Cohen Strategic Consulting

Insurance Risk Management Viewpoints

Friends …

Those of us working in and with the insurance industry have always been acutely aware of the spectrum of risks that insurers assist clients in managing. First and foremost, it's obviously our business. Of critical importance … arguably also first and foremost … is the management of risks affecting the management of insurance businesses. This newsletter explores the latter category.

Specific areas of risk affecting insurers considered here are as follows:

Stakeholder Risk

Concentration vs. Diversification Risk

Economic/Financial Risk

Fiduciary/Advice Risk

Contagion Risk

Stakeholder Risk, and Stakeholders' Tolerance for Risk

An insurer's strategy and operations and the risks they are exposed to need to be considered in light of the impact on the various parties … the insurance company’s stakeholders … whose interests would be affected and what their possible reactions might be.

The impact of this dynamic is two-fold:

(1) What insurance company risks will cause what adverse impacts that stakeholders will react unfavorably to, and more specifically understanding what thresholds exist for these adverse impacts that will trigger these unfavorable reactions by stakeholders?

(2) Should certain stakeholder groups (or subgroups) act unfavorably, what risks does this present to the insurer?

These two themes are clearly connected.

Given that the various stakeholder groups will react differently (and that within those groups specific stakeholders may react differently from each other) and their reactions will have varying impacts on the company, it can be concluded that the smallest unacceptable scenario triggering an undesirable reaction by any stakeholder group becomes a collective threshold for their tolerance for (the adverse impact of) risk. For example, the loss of a certain amount of capital could lead to a rating agency to downgrade a company before it leads to other stakeholder groups reacting in an undesirable manner, and each rating agency may not react at the same point in time or even not at all.

Groups of Insurers' Stakeholders:


Producers, distribution 'chain'

Board of Directors


Rating agencies


Counterparties                                                                                                                                            - Financial                                                                                                                                                  - Business partners

Supply chain

Executives, management, critical staff

Triggers Stakeholders Will React To:                                                                                                          - Financial outcomes: capital, earnings                                                                                                      - Business line inadequacy (products and features, service, advice/information)                                      - Business misconduct/reputational impairment                                                                                        - Rating downgrades

Decisions Stakeholders Might Make If Risk Thresholds Are Breached:                                                     - Cease doing business with you, or diminish the volume of business they do (Customers, Producers, Counterparties, business partners, Supply Chain, Executives/Management/Critical staff         - Sell your stock, lowering price in the process (Investors)                                                                       - Replace management, lower compensation (board of directors, investors)                                           - Charge you a higher price (interest rate) for capital (lenders)                                                               - Downgrade your company (rating agencies)                                                                                         - Mandate that you cannot participate in your business (regulators, customers … if ratings are not high enough)

Each of the following categories of risk should be evaluated with a keen eye towards how stakeholders will react to them.

Concentration vs. Diversification Risk

In a discussion of the optimal point for a company to be on the continuum of 'putting all of your eggs in one basket' to 'being all things to all people', it is fundamental to consider the activities in which that company can succeed and the risks inherent both in terms of its specific businesses and managing the breadth and diversity of the businesses it operates in.

A 'Concentrated Business' is ideally one where the company is a specialist … in a product, a market, a process … and possesses some competitive advantage(s), proprietary technology or patents or favorable image in the marketplace.

Risks faced by a concentrated business                                                                                                   - A large, powerful, well-capitalized competitor may decide to enter this business                                   - Regulations may change, materially restricting its operations, rendering the company without enough viable businesses to operate profitably                                                                                                       - A new business concept (technology-driven being a likely scenario) may cause it to be obsolete

An 'Overdiversified Business' is defined here as one with too many disparate operations to be managed successfully

Risks faced by an overdiversified business                                                                                               - Lack of focus on all aspects of the operations. As a case in point AIG, up through the middle of the last decade, had well over 100 distinct businesses all over the world. All were performing well, until its Financial Products Division (which specialized in credit default swaps) imploded … causing the entire enterprise to be on the brink of bankruptcy.                                                                                             - Lack of necessary resources (human, financial, operational) to manage all of the activities success       - Lack of agility in decision making, execution                                                                                           - Customers may determine that the company's 'lesser business lights' are not desirable product/service providers relative to established leaders in the segment

