MENA Insurance Enterprise Risk Management Survey. April 2015

Transcription

1 MENA Insurance Enterprise Risk Management Survey April 2015

2

3 Contents 4 1. Foreword 6 2. Introduction Risk governance and strategy Risk culture Risk management processes Technology enablement People and organization Regulatory/credit rating requirements Integration among risk, business and finance Appendix: Survey participants

4 1 Foreword

5 Foreword Fellow insurance industry professionals, It is with great pleasure that we share the MENA Insurance Enterprise Risk Management Survey that has been developed in joint collaboration between Munich Re and EY, on the insurance markets of Kingdom of Saudi Arabia (KSA) and United Arab Emirates (UAE). As part of our commitment to develop risk awareness and risk culture in the MENA insurance industry, we believe it will be useful for you to have access to this up-to-date and relevant industry information to help ensure that we all benefit from leading practices in the insurance sector. We have embarked on this initiative in KSA and UAE to start with, two being the largest insurance markets in the region, covering majority of the premiums written. The industry is still at an early stage of addressing the Enterprise Risk Management (ERM) challenges. Similar to Solvency II in Europe, there are no uniform regulatory requirements in the MENA insurance industry at present; however, each of the regulators in respective countries are at different stages of introducing risk, governance and solvency requirements. The report is based on an online industry survey combined with individual interviews with senior management of some of the insurers in both the aforesaid countries. Results are presented in a summary form on an anonymized basis across both countries; however, where we have identified divergent trends in the two markets, the same has been highlighted. Working on this project over the past few months was immensely informative and thought provoking for our team. We thank you for your participation in the survey and risk sessions. We hope you will find useful insights in this report to support your risk agenda. Bernd Kohn Munich Re Chief Executive Middle East and Africa Abdulaziz Al-Sowailim Chairman and CEO EY MENA Confidential All Rights Reserved EY 5

6 2 Introduction

7 About the survey and report EY and Munich Re embarked upon this regional initiative to conduct a joint Enterprise Risk Management (ERM) survey in the Kingdom of Saudi Arabia (KSA) and United Arab Emirates (UAE). The MENA Insurance Enterprise Risk Management (ERM) survey was conducted to gauge the maturity of ERM practices in the KSA and the UAE insurance markets, identify risk management challenges that insurance companies face and take a view on the evolving risk governance practices. Our efforts were focused on the insurance companies in KSA and UAE, including rated and unrated insurers, life, P&C and composite insurers, single country and regional operators, to have a comprehensive view of the market in both these countries. The survey was designed to cover the end-to-end risk management cycle. It was organized into the following key areas and we have provided a summary of key findings for each of these areas at the beginning of each sub-section: Risk governance and strategy Risk culture Risk management processes Technology enablement People and organization Regulatory/credit rating requirements Integration among risk, business and finance In addition to the online ERM survey, the EY-Munich Re team also carried out focused interviews with selected insurers in the KSA and the UAE, to gain a better understanding of the risk culture and management s philosophy toward risk. These meetings were mainly held with the GMs, CEOs, CROs (or risk managers), risk committee members, CFOs and head of re-insurance. We used a number of close-ended (multiple choice) and open-ended questions in this survey to obtain the suitable responses from the participants. These responses were combined with the insights that we obtained during our interaction with the industry participants to draw conclusions in different areas. In few cases, we have chosen to present the factual outcome and left it to the readers to draw their own conclusions. Where applicable, we have supplemented the survey findings with EY s and Munich RE s perspective, which is primarily drawn based on leading industry practices and benchmarks. The responses from the UAE participants were obtained prior to the release of new regulations around solvency, investments, technical reserves, accounting and risk management, which were issued by the UAE Insurance Authority on 2 February We hope that the information provided in this report will help insurance companies in evaluating and improving their own risk management practices against those of their peer group. We assure absolute confidentiality of individual responses and all the findings are presented in a summary form on an anonymized basis. Confidential All Rights Reserved EY 7

8 Executive summary MENA insurance industry is going through an interesting phase, with a number of market defining changes taking place. The market is continuing to grow on the back of government-backed infrastructural spending, large scale developmental projects and compulsory insurance (motor and medical). As the markets move toward more maturity, the regulatory landscape has undergone a major transformation in the recent past, led by the regulators in the KSA, Qatar and the UAE. As a result of the changing market and regulatory landscape, the subject of risk management is high on the agenda of the MENA CEOs and is becoming increasingly important for insurance companies daily activities and long-term sustainability. Given this, EY and Munich Re conducted this survey, results of which are expected to be of great interest and benefit to the industry at large. This ERM survey report covers the insurance markets of the KSA and the UAE. In terms of the participation, of all licensed insurers (listed/non-listed) participated in the survey spanning over the KSA and the UAE insurance markets. These insurers represent approximately 4 of the gross written premiums (GWP) of the KSA insurance market and approximately 69% of the GWP of the UAE insurance market (listed companies only). The majority of the participants were insurers offering both the general and life insurance, whereas one-third of the participants offer only general insurance. Half of the participants are rated by an external rating agency. Most of them are rated by S&P. Other rating agencies include AM Best and Moody's. The survey was designed to cover the end-to-end risk management cycle, including risk governance, strategy, risk management process and integration with other business areas. There was a remarkable difference in the risk management practices and framework of those insurance companies that are rated by an external rating agency as compared to those which are not. It was observed that the basic building blocks of a risk management framework, i.e., risk governance, strategy and risk appetite, continue to pose a major challenge for many insurers. Even if some of the insurers have established an enterprise-wide risk appetite, many have not been able to effectively cascade it down to the operational level and embed it into their decision-making or insurance value chain. Key study highlights 41% respondents that do not have a risk management department 4 do not have a formally defined and approved risk appetite statement in place & 18% long way to go to establish strong risk culture in the KSA and the UAE respectively 41% insurance companies believe there is a need to improve their overall risk management framework 8

9 Key study highlights 75% of risk reporting level and measurement are still poor 4 out of 5 respondents believe they have an opportunity to improve their risk identification and assessment process 8 ERM is an area of discussion with the regulator in the KSA 44% insurers know that reinsurance can be used as a risk management tool but don t have the necessary integration in place Importantly enough, risk governance structure is going through positive changes, with board of directors beginning to play a role in approving organization s risk policies and tolerances, and spending more time on the risk-related issues. The roles of CROs and risk managers are still evolving in the region, as they start to participate in diverse areas of the business, including strategy and planning, product development, pricing and compensation, to show tangible benefits that risk management can bring to the business. Shifting the mindset is a long-term change initiative requiring ongoing commitment of all stakeholders, including the regulators, shareholders, board of directors and senior management. The KSA insurers rated business taking ownership of risk as the top challenge to strengthening the risk culture, whereas the UAE insurers rated lack of a strong regulatory regime and competitive pressures as the top challenges for them. Lack of qualified risk professionals is a key concern most of the insurers are planning to increase their risk budget over the next three years, primarily to have more qualified risk staff. There is a lot to be done to change and fully embed appropriate risk methodology and risk processes. Technology, data and systems were found to be lacking to support a robust risk management framework, and hence many insurers are planning to invest substantial time and resources to improve technology to support risk management. Risk management practices were generally more developed and enhanced in the KSA due to SAMA s regulatory enforcement push in the recent past. There were a number of common issues highlighted with the UAE insurers, including significant exposure to high risk assets, weak ERM practices, lack of standardized accounting policies, and lack of measurement/standard reporting of technical reserves. The new rules introduced by the UAE Insurance Authority in February 2015 are expected to resolve some of these issues. When SAMA introduced similar rules in the recent past, the KSA insurers faced initial challenges, resulting in the industry going through a rollercoaster ride (in terms of financial results) over 2013 and A similar trend is expected in the UAE insurance market over the next few years. However, as proven by the KSA example, these challenges are short to medium term in nature and such initiatives lead to overall development and benefit of the industry in the longer term. Confidential All Rights Reserved EY 9

