4.1. Importance of Portfolio Management in ERM

An important aspect of portfolio management is the process of assessing the effectiveness of the ERM framework at the portfolio level. In the context of the COVID-19 induced market stress event, it assesses the elasticity and effectiveness of existing ERM frameworks to different stages of the evolution of the pandemic curve (early development, acceleration, late accumulation, and recovery).

The portfolios can represent portfolios of assets on insurance balance sheets backing up liabilities, such as annuity liabilities, or portfolios held for trading on banks’ balance sheets. The latter cover a wide range of risk factors and instruments These range from simple vanilla products such as corporate and sovereign bonds, equity, foreign exchange, credit products, infrastructure investments, real estate, private equity placements, and various derivatives transactions used to hedge or take a directional bet to different risk factors and markets across a range of geographies.

Emerging risks or low probability, high consequence events such as pandemics, extreme weather events, cyber-attacks on critical infrastructure are known risks, but the full extent of their immediate, short and long-term implications and their interaction with other types of risks are yet not fully understood. Emerging risks are characterised as “systemic” in nature because these risks are concurrent and diversified and have the potential to cause a system-wide breakdown or significant disruption to man-made economic, financial and security systems supporting our way of life.

Similarly, each of these events is called an “extreme” risk event because they are “rare,” that is events that are generally seen as deadly surprises, happening outside everyday experience, and their likelihoods are difficult to estimate. Hence, they are perceived by banks and the insurance sector, retail, and commercial investors as important but not urgent risks due to their very low likelihood of occurring over the regulatory capital planning horizon.

Furthermore, emerging risks pose key challenges to the processes of risk assessment and risk planning because, by their very nature, these events occur only infrequently. Therefore, effective enterprise risk management frameworks should ensure ongoing review and improvements to existing structures by creating an emerging risk sub-framework. This should account for “emerging risk identification” – identifying, assessing, quantifying, representing, and communicating those types of risks and their inherent uncertainties to ensure firms minimise the strategic shocks associated with disasters that arise from these types of events.

In an article published in the Global Association of Risk Professionals, James Lam cautions against the “new normal,” where disruptive risks, of which COVID-19 is one, are no longer events that only happen once in a hundred years. Lam lists technology (artificial intelligence, blockchain, and the Internet of Things), cyber security, climate change and geopolitical events as areas to watch. Experts are encouraging risk managers to use this time for a risk management reset of sorts – they are advising them to re-prioritise risks.

4.2. Enterprise-Wide Risk Management

The objective of Enterprise-wide risk management (EWRM) is to report on a regular basis the magnitude of selected risks across the entire company under normal and extreme risk scenarios to senior management. Therefore, EWRM is a process for systematic identification, measurement, reporting and monitoring of different exposures a company faces, across all its geographic operations and businesses. As the list of potential exposures is practically infinite, judgement and understanding of the company’s business will be required to define the list of risk factors and the dynamic risk profile that will be captured within the EWRM risk register system and reported regularly.

For example, the key risk components of EWRM for the banking sector could include the following:

1. 1. Emerging strategic risks

2. 2. Climate change risk

3. 3. Geopolitical risk

4. 4. Market & ALM Risk

5. 5. Credit risk

6. 6. Regulatory risk

7. 7. Operational risk

8. 8. Cyber risk

4.2.1 Pandemic risk and business continuity planning

Operational risk planning for pandemics exhibits distinct differences compared with traditional business continuity planning (BCP). A pandemic is global in nature, and the frequency and duration occur in multiple waves. In contrast to natural disasters and malicious activity, which are often specific to a particular geographic region or facility (i.e. their occurrences are limited in scope and duration), effects of a pandemic are more difficult to plan for, as they can occur globally and in multiple waves. Financial institutions should have adequate plans to continue operations during a global pandemic such as COVID-19. To address the unique challenges posed by a pandemic, the financial institution’s BCP should feature a documented strategy that provides for scaling the institution’s pandemic efforts, so they are consistent with the effects of a particular stage of a pandemic outbreak, such as the 6 intervals described by the Centre for Disease Control and Prevention (CDS) (Pandemic Intervals Framework, 2016), shown in Figure 2. The strategy will also need to outline plans describing how to recover from a pandemic wave and proper preparations for any following wave(s). Moreover, the strategy should have a testing and an oversight programme to ensure that the organisation pandemic planning practices and capabilities are effective and will allow critical operations to continue during a pandemic.

Figure 2. Centre for Disease Controls and Prevention pandemic intervals framework (Pandemic Intervals Framework, 2016).

4.3 Portfolio Management

The portfolio management review covers all major risk management responsibilities to assess the activities, risks, concentrations and risk management approach and effectiveness of EWRM frameworks over the lifetime of the pandemic cycle.

Portfolio review key considerations

• Assessing the effectiveness of the firm’s emerging risk framework.

• Understanding the behaviour of the firm’s risk profile in the context of COVID-19 induced market stress and development.

• Explanation of the firm’s risk profile generated prior, during and post-COVID-19 lockdown based on the CDC (Centers for Disease Control and Prevention, 2021) definition of pandemic cycle, highlighting the main risk and profit and loss (P&L) drivers and their evolution over the pandemic cycle.

• Explanation of how the main risk drivers evolved during the assessment period and how regulatory market, credit, operational, and liquidity capital models responded to the COVID-19 disruption. These include: value-at-risk (VaR); stressed value-at-risk (SVaR); credit value adjustment and potential future exposure metrics for counterparty credit risk metrics (CVA/PFE); incremental risk charge metric (IRC) to capture the outright default and migration risks of credit exposures in the trading book; sensitivities (Greeks); liquidity measures such as net sufficient funding ratio (NSFR), and liquidity coverage ratio (LCR).

• Explanation of back-testing results (hypothetical and clean P&L) to demonstrate whether the employed models are adequate.

• Explanation of the drivers of the actual P&L relative to COVID-19 induced market conditions and the approved P&L year-to-date budget

• Assessment of the operational robustness of the respective risk reports and risk systems.

• Assessment of the business adherence to their approved risk limits and products, highlighting material violations.

• Update on any issues faced during the pandemic.

• Assessment of the effectiveness of the business continuity strategy and any specific strategy for pandemic planning, or more generally extreme emerging risks

• Conclusions and outlook on expected new business activities and expected COVID induced market developments.

4.4. Summary

Emerging risk identification is complicated due to their rare and conjectural nature, and their potential for causing impacts beyond everyday experience. Thus, a review and improvement of ERM frameworks should consider a system level view of multiple hazards and risks, taking into account that the current practise of assessing discrete emerging risks is ineffective because of the interconnected nature of many of these risks and the common consequences they create as they rip through society. By incorporating emerging risk identification and analysis, to ensure that emerging risks are identified, analysis should focus on the full range of direct casual events that might produce a series of linked effects and risks.

Therefore, ERM frameworks should devote a section to emerging risks identification and assessment, with the following key areas suggested when considering the portfolio management component within the context of an emerging risk framework:

1. 1. Adopting a clear definition of emerging risks over short, medium and long-term horizons, with a full range of possible emerging risks from the insignificant to the catastrophic, with more urgency around the definition of systemic risks.

2. 2. Recognising at senior management level that emerging risks need explicit management and they need to be considered from a holistic system-based multidisciplinary approach and view of systemic risks.

3. 3. Have processes in place for the systematic identification of emerging risks that are considered improbable, or unlikely, and have a sub-framework for understanding, assessing, pricing, modelling and mitigating emerging risks.

4. 4. Understand the correlations between risks, whether they are all white swans, all grey swans all black swans or a combination of all types of swans

5. 5. Augment the use of historical data to map future events, with the use of artificial intelligence and predictive analytics to forecast ahead, using the enormous amount of data that are currently available to prepare for unknown or known events as they happen in the future, as opposed to waiting for the event to happen and acting to mitigate the consequences.

6. 6. Conduct a descriptive approach to risk assessment, both in terms of impact and likelihood, based on Renn’s (Ortwin, Reference Ortwin2008) system of risk categorisation and evaluation using the 1999 annual report of the German Advisory Council on Global Change (WBGU, 2000). Renn distinguishes three main categories of risk management: science-based, precautionary, and discursive.

7. 7. Quantify the uncertainty in the decision-making process and reduce “epistemic risk” (Parascandola, Reference Parascandola2010) – the risk of being wrong.

8. 8. Think of effective ways of representing the risks, such as the system developed by Renn using nine indicators such as reversibility, persistence, likelihood and impact to provide a more in-depth representation of emerging risks. Renn distilled these nine criteria into six genuine risk classes and assigned them names from Greek mythology.

9. 9. Manage the risks by building, developing, and maintaining mitigation capabilities to mitigate the impact of such risks.

10. 10. Develop strategies to communicate the risk to senior management in a timely manner, taking into account the importance of using the correct vocabulary when explaining emerging risks

5.1. Importance of Corporate Governance in ERM

How leadership models must remember key tenets to navigate the new normal

The subject of effective corporate governance and, more specifically, effective corporate risk management is by no means new. Since the early 1990s the topic has gathered momentum, particularly on the back of large-scale corporate failures that drew attention to the lack of adequate oversight and controls.

Examples of failed leadership at board level are not rare. Principles that should govern effective decision-making at the highest level (discussed throughout this section) have not changed and are extremely important to remember during the new normal of a COVID-19 world. Such extreme events create change, which should be navigated with clear decision-making responsibility. The ability for businesses to adapt effectively and quickly to the norms of working from home, exponentially growing cyber threats, increased economic uncertainty, interrupted supply chains, climate change and many others requires forward thinking stewardship by company boards and senior management.

The recently published World Economic Forum white paper on Integrated Corporate Governance (World Economic Forum, 2020) calls for, amongst other things, a shift in the models of corporate governance from the traditional shareholder centric focus to a wider stakeholder considered approach. As noted in the paper, “business value creation beyond the near term is increasingly dependent in the 21 ^st century upon a rigorous understanding and active management and governance oversight of these risks and opportunities.” This is an opportunity for boards to rethink strategy and capital allocation in a way that reflects a more sustainable long-term view.

