future-ready).

Most companies perform due diligence before onboarding new business partners. While this is adequate for many partners, is there a need to perform a more in-depth review of the business agreements in place under stressed scenarios? Scenario testing your business plans may help assess the health of current business partners and also plan for alternative arrangements to ensure business continuity. For many outsourced support centres for global financial institutions, Business Continuity Plans are regularly monitored and updated with frequent tests at remote working locations to ascertain the viability of current arrangements. For many, such tests may have provided a glimpse of managing employees remotely and be better prepared for events like COVID-19.

However, how proactive are companies in reviewing business continuity and is this process just on a piece of paper or tested meticulously to ensure preparedness? Business Interruption is and will always be one of the key risks for any company. While they may be an integral part of any risk register, as Neil Cantle explains in his blog (Cantle, Reference Cantle2020), we need to make these discussions more active and the ERM framework should consider appropriate communication channels to help stakeholders understand the risks.

10.2. Summary

  • Employees are (or at least should be viewed as) the main asset of any company, especially for those industries that depend on intellectual or human capital. Commitment to staff retention in a stressed economic climate will have significant advantages post-crisis.

  • Customer acquisition and retention strategies must keep pace with the changing trends and the review of these strategies should be embedded within the risk management frameworks.

  • Current ERM frameworks must rapidly adjust to accommodate regulatory changes that are desperately being pushed for by the general public.

11. Assessing “Effectiveness”?

11.1. Practicalities around Assessing Effectiveness of ERM Frameworks

ERM is a corporate function that aims to manage and reduce enterprise-wide risks based on a holistic framework. In this context, ERM is a concept or approach rather than a unique tool that applies equally to all organisations across several industries. Every industry operates with a key set of risks and the characteristics of each risk differ from time to time depending on internal and external factors driving the total risk in each industry. Further, firms’ ERM initiatives are a support function rather a direct profit generating activity.

Consequently, the effectiveness of ERM is a time and context driven issue and cannot be measured in absolute terms that applies uniformly under all circumstances. Historically, there has been a long debate on the purpose of a commercial firm – whether it is solely profit making for its stockholders or contributes to society. In line with Milton Friedman’s Reference Milton1970 doctrine (Milton, Reference Milton1970), classical economic theory in the context of a free market advocates that profit making, which integrates social responsibility, should be the only objective of commercial firms. In contrast, from the moral and ethical perspective, Edward Freeman (Reference Freeman1984) argued that corporations should actively focus on meeting the needs of society rather than maximising profit solely for their stockholders. Although the tension between shareholder value versus stakeholder value is yet to be resolved, there is a recent move towards the environmental, social and governance (ESG) frameworks of large corporations to measure their corporate performances. However, unlike financial measures of corporate performance, such as Tobin’s Q, cumulative abnormal returns, return on assets (ROA) and excess stock market returns, non-financial measures like ESG contributions are still voluntary.

In this context, one can argue that insurers’ ERM effectiveness can be measured in an integrated framework combining both the traditional financial and the non-traditional ESG disclosures. As mentioned earlier, every industry has a unique way of designing their ERM programmes depending on the preferred set of key risks and opportunities in line with their revenue generating functions. In theory, the outcome of these functions should be captured in both financial and ESG performances. However, ESG reporting is comparatively new, and it is evident that the insurance industry only started reporting their ESG performance in 2007. Moreover, the ESG disclosures are not formally audited and in many cases the data are incomplete.

11.2. Methods of Effectiveness

Classical finance theories suggest that a firm’s current stock market performances represent a prediction of its accumulated future activities. This means that a firm’s stock price integrates the risk and opportunities arising from its operational and strategic functions in the presence of uncertainty. It is evident that insurance companies’ corporate performances are influenced by major events like natural catastrophes, financial crises and pandemics (as can be seen in Figure 5). In the literature the link between insurance prices and natural catastrophe events is well explained by the underwriting cycle. However, the impact on insurer’s stock price by the COVID-19 pandemic is not well explored. The following is a description of the method used to measure the impact of COVID-19 on selected ERM-practising insurers’ stock market performance compared to a range of other events that affected their earnings and profitability. Considering the practical limitations of the non-financial data, as explained above, the model accommodates only financial data to predict the effectiveness of ERM compared to the following events.

  • 2001 September 11th incident: World Trade Centre losses in 2001 impacted the insurance industry by over $22 billion (Terrorism risk: A reemergent threat, 2004). As a result, there was a significant increase in reinsurance rates despite the government’s bailout.

  • 2001–2002 credit crises: Following the long bull market from 1982 to 2000, the world stock market crashed in 2002. The market capitalisation plunged by billions of dollars. Price losses in the US capital market were calculated at $7 trillion beginning in March 2000. In the insurance sector, life insurers in particular struggled to generate cash from their businesses. Consequently, many life insurers were forced into a fire sale of their equity portfolios and withdrew unprofitable businesses.

  • 2002: Insurers settled a substantial amount of losses for D&O related losses arising from the collapse of Enron and WorldCom. Thereafter the cost of D&O insurance went up by 260% from mid-2001 to mid-2003, driven by the lawsuits that arose from the accounting scandals of these companies.

  • 2004: Insured losses from hurricanes Charley, Frances, Ivan, and Jeanne were priced at $28 billion and the economic losses were calculated at $56 billion (Call for Reform in the Residential Insurance Market after Hurricane Katrina, 2010; Macroeconomic and Budgetary Effects of Hurricanes Katrina and Rita, 2005).

  • 2005: KRW worst-ever insurance loss from hurricanes Katrina, Rita, and Wilma (KRW) in 2005 was estimated at $65 billion and total damage to the economy was calculated at $170 billion (Ten-Year Retrospective of the 2004 and 2005 Atlantic Hurricane Seasons, 2014). The loss resulted in higher insurance prices and restricted coverage in the areas likely to be hit by natural catastrophes. A recent study conducted by Aon Insurance of stock price reaction to KRW found that insurance companies were more sensitive to a single large loss than to an aggregation of loss events (Catastrophe Risk Tolerance Survey: Public disclosures by sector Year-end, 2022).

  • 2007–2008: Sub-prime mortgage crisis and subsequent financial meltdown threatened some renowned insurance companies that had exposure to structured financial products (e.g. collateralised debt obligations (CDOs)). The insurance industry as a whole did hold significant exposure to the financial market, and the life insurance industry was affected by the fall in interest rates. In addition, the industry was negatively impacted by the 2008 equity market disruption that resulted in the erosion of investment income and a reduction in capital reserves.

  • 2008: Hurricane Ike, a Category 2 storm, and the biggest to hit Texas in nearly 50 years, cost $23 billion to the insurance industry (Dismukes and Peters, Reference Dismukes and Peters2011; Swiss Re, 2017).

  • 2011–12: Hurricane Sandy and an earthquake and tsunami in Japan cost the insurance industry approximately $69 billion (Yoshiaki, Reference Lund, Madgavkar, Manyika and Smit2017).

  • 2017: Hurricanes Harvey, Irma, Maria occur and there are losses of $92 billion (Kerjan and Taglioni, Reference Kerjan and Taglioni2017).

  • 2020–2022: Insurers are exposed to COVID-19 losses in both household and commercial insurance policies including commercial property and business interruption, travel, life, health, and liability (OECD, 2020). Although the insurability of pandemics is not fully understood (Richter and Wilson, Reference Richter and Wilson2020), it is expected that the COVID-19 related loss could exceed $100 billion.

$$\matrix{ {Stock\;Market\;Performance\;\left( {ERM\;\;effectiveness} \right)\; = \;{\beta _0} + {\beta _1}Insurance\;Risk\; + \;{\beta _2}Financial\;Risk} \cr {\quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad + \;{\beta _3}Operational\;Risk\; + \;{\beta _4}Hazard\;Risk\;} \cr {\quad \quad \quad \quad \quad \quad \quad \quad \quad + \;\varepsilon \;\left( {Error} \right)} \cr} $$

In the model, ERM is defined within four types of risk, that is, insurance risk, financial risk, operational risk, and hazard risk (CAS, 2003).

Figure 5. Insurers’ stock market performances from 2000 to 2020.

The model is set to predict the effectiveness of each insurer’s ERM framework in terms of their respective stock market returns (the dependent variable). This will eventually help us to observe responses of the ERM of practising insurers to the listed events, including the COVID-19 pandemic. This benchmarking method of assessing the effectiveness of ERM will eventually help the insurers to revise their ERM tools, with limitations, to address the COVID-19 type pandemic risks.

11.3. Summary

Based on classical finance theories, firms’ current stock market performances represent a prediction of their accumulated future activities. This means that firms’ stock prices integrate the risk and opportunities arising from its operational and strategic functions in the presence of uncertainty. Insurance stock market return during the early stages of the COVID-19 pandemic was impacted negatively. The conclusion reached is that insurance companies’ corporate performances are influenced by major events like natural catastrophes, financial crises and ongoing pandemics. The model accommodates only financial data to predict the effectiveness of ERM, considering the market perception of the companies’ insurance risk profiles, financial risk profiles, operational risk profiles and their exposures to hazard risk.

12. Case Studies

In this section, a number of case studies are presented to drive discussions on how risk frameworks and ERM functions across the world are dealing with the ongoing pandemic. These case studies range across topics, geographies, and industries, reflecting the geographic spread and varied experience of the paper’s authors. The authors acknowledge the difficulty in capturing a complete international scope in the case studies and it is not the aim of this paper to provide this completeness. However, any readers who can offer additional global commentary are encouraged to reach out to the authors so that this information can be shared with the wider risk management community.

