INSURANCE AND RISK MANAGEMENT OVERVIEW

Risk management is a broad term which refers to the identification and evaluation of risks and the use of resources to control or reduce that risk’s occurrence or probability of being associated with negative events while maximizing profits and reducing costs. For example, if a large corporation is planning on implementing a new piece of software, its risk management department will evaluate the project to determine whether or not it could potentially pose any negative consequences, such as the company’s employee resources, or profitability. Other areas which risk management is mindful of include the quality of products, service provided, the reputation of that organization, and/or brand value. The risks can have many derivatives including, but not limited to; volatile financial markets, the failure of a project, unexpected accidents, or for some natural reasons. 

 

Most financial companies have Enterprise Risk Management groups who take charge of risk management for that company by analyzing any possible events which could negatively impact the company and provide them with a framework for their risk management. This group tends to analyze the organization's main objectives and assess the impact a risk occurrence might have on each², while also addressing the needs of stakeholders. Normally, enterprise risk management is an umbrella term referring to that company’s credit risk, market risk, interest rate risk, and operational risk. These groups will vary from company to company and the policies in that organization can be affected by its leaders, personnel, and board of directors ³.

 

In 2003, the banking world adopted the Basel II accord in an attempt to uphold the financial system by ensuring that each organization will have enough funds in reserve to successfully cover any risk which might occur ⁹. This is actually a replacement standard for Basel I which set a standard for minimal capital requirements for banks in 1988 ¹⁰. Under Basel II, those companies who have a strong control over their risk management processes, will not be required to have quite as much money in reserves as those who currently have these controls in place ⁹. Though there are many risks to be monitored for, the Basel framework breaks types of risk into categories which are thought to be the three main contributions of economic capital ¹⁰ - credit risk, market risk, and operational risk. Credit risk refers to the risk of losing money when a debtor fails to pay back a loan or a line of credit ². Market risk refers to the risk which climates in the financial market may pose on the value of an investment and includes any changes the market factors may pose on equity risk, interest rate risk, currency risk, and commodity risk. When dealing with operational risk, one is analyzing a wide range of frauds or disruptions which could be inflicted on a company if they are not controlled and prevented ¹. Operational Risk has varying definitions in different companies, but often includes internal and external fraud, safety of employees, business integrity, physical damages, business systems failures, and process management ¹. In other words, it is the risk of a direct or indirect loss as a result of external events or from unsuccessful internal processes, people, or technology ⁹.

 

It should be noted that risk management is not the same thing as Business Continuity Planning, or BCP ². Where risk management is simply finding financially efficient approaches to minimize the negative effects of a threat if it were to occur, BCP is more of a reactive way of dealing with the consequences of potential risks or events which have occurred. However, Risk Managers will work closely with those in BCP to create standards and controls for proposed risks in the event that they are observed² , so they are not completely separate functions.

 

One form of risk management is insurance ². The main purpose of insurance is to protect an individual or a business against the risk of losing something. In other words, insurance is basically an agreement of compensation for particular, probable, future losses in exchange for an incremental payment ⁵. It is used to protect the financial comfort and safety of its consumer which can be an individual or a company.

 

MAIN FUNCTIONS 

 

Risk management’s main function is the identification and evaluation of risks and the use of resources to control or reduce that risk’s probability of having adverse effects on that company. Some of these negative consequences make vulnerable the company’s employees, resources, profitability, quality of products/services, the reputation of that organization, and/or brand value. In corporate finance, the risk is evaluated to measure the financial or operational risk on that company and how it might affect them as a whole.

 

Risk management is thought to bring value to organizations that monitor and implement this practice. One obvious value is that of compliance and prevention. Implementing an effective risk management program can help an organization avoid crisis and avoid personal liability failure while simultaneously complying with corporate governance standards ¹⁰. Effective risk management programs can also help the operations and performance of a company by helping employees and leaders understand the complete range of risks facing the company, evaluate the business strategy risks, and accomplish best practices ¹⁰. Other values of risk management programs are the maintenance of a positive company reputation and the shareholder values on that organization, while likely improving
returns ¹⁰.