Perspective: There are no absolutely correct answers as to the optimal extent of concentration or diversification for any particular company. No 'rightsizing', no 'one size fits all' solutions can be credibly espoused. What can be said is that there are scenarios that are sure to be doomed:                               - A narrowly focused company whose one business has a material chance of being outmaneuvered or compromised due to environmental forces (regulatory, economic/financial, competitive, demographic, etc.) won't be long for the world                                                                                                               - A broad, multi-faceted organization will be significantly challenged to be a leader in all of its businesses, and could well be faced with losing propositions is its non-core activities.

Economic/Financial Risk

These risks are largely out of a company's control. Nonetheless, a company whose strategies (business and financial) fall victim to these often powerful and unforgiving forces can suffer irreparable harm even if it has substantial capital and liquidity. I do not believe that these risks can be too broadly defined. Examples:                                                                                                                                      - Interest rates that are too low (currently) or too high (early 1980's)                                                      - Unemployment rates above those thought to be structural                                                                    - International economies, how they are managed: currencies, exchange rates, tariffs, competition among them                                                                                                                                              - Commodities prices, impact on sovereign economies                                                                              - Liquidity unavailability, with the most dangerous example being the freezing of the financial markets in 2008

Given that insurers can never control these factors, it is incumbent on them to develop contingency plans for managing their balance sheets and earnings capacity in te event of these unfavorable scenarios.

Fiduciary/Advice Risk

Losing credibility as a provider of quality 'answers' could well devastate a company.

Examples:                                                                                                                                                  - Ineffective or self-serving advice, losing credibility with customers and potentially triggering E&O claims                                                                                                                                                          - Divulging confidential information (insider trading being the most conspicuous example)                      - Illegal advice, advice givers not certified or credentialed to give particular advice

The United States Department of Labor (DOL) has developed a rule, planned to be effective in April, 2017, to address problems with conflicts of interest in the provision of investment advice. This ruling is being challenged by many constituencies, and it is not clear what its final resolution will be.

The clear and present danger here is that insurers can be seen as not helping their customers achieving their objectives, either by being product pushers as opposed to problem solving partners, or by giving advice that causes customers to make decisions damaging to their financial situations.

Contagion Risk

Prior to 2007, contagion risk as it applied to the insurance industry was primarily focused on reinsurers: specifically, would reinsurers be able to pay claims on the policies they assumed from direct writers?

Events during the financial crisis that began in 2008 changed that thinking. The two most notorious examples of the insidious consequences of contagion risk were AIG and Lehman Brothers, each of which failed during the financial crisis. Lehman Brothers went out of business, with only its Private Investment Management business surviving and being acquired by Barclays. AIG would have been forced into bankruptcy, an event only forestalled by a massive bailout by the United States government.

There are many perspectives on what led to the demise of each organization, and I offer the following:


AIG was considered to be the 'gold standard' among financial services organizations up through 2007. According to its annual reports, AIG was comprised of well over 100 financial services businesses located all over the world, all overseen by then legendary CEO Maurice 'Hank' Greenberg. Its U. S. life and property & casualty operations (each comprised of many regulatory insurance companies) were but two of them.

One of those businesses was known as the Financial Products Division, located in London. The predominant focus of the Financial Products Division was credit default swaps, which essentially insured other financial services firms against losses on various businesses of those other firms. As the financial crisis worsened in 2008, those other firms incurred huge losses, and the credit default swap contracts written by AIG were obligated to cover those losses. The cumulative losses AIG assumed approached $200 billion, and the organization would have been bankrupted had the United States government not bailed it out. As a backnote, AIG not only reimbursed the U. S. government in full (by divesting many of its businesses to raise capital) but enabled the government to earn a profit.

A lesson to be learned here is that AIG either did not know what its potential exposure from those credit default swaps could be, possibly not believing that those contracts could actually be in a position to pay off. Another lesson to be learned is that an organization with so many businesses could well be too large to be managed effectively, including not being able to accurately assess its risk exposures.