Further, this is also an opportunity to remind ourselves of the key principles of corporate governance and its place within an overall enterprise risk management (ERM) framework. Whilst by no means exhaustive, the discussion below is intended to highlight key areas of consideration.

1. 1. Risk appetite and risk policy

Potentially one of the most important questions a board should ask of itself is ‘How much risk are we willing to take for the strategic goals we want to achieve? In these times of shifting risk exposures, the actual risk profile that a company in any industry is facing is under transformation. A primary focus of effective corporate governance should be to assess whether a company is exceeding its risk appetite and risk tolerances.

The creation of this risk appetite statement and its translation into suitable risk limits at an operational level is critical. Boards must ensure that a suitable risk philosophy is developed with associated roles and responsibilities assigned, together with reporting and monitoring processes. This must occur in collaboration with the business units who are more often better placed to understand the situation on the ground.

Boards should develop a suitable risk policy that captures this ‘risk identity’ and ensure that all strategic decisions are made through consideration of this appetite. Value creation should occur only within the confines of these tolerances, in order to ensure the sustainability of the company over the long term. The intention behind such policies is to ensure that capital allocation is aligned with the risk characteristics defined by the board.

1. 2. Organisational structure

The structure of boards, particularly within which an effective ERM framework is deployed and managed, plays a key role in their success. The establishment of a formal risk management function led by someone suitably qualified is usually a key requirement of banking and insurance regulators, who mandate the independence of this function in executing its operational responsibilities and reporting to the board. In less developed regions, compliance and internal audit are sometimes substituted for this function but this is likely to be unsuccessful over the long term.

Board risk committees are now commonplace and are essential in ensuring that the risk policies of the company are implemented appropriately and that areas of increased exposure are highlighted and remedied with minimum delay. Board approved executive and employee remuneration packages that incentivise and reward good risk management practice are to be encouraged. Ensuring that risk is a tangible target that CEOs and other executives are assessed against will support the creation of a culture of risk at the top, which will then hopefully spread across the organisation.

COVID-19 has increased the prominence of the risk committee. More attention is necessary on the quantification of low frequency, high severity risks so that the Board is accurately able to understand its exposure and the resulting effectiveness of risk mitigation strategies.

1. 3. Performance assessment

How well is the board managing its responsibilities, particularly during this crisis? How does this compare to best practice standards?

Perhaps now more than ever, the controls and risk management practices of companies are being tested on many fronts simultaneously. Being able to accurately assess the adequacy of these controls is indeed the responsibility of the board. However, it is the board who must periodically put themselves through this same scrutiny and assessment for the purposes of best practice. The effectiveness and compliance with best practice standards of the various committees and individual directors is a health check that should itself be a component of the ERM framework.

Stakeholders deserve to know whether board members bring the skills and experience necessary to further the goals of the organisation. This includes consideration of adequate levels of training that the board receives on areas of emerging risk. These can be sensitive areas, but it is not surprising that some of the more successful large corporates place their boards under this scrutiny on an annual basis. The National Association of Corporate Directors (NACD) (National Association of Corporate Directors, 2020) provides guidance on such evaluations.

The need for the board to appoint directors with technical or risk management skills and experiences is a growing hallmark of success. Indeed, such perspectives are fundamental to navigate the technological, digital, data and other technology related risks and disruptions that companies face. Having a healthy balance of youthful, skilled directors helps to provide insights from the next generation of leaders. There is an increasing shift towards appointing directors who bring operational or academic skills and experiences related directly to understanding the company’s evolving risk profile.

Changes in board assessments during (or as a result of) COVID-19 are, as of now, still largely uncertain. We would however expect, over the longer term, a shift towards the appointment of technically strong directors with a good understanding of risk management.

1. 4. Business continuity & resilience to crises

Boards have a critical role in providing oversight and guidance on the ability to absorb and recover from external crises and systemic shocks. The impact of these systemic risks and shocks ranges from global crises (e.g. COVID-19, climate change) to regional crises (e.g. terrorism related incidents),

These events, as 2020 has shown, are often systemic in terms of impact and beyond the control of the board. The key question for the board is how well the company is prepared to respond to such crises and how resilient it is with respect to surviving the aftermath and recovering. An effective ERM structure ensures that the Board is suitably prepared for these risks.

Succession planning is critical as a part of crisis management and contingency planning. Chair and CEO succession plans are important, but this can be developed further to include other members of the executive team and for ‘mission critical’ roles and functions at operating levels. The human resource function is also critical for crisis preparedness and planning. Board committees should review mission critical roles as well as executive succession plans on an ongoing basis.

During crises, management will be working under intense pressure and time constraints. The board should be available to serve as a sounding board and offer support, especially in the case of mission critical decisions. Supporting staff and critical functions should be the focus.

The length of time and the intensity of a crisis will vary depending on the nature of the crisis and its systemic impact. The board and management should however review medium and longer-term recovery plans and note the lessons learned to improve risk management. Recovery options and strategy should be reviewed and improved as early as possible. Boards are responsible for contributing towards the company’s strategy and support management as they implement interim solutions options if business activities have been slowed. More importantly there may need to be changes in policies and operating procedures, risk management systems, capital allocation priorities and even core business strategy.

With respect to the insurance industry, this is a reminder of the importance of ‘own risk and solvency assessments’ (ORSAs) in terms of promoting companies to think and act proactively on risk management policies, measurement of risk exposure in normal and stressed environments and the implementation of economic capital models and solvency assessment tools. Through this process, insurers get the opportunity to re-examine and improve their ERM procedures with a forward-looking mindset.

1. 5. Public disclosure

Effective corporate governance includes effective reporting and communication with stakeholders. Leading corporations should reflect changing risk exposures and selected analyses of the effectiveness of the ERM framework in their financial disclosures. Ensuring that the company’s disclosure of its sustainability metrics and performance is independently assessed by an external third party is another step that boards can take towards a more integrated approach to reporting.

Corporations must be aware of their social responsibilities and must use the opportunity to express their commitment to the sustainability of their strategy through their disclosures. Sustainable value creation is material to business performance and should be addressed in the mainstream report and integrated into the core business strategy and governance processes. By reporting on these factors, including a discussion of their implications for company strategy and governance, a company demonstrates to all stakeholders that it has weighed all pertinent risks and opportunities in running its business, conducting its governance processes, and contributing to broader economic and social progress.

Finally, after such crises, the review of dividend policies and the communication of updated policies and decisions is a key element within these disclosures that ensures the board is mindful of the sentiments of stakeholders and the general public.

1. 6. Dividing responsibilities

Where is the line between board and management?

Given the preceding commentary, we must recognise the criticality of management in aiding the development of board approved policies and procedures and thereafter executing them. A major aspect of corporate governance is the board’s legal responsibility in providing oversight and accountability for the business affairs of the company under all normal and extreme risk scenarios that have a direct or indirect effect on the company’s day-to-day operations. Reacting to the challenges presented by COVID-19, the advice and opinions of senior management must feed into the decisions made by the board.

John Lam (Reference Lam2014) cites the separation of the roles and responsibilities of boards versus management as being a key area of ambiguity in practice. He provides the summary in Figure 3, which is a useful reminder to prevent boards from being overly involved in the business whilst at the same time ensuring they play an active role.

Figure 3. Lam’s division of management and board responsibilities in the context of ERM.

5.2. Summary

• Risk appetites and risk policies need to be reviewed in the context of extreme event occurrences. The transformed risk profile faced by companies and the alignment with new risk appetites requires continuous review and reporting.

• Organisational and board structures that may not have facilitated an effective response may need to revisit whether a risk management philosophy has perhaps been largely a crisis management philosophy.

• Aligning interests and incentives will always improve risk management and accountability by the board. Boards should embrace the need for training, development, and self-monitoring as the risk landscape continues to shift.

6.1. Importance of Having Integrated ERM Within Business Lines

Note that ‘business lines’ refers to the “revenue-producing” departments of an entity. For example, for a general insurance company, this would refer to the underwriting teams who are, by definition, the employees who are closest to the underlying risks being written by the firm. The benefits of having links between the ERM and the business writing functions of a company are well explained by Lam (Reference Lam2014), with advantages ranging from the alignment of business aims to effective risk assessment and mitigation. In particular, a key part of effective risk assessment is the adequate understanding and pricing of risk, and this is an area that will be further explored later in this section.

In response to an emerging risk, if there was an effective link between ERM and business lines in place, the following characteristics could be expected in theory:

• Effective feedback loops

This feedback loop should be dynamic, given that an emerging risk could evolve and change rapidly, as was the case with COVID-19. Having an effective feedback loop results in a firm being able to continually monitor a risk and assess whether risk management/mitigation approaches need to be amended in light of changing risk appetite and/or continually enhancing understanding of exposures from an emerging risk.

• An open culture that enables transparent and honest risk communication

When an emerging risk appears on the horizon, risk assessment becomes a key tool to evaluate potential exposures and gain an understanding around which areas of the business could experience material downside and upside risk. In many cases, such assessments will include a significant amount of uncertainty during the initial stages of an emerging risk (or also possibly once a risk has fully emerged, as was the case with COVID-19, due to regulatory and legal uncertainty).

An entity with an effective link between its ERM and business lines functions should have a culture that facilitates transparent and honest communication, particularly concerned with whether an emerging risk poses a threat to a firm achieving its business objectives, as well as any areas of uncertainty during the risk assessment processes; this is so that areas for further work/focus are clearly identified, rather than remaining undisclosed until opportunities for preventative actions have been missed.

• A comprehensive and timely view of an emerging risk and potential impact

An ERM framework that is effectively integrated within the business lines of a company should enable a more comprehensive “view of risk” to be determined when continuing with “business-as-usual” work alongside an emerging risk. This could manifest in a range of ways, such as including allowances for related potential losses in pricing/exposure management or an updated understanding of the responsiveness and adequacy of risk mitigation strategies in place.

Ultimately, an effective integration should result in a more in-depth and timely appreciation of how business lines – as well as the company as a whole – may be impacted so that proactive, rather than reactive, business decisions can be made. Importantly, this would also include considerations regarding secondary impacts (in the case of COVID-19, this was a deep global economic downturn) as well as potential for losses being triggered across business lines/non-business functions at the same time.