10 Key study highlights 6 insurers believe implementation of risk regulations will impact business model and cost of doing business 67% insurance companies need to significantly improve their technology, data and system 88% have not fully implemented an IT system to support risk management 85% have weak integration with risk-based compensation Regulatory reforms are driving fundamental changes to the business. As a result, improvements to risk management practices are taking place to meet the fast changing regulatory environment. However, preparedness to comply with recent regulatory requirements, especially in the UAE, is low and insurance companies should start taking action to meet the regulatory requirements. 4 of the KSA insurers mentioned capital allocation as one of the key risk items, which underlines the solvency and minimum capital issues faced by the KSA market in the recent past. Most of the risk priorities were common in both the KSA and the UAE markets, except for the level of importance, i.e., the KSA insurers rated capital allocation and solvency as number one priority, whereas the UAE insurers rated risk governance as their number one priority. Both the KSA and the UAE insurance companies believe that the implementation of regulatory guidelines on risk management and risk-based capital will impact their business model, capital level, cost structure, investments, etc. While risk management is still perceived as a tickbox exercise by some insurers, a few insurers are already working toward converting it into a business enabler. This can be achieved by integrating risk management into the key business areas of capital management, reinsurance strategy and risk-based underwriting. As per the survey results, the strongest integration of risk management is with reinsurance function followed by risk-based pricing activities, with 41% and 37%, respectively. While most of the insurers agree with the need for integration, the common challenge remains with the actual implementation and operationalizing of the risk practices into the day-to-day business. 10

11 Key themes from the study Regulations/rating are the key influencers - There is a marked difference in the quality of risk management frameworks of those insurers who are rated as against those, who are not. The KSA insurers are significantly ahead of their UAE counterparts in introducing enterprise risk management framework, mainly due to SAMA s regulatory enforcement. However, this is expected to change with the recently introduced regulatory changes by the UAE Insurance Authority. ERM implementation - Even if basic risk management framework has been put in place by a few insurers, the challenge lies within its day-to-day implementation by operationalizing those risk management attributes. IT enablement - IT enablement in risk management has been extremely limited; however, most of the insurers expect to increase their risk management budgets going forward, to invest in risk staff and IT systems. Actuarial inputs - whilst actuarial inputs are gaining prominence in product pricing and underwriting (especially in the KSA), areas such as economic capital modelling; risk appetite development; determination of risk limits and tolerances, have limited actuarial involvement at this stage. Business integration - Risk management is working in silos with limited interaction with other business areas. Companies with advanced ERM framework expect this integration to strengthen going forward. Confidential All Rights Reserved EY 11

12 3 Risk governance and strategy

13 Risk governance and strategy Governance, risk appetite and strategy are still major concerns 75% of the UAE/KSA insurance companies have regulatory compliance as the main agenda on their boards 34% insurers believe there is room for improvement in development and monitoring of their risk appetite and strategy 4 of the respondents do not have a formally defined and approved risk appetite statement in place Due to the increasing regulatory requirements, risk management oversight has surfaced prominently on the agenda of the KSA and UAE insurance companies boards. However, a considerable amount of work still remains to be done before the risk governance is deemed to have been well established, e.g., 41% of the respondents do not have a risk management department. Tone from the top in the form of a risk appetite statement is an extremely important component of the ERM framework; however, 4 of the respondents did not have a well-defined and approved risk appetite statement in place. Insurance companies not rated by an external rating agency reported lack of risk governance processes and practices. Risk appetite and strategy ranked as the second-most important area of focus for the board. 34% of the insurance companies need to improve their process to align risk appetite and risk strategy with business strategy. Many insurance companies are struggling to effectively cascade the risk appetite through the operational levels of the organization and embed it into day-to-day decision-making. Risk appetite and strategy is increasingly viewed as an important strategic management tool; however, most of the insurance companies have not taken steps to link the risk appetite and strategy to day-to-day decisionmaking. Business Unit (BU) heads provide only the inputs during the risk appetite setting or reviewing process and are not involved in the implementation. 41% of the respondents did not have a risk management department insurance companies need to improve their risk governance processes Confidential All Rights Reserved EY 13

14 Risk governance Risk management ownership Establishing ownership of risk management activities is a critical starting point for an effective risk management function. Only 59% of the insurance companies have a dedicated risk management department. Figure: 1 Existence of risk management function Figure: 2 Ownership of risk management 7% 11% 4% 7% 4% 4% 1 56% 59% Compliance department Internal audit department Other 4% 19% Finance department No dedicated department Risk management department Chief Executive Officer (CEO) Chief Financial Officer (CFO) Chief Risk Officer (CRO)/Risk manager Head of Compliance Head of Internal Audit Other Two third of the respondents reported that the risk management function reports to the CEO only or CEO as well as board risk committee. Figure: 3 Reporting relationship of risk management function 56% of the participants have a chief risk officer or risk manager in place to look after the risk management function. 8 of the participants in the KSA have a CRO or risk manager in place compared to 41% of the insurance companies in the UAE. This is a clear reflection of the regulatory enforcement, as SAMA regulations require the insurers to have a risk manager or equivalent to own and manage the risk management function in the KSA insurers. The trend in the UAE is expected to change with the recently introduced regulations by the UAE Insurance Authority. 4% 11% 19% 22% 44% Board and/or management risk committee CEO Dual reporting to CEO and board risk committee Other There is no risk management function in the company 14

15 Oversight for ERM Board audit committees have the oversight of ERM activities at 56% of the insurance companies. Figure: 4 ERM oversight Contrary to the common perception, the survey findings reveal that head of risk management usually has a good access to the board/committees and has reasonable influence on the day-to-day business decisions. Figure: 5 Head of risk management s role 26% 1 11% 56% Significant influence on day-to-day business decisions, e.g., voting member or veto power for underwriting decisions Direct access to the board or the risk committee without the presence of the CEO and other business executives 41% 67% Audit committee None Executive committee Risk committee Meets regularly with the board risk committee 74% Two-third of the respondents reported that implementation of the ERM framework should be with the management-level risk management committee. Interestingly, the insurance companies that do not have a designated board-level committee to oversee implementation of ERM, typically: Operate only in one country - primarily domestic Have an annual GWP of less than US$500million Are Not rated by an external agency Note: The sum can add up to more than 10 due to multiple answers. Confidential All Rights Reserved EY 15