 

The functions of insurance are primarily to protect the financial well being of its consumer by providing aid in the event of a risk, which could potentially occur. Many different types of insurance exist; some of the most common types are outlined below.

 

• One of the most common types of insurance is health insurance which protects people from being required to cover the cost of medical treatments.

 

• Disability insurance helps employees who are unable to work by allowing them to remain on payroll while they are out ⁷.

 

• Property insurance protects physical property from damage or theft. This includes a wide variety of assets, but most commonly home insurance to protect your house and anything inside of it from any natural disasters, fires, or other risks ⁷. The other common insurance is automobile insurance, which is often required ¹³, and assists in the cost of any damages or loss of a car, as well as any claims against the driver of the vehicle ².

 

• Life insurance refers to the protection against any lost funds in consequence of a death ². Its products pay out for untimely deaths and can help fund a retirement fund even if it is years away ¹³. Life insurance is one type of insurance which many people do not think about very often, but it is important for those who would need to replace income for their family in their absence, or pay off any personal debt to relieve this burden from their family⁷. 
 

STANDARDS IN RISK MANAGEMENT

 

In attempt to control and standardize the risk management industry, standards have been widely implemented in most financial companies. Each company, especially at the enterprise level, must understand its federal and state legal requirements for regulating the amount of risk management required ⁸. The most common standards are from the Project Management Institute (PMI), ISO Standards, multiple actuarial societies, and the National Institute of Science and Technology ². The most common standards used in the banking sector are those defined by the International Organization for Standardization, which clearly states that risk assessment should: create value, be a fundamental part of an organization’s process, be a factor in decision making, address uncertainty, be very structured, be based on the best possible information, be tailored take humans into account, be transparent, be responsive to change, and be capable of modifications or improvements ². A newer kind of standards in both risk management and insurance have recently been developed by the RIMS (Risk and Insurance Management Society) Standards and Practice committee in an effort to assist society in the education of guidelines and vocabulary in risk management ⁸. The committee will be working alongside the U.S. Department of Homeland Security on the preparation of risk management and business continuity ⁸.  

 

As mentioned earlier, there is an international standard in risk management known as Basel II, which was implemented in 2003¹⁰ in many global financial companies as a way to regulate the amount of money banks need to save in order to protect themselves from financial and operational risks they face ². Basel II is actually a replacement of Basel I which set a standard for minimal capital requirements for banks in 1988 ². Under Basel II, those companies who have a strong control over their risk management processes, will not be required to have quite as much money in reserves as those who currently have these controls in place ⁹. Ideally, Basil II is expected to help protect the international financial system in the event that one or more banks collapse by insuring that those which undertake more risk than others should have more capital on reserve than those who undertake fewer risks ¹⁰. The Basel framework breaks types of risk into categories which are thought to be the 3 main contributions of economic capital ¹⁰: credit risk, market risk, and operational risk. Credit risk refers to the risk of losing money when a debtor fails to pay back a loan or a line of credit ². Market risk refers to the risk which climates in the financial market may pose on the value of an investment and includes any changes the market factors may pose on equity risk, interest rate risk, currency risk, and commodity risk. When dealing with operational risk, one is analyzing a wide range of frauds or disruptions which could be inflicted on a company if they are not controlled and prevented ¹. Operational Risk can be defined differently in different companies, but often includes internal and external fraud, safety of employees, business integrity, physical damages, business systems failures, and process management ¹.

 

There has been criticism over some of the risk management standards currently in place. Some do not believe that they will lead to any improvement on the risks even though the estimates indicate they will ². There is also some variation with methods used and the assessments as to where the risk might occur ², so it is important that each company makes their policies standardized and clear.

PROCESS

The process of risk management entails many steps taken to identify, monitor, and control risk. This process should be implemented anytime the ability to meet objectives could potentially be at risk ² in order to remove any uncertainty. Each company will differ on the specific processes within risk management, but some rough outlines can be highlighted.

