ERM for health insurance from an actuarial perspective
A discussion paper
By G.C. Orros and J. Smith
29 November 2010 (London)
Presented to the Institute and Faculty of Actuaries

ABSTRACT

This paper focuses on Enterprise Risk Management (ERM) and strategic business management for health insurance companies in our world of ‘unknown unknowns’ and the emergence of unexpected risks over time. It illustrates how Chief Risk Officers (CROs) can focus on ‘risk and opportunity management’ through an ERM framework, and thereby balance risks against opportunities, whilst being resilient against ‘unknown unknowns’ and their emergence over time as ‘known unknowns’ and ‘known knowns’. The paper has been designed to meet the broad requirements of health insurers that would like to implement an ERM framework for the effective risk management of their health insurance lines of business. Risk management for health insurers in the context of Solvency II and broader European Commission regulatory requirements is also discussed. The authors discuss how insurers can develop and apply risk management to build resilience in the face of the storms and shocks that may lie ahead.

KEYWORDS

Enterprise risk management; strategic risks; risk and uncertainty; governance; risk appetite; health insurance; healthcare providers; NHS.

CONTACT ADDRESS

George Orros, BA, MSc., MBA, FIA, FCII, C.Stat, Chartered Insurer, Marsh Ltd., Tower Place, London, EC3R 5BU, United Kingdom. Tel: +44(0) 207 357 2768. E-mail: [email protected]

1. INTRODUCTION

1.1 Background

1.1.1 Health insurers and healthcare providers succeed and fail for many reasons, and the management of unexpected or unpredictable events has always attracted interest.
Furthermore, there is a growing realisation that there is upside as well as downside risk potential. This leads to the concept of risk and opportunity management as being the cornerstone of effective enterprise risk management.

1.1.2 This paper has been written by two health insurance actuaries who are interested in such events (or risk) and the possibilities for risk and opportunity management. Consideration has been given to both the short-term and long-term features of UK health insurance business. While the paper takes a health insurance perspective, the authors believe it may have wider applicability. Note that, in this paper, we are narrowing our view of health and care insurances to only those health insurance products that cover the costs of care provided in the event of illness or injury. We do not consider products that cover lost income or debt servicing obligations that are sometimes referred to as income protection.

1.1.3 Enterprise Risk Management is not purely an actuarial preserve; it is important to recognise that it is relevant to all areas of healthcare and that most of the work to date has been carried out by non-actuaries. Our discussion suggests that the opportunities for actuaries to make a meaningful contribution are growing, especially given rapidly changing UK regulatory and capital market conditions, including Solvency II developments.

1.1.4 ERM has been around for many years and yet it has had a chequered history, only recently starting to be fully adopted by companies in the UK insurance and financial service markets and elsewhere around the world. Elements of ERM have also been applied throughout the UK National Health Service (NHS) and other UK government agencies.

1.1.5 Continued development of the regulatory environment and the sophistication of risk analysis techniques have changed approaches adopted by health insurers and the wider community of life and non-life insurance companies.
ERM is now commonly accepted as a necessary part of any successful health insurer’s modus operandi, even if what ‘good ERM’ means is not commonly understood. ERM appears here to stay.

1.1.6 ERM has become a pivotal component of the forthcoming Solvency II regime for the UK and the European Union. Although this paper is focussed on ERM, substantive references are made to Solvency II, its development and the associated regulatory framework.

1.2 Structure of Paper

1.2.1 Following this introduction, section 2, entitled ‘ERM Framework for Health Insurers’, considers what ERM is and/or should be for UK health insurers. The scope of ERM is discussed and how it varies from what has previously been discussed under the heading of risk management. It summarises key aspects of the ERM process based on what the authors regard as current best practice. The topics include:
(a) ERM framework model that would be suitable for UK health insurance obligations.
(b) ERM process inputs, mechanisms, constraints and outputs for a health insurance company.
(c) Examples and case studies of ERM process tools and techniques for a health insurance company.

1.2.2 Section 3, entitled ‘Practical Examples of Risk and Opportunity Management’, provides a case study example based on innovation portfolio screening tools for health insurance business cases.