16 Regulatory compliance risk appears to be the most important risk item on the agenda of the board in both the KSA and the UAE, and this is closely followed by risk strategy and appetite, and risk culture. Figure: 6 Top risk items on the agenda of the board % 76% 7 71% % 5 47% 1 1 6% Risk governance Risk strategy & appetite Capital allocation Stress testing Risk-based compensation Risk technology Risk culture Regulatory compliance KSA UAE Note: The sum can add up to more than 10 due to multiple answers. Stress testing was rated as one of the important risk items by the KSA insurers, whereas none of the UAE insurers listed this as an important risk item. However, with the recent introduction of new rules for insurance companies in the UAE, stress testing is expected to gain importance among the UAE insurers in the coming years. Interestingly, 4 of the KSA insurers mentioned capital allocation as one of the key risk items, which points to the solvency and minimum capitalization issues that the industry has been facing in the recent past. 16

17 Risk priorities The insurers listed the following as their three key priorities for the risk management function in 2015 and 2016: Capital allocation and solvency Risk governance KSA Risk appetite and strategy UAE Risk appetite and strategy Regulatory compliance Launch, implementation of ERM Figure: 7 Maturity: Self-assessment on risk governance 5 45% 44% 4 35% 25% 19% 11% 11% 1 5% Basic Developing Established Advanced Leading 44% of the insurance companies in MENA confirmed that they have an established risk governance. of the insurance companies admitted that they need to take action to improve their risk governance to transition from evolving to established stage. Definitions 1. Basic: Risk governance structure not defined, understood or communicated. 2. Developing: Risk governance structure developed, but not well-understood or communicated. 3. Established: Risk governance structure is clearly defined, understood and communicated, but not consistently reflected in risk-taking decisions. 4. Advanced: Risk governance structure is well established, with clear terms of reference for board committees; and the CRO is involved in key decisions. 5. Leading: Effective risk governance structure in place whereby board and risk committees are effective, adequate and independent. Risk management function is embedded in business decision-making process. Confidential All Rights Reserved EY 17

18 Risk appetite and strategy 4 of the respondents do not have a formally defined and approved risk appetite statement in place. Figure: 8 Existence of risk appetite statement 6% 4% 74% of the insurance companies use regulatory capital as the single most important parameter to set and monitor their risk appetite. Claims ratio, retention limits and concentration limits are rated as the second most important parameter used by the insurance companies. On an average, an insurance company use around 7 to 8 parameters to monitor its risk appetite. Figure: 9 41% 19% 11% Quantitative metrics to set and monitor risk appetite Regulatory capital (above regulatory limits) Claims ratio Retention limits 59% 59% 74% 19% Concentration limits 59% No statement Not sure Currently defining/seeking approval Informally defined/not approved Both qualitatively & quantitatively defined Quantitatively defined 74% of the respondents risk appetite and strategy is approved by the board. 44% of the respondents indicated that the responsibility for developing and implementing risk appetite and strategy is with the CRO/risk management function. Board committee/management committee/ceo s primary role is to review the risk appetite and strategy during the approval process. 63% of the respondents reported that BU heads provide only inputs during the process of setting-up/review of risk appetite and strategy and are not involved in leading the implementation of risk appetite and strategy at the operational level. Operational losses Liquidity (above regulatory limits) Credit ratings Provisions Liquid investment levels Growth measures Earnings at risk Credit rating capital Stress test results Capital ratio Economic capital Note: The sum can add up to more than 10 due to multiple answers. Market reputation, Regulatory expectations and Business goals, were the three highest ranked qualitative aspects that were included in the risk strategy. 26% 37% 33% 33% 33% 44% 41% 41% 41% 48% 56%

19 Figure: 10 Relationship between the size and maturity of the insurance companies in setting and monitoring their risk appetite Quantitative metrics greater than 8 $243 $525 $650 Quantitative metrics less than 8 $167 $233 Basic Developing Established Leading Advanced Note: Size of the bubble represent average GWP (in USD million). Larger companies with comparatively higher GWP ranked themselves as more advanced in self-assessment and also used more quantitative metrics for defining their risk appetite, as compared to smaller companies. Figure: 11 Qualitative aspects of risk strategy % 85% 44% 59% 78% 59% 63% 63% 56% 41% Reputation Expectations of regulators Ratings agencies Investors Counterparties/customers Business goals Views of the board Organizational philoosphy, culture & values Market conditions Competitive environment Management of transformation/major initiatives Note: The sum can add up to more than 10 due to multiple answers. Confidential All Rights Reserved EY 19

20 Linkage to business plans 85% of the respondents have some kind of linkage between risk appetite/strategy and their companywide business planning process. Figure: 12 Linkage between business planning and risk appetite/strategy 19% 1 66% Significant linkage Some linkage No linkage 73% of the respondents review their risk appetite and strategy on an annual basis. Interestingly, no insurer reviews it on a six-months basis. All the life insurance companies have a review cycle of one year to support their actuarial process and pricing decisions. Figure: 13 Periodicity of risk appetite review Insurers that reported significant linkage to business plans are also more open to reviewing the same in the light of the risk appetite and strategy. Table: 1 73% 12% Annual Half yearly Quarterly Not regular Correlation between business plan linkage and review Not reviewed Somewhat reviewed Largely reviewed No linkage 5 17% Some linkage 17% 33% 8% Significant linkage 33% 5 92% If a risk appetite merely becomes a statement that you dust off every year with a perfunctory review process, it is a wasted effort. It has to become a living document that you can relate to in everything you do 20

21 Top challenges There are two strong themes that emerge as challenges related to development/alignment of risk appetite with the business strategy. The first challenge deals with the nebulous nature of risk and difficulty in measuring/quantifying the risk. The problem of risk quantification is one major issue that insurers are struggling with, though 6 of the respondents have quantitative and qualitative defined risk appetite statement. Figure: 14 Top challenges associated with the development/ alignment of risk appetite with business strategy % 44% Expressing risk Determining the appetite for right metrics different risk types (some quantifiable and some that are not) 37% Determining right approach for the company 33% 33% Using the risk appetite framework as a dynamic tool for managing risks rather than another way of setting limits or strengthening compliance Clarity around concept of risk appetite Note: The sum can add up to more than 10 due to multiple answers. The second challenge deals with how risk appetite is perceived by stakeholders. Key stakeholders are conceptually unclear as to what risk appetite stands for they see it more as a compliance mechanism than anything else. Figure: 15 Maturity: Self-assessment on risk appetite and strategy % of the insurers feel that they have an established process to develop and monitor risk appetite and strategy, whereas 34% of the insurers believe they need to take actions to improve the alignment of their risk appetite and strategy with their business strategy. Definitions 19% 44% 11% 11% Basic Developing Established Advanced Leading 1. Basic: The organization does not have an approach to define acceptable levels of risk (i.e., risk capacity). Basic sensitivity analysis is performed (e.g., sensitivity to change in commodity prices). 2. Developing: The organization does not have a standard approach to define acceptable levels of risk (i.e., risk capacity). Sensitivity analysis includes impact of Greek measures (i.e., delta, gamma, vega). 3. Established: The organization does have a standard approach to define acceptable levels of risk, but it is not used by all functions consistently. Stress testing includes a combination of the majority of key risk factors and different time horizons. 4. Advanced: The organization utilizes a standard, consistent approach to define acceptable levels of risk (i.e., risk capacity). Stress tests and scenario analyses are done organization-wide (top-down). 5. Leading: The organization utilizes a standard and consistent approach to define acceptable levels of risk that provide an adequate and proportionate risk appetite. It is well established and understood by the complete organization including senior management and board. Forward scenarios and stress tests are used to explore known and unknown risks. Confidential All Rights Reserved EY 21