12.1. Case Study 1: Capital models (Solvency II – Lloyd’s of London) model completeness – adequate allowances for extreme events?

This case study considers the treatment of extreme events within a Solvency II (SII) context. Moreover, this case study looks at the Lloyd’s of London market response to COVID-19 and whether lessons can be learned from a model completeness perspective.

Prior to COVID-19, many risk registers allowed for pandemic risk events. COVID-19 has likely prompted many of these organisations to assess the value of such high-level allowances and whether these considerations were sufficient in covering the liabilities that arose from COVID-19, in order to prepare an entity for a future pandemic event. More specifically, characteristics that may have previously been underestimated include secondary impacts (e.g. the subsequent global economic downturn and widespread lockdowns) resulting in losses across many risk types, the timing of cascading impacts resulting in timescales of months/years rather than weeks, as well as the truly global scale of the event with variations across geographies due to differing political interventions.

Whilst it may be impractical – or even impossible – for an entity to consider a truly complete range of potential extreme events that may happen, events like the COVID-19 pandemic are now anticipated to occur more frequently than has been observed historically (Intergovernmental Platform on Biodiversity and Ecosystem Services, 2020). Moreover, lessons learned from the ongoing pandemic can be applied to extreme events in general. In this case study, we briefly consider specifically the allowance for pandemic/extreme events in capital models and what key lessons can be learned and whether there is an argument for allowing for widespread risks more generally in internal models to enable the conversation (and subsequent preparation) for an extreme event with complex characteristics that may not have previously been observed.

Under SII, capital models consider the 200-year risk measure; to parameterise such a return period, extreme scenarios are considered that may be unlikely to occur but, if they do manifest, they could have a material impact on an entity’s results. Prior to 2020, pandemic risks may have already featured in some capital models, even those who do not operate directly within the life/health insurance sector, through other means, for example the risk registers that generally feed into the operational risk calibration.

However, as the COVID-19 pandemic has highlighted, a systemic risk has the potential to trigger losses across an entity’s risk spectrum simultaneously (for example investment return risk, premium risk, reserve risk, operational risk, credit risk, liquidity risk and regulatory risk) and not just independently within risk types (e.g. across different elements of operational risk or different business classes within underwriting risk).

Many capital models will likely have already conducted reviews in light of COVID-19 and a good example of this is the work carried out by many syndicates over the summer of 2020 in response to Lloyd’s of London setting the pandemic as an explicit “Focus Area” (Lloyd’s of London MRC Syndicate Capital, 2021). Lloyd’s made it clear that “penal” loadings would be applied “to any syndicates that have not made appropriately logical or comprehensive” considerations and responses to the “the implications of recent/ongoing experience on their risk profile.”

Model updates of course would have varied on a syndicate basis but included reviews and updates to items such as distribution parameters across all risk types, volatility assumptions, dependency assumptions, any third-party data sources (such as any economic scenario generator (ESG) data due to the ongoing economic downturns) as well as allowances for extreme tail events/events not in data (ENIDs). Further details split by risk type can be found in Lloyd’s’ February 2021 capital briefing slides (Lloyd’s Capital Briefing, 2021).

In particular, there was a focus on determining not only the direct impacts but also the secondary effects of COVID-19 (shown in the exhibit - Figure 6) as well as conversations relating to whether model changes should be “temporary” or whether the pandemic should be treated as a “near-miss event,” which can be used to prepare for other events that “may have similar impacts,” for example, prolonged cyber-attacks, climate change or other global lockdowns.

Figure 6. Lloyd’s of London COVID-19 response best practice guidelines for secondary impacts.

Furthermore, one of the areas of focus for 2021 is looking more deeply at “model completeness.” After all, in the context of capital setting, syndicates take the 1:200 from the full uSCR (ultimate solvency capital requirement) distribution, which by definition should include allowances for ENIDs.

Following on with this train of thought, this case study investigates whether there is an argument to allow for a generic systemic risk distribution in internal capital models to help with this “model completeness” point. Practically, all potential ENIDs cannot be accounted for in capital models but a systemic risk distribution allowance that simultaneously triggers losses within and across risk types, like the impact of COVID-19, could allow for events that are otherwise materially missing from current calibrations.

The need to “load” or materially “update” parameters and assumptions during 20202022 reflected the fact that current solvency capital models had insufficient allowance for an event with such characteristics as those discussed. “Temporary” allowances may be suitable while this pandemic is ongoing, but once those losses move from being previously an ENID to instead being within the historical data set used for calibration, proactive attention needs to be given to whether there are sufficient allowances for other potential ENIDs with similar profiles.

This shifts the focus from reactive capital models to more proactive ones. This should not be seen as an unnecessary capital loading but rather a catch-all allowance for ENIDs that can capture losses or at least simultaneous risk triggering that would otherwise be missing from models.

For this to be a meaningful distribution that can help an entity assess the impact of such events on its business but also drive the discussion regarding the extent to which exposures to these events are understood, parameters would need to be selected in a meaningful way, relevant to the entity in question. Practically speaking, this may be set up simply by having a loss that triggers simulated losses across various parts of the model (across and within loss types) with a certain frequency. Alternatively, this functionality could be expanded to instead be set up as a distribution parameterised by considering a series of key potential events (their associated losses and return periods) and fitting a distribution (albeit crudely) through these points in order to give a “systemic risk allowance” distribution.

Of course, there are many areas of parameterisation that would need to be considered and it falls outside the scope of this case study to elaborate on all such features. However, to illustrate, one good example would be the volatility of losses, which was another key feature seen during COVID-19. Loss estimates varied dramatically over 2020–2022 and indeed even now industry loss estimates are still fluctuating.

In the context of general insurance, one driver of fluctuations in loss estimates was contract disputes, as was seen in the case of the FCA test case (Guy Carpenter, 2021). Due to the nature of having little data with which to parameterise, many extreme systemic events are parameterised using “expert judgement,” which may implicitly contain assumptions regarding how a regulator may react – the FCA test case has demonstrated the need to consider potential volatility around loss parameters as such events may trigger material contract uncertainty and disputes.

12.1.1. Summary

Many syndicates in the Lloyd’s of London environment responded to COVID-19 with focussed updates to their pandemic/extreme event allowance in their internal capital models; updates were made to capital model distribution parameters, intra and inter risk dependency assumptions as well as any third-party data sources such as economic scenario generation assumptions.

This case study proposed whether there is perhaps an argument to also allow for a generic systemic risk distribution in internal capital models to help with “model completeness”; a distribution that simultaneously triggers losses within and across risk types that could allow for events that are otherwise materially missing from current calibration.

12.2. Case Study 2: Climate Change – What Can We Learn from COVID-19?

Climate change has been at the forefront of the global political agenda in recent years. Despite the emergence of COVID-19 in early 2020, the risks associated with climate change are still very much a concern, as highlighted by the World Economic Forum’s 2021–2022 Global Risk Report (World Economic Forum, 2021), where environmental risks still feature prominently.

While the implications of COVID-19 are well documented, it does provide us with additional food for thought on how the risks from a changing climate could impact different regions of the world. In this case study, we examine how we can learn from the ongoing economic implications of the pandemic and its relationship with the expected economic ramifications from climate change risks. Despite both risk sources having very different time horizons and magnitudes, they both share similar economic consequences.

12.2.1. Required effort to meet Paris agreement goals

One of the immediate impacts of the pandemic was the reduction in global travel, which resulted in a significant reduction in global carbon dioxide emissions (McGrath, Reference McGrath2020; International Energy Agency, 2020). While this may be seen as a positive development against the backdrop of the pandemic, it helps to put into context the amount of effort required globally to achieve the targets set out by the Paris Agreement. To that effect, it has been estimated that a similar reduction is required every year for a decade to be able to meet these ambitious targets; clearly a significant amount of collaboration and effort will be required from all parties to achieve this.

12.2.3. Potential impact of climate change

Despite the attention that has been given to climate change, the main challenge is to understand, and perhaps visualise, the potential impacts of climate change on the economy. This has similarities to being asked a question on the economic ramifications of a global pandemic, prior to the onslaught of the ongoing COVID-19 pandemic in early 2020. However, the pandemic has led to an increase in unemployment rates and redundancies (shown in Figure 7), and an increase in government spending (shown in Figure 8) to help businesses and individuals pull through this difficult time, alongside a negative impact on global real economic growth (GDP). These are the same macroeconomic risks that we can expect to happen from climate change, so to some extent it helps to put into context the potential economic impacts from delayed action in tackling climate change. It should be noted that while the consequences might be similar, the magnitudes could be very different, with climate change risks expected to be more severe than what we have historically experienced. More importantly, climate change is also expected to be an event that is potentially irreversible.

Figure 7. (a) Unemployment (BBC, 2020) and (b) Redundancies (BBC, 2020) in the UK over time.

Figure 8. (a) Public sector net debt in the UK over time (Gov.uk, 2020) and (b) Real GDP growth globally in 2020 (International Monetary Fund, 2020).

12.2.4. Impacts will be disproportionate across sectors

The pandemic has caused disruption to financial markets where significant falls in share prices were observed during the pandemic peak in March 2020. However, shares seem to have largely recovered as seen by looking at how equity indices such as the FTSE 100 in UK have recovered.