1.2.3 Section 4, entitled ‘ERM Framework for Healthcare Providers, Consumers, and Policy Makers’, considers what ERM is and/or should be to these actors in the UK healthcare market, the scope of ERM and how it varies from what has previously been discussed under the heading of risk management. The topics addressed include:
(a) Health insurance ERM context within the UK’s mixed economy of healthcare financing and provision.
(b) ERM practices in the NHS, private healthcare providers and preferred provider networks.
(c) ERM in the healthcare area is not a new thing (e.g. NHS practices, Department of Health, etc.).

1.2.4 Section 5, entitled ‘Health insurance under Solvency II’, considers certain aspects of ERM from the perspective of a regulator under the developing Solvency II regulatory regime as it will impact UK health insurers. The topics in this section include:
(a) Solvency II developments and issues for health insurance business.
(b) How health insurance risks are conceptualised under Solvency II as well as how risk-based capital requirements for health insurers will be measured.
(c) Potential health insurance industry reactions to Solvency II developments.

1.2.5 In section 6, entitled ‘Many Risks ... and Many Views on Risk’, having considered risk management perspectives of insurers, providers, consumers, policy makers, and regulators, the threads are pulled together and synthesised to provide a high-level view of ERM for health insurers in a Solvency II world. This poses some interesting questions, such as:
(a) Is health insurance fundamentally different as a class of insurance?
(b) How should one balance long-term customer wants and requirements against the short-term nature of health insurer’s contractual obligations and regulatory requirements?
(c) Are there important risk management gaps arising from the varying perspectives of participants in the market?

1.2.6 Finally, in section 7, we draw some conclusions.

2. ERM FRAMEWORK FOR HEALTH INSURERS

2.1 Health insurance in the UK is a complex subject from a risk management perspective. It has short-term, medium-term and long-term enterprise risk connotations and these aspects need to be managed to the satisfaction of the key stakeholders.

2.2 There are multiple perspectives on risks in health insurance decisions and purchases. For example, the health insurer may want to manage risk to meet whatever its business objectives are, whereas the regulator may require sufficient capital so that the insurer can manage its risks over a 1-year time horizon.
The insured and/or their insured dependants may want the insurer to be solvent in the long-term and to be there to provide relevant insurance cover in future years and also in their old age. Therefore, the health insurance CRO requires a broad ERM framework that can deal with the multifaceted risk perspectives of the key stakeholders.

2.3 The health insurance CRO should also consider the risk perspectives of its key suppliers, such as the private and public sector healthcare providers. These will generally have business objectives and capital investment programmes that will need to be carefully assessed and understood. It will be important, therefore, for the CRO to review their business plans and to consider how these plans may affect their business relationships with the health insurer. This argues for a broad ERM framework that can deal effectively with the interactions between insurers and providers.

2.4 Furthermore, as the NHS in the UK accounts for the great majority of healthcare expenditures, state financing and political considerations can have an important bearing on the ERM issues faced by the health insurers and their planned risk responses. For example, NHS restructuring plans will inevitably affect the complementary and supplementary product mix that the health insurers should offer in response to the changing requirements (given the NHS offerings) of their personal and corporate health insurance customers. This argues for a broad ERM framework that can deal effectively with external sources of risk, such as legal, political, economic and social risks.

2.5 The authors believe that ERM framework models that can deal effectively with the qualitative as well as the quantitative risk issues are likely to be more useful to the health insurance CRO than those with primarily a quantitative focus. It is clear to the authors that, although quantitative risk analysis can be useful, such analysis alone is a necessary but insufficient success criterion.
Therefore, the authors favour broadly based ERM framework models that can provide an appropriate balance between the qualitative and the quantitative risk issues.

2.6 The operational risk elements of enterprise risk management, implications of value innovation and blue ocean strategies are outside the scope of this paper. Readers are directed to relevant papers on insurance companies, Orros & Howell (2006), on general insurance, Tripp et al. (2004) and on life assurance, Dexter et al. (2006).