22 4 Risk culture

23 Risk culture Insurance companies are still working on building a risk culture 81% strengthening risk roles and responsibilities are a critical component of effective risk governance 8 key challenge in the KSA - business functions not taking ownership of risk & 18% long way to go to establish strong risk culture in the KSA and the UAE respectively risk culture has always been an area of focus Implementing risk management in an organization cannot be accomplished overnight. It is a process that requires time, effort and commitment. It is recognized by most of the respondents that educating staff about risk management is the key enabler to embed the risk-conscious culture in their organization. There are multiple challenges to truly embedding a risk culture across the company. Some key challenges that remain common across both the KSA and the UAE includes: Comfort level with status quo Maintaining balance between sales and risk Competitive pressures Lack of a strong regulatory framework came up as the most important challenge in the UAE. Whereas, reluctance of business to take ownership of risk and enforcing accountability were the key challenges in KSA. Strengthen risk roles and responsibilities, enhancing communication, training and reinforcing accountability were the key initiatives reported to strengthen risk culture. During our industry interviews, we observed that most of the insurance companies perceived risk management as tick-box exercise, and actions need to be taken to perceive them as business enabler. Most of the insurance companies agree that making risk everyone s business represents a significant shift in mindset, policies, systems and processes and requires an ongoing, long-term commitment and investment. Changing the culture to make risk everyone s business is an ongoing effort Confidential All Rights Reserved EY 23

24 Progress toward strong risk culture Creating a risk culture that enables an open dialogue and disciplined risk-taking is a key element. 82% of UAE insurers believe that they have either achieved or are making progress toward achieving strong risk culture. of KSA insurers indicated that they have a long way to go in this respect. Figure: 16 Insurance companies at different stages in the journey toward building a risk culture 7 Top challenges to strengthening risk culture Figure: 17 Challenges toward building a risk culture Lack of a strong regulatory regime Reistance to change Establishing a proactive risk culture 4 41% 4 53% 47% % 4 59% 23% Competitive pressures Enforcing accountability Balance between salesdriven front office culture and risk-focused culture Business taking ownership of risk 53% 4 29% 6 53% 6 35% We have a long way to go We are making progress We have achieved a strong risk culture UAE KSA KSA UAE Note: The sum can add up to more than 10 due to multiple answers. 24

25 Figure: 18 Perception of risk management Respondents perceive risk management mostly as a business enabler or as something that at times enhances the way we do business. However, during the industry interviews, we observed that risk management was perceived as a tick-box exercise. Survey responses confirmed that risk culture is a critical area of focus for senior management. An overwhelming number of participants acknowledge that management attention to building an effective risk culture has increased, in some cases significantly, in the past 12 months. Figure: 19 5% 7% 22% 33% 33% Business enabler, essential for adding value to our overall business Can occasionally help us improve the way we do business Credit rating agency s requirement Other Regulatory compliance exercise Senior management view on risk management Overall Risk culture has always been an area of focus in our organization Risk culture has been an area of increased focus since the 2008 financial crisis There has been no increase in attention in the past 12 months There has been some increase in attention in the past 12 months There has been a significant increase in attention in the past 12 months 7% 41% 37% Initiatives to strengthen risk culture Insurance companies are taking steps across the three pillars of alignment, accountability and capability to strengthen risk culture. While methods to embed a risk culture vary, opinions on sound practices coalesce several critical activities: 81% of respondents agree that well-defined and clearly articulated risk-ownership roles and responsibilities are a critical component of effective risk governance. 63% of respondents indicated they are enhancing communication and training regarding risk values and expectations. Constant and varied communication from a variety of channels are critical to reinforcing risk culture. 59% of the respondents indicated they are reinforcing accountability regarding risk management as one of their top initiative to strengthen the risk culture. Figure: 20 Initiative to strengthen risk management Reinforcing accountability regarding risk management Enhancing communication and training regarding risk values and expectations Aligning compensation with riskadjusted performance metric Strengthening risk roles and responsibilities Changing the composition of the board and senior management team 11% Note: The sum can add up to more than 10 due to multiple answers. 7% 59% 63% 81% 5 10 Confidential All Rights Reserved EY 25

26 5 Risk management processes

27 Risk management processes Still a work in progress 78% opportunity to improve risk policies and procedures 78% use audits or physical inspection as the prime tools and techniques for identifying risk 4 out of 5 respondents believe they have an opportunity to improve their risk identification and assessment process Well-defined risk policies and procedures are an extremely important element of an effective ERM framework, which includes: Risk identification and assessment (including risk models/scenario and stress testing) Risk monitoring, control and reporting Risk mitigation Operation risk was listed as the top issue requiring attention of the insurance CROs (63%). Four out of five respondents indicated that there is an opportunity to improve their risk identification and assessment process. Half of the respondents use models to systematically quantify risks, 75% of them involve a degree of inhouse contribution to developing a risk model. Two-third of the respondents indicated reputation risk and emerging risk are difficult to incorporate in their risk model. 75% of the respondents indicated that there is an opportunity to improve their risk monitoring and control process to: Establish a formal process to monitor risk in a timely and efficient manner Use tools and techniques for effective risk monitoring 2 out of 3 insurance companies need to improve their risk reporting framework and mitigation process 41% insurance companies believe there is need to improve their overall risk management framework Confidential All Rights Reserved EY 27

28 Risk policies and procedures Current state evaluation The existence of complete and appropriate policies, procedures and structure is a crucial factor to enable effective risk management. Formally established and effectively communicated policies and procedures on risk management pave the way for: Integrated approach Systematic execution Aligned direction, vision and goals Risk conscious culture Risk based business decision-making Four out of five respondents agreed that there is an opportunity to improve their risk policies and procedures. Figure: % 25% 1 5% 22% Fully evidenced Limited opportunity to improve 37% Moderate opportunity to improve 22% Significant opportunity to improve Operational risk is the most important issue that is occupying the mind of CROs closely followed by insurance risk. This observation is valid for both the KSA as well as the UAE. In the KSA, regulatory capital management is also one of the key issues requiring the attention from the CRO, which signifies the recent minimum capitalization issue seen with a number of insurers in the Kingdom. Issues related to treating customers fairly and risk-based compensation were not perceived as important by CROs of insurance companies. 4% Not evidenced Figure: 22 Top five issues requiring attention from the CRO Enhancing risk controls Regulatory compliance Note: The sum can add up to more than 10 due to multiple answers. 78% of the respondents prefer audits or physical inspection as the primary tools and techniques for identifying risk. It is interesting to note that insurers with annual GWP less than US$500 million and primarily domestic operations resort to simpler mechanisms like surveys and questionnaires. Figure: 23 Risk appetite Insurance risk Operational risk 44% 48% 48% Tools and techniques for identifying risk % Audits or physical inspection 7 7 Management discussion/interviews/ focus group discussions 56% 63% 5 10 Risk & control self assessment 63% Past organizational experience 48% 33% Note: The sum can add up to more than 10 due to multiple answers. 29% of the respondents indicated that they have a continuous process of risk identification and assessment. Other insurance companies perform the risk identification and assessment on a periodic basis (mostly annually or quarterly). Expert judgement Scenario analysis Surveys/questionnaires 28

