ERM Chapter 11 Embedding ERM in Insurance and Information Technology.

https://preteshbiswas.com/wp-content/uploads/2025/04/ERM-in-Insurance-and-Information-Technology.wav

11.1 Insurance

Enterprise Risk Management (ERM) in the insurance industry follows the same fundamental principles as in other sectors, focusing on uncertainties that may affect the achievement of business objectives. Insurers do, however, face some unique challenges. An insurance company's business model revolves around deliberately taking on risk, so underwriting and the investment of premium income are its primary areas of risk exposure.

Key Additional Considerations for Insurers

  1. Categorisation of Insurance Risks – Understanding different types of risks specific to the insurance sector.
  2. Solvency II and National Regulations – Compliance with regulatory requirements, including the need to maintain reserves against potential risks.
  3. Use of Internal Risk Models – In some cases, insurers can apply their own models to calculate risk and determine capital requirements.

Insurance companies tend to use a classification system similar to that of banks, with one additional category, "insurance", as shown in Table

Type – Description

Strategic – Uncertainties that could affect, or arise from, an organization's business strategy and its strategic goals.

Credit – The risk of loss due to counterparty default. It is restricted to actual default and to situations where the counterparty can pay but refuses to do so when payment falls due.

Market – The risk of loss due to adverse changes in market conditions, rates or prices, or to fluctuations in volatility. Market risk includes price risk, volatility risk, interest rate risk and foreign exchange risk, among others.

Liquidity – The risk of not having adequate funds available to meet financial commitments as they fall due. This may be caused by local or foreign economic conditions, a reduction in the firm's credit rating, or a situation where the firm wishes to sell an asset but cannot because nobody in the market wants to buy it.

Operational – The risk of loss, direct or indirect, resulting from inadequate or failed internal processes, people and systems, or from external events. It is typically sub-categorised as follows:
  • Internal fraud – for example, an inappropriately authorised payment
  • External fraud – for example, supplying incorrect data to obtain insurance cover
  • Employment practices and workplace safety – for example, fines resulting from harassment, discrimination or constructive dismissal
  • Clients, products and business practices – for example, a fine for a breach of data protection rules
  • Damage to physical assets – for example, the cost of repairing a building
  • Business disruption and system failures – for example, an IT failure
  • Execution, delivery and process management – for example, a service complaint

Insurance – Also known as underwriting risk: the risk of a claim being made on an insurance policy the insurer has underwritten. Examples of classes of insurance risk include business interruption, cyber-crime, directors' and officers' liability, key person, motor (individual or fleet), property, professional indemnity, terrorism, unauthorised trading, and life and health policies.

Insurance risk overlaps with operational risk: a loss on an insurance policy is treated as an operational loss when it stems from failure to follow underwriting policies or procedures, from errors in actuarial calculations, or from insufficient documentation.

Solvency II

The purpose of regulating insurers is to ensure they hold sufficient risk capital to absorb financial shocks and remain solvent, so that insurance keeps functioning within society. In the absence of a global agreement, Solvency II is the regulatory framework for the insurance industry within the European Union; the European Insurance and Occupational Pensions Authority (EIOPA) publishes extensive guidance on it. Like the Basel framework for banking, Solvency II is structured around three pillars, and most jurisdictions with developed insurance markets apply a comparable model. The three pillars are outlined below:

  • Pillar 1 establishes quantitative standards, such as the amount of capital an insurer must hold (Solvency Capital Requirement – SCR) and a minimum threshold (Minimum Capital Requirement – MCR), below which regulators will intervene.
  • Pillar 2 defines qualitative standards, including governance, supervisory oversight, and the Own Risk and Solvency Assessment (ORSA). ORSA is the insurer’s risk management process, requiring it to evaluate its risks, manage them effectively, and determine the capital needed to operate.
  • Pillar 3 specifies reporting and transparency obligations, including the Solvency and Financial Condition Report (SFCR, publicly disclosed) and the Regular Supervisory Report (RSR, submitted to the regulator).

Bupa, in its strategic risk report, identifies the five risks ranked by the solvency capital its regulator requires it to hold against them, as shown below in Table (Bupa risks vs solvency capital required):

Risk – Description – Mitigating actions

Property
  Description: The risk of volatility in the value, or devaluation, of properties held for own use (including owned care-provision properties) or for investment purposes, resulting in adverse impacts. This includes capital associated with leased properties following the introduction of IFRS.
  Mitigating actions: By maintaining a geographic spread of businesses across a number of countries, we are able to diversify exposure to national or regional property markets and trading conditions.

Insurance
  Description: Risks relating to our insurance businesses. Risk of inadequate pricing and/or underwriting of insurance policies, and of claims experience being materially adversely different to expectations.
  Mitigating actions: The relatively short-tailed nature of Bupa's products allows us to respond to market changes quickly, although this can be limited by government-set pricing controls in some markets. There is a low exposure to reserving risk compared to underwriting risk due to the very short-term nature of our claims development patterns. We have extensive control mechanisms in place, including holding an appropriate prudence margin, to ensure that reserves are adequate to mitigate against the risk of higher-than-expected claims costs. The geographical diversity of Bupa offers further mitigation against insurance risk.

Currency
  Description: Risk arising from changes in the level or volatility of currency exchange rates impacting on cash flows and assets held in currencies other than sterling, and on the financial statements.
  Mitigating actions: Currency translation risk is mitigated through a hedging programme to a Board-approved level of risk. We limit currency risk exposure through asset liability matching in local currencies.

Credit spread and counterparty default
  Description: Risk of a loss in value of bond assets and/or that a counterparty fails to meet its obligations in the face of adverse economic conditions. This also includes the risk of a loss in value of the bond assets held within the pension schemes.
  Mitigating actions: Our bond portfolio is small in relation to our other financial assets and the majority is investment grade. Counterparty exposure is managed by dealing with highly rated counterparties with exposure limits defined by Group Treasury Policy.

Operational (including conduct risk and clinical risk)
  Description: Risk of loss arising from inadequate or failed internal processes, or from personnel, systems, or external events. This risk also includes conduct risk (the risk that our behaviours, actions or controls result in detriment or unfair outcomes for our customers), and clinical risk (the risk of injury, loss, or harm to customers in receipt of healthcare).
  Mitigating actions: Maintaining internal control processes and governance frameworks, approving risk policies, and assessing compliance help to mitigate this risk. The Group Clinical Function, led by the Group Chief Medical Officer, is responsible for ensuring clinical quality and governance within the business.

Risk calculation models used by insurers

To determine the risk capital it must hold, an insurer may use its own internal model instead of the standard formula. Solvency II permits this subject to supervisory approval and, where the standard formula does not reflect an insurer's risk profile, the supervisor can require an internal model. Such models account for the particular nature and magnitude of the risks the insurer faces.

A key requirement is that the internal model must satisfy a "use test": it must be actively used in the insurer's everyday risk management, not maintained solely to satisfy the regulator. According to EIOPA, the use test requires insurance and reinsurance undertakings to show that the internal model is integral to their system of governance as set out in Articles 41 to 50 of Solvency II, including the risk management system (Article 44), their decision-making processes, and their processes for assessing and allocating economic and solvency capital, including the ORSA described in Article 45. They must also demonstrate that the frequency with which the Solvency Capital Requirement (SCR) is calculated using the internal model is consistent with how often the model is used for those other purposes. The administrative, management or supervisory body is responsible for ensuring that the model's design and operation remain appropriate over time and continue to reflect the undertaking's risk profile.

The underlying idea is that a model applied in daily management gives a more accurate picture of the insurer's risk exposure than a generic formula. Ongoing use of such a model requires the regulator's approval as part of the supervisory review process under Pillar 2.

Insurance Types

Organizations purchase insurance cover for three reasons, which correspond to the broad areas in which insurance operates:

  • balance sheet/profit and loss protection (first-party protection).
  • mandatory legal and contractual obligations (third-party protection).
  • protection of employee assets (benefits insurance).

The different types of insurance, grouped by those areas, are:

  • Mandatory, legal and contractual obligations
    • Employers’ liability – compensation to employees injured at work
    • Public liability – compensation to the public or customers
    • Motor third party – compensation following a motor accident
    • Product liability – compensation for damage or injury
    • Professional indemnity – compensation to the client for negligent advice
  • Balance sheet/profit and loss protection
    • Business premises – damage to premises by adverse events
    • Business interruption – loss of profit and increased cost of working
    • Asset protection – losses, such as loss of cash, goods in transit, credit risk and fidelity guarantee (staff dishonesty)
    • Motor accidental damage – repair of own vehicles
    • Terrorism – compensation for damage caused by terrorism
    • Loss of a key person – compensation for the loss of a key staff member
  • Employee benefit/protection of employee assets
    • Life and health – benefits to employees that can include: life cover, critical illness cover, income protection, private medical costs, permanent health cover, personal accident and travel injury/losses
    • Directors’ and officers’ liability – legal and compensation costs
  • Captive Insurance
    • A captive insurance company is an insurer wholly owned by an organization that does not typically operate in the insurance industry.
    • Its primary role is to offer insurance coverage to the parent organization, utilizing the organization’s own financial resources to cover specific expected losses or claims.
    • More often, a captive insurance company functions as a reinsurer, providing additional coverage to the primary insurance provider selected by the organization.

11.2 Information Technology

Cyber security

Many organizations face increasing pressure to digitize their operations to remain competitive and meet the expectations of customers or service users. This shift heightens their dependence on robust cyber security measures to shield against cyber threats. Keeping cyber security systems current and staying informed about the latest risks and corresponding safeguards often feels like an overwhelming challenge.

Cyber Security Trends:

  1. Demand for instant access to widespread data and information platforms continues to rise.
  2. Cybercriminals are leveraging advanced tools like AI, machine learning, and other technologies to execute more complex and sophisticated attacks.
  3. A constantly expanding regulatory environment, combined with persistent shortages of resources, expertise and skilled personnel, will likely outstrip cyber security efforts.

For IT professionals, reducing cyber security risk remains a top priority. McKinsey emphasizes that this demands:
    "…continuous monitoring and a systematic approach to ensure organizations actively assess their surroundings and adapt their cyber posture as needed."

Organizations are increasingly adopting this three-step process:

  1. Verify cyber controls – particularly new ones – through technical assessments to confirm preparedness for emerging threats and technological changes.
  2. Reassess cyber strategy – update the plan by incorporating new capabilities and methods.
  3. Implement a structured program – establish an official system to regularly evaluate the cyber strategy, tools, and processes in response to evolving cyber security trends.

IT Risk Standards

The ISO 27000 series is a collection of interrelated information security management standards designed to work together, offering a globally recognized framework for implementing best practices in information security management. ISO 27001 is widely adopted by international organizations to develop and audit their information security management systems or to assess risks tied to third-party vendors. For optimal effectiveness, the information security management system should be woven into the organization’s processes and overarching management framework, ensuring that security considerations shape the design of processes, systems, and controls. The implementation of such a system is expected to be tailored to the organization’s specific requirements.

ISO 27001 requires an Information Security Management System (ISMS): the set of policies, processes and controls an organization establishes to assess, treat and reduce its information security risks.

These policies are often expressed as security objectives. Under ISO 27001, the objectives focus on safeguarding three properties of information:

  • Confidentiality: access controls ensure that only authorized individuals and systems can read data.
  • Integrity: information cannot be altered or destroyed without authorization, and unauthorized changes are detectable, so that its accuracy and completeness can be relied on.
  • Availability: authorized users can access data and systems whenever they are required.

ISO 27001 refers to risk management throughout, and those references run through the four stages of the certification process summarized below:

  1. Compile Required Documentation – Several mandatory documents are required, with the following having the strongest ties to risk management:
    A. Risk Assessment and Management Plan, incorporating excerpts from corporate risk registers.
    B. Incident Response Framework and Management Plan.
    C. Business Continuity, Crisis Management, and Disaster Recovery Plan.
    These documents must be backed by proof of training, internal audits, maintained registers, and reporting to appropriate levels with evidence of follow-up actions.
  2. Conduct a Risk Assessment – The risk assessment process aligns with ISO 31000 (previously discussed in Unit 3) and involves three steps: Identify, Evaluate, and Prioritize risks.
  3. Mitigate Risks with Five Control Categories – The controls an Information Security Management System (ISMS) implements are commonly grouped into the five types below. Note that Annex A of the 2022 revision of ISO/IEC 27001 formally groups its controls into four themes (organizational, people, physical and technological); the five-way split here is a practical working taxonomy rather than the standard's own.
    • Technical Controls: Examples include backup systems, antivirus or endpoint protection tools, firewalls, patch management, configuration management, and other infrastructure-related safeguards.
    • Organizational Controls: These encompass policies like acceptable use, user permissions, identity and access management roles, organizational hierarchies, approval processes, and clearly defined responsibilities for all staff.
    • Legal Controls: Examples include non-disclosure agreements, service level agreements, data ownership contracts, and compliance with applicable laws or regulations.
    • Physical Controls: These involve equipment or devices to manage physical access and security, such as alarm systems, locks, and access codes, all of which should be implemented and documented.
    • Human Resource Controls: ISO 27001 mandates controls like security awareness training, internal auditor training, and other initiatives to boost employees’ understanding of information security.
  4. Meet the Standard’s Mandatory Requirements – Clauses 4 through 10 of ISO 27001 outline a set of compulsory requirements that must be fulfilled to obtain certification.
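The three-step process above (verify controls through technical assessment, then reassess) and the ISO 27001 risk assessment stage (identify, evaluate, prioritize) come together when the output of a technical check is what populates the risk register. The following is an added example, not code from the page or from ISO; it assumes a hypothetical patch SLA (14 days for internet-facing hosts, 30 days otherwise), a constructed inventory of four hosts, and an assumed likelihood × impact scoring with a treatment threshold of 16. It checks two technical controls from the list above (patch management and backups), turns each failure into a scored finding tied to the confidentiality/integrity/availability objective it threatens, and returns the findings split into those to treat and those to accept.

```python
"""Control verification feeding an ISO 27001-style risk assessment.

Added example, not code from the original page. All hosts, patch ages,
SLA thresholds and scores below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed asset inventory: days since the newest unapplied critical patch
# was released, whether the host is reachable from the internet, and whether
# the last backup restore test succeeded.
INVENTORY = [
    {"host": "web-01", "days_unpatched": 45, "internet_facing": True,  "backup_ok": True},
    {"host": "db-01",  "days_unpatched": 3,  "internet_facing": False, "backup_ok": True},
    {"host": "hr-app", "days_unpatched": 20, "internet_facing": True,  "backup_ok": False},
    {"host": "fs-02",  "days_unpatched": 0,  "internet_facing": False, "backup_ok": False},
]

# Assumed policy (hypothetical, not from the page): critical patches must be
# applied within 14 days on internet-facing hosts and 30 days elsewhere.
PATCH_SLA_DAYS = {True: 14, False: 30}


@dataclass
class Finding:
    host: str
    control: str      # the ISMS technical control that failed
    cia: str          # the security objective it threatens most
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def verify_controls(inventory):
    """Step 1: technical assessment of controls.

    Yields one finding per control failure. This is the evidence a risk
    register entry should rest on, rather than a self-declared 'control in
    place'.
    """
    findings = []
    for h in inventory:
        sla = PATCH_SLA_DAYS[h["internet_facing"]]
        if h["days_unpatched"] > sla:
            # Exposure drives likelihood: an internet-facing host is far more
            # likely to be found and exploited than an internal one.
            likelihood = 5 if h["internet_facing"] else 3
            findings.append(Finding(h["host"], "patch management",
                                    "confidentiality", likelihood, 4))
        if not h["backup_ok"]:
            # A failed restore test threatens availability (and integrity
            # after ransomware); needing a restore is a moderate likelihood.
            findings.append(Finding(h["host"], "backup", "availability", 3, 5))
    return findings


def prioritise(findings, treat_above=16):
    """Steps 2 and 3: evaluate and prioritise (ISO 31000 style).

    Returns (treat, accept): findings above the assumed treatment threshold,
    ordered by score then host, and the rest in the same order.
    """
    ordered = sorted(findings, key=lambda f: (-f.score, f.host))
    treat = [f for f in ordered if f.score > treat_above]
    accept = [f for f in ordered if f.score <= treat_above]
    return treat, accept


if __name__ == "__main__":
    treat, accept = prioritise(verify_controls(INVENTORY))
    for label, group in (("TREAT", treat), ("ACCEPT", accept)):
        for f in group:
            print(f"{label:6} {f.host:7} {f.control:17} {f.cia:15} score={f.score}")
```

The point of the structure is that the "verify" and "reassess" steps stay separate: `verify_controls` only records what the technical check found, and the scoring and threshold in `prioritise` are the policy decisions that the risk owner can change without re-running the assessment. Replacing the constructed inventory with real scanner or CMDB output is what turns this into a repeatable stage of the structured program the page describes.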

COBIT Framework

COBIT, which stands for Control Objectives for Information and Related Technology, is a framework created by ISACA to support IT governance and management within organizations. It is generic enough to be applied in any industry or organization. The framework helps ensure high-quality information while improving the control and reliability of an organization's IT systems, and gives organizations a structure for aligning their IT processes with their broader business goals. COBIT 5 is built on five core principles for effective IT governance and management:

  • Principle 1: Addressing stakeholder needs
  • Principle 2: Providing comprehensive coverage across the enterprise
  • Principle 3: Utilizing a unified, integrated framework
  • Principle 4: Promoting a comprehensive approach
  • Principle 5: Distinguishing governance from management

These principles underpin a holistic IT governance and management framework, supported by seven 'enablers' (which COBIT 2019 renames 'components'):

  1. Principles, policies, and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics, and behavior
  5. Information
  6. Services, infrastructure, and applications
  7. People, skills, and competencies

Together, these principles and enablers help organizations align IT investment with strategic goals and maximize the value derived from it. A distinguishing feature of COBIT compared with other frameworks is its explicit emphasis on security, risk management and information governance. COBIT 2019 sharpens the definition of its scope: ISACA notes that COBIT is not a framework for organizing business processes, managing technology operations, making IT decisions, or defining IT strategies or architectures. It is designed solely as a framework for the governance and management of enterprise IT across the organization.