2.7 ERM frameworks for insurance lines of business have been studied by several actuarial research groups, both in the UK and internationally. There have been several Institute of Actuaries papers on the subject, including one on general insurance, Tripp et al. (2008) and another on life insurance, Deighton et al. (2009).

2.8 ERM is viewed as a lead indicator, where a weakening of standards is an indicator of future problems. In particular, excellent ERM insurers need to be mentally prepared for soft markets (e.g. credit markets, equity markets, interest rate markets and insurance markets) and understand the implications for risk limits and risk/reward standards in the face of the softening of each of their relevant risk markets.

2.9 In the view of the authors, three of the more interesting broadly based ERM framework models for a health insurance CRO would be those associated with COSO, Standard & Poor’s and Chapman. These models were selected from a wider range of ERM frameworks, Orros (2007a), together with an ERM bibliography of 60 relevant publications, Orros (2007b).

2.10 A brief discussion of the COSO, Standard & Poor’s and Chapman models is shown in figures 1 – 9.

2.11 COSO ERM Framework Model

2.11.1 COSO (The Committee of Sponsoring Organisations of the Treadway Commission), COSO (2004:2) has defined ERM as follows: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.

2.11.2 The COSO Integrated ERM Framework principles and methodologies are a unifying suite of holistic enterprise risk management processes applicable to almost any enterprise or organisation in both the private sector and the public sector (e.g., Government, regulators). Private sector applications can include insurance and financial services business.

2.11.3 The COSO ERM framework is illustrated in Figure 1.

[Figure 1: COSO ERM Framework]

2.11.4 The COSO suite of application techniques covers the ERM issues associated with the internal environment, objective setting, event identification, risk assessment, risk response, control activities, information, communication and monitoring, COSO (2004). The underlying premise is that every entity exists to provide value and that all face uncertainty and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.

2.11.5 Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value has the potential to be maximised when the management team sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.

2.11.6 According to COSO, ERM encompasses:
(a) Aligning risk appetite and strategy, via evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
(b) Enhancing risk response decisions, via providing rigour in identifying and selecting among alternative risk responses (i.e. risk avoidance, reduction, sharing, or acceptance).
(c) Reducing operational surprises and losses, via gaining capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
(d) Identifying and managing multiple and cross enterprise risks, via facilitating effective response to the interrelated impacts, and integrated responses to multiple risks.
(e) Seizing opportunities, via considering a full range of potential events, management is positioned to identify and proactively realise opportunities.
(f) Improving deployment of capital, via robust risk information that allows management to assess effectively overall capital needs and enhance capital allocation.

2.11.7 ERM capabilities can help management achieve performance and profitability targets and prevent loss of resources. It can help ensure effective reporting, compliance with laws and regulations, and help avoid damage to reputation and associated consequences. Events can have negative or positive impact, or both. Negative impact events can erode existing value. Positive impact events represent opportunities that can inform strategy and objective setting.

2.11.8 Risk appetite can be expressed in terms of a ‘risk map’, such as the map in Figure 2. Any significant residual risk in the map’s yellow area exceeds the company’s risk appetite, and requires management action to reduce the likelihood and/or impact of the risk in order to bring it within the company’s risk appetite, COSO (2004).

[Figure 2: Risk appetite expressed as a risk map. Axes: Impact (Low, Medium, High) against Likelihood (Low, Medium, High). Regions: Exceeding Risk Appetite; Within Risk Appetite.]

2.11.9 The company can then strive to diversify its portfolio to earn a return that is aligned with the target risk profile. Inevitably, plotting the current state of the estimated ‘return’ against the ‘capital at risk’ will identify instances where the ‘return’ is insufficient to justify the ‘capital at risk’, according to the company’s risk appetite. In such situations, the associated business plans need to be revised to satisfy the executive management and the Board that the proposed returns are compatible with the capital at risk and the risk appetite. Portfolio diversification may be required in order to propose a ‘return’ that is aligned to the target risk profile, closer to the efficient risk/return frontier, rather than lower down in the interior of the risk region, COSO (2004).

