Drive more value from risk management in insurance

Sword GRC Blog


Working within the insurance sector and keen to learn how you can protect value and derive greater reward from risk management efforts within your organization? If you missed our webinar, ‘Top 10 ways to drive more value from risk management in insurance’, this post features highlights from guest speaker Lisa Cosentino’s insightful presentation.

Lisa, who leads business advisory services at Wouch Maloney & Co, boasts extensive experience in designing and executing compliance programs, applying a holistic approach to assessing risk and its impact on the organization. A frequent contributor to industry publications, she has presented at numerous conferences including the Pennsylvania Association of Mutual Insurance Companies (PAMIC), the Insurance Accounting and Systems Association (IASA), and the Institute of Internal Auditors (IIA).

The full ‘Top 10 ways to drive more value from risk management in insurance’ webinar also demonstrates how Lisa’s techniques can be practically applied within Sword Operational Risk Manager, our feature-rich, web-based risk management system for the financial services sector.


“Talking to companies, I often hear from boards and CFOs that they are discouraged by the expensive and cumbersome method of the risk management process and they really want a streamlined approach. They feel uncertain that key risks are adequate in desire, want a process that holds measurable rewards, need clarity on the data they should be analysing and reporting to the board and senior executives for strategic decision-making.”

  1. Map your risks to your strategic objectives
    “To adequately monitor your risks, you have to align your risk identification with your company’s strategy. I would challenge you to actually question whether your risks are mapped effectively – do you have the right data, the right risk profiles and action plan in order to address what the risks are? Does your organization know the strategy and the strategic objectives as well as the business objectives?”
  2. Drive an entity-wide common language for risk
    “Does everyone within the organization understand what is meant by governance and culture, strategy, objective setting, performance, review, information communication and reporting? And what does that reporting look like? From my experience in having many different hats in the insurance industry, from being an officer, to external and internal auditor, to assisting regulators and forensic accountants, one thing is always present and that is that everyone assumes that someone is managing risk and doing it well. If asked if they understand ERM, people answer ‘Yes’. When asked if everyone within the organization understands ERM, people say ‘No’. That’s a big disconnect. Using a common language for risk is extremely important so that terms are fully understood. Value can be added by implementing this understood, common language within your risk management system.”
  3. Clarity for all groups included in the risk process  
    Different operating structures may result in different perspectives of a risk profile, which may affect ERM practices. “It’s really important to evaluate appropriately, spend the appropriate amount of time in the relevant areas, decreasing burden and cost.”
  4. Efficient risk mapping to appropriate frameworks
    “To drive value, if you look at your risk management with a holistic approach, you will meet your regulatory and internal reporting requirements… Having all critical risks identified in the risk management process will allow you to understand risk appetite, risk tolerance involved in your governance and have good clarity on processes for your regulators.” Lisa advises that, rather than taking a siloed approach, with an internal audit team doing their thing and financial ratings and Own Risk and Solvency Assessment (ORSA) teams working independently, the risk management process should be at the heart of activity, to drive efficiency and time savings. “By mapping for fraud risks, IT security and cyber security rules, you’ll get a very streamlined approach to reporting to your regulators.”
  5. Effective risk ownership 
    “Everyone needs to understand the strategy, not just those in the department doing risk management. Risk management should be throughout the organization and everyone should be involved in the process. Ownership should push down the organization from the board level… Is your board only engaged in occasional and ad hoc treatment of risk and risk management? A streamlined, dynamic process, with information communicated electronically will force risk ownership down.”
  6. Timely identification of risk changes
    “Look at emerging risks and rising risks and make sure that these types of risks are included in dynamic discussions. Also look at risks that have moved down in importance overall. See if exposure has changed periodically.” Lisa suggests that retired risks should be monitored sporadically as they could in fact re-emerge and be of relevance.
  7. Clarity of impact of risk changes and trends
    Taking the example of a large data breach, she details how one change in risk can have an impact within other areas of the organization – there may be the inability to process claims correctly, or regulator requirements may change. “Stress testing shows you the assumptions made to your assessment, the severity of your risks, behaviors of individual risks under stress conditions, but also the inter-dependence of your risks. So, if there’s an increase in your reinsurance rates, and a decrease in your investment returns as well as an increase in your claims exposure and catastrophic losses… how does it all affect the survival of your organization? By looking at the effectiveness of your risk responses, you can react in a timely manner and with precision.”
  8. Clarity in risk mitigation strategies
    Lisa outlines how an organization’s approach to risk may fall into four areas: Acceptance; Avoidance; Transfer; Limit. “With a large list of risks, the right people involved, using the right terminology, you have to look at how you are monitoring or mitigating these risks within the organization. With that clearly documented and understood, you are going to add value to your risk management process.”
  9. Internal audit activities mapped to ERM
    To enhance value, Lisa suggests that internal audit should play a role in ERM practice. “They can also review the management of the key risks, looking at the risk mitigation strategies, auditing and reporting independently and objectively on them.” She points out that when she talks to internal auditors, many say that they do their own risk assessment. “It’s true, they do, but their internal audit plans should be based upon the organization’s overall risk management and from that pick up key areas in which they should be formulating plans.”
  10. Streamlined risk reporting
    When talking with senior management, Lisa has found that risk reporting is the area of greatest frustration, with time spent compiling and then modifying reports, the issue of multiple versions being in circulation, and the board and leadership not having sufficient time to review accurate and timely data. “In an organization where everyone is appropriately taking ownership of risk, and reviewing the appropriate information, can really help streamline this process if it’s readily available.” She adds, “The board should be aware of the type and the magnitude of the company’s principal risks and they should require the CEO and chief executives to report that to them, taking an oversight role that allows them to make the decisions.” The right information should be ‘pulled up’ to the top of the organization.


The full ‘Top 10 ways to drive more value from risk management in insurance’ webinar is available to view free of charge.


Learn more about the ‘single source of truth’ that drives more value from your risk management, Sword Operational Risk Manager.