The Evolution of the Corporate Risk Library
A few years ago, I wrote a blog called “6 Steps to a Good Risk Assessment” which highlighted how a good corporate risk assessment process supports management’s ability to assess a company’s risks, controls and resources. While an assessment process should be a standard and ongoing activity in an organization, the risks and details that are assessed are constantly changing and evolving. A company’s risk library should evolve and reflect the business plan, the company and its associates, and the current market and regulatory environment.
The importance of a flexible risk library has been evident in recent years, with a focus on the impact of the pandemic, environmental, social and governance risks, and cyber security threats.
The risk library provides the framework for the risk assessment process as a common repository of the risks to which the company is exposed. The library helps to facilitate discussions of risks while promoting risk awareness. At Gen Re, our risk library is broken into four categories, with multiple risks falling into each individual category:
While the categories have not changed, the risks that fall into each category must evolve to reflect our changing industry and often-changing company risk profiles. For a risk library to remain a relevant tool for assessing exposures, there must be a disciplined review process. At Gen Re, our risk library is conducted by the risk management team and subject to an annual review, at the very least.
The first step in the review process is to distribute the current year’s corporate risk library to all relevant stakeholders and risk owners across the entity. The review group at Gen Re includes risk committees from across the Gen Re group, the management team, and members from various business and service units including IT, underwriting, actuarial, and finance. It is important to cast a wide net for feedback to ensure that we are comprehensive and capture comments that reflect our current and changing risk profile. Our review template asks stakeholders to propose changes to individual risk definitions. We encourage stakeholders to propose new risks and definitions that are not currently captured by the risk library.
It is also helpful for the risk management team to look back at the previous year’s risk assessment to consider if any risks substantially changed. Changing risk profiles on individual risks may signal changes to the underlying risk and exposures. It is important that the risks in our corporate risk library reflect the current and future exposure state.
Feedback from across the entities is consolidated into a master template for the risk library update. This master template is helpful for documentation purposes, but also allows for an organized review by the corporate risk management team. Risk management and subject matter experts from the organization meet to review and discuss the proposed changes by the group’s stakeholders. Together, the risk management team decides which of the proposed changes to risks and/or definitions it should accept or reject.
All decisions by the risk management team are documented in the master template for the risk library update. If no agreement can be reached, the group has an agreed upon arbiter to make the final decision. After this process has been completed, all proposed changes are presented to the Gen Re group’s risk committee, which reviews and approves the updated risk library. The approved updated risk library is then distributed to all the entities in the Gen Re group for use in their next risk assessment process. Using a standard risk library across the group is important for promoting a common understanding of risks and a consistency of risk assessments. This enables for easier aggregation of risks across the segments for more effective management of the group’s risks.
The events of 2020 underscored the reality that our industry’s risks and exposures are always evolving, and the risk library review process we conducted in the summer of 2020 reflected our changing world. During that review process, we considered the impact on our risk library from sustainability risk and climate change and changed our definition of Pandemic Risk. In response to the COVID-19 pandemic, the definition of Pandemic Risk was expanded to consider the impact of lockdowns on relevant Property and Casualty lines of business, the impact of the economic downturn and any legal implications on policy wording or retroactive cover.
During the summer of 2021, the Gen Re risk management team will undertake its annual review of the corporate risk library. The world has undergone significant change in the last 18 months, and we expect to see it reflected there. The risk assessment process is ongoing. To be effective risk managers and promote a culture of risk awareness, we must continuously update the risk library to reflect our changing environment.
To learn more about how to set up a risk assessment process, see my blog “6 Steps to a Good Risk Assessment Process” or reach out to your Gen Re account executive.