29 Figure: 24 Frequency of risk identification/assessment 4% 29% 37% 4% 26% Figure: 25 Annual Quarterly Monthly Continuous process Not at all Current state assessment of risk identification/assessment 35% 26% 33% 26% 25% 22% 22% 22% 22% 22% 11% 19% 19% 11% 1 5% 3% 3% 4% Utilizes a risk assessment Risk register is updated on a approach to objectively evaluate periodic basis to reflect market, risks environmental, regulatory, compliance and industry changes/events Risk assessment results are shared across business areas Strategic and operational planning processes incorporate results and key findings from risk identification and assessment exercise Fully evidenced Limited opportunity to improve Moderate opportunity to improve Significant opportunity to improve Not evidenced Four out of five respondents feel that they have an opportunity to improve their risk identification and assessment process. Most of the insurance companies that have rated themselves favorably across the four areas of risk identification and assessment (either Fully evidenced or Limited opportunity to improve ) are rated by an external rating agency. Confidential All Rights Reserved EY 29

30 Risk identification and assessment Risk models Figure: 26 Existence of risk models Figure: 27 Development of risk models 25% 52% 48% 5 25% Yes No Internally developed Externally developed Combination of internal & external Half of the respondents use risk models to systematically quantify their risks. Respondents that do not have risk models are all relatively smaller firms with an annual GWP of less than US$500 million. 69% of the respondents who rated themselves as fully evidenced or limited opportunity to improve in their current state assessment, use risk models to systematically quantify their risk. There is a strong element of customization when it comes to development of risk models. Among respondents who indicated that they are using risk models, 75% involve a degree of in-house contribution and 63% of them use stress and scenario testing. Reputational risk is something that two-third of insurance companies are finding difficult to model; however, it is incorporated into their risk management framework due to its sheer importance. 30

31 Risk monitoring and control Figure: 28 Current state evaluation on risk monitoring and control 4 35% 25% 1 5% 26% 26% 14% 37% 19% Formal processes are in place to monitor risks in a timely and effective manner 11% 26% 33% 4% 4% 4% Tools and technology (e.g., data analytics) is effectively used for risk monitoring 19% 19% 33% 26% Feedback from monitoring activities is used to assess risks, design controls and drive process improvement Fully evidenced Limited opportunity to improve Moderate opportunity to improve Significant opportunity to improve Not evidenced The biggest scope for improvement, when it comes to risk monitoring and control, is to do with the usage of tools and technology. The challenge lies in consistently applying key risk indicators, and tolerance levels throughout the organization for monitoring and control. Risk reporting Figure: 29 Current state evaluation on risk reporting/management information 35% 33% 33% 33% 25% 22% 26% 19% 1 5% 7% 5% 7% Information is sufficiently detailed and clear to assist the board, committees, executives and management for making effective decisions Clear responsibility for reporting and escalation Fully evidenced Limited opportunity to improve Moderate opportunity to improve Significant opportunity to improve Not evidenced Confidential All Rights Reserved EY 31

32 Risk mitigation Figure: 30 Current state evaluation on risk mitigation 45% 4 35% 25% 1 5% 11% 33% 33% 22% 4% Risk mitigation plans and strategies are in place to respond/address risk at all levels of the organization 26% 19% The organization can track the status and resolution of a risk issue at any point 4 41% 22% 11% 7% 4% Unresolved or pending resolution risk issues are flagged, and it is clear who is accountable for driving resolution 7% Risk issues impacting other risk functions or business areas are flagged Fully evidenced Limited opportunity to improve Moderate opportunity to improve Significant opportunity to improve Not evidenced About one-third of the respondents believe to have clear risk reporting framework and risk mitigation process in place, while the remaining feel there is scope for improvement Figure: 31 Maturity: Self-assessment on risk management processes % 11% 7% Basic Developing Established Advanced Leading 59% of the insurance companies in MENA feel that they have an established risk management process, whereas 41% of the insurance companies should take actions to improve their risk management process to achieve desired risk objectives of the organization. Most of them indicated that risk management processes are in place but exceptions in control, coverage and effectiveness are common. Definitions 1. Basic: Basic risk management processes are in place, but exceptions in control coverage or effectiveness are common place. 2. Developing: Risk management processes are developing and are beginning to incorporate controls to manage significant risks. 3. Established: Business processes have adequate controls to manage significant risks and escalate to appropriate management levels, where necessary. 4. Advanced: Business processes have a standardized and recurring approach for identifying and assessing significant risks and defining controls to manage these significant risks. 5. Leading: Business processes have a standardized and recurring approach for identifying and assessing significant risks, defining controls to manage these significant risks and defining key risk indicators (KRIs) to monitor significant risks and key controls. 32

33

34 6 Technology enablement

35 Technology enablement Need for specialized risk management system is evident 88% have not fully implemented an IT system to support risk management 75% of risk reporting and calculation is still poor 3 out of 4 plan to increase the IT budget in the coming years 67% insurance companies need to significantly improve their technology, data and system Making a data landscape work across multiple and complex IT systems, multiple reporting bases and potentially across both group and solo entities remains a significant challenge. Most of the insurance companies in MENA face the problem of integrating risk management system with core insurance system. 63% of the insurance companies do not have a specialized risk management system and most of them are using spreadsheets and documents as a medium for risk management system. 74% of the insurance companies have not started any work around economic capital modelling. Respondents indicated the following as top three challenges in relation to technology, data and system in performing risk management function: 63% - quality of data 59% - legacy systems 56% - ability to use data for management reporting 44% of the respondents want to enhance their risk management capabilities by improving their IT system. The majority (75%) of the insurance companies are manually reporting and calculating key risk management metrics. There is a considerable opportunity for increased automation. Just like other areas of business, there is an increased recognition of the need to have fit-for-purpose risk systems. While the larger insurers and those that have a credit rating, have been working on this already, the focus is soon expected to shift to smaller/single location insurers, due to increasing regulatory requirements. 63% do not use specialized risk management system Confidential All Rights Reserved EY 35