6.2. Key Lessons Learned from the COVID-19 Pandemic

With ERM functions having developed significantly in some industries – particularly in the financial sector – over the last decade, it is important to acknowledge that there were several successes in company responses to COVID-19. A good example is the business continuity plans that have been tested and prepared for many years but with such a scenario (over such a long timeframe) previously largely unexpected. Sizeable proportions of the workforce working from home has largely been successful, with minimal impacts for many companies operating in the insurance and financial/professional services industries and this is an element of ERM to be celebrated; of course, the level of success does differ by geographical region and industry (Lund et al., Reference Lund, Madgavkar, Manyika and Smit2020).

One key successful risk management technique employed in the pandemic response was horizon-scanning performed – to monitor COVID-19, and subsequent government guidance, as it developed in case of potential business disruption – early on, which enabled the effective dispatch of business continuity plans. However, as with most experiences, there are lessons that can be learned with the benefit of hindsight in preparation for future pandemics and/or emerging systemic risks. When specifically looking at this ERM/business line integration component, the following four examples are suggested:

1. 1. Deeper appreciation of the potential for emerging risks to become systemic

Again, from the perspective of the financial sector, horizon-scanning triggering the monitoring of an emerging risk is of obvious importance. Given that such scanning is likely to happen across many companies at similar times due to the increasing maturity of ERM frameworks within the industry, it is the subsequent work that is performed (to understand and manage the risk) that will differentiate a company’s response relative to its peers.

One element of the COVID-19 pandemic that was potentially underestimated was the full extent of the systemic nature of the risk. Many entities were previously considering the impact of pandemics on business lines/operational risks but how many had considered such losses being triggered at the same time (rather than considering impacts in silos during separate parameterisation exercises) as well as secondary impacts such as market and liquidity risk consequences? That is, was the risk assessment truly holistic and are emerging risks considered as systemic risks when they are on the horizon? Additionally, was the potential of pandemic impacts emerging differently across different business lines considered? For example, the impact on the contingency general insurance class of business was relatively quick to appear with many high-profile event cancellations globally, but what about the more delayed impact such as that on D&O insurance as a result of perceived inadequate responses to the pandemic situation.

Within risk management, a range of approaches incorporating “top-down” and “bottom-up” methods are adopted but the quality of such assessments needs to be reviewed to consider how much value they provided when COVID-19 was emerging and whether there are areas for improvement. In the case of an emerging risk, where there is usually a high degree of uncertainty, many risk professionals would agree that a “bottom-up” approach is necessary where risk impacts are considered at a granular risk type/business line level and then aggregated to determine potential company exposures. Furthermore, in such situations assessments are usually highly dependent on the judgements of the relevant personnel involved with the various risk types/business functions; this is not inappropriate, given these would be the employees with the greatest expertise in those areas, but does leave the potential for behavioural biases to enter the assessment process.

1. 2. Understanding exposures/unlocking a data-driven response

One of the key reasons that judgements are required in such assessments is due to the lack of data that can be used during attempts to assess the potential exposures to an emerging risk. Due to the nature of an emerging risk (i.e. one that is previously unknown!), a lack of information particularly in the early stages will likely remain a common issue. However, the reader is encouraged to consider whether there is data that is available in their companies that could be “unlocked” so that a previously solely judgement-driven response could also be blended with a data-driven response.

Expert judgements from relevant personnel will remain vital in risk management processes but data could provide an otherwise non-existent source with which to challenge assumptions (e.g. those being set by business lines regarding impacts on their classes) or supplement sensitivity analysis to understand the range of losses that could happen. A good example of how data can be “unlocked” and what “data-driven” means is given in 3. as an illustration of how this suggestion can be implemented in practice.

1. 3. Risk assessment & sensitivity testing based on contract clauses

An important characteristic that can be seen in many firms with a good, shared risk culture in place is the effective alignment of business aims between business lines and the ERM function. In practice, when considering the pandemic, what this characteristic resulted in was the shared ambition, when COVID-19 appeared on the horizon, to assess and limit potential exposures – both in the current book but also within any upcoming business. Furthermore, in some businesses, there was also the additional aim of how to optimise business returns and seize opportunities considering the pandemic and the impact it was having on the market (whether opportunities were due to reduced exposures on underlying risks, improved terms due to new exclusions in place, increased premiums being charged or the limited capacity and damaged reputation of competitors).

However, there are many limitations in the work done to assess such downside and upside risks adequately and this can result in adverse business decisions being made as a consequence – for example exiting classes of business that were later not as deeply impacted as initially anticipated (such as the impact of working from home on the cyber-insurance class); or perhaps even some classes being entered (such as contingency insurance) to benefit from the significant increase in rates without any consideration for the potential of COVID-19 becoming an ongoing event that could last for months.

There are two key elements within business lines that can drive some uncertainty in emerging risk assessments:

1. (1) Lack of capability to process contracts and log policy clauses/wordings within each contract in an easy and non-manual manner.

2. (2) Uncertainty in the response of contract wordings to the losses triggered because of the emerging risk.

Technological developments – particularly in the financial sector – should mean that the first item is soon to be a limitation of the past. Considering the example of general insurance, there are now a range of software solutions available to read (e.g. via the use of optical character recognition) and log contract clauses embedded in business contracts.

The second item above is a larger issue to tackle and a key area of uncertainty is how contract wording will respond in cases of emerging risks that have previously never tested contract clauses – a perfect example of how this can materially impact business is the Financial Conduct Authority’s (FCA) business interruption (BI) test case result. This specific example is explored in detail as a case study 1 later in the paper.

COVID-19 has shown that arbitrarily maintaining “pandemic” risk scenarios on risk registers parameterised with high-level parameters is not necessarily the most effective approach – sensitivity of the robustness of contract clauses within a ground-up approach is something that may now need to be embedded within risk management considerations and communication.

A good example of how this could be done in practice is explored in a non-affirmative cyber risk. These are unknown or unquantified systemic cyber risk exposures originating from cyber perils that may trigger traditional property and liability insurance. The paper by the Cyber Risk working party provides a framework with which to generate non-affirmative cyber scenarios by considering, amongst other items, the potential range of contract clauses and their associated “contract confidences” when quantifying potential loss amounts (Subgroup, 2019). Although that framework was developed specifically with non-affirmative cyber perils in mind, the general overarching principles are relevant to any emerging risk.

Setting up such “contract clause” sensitivity testing frameworks will also have an additional bonus of being easily fed back into underwriting/business pricing functions to assist in the business-as-usual assessment of risk. An enhanced understanding of exposures/contract terms is not only a benefit from a “risk management” perspective but also from a “line management” perspective if it enables information to be fed back into pricing and capital considerations so that profitability can be adequately assessed.

1. 4. Identifying and removing behavioural bias from the emerging risk response

An interesting final question that is posed to the reader in this section is whether behavioural biases exacerbated (or limited the ability of companies to react to) issues presented by the emerging pandemic. For example, was the scale of the pandemic underestimated because something similar had never been experienced before (availability heuristic)? Was there underestimated risk in how contract wordings would react due to previous challenges to contract clauses (overconfidence bias)?

Behavioural biases in risk/business processes need to be identified and removed to avoid “human behaviour” adding an additional layer of complexity to an already uncertain emerging business risk situation. Developing “data-driven” approaches that can challenge human judgements – as mentioned earlier – is one way in which this could be achieved. Other ways could be generated based on the behavioural bias being tackled.

6.3. Summary

ERM frameworks have developed significantly over the last decade, particularly in the financial sector, and items such as having “business continuity plans” in place and adequate risk “horizon-scanning” processes are still very much required but seen as standard procedures. Going forward, as was shown in responses to the COVID-19 pandemic, there are areas that can be further developed in order to generate a more effective integration of ERM within business lines. Many of these are focused on developing a deeper understanding of the potential risk and augmenting processes to enable business lines to be able to provide the most informed judgements (based on minimal human biases).

The following key areas are suggested when considering the integration of ERM within business writing functions:

1. 1. Deeper appreciation of the potential for emerging risks to become systemic.

2. 2. Understanding exposures/unlocking a data-driven response.

3. 3. Risk assessment & sensitivity testing based on contract clauses.

4. 4. Identifying and removing behavioural bias from the emerging risk response.

7.1. Importance of Risk Transfer in ERM

The insurance industry has a long history of managing, extremely well, financial risks that can be modellable. The COVID-19 pandemic, solar storms, large-scale cyber-attacks, and climate catastrophes are emerging risks, characterised as rare and systemic risk events. By their very nature these risks are considered improbable or unlikely. The insurance industry finds it very hard to insure those risks because of modelling limitations and difficulty in pricing those risks, resulting in a high price that renders the insurance product insuring against these events unaffordable, but also because they involve human interaction. Moreover, when these risks manifest, the size and severity of losses associated with these events can exceed the amount of premiums collected, or even the market capitalisation of the insurance industry. Therefore, they come with certain uninsurabilities.

There is limited historical data on these events with which to draw solid conclusions about their true dynamics. Therefore, different rare, systemic risks have different characteristics and different risk profiles, and this leads to different assumptions for modelling the frequency and severity of the risk and ultimately affects the risk-reflective pricing and the pure premium charged for these products.

The lack of awareness of these types of risks and the extremely low take-up rates of standard insurance products insuring against these risks, such as standard business interruption insurance, creates very low demand for these products and therefore affects their pricing, by making these products expensive to buy due to their important but not urgent nature, as a result of the perceived low likelihood of the occurrence of these events, and therefore they are not prioritised in risk registers.

Rare, systemic risks are not traditionally included in standard business interruption cover insurance, and as experienced during the pandemic, the uncertainty over different policy applicability to cover the risks associated with the pandemic has led to legal challenges for businesses trying to access policy pay-outs.

For these reasons, we have set up the Black Swans Insurance Working Party at the Institute and Faculty of Actuaries, with an overarching objective of being the leading source of knowledge and expertise on matters relating to systemic risk planning and insurance. One of the strategic goals of the working party is to structure and develop a model to allow for comprehensive and affordable systemic risk insurance to be offered, protecting the UK economy, and safeguarding society and livelihoods from these extreme risks.