2.11.10 A health insurance example of this might be expanding the product range to include a broader array of excess level options to policyholders at each renewal. All things being equal, higher excess products make claim costs more volatile and require more policies to diversify. Availing the option to policyholders will also increase selection. However, the option could make a firm’s offering more marketable. The question then becomes whether the firm has the appetite and additional capital to support increased risk exposure, and whether expected margins would produce a suitable return on capital.

2.11.12 Figure 3 illustrates the principle, and the effects of three business plan revisions that were designed to move three business units closer to the efficient risk frontier.

[Figure 3 – Principle and effects of specific business plan revisions. Axes: Return against Capital at Risk. Plotted labels: Global Protection; High Excess Personal; Low Excess Personal; Corporate; Individual Surgical; Individual Health Cash; Hospital Cash Plan. Legend: Current State; Target State.]

2.12 Standard & Poor’s ERM Framework Model

2.12.1 Standard & Poor’s (2005) provides an ERM evaluation methodology for insurers which consists of seven initial criteria: competitive position, management and corporate strategy, operating performance, capitalisation, liquidity, investments, financial flexibility. ERM rationalises the risk limits and tolerances across different individual risks and allows comparable measures to be applied so that the risk management process can be performed at both the individual risks and enterprise level.

2.12.2 Risk capital values can also be linked to risk taking activities enabling assessment of projected and historical performance of activities in proportion to their economic capital requirements. Targets can be set for the return on ‘economic capital’ of each activity, capital is allocated to optimise the expected return on economic capital and management efforts to meet targets are assessed.

2.12.3 According to Standard & Poor’s, a health insurer that practices ERM will be working constantly to identify risks and regularly monitor the important risks. It will also have standards and limits in place for the amount and form of the risks that it is prepared to retain or tolerate as well as processes to measure and manage its risks so as to stay within formally agreed limits, within a controlled risk-taking environment.

2.12.4 A health insurer that practices ERM is not one where managers believe that they do not take any risks. Rather, it is a health insurer where managers knowingly take considered risks and understand that losses are probable.
In effect, ERM should provide the health insurer with reasonable grounds to believe that it will be able to manage any events and losses within predetermined bounds.

2.12.5 The strategic risk management pillars are illustrated in Figure 4.

[Figure 4: Strategic Risk Management Pillars. Labels: Strategic Risk Management; Risk Control Processes; Extreme Events Management; Risk and Economic Capital Models; Risk Management Culture.]

2.12.6 Standard & Poor’s suggested that ERM as a rating criterion has added weight for insurers as taking risk and then managing it are core insurance business activities. Companies are viewed as having excellent, strong, adequate or weak ERM relative to the risks of the company, its ability to absorb risks and the complexity of the risks.

2.12.7 The Standard & Poor’s ERM classifications relate to sustained capabilities to identify, measure and manage risk exposures and losses within the company’s predetermined tolerance guidelines; evidence of the enterprise’s practice of optimising risk-adjusted returns; and the extent to which risk and risk management are important considerations in corporate decision making.

2.13 Chapman ERM Framework Model

2.13.1 According to Chapman (2006:8-9), the enterprise risk management process is defined as: “ERM is a systematic process, embedded in a company’s system of internal control (spanning all business activity), to satisfy policies effected by its board of directors, aimed at fulfilling its business objectives and safeguarding both the shareholder’s investment and the company’s assets. The purpose of this process is to manage and effectively control risk appropriately (without stifling entrepreneurial endeavour) within the company’s overall risk appetite. The process reflects the nature of risk, which does not respect artificial departmental boundaries and manages the interdependencies between the risks.
Additionally, the process is accomplished through regular reviews, which are modified when necessary to reflect the continually evolving business environment.”

2.13.2 Chapman (2006:7) describes the process of ERM, which is essentially one of risk and opportunity management, as impinging: “on the 4 main functions of Boards; policy formulation, strategic thinking, supervisory management and accountability and their respective control cycles”.

2.13.3 These Board functions are illustrated in Figure 5.