36 Technology, data and systems Risk management system A company s investment to introduce and maintain a risk management system demonstrates the effort and commitment to ensuring efficient risk processes. Many insurers have not progressed much on the journey toward building a specialized risk management systems, and almost two-third of the respondents rely on manual documents and spreadsheets. Insurance companies that do not have any system to support risk management are mostly insurers with an annual GWP of less than US$500 million. Figure: 32 Existence of risk management systems 22% No system 48% Only spreadsheets and documents In-house-developed IT system Specialized risk management system In the technology arena, insurance companies are primarily struggling with challenges posed by assurance regarding the quality of data. This is mainly due to lack of prior experience in managing risk in a technology-friendly environment and the problem of integrating risk system with core insurance system. Figure: 33 Top challenges in risk management system % Quality of data 59% Legacy systems 56% Ability to use data for management reporting 33% Access/availability of data 26% Data governance 22% Inconsistent risk and core insurance data 4% Inconsistent risk & finance data Data storage Note: The sum can add up to more than 10 due to multiple answers. None of insurers are looking at reducing the IT spend over the next two years, whereas 74% of survey participants are expecting to increase their IT expenditure in the next two years. The main reason (44%) attributed to this anticipated increase in IT budget is the need to enhance risk management capabilities. 36

37 Automation for risk reporting 6 of the respondents estimated that their level of automation is less than or equal to 4. This demonstrates that although some progress has been made, there is a substantial potential to improve the information flows throughout the organization. Leveraging technology to improve risk management cost effectiveness is an area of opportunity for many insurance companies. Figure: 34 Extent of IT automation 80 % 100 % 60 % 80 % 11% 4 60 % 20 % 40 % 19% 0 20 % 41% 5% 1 25% 35% 4 45% It is interesting to note that just because insurance companies have achieved a high degree of automation, they are not cutting down on their IT spend. In fact, all respondents that are in the highest bracket of automation (8-10) reported that they would increase their IT spend primarily to enhance risk capabilities. Respondents with high degrees of automation are mostly rated by an external rating agency. Figure: 35 Relationship between the size and maturity of the insurance companies with their level of IT automation High $525 Automation $163 $175 $100 Low Basic Developing Established Leading Advanced Note: Size of the bubble represent average GWP (in USD million). In general, the respondents with relatively larger size (in terms of GWP) ranked themselves as Advanced in the maturity self-assessment and had a higher degree of automation. Confidential All Rights Reserved EY 37

38 74% of the participants have not started any work around economic capital modelling. Figure: 36 IT activities to support risk management 45% 4 35% 25% 1 5% 19% 26% 22% Risk and finance data reconciliation 33% 22% 19% 33% 33% 26% Implementing Governance, Risk and Compliance (GRC) IT solutions 11% 41% Economic capital modeling 33% 29% 19% 19% Reinsurance system Completed Work underway Work planned Not planned/not underway It is relevant to note that about one-third of the respondents have not even planned to start at least one of the above initiatives. Insurance companies are focusing on continuing their IT activities on risk and finance data reconciliation, and implementing Governance, Risk and Compliance (GRC) IT solutions. Focus of the insurance companies is limited to integrating reinsurance system with risk management system to enable risk-based business decision-making. Respondents who have completed the implementation of economic capital modeling are mostly rated by an external agency. Only 12% of the respondents have reached a stage to say that they have fully implemented the IT system to operate their risk management framework, whereas a vast majority indicated there is significant scope for improvement and work to do. 38

39 Current state evaluation on technology enablement Figure: % 52% 45% 1 19% 22% Risk identification, assessment and measurement IT systems 19% 11% 11% 3% 3% Risk monitoring and reporting IT systems to generate risk reports that facilitate monitoring of various risks on a regular basis 7% 26% 11% Capital modeling and stress testing an integrated economic capital model in place supported by stress testing capability Fully implemented Limited opportunity to improve Significant opportunity to improve Not implemented Not applicable Figure: 38 Maturity: Self-assessment on technology, data and systems 67% of the insurance companies in MENA feel that there is very slow progress on enabling technology, data and system to support the risk management framework. 45% 4 35% 25% 1 5% 37% 19% 7% 7% Basic Developing Established Advanced Leading Definitions 1. Basic: No risk systems in place and risk management is dependent on reports by business units. 2. Developing: Some use of spreadsheets for consolidation and basic reporting. 3. Established: Established extensive end-user-computing (desktop databases and spread sheets) but intensive manual intervention required. 4. Advanced: Use of fit-for-purpose risk engines and desktop analytics. 5. Leading: Use of consolidated risk and finance databases with linkage to source systems; calculation engines; advanced analytics; integrated reporting and dashboards with drill-down capabilities. Confidential All Rights Reserved EY 39

40 7 People and organization

41 People and organization Lack of qualified risk professionals is one of the key concerns 78% respondents expected to increase the risk function budget over the next three years. CRO focus on non-risk related issues An effective ERM framework requires a well-defined organizational structure with clearly defined responsibilities and accountability, which is linked to performance management. CROs of MENA insurance companies spent less time on critical risk matters compared to the industry expectation. The roles of the risk manager/cro is not expected to undergo a major transformation in the near future and the key areas of focus are expected to remain more or less the same, i.e.,: Reporting to board/management and regulators Providing strategic inputs, when required Monitoring exposure or operational issues Implementing risk management processes 78% of the insurance companies are planning to increase their risk budget over the next three years, primarily to have more risk staff and invest in technology/systems. 52% respondents believe they have well established organization structure aligned to strategic and risk objectives 74% risk related performance measures not embedded in the reward and compensation structure of senior management Risk management is a shared responsibility, the burden is not Risk Managers alone Confidential All Rights Reserved EY 41

42 Almost all the insurance companies in the region prefer operating lean teams in the risk management function, regardless of their size, presence in other locations and type of insurance provided. 78% of respondents expect an increase in the risk function budget over the next three years. Figure: 39 Changes in risk function budget 22% 96% of the respondents expected the risk budgets to increase between 1% - 6 over the next three years. The key challenges foreseen are: Finding and retain qualified risk professionals Keeping up with the expected regulatory and industry changes Training existing staff Improving the risk framework to align them with regulatory requirements, market practices and international best practices Figure: 40 Expected increase in budgets > 10 4% Increase No change 78% 81% 10 61% 8 41% 6 19% 21% 4 22% 1% 56%

43 Reasons for increase in risk function budget The increase in budget is mainly going to support people and technology planning to increase headcount and also to invest in risk technology. Figure: 41 Reasons for increase in risk function budget Respondents that have indicated their preference to use more of external consultants in the future are insurance companies with an annual GWP of less than US$500 million who may lack the know-how and expertise to establish/grow their risk management function and seek advise to feed their growth plans. All of the below Increase in use of third-party services Increase in staff training Increase in use of external consulting Increase in investment in risk technology 19% 22% 44% Going forward, risk managers/cros would want to reduce the time they spend on governance and limit framework maintenance and increase the time they spend on performing forward-looking risk identification and analysis. It s interesting to note that none of the risk managers/cro spent or planning to spend their time on non-risk related issues. Change in staff size 44% Note: The sum can add up to more than 10 due to multiple answers. Figure: 42 Time spent by risk manager/cro Risk management process, e.g., identification, assessment and mitigation of risks Non-risk related issues Reporting to regulators Reporting to board/management Performing forward-looking risk identification and analysis Providing transactional review/advice Calculating metrics/risk measurement Monitoring exposure or operational issues Governance and limit framework maintenance Strategic input (e.g., risk appetite, review of business plans) Future Current Note: The sum will not add up to 100 since it is a median analysis. About one-forth of the survey participants believe they have embedded risk-based performance management in their day-to-day functioning, whereas three-forth of the survey participants believe there is limited significant room for improvement. Confidential All Rights Reserved EY 43