 

One of the most important steps in the risk management process is planning. In the beginning stages of risk analysis, it is imperative that potential risks are methodically brainstormed and that all possible risks will be taken into consideration ¹¹. Next, risks will be quantified and classified to establish which risks are more threatening than others. Moving into the risk management phases, the risk must be deemed acceptable or unacceptable. If acceptable, a contingency plan is calculated. If it is not acceptable, response planning begins to take place in preparation of potential occurrences. If an acceptable or unacceptable risk takes place, it must be documented, reported, and reviewed in a risk log. Normally, there will be lessons learned from it to share with the group and the organization. From here, there will be more planning for risk management, this time understanding a risk more thoroughly ¹¹ in the event that it happens again there will be more efficient reactions.

 

Though this process is quite similar to the previously highlighted process, according to the ISO 31000 Risk Management Standards, the first step in risk management is to identify the risk. This should take into account both internal and external sources and any other threats. As soon as that risk is identified, a plan should be made and it should map out the communal scope of the risk, the goals of the stakeholders of that company, and the grounds in which those risks will be evaluated along with their constraints ². Next, a framework should be made to plot the activity and agenda of managing the risks, and an analysis is usually done on risks that surfaced. During this assessment, a common equation used is: the RATE of occurrence X the IMPACT of the event = RISK. All risks must be systematically documented for future use and to reduce the chance of them occurring again ¹⁰. Finally, risks are mitigated using the company’s employees and resources ².

 

In insurance, a policy will be drawn up between the insurer and the client. This policy serves as a contract or a promise of payment in the event of a loss to the client. The client will then be responsible for paying what is called a premium, or a periodic payment, in order to maintain the contracts validity ⁵. In the event that a specific circumstance for which that client is insured occurs, the insurer will be responsible for paying that policy-holder (the person or company insured) a sum of money to assist them in the relief of financial burden. Most of the time, the policy-holder is responsible for paying a small portion of the loss which is known as a deductable ⁵. Insurance professionals make money by keeping claims and expenses low so they are able to collect more of the money that comes from premiums. Sometimes, they will invest those premiums to generate more revenue for themselves ¹³.

 

INDUSTRY TRENDS

Often times, initial risk management plans will not work ² , which is normal. Because there are an infinite number of risks in the world, it is impossible to gather every possibility and the only way to improve these initial plans is through practice and experience. Also, there will never be a perfect action to completely eliminate a specific risk, as there is always possibility of risk occurrence. This is the case even with appropriate measures taken, and is known as residual risk ². It is also important not to spend a large amount of time managing unlikely risks, as it may be more efficient to simply deal with the risk reactively ².

 

In insurance, global insurance premiums have been in growth mode and those who seek to be insured are required to pay increasingly larger amounts of money to have the protection ². In 2007, global insurance premiums grew around 11% overall ². Insurance premiums in health care for 2009 have actually risen more than 4 times faster than earnings for families since 2000 and are actually buying consumers less coverage ⁶. The examination and regulation of these premiums is a statewide responsibility ⁶ and there has been a tremendous amount of resistance to the increases by residents. Another trend which is often seen as controversial is that of the complexity of contracts for insurance policies. These terms are usually written with high level language in a way that will leave many policy holders with unfavorable terms if they do not understand the policies ² outlined. Because some types of insurance are required of an individual, and many people might not understand the contracts due to the complexity of its language, many people have been found to be insured for much more than is required or needed.

 

In light of recent economic events and a large mass of people who defaulted in housing loans, the insurance industry has been through a challenging 2008/2009 at best. However, there is always going to be a need for insurance as some types are required, and there will always be a need for people to protect themselves and their assets ¹³. Some insurance companies are attempting to capitalize on the recent federal bailout of AIG (American International Group Inc.) by trying to pick up their clientele which is giving some of the smaller boutique firms more business in 2009 ¹³. Other insurance companies have recognized the need to diversify their risks and spread them while developing more relationships with other insurers and underwriters to allow them multiple options and flexibility when dealing with claims ¹⁷.