An important perspective incorporated in the analysis of insurers conducted by the rating agencies is that the organizations in which insurers 'reside' need to be scrutinized to see if they have any facets of their operations that could imperil the claims paying ability and more broadly the financial strength of their insurance company affiliates. AIG's property & casualty and life insurance companies were on very strong footing, and the near disaster fate of the entire organization is well documented history.

Lehman Brothers

Lehman Brothers had humble origins, founded in the mid-1800s. While the firm prospered over the following decades as the U.S. economy grew into an international powerhouse, Lehman had to contend with plenty of challenges over the years. It survived them all – the railroad bankruptcies in the second half of the 1800s, the Great Depression of the 1930s, two world wars, a capital shortage when it was spun off by American Express in 1994, and the Long Term Capital Management collapse and Russian debt default of 1998. However, despite its ability to survive past disasters, the collapse of the U.S. housing market ultimately brought Lehman Brothers to its knees, as its huge position in the subprime mortgage market proved to be a disastrous step.

In 2003 and 2004, with the U.S. housing boom (bubble?) well under way, Lehman acquired five mortgage lenders, including subprime lender BNC Mortgage and Aurora Loan Services, which specialized in Alt-A loans (made to borrowers without full documentation). Over the next three years, Lehman's profitability and market capitalization soared.

By the first quarter of 2007, however, cracks in the U.S. housing market were already becoming apparent as defaults on subprime mortgages rose to a seven-year high. On March 14, 2007, a day after the stock had its biggest one-day drop in five years on concerns that rising defaults would affect Lehman's profitability, the firm reported record revenues and profit for its fiscal first quarter. In the post-earnings conference call, Lehman's then CFO said that the risks posed by rising home delinquencies were well contained and would have little impact on the firm's earnings. He also said that he did not foresee problems in the subprime market spreading to the rest of the housing market or hurting the U.S. economy.

In 2007, Lehman underwrote more mortgage-backed securities than any other firm, accumulating an $85 billion portfolio, or four times its shareholders' equity. In the fourth quarter of 2007, Lehman's stock rebounded, as global equity markets reached new highs and prices for fixed-income assets staged a temporary rebound. However, the firm did not take the opportunity to trim its massive mortgage portfolio, which in retrospect, would turn out to be its last chance to do so.

Lehman's high degree of leverage - the ratio of total assets to shareholders equity - was 31 times in 2007, and its huge portfolio of mortgage securities made it increasingly vulnerable to deteriorating market conditions. Events during the first half of 2008, capital raising offsetting the near-collapse of Bear Stearns (the second-largest underwriter of mortgage-backed securities) and hedge fund managers' questioning the valuation of Lehman's mortgage portfolio restored some confidence in Lehman and enabled its fortunes stabilize temporarily. In June, the firm also said that it had boosted its liquidity pool to an estimated $45 billion, decreased gross assets by $147 billion, reduced its exposure to residential and commercial mortgages by 20%, and cut down leverage from a factor of 32 to about 25.

Ultimately (in the third quarter, 2008) and very quickly, the collapse of the U.S. housing market ultimately brought Lehman Brothers to its knees, as its considerable exposure to the subprime mortgage market proved to be the fatal step for the company.

The massive contagion risk it caused by being a major catalyst of the sub-prime mortgage market … stressing the already dangerous housing bubble, exacerbated by being extremely overleveraged … had a profound negative impact on the financial crisis. Combining an enormous level of risk with the fact that subsequent review of internal company documents post facto portrayed an organization in which there was no accountability for failure (and inadequate management responses) clearly suggested that Lehman was headed down a disastrous path with no way to forestall it. In the dark days of September, 2008 no rescuers for Lehman could be found … and quite logically so.

Systemically Important Financial Institutions (SIFIs):

Institutions deemed "too large to fail" … in other words, whose failure could cause widespread harm to the financial system … have been assigned requirements to hold greater levels of capital and undergo extensive stress testing to determine their 'total loss-absorbing capacity' (TLAC).