44 Figure: 43 Current state evaluation on performance management 4 37% 35% 25% 26% 26% 26% 26% 26% 22% 33% 26% 18% 18% 19% 1 7% 7% 5% Roles and responsibilities are periodically reviewed and updated to support business and risk management objectives 4% The organization has a formal performance management process that is linked to meeting organization s strategic and risk management objectives. Performance on key risk indicators are included in the compensation of senior management. 4% The organization has a documented succession plan and updates it appropriately as business needs change Fully evidenced Limited opportunity to improve Moderate opportunity to improve Significant opportunity to improve Not evidenced 44

45 Figure: 44 Maturity: Self-assessment on people and organization 45% 4 41% 35% 25% 26% 19% 1 5% 7% 7% Basic Developing Established Advanced Leading Definitions 1. Basic: Organizational structure is not clearly defined. Risk functions are not aligned or coordinated across operations, business support and governance functions. Feedback is received through an informal appraisal process. 2. Developing: Key organizational structure is defined, through a number of informal structures remain. The risk functions have understood the skills and a capability needed to execute their strategy, but have limited resources with the required competencies. Appraisals are performed, but are not directly linked to development and risk. 3. Established: The organizational structure is defined, aligned to the strategy and objectives, well understood, and for the most part, operate effectively. The risk functions have defined the skills and capabilities needed; and have sufficient resources with the required competencies to achieve their ongoing requirements. 4. Advanced: Well-defined organizational structure is aligned to the strategic and risk objectives. The risk functions have identified, defined and embedded skills and capability requirements and have begun to update their recruitment and training activities to fulfil these needs. Appraisals are conducted annually and personnel are given informal feedback on a regular basis. 5. Leading: Well-defined organizational structure, designed to meet strategic objectives, operates efficiently and effectively and is linked to performance management system. The 3 Lines of Defence model has been fully implemented and is in place with harmonized risk, compliance and assurance functions. Confidential All Rights Reserved EY 45

46 8 Regulatory requirements and credit rating

47 Regulatory requirements and credit rating 5 of the respondents believe the regulations need to improve significantly 8 ERM is an area of discussion with the regulator in KSA 6 insurers believe implementation of risk regulations will impact business model and cost of doing business 41% respondents believe regulators are not expected to impose sanctions/penalties due to noncompliance with regulatory requirements Regulatory and credit rating requirements are the two key catalysts for development of risk management framework globally, e.g., Solvency II. SAMA has transformed the KSA insurance industry in the recent past by enforcing regulations covering a number of areas, including risk management, capital adequacy, reserving, risk-based pricing and solvency requirements. The Insurance Authority of UAE also issued new rules recently, aligning the UAE insurers with European solvency requirements, allowing insurers two to three years to comply with the new rules. The new regulations cover areas related to investment, solvency, technical provisioning, company s assets, accounting policies and data management. It is expected that these new regulations will have the same impact on the UAE insurance sector like the SAMA regulations had on the KSA insurance market. Most of the insurance companies in the region believe that improving risk management practices should be the topmost priority for the regulators. 24% of UAE respondents are aiming for a very strong ERM rating from an external credit rating agency, over the next three years. 5 of the KSA respondents are currently not rated and do not have intentions of seeking a credit rating, while target to have a strong ERM rating. 24% UAE respondents aiming for a very strong ERM rating from an external credit rating agency, over the next three years 47 Confidential All Rights Reserved EY 47

48 Regulatory requirements The KSA insurers were inspected by the regulator at least once during the last one year. 29% of the respondents from the UAE reported they were last inspected last within the last three years. Figure: 45 Latest inspection by regulator Figure: 46 Frequency of interaction with regulators UAE 5 5 KSA Within the last 6 months Within the last 36 months 29% 18% 24% 29% 29% 42% UAE Within the last 12 months 18% 11% Figure: 47 Risk management focus by the regulator Capital adequacy is the most common area of discussion with the regulators for insurance companies, both in the KSA and the UAE. Regulations enforced by SAMA in the recent years on minimum capital requirement has resulted in KSA insurance companies to reflect capital adequacy as a key agenda in their regulatory compliance framework. Figure: % 35% 18% KSA Significantly increased Same as earlier UAE Increased Decreased Areas of discussion with the regulator KSA Reporting and IT systems 29% Several times in a month Once in 3 months Once in a month Once a year Management or board committee for risk management 12% More than a year Risk officer appointment 24% The KSA insurers believe SAMA has increased the focus on enterprise risk management. While current figures do not show the same degree of focus from the UAE Insurance Authority, it s worth noting that the new UAE insurance regulations were introduced immediately after the survey was closed. Enterprise risk management function Capital adequacy 29% 71% UAE KSA Note: The sum can add up to more than 10 due to multiple answers. 48

49 Most of the insurance companies in the region felt that the regulatory guidelines need significant improvement, with some insurers suggesting regulations similar to Solvency II, with adjustment for regional specifities. Figure: 49 Insurance companies view on regulatory guidelines Regulations similar to Solvency II guidelines should be implemented with adjustment for regional specificities 24% Needs significant improvement 35% 5 Too liberal Too rigid Should be made more robust Not clearly defined 29% 29% Clearly defined and are fit for purpose 12% UAE KSA Note: The sum can add up to more than 10 due to multiple answers. Confidential All Rights Reserved EY 49

50 Key risk management areas of focus for regulators Common across the regulators Implementation of ERM framework Capital adequacy Risk governance and strategy Operational risk Risk identification and evaluation Compliance Pricing/actuarial pricing Risk recommendations KSA specific Nationalization (Saudization) Independence and transparency People risk - Competency of risk staff Risk awareness within organization UAE specific Broker management Liquidity risk Reserving Market behavior Consumer protection Investment risk 50

51 The survey respondents expressed satisfaction in their dealing with the regulators on areas, such as sharing information, size of regulatory team and periodicity of interactions. However, most of the respondents believe there is room for improvement when it comes to providing guidance, suggestions and feedback on regulatory matters or company-specific issues. Figure: 50 Performance of regulatory authorities % 27% 35% 35% 35% 35% 42% 35% 23% % 19% 31% 1 4% Providing information on regulatory progress Support and consultancy in the interpretation of regulatory requirements Providing feedback on company-specific implementation progress Expertise of regulatory authorities upon special requests 4% 4% Size of regulatory team Overall frequency of interaction with regulatory authorities Very satisfying Satisfying Partially satisfying Not satisfying Figure: 51 Impact on business model and cost of doing business UAE 35% 18% 6% 35% 6% KSA It will have a significant effect It will have a modest effect It will have no effect It is difficult to assess accurately, given current regulatory uncertainties Other A majority of respondents believe that the implementation of regulatory guidelines around risk management and risk-based capital will impact their business model, capital levels, cost structure and investments, etc. Confidential All Rights Reserved EY 51

