Corporate RISK MANAGEMENT – Getting it Right
The development of the new Solvency rules in Europe has seen risk management become not only a key function in the decision making process but also a regulatory requirement. The application and robustness of a risk management process is also a major factor for credit rating agencies in the evaluation of companies’ financial strength.
In the MENA region, where no risk-based regulations are yet fully developed and implemented, companies find themselves bound to comply with the agencies’ requirements hoping for a sound and better rating position.
In a world where credit rating is currently seen as the most important and reliable information in business relationships, even more than the entity’s history and market reputation, getting a good rating has become a vital element to business expansion and thus to the survival of the enterprise.
Requirements in this context are to establish an efficient risk management framework, define the different steps of the process and draw a plan for its practical implementation.
It is worth mentioning here that rating criteria do not only include internal factors; political risk, terrorism, security situation and sovereign rating also play a major role in determining the creditworthiness of regional players. The rating position of institutions located in unstable countries is ruled by their sovereign rating and negatively affected by the environment in which they operate.
The strength of a risk management programme is however defined by its ability to cope with uncertainties and to mitigate its risk exposure, an element that should be evenly viewed by rating agencies regardless of the physical location of the organisation.
Beyond regulatory and rating constraints, a successful application of the process would require us to go back to the basics of risk management and to its fundamental principles.
In a company, the one primarily responsible for risk management is the business owner, the first in charge of deciding on the objectives and future plans of their own enterprise.
To succeed, they will have to fully understand the business operations and identify the global risks that would impede the achievement of their goals. The definition of the elements of failure and success, if clearly communicated to the company’s directors, will enable them to ensure that the work process meets the requirements of the business owner.
It will therefore be the top management’s responsibility to identify all the risks to which the undertaking is exposed, from their own experience and from the daily work of employees.
It is the close cooperation and sharing of information between directors and business owners that helps inform the company’s global strategy.
Sound communication at the top of the organisation strengthens the risk management system as well as the chances of success of the entity.
To ensure clear communication, directors are required to put in place an efficient control and management system. The practical implementation of the process varies from one undertaking to another; organizational structure, work distribution, definition of roles and responsibilities, recruitment of specialised positions (risk managers, actuaries etc.), everything depends on the company’s internal policy.
Three elements remain nevertheless crucial for the development of a risk management process: understand the work operations, define the risk categories to which the entity is exposed and specify business indicators that allows effective monitoring evolveoring of how the risks evolve.
The intelligent definition of risk indicators, the development of necessary measurement tools and the good follow-up on their movement are determining factors of the level of progress and maturity of a risk management system. An effective control of these indicators facilitates the reporting and decision making process. While business indicators are used to prevent uncertainties by observing, for example, the financial, economic, geopolitical situation, the market conditions and the work environment,
it is only the measurement of the risks taken by the enterprise that allows to assess its level of exposure.
In order to simplify risk measurement, the European Insurance and Occupational Pensions Authority (EIOPA), in its preparation of the new supervisory regime for insurance and reinsurance undertakings, has developed standard formulas for the calculation of the regulatory capital requirement. The calibration of the calculation methods and parameters to be used misses nonetheless to adequately represent the risk profile specific to each entity. In order to address this problem, many insurance firms have decided to work on the development of their own internal models.
However, the procedures needed to implement these models may get companies lost in the complexity of calculations while preventing them from properly understanding the obtained results. It should be noted here that a risk measurement model should equally be considered as a management tool.
The capital charges produced are not just simple figures; if well analysed, they can help in evaluating the risk profile of the organisation, understanding causes and effects and finding the right solutions to enhance the level of risk.
A proper assessment of results requires a perfect knowledge of the data, assumptions and structure of the model. Hence, the analysis of the variation of capital charges goes back to determining how a change in the business profile impacts the company’s solvency and its vulnerability to hazards. It is therefore paramount to thoroughly analyse the information entered in the model so that the results appropriately reflect the entity’s exposure. Obviously, the complexity of calculations is proportional to the level of sophistication of business operations.
However, simplified methods and stress tests may better serve to understand and measure risks than other complicated approaches.
Knowing the procedures required for the establishment of a sound risk management process is not alas the only condition to its success.
Despite the fact that insurance risk management calls for the scientific skills of actuaries and of specialised professionals, it is not to be considered as a science in itself, but rather a culture to be deployed throughout the enterprise.
Having qualified positions in charge of risk management may not be sufficient for the implementation of a robust and efficient framework.
A risk culture is above all a cooperation and communication system between different parts of the institution. Employees need to work in tandem towards a common goal to understand risks and the importance of controlling them. Risk management is successful when it is no longer considered as a separate function from the rest of the entity and when it is integrated in the work of employees.
Risk culture in a company is a reflection of its management’s spirit. If it is duly seized at the top of the organization it can be better transmitted down to the rest of the team.
Finally, putting in place a risk management programme with the only objective to satisfy regulatory and rating requirements doesn’t necessarily lead to the desired level of risk control. It is essential to understand the advantages of the process and to be convinced of its key role in improving the company’s performance.
A risk management framework should first and foremost be adapted to the business model of the entity in order to meet the work needs and better manage its specific risks. It is only in this spirit that the application of norms can serve to develop the risk culture, increase the efficiency of the processes and strengthen the position of risk management in value creation.