 

As another result of the recent financial crisis, risk management is certainly on the rise as companies have watched their competitors fall and have recognized the dire need to focus on their own operations more seriously and more long-term. There has been a clear attempt to recognize and eliminate any risks which could have a negative impact on the company as a whole ¹⁷. Not only are many companies recognizing their own value and the business at stake, but there is also more pressure from shareholders to demonstrate a thorough risk mitigation plan as it is tailored specifically for that organization ¹⁷. In truth, the financial crisis revealed that practices, which were in place for many financial organizations, were not sustainable enough to overcome such broad obstacles ¹⁷, and actions are taken to prevent this being the case in the face of further adversity. From a human relations perspective, companies are also responding by strengthening risk management practices in order to instill confidence in existing employees. Even those employees who have survived the layoffs have been effected by the recession, and if employers can ensure the safety and stability of the organization, these employees will be much less likely to look for fresh challenges once the global economy appears to provide a more promising outlook. 

 

Not surprisingly, the insurance and risk management industries have suffered some job losses in 2009, but there has fortunately already been some evidence of rehiring ¹⁷. As compensation still remains a focus to those employees in transition, it does not look like bonuses will be increasing anytime soon, but there have been some raises in base salary as companies compete for the talent pool and try to ensure that they will have enough skill in place to survive future events ¹⁷. For those who do interview for positions in risk management and insurance, the requirements have become more stringent as positions ¹⁷ are more competitive and employers are less willing to take risks on untrained employees while they are in re-growth mode. 

 

CORPORATE STRUCTURE & CAREER PATH

In corporate finance, risk management divisions have many different employment opportunities. Risk Analyst is a title which can be found in many organizations referring to those who work to identify risks, document them in some type of risk log, and carry out assessments by measuring that particular risk and categorizing it¹¹. One value a risk analyst brings is that of quantifying potential risks and prioritizing them so that higher exposure risks are tended to more than those who pose less risk of having a smaller chance of occurrence¹¹.

 

Risk Managers or Risk Officers are very senior people who usually report to a Senior Executive or the CEO and are responsible for administering and managing all of the risk in the whole facility. A Risk Manager will usually plan appropriate risk responses and calculate the actions needed to deal with higher exposure risks ¹¹. This individual would normally design the companies program and Enterprise Risk Management (ERM) approach while adhering to company objectives and ensuring compliance with state and federal laws as well as with risk management standards. The Manager will implements all tools, systems and policies surrounding the risk. They will then educate and train all of the leadership and staff in the group as well as in the company so they can provide clarity to the policies they have implemented and encourage adherence ¹¹. Other tasks for Risk Managers include the collection and analysis of risk related data including employee injury, loss of money due to a project, or other root problems ³. In many companies, an employee will work up to different levels of Risk Management. For example, one might first work as a Risk Analyst, move into a Risk Management role at the first level, be promoted into level 2 Risk Manager, and then to an even more Senior Executive or even sometimes on the trading side ¹³.

Some people become Project Managers, normally reporting to the Risk Managers, who basically make plans of how to manage the risks associated with a project. The Project Manager will have a budget, and use this budget to delegate and implement tasks related to risk management, responsibilities for controlling the risk, and assigning specific roles to team members. The Project Manager will also be in charge of forecasting and intercepting potential problems with the projects and ensuring their timely completion.

 

An Actuary² is another business professional within risk management whose main function is to control risk. Actuaries are very mathematical and quantitatively skilled people who evaluate the likelihood of future events, attempt to find ways to minimize the possibility of their occurrence, and try to reduce the impact said undesirable events might have on the company ¹⁴. It is very important for these professionals to have a solid understanding of the business in order to use their expertise to accurately assist in developing the company’s products, calculate prices, and to determine costs associated with them after damages ¹⁴. Actuaries have consistently been ranked in the United States as one of the best ranked professions in accordance to surveys done by The Wall Street Journal ¹⁵ and U.S. News and World Report ¹⁶, and it is also expected to have a high demand in the near future ¹⁶. 