52 Key challenges in implementing regulatory requirements Solvency norms Availability of trained national staff Inadequate/unclear regulatory guidelines Lack of clear communication Quality of regulatory staff Lack of enforcement from regulator, making requirements a competitive disadvantage for compliant companies 41% of the respondents believe that regulators are not expected to impose sanctions/penalties due to noncompliance with regulatory requirements. Verbal warnings are expected when insurance companies have insufficient setup of key functions, e.g., not having a risk manager. Inability to meet reporting deadlines is likely to result in greater level of future supervision by the regulators. Figure: 52 Probability of imposing sanctions/penalties % % 38% 1 8% 29% 21% 29% 17% 29% 17% 17% 12% 4% 4% 4% 4% 4% 25% 4% Breach of minimum regulatory capital requirement Insufficient set up of key functions, e.g. risk management department Failure to meet reporting deadlines Inadequate risk management framework Expecting no sanctions Expecting a higher level of supervisory intervention Expecting material financial sanctions Expecting verbal warnings only Expecting higher effective capital requirements 52

53 ERM rating from an external credit rating agency 24% of UAE respondents are aiming for a very strong ERM rating from an external credit rating agency, over the next three years, whereas 18% are happy with the current rating they have. 5 of the KSA respondents are currently not rated and do not have intentions of seeking a credit rating, while target to have a strong ERM rating. Figure: 53 Insurance companies target on external ERM rating over the next three years UAE 12% 24% 12% 24% 5% 5% 18% KSA Weak Adequate with strong risk control Very strong Not seeking a rating Adequate Strong We are not rated Already have rating and not seeking any revision Confidential All Rights Reserved EY 53

54 9 Integration among risk, finance and business

55 Integration among risk, finance and business Business functions are not integrated with risk management 85% weak integration with risk-based compensation 11% insurers have redefined the capital allocation across business units 44% insurers know that reinsurance can be used as a risk management tool but don t have the necessary integration in place 74% ORSA not used to assess the effectiveness of the risk management system Risk is inherent to all functions of an insurance business; however, 12% of the respondents indicated that there is no linkage between business and risk management at all. Unless several silo risk management approaches and initiatives are grouped into a complete framework at the entity level, the overall objective of risk management may not be achieved. 59% of the respondents listed aligning capital with present and future regulatory requirements as the primary driver for changing their approach to capital allocation. While regulatory requirements are an important aspect, the allocation of capital should be primarily driven through an economic capital model, which is an integral part of ERM. Reinsurance is one of the most important risk management tool used by insurers globally. Insurance companies can use reinsurance to reduce its insurance risks and the volatility of its financial results, stabilize its solvency, use its available capital more efficiently, improve its ability to withstand disasters, increase its underwriting capacity, and draw on the reinsurer s expertise with respect to product development. 56% of the respondents indicated that they are not aware that reinsurance can be used as risk management and capital allocation tool. Close to half of the respondents stated they were planning to increase their retention limits over the next year. While this is a good development for the maturity of the local insurance markets, this needs to be underpinned by a robust reinsurance strategy and a fit-for-purpose economic capital model. 55 Confidential All Rights Reserved EY 55

56 Risk integration As per the respondents, the strongest integration of risk management is with reinsurance function followed by risk-based pricing activities, with 41% and 37%, respectively. The integration is at its weakest for risk-based compensation, with only 11% of the respondents having a favorable opinion. Figure: 54 Extent of integration between risk and other related functions 45% 4 35% 25% 1 5% 37% 41% 41% 29% 29% 26% 22% 22% 22% 19% 19% 7% 7% 7% 4% 3% 4% 4% 4% 4% 4% Risk-based pricing Reinsurance Capital management by finance Risk-based compensation Fully evidenced Limited opportunity to improve Moderate opportunity to improve Significant opportunity to improve Not evidenced Not applicable 56

57 Redefining capital allocation across BUs Figure: 55 Review to redefine capital allocation 4 35% 37% 37% 37% Most of the insurance companies change their approach to allocating capital mainly to satisfy the regulatory capital (59%) and credit rating agency requirements (47%). Figure: 56 Factors impacting the changed allocation of capital across business units 25% 1 5% 11% Across business units 19% 22% Across entity 7% Reallocation of capital to achieve new risk-weighted asset (RWA) goals Alignment of capital allocation with economic capital Alignment of capital allocation with internal stress testing Re-evaluation of risks in portfolios 6% 18% 24% 41% Completed Underway Planned Not planned No response Implementation of risk appetite 41% Most of the insurance companies have realized the need to conduct the review to redefine the capital allocation across business; not all have implemented it. Once an insurance company decides to perform the review, they normally start with an entity level review and most of the time do not drill down to the BU level. Alignment of capital allocation with credit rating capital Alignment of capital allocation with regulatory capital 47% Note: The sum can add up to more than 10 due to multiple answers. 59% The challenge for capital is that you want to have enough to run the company. But you don t want to hoard capital to the point where you re not rewarding shareholders Confidential All Rights Reserved EY 57

58 Figure: 57 How reinsurance strategy supports capital allocation, business optimization, rating agency needs and ERM elements % 48% 44% 37% 1 We have performed a lineby-line assessment of reinsurance protection needs to account for or optimize the aggregate impact on our capital requirements We use risk appetite, risk tolerance and risks limits by line to refine retention limits and create desired underwriting capacity We know we can use reinsurance as a tool for risk management/capital allocation; however, we don t have the necessary integration in place Our ERM program is integrated with the underwriting/reinsurance system and the program leads to consideration of alternative reinsurance types and structures for best usage of capital 4% Not applicable to our company Note: The sum can add up to more than 10 due to multiple answers. Figure: 58 Effectiveness of the risk management system % 44% Self-assessment by risk management function 22% 4% 74% 52% 33% 33% 37% ORSA assessment Internal audit Assessment by auditor 44% 37% 19% 19% External advisor 37% 44% Assessment by regulator Fully assessed Partially assessed Not assessed Internal assessment (be it self-assessment or internal audit) is predominantly used to measure the effectiveness of risk management system as compared to the external assessment (through auditor, regulator or advisor). Among internal assessment, internal audit is most prevalent (52%), and among external assessment, assessment by auditor is most prevalent (33%). 74% of the respondents indicated that ORSA is not used at all. 8 of the respondents that are Fully assessed by an external advisor and regulators are also rated by an external rating agency. 58

59 Figure: 59 Implementing risk management essentials % 19% 11% 25% Projection of capital solvency within the planning horizon (3 5 years) 37% 37% 4% 14% 19% Design of stress and scenario tests 7% 33% 22% 22% 19% Assessment of Assessment of the governance effectiveness significance of the risk profile deviating from assumptions underlying the Solvency Capital Requirement calculation 11% 33% 26% 19% 7% 11% Integration of risk management evaluation results in the strategic business planning process The company already goes beyond the requirements Most of the requirements are met The requirements are not met All of the requirements are met Some of the requirements are already met Companies that do not meet the capital solvency projection requirement are all found to be the very small companies, with primarily domestic operations and with Annual GWP of less than US$100 million. Confidential All Rights Reserved EY 59

60 Appendix 10 Survey participants