However, when we start to dig deeper into the different sectors, we observe some variations. For example, sectors such as oil and gas have been affected significantly, while sectors such as tech, hardware and equipment have proven to be resilient and even experienced positive movements. This resembles how we expect climate change to affect the financial markets, where different sectors, particularly the ones that rely heavily on fossil fuels, will be affected differently. This highlights the importance of assessing the resilience of investment portfolios to different risks, even those that are challenging to model such as climate change risks.

Another interesting observation is that the Prudential Regulation Authority (PRA) in the UK previously ran a stress test exercise in 2019 where they specified climate change stresses versus asset values for different sectors (shown in Figure 9). One of the sectors considered was oil and gas where the PRA proposed a stress ranging between −30% to −48% for the oil sector and −15% to 25% for the gas sector. This may seem like an extremely onerous stress but the actual experience from the COVID-19 pandemic has already exceeded the PRA’s proposed stress scenarios.

Figure 9. Yield to date changes in share price found by extracting FTSE 100 index data (Shares Magazine, 2020) and the stresses from the PRA as part of the 2019 Life Insurance Stress Test exercise (Bank of England, 2019).

12.2.5. Increasing investor focus on environment, social and governance (‘ESG’) considerations

There has undoubtably been an increase in investor focus on ESG considerations over recent years and the pandemic has helped to place more attention on ESG. As we have seen, the airline industry has been quite significantly affected by the COVID-19 pandemic and there have been headlines that highlight governments being pressured to put climate-related conditions on any bailouts provided. This decision by the government reinforces to investors that the long-term sustainability of these companies is linked to their environmental efforts. In addition, we have also seen a number of analyses that show that ESG focused funds have outperformed their non-ESG counterparts during the course of the pandemic. As shown in Figure 10, sustainable funds have outperformed traditional funds, which further highlights the importance of sustainable investing.

Figure 10. Morgan Stanley sustainability reality: 2020 update. The analysis is based on January 2020 to June 2020 data (Morgan Stanley, 2020).

12.2.6. Conclusion

While it is hard to claim that the impact from climate change will be similar to the impacts from the pandemic, what we have observed over the last two years has helped to put the following into perspective:

  1. 1. Tackling climate change risks and their associated consequences is a significant task and will require a global effort.

  2. 2. The impacts we expect from climate change risks, such as various disruptions to the global economy due to physical and transition climate risks and the economic implications for different sectors are not an academic exercise, as observed from the ongoing consequences of the pandemic.

  3. 3. Sustainability considerations and ESG risk factors are gaining momentum and becoming more significant risk drivers in assessing the risk profile of companies worldwide.

12.3. Case Study 3: COVID and Acts of God using Jordan as a Case Study

COVID-19 and the resulting public health measures taken by the public authorities in Jordan have caused heavy financial losses to businesses. Many of these businesses have insurance policies which cover them against losses arising from interruption of business due to various causes. The general nature of clauses within these policies provides insurance cover for business interruption loss caused by occurrence of a variety of risks, such as a notifiable disease; or business interruption losses resulting from measures taken by public authorities to prevent the spread of a disease, such as lockdown measures that prevent access to business premises. Likewise, they provide insurance cover against business interruption losses resulting from fate or loses that are a hybrid or combination of previous causes.

Over the past year an interesting development has been brewing in Jordan between the banking and insurance sectors. As a result of the COVID-19 pandemic, and the economic effects that followed, thousands of borrowers in Jordan have found themselves without income. This situation created a significant rise in bank credit risk exposures across both the retail and corporate sectors. The actual default experience from bank credit exposures due to COVID-19 related economic and mortality risks has risen to elevated levels. Therefore, insurance companies are no longer taking the responsibility to cover claims on defaulted debt instruments that arise due to the death of the borrower from COVID-19. Consequently, thousands of claims by the banking industry made under such policies have not been honoured by the insurance sector on the grounds that the policies do not cover certain effects of the COVID-19 pandemic.

Banks in Jordan buy insurance policies from insurance companies that protect them against credit risk where obligors (borrowers) are unable to meet their contractual obligations due to unforeseen circumstances or death. Banks pay a premium to the insurance provider and receive an agreed amount or compensation if the borrower dies or defaults prior to the maturity of the debt. The underlying debt that is insured takes many forms, such as personal loans, mortgages, car loans, credit card loans etc. As a result of the COVID-19 induced credit and liquidity stress in the banking and insurance sector, insurance companies found themselves unable to meet the COVID-19 induced excess claims due to COVID-19 related deaths and business interruption. The Actual excess deaths and business interruption caused by COVID-19 far exceed their base and stressed actuarial assumptions, and therefore they do not have the sufficient capital to meet the rise in COVID-19 related claims arising from their business interruption policies. Hence, they began to brand COVID-19 related deaths as Acts of God to limit the liquidity and capital erosion damage caused by the pandemic and to stop honouring their obligations to banks. Banks in turn, and the government, reacted by not labelling deaths in Jordan as caused by COVID-19 as they did earlier in the pandemic.

From a risk perspective, pandemics such as COVID-19 and extreme weather events driven by a changing climate such as storms, floods, heat waves, droughts, wildfires, and cyclones are characterised as “systemic” in nature. This is because they have the potential to cause a system-wide breakdown or significant disruption to man-made economic, financial, and security systems supporting our way of life. Similarly, each of these events is called an “extreme” risk event because they are “rare,” that is, events that are generally seen as deadly surprises, happening outside everyday experience, and their likelihoods are difficult to estimate. These events can cause a huge change in everyday life, at least locally, and they do have the momentum to turn society upside down in a few months, days or even minutes by causing massive destruction to human life and property.

There have been warnings that 1.7 million unidentified viruses known to infect people are estimated to exist in mammals and water birds (Scientists warn worse pandemics are on the way if we don’t protect nature, 2020). The transmission of any one of these viruses to humans may be more disruptive and lethal than COVID-19. Likewise, according to the Swiss-Re sigma report in 2021 (Bevere and Weigel, Reference Bevere and Weigel2021), global economic losses from natural and man-made catastrophes were $202 billion in 2020, up from $150 billion in 2019. Furthermore, according to EM-DAT (2021), the international global database on natural and technological disasters, in 2020, there were 384 global disasters including droughts, earthquakes, extreme temperatures, floods, landslides, storms, wildfires and volcanic activity, affecting 95,214,166 people, and claiming the lives of 14,856 worldwide.

Moreover, extreme weather events are projected to worsen over the next century, as the global annual mean temperature is expected to increase by as much as 4 degrees Celsius. In a 2007 study by two US national security think-tanks, it was concluded that 3 degrees Celsius of warming and a 0.5 m sea-level rise would likely lead to outright chaos” causing severe economic disruptions, likely to lead to social instability.

Acts of God provisions, also called “Force Majeure” clauses, relate to events outside human control, like flash floods, earthquakes and other natural disasters. Generally, these provisions eliminate or limit liability for injuries or other losses resulting from such events. According to a ruling in the United Kingdom House of Lords (Transco plc (formerly BG plc and BG Transco plc, Reference Richter and Wilson2022) “‘Act of God’ was always a common law exception. It was metaphorical phrase (like ‘fate’) with a religious origin used to describe those events which involved no human agency and which it was not realistically possible for a human to guard against: an accident which the defendant can show is due to natural causes, directly and exclusively, without human intervention and could not have been prevented by any amount of foresight, pains and care, reasonably to be expected of him.

Many of the processes in life can be approximated using a bell-shaped distribution. The bell shape indicates that most outcomes or events will be concentrated in the centre and some events will happen away from the centre but with lower probability. High impact, low probability events happen in the hidden part of the distribution, or what we call the tail or wing. Over the past several years, what we used to consider “rare and extreme events,” manifesting in the hidden part of the “distribution” (the tail), are becoming more frequent and slowly moving to the centre of the distribution (or even changing the shape of the distribution). It seems that from very recent history, true extreme events, occurring in the new tail of the distribution, are yet to be experienced. In other words, under the current global emerging risk landscape, a future 1 in 100-year loss may exceed today’s 1 in 1000-year loss. Consequently, the associated loss may more than double.

Therefore, based on the new evidence on the frequency and severity of emerging risks and the definition of Acts of God in law, a question arises as to what legally and statistically constitutes an “Act of God” event. This is defined as a rare risk event with low probability, causing severe consequences for human built systems in the old risk trajectory. This seems to be different from what is contained in the current risk trajectory, particularly when the totality of scientific evidence indicates that the climate and biodiversity crises and recent pandemics are all a direct consequence of human activity. Since these events are rising in frequency and severity, their characterisation as being improbable or rare, and that the underlying cause is directly and exclusively, without human intervention, seems to be no longer valid. For this reason, we need to explore the statistical and probabilistic pillars of what constitutes an Act of God in the new risk environment and whether the old definition is still a valid definition. In doing so we must take into account the updated distribution of the frequency of outcomes of emerging risks that were previously considered under the old risk environment to be rare and under the new risk trajectory are becoming more frequent and severe.

12.4. Case Study 4: The impact of the COVID-19 pandemic on stress and scenario testing – an insurance industry perspective

The risk management function within insurance and reinsurance companies (hereafter referred to collectively as “insurance companies”) gained a central role due to an increasingly onerous regulatory environment and also due to dealing with ongoing emerging risks such as the COVID-19 pandemic and severe weather events among others. In recent years, insurance companies strengthened their risk management frameworks by learning from past emerging risk events such as the global financial crisis and catastrophic events such as windstorms, earthquakes, and wildfires, and developed more sophisticated approaches to stress and scenario testing.

