Just because they protect other organizations doesn’t mean insurance companies are immune to risk. Insurers have the same issues with natural disasters, cyber risk and professional liability as any other business.
But when an insurance company has a cyber breach, is sued for mismanagement or suffers an insurable loss, the cost is usually larger than just the price of fixing the problem. Because they are hired to help clients manage risks, an insurer’s inability to protect itself from risk can result in massive damage to its reputation, hampering the company’s ability to retain and attract clients.
These risks have become even more difficult to manage after a global pandemic upended families and wreaked havoc on the global economy. In such an environment, Enterprise Risk Management (ERM) can help manage the risks.
Why ERM?
ERM is a holistic approach to risk management that accounts for all risk across an enterprise, determining how these risks interconnect and affect each other. One of the strengths of this approach is analyzing and prioritizing risks that affect the entire organization, not a specific business line or division. Often, siloed business units fail to recognize that their risks may affect other parts of a business.
An insurance company with solid ERM practices can identify how these risks may play out across its business lines and how a problem in one area will hurt its finances, management and reputation overall.
ERM starts with extensive data gathering. In-depth data analysis gives insurance companies a better picture of their risks. An insurance company can then identify and prioritize the management of those risks most acute to its organization. Insurance companies benefit immensely from this approach, which gives them:
- Increased predictability in the cost of risk and a stronger negotiating position in securing coverage.
- Greater confidence in rates the insurance company pays.
- A more robust defense on allegations against officers and directors.
But ERM is more than insuring risk — in some ways, it’s about managing what’s uninsurable. An insurance policy is the last layer of protection in an intricate web of risk management that ERM helps provide.
Starting with ERM
ERM for insurance companies starts with four steps:
- Perform a business impact analysis. An analysis takes a closer look at the business, gathering data on critical business operations and the associated resources necessary to ensure operational resilience. This data can be used to determine the projected cost of a disruption such as a weather event, including service delivery, recovery time objectives and recovery point objectives. It also shows how risk in one part of the business can affect the entire enterprise.
- Develop business continuity plans. Business continuity plans outline procedures and guidelines for operating during an unplanned disruption. How, for instance, can an insurance company keep operating if a hacker is holding its data hostage? A business continuity plan can help answer that question, covering every aspect of the business, from business processes and assets to human resources and business partners. Existing business continuity plans need periodic reviews and updates.
- Test the plans for reliability. Management, designated test teams, and certain employees need to practice business continuity plans. Tabletop exercises, physical drills and other tests can show what works and what needs to be changed. Whether it’s cyber risk, professional liability risk or a natural disaster, testing business continuity plans is the only way to see if they work.
- Take a team approach. Insurance companies know it’s critical to develop a team of dedicated risk management experts to focus on different components of risk, stay on top of emerging risks and educate employees. In lieu of a dedicated risk management team, your broker can help bring ERM to your business.
If your insurance business is small or medium-sized, you may not have a risk manager or a risk department that can dedicate itself to developing this kind of business-wide plan.
Contact HUB International for more information on developing ERM in your organization.