The working party will explore solutions to set up a construct that is fit for purpose and works for designing either a single product for each systemic risk event or an all-encompassing product covering tail events, through the equitable sharing of systemic risks between the parties to the transaction, including the insurance industry, reinsurance industry, capital markets, the insured, and government as the insurer of the tail risk, by designing a product for the sharing economy that is:

1. 1. Affordable: reasonable cost of delivering the product at an affordable price.

2. 2. Available: high confidence that the product is fit for purpose, and it will perform when it is needed.

3. 3. Relevant

For the risk transfer, the working party will explore whether the Pool RE model of public private partnership (PPP) is (OECD International Platform on Terrorism Risk, 2015) effective and sufficient and could be expanded to cover other types of systemic risks. The framework will achieve the following strategic goals:

• To develop a framework for the risk assessment of rare, systemic risks that is dynamic and data-driven, and to robustly identify systemic risks that are considered improbable or unlikely events.

• To identify and build robust methodologies for understanding, assessing, pricing and modelling different systemic risks with different characteristics, risk profiles and assumptions for modelling the frequency and severity of the risk; and coming up with a range of risk-reflective pricing charged for these products to reflect a long-term black swan risk premium.

• Designing and risk-sharing a systemic risk, black swan product, covering either each systemic risk event or an all-encompassing product covering tail events in general, taking into account:

• type of product

• the limits of indemnity – whole loss or part of it

• is the product index, parametric, or modelled loss, or some hybrid in between?

• is it mandatory or optional?

• taking into account behavioural aspects so the product incentivises behaviour rather than making it compulsory to affect premium rates

9.1. Importance of Data and Technology Resources in ERM

The technological landscape has been very volatile during the current pandemic. Many companies and some industries were severely underprepared in areas such as hybrid or flexible working. Following an initial scramble to put things in place, most have now found a new outlook on the technological base required to navigate their companies through future uncertainties. Financial institutions have been ahead of the curve when compared too many other industries and were quick to adapt to the new normal. In this section, we discuss what steps should be considered from a data and technology perspective to help update an ERM framework.

9.2. Key Lessons Learned from the COVID-19 Pandemic

• Regulators have played an active role in guiding companies towards improving or implementing robust technology risk management frameworks

• During times of volatility, quality of data collected could be impacted. Companies should take remedial measures to ensure data integrity

• A successful upgrade of risk management systems in light of the pandemic would require risk management and IT professionals to work closely to establish new standards.

First, we look at the technological aspects before delving into the data resources in ERM.

9.3. Technology Resources

The last few decades have seen significant technological progress. The exponential increase in computing capacity provided by rapid and incremental improvements in micro-processors has helped in shaping a new world. These advances have helped in improving data capture, storage and analytics while also improving the user interface to help implement systems (risk management being one of them) that assist senior management in taking appropriate decisions.

Financial institutions have been at the forefront of technological improvements during this period and have adapted their operations to take advantage of these opportunities. Risk management and IT professions have been tested in conceptualising, implementing, and upgrading their systems to keep pace with technological advancements. The current pandemic may have acted as a proverbial spanner in the works for many, helping refresh or reset their views on technology risk. Guidance from regulators, trade associations or external risk consultants helped companies adapt to the new circumstances they found themselves in.

An example of steps taken to educate and provide a framework for companies is the Technology Risk Management Guidelines issued by Monetary Authority of Singapore (MAS) (Monetary Authority of Singapore, 2021). The revised version of these guidelines issued in January 2021 set out risk management principles and best practices to guide financial institutions to establish sound and robust technology risk governance and oversight, as well as maintaining IT and cyber resilience.

The guidelines aim to provide a holistic view on technology risk management by providing both high-level essentials and an in-depth review of current IT systems, their resilience and how secure they are to cyber threats. The topics covered in the guidelines are:

• Technology risk governance and oversight

• Technology risk management framework

• IT projects management

• Software application development and management

• IT service management

• IT resilience

• Access control

• Cryptography

• Data and infrastructure security

• Cyber security operations

• Cyber security assessment

• Online financial services

• IT audit

Financial institutions should have an efficient feedback loop to help maintain and improve the risk framework within the organisations. Areas such as governance and oversight are critical for every company aiming to revise their risk management framework in light of the changes to the economic and work environment following the pandemic. An example to consider may be remote working. Does your company have a robust policy for the majority of employees are working remotely? If policies were implemented with working in office as the norm, technology risk management aspects should be modified to allow for any hybrid working policies in the present and future.

To this end, the MAS and The Association of Banks in Singapore also issued a paper on managing new risks that could emerge from extensive remote working arrangements adopted by financial institutions amid the COVID-19 pandemic. The paper titled “Risk Management and Operational Resilience in a Remote Working Environment” (Monetary Authority of Singapore, 2021) highlights four key risks of remote working to the operations of financial institutions:

1. 1. Operational risks

2. 2. Information security and technology risk

3. 3. Fraud and staff misconduct risks

4. 4. Legal and regulatory risks

For each of the risks, the paper delves into the details of the following aspects:

1. a. What has changed?

2. b. What are the risks?

3. c. What are the key risk management actions required?

4. d. Examples of mitigation controls

This paper again urges senior management to ask the right questions of their operations and improve risk management resilience. Companies often use technology as a competitive advantage, especially to be first to market on certain products. While this trend is expected to continue, risk management professionals and management must keep in mind the risks while leveraging such technologies.

9.4. Data Resources

Good risk management always starts with good data collection. The nature of data collected is usually complex and unique to the risk management process in question. For example, a trading risk management system would have a very different outlook to data when compared to an insurance risk management system. The inherent complexity in understanding and recording the correct data are magnified under stressed scenarios such as COVID-19. A few keys areas to consider when reviewing data management are:

1. 1. Review data sources and its use

An effective risk management system helps to monitor and record losses or events that cause significant distress to a company or industry (or both). A detailed record of how the company’s risk management framework reacted to a pandemic should be noted. Any failures should be corrected for the future and successes should be implemented in areas where they were not applied before.

Apart from internal sources, data from external sources such as industry associations, peers or regulators may also be collected to enhance risk registers and allow for ‘events not in data’ (ENIDs). This information should be used in determining the effectiveness of key risk indicators (KRIs) and revise them if required. COVID-19 may provide new perspectives on risk that have previously been deemed as too extreme. Companies may consider a more frequent review of their KRIs in the short to medium term as the true impact of the pandemic emerges.

Dashboard reporting is a popular way to represent risk information. A risk dashboard may try to incorporate adverse scenarios and impacts more prominently to help ensure that the senior management understand the risk better. As with all data, communicating the right message to the right audience is of utmost importance.

1. 2. Review data standards and reduce subjectivity

In addition to collecting data, data quality should be reviewed on an ongoing basis to ensure that information collected is compliant to all standards, including any subjective measures. The data collected during a pandemic is expected to be skewed when compared to normal conditions. Companies should aim not to ignore outliers but incorporate them in a structured manner (probabilistic approach) to help quantify and mitigate the downside risk.

Any additional subjectivity should be minimised to ensure that the data is fit for use in the future. Companies may opt to review any areas of data collection that rely heavily on manual processes. A good audit trail and a structured data collection framework may be provided to employees to ensure maintenance of the integrity of data.

1. 3. Embedding data collection practices

Many companies follow a decentralised approach to data collection within business units. This may lead to discrepancies in measures taken on risk mitigation as data may not be available at a level that is required to make appropriate decisions. Companies may review the data collection practices adopted by various business units and embed practices that ensure that the most critical pieces of information are collected for effective policy making. Again, successes and failures should be discussed to ensure that the best practices are followed throughout the organisation.

1. 4. Data privacy and governance

In recent years, regulations such as the Prudential Regulation Authority (PRA) and GDPR have put more focus on data collection and governance. Disclosure and transparency in data sharing are expected by regulators, especially from financial institutions such as banks and insurers. With hybrid working arrangements being implemented across the globe there is increased threat from cyber-attacks. Steps taken by regulators to reduce the risks include the Technology Risk Management Guidelines issued by MAS (Monetary Authority of Singapore, 2021). These provide guidance for companies to take steps to assess cyber security and implement appropriate measures to reduce the probability of data breach.

1. 5. Updates and feedback loops

Feedback loops are an essential part of any risk management system. This should also be reflected in the data management function. Companies tend to collect a lot of data on customers, suppliers, competitors, and other sources. A frequent review of the integrity and validity of data may be required to ensure optimal use of data in making decisions.

1. 6. Use of qualified risk management and IT professionals

The current pandemic provides a completely new data point with which to compare worst-case scenarios. Any decision-making for a future-ready system must be forward-looking while learning from past mistakes or successes. Seasoned risk management professionals are more attuned to the growing needs of businesses (and the industry) and should helm the transformation process. IT professionals must be a critical part of the transition process to help minimise disruption, understand the new technology and its pitfalls and provide effective integrations to current processes.

1. 7. Establishing consistent data standards

Any changes to internal or external data sources following a systemic event may impact the data collection and storage protocols. As risk management systems often collect data from sources within or outside a company, care must be taken to review such data standards following any significant events (internal or external) to ensure the integrity of data in databases. As noted in the previous section, data quality is critical in maintaining a healthy risk management framework. Appropriate steps should be considered to ensure data capture and reporting to senior management for decision-making purposes.

1. 8. Scalability

One of Lam’s (Reference Lam2014) suggestions was to use a structured and modular approach to build scalable systems. This is a vital part of the process to ensure the whole system/process is not reengineered at each update. COVID-19 taught us that lockdowns can be quickly implemented, and businesses should be flexible to adapt to new working conditions. A modular approach would provide an ideal solution to implement new risk parameters as the scenario evolves. We must however also take care not to over-engineer the systems to allow for extremely unlikely scenarios, making such systems less effective.

