2012 Risk and Finance Manager Survey Report - Towers Watson

Executive Summary

The Towers Watson Risk and Finance Manager Survey examines how North American companies use outside resources, tools and frameworks to address risk. Key findings from this year’s survey include:

• 57% of respondents have ERM programs in place, just slightly improved over last year.

• 95% have at least some concern over the hardening property & casualty (P&C) market.

• 22% are not aware of changes in property risk modeling.

• 72% have not purchased network security/privacy liability policies.

Enterprise risk management (ERM) is receiving more attention worldwide from regulators, policyholders and stockholders. Stability and financial health are more important than ever. The heightened scrutiny reflects recent jolts to global financial markets that include a Eurozone debt crisis as well as continued uncertainty over oil prices and economic recovery. And the recent memory of the severe global financial downturn continues to linger. In spite of these pressing reasons to implement ERM, the 57% implementation rate demonstrates that a disconnect exists, as little progress was made to put programs in place over the last two years of our survey.

While ERM is important for the long-term health of all companies, companies outside of the financial services sector need to accelerate their efforts even more than those in the financial services sector. Nearly three-quarters (72%) of financial services companies, including insurers, had ERM in place, compared with 54% of nonfinancial services companies. This might be connected to efforts such as the Own Risk and Solvency Assessment (ORSA) and other regulatory requirements that insurers will now be required to complete.

It might also highlight the need for more formal, thorough education about what ERM is and what it can do for companies. The survey found that a significant 40% of respondents answered that nobody has been able to articulate the value of implementing ERM, largely consistent with our 2011 survey.

With only 28% of respondents buying network liability policies, the lack of take-up in purchasing this coverage raises another glaring weakness in companies’ risk control efforts. Cyber-attacks and data theft are a major threat for corporations and will continue to grow as organized professional hackers find more sophisticated ways to infiltrate company systems.

Nearly two-thirds of survey participants were either seriously concerned (17%) or moderately concerned (46%) over a hardening market for P&C insurance. Another 32% expressed slight concern. One way to address this issue is for respondents to more actively engage in the use of analytics to prepare their companies for a market change. This also offers brokers an opportunity to help clients better see the linkage between effective analytics and preparation for a hardening market. It is a connection that was not as essential in a soft market where coverage was more accessible and relatively inexpensive.

But if respondents are trying to prepare for a market hardening, there are still steps they need to take to become better informed about the market. A notable 22% indicated they were not aware there had been changes to the assumptions being used in property catastrophe modeling, which has had a profound impact on the premiums charged to those companies with locations in catastrophe-prone areas.

A Closer Look

ERM Implementation

ERM implementation is slightly improved over 2011’s 54% response rate. This year’s 57% response offers a slight reason for encouragement, although in a world of heightened economic and political risk, the relatively flat implementation rate suggests that a lot more needs to be done to encourage development of ERM programs.

Programs that are in place have attributes that differentiate how risk appetite is determined, how ERM is described, and how it is used to quantify risks and potential mitigation strategies.

Nearly 60% of respondents said that risk appetite is determined either at the corporate level based on qualitative judgment (37%) or at the corporate level based on financial metrics (e.g., EPS) (22%) (Figure 1). Perhaps even more telling is the 26% of responses that indicated no risk appetite level is explicitly set. This large response rate may be due to several possible causes: Management wants to remain nimble in the event company or economic circumstances change; there is reliance on a more general range than a specific level; or respondents have not had the time, resources or understanding of how to establish a risk appetite level. Whatever the reason, the lack of a definable risk appetite makes it difficult to effectively prepare for and manage potential risk.

Financial services companies, including insurers, had a better understanding of this need for definition. A 10% response rate on “no risk appetite level is explicitly set” was far smaller than the 30% recorded for nonfinancial services companies. Financial services companies were also more likely to make decisions at the corporate level (53% based on qualitative judgment and 25% on financial metrics) than nonfinancial services companies (33%, qualitative and 21%, financial metrics).

The overwhelming majority (88%) of those surveyed responded that their ERM identified, assessed and prioritized key risks and assigned risk owners. Over two-thirds (69%) indicated that their executive committees and boards of directors received regular ERM activity and findings reports. But a smaller 37% regularly quantified key risks and used those metrics in making business decisions, and an even smaller 35% integrated risk metrics into the budgeting and planning process. These findings show that most ERM programs are more qualitative and compliance focused. For the most part, financial services and nonfinancial services had response rates that were nearly the same. The one exception was the difference in responses for integrating risk metrics into budgeting and planning: 48% for financial services companies and 29% for nonfinancial services companies.