Regulators, primarily in the United States and Europe, have sought to develop and enforce regulations to govern the operations of financial services firms to ensure that a financial crisis does not occur again and in the event of a severe financial downturn large firms do not cause a ripple effect (contagion) that might cause other firms to fail. No disagreements here.

The crux of these regulations are capital related, bolstered by various stress testing triggers. It is unassailable that more capital is better than less capital in enhancing the strength of a financial services organization and serving as a buffer against risks' adverse consequences. What is at issue here is the extent to which these greater capital requirements adequately buffer organizations against the specific business risks they are exposed to. How will the requirements imposed on SIFIs ensure that they will not be significantly impaired by damaging exposures?

The whole concept of 'systemically important' … what exactly does it mean, and to which financial organizations with what components and relationships does it apply to? … has been challenged from many angles. A critical question here is, "Who is going to be hurt should a large financial services institution (a bank or an insurer) fail?" Hearken back to the stakeholder discussion earlier in this newsletter. The onus is on any and each of those entities to decide which financial services firms they would like to have relationships with, whatever they might be. The risk to those financial services firms is to ensure that the various stakeholders want to have relationships with them and manage accordingly, or risk losing these relationships.

This notion of 'systemically important', at its core and as it seeks to avoid the potential domino effects seen during the financial crisis, speaks to the possibility of a failed firm to cause the failure of another. I pose an 'acid test': If an organization has contracts with another (credit default swaps, for example), and its demise could cause the ruination of the other by not being able to fulfill them … 'being contagious', then it is systemically important.

The European Union

Needless to say, this multi-faceted relationship is far broader than a business enterprise. It is sadly instructive, however, when exploring the topic of contagion risk. At one important and fundamental level, the concept of a European union was a wonderful idea to bring together all of its member states into a multi-faceted cooperative organization after many, many centuries of bitter conflicts among them.

On the other hand, who could have imagined the depth of the financial problems created, however, by the bonding together of the members' economies, when they varied so greatly in terms of economic viability, productivity, and cultural attitudes? It is hard to imagine a powerful business enterprise forging a relationship 'of equals' in terms of guarantees with a far weaker entity.


The National Association of Insurance Commissioners (NAIC, the United States insurance regulatory body) passed the Risk Management and Own Risk and Solvency Assessment Model Act in 2012 and has updated it several times since. Insurers of a certain size, comprising the vast majority of the United States insurance industry in terms of assets, are required to perform an Own Risk and Solvency Assessment (ORSA). The ORSA, positioned as a component of an insurer's enterprise risk management program, is a confidential internal assessment appropriate to the nature, scale and complexity of an insurer conducted by the insurer of the material and relevant risks identified by the insurer associated with an insurer's current business plan and the sufficiency of capital resources to support those risks. Its goals are two fold:                                                                                                - To foster an effective level of ERM at all insurers, through which each insurer identifies, assesses, monitors, prioritizes and reports on material ad relevant risks indentified by the insurer, and                     - To provide a group-level perspective of risk and capital, as a supplement to the legal entity view.

The operative word in ORSA is own. This legislation, passed by the NAIC, requires insurers to assess their own risks and determine the appropriate mitigation techniques and level of capital to serve as an appropriate buffer against those risks. Implicit in this mandate is that insurance regulators acknowledge that they are not the appropriate arbiters of an insurers' overall risk management process, and I would contend that regulators worldwide are similarly not the best positioned to develop and implement the risk management processes of the financial services firms in their jurisdictions.

Bottom line, insurers (and all financial services firms) need to have a thorough understanding of the business risks they are taking and contractual obligations they are entering into in every one of their operations and manage them accordingly (conservatively, one would fervently hope) or face the same fates as did AIG and Lehman Brothers.

A good and wise friend of mine once shared a philosophy of his with me: "If it is to be, it's up to me". So true in life, and so true in risk management. No external entity … regardless of how well meaning … can require an insurer (or any enterprise) to manage its risk more effectively than it can itself.

For more information, contact:

Michael A. Cohen, Principal
Cohen Strategic Consulting
(215) 595-7259

^ back to top