With the onset of the COVID-19 pandemic, risk management functions had to adopt new processes to monitor both existing and new risks. The pandemic led organisations to test the effectiveness of their ERM frameworks and to investigate whether their stress testing scenarios were sufficient in capturing extreme risk events. For example, have ERM frameworks adequately captured the occurrence of a range of economic and risk scenarios occurring simultaneously due to an extreme risk event? The latter aspect concerns the material accumulation of risks across the life, health, property and casualty and investment risks. These risks were largely uncorrelated in pre-COVID-19 scenarios. However, it has become more important for risk analytics to be able to measure the correlations between these risks and understand how these fit within the insurance company’s risk appetite and tolerance limits.

A special report by A.M. Best (Reference Best2020) highlighted that stress testing and assessment of non-modelled risks were areas of weakness, in particular where stress testing is not mandated by supervisory authorities. As Figure 11 sourced from this report illustrates, both areas are the least developed components of the Risk Framework Evaluation.

Figure 11. A.M. Best Special Report: COVID-19 Highlights Weaknesses in Insurers’ Enterprise Risk Management (Best, Reference Best2020).

12.4.1. What are the lessons learned?

Stress and scenario testing

In the United Kingdom, the Prudential Regulation Authority (2020) performed a COVID-19 stress test for both general and life insurance companies. The key findings were:

  • Life insurance companies: the stress tests focused on a further economic deterioration, above that experienced during the first three months of 2020, and in particular aimed to capture the impact of credit downgrades as a key risk for life insurers with matching adjustment portfolios. The results indicated that most life insurance companies are sensitive to a severe downgrade stress. However, there are several management actions that can be implemented to absorb such losses.

  • General insurance companies: the stress tests applied were on: [i] underwriting losses based on the Gross Domestic Product path and length of lockdown in the Monetary Policy Report scenario (Bank of England, 2020); [ii] revenues and earnings due to premium holidays, lower economic activity, and/or an increase in bad debts; and [iii] liabilities, including those from business interruption claims. The results show that general insurance companies are resilient to these stresses under the assumption that the insurance policies work in line with insurers’ current expectations. The key uncertainty noted by the PRA was: “the difference between insurers and policyholders as to the interpretation of some business interruption contract wordings in the context of the COVID-19 pandemic. To test this sensitivity, we stressed the assumptions made by firms around the robustness of their policy wordings. This showed that the sector was in aggregate resilient, but the level of uncertainty is high and some more severe scenarios could have a significant impact on the capital positions of a few firms.”

The analysis showed that the: “(insurance) sector was robust to downside stresses, with the highest uncertainty centred on certain general insurers’ liabilitiesparticularly those arising from business interruption claims” (Prudential Regulation Authority, 2020). The PRA requested insurance companies to closely monitor any additional risks presented by the COVID-19 pandemic, update their risk and capital assessments as the situation evolves and take appropriate management actions where necessary.

At a European Union Level, the European Insurance and Occupational Pensions Authority (“EIOPA”), on 22nd December 2020 issued a consultation paper titled “Consultation on the Supervisory Statement on ORSA in the context of COVID-19” (European Insurance and Occupational Pensions Authority, 2020). The ‘Own Risk and Solvency Assessment’ (“ORSA”) is designed and considered as an important and effective tool for risk management. The ORSA as a risk management tool should provide an assessment of the potential impact the COVID-19 pandemic on an insurance company’s risk profile. It should also ensure that an insurance company has sufficient capital to absorb possible losses and help steer the business through periods of adversity. A component of the ORSA process is the forward-looking stress tests (including reverse stressing) and scenario analysis. This document inter alia proposes that the forward-looking stress tests/scenarios/reverse stress tests reflect the impact of the COVID-19 pandemic in the ORSA and should:

  • “Consider the conditions observed at a given moment and any expected stresses, for example on capital markets, claims development for both non-life business (e.g. business interruption, travel, event cancellation, medical malpractice) and life business (e.g. claims arising from higher mortality and sickness rates), and the impact on operational risks (e.g. digital resilience, business continuity).

  • Include an assessment of the soundness of the business model from a forward-looking perspective.”

The above stances taken by the supervisory authorities indicate that it is likely that the role of stress testing will be increased in the future, with reverse stress testing taking prominence. These tests will not replace the traditional stress tests but are aimed at providing an additional set of stresses/scenarios that insurance companies should consider when assessing the impact of extreme events. The COVID-19 pandemic is putting additional requirements on risk management functions to produce stress testing results that are realistic and practical in a rapidly changing economic environment. An example of this is an assessment of the impact of legal and reputational risks resulting from the claims directly related to COVID-19.

Pandemic risk and their interdependencies

It is likely that there are accumulations of risk that insurance companies have not previously considered, and which have been exposed by the COVID-19 pandemic. For example, the increased globalisation and movement of people meant that pandemics cannot be mitigated through geographic diversification. Also, the pandemic affected both the liabilities (for example through additional reserves held following an increase in claims) side and the assets side through a reduction in asset values of an insurance company’s balance sheet. Both areas have been deemed relatively uncorrelated in the past. As a result, insurance companies were unable to mitigate the impact of the COVID-19 pandemic through diversification. In future, actions that could be taken to ensure diversification include:

  • insurance companies have a better understanding of the interrelations between risks,

  • when performing stress and scenario testing, insurance companies should apply more sophisticated modelling and measurement tools to model and assess pandemic risk, and its impact on the business

  • Insurance companies should have the tools to ensure that low frequency and high severity risks are appropriately managed and mitigated.

12.4.2. Summary

The COVID-19 pandemic challenged the insurance industry’s resilience in the face of extreme events. Although there is a consensus that the insurance industry is well capitalised to withstand the costs related to the COVID-19 pandemic, there are lessons to be learned. A key finding is that insurance companies should equip themselves with tools to allow them to robustly identify extreme risk events and quantify their exposures to these types of events, based on robust risk management frameworks. Frameworks such as stress and scenario testing should be sufficiently dynamic to react to surprising and sudden changes in the risk environment.

12.5. Case Study 5: Hong Kong’s Insurance Industry Reaction to COVID-19

Hong Kong residents will never forget how the Severe Acute Respiratory Syndrome (SARS) outbreak struck the city in 2003. Around two thousand people were infected, and another 286 people lost their lives (Hung, Reference Hung2003). The economy of the city was badly hit with economic growth (GDP) falling by 3.1% (Census and Statistics Department Hong Kong Special Administrative Region, 2020) during that year along with a surging unemployment rate reaching 8.8% during May–August 2003 (Census and Statistics Department: The Government of the Hong Kong Special Administrative Region, 2021). The memory of this incident and lessons learned from it paved the way for Hong Kong’s government and local industries to take swift and decisive actions to minimise the effects of the ongoing COVID-19 pandemic.

This case study focuses on the insurance industry, a sector that is adversely affected by the pandemic in terms of revenue (an agency-intensive model that heavily depends on face-to-face interactions with clients) and the expenses (the expected excess claims outgo due to extra mortality and medical expenditures caused by the pandemic). Here we describe how the local Hong Kong insurance regulator and the industry reacted to the pandemic in terms of risk-mitigations strategies.

This case study illustrates how an insurance regulator, insurers and insurance intermediaries can prepare and respond to a future wave of COVID-19 pandemic and its variants, or to a completely new pandemic outbreak. Such information can also be used as a reference in designing the ERM policy of an insurance company for constructing and building future pandemic scenarios.

12.5.1. Measures adopted by insurance authority

The Insurance Authority (“IA”) is the local regulator of the insurance industry in Hong Kong. It was established under the Insurance Companies (Amendment) Ordinance in 2015 (“IC(A)O”) (Insurance Authority, 2020). The IA is independent from the Government, and it complies with the requirements of the International Association of Insurance Supervisors. Insurance regulators should be financially and operationally independent of the government and industry. It aims to maintain the regulatory infrastructure to facilitate a stable development of the insurance industry in the region, while safeguarding the interests of policyholders. Since the early stages of the COVID-19 outbreak, the IA has been very vigilant in observing developments on the spread of the pandemic to mitigate large-scale community transmission and its associated impacts on the business continuity of insurance companies. Here we list three main initiatives the IA has put in place to ensure that the authorised insurers and insurance intermediaries in Hong Kong can continue their operations with social-distancing and quarantine measures in place.

  1. 1. Temporary facilitative measures regarding the regulated transaction process

During the pandemic outbreak, it was not easy for licensed insurance intermediaries (both agency forces and brokers) to have face-to-face marketing activities to approach potential clients or communicate with existing customers. This was an obstacle for new business sales, and it affected the quality of service delivered to policyholders. To minimise the risk of viral infections in the insurance sales process, while at the same time not jeopardising the interests of policyholders, IA swiftly issued a set of Temporary Facilitative Measures (TFM) starting in February 2020 (Insurance Authority, 2021; Insurance Authority, 2020; Insurance Authority, 2021).

Not all insurance products are covered in the scheme. Only simple protection products listed below are covered. Complicated products (e.g. Investment-Linked Assurance Schemes (ILAS)) are excluded from the scheme.