Figure 1. How risk appetite is determined (bar charts: all respondents, n=148; financial services, including insurance, n=32, versus nonfinancial services, n=116). Response categories: at the corporate level based on qualitative judgment; at the corporate level based on financial metrics (e.g., EPS); at the operational/division level based on qualitative judgment; at the operational/division level based on financial metrics (e.g., EPS); other; no risk appetite level is explicitly set. “Other” responses included a combination of factors at division and corporate levels/combination of corporate and operational involvement, and a variety of methods. Note: Those giving a valid answer (percentages exclude “don’t know”).

Risk Measurement

When asked about the ERM framework that companies used to quantify risks and potential mitigation strategies, most organizations (52%) are doing this qualitatively using likelihood and impact scales, and a full 25% responded that they do not attempt to quantify risks. Nonfinancial services companies had a 27% response rate, and financial services companies, including insurers, had a 16% rate. The finding is consistent with the overall 26% response rate for those that established no risk appetite level. The two responses together present a picture of a sizable minority of respondents that do not measure or understand how much risk they could bear. For those companies that do rank risks, 52% undertake the exercise on both a frequency and impact scale.

Even though a quarter of respondents do not quantify risks and just over a quarter have not determined their risk appetite, over half (54%) of those polled did differentiate between their risk-bearing capacity and their risk appetite/tolerance. Financial services companies were much more likely to make this differentiation (78%) than nonfinancial services companies (47%).

Education

The lack of discernment among some survey participants and reasons offered for not having ERM in place speak to the need for an organized, thorough education program to be put in place. A full 40% of respondents indicated that nobody has been able to articulate the value of implementing ERM, and another 25% cited ERM as too resource-intensive and expensive to pursue, regardless of value (Figure 2). These responses are slightly lower than last year’s respective 42% and 29%, suggesting that there may be some more awareness of ERM’s value from which a formal educational effort could be leveraged. Yet another 14% responded that ERM is too compliance-oriented and bureaucratic to pursue, regardless of cost. This response rate is down significantly from last year’s 26% rate, a positive sign.

Surprisingly, financial services companies, including insurers, were nearly twice as likely (22%) as nonfinancial services companies (12%) to consider ERM too compliance-oriented and bureaucratic. Perhaps these respondents, in a heavily regulated sector, believe that they already have too many regulations and requirements. But financial services companies also need to control volatility and risk. It would seem that these survey participants would understand that the advantage of effective risk management would outweigh any additional compliance burdens. Even so, no financial services companies considered ERM too resource-intensive and expensive, far different from the 29% of nonfinancial services companies that responded to the question. Existing risk management programs may explain this willingness to accept resource requirements and expenses.

Figure 2. Reasons for not having an ERM process in place (bar charts: all companies not having an ERM process in place, n=65; financial services, including insurance, n=9, versus nonfinancial services, n=56). Response categories: nobody has been able to articulate the value of implementing ERM to our company; too resource-intensive and expensive to pursue, regardless of value; too compliance-oriented and bureaucratic to pursue, regardless of cost; we did an initial ERM project that was not viewed as successful; other. “Other” responses included: in process/coming soon/looking into how to best implement one now; not applicable/not considered necessary given size/nature of business; still in silos; we had one in place, but upon acquisition by another company, we have had other priorities and are planning a reimplementation at this time; unknown.

Indeed, the need for more education also surfaces when responses to questions about cyber-risk are examined.

Cyber-Risk

An important aspect of ERM is managing cyber-risk. Yet nearly three-quarters (72%) responded that they did not purchase a network security/privacy liability policy, roughly unchanged from last year. And those that did purchase policies (28%), also relatively unchanged from last year, opted for limits that were on the low end of the spectrum. Forty-three percent said that their policies had a $1 million to $5 million limit.

A significant number of respondents expressed confidence in their own IT departments. When asked why a network security/privacy liability policy was not purchased, 41% responded that their own internal IT department/controls were adequate. Another 25% indicated that they do not believe that they have a significant data exposure. Surprisingly, there was relatively little concern over the prohibitive cost of transferring risk (12%).

Survey participants overwhelmingly responded that they rely on their internal IT departments and are comfortable with their level of exposure (78%). Less than half engaged in comprehensive information security risk assessments (46%) and conducted penetration tests (44%). Limit levels for network security/privacy liability policies were largely benchmark- or broker-driven (68% and 50%, respectively).

When respondents did purchase cyber-protection, expertise was the single-largest determinant in the purchasing decision, with 45% ranking it as number one and another 19%, number two. A positive finding was that pricing was not the most influential factor in selecting coverage, suggesting that respondents are not simply shopping for the lowest rates, but rather are interested in comprehensive coverage and carriers that are committed to the business. Only 9% of survey participants ranked pricing as number one and 31%, number two.