1. 9. Updating key risk indicators

The risk appetite for an organisation determines its Key Risk Indicators (KRIs). Risk-averse companies may look towards minimising the risk while the strategies or objectives of risk takers would look for opportunities during risky periods to enhance their business. Black swan/grey rhino events provide good real time scenarios with which to test risk appetite and understand if previously set KRIs and risk thresholds still hold true for the future.

9.5. Summary

The importance of data and technology resources in ERM during COVID-19 is recognised, with the following areas discussed:

1. 1. Regulators play a key role in providing guidance and framework to maintain data integrity (especially to small and medium firms) and to navigate the volatile risk landscape.

2. 2. Firms should consider a proactive approach to updating databases within their risk management systems by utilising the right combination of resources.

3. 3. Collection and data management are critical aspects of good risk management and firms should aim to revise these practices in light of observed grey swan events.

10.1. Importance of Stakeholder Awareness and Engagement with in ERM

One of the keys to any successful relationship is communication. As the working world struggles to rebalance after two years of COVID-19, there are clues as to why some of the more successful companies are stabilising more quickly than others.

Within the framework of Enterprise Risk Management (ERM) the principles that govern how best to manage stakeholder risk are useful to remember. The key stakeholders that concern most corporate entities include:

• Employees

• Customers

• Regulators

• Rating Agencies

• Business Partners

1. Employees

A recent estimate (World Economic Forum, 2020) by the World Economic Forum was that 2 out of every 5 jobs lost for COVID-19 related reasons (i.e. lockdowns, travel restrictions etc.) are unlikely to return. This is a staggering figure to digest, particularly given the expected impact on the viability of some industries as a whole. Employees are (or at least should be viewed as) the main asset of any company, especially for those industries that depend on intellectual or human capital. The Aon Global Risk Management Survey 2019 (AON, 2020) ranked ‘Failure to attract or retain top talent’ as the 11th highest risk as viewed by respondents. Going forward how will this risk (or rank) evolve? With mass layoffs occurring, companies may select shorter term gains but sacrificing valuable longer-term benefits but letting go of key talent.

It should be no surprise that employees’ and employers’ do not always align. Since employees have a high impact on profitability it is critical that they are managed well. This should flow through recruitment, training and organisational development.

Good talent is not as ubiquitous as we would like. With the current turmoil there is a general lack of appetite towards hiring as companies play it safe. It is important to remember however that onboarding talent should be encouraged to the extent that longer team strategy is facilitated. Dedicating additional resources towards screening and recruiting talent has historically shown to have its benefits. Perhaps the pool of talented candidates available has grown since the onset of the pandemic and it may be worth considering how a company can benefit from onboarding such talent.

Training and developing staff are key retention tools but it not always given due consideration. Staff turnover is costly. Losing talent can be even more painful when lost to competitors. Studies on the cost of employee turnover vary however the conclusion is the same – these costs are not well understood by companies. Another question that needs to be answered – does training offer value to both employees and employers. Retention, productivity and morale all improve and thus reduce the risk to the employer of high turnover. In addition to this companies should value and recognise employees. Promotions should be based on merit in order to create a culture where staff see a longer-term horizon for themselves within the company.

Particularly at a time when so many employees are working from home, the culture of the company in communicating and supporting staff is a key ingredient towards maintaining morale and productivity.

The inverse is obvious – letting go of large number of staff simultaneously reduces morale and can impact employee resignations. Singular terminations are however a common part of the life of a business and if managed well they can remind the other staff of a strong work culture that rewards talent and hard work. When employees resign this is also a useful learning opportunity for the business. Understanding what has prompted someone to leave the company so that the root causes can be fixed for the remaining staff is a lesson which companies can leverage off.

1. 2. Customers

Customer needs evolve continuously and companies who proactively track, assess and act on these changes are in a better position to manage the risk of a diminishing customer base (or even turn it into an opportunity by acquiring new ones). Preferences are also shifting due to a multitude of factors other than the product itself, such as ethical sourcing and production, compliance to General Data Protection Regulation (GDPR) and privacy laws, ESG (environmental, social and governance) issues etc. A recent McKinsey study (McKinsey & Company, 2020) discusses ‘Shock to Loyalty’ where customers tried other brands during the pandemic. Value and availability were the key drivers for the change. Customer acquisition and retention strategies must keep pace with the changing trends and the review of these strategies should be embedded within the risk management frameworks to help ensure they are up to date. To have an open channel of communication with clients and effective implementation of suggestions received through a feedback loop would also help improve brand perception.

During the current crisis, communications via social media platforms have provided companies with a critical lifeline in keeping customers engaged. Companies often follow and participate in popular trends on platforms and some even provide support to key social issues locally and globally. Companies should also consider the following:

Do companies have adequate policies and measures in place to ensure the right messages are communicated to their current and prospective clients?

Do they also have procedures in place to mitigate any impact to their business due to negative publicity?

While it is good to have quick and easy access to customers, the rules of engagement should be clearly defined and updated periodically. This also puts focus on a more customer centric approach to business rather than a product centric one which has prevailed for most of last century. The Aon Global Risk Management Surveys in 2017 (Global Risk Management Survey, 2017), 2019 (AON, 2020) and projected risks in 2022 all show Damage to Reputation, Failure to Innovate/Meet customer needs and Increasing Competition as three of the top 10 risks.

We must also give equal or even more weight to crises arising from within the organisation that can significantly alter consumer’s perception of a certain product. We can have better controls put in place to prevent these and have procedures in place in the event of one materialising. A crucial risk for many companies is a product recall. We have seen instances in recent times in many industries such as automobile, electronics, food & beverages, pharmaceuticals etc. involving large-scale recalls and a range of measures taken to restore customer confidence. An example of this is the recent decision by Hyundai to recall 82,000 electric vehicles because a reported 15 vehicles caught fire (Keith, Reference Keith2020).

A procedure manual or response plan incorporating key learnings from prior recalls (including that of peers) may help provide valuable inputs to the teams facing such a recall. The risk function in a company should take responsibility for such initiatives.

1. 3. Regulators

Since the global financial crisis of 2008, the role of regulators within the financial sector has increased significantly. Managing regulatory responsibilities, developments and expectations is a critical part of ERM structure. Aon’s Global Risk Management Survey in 2019 (AON, 2020) ranked regulatory and legislative changes as the 10^th largest risk.

The onset of the pandemic has further accelerated the need for regulatory involvement. In May 2020 the Saudi Arabian Monetary Authority (i.e. the Saudi insurance regulator) issued a declaration that all retail motor insurance policies in-force and to be sold within a 1-month period would be guaranteed an extension of 2 months on the original motor policy, at no additional cost to currently insured policyholders (Saudi Arabian Monetary Authority, 2020). The rationale being that due to low levels of driving, policyholder reasonable expectations should be considered in passing on some of the benefit that motor insurers received during the lockdown. Insurers were not given time to prepare for this regulation and had to adapt immediately.

Similar actions were taken in other parts of the globe where regulators realised the extremely important role they had to play in managing policyholder expectations at a time of unprecedented strain. The perils covered under business interruption cover have been the subject of intense public discussion and insurers are finding it more difficult to reject claims based on policy wordings and conditions. Regulation may likely be introduced to protect the interests of the insured with less concern about the potential impacts on insurers. How does the ERM framework of an insurer allow insurers to absorb these regulatory losses without crippling the business?

Indeed, such is the uncertainty around insurers denying coverage for losses caused by COVID-19 closures, the Insurance Council of Australia (ICA) started proceedings recently to test the application of certain infectious diseases exclusions in business interruption (BI) policies. To quote the ICA, “The Insurance Council initiated this test case on behalf of insurers that sell commercial property policies with business interruption cover. The ICA believes this test case is an important step towards providing greater clarity to insurers and small business customers in the treatment of pandemic-related claims” (Wood, 2020).

Current ERM frameworks must rapidly adjust to accommodate regulatory changes that are desperately being lobbied for by the general public.

1. 4. Rating agencies

“Whilst we understand the underlying factors that are pointed out by the ratings agencies, we think that during such a time of crisis, where the whole world is recalibrating and redefining its economic status, for any downgrades to be issued during this time is like kicking us when we’re down.” These are the words of the South African Revenue Service Commissioner in an online interview in May 2020 (Naidoo, Reference Naidoo2020). This followed a downgrade of South Africa’s debt by S&P to its worst status in 26 years over concerns that COVID-19 will have a significant negative impact on growth and places even more strain on the country’s ability to recover from the pandemic. The expectations of rating agencies are that several countries, particularly in Africa, will face exceedingly tough futures in the short to medium term and, from a risk management point of view, the resilience of these countries to survive the coming headwinds is severely diminished. Perhaps it’s time for countries and corporates to rethink how to address the risks they face in a climate where the action of rating agencies can contribute significantly to these headwinds.

As anyone who has been involved in a rating exercise knows, an effective ERM framework and a strong credit rating usually go hand in hand. ERM is a key part of the considerations of any rating agency that essentially provides to the broader public a ‘probability of default’ for a corporate entity. A strong framework that demonstrates the ability of an organisation to protect its capital base from unexpected losses is a critical criterion for a strong rating.

In assessing the control processes of a company, the rating agency scores the ability to identify, monitor and manage different categories of risk. These include market risk, credit risk, insurance risk and operational risk. The ability to weather rare but extreme events is also considered and assessed.

As of August 2022, none of the rating agencies have announced material adjustments to methodologies or rating criteria because of COVID-19 to date. However, it is likely there will be discussion on what should be measured going forward by the relevant rating criteria and what the real risk profile looks like.

Rating agencies must also balance communicating short-term credit risks to the market with the need to determine whether any of the short-term credit pressures lead to long-term enduring issues for the issuers. A distinguishing factor in the credit analysis compared to the 2008 market collapse is how apparent the current credit risks are to investors, particularly the short-term risks. This is unlike the complex asset-backed mortgage securities that were much less transparent and difficult to evaluate during the prior recession.

Rating agencies, actuaries, economists, and the world at large will learn from the recent quarter and the upcoming quarters. Soul-searching questions will be asked, such as

• What preparation could have been taken?

• What should have been reasonably expected?