  1. (i) Qualifying Deferred Annuity Policy (“QDAP”)

  2. (ii) Voluntary Health Insurance Scheme (“VHIS”)

  3. (iii) Term insurance policies

  4. (iv) Refundable insurance policies without substantial savings components

  5. (v) Renewable insurance policies without cash value, providing insurance protection (e.g. hospital cash, medical, critical illness, personal accident, disability, or long-term care cover).

In the sales process, all non-face-to-face (F2F) distribution means, including but not limited to digital, postal, tele-marketing and video-conferencing are permitted in the distribution of products. Wet signatures can also be replaced by means of electronic signature, personal identification number (“PIN”) verifications, one-time passwords, or onsite recording. However, the principle of fair treatment of customers shall still be strictly adhered to by authorised insurers and licensed insurance intermediaries. It is important to note that the principle of upfront disclosure stipulated in supervisory requirements as per respective guidelines for the sale of long-term insurance policies are unchanged, that is, proper disclosure of product features, risk and benefit illustration at the point-of-sale and post-sale confirmation calls for vulnerable customers under Guideline 16.

Without face-to-face interactions it would be difficult for insurance agents and brokers to gather adequate information from potential customers, for example, via conducting the Financial Needs Analysis (FNA) which is required statutorily per Guideline on Financial Needs Analysis (GL30) before intermediaries can make recommendations to their customers. Under the TFM, intermediaries still need to make upfront disclosure to make sure customers are aware of the features, risks, and nature of the insurance coverage prior to the purchase decision being made by the customers. Such disclosures need to cover the following key items: policy type and nature; target benefit period; payment period; level of premiums payable; prominent warning to the customer concerning affordability of the policy during the entire premium payment period and relevant information highlighting the liquidity risk associated with the product. If in any case during the sales process, intermediaries realise any issue of concern about the affordability of the policy for the clients, they should discontinue the sales process.

With the simplified insurance sales process, less information is required from policyholders before signing an insurance contract. This could lead to higher risks of mis-selling and a surge of ensuing complaint cases. To protect the interests of insurance policy holders affected by the compromised sales process, intermediaries are required to disclose important product information at the point of sale. The statutory required cooling-off period has also been extended from no less than 21 days to no less than 30 days. Furthermore, IA has also required the authorised insurers and intermediates to issue adequate company policies, standard procedures and training to staff members, to keep track of and control the sales of insurance policies that are changed when TFM are in place.

  1. 2. Stepped up surveillance on macro-prudential risks

At the early stage of the pandemic the mortality rate of infected individuals was still developing and unknown. The pandemic has shocked global financial markets. As a result of the economic downturn, life insurers suffered most from skyrocketing claims figures due to soaring deaths and hospitalisation expenses. Also, their investment returns were jeopardised by the fall in bond prices and widening of credit spreads and fall in global stock markets. Their solvency ratios were adversely affected by the unprecedented flattening of risk-free yields across all currencies. All of these combined market and credit risks posed great systemic risk to the life insurance industry.

To enable early detection of any potential risk of bank-runs leading to a banking crisis, IA intensified the monitoring work on the solvency positions of authorised insurers. Beyond the routine inspections and regulatory filings requirements, IA conducted stress tests to ascertain the capital and liquidity positions of the authorised insurers during COVID-19 induced market stress (Insurance Authority, 2020). With such pre-emptive interventions implemented prior to big crises, the industry can avoid and minimise the devastating economic, financial, and societal consequences that arise from a sudden collapse of a major insurance player.

  1. 3. Adopting supportive measures on regulatory levels

Understanding the difficulties faced by insurance companies, IA provided flexible measures for them to reduce their operational burdens in terms of statutory guideline compliance. For example, it has deferred the timeline for the implementation of full compliance for some of the planned regulatory requirements (e.g. GL25 Guideline on Offering of Gifts, GL27 Guideline on Long-Term Insurance Policy Replacements, GL31 Guideline on Financial Needs Analysis) (Insurance Authority, 2020). Also, it provided feasibility for the authorised insurers to defer their annual filing document submissions (Insurance Authority, 2020).

From an actuarial perspective, there is a change implemented in terms of investment valuation enhancement for authorised insurers writing long-term insurance. This is a collaborative action taken by the IA with the Actuarial Society of Hong Kong (ASHK) to revise the original prescribed approach of valuation interest rate termination.

In 2008, ASHK issued a “Notice for Appointed Actuaries: Chapter 41E – Reinvestment Yield for Reserving,” which has been an acceptable reference by the IA as an approach for authorised long-term insurers to adopt for determinations of reinvestment yields in their actuarial valuation reports (The Actuarial Society of Hong Kong, 2008). Chapter 41E sets down the rules for a minimum valuation basis, and that Appointed Actuaries of authorised long-term insurers must confirm whether the valuation basis is suitable and adequate, in addition to whether minimum requirements are met.

As per ASHK, this was a reliable method for most of the long-term insurers to use in preparation of their submitted audited reports. However, when COVID-19 was declared a pandemic by the World Health Organization in early 2020, interest rates across all major currencies fell to unprecedented levels and became highly volatile. This has put great pressure on insurance companies’ balance sheets under the current regulatory-prescribed liability valuation framework, which was not designed for such extreme market conditions. To tackle this, ASHK formed the “Low Interest Rate Working Group” (LIRWG) consisting of senior actuaries and consultants from the Hong Kong life insurance industry to explore ways to address the situation.

Given the observed dislocations in the financial market, LIRWG noted the guidance offered by the International Association of Insurance Supervisors as per the Insurance Core Principle (ICP) 14, Valuation, at ICP 14.3.7: “In some circumstances, a market price may not necessarily provide a decision-useful basis for a valuation. If the reference market is dysfunctional or anomalous in its operation, a more reliable method of determining value based on more normal conditions may be appropriate. Such circumstances may occur, for example, if there is a high cost in making actual trades, trading is thin, independent pricing sources are not available or are limited, or the market is subject to distorting influences.” (International Association of Insurance Supervisors, 2019). For such, LIRWG revised the recommended example in 2008 Notice to give more weights to historical averages than the observed risk-free rates as of the valuation date.

For readers interested in the technical details, refer to “Explanatory Note for Appointed Actuaries: Chapter 41E Supplemental Information on the Reinvestment Yield for Reserving” issued by ASHK in April 2020 (The Actuarial Society of Hong Kong, 2020).

12.5.2. Measures adopted by the authorised insurers

Apart from the measures directed and taken by the insurance regulator, many market participants in the insurance industry have taken numerous voluntary measures to aid policyholders in coping with the pandemic (The Hong Kong Federation of Insurers, 2020).

Given the foreseen possibilities that policyholders would face difficulties in renewing their coverage, either because it is hard to meet the agents or in terms of financial issues caused by short-term unemployment, some insurers have extended the grace period for premium payments to up to 180 days.

In terms of protection, many insurers have upgraded their benefits in terms of limited-time complimentary coverage. These include but are not limited to special coverage for vaccination side effects, one-off diagnosis benefits, and hospital incomes for hospitalisations due to the pandemic. For the original coverage, there are relaxations on hospital restrictions, and simplified and expedited procedures to file COVID-19 related claims. There are many other alleviation measures taken by the insurers because of the COVID-19 situation. For further details, please refer to the website “Insurance Dashboard on COVID-19” maintained by the Hong Kong Federation of Insurers.

All of these interventions have not only helped policyholders to maintain their coverage at a difficult time but have also helped insurance companies to mitigate reputational risks, lest the insurers are considered to be not client-focused and not caring enough to provide the necessary protections during unprecedented and difficult times.

12.5.3. Conclusion

In the face of such a rare and unprecedented systemic risk event, it is hard for individual insurance companies to protect themselves and their insured against the risks that arise from the ongoing pandemic, without the leadership and collaborative efforts of the government, regulatory bodies, and industrial bodies. It is through these collaborative efforts that the resulting potential systemic risks to the insurance industry were controlled and minimised. With the experience gained from the ongoing COVID-19 pandemic, stronger risk mitigation policies and guidelines are being created to minimise the impact of future waves, ensuring the mitigation of the risks for both the reputational and business continuity of insurers and intermediaries. These combined efforts will ultimately protect the interests of insurance policyholders and the general public.

12.5.4. Summary

  1. 1. In Hong Kong the entire insurance industry reacted swiftly to the COVID-19 outbreak to minimise its adverse impacts.

  2. 2. The regulator relieved operational burdens on insurers and insurance intermediaries by designing temporary facilitative measures and allowing flexible regulation compliance levels and valuation approaches.

  3. 3. Insurers provided voluntary benefits and extra adaptable features for their policyholders, which helped in maintaining their reputations.

13. Conclusion

As the emerging COVID-19 pandemic has shown, the risks we are facing are changing. The pandemic has led to unprecedented levels of uncertainty across the world. Many of the emerging risks facing the world today, such as pandemics and the extreme impacts of a changing climate are likely to increase in frequency and magnitude as a result of climate change. These emerging risks have the momentum to cause impacts beyond everyday experience, resulting in common consequences across multiple dimensions such as human welfare, economic damage, disruption to essential services, environmental damage, behavioural impacts, and impacts on national security and relations between countries.

The risk assessment of emerging risks in terms of likelihood is immersed in uncertainty. The likelihood of a discrete extreme risk event cannot be accurately quantified, and any risk assessment built on a likelihood-impact matrix of discrete risks can be misleading, and leads to a false sense of confidence, particularly in terms of prioritisation of risk. Furthermore, the current risk assessment of discrete emerging risks is ineffective because of the interconnected nature of many of these risks and the common consequences they create as they rip through society.