 

An Underwriter is a common title seen in both risk management companies, insurance companies, as well as in retail banking companies ². This role can be more entry level ¹³, as the role is relatively structured and does not require as much training. Underwriters normally follow an organizational process to screen customers in order to determine their eligibility to receive those organization’s products. Common products which often require analysis by an Underwriter include equity capital, insurance, home loans or mortgages, and lines of credit ². This process can include reviewing credit reports, property valuations, analysis of driving records, or other analysis used to determine the risk this customer might pose on that company ².

 

Claims Adjusters, also known as Loss Adjusters or Claims Examiners, are people who investigate insurance claims by questioning both the witness and the person submitting the claim as well as analyzing any relevant evidence such as hospital records or damages ² in order to determine the liability of the company. They will take into account the cost of replacements of an item and any depreciation costs to that item to determine a fair market value. Adjusters will be required to do a large amount of paperwork and research for each aspect of each claim and be able to ensure accurate prices and accurately assess damages ². For example, if a driver had car insurance for a vehicle which was valued at $15,000 when the insurance was purchased, of which goes down in market value after 6 years of use, the Claims Adjuster will re-value the car to determine how much the insurance company should be reimbursing that client. Claims Adjusters are a prevalent profession within Risk Management to move to, because there are needs for them in every company and they must be readily available to tend to client requests. In 2006, they accounted for 9% of jobs in the insurance industry ¹³.

 

In order to become a claims adjuster, some schooling is normally required, although few colleges have specialized programs for this. Most companies will require a four year degree in business or a related field, though there is some flexibility at times. Because there is not a specific college major to prepare people for a career in claims adjustment, some states will require a certification to operate as an Adjuster ².

 

There are also additional positions in sales for those who are working in the insurance sector ⁵. An Agent is one who is licensed by the state ² to sell insurance for an insurance company or companies ⁵. These Agents can be independent, where they act as Sales People and represent multiple insurance companies rather than one single company ⁵, or they can be captive where they will exclusively work for one single company ⁵.

 

STRATEGIES IN INSURANCE AND RISK MANAGEMENT

 

To assess and quantify risks, some professionals will use a point system or a color system. Once potential risks are identified, a team will go over each item and begin labeling it. In a numbering scheme, 100 might indicate a lower priority risk while a 300 might be a more threatening risk. In a color scheme, green colors might indicate less likely risk where bright red might be a more threatening or likely risk¹¹.

 

To manage risk, many different strategies can be used. The company might do things differently, when possible, to avoid the risk altogether or use prevention tactics to keep an event from happening altogether ¹¹. For example, one may never drive a car in order to avoid being responsible for an accident on the road.

 

Some people try to treat the risk ¹¹ or reduce the adverse effects a risk could potentially incur ² , which is the most common strategy used to deal with risk ¹¹. This could mean including a privacy policy on data in attempt to avoid information leakage. Using the same example as above, the person who is trying to avoid an accident might reduce the chance of an accident by driving more slowly or trying not to follow the car ahead too closely.

 

One strategy is to transfer risks or share the risks with a third party. In this situation, another party is thought to be the best party to resolve the risk or the best situation might be to share the risk between two or more parties ¹¹. For example, in insurance, both the policy holder and the insurer hold some responsibility for an accident. If the driver crashes the car, the insurance company will absorb the effects of that risk, and that driver will be required to pay a premium and their rate potentially goes up. 

 

Sometimes, risk management professionals will have to accept the risks that may have unfavorable effects on the organization or the people ². It is possible that nothing can be done at a reasonable cost or that the likelihood of the risk and the impact of its occurrence is not worth the resources to plan for ¹¹. The driver who is accepting this strategy might simply drive normally and accept the fact that, even if it might not be likely, an accident might occur.