• Should ratings have been adjusted in the short-term due to rating pressure, or is a different rating structure needed to capture risks to investors that are related to short-term liquidity?

Perhaps the questions themselves will also change.

1. 5. Business partners

Business partners are a cornerstone for companies where many have long standing business agreements and a finely tuned supply chain that optimises profits. But how well do you know your partners, and will they be around during or after a crisis?

This was a pressing question within the automobile industry in Asia following the Tohoku earthquake. Manufacturers faced severe disruptions, and many had to rethink the ‘Just-in-time’ philosophy. Some asked prospective suppliers to include alternative sourcing plans to ensure they can deliver the required goods under new contracts. Many stuck to their current approach to maintain competitiveness. Disasters (natural or man-made) are imminent and supply chain disruptions are bound to follow any such events. It is up to companies to either strengthen or diversify their procurement policy to ensure smooth operations. Contracts with key partners should be evaluated at frequent intervals (both internally and by third parties) to ensure they are fit for purpose.

Business partnerships are also critical for sales. Well established distribution channels help generate steady income while also providing an opportunity to explore new avenues of sales without significantly impacting revenue. Technological advancements and the evolving consumer needs have led to a proliferation of online marketplaces. Would companies prefer to use such established channels or build their own network? Either approach require careful planning and contracts with these entities are vital to ensure that they help enhance the company’s position in the long term. An ERM framework should provide adequate guidance to the management on risks under various distribution channels to help them take an informed decision.

While consumers preferred the digital channels to purchase products and services during the current pandemic, the recent Digitization Acceleration Grant by the Monetary Authority of Singapore also shows the intent from regulators to use this opportunity to push companies to have a more digital mindset in the future (both to increase efficiency and to make companies future-ready).

Most companies perform due diligence before onboarding new business partners. While this is adequate for many partners, is there a need to perform a more in-depth review of the business agreements in place under stressed scenarios? Scenario testing your business plans may help assess the health of current business partners and also plan for alternative arrangements to ensure business continuity. For many outsourced support centres for global financial institutions, Business Continuity Plans are regularly monitored and updated with frequent tests at remote working locations to ascertain the viability of current arrangements. For many, such tests may have provided a glimpse of managing employees remotely and be better prepared for events like COVID-19.

However, how proactive are companies in reviewing business continuity and is this process just on a piece of paper or tested meticulously to ensure preparedness? Business Interruption is and will always be one of the key risks for any company. While they may be an integral part of any risk register, as Neil Cantle explains in his blog (Cantle, Reference Cantle2020), we need to make these discussions more active and the ERM framework should consider appropriate communication channels to help stakeholders understand the risks.

10.2. Summary

• Employees are (or at least should be viewed as) the main asset of any company, especially for those industries that depend on intellectual or human capital. Commitment to staff retention in a stressed economic climate will have significant advantages post-crisis.

• Customer acquisition and retention strategies must keep pace with the changing trends and the review of these strategies should be embedded within the risk management frameworks.

• Current ERM frameworks must rapidly adjust to accommodate regulatory changes that are desperately being pushed for by the general public.

11.1. Practicalities around Assessing Effectiveness of ERM Frameworks

ERM is a corporate function that aims to manage and reduce enterprise-wide risks based on a holistic framework. In this context, ERM is a concept or approach rather than a unique tool that applies equally to all organisations across several industries. Every industry operates with a key set of risks and the characteristics of each risk differ from time to time depending on internal and external factors driving the total risk in each industry. Further, firms’ ERM initiatives are a support function rather a direct profit generating activity.

Consequently, the effectiveness of ERM is a time and context driven issue and cannot be measured in absolute terms that applies uniformly under all circumstances. Historically, there has been a long debate on the purpose of a commercial firm – whether it is solely profit making for its stockholders or contributes to society. In line with Milton Friedman’s Reference Milton1970 doctrine (Milton, Reference Milton1970), classical economic theory in the context of a free market advocates that profit making, which integrates social responsibility, should be the only objective of commercial firms. In contrast, from the moral and ethical perspective, Edward Freeman (Reference Freeman1984) argued that corporations should actively focus on meeting the needs of society rather than maximising profit solely for their stockholders. Although the tension between shareholder value versus stakeholder value is yet to be resolved, there is a recent move towards the environmental, social and governance (ESG) frameworks of large corporations to measure their corporate performances. However, unlike financial measures of corporate performance, such as Tobin’s Q, cumulative abnormal returns, return on assets (ROA) and excess stock market returns, non-financial measures like ESG contributions are still voluntary.

In this context, one can argue that insurers’ ERM effectiveness can be measured in an integrated framework combining both the traditional financial and the non-traditional ESG disclosures. As mentioned earlier, every industry has a unique way of designing their ERM programmes depending on the preferred set of key risks and opportunities in line with their revenue generating functions. In theory, the outcome of these functions should be captured in both financial and ESG performances. However, ESG reporting is comparatively new, and it is evident that the insurance industry only started reporting their ESG performance in 2007. Moreover, the ESG disclosures are not formally audited and in many cases the data are incomplete.

11.2. Methods of Effectiveness

Classical finance theories suggest that a firm’s current stock market performances represent a prediction of its accumulated future activities. This means that a firm’s stock price integrates the risk and opportunities arising from its operational and strategic functions in the presence of uncertainty. It is evident that insurance companies’ corporate performances are influenced by major events like natural catastrophes, financial crises and pandemics (as can be seen in Figure 5). In the literature the link between insurance prices and natural catastrophe events is well explained by the underwriting cycle. However, the impact on insurer’s stock price by the COVID-19 pandemic is not well explored. The following is a description of the method used to measure the impact of COVID-19 on selected ERM-practising insurers’ stock market performance compared to a range of other events that affected their earnings and profitability. Considering the practical limitations of the non-financial data, as explained above, the model accommodates only financial data to predict the effectiveness of ERM compared to the following events.

• 2001 September 11th incident: World Trade Centre losses in 2001 impacted the insurance industry by over $22 billion (Terrorism risk: A reemergent threat, 2004). As a result, there was a significant increase in reinsurance rates despite the government’s bailout.

• 2001–2002 credit crises: Following the long bull market from 1982 to 2000, the world stock market crashed in 2002. The market capitalisation plunged by billions of dollars. Price losses in the US capital market were calculated at $7 trillion beginning in March 2000. In the insurance sector, life insurers in particular struggled to generate cash from their businesses. Consequently, many life insurers were forced into a fire sale of their equity portfolios and withdrew unprofitable businesses.

• 2002: Insurers settled a substantial amount of losses for D&O related losses arising from the collapse of Enron and WorldCom. Thereafter the cost of D&O insurance went up by 260% from mid-2001 to mid-2003, driven by the lawsuits that arose from the accounting scandals of these companies.

• 2004: Insured losses from hurricanes Charley, Frances, Ivan, and Jeanne were priced at $28 billion and the economic losses were calculated at $56 billion (Call for Reform in the Residential Insurance Market after Hurricane Katrina, 2010; Macroeconomic and Budgetary Effects of Hurricanes Katrina and Rita, 2005).

• 2005: KRW worst-ever insurance loss from hurricanes Katrina, Rita, and Wilma (KRW) in 2005 was estimated at $65 billion and total damage to the economy was calculated at $170 billion (Ten-Year Retrospective of the 2004 and 2005 Atlantic Hurricane Seasons, 2014). The loss resulted in higher insurance prices and restricted coverage in the areas likely to be hit by natural catastrophes. A recent study conducted by Aon Insurance of stock price reaction to KRW found that insurance companies were more sensitive to a single large loss than to an aggregation of loss events (Catastrophe Risk Tolerance Survey: Public disclosures by sector Year-end, 2022).

• 2007–2008: Sub-prime mortgage crisis and subsequent financial meltdown threatened some renowned insurance companies that had exposure to structured financial products (e.g. collateralised debt obligations (CDOs)). The insurance industry as a whole did hold significant exposure to the financial market, and the life insurance industry was affected by the fall in interest rates. In addition, the industry was negatively impacted by the 2008 equity market disruption that resulted in the erosion of investment income and a reduction in capital reserves.

• 2008: Hurricane Ike, a Category 2 storm, and the biggest to hit Texas in nearly 50 years, cost $23 billion to the insurance industry (Dismukes and Peters, Reference Dismukes and Peters2011; Swiss Re, 2017).

• 2011–12: Hurricane Sandy and an earthquake and tsunami in Japan cost the insurance industry approximately $69 billion (Yoshiaki, Reference Lund, Madgavkar, Manyika and Smit2017).

• 2017: Hurricanes Harvey, Irma, Maria occur and there are losses of $92 billion (Kerjan and Taglioni, Reference Kerjan and Taglioni2017).

• 2020–2022: Insurers are exposed to COVID-19 losses in both household and commercial insurance policies including commercial property and business interruption, travel, life, health, and liability (OECD, 2020). Although the insurability of pandemics is not fully understood (Richter and Wilson, Reference Richter and Wilson2020), it is expected that the COVID-19 related loss could exceed $100 billion.

$$\matrix{ {Stock\;Market\;Performance\;\left( {ERM\;\;effectiveness} \right)\; = \;{\beta _0} + {\beta _1}Insurance\;Risk\; + \;{\beta _2}Financial\;Risk} \cr {\quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad + \;{\beta _3}Operational\;Risk\; + \;{\beta _4}Hazard\;Risk\;} \cr {\quad \quad \quad \quad \quad \quad \quad \quad \quad + \;\varepsilon \;\left( {Error} \right)} \cr} $$

In the model, ERM is defined within four types of risk, that is, insurance risk, financial risk, operational risk, and hazard risk (CAS, 2003).

Figure 5. Insurers’ stock market performances from 2000 to 2020.

The model is set to predict the effectiveness of each insurer’s ERM framework in terms of their respective stock market returns (the dependent variable). This will eventually help us to observe responses of the ERM of practising insurers to the listed events, including the COVID-19 pandemic. This benchmarking method of assessing the effectiveness of ERM will eventually help the insurers to revise their ERM tools, with limitations, to address the COVID-19 type pandemic risks.