Despite the various quantitative easing measures taken by central banks globally and the advanced financial risk management techniques developed as a consequence of the last global financial crisis that occurred in 2008–2009, negative market sentiment during the early stage of the COVID-19 pandemic led to increased financial systemic risk that threatened the stability of financial markets across the world.

Great improvements in medical technologies have meant that the cause and pathology of the virus causing the pandemic are no longer mysterious; together with vaccines being invented and produced at massive scale within a short period of time, they reduced the spread of the virus, but did not eliminate it completely. However, vaccines still cannot stop new variants and mutated virus outbreaks nor put an end to the ongoing COVID-19 pandemic. Therefore, we have to learn from this painful lesson and refine our existing Enterprise Risk Management framework to make it more prospective and resilient so that we are able to better anticipate, prepare and respond to a range of challenging scenarios, including those which we have never experienced before.

One of the lessons we learned from the pandemic is that individuals or even conglomerates cannot prevent themselves from becoming chaotic and dysfunctional when a rare event manifests. Measures such as border-closing and traveller quarantines can only be enforced by governments. New laws and regulations to handle crises of similar severity levels can only be drafted and enacted by lawmakers and regulators across various jurisdictions and industries.

Similarly, industrial associations and confederations should also be prepared to take more active and pre-emptive roles in facilitating risk awareness and business continuity management for their corresponding market participants. Strong leaders are needed to help show the right directions for market participants so that they can steer their own companies in an orderly and safe manner through future pandemics and turbulent times.

However, no matter how efficiently the regulatory environment and industrial best practices are set, Enterprise Risk Management systems of a company work only when it has a disciplined risk management culture. Senior management needs to be prospectively prepared to employ various risk mitigation strategies, including but not limited to: risk transfer arrangements; sufficient allowances for capital buffers; robust methodologies to identify rare, emerging extreme risks; and adverse scenario and stress testing frameworks. Further, risk planning must focus on the impact of extreme risks in terms of primary, secondary, and higher order risks triggered by these events and focus on the common consequences triggered by these risks, so that proper mitigation and response policies are built into risk registers and Enterprise Risk Management frameworks.

Furthermore, management at companies are urged to explore and evaluate emerging risks on an ongoing basis. Companies should catch up with technological improvements such as understanding artificial intelligence and introducing predictive analytics techniques applied in the risk management field. All of these initiatives enable designs of workable and effective action plans and crisis management systems to be implemented swiftly under a range of challenging extreme emerging risk scenarios, including those which we have never experienced before. This ensures business continuity and prevents insolvencies and bankruptcies, thus securing both the shareholders of the companies and all other stakeholders in society.

Acknowledgements

The biggest acknowledgement, and thanks from the authors of this paper, must go to Dawn McIntosh, Communities Development Manager of the Institute and Faculty of Actuaries; without her ongoing support, guidance, and patience, this workstream’s deliverables would never have been reached.

The authors of this report would like to also thank Niharika Bhojwani and Pankaj Pahuja for several interesting conversations on this topic.

Disclaimer

The views expressed in this publication are those of invited contributors and not necessarily those of the Institute and Faculty of Actuaries. The Institute and Faculty of Actuaries do not endorse any of the views stated, nor any claims or representations made in this publication and accept no responsibility or liability to any person for loss or damage suffered as a consequence of their placing reliance upon any view, claim or representation made in this publication. The information and expressions of opinion contained in this publication are not intended to be a comprehensive study, nor to provide actuarial advice or advice of any nature and should not be treated as a substitute for specific advice concerning individual situations. On no account may any part of this publication be reproduced without the written permission of the Institute and Faculty of Actuaries.

Footnotes

This paper was written by the Institute and Faculty of Actuaries’ Covid-19 Action Taskforce, ERM (Risk 1) Workstream. Membership of the contributing authors from the working party.

