In the midst of implementing the most significant enterprise risk management changes Hong Kong insurers have ever experienced, their new ERM frameworks are being subjected to the ultimate workout.
As part of the upcoming HKRBC regime, Hong Kong insurers are implementing enhanced ERM frameworks in line with the Insurance Authority’s GL 21 Guideline on Enterprise Risk Management. To comply with the regime, many insurers are having to repurpose their existing ERM processes and procedures, upskill their workforce and modify or build new critical systems.
One of the regime’s expected capabilities is for insurers to monitor for warning signals of emerging risks, conduct stress and scenario testing, and regularly review their ERM framework to ensure it remains fit for purpose. In this context, two types of events are considered the ultimate test of risk management:
- “Black swan” events – rare events with disproportionate impact that become retrospectively predictable
- “Gray rhino” events – predictable events with disproportionate impact crystallizing from neglected threats
In 2020, insurers’ readiness to predict and manage their businesses during such events was put firmly in the spotlight. Just as new ERM frameworks were being put in place, the world started a new decade with the China-US trade dispute, the Russia-Saudi Arabia oil war and the COVID-19 pandemic. The disproportionate impacts of these events translated into multiple ERM test situations including the current low-yield environment, a volatile equity market and economic and health uncertainty.
How are ERM frameworks holding up?
Some Hong Kong insurers, already familiar with RBC frameworks, are across all the risk areas. For others, where the new regime requires fundamental change, they remain unprepared. Less than 30% of Hong Kong insurers in 2019 had approved mitigation plans across all RBC-specified risk management areas.
Insurers are struggling in three main areas:
- Lack of risk culture – Many insurers need to broaden enterprise knowledge of ERM beyond the board, senior management and dedicated ERM team and out to the entire company. Risk culture requires every employee to exhibit the right norms, attitudes and behaviors related to risk awareness, risk-taking and risk management. This means training, communication, performance incentives and reviews are needed to educate everyone about risk appetite and encourage the use of effective controls and risk quantification tools.
To support this, the tone from the top is critical. The board and senior management have an important role in communicating the importance of risk management to the whole organization. The message should be that senior leadership expects more coordinated cooperation among different corporate functions. - Lack of capabilities – Those insurers outside of Solvency II are struggling to develop the necessary ERM capabilities. The most obvious gaps are capital projection with the capability of forward-looking risk and solvency assessments, stress and scenario testing, continuity analysis, recovery planning and management mitigation actions. Unfortunately, existing capabilities to determine the mathematical reserves, solvency requirement and Dynamic Solvency Testing (for life insurers) are factor-based or essentially volume-based measures. However, the upcoming HKRBC requirements are risk-based, requiring a much more demanding analysis than is currently required from the factor-based approach.
- Lack of capacity – HKRBC is being implemented at the same time as insurers are working to comply with IFRS 9 and 17. This means already scarce resources are being split several ways into different compliance streams. Added to this, new challenges are emerging as the low-yield environment and volatile equity markets force life insurers to carry out monthly, weekly or even daily monitoring of their solvency positions. The danger here is that more frequent monitoring will inevitably lead to model simplification due to the time required to produce results.
Emerging market practices
As the pandemic evolves, with restrictions being temporarily relaxed, the industry is adapting its own ERM practices.
In the short-term, insurers are having to stay ahead of emerging and evolving risks triggered by COVID-19. Key risk areas under constant consideration include: distribution, conduct, third-party and cybersecurity-related risks. Insurers must constantly identify these risks, track their acceptance status and gather sufficient information/documentation to verify and validate that all emerging risks are being taken into consideration when making decisions and reviewing governance.
For insurers looking further ahead, additional practices are emerging to meet different GL21 requirements, including:
- New approaches to surface emerging risks – Most insurers are familiar with the quantifiable risks, and arguably the non-quantifiable risks, in their risk identification processes. But now emerging risks are front and centre with regulators, boards and shareholders, some insurers are moving to identify emerging risks using Political, Economic, Social, Technological, Legal and Environmental (PESTLE) analysis. This requires a group of senior individuals to discuss and identify emerging risks from PESTLE factors, including landing on a potential time frame and the impacts to the business when the emerging risks materialize.
- Reverse stress testing – The pandemic has seen many insurers revisiting their asset-liability management and business contingency plans. Typically, pre-COVID business contingency plans were relatively high-level, with their main focus being on the qualitative considerations of operational resilience. Now, Hong Kong insurers are developing quantitative considerations using reverse stress testing, where the possible drivers of these events are used to perform stress and scenarios testing to quantitatively understand balance sheet behaviors. Then, once the nature of the balance sheet is understood, insurers can build in early warning signals to boost operational resilience.