11.3. Summary

Based on classical finance theories, firms’ current stock market performances represent a prediction of their accumulated future activities. This means that firms’ stock prices integrate the risk and opportunities arising from its operational and strategic functions in the presence of uncertainty. Insurance stock market return during the early stages of the COVID-19 pandemic was impacted negatively. The conclusion reached is that insurance companies’ corporate performances are influenced by major events like natural catastrophes, financial crises and ongoing pandemics. The model accommodates only financial data to predict the effectiveness of ERM, considering the market perception of the companies’ insurance risk profiles, financial risk profiles, operational risk profiles and their exposures to hazard risk.

12.1. Case Study 1: Capital models (Solvency II – Lloyd’s of London) model completeness – adequate allowances for extreme events?

This case study considers the treatment of extreme events within a Solvency II (SII) context. Moreover, this case study looks at the Lloyd’s of London market response to COVID-19 and whether lessons can be learned from a model completeness perspective.

Prior to COVID-19, many risk registers allowed for pandemic risk events. COVID-19 has likely prompted many of these organisations to assess the value of such high-level allowances and whether these considerations were sufficient in covering the liabilities that arose from COVID-19, in order to prepare an entity for a future pandemic event. More specifically, characteristics that may have previously been underestimated include secondary impacts (e.g. the subsequent global economic downturn and widespread lockdowns) resulting in losses across many risk types, the timing of cascading impacts resulting in timescales of months/years rather than weeks, as well as the truly global scale of the event with variations across geographies due to differing political interventions.

Whilst it may be impractical – or even impossible – for an entity to consider a truly complete range of potential extreme events that may happen, events like the COVID-19 pandemic are now anticipated to occur more frequently than has been observed historically (Intergovernmental Platform on Biodiversity and Ecosystem Services, 2020). Moreover, lessons learned from the ongoing pandemic can be applied to extreme events in general. In this case study, we briefly consider specifically the allowance for pandemic/extreme events in capital models and what key lessons can be learned and whether there is an argument for allowing for widespread risks more generally in internal models to enable the conversation (and subsequent preparation) for an extreme event with complex characteristics that may not have previously been observed.

Under SII, capital models consider the 200-year risk measure; to parameterise such a return period, extreme scenarios are considered that may be unlikely to occur but, if they do manifest, they could have a material impact on an entity’s results. Prior to 2020, pandemic risks may have already featured in some capital models, even those who do not operate directly within the life/health insurance sector, through other means, for example the risk registers that generally feed into the operational risk calibration.

However, as the COVID-19 pandemic has highlighted, a systemic risk has the potential to trigger losses across an entity’s risk spectrum simultaneously (for example investment return risk, premium risk, reserve risk, operational risk, credit risk, liquidity risk and regulatory risk) and not just independently within risk types (e.g. across different elements of operational risk or different business classes within underwriting risk).

Many capital models will likely have already conducted reviews in light of COVID-19 and a good example of this is the work carried out by many syndicates over the summer of 2020 in response to Lloyd’s of London setting the pandemic as an explicit “Focus Area” (Lloyd’s of London MRC Syndicate Capital, 2021). Lloyd’s made it clear that “penal” loadings would be applied “to any syndicates that have not made appropriately logical or comprehensive” considerations and responses to the “the implications of recent/ongoing experience on their risk profile.”

Model updates of course would have varied on a syndicate basis but included reviews and updates to items such as distribution parameters across all risk types, volatility assumptions, dependency assumptions, any third-party data sources (such as any economic scenario generator (ESG) data due to the ongoing economic downturns) as well as allowances for extreme tail events/events not in data (ENIDs). Further details split by risk type can be found in Lloyd’s’ February 2021 capital briefing slides (Lloyd’s Capital Briefing, 2021).

In particular, there was a focus on determining not only the direct impacts but also the secondary effects of COVID-19 (shown in the exhibit - Figure 6) as well as conversations relating to whether model changes should be “temporary” or whether the pandemic should be treated as a “near-miss event,” which can be used to prepare for other events that “may have similar impacts,” for example, prolonged cyber-attacks, climate change or other global lockdowns.

Figure 6. Lloyd’s of London COVID-19 response best practice guidelines for secondary impacts.

Furthermore, one of the areas of focus for 2021 is looking more deeply at “model completeness.” After all, in the context of capital setting, syndicates take the 1:200 from the full uSCR (ultimate solvency capital requirement) distribution, which by definition should include allowances for ENIDs.

Following on with this train of thought, this case study investigates whether there is an argument to allow for a generic systemic risk distribution in internal capital models to help with this “model completeness” point. Practically, all potential ENIDs cannot be accounted for in capital models but a systemic risk distribution allowance that simultaneously triggers losses within and across risk types, like the impact of COVID-19, could allow for events that are otherwise materially missing from current calibrations.

The need to “load” or materially “update” parameters and assumptions during 2020–2022 reflected the fact that current solvency capital models had insufficient allowance for an event with such characteristics as those discussed. “Temporary” allowances may be suitable while this pandemic is ongoing, but once those losses move from being previously an ENID to instead being within the historical data set used for calibration, proactive attention needs to be given to whether there are sufficient allowances for other potential ENIDs with similar profiles.

This shifts the focus from reactive capital models to more proactive ones. This should not be seen as an unnecessary capital loading but rather a catch-all allowance for ENIDs that can capture losses or at least simultaneous risk triggering that would otherwise be missing from models.

For this to be a meaningful distribution that can help an entity assess the impact of such events on its business but also drive the discussion regarding the extent to which exposures to these events are understood, parameters would need to be selected in a meaningful way, relevant to the entity in question. Practically speaking, this may be set up simply by having a loss that triggers simulated losses across various parts of the model (across and within loss types) with a certain frequency. Alternatively, this functionality could be expanded to instead be set up as a distribution parameterised by considering a series of key potential events (their associated losses and return periods) and fitting a distribution (albeit crudely) through these points in order to give a “systemic risk allowance” distribution.

Of course, there are many areas of parameterisation that would need to be considered and it falls outside the scope of this case study to elaborate on all such features. However, to illustrate, one good example would be the volatility of losses, which was another key feature seen during COVID-19. Loss estimates varied dramatically over 2020–2022 and indeed even now industry loss estimates are still fluctuating.

In the context of general insurance, one driver of fluctuations in loss estimates was contract disputes, as was seen in the case of the FCA test case (Guy Carpenter, 2021). Due to the nature of having little data with which to parameterise, many extreme systemic events are parameterised using “expert judgement,” which may implicitly contain assumptions regarding how a regulator may react – the FCA test case has demonstrated the need to consider potential volatility around loss parameters as such events may trigger material contract uncertainty and disputes.

12.2. Case Study 2: Climate Change – What Can We Learn from COVID-19?

Climate change has been at the forefront of the global political agenda in recent years. Despite the emergence of COVID-19 in early 2020, the risks associated with climate change are still very much a concern, as highlighted by the World Economic Forum’s 2021–2022 Global Risk Report (World Economic Forum, 2021), where environmental risks still feature prominently.

While the implications of COVID-19 are well documented, it does provide us with additional food for thought on how the risks from a changing climate could impact different regions of the world. In this case study, we examine how we can learn from the ongoing economic implications of the pandemic and its relationship with the expected economic ramifications from climate change risks. Despite both risk sources having very different time horizons and magnitudes, they both share similar economic consequences.

12.2.3. Potential impact of climate change

Despite the attention that has been given to climate change, the main challenge is to understand, and perhaps visualise, the potential impacts of climate change on the economy. This has similarities to being asked a question on the economic ramifications of a global pandemic, prior to the onslaught of the ongoing COVID-19 pandemic in early 2020. However, the pandemic has led to an increase in unemployment rates and redundancies (shown in Figure 7), and an increase in government spending (shown in Figure 8) to help businesses and individuals pull through this difficult time, alongside a negative impact on global real economic growth (GDP). These are the same macroeconomic risks that we can expect to happen from climate change, so to some extent it helps to put into context the potential economic impacts from delayed action in tackling climate change. It should be noted that while the consequences might be similar, the magnitudes could be very different, with climate change risks expected to be more severe than what we have historically experienced. More importantly, climate change is also expected to be an event that is potentially irreversible.

Figure 7. (a) Unemployment (BBC, 2020) and (b) Redundancies (BBC, 2020) in the UK over time.

Figure 8. (a) Public sector net debt in the UK over time (Gov.uk, 2020) and (b) Real GDP growth globally in 2020 (International Monetary Fund, 2020).

12.2.4. Impacts will be disproportionate across sectors

The pandemic has caused disruption to financial markets where significant falls in share prices were observed during the pandemic peak in March 2020. However, shares seem to have largely recovered as seen by looking at how equity indices such as the FTSE 100 in UK have recovered.

However, when we start to dig deeper into the different sectors, we observe some variations. For example, sectors such as oil and gas have been affected significantly, while sectors such as tech, hardware and equipment have proven to be resilient and even experienced positive movements. This resembles how we expect climate change to affect the financial markets, where different sectors, particularly the ones that rely heavily on fossil fuels, will be affected differently. This highlights the importance of assessing the resilience of investment portfolios to different risks, even those that are challenging to model such as climate change risks.

Another interesting observation is that the Prudential Regulation Authority (PRA) in the UK previously ran a stress test exercise in 2019 where they specified climate change stresses versus asset values for different sectors (shown in Figure 9). One of the sectors considered was oil and gas where the PRA proposed a stress ranging between −30% to −48% for the oil sector and −15% to 25% for the gas sector. This may seem like an extremely onerous stress but the actual experience from the COVID-19 pandemic has already exceeded the PRA’s proposed stress scenarios.

Figure 9. Yield to date changes in share price found by extracting FTSE 100 index data (Shares Magazine, 2020) and the stresses from the PRA as part of the 2019 Life Insurance Stress Test exercise (Bank of England, 2019).