1 An event thought of as being largely unpredictable.

2 An event which was highly likely and perhaps predictable but was neglected.

References

AON (2020). AON’s 2019 Global Risk Management Survey, available at https://www.aon.com/2019-top-global-risks-management-economics-geopolitics-brand-damage-insights/index.html (accessed 15 August 2020).Google Scholar
AR6 Synthesis Report: Climate Change (2022). Intergovernmental Panel on Climate Change, 19 May 2021, available at https://www.ipcc.ch/report/sixth-assessment-report-cycle/ Google Scholar
Bank of England (2020). Monetary Policy Report and Interim Financial Stability Report – May 2020, 07 May 2020, available at https://www.bankofengland.co.uk/report/2020/monetary-policy-report-financial-stability-report-may-2020 (accessed 02 April 2021).Google Scholar
Bank of England (2021). Stress Testing, available at https://www.bankofengland.co.uk/stress-testing (accessed 24 January 2021).Google Scholar
Baudino, P. (2020). Stress-testing banks during the Covid-19 pandemic. Bank for International Settlements, 10 2020, available at https://www.bis.org/fsi/fsibriefs11.pdf (accessed 24 January 2021).Google Scholar
BBC (2020). UK unemployment rate continues to surge, 10 November 2020, ∼’https://www.bbc.co.uk/news/business-54884592#:∼:text=The%20UK’s%20unemployment%20rate%20rose,National%20Statistics%20(ONS)%20said (accessed 15 November 2020).Google Scholar
Best, A. M. (2020). Covid-19 highlights weaknesses in insurers’ Enterprise Risk Management. A M Best Information Services, 24 September 2020, available at http://news.ambest.com/PressContent.aspx?altsrc=172&refnum=29857&_ga=2.79574679.2016706940.1620765377-955847305.1620765377 (accessed 02 April 2021).Google Scholar
Bevere, L. & Weigel, A. (2021). Sigma 1/2021 – Natural catastrophes in 2020. Swiss Re, 30 March 2021, available at https://www.swissre.com/institute/research/sigma-research/sigma-2021-01.html (accessed 19 May 2021).Google Scholar
Call for Reform in the Residential Insurance Market after Hurricane Katrina (2010). RAND Corporation, available at https://www.rand.org/pubs/research_briefs/RB9558.html (accessed 25 September 2022).Google Scholar
Canadian Institute of Actuaries (2021). Enterprise Risk Management, available at https://www.cia-ica.ca/about-us/actuaries/what/erm (accessed 01 February 2021).Google Scholar
Cantle, N. (2020). It was on the risk register. Institute and Faculty of Actuaries, 06 July 2020, available at https://www.actuaries.org.uk/news-and-insights/news/it-was-risk-register (accessed 15 August 2020).Google Scholar
CAS (2003). Overview of Enterprise Risk Management. Casualty Actuarial Society, available at https://erm.ncsu.edu/az/erm/i/chan/m-articles/documents/CasualtyActuarialSocietyOverviewofERM.pdf Google Scholar
Catastrophe Risk Tolerance Survey: Public disclosures by sector Year-end (2022). AON. 2021, available at http://thoughtleadership.aon.com/Documents/20210701-cat-risk-tolerance-study.pdf (accessed 25 September 2022).Google Scholar
Census and Statistics Department Hong Kong Special Administrative Region (2020). Gross Domestic Product, February 2021, available at https://www.censtatd.gov.hk/en/data/stat_report/product/B1030002/att/B10300022020AN20E0100.pdf (accessed 02 April 2021).Google Scholar
Census and Statistics Department: The Government of the Hong Kong Special Administrative Region (2021). General Household Survey, Household Statistics Analysis Section, Census and Statistics Department. Table 6: Labour Force, Unemployment and Underemployment, 30 march 2021, available at https://www.censtatd.gov.hk/en/web_table.html? (accessed 02 April 2021).Google Scholar
Centers for Disease Control and Prevention (2021). Available at https://www.cdc.gov/coronavirus/2019-ncov/ (accessed 19 May 2021).Google Scholar
COSO: The Committee of Sponsoring Organizations of the Treadway Commission (2021). Enterprise Risk Management — Integrated Framework, available at https://www.coso.org/Pages/erm-integratedframework.aspx (accessed 01 April 2021).Google Scholar
Dardis, T., Lau, C. & Weis, A. (2021). Covid-10 and Enterprise Risk management. Milliman, available at https://www.milliman.com/en/insight/covid-19-and-enterprise-risk-management (accessed 24 January 2021).Google Scholar
Dismukes, D. E. & Peters, C. (2011). Diversifying energy industry risk in the GOM: Post-2004 changes in offshore oil and gas insurance markets. U.S. Dept. of the Interior, Bureau of Ocean Energy Management, Gulf of Mexico OCS Region, New Orleans, LA. OCS Study BOEM 2011-054. 95 pp., available at https://www.lsu.edu/ces/publications/2011/2011-054.pdf Google Scholar
EM-DAT (2021). The International Disaster Database Centre for Research on the Epidemiology of Disasters, available at https://www.emdat.be/ (accessed 19 May 2021).Google Scholar
Enhancing banks’ and insurers’ approaches to managing financial risks from climate change (2019). Bank of England. 15 April 2019, available at https://www.bankofengland.co.uk/prudential-regulation/publication/2019/enhancing-banks-and-insurers-approaches-to-managing-the-financial-risks-from-climate-change-ss (accessed 19 May 2021).Google Scholar
European Insurance and Occupational Pensions Authority (2020). Consultation on the Supervisory Statement on ORSA in the context of Covid-19. 23 December 2020, available at https://www.eiopa.europa.eu/content/eiopa-consults-orsa-context-of-Covid-19_en (accessed 02 April 2021).Google Scholar
Fast Company (2020). Why the coronavirus crisis is a “gray rhino” and not a “black swan”, available at https://www.fastcompany.com/90475793/why-the-coronavirus-crisis-is-a-gray-rhino-and-not-a-black-swan (accessed 01 December 2020).Google Scholar
Freeman, R. E. (1984). Strategic Management: A Stakeholder Approach. Pitman Series in Business and Public Policy.Google Scholar
Government Actuary’s Department (2020). Market Data Insights: Gov.uk, available at https://www.gov.uk/government/publications/market-data-insights/market-data-insights-november-2020 (accessed 24 January 2021).Google Scholar
Gov.uk. (2020). Public sector finances, UK, 21 October 2020, available at https://www.ons.gov.uk/economy/governmentpublicsectorandtaxes/publicsectorfinance/bulletins/publicsectorfinances/september2020 (accessed 15 November 2020).Google Scholar
Guy Carpenter (2021). Reinsurance Implications of The United Kingdom’s Business Interruption Test Case. gccapitalideas.com, March 20, 2021, available at https://www.gccapitalideas.com/2021/02/22/reinsurance-implications-of-the-united-kingdoms-business-interruption-test-case/ Google Scholar
Hung, L. S. (2003). The SARS epidemic in Hong Kong: what lessons have we learned? Journal of the Royal Society of Medicine, 96, 374378. doi: 10.1258/jrsm.96.8.374. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC539564/ (accessed 02 April 2021).CrossRefGoogle Scholar
Institute and Faculty of Actuaries (2021). IFoA Covid-19 Action Taskforce (ICAT) Workstreams, available at https://www.actuaries.org.uk/practice-areas/ifoa-covid-19-action-taskforce-icat-workstreams (accessed 31 January 2021).Google Scholar
Insurance Authority (2020). Application of Guidelines Issued by the Insurance Authority. 25 May 2020, available at https://www.ia.org.hk/en/legislative_framework/circulars/reg_matters/files/Circular_25052020.pdf (02 April 2021).Google Scholar
Insurance Authority (2020). Phase 2 of the temporary facilitative measures to tackle the outbreak of Covid-19. 27 March 2020, available at https://www.ia.org.hk/en/legislative_framework/circulars/reg_matters/files/Circular_27032020.pdf(accessed 02 April 2021).Google Scholar
Insurance Authority (2020). Annual Report 2019–20 Leading Change and Propelling Growth, available at https://ia.org.hk/en/infocenter/files/IA_Annual_Report_2019_20_Eng.pdf (accessed 02 April 2021).Google Scholar
Insurance Authority (2021). Extension of Phase 2 of the temporary facilitative measures to tackle the outbreak of Covid-19, 24 February 2021, available at https://www.ia.org.hk/en/infocenter/press_releases/20210224.html (accessed 02 April 2021).Google Scholar
Insurance Authority (2021). Temporary facilitative measures to tackle the recent outbreak of Novel Coronavirus. 21 February 2020, available at https://www.ia.org.hk/en/legislative_framework/circulars/reg_matters/files/Circular_21022020.pdf (accessed 02 April 2021).Google Scholar
Intergovernmental Platform on Biodiversity and Ecosystem Services (2020). IPBES Workshop on Biodiversity and Pandemics, available at https://ipbes.net/sites/default/files/2020-10/IPBES%20Pandemics%20Workshop%20Report%20Executive%20Summary%20Final.pdf (accessed 01 December 2020).Google Scholar
International Association of Insurance Supervisors (2019). Insurance Core Principles and ComFrame, available at https://www.iaisweb.o rg/page/supervisory-material/insurance-core-principles-and-comframe/file/89018/iais-icps-and-comframe-adopted-in-november-2019# (02 April 2021).Google Scholar
International Energy Agency (2020). International Energy Agency. Global Energy Review 2020 – Report extract Global energy and CO2 emissions in 2020, 07 2020, available at https://www.iea.org/reports/global-energy-review-2020/global-energy-and-co2-emissions-in-2020 (accessed 15 November 2020).Google Scholar
International Monetary Fund. Real GDP growth, available at https://www.imf.org/external/datamapper/NGDP_RPCH@WEO/AZE?year=2020 (accessed 15 November 2020).Google Scholar
ISO (2021). ISO 31000 – Risk Management, available at https://www.iso.org/publication/PUB100426.html (accessed 02 April 2021).Google Scholar
JudgmentsTransco plc (formerly BG plc and BG Transco plc) (Appellants) v Stockport Metropolitan Borough Council (Respondents) (accessed 28 March 2022) ((Respondents)).Google Scholar
Keith, B. (2020). Consumer Reports. More Hyundais Recalled for Fire Risk; Automaker Fined, 4 December 2020, available at https://www.consumerreports.org/car-recalls-defects/more-hyundais-recalled-for-fire-risk-automaker-fined/ (accessed 02 April 2021).Google Scholar
Kerjan, E-M. & Taglioni, G. (2017). Insuring Hurricanes: Perspectives, Gaps, and Opportunities After 2017. McKinsey.Google Scholar
Lam, J. (2014). Enterprise Risk Management: From Incentives to Controls, (2nd Edition). Wiley Finance.Google Scholar
Lloyd’s Capital Briefing (2021). Lloyd’s Capital Briefing – February 2021. Lloyds.com, available at March 20, 2021. ’https://assets.lloyds.com/media/fc58b281-2146-43df-b1df-04fc2f6c645b/Lloyd’s%20Capital%20Briefing%20-%20February%202021.pdf Google Scholar
Lloyd’s of London MRC Syndicate Capital (2021). LCR 2021 CIL FAQs. Lloyds.com, March 20, 2021, available at https://assets.lloyds.com/media/601e06c1-7a1c-40a0-b8bc-f740f2b113c5/LCR_2021_CIL_FAQs.pdf Google Scholar
Lund, S., Madgavkar, A., Manyika, J., & Smit, S. (2020). What’s next for remote work: An analysis of 2000 tasks, 800 jobs, and nine countries. Mckinsey & Company Mckinsey Global Institute, November 23rd, 2020, available at https://www.mckinsey.com/featured-insights/future-of-work/whats-next-for-remote-work-an-analysis-of-2000-tasks-800-jobs-and-nine-countries (accessed 7 March 2021).Google Scholar
Macroeconomic and Budgetary Effects of Hurricanes Katrina and Rita (2005). CBO Testimony, Congressional Budget Office, Washington, D.C, 10 June 2005, available at https://www.cbo.gov/sites/default/files/109th-congress-2005-2006/reports/10-06-hurricanes.pdf (accessed 25 September 2022).Google Scholar
McGrath, M. (2020). BBC. Climate change: Covid pandemic has little impact on rise in CO2, 23 November 2020, available at https://www.bbc.co.uk/news/science-environment-55018581 (accessed 15 November 2020).Google Scholar
McKinsey & Company (2020). Consumer sentiment and behavior continue to reflect the uncertainty of the Covid-19 crisis, available at https://www.mckinsey.com/business-functions/marketing-and-sales/our-insights/a-global-view-of-how-consumer-behavior-is-changing-amid-Covid-19 (accessed 15 August 2020).Google Scholar
Michele, W. (2020). Was the pandemic a grey rhino or a black swan? The Economist, 17 November 2020, available at https://www.economist.com/the-world-ahead/2020/11/17/was-the-pandemic-a-grey-rhino-or-a-black-swan (accessed 31 January 2021).Google Scholar
Milton, F. (1970). The Social Responsibility of Business Is to Increase Its Profits, New York Times Magazine, pp. 122–126.Google Scholar
Monetary Authority of Singapore (2021). Risk Management and Operational Resilience in a Remote Working Environment, available at https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Monographs-and-Information-Papers/Risk-Management-and-Operational-Resilience-in-a-Remote-Working-Environment.pdf (accessed 15 March 2021).Google Scholar
Monetary Authority of Singapore (2021). Technology Risk Management Guidelines, available at https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf (accessed 15 March 2021).Google Scholar
Morgan Stanley (2020). Morgan Stanley. Sustainable Reality, 17 September 2020, available at https://www.morganstanley.com/content/dam/msdotcom/en/assets/pdfs/3190436-20-09-15_Sustainable-Reality-2020-update_Final-Revised.pdf (accessed 15 November 2020).Google Scholar
Naidoo, P. (2020). Credit Rating Agencies Told to Freeze Action During Pandemic. Bloomberg, 06 May 2020, available at https://www.bloombergquint.com/onweb/halt-credit-rating-moves-for-virus-south-africa-tax-head-says (accessed 15 July 2020).Google Scholar
National Association of Corporate Directors (2020). Assess Strengths and Opportunities for Development, available at https://www.nacdonline.org/services/content.cfm?itemnumber=53246 (accessed 05 September 2020).Google Scholar
OECD (2020). Initial assessment of insurance coverage and gaps for tackling Covid-19 impacts, available at https://www.oecd.org/finance/Initial-assessment-of-insurance-coverage-and-gaps-for-tackling-Covid-19-impacts.pdf Google Scholar
OECD International Platform on Terrorism Risk (2015). Terrorism Risk Insurance, available at https://www.oecd.org/daf/fin/insurance/UK-terrorism-risk-insurance.pdf (accessed 02 April 2021).Google Scholar
Ortwin, R. (2008). Risk Governance: Coping with Uncertainty in a Complex World. London: Earthscan.Google Scholar
Pandemic Intervals Framework (2016). Centers for Disease Control and Prevention, 03 November 2016, available at https://www.cdc.gov/flu/pandemic-resources/national-strategy/intervals-framework.html (accessed 19 May 2021).Google Scholar
Parascandola, M. (2010). Epistemic Risk: Empirical Science and the Fear of Being Wrong. Oxford: Oxford University Press, Law, Probability and Risk, Vol. 9. doi: 10.1093/lpr/mgq005.CrossRefGoogle Scholar
Prime Minister’s Office (2021). 10 Downing Street and The Rt Hon Boris Johnson MP. No government can address the threat of pandemics alone – we must come together. GOV.UK, available at https://www.gov.uk/government/speeches/no-government-can-address-the-threat-of-pandemics-alone-we-must-come-together?fbclid=IwAR1OJEL4s6OZOH7vFFsfF0ITdDUTUwNnTQv7OqcBIdV32P1zQFFzkt9fhgE (accessed 01 April 2021).Google Scholar
Prudential Regulation Authority (2020). Insurance Stress Test 2019 and Covid-19 stress testing: feedback for general and life insurers. Bank of England. 17 June 2020, available at https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2020/insurance-stress-test-2019-feedback.pdf (accessed 02 April 2021).Google Scholar
Psychology Today (2020). Is Covid-19 a Black Swan Event?, available at https://www.psychologytoday.com/gb/blog/seeing-what-others-dont/202005/is-covid-19-black-swan-event (accessed 01 December 2020).Google Scholar
Recommendations of the Task Force on Climate related Financial Disclosures (2017). Task Force on Climate related Financial Disclosures, available at https://www.fsb-tcfd.org/recommendations/ (accessed 19 May 2021).Google Scholar
Richter, A. & Wilson, T. C. (2020). Covid-19: implications for insurer risk management and the insurability of pandemic risk. The Geneva Risk and Insurance Review, 45, 171199.CrossRefGoogle Scholar
Risk (2020). Net. Stress-testing Special report, available at https://www.risk.net/stress-testing-special-report-2020 (accessed 24 January 2021).Google Scholar
Saudi Arabian Monetary Authority (2020). SAMA commends insurance companies on the initiative of extending individual vehicle insurance policies for two months without incurring additional cost, available at https://www.sama.gov.sa/en-US/News/Pages/news-559.aspx (accessed 15 July 2020).Google Scholar
Scheurwater, S. (2020). Covid-19 and the European Economy: Black Swan or Grey Rhino. RICS World Built Environment Forum, available at https://www.rics.org/uk/wbef/megatrends/markets-geopolitics/covid-19-and-the-european-economy-black-swan-or-grey-rhino/ (accessed 15 April 2020).Google Scholar
Scientists warn worse pandemics are on the way if we don’t protect nature (2020). World Economic Forum, 04 May 2020, available at https://www.weforum.org/agenda/2020/05/scientists-pandemics-coronavirus-nature-covid19-health/?utm_source=sfmc&utm_medium=email&utm_campaign=2718479_Agenda_weekly-8May2020&utm_term=&emailType=Newsletter (accessed 19 May 2021).Google Scholar
Shares Magazine. Shares, available at https://www.sharesmagazine.co.uk/shares (accessed 15 November 2020).Google Scholar
Solvency II Directive (2021). EUR-Lex, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02009L0138-20140523&from=EN (accessed 24 January 2021).Google Scholar
Subgroup (2019). Institute and Faculty of Actuaries’ Cyber Risk Investigation Working Party: silent Cyber. Silent Cyber Assessment Framework Research Project.Google Scholar
Sweeting, P. (2017). Financial Enterprise Risk Management. Cambridge: Cambridge University Press. doi: 10.1017/9781316882214.CrossRefGoogle Scholar
Swiss Re (2017). Global insurance review 2017 and outlook 2018/19. Swiss Re Institute, available at http://www.swissre.com/dam/jcr:9b1c4514-39e7-45c6-9ba9-994afac9d7ca/Global_insurance_review_2017.pdf Google Scholar
Ten-Year Retrospective of the 2004 and 2005 Atlantic Hurricane Seasons (2014). Part 2: The 2005 Season. Guy Carpenter, available at http://www.guycarp.com/content/dam/guycarp/en/documents/dynamic-content/Ten-Year_Retrospective_of_the_2004_and_2005_Atlantic_Hurricane_Seasons_Part_2.pdf (accessed 25 September 2022).Google Scholar
Terrorism risk: A reemergent threat (2004). Impacts for Property/Casualty Insurers. Insurance Information Institute, available at https://www.iii.org/sites/default/files/TerrorismThreat_042010.pdf (accessed 25 September 2022).Google Scholar
The Actuarial Society of Hong Kong (2008). Notice for Appointed Actuaries: Chapter 41E Reinvestment Yield for Reserving, available at https://www.actuaries.org.hk/sto rage/download/Ch41E-NoticeforAA-ReinvestmentYield(081219).pdf (accessed 04 02, 2021).Google Scholar
The Actuarial Society of Hong Kong (2020). Explanatory Note for Appointed Actuaries: Chapter 41E Supplemental Information on the Reinvestment Yield for Reserving, available at https://www.actuaries.org.hk/storage/download/ExplanatoryNoteon23March2020HKIACircularreReinvestmentYieldunderCap41E.pdf (accessed 02 April 2021).Google Scholar
The Hong Kong Federation of Insurers (2020). Alleviation Measures Taken by Insurers under Covid-19. 全城抗疫保險顯微鏡 Insurance Dashboard on Covid-19 24 December 2020, available at https://www.hkfi.org.hk/Covid19/smc.html (accessed 02 April 2021).Google Scholar
Thomä, J. (2021). Stress-Testing COVId-19 An Exploratory Stress-Test Scenario for the next 36 months. 2° Investing Initiative, available at https://2degrees-investing.org/resource/stress-testing-covid-19/ (accessed 24 January 2021).Google Scholar
WBGU (2000). World in Transition. Strategies for Managing Global Environmental Risks. Annual Report 1998. Berlin: Springer.Google Scholar
Wood, C. (2020). The ICA launches BI test case in NSW Supreme Court. Reinsurance News, 13 August 2020, available at https://www.reinsurancene.ws/the-ica-launches-bi-test-case-in-nsw-supreme-court/ (accessed 15 August 2020).Google Scholar
World Economic Forum (2020). Integrated Corporate Governance: A Practical Corporate Guide to Stakeholder Capitalism for Boards of Directors. WeForum, available at http://www3.weforum.org/docs/WEF_Integrated_Corporate_Governance_2020.pdf (accessed 06 August 2020).Google Scholar
World Economic Forum (2020). How 2 out of every 5 jobs lost during Covid-19 may not come back, available at https://www.weforum.org/agenda/2020/05/42-of-jobs-lost-during-covid-19-may-not-come-back/ (accessed 15 August 2020).Google Scholar
World Economic Forum (2021). The Global Risks Report, available at http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf (15 November 2020).Google Scholar
World Health Organisation (2020). The best time to prevent the next pandemic is now: countries join voices for better emergency preparedness. WHO, available at https://www.who.int/news/item/01-10-2020-the-best-time-to-prevent-the-next-pandemic-is-now-countries-join-voices-for-better-emergency-preparedness (accessed 01 December 2020).Google Scholar
Yoshiaki, K., et al. (2017). The Great East Japan Earthquake and Insurance. In The Fukushima and Tohoku Disaster: A Review of the Five-Year Reconstruction Efforts. Butterworth-Heinemann, pp. 177–194.Google Scholar
Figure 0