Market Concerns

If cyber-risk was not a major concern for respondents, a hardening market was. Nearly two-thirds of survey participants were either seriously concerned (17%) or moderately concerned (46%). Another 32% expressed slight concern. One way to address this issue is for respondents to more actively engage in the use of analytics to prepare their companies for a market change. And it offers brokers an opportunity to help clients better see the linkage between effective analytics and preparation for a hardening market. It is a connection that was not as essential in a soft market, where coverage was more accessible and relatively inexpensive.

Companies are taking steps to prepare for a hardening market. In both the property and casualty markets, companies are marketing their programs with respective 69% and 63% response rates. A third of property respondents indicated that they are using broker-provided catastrophe modeling. Among casualty respondents, 44% are using independent, actuary-provided retained loss analytics and 30%, predictive modeling. However, predictive modeling is much more likely to be used by insurers (38%) than noninsurers (29%). A sure sign that companies are anticipating a potential market hardening is the respective 25% and 19% response rates among companies participating in the property and casualty markets that they are putting out RFPs for brokerage services.

But if respondents are trying to prepare for a market hardening, there are still steps they need to take to become better informed about the market. A notable 22% indicated that they were not aware that there had been changes to the assumptions being used in property catastrophe modeling.

For those companies that do intend to reach out to insurance brokers or those that already have insurance brokerage services, depth of resources and knowledge are ranked as more important considerations than cost of services. Half of respondents ranked depth of resources as either first or second in range of importance for insurance brokerage services. Company knowledge was ranked first by 27% and second by 20%, and industry knowledge received a respective 20% and 28%. The response is an affirmation that respondents are willing to pay for solid service and reliability. But cost was only ranked first by 12% and second by 11%, for a combined 23%.

In a similar vein, technical skill, ranked most important by 46% of respondents, was the most important feature identified for actuarial services. And for captive insurance companies, mitigating the impact of insurance market price and coverage changes was the most important benefit of using captives, with 41% citing it as the first choice. The ability to pursue innovative risk financing strategies, such as putting employee benefits into a captive, ranked next most important, with 33% ranking it first.

About Towers Watson

Towers Watson is a leading global professional services company that helps organizations improve performance through effective people, risk and financial management. With 14,000 associates around the world, we offer solutions in the areas of employee benefits, talent management, rewards, and risk and capital management.

Copyright © 2012 Towers Watson. All rights reserved. TW-NA-2012-24351

towerswatson.com

About This Study

Towers Watson’s third annual Risk and Finance Manager Survey examines how North American companies use outside resources, tools and frameworks to address risk. The online survey was conducted from February 16 through March 12, 2012. A total of 153 companies responded, a 2% participation rate.

The largest group of respondents, 34%, had total 2011 revenues of between US$1 billion and US$4.9 billion, followed by 23% of the respondents with total revenues of under US$500 million. A significant 17% of survey participants had total 2011 revenues of US$10 billion or more.

The three industry sectors with the largest survey representations were manufacturing, with 22%; financial services, including insurance, with 13%; and health care, excluding pharmaceuticals, also with 13%.

Conclusion

Recent experience proved that there is a pressing need for ERM. Fallout from the roiling financial markets of the last several years illustrates how damaging unbridled risk is for companies. Global regulators have taken note and are in the process of instituting new regulations based on an ERM blueprint.

But even with compelling past and future reasons to implement ERM programs, there is little movement to do so. This year’s response is only slightly more affirmative than results from last year’s survey.

What becomes evident is that more formal ERM education would benefit any company that is interested, or should be interested, in managing its level of risk. That education needs to start at the most basic level: identifying acceptable levels of risk and prioritizing key risks. However, those companies aiming to mature their ERM process should consider using quantitative tools to understand the potential impact of risks on the business, measure the return on investment from risk mitigation solutions, and improve the budgeting and planning process.

Companies would also benefit from reexamining how they treat certain kinds of risk, such as cyber-threats. For instance, it may be worthwhile for companies to consider an outside assessment of how current systems protect them from cyber-security threats. This could supplement heavy reliance on internal IT departments. Companies should also reevaluate the purchase of network security/privacy liability policies, considering the value of the benefits provided (e.g., defense costs, credit monitoring) versus the catastrophic nature of the exposure.

It may be particularly important for companies to take action if, as many respondents indicated, the P&C market is hardening. Companies are already starting to market their programs and make more use of modeling and analytics. They are also reaching out to brokers. Brokers need to understand how they can better position companies for any upcoming changes.

Figure 3. Total revenues in 2011 (bar chart; categories: under US$500 million; US$500 million – US$999 million; US$1 billion – US$4.9 billion; US$5 billion – US$9.9 billion; US$10 billion or more). Base: Those giving a valid answer (percentages exclude “prefer not to say”) (n=144). Mean = $2,284 million.