12.2.5. Increasing investor focus on environment, social and governance (‘ESG’) considerations

There has undoubtably been an increase in investor focus on ESG considerations over recent years and the pandemic has helped to place more attention on ESG. As we have seen, the airline industry has been quite significantly affected by the COVID-19 pandemic and there have been headlines that highlight governments being pressured to put climate-related conditions on any bailouts provided. This decision by the government reinforces to investors that the long-term sustainability of these companies is linked to their environmental efforts. In addition, we have also seen a number of analyses that show that ESG focused funds have outperformed their non-ESG counterparts during the course of the pandemic. As shown in Figure 10, sustainable funds have outperformed traditional funds, which further highlights the importance of sustainable investing.

Figure 10. Morgan Stanley sustainability reality: 2020 update. The analysis is based on January 2020 to June 2020 data (Morgan Stanley, 2020).

12.3. Case Study 3: COVID and Acts of God using Jordan as a Case Study

COVID-19 and the resulting public health measures taken by the public authorities in Jordan have caused heavy financial losses to businesses. Many of these businesses have insurance policies which cover them against losses arising from interruption of business due to various causes. The general nature of clauses within these policies provides insurance cover for business interruption loss caused by occurrence of a variety of risks, such as a notifiable disease; or business interruption losses resulting from measures taken by public authorities to prevent the spread of a disease, such as lockdown measures that prevent access to business premises. Likewise, they provide insurance cover against business interruption losses resulting from fate or loses that are a hybrid or combination of previous causes.

Over the past year an interesting development has been brewing in Jordan between the banking and insurance sectors. As a result of the COVID-19 pandemic, and the economic effects that followed, thousands of borrowers in Jordan have found themselves without income. This situation created a significant rise in bank credit risk exposures across both the retail and corporate sectors. The actual default experience from bank credit exposures due to COVID-19 related economic and mortality risks has risen to elevated levels. Therefore, insurance companies are no longer taking the responsibility to cover claims on defaulted debt instruments that arise due to the death of the borrower from COVID-19. Consequently, thousands of claims by the banking industry made under such policies have not been honoured by the insurance sector on the grounds that the policies do not cover certain effects of the COVID-19 pandemic.

Banks in Jordan buy insurance policies from insurance companies that protect them against credit risk where obligors (borrowers) are unable to meet their contractual obligations due to unforeseen circumstances or death. Banks pay a premium to the insurance provider and receive an agreed amount or compensation if the borrower dies or defaults prior to the maturity of the debt. The underlying debt that is insured takes many forms, such as personal loans, mortgages, car loans, credit card loans etc. As a result of the COVID-19 induced credit and liquidity stress in the banking and insurance sector, insurance companies found themselves unable to meet the COVID-19 induced excess claims due to COVID-19 related deaths and business interruption. The Actual excess deaths and business interruption caused by COVID-19 far exceed their base and stressed actuarial assumptions, and therefore they do not have the sufficient capital to meet the rise in COVID-19 related claims arising from their business interruption policies. Hence, they began to brand COVID-19 related deaths as Acts of God to limit the liquidity and capital erosion damage caused by the pandemic and to stop honouring their obligations to banks. Banks in turn, and the government, reacted by not labelling deaths in Jordan as caused by COVID-19 as they did earlier in the pandemic.

From a risk perspective, pandemics such as COVID-19 and extreme weather events driven by a changing climate such as storms, floods, heat waves, droughts, wildfires, and cyclones are characterised as “systemic” in nature. This is because they have the potential to cause a system-wide breakdown or significant disruption to man-made economic, financial, and security systems supporting our way of life. Similarly, each of these events is called an “extreme” risk event because they are “rare,” that is, events that are generally seen as deadly surprises, happening outside everyday experience, and their likelihoods are difficult to estimate. These events can cause a huge change in everyday life, at least locally, and they do have the momentum to turn society upside down in a few months, days or even minutes by causing massive destruction to human life and property.

There have been warnings that 1.7 million unidentified viruses known to infect people are estimated to exist in mammals and water birds (Scientists warn worse pandemics are on the way if we don’t protect nature, 2020). The transmission of any one of these viruses to humans may be more disruptive and lethal than COVID-19. Likewise, according to the Swiss-Re sigma report in 2021 (Bevere and Weigel, Reference Bevere and Weigel2021), global economic losses from natural and man-made catastrophes were $202 billion in 2020, up from $150 billion in 2019. Furthermore, according to EM-DAT (2021), the international global database on natural and technological disasters, in 2020, there were 384 global disasters including droughts, earthquakes, extreme temperatures, floods, landslides, storms, wildfires and volcanic activity, affecting 95,214,166 people, and claiming the lives of 14,856 worldwide.

Moreover, extreme weather events are projected to worsen over the next century, as the global annual mean temperature is expected to increase by as much as 4 degrees Celsius. In a 2007 study by two US national security think-tanks, it was concluded that 3 degrees Celsius of warming and a 0.5 m sea-level rise would likely lead to “outright chaos” causing severe economic disruptions, likely to lead to social instability.

Acts of God provisions, also called “Force Majeure” clauses, relate to events outside human control, like flash floods, earthquakes and other natural disasters. Generally, these provisions eliminate or limit liability for injuries or other losses resulting from such events. According to a ruling in the United Kingdom House of Lords (Transco plc (formerly BG plc and BG Transco plc, Reference Richter and Wilson2022) “‘Act of God’ was always a common law exception. It was metaphorical phrase (like ‘fate’) with a religious origin used to describe those events which involved no human agency and which it was not realistically possible for a human to guard against: an accident which the defendant can show is due to natural causes, directly and exclusively, without human intervention and could not have been prevented by any amount of foresight, pains and care, reasonably to be expected of him.”

Many of the processes in life can be approximated using a bell-shaped distribution. The bell shape indicates that most outcomes or events will be concentrated in the centre and some events will happen away from the centre but with lower probability. High impact, low probability events happen in the hidden part of the distribution, or what we call the tail or wing. Over the past several years, what we used to consider “rare and extreme events,” manifesting in the hidden part of the “distribution” (the tail), are becoming more frequent and slowly moving to the centre of the distribution (or even changing the shape of the distribution). It seems that from very recent history, true extreme events, occurring in the new tail of the distribution, are yet to be experienced. In other words, under the current global emerging risk landscape, a future 1 in 100-year loss may exceed today’s 1 in 1000-year loss. Consequently, the associated loss may more than double.

Therefore, based on the new evidence on the frequency and severity of emerging risks and the definition of Acts of God in law, a question arises as to what legally and statistically constitutes an “Act of God” event. This is defined as a rare risk event with low probability, causing severe consequences for human built systems in the old risk trajectory. This seems to be different from what is contained in the current risk trajectory, particularly when the totality of scientific evidence indicates that the climate and biodiversity crises and recent pandemics are all a direct consequence of human activity. Since these events are rising in frequency and severity, their characterisation as being improbable or rare, and that the underlying cause is directly and exclusively, without human intervention, seems to be no longer valid. For this reason, we need to explore the statistical and probabilistic pillars of what constitutes an Act of God in the new risk environment and whether the old definition is still a valid definition. In doing so we must take into account the updated distribution of the frequency of outcomes of emerging risks that were previously considered under the old risk environment to be rare and under the new risk trajectory are becoming more frequent and severe.

12.4. Case Study 4: The impact of the COVID-19 pandemic on stress and scenario testing – an insurance industry perspective

The risk management function within insurance and reinsurance companies (hereafter referred to collectively as “insurance companies”) gained a central role due to an increasingly onerous regulatory environment and also due to dealing with ongoing emerging risks such as the COVID-19 pandemic and severe weather events among others. In recent years, insurance companies strengthened their risk management frameworks by learning from past emerging risk events such as the global financial crisis and catastrophic events such as windstorms, earthquakes, and wildfires, and developed more sophisticated approaches to stress and scenario testing.

With the onset of the COVID-19 pandemic, risk management functions had to adopt new processes to monitor both existing and new risks. The pandemic led organisations to test the effectiveness of their ERM frameworks and to investigate whether their stress testing scenarios were sufficient in capturing extreme risk events. For example, have ERM frameworks adequately captured the occurrence of a range of economic and risk scenarios occurring simultaneously due to an extreme risk event? The latter aspect concerns the material accumulation of risks across the life, health, property and casualty and investment risks. These risks were largely uncorrelated in pre-COVID-19 scenarios. However, it has become more important for risk analytics to be able to measure the correlations between these risks and understand how these fit within the insurance company’s risk appetite and tolerance limits.

A special report by A.M. Best (Reference Best2020) highlighted that stress testing and assessment of non-modelled risks were areas of weakness, in particular where stress testing is not mandated by supervisory authorities. As Figure 11 sourced from this report illustrates, both areas are the least developed components of the Risk Framework Evaluation.

Figure 11. A.M. Best Special Report: COVID-19 Highlights Weaknesses in Insurers’ Enterprise Risk Management (Best, Reference Best2020).

12.5. Case Study 5: Hong Kong’s Insurance Industry Reaction to COVID-19

Hong Kong residents will never forget how the Severe Acute Respiratory Syndrome (SARS) outbreak struck the city in 2003. Around two thousand people were infected, and another 286 people lost their lives (Hung, Reference Hung2003). The economy of the city was badly hit with economic growth (GDP) falling by 3.1% (Census and Statistics Department Hong Kong Special Administrative Region, 2020) during that year along with a surging unemployment rate reaching 8.8% during May–August 2003 (Census and Statistics Department: The Government of the Hong Kong Special Administrative Region, 2021). The memory of this incident and lessons learned from it paved the way for Hong Kong’s government and local industries to take swift and decisive actions to minimise the effects of the ongoing COVID-19 pandemic.

This case study focuses on the insurance industry, a sector that is adversely affected by the pandemic in terms of revenue (an agency-intensive model that heavily depends on face-to-face interactions with clients) and the expenses (the expected excess claims outgo due to extra mortality and medical expenditures caused by the pandemic). Here we describe how the local Hong Kong insurance regulator and the industry reacted to the pandemic in terms of risk-mitigations strategies.

This case study illustrates how an insurance regulator, insurers and insurance intermediaries can prepare and respond to a future wave of COVID-19 pandemic and its variants, or to a completely new pandemic outbreak. Such information can also be used as a reference in designing the ERM policy of an insurance company for constructing and building future pandemic scenarios.