Figure 1. Lam’s 7 ERM components.

Figure 1

Figure 2. Centre for Disease Controls and Prevention pandemic intervals framework (Pandemic Intervals Framework, 2016).

Figure 2

Figure 3. Lam’s division of management and board responsibilities in the context of ERM.

Figure 3

Figure 4. Credit spread levels in 2020 for selected markets. Source: All Bloomberg Barclays indices: Global Aggregate Credit index, Emerging Market USD Aggregate Index, USD Aggregate A and BBB Corporate Index, EUR Aggregate A and BBB rated Corporate Index, Asia Pacific Aggregate A and BBB rated corporate index, US Securitised ABS and CMBS indices and US Corporate High Yield Index as of 30 September 2020 (Vanguard, 2020).

Figure 4

Figure 5. Insurers’ stock market performances from 2000 to 2020.

Figure 5

Figure 6. Lloyd’s of London COVID-19 response best practice guidelines for secondary impacts.

Figure 6

Figure 7. (a) Unemployment (BBC, 2020) and (b) Redundancies (BBC, 2020) in the UK over time.

Figure 7

Figure 8. (a) Public sector net debt in the UK over time (Gov.uk, 2020) and (b) Real GDP growth globally in 2020 (International Monetary Fund, 2020).

Figure 8

Figure 9. Yield to date changes in share price found by extracting FTSE 100 index data (Shares Magazine, 2020) and the stresses from the PRA as part of the 2019 Life Insurance Stress Test exercise (Bank of England, 2019).

Figure 9

Figure 10. Morgan Stanley sustainability reality: 2020 update. The analysis is based on January 2020 to June 2020 data (Morgan Stanley, 2020).

Figure 10

Figure 11. A.M. Best Special Report: COVID-19 Highlights Weaknesses in Insurers’ Enterprise Risk Management (Best, 2020).