Cambridge University Press, Institute and Faculty of Actuaries British Actuarial Journal

Institute and Faculty of Actuaries
Enterprise risk management for health insurance from an actuarial perspective

Author(s): G. C. Orros and J. Smith
Source: British Actuarial Journal, Vol. 17, No. 2 (2012), pp. 259-330
Published by: Cambridge University Press on behalf of Institute and Faculty of Actuaries
Stable URL: https://www.jstor.org/stable/23356781
Accessed: 11-12-2018 07:50 UTC
REFERENCES
Linked references are available on JSTOR for this article:
https://www.jstor.org/stable/23356781?seq=1&cid=pdf-reference#references_tab_contents
You may need to log in to JSTOR to access the linked references.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
https://about.jstor.org/terms
Cambridge University Press, Institute and Faculty of Actuaries are collaborating with
JSTOR to digitize, preserve and extend access to British Actuarial Journal
This content downloaded from 152.118.24.10 on Tue, 11 Dec 2018 07:50:56 UTC
All use subject to https://about.jstor.org/terms
British Actuarial journal, Vol. 17, part 2, pp. 259-314. © Institute and Faculty of Actuaries 2012
doi:10.1017/S1357321712000062
First published online 13 March 2012
Enterprise risk management for health insurance from an

actuarial perspective
G. C. Oíros* and j. Smith

[Presented to the Institute and Faculty of Actuaries, London: 18 January 2011]
Abstract
This paper focuses on Enterprise Risk Management (ERM) and strategic business management for
health insurance companies in our world of 'unknown unknowns' and the emergence of unexpected
risks over time. It illustrates how Chief Risk Officers (CROs) can focus on 'risk and opportunity
management' through an ERM framework, and thereby balance risks against opportunities, whilst
being resilient against 'unknown unknowns' and their emergence over time as 'known unknowns'
and 'known knowns'. The paper has been designed to meet the broad requirements of health
insurers that would like to implement an ERM framework for the effective risk management of their
health insurance lines of business. Risk management for health insurers in the context of Solvency II
and broader European Commission regulatory requirements is also discussed. The authors discuss
how insurers can develop and apply risk management to build resilience in the face of the storms
and shocks that may lie ahead.
Keywords
Enterprise risk management; Strategic risks; Risk and uncertainty; Governance; Risk appetite;
Health insurance; Healthcare providers; NHS.
1. Introduction
1.1 Background
1.1.1 Health insurers and healthcare providers succeed and fail for many reasons, and th
management of unexpected or unpredictable events has always attracted interest. Furthermore, ther
is a growing realisation that there is upside as well as downside risk potential. This leads to the conce
of risk and opportunity management as being the cornerstone of effective enterprise risk management.
1.1.2 This paper has been written by two health insurance actuaries who are interested in such
events (or risk) and the possibilities for risk and opportunity management. Consideration has be
given to both the short-term and long-term features of UK health insurance business. While th
paper takes a health insurance perspective, the authors believe it may have wider applicability. Note
that, in this paper, we are narrowing our view of health and care insurances to only those healt
insurance products that cover the costs of care provided in the event of illness or injury. We do no
* Correspondence to: George Orros, BA, MSc., MBA, FLA, FCII, C.Stat, Chartered Insurer. E-mail: uhcg@cwgsy.ne
Postal address: care of Institute and Faculty of Actuaries, Staple Inn, High Holborn, London WC1V 7QJ.
259
G. C. Orros and J. Smith
consider products that cover lost income or debt servicing obligations that are sometimes referred to
as income protection.
1.1.3 Enterprise Risk Management is not purely an actuarial preserve; it is important to recognise
that it is relevant to all areas of healthcare and that most of the work to date has been carried out by
non-actuaries. Our discussion suggests that the opportunities for actuaries to make a meaningful
contribution are growing, especially given rapidly changing UK regulatory and capital market
conditions, including Solvency II developments.
1.1.4 ERM has been around for many years and yet it has had a chequered history, only recently
starting to be fully adopted by companies in the UK insurance and financial service markets and
elsewhere around the world. Elements of ERM have also been applied throughout the UK National
Health Service (NHS) and other UK government agencies.
1.1.5 Continued development of the regulatory environment and the sophistication of risk
analysis techniques have changed approaches adopted by health insurers and the wider community
of life and non-life insurance companies. ERM is now commonly accepted as a necessary part of any
successful health insurer's modus operandi, even if what 'good ERM' means is not commonly
understood. ERM appears here to stay.
1.1.6 ERM has become a pivotal component of the forthcoming Solvency II regime for the UK and
the European Union. Although this paper is focused on ERM, substantive references are made to
Solvency II, its development and the associated regulatory framework.
1.2 Structure of Paper

1.2.1 Following this introduction, section 2, entitled 'ERM Framework for Health Insurers',
considers what ERM is and/or should be for UK health insurers. The scope of ERM is discussed and
how it varies from what has previously been discussed under the heading of risk management.
It summarises key aspects of the ERM process based on what the authors regard as current best
practice. The topics include:
(a) ERM framework model that would be suitable for UK health insurance obligations.
(b) ERM process inputs, mechanisms, constraints and outputs for a health insurance company.
(c) Examples and case studies of ERM process tools and techniques for a health insurance company.
1.2.2 Section 3, entitled 'Practical Examples of Risk and Opportunity Management', provides a case
study example based on innovation portfolio screening tools for health insurance business cases.
1.2.3 Section 4, entitled 'ERM Framework for Healthcare Providers, Consumers, and Policy
Makers', considers what ERM is and/or should be to these actors in the UK healthcare market, the
scope of ERM and how it varies from what has previously been discussed under the heading of risk
management. The topics addressed include:
(a) Health insurance ERM context within the UK's mixed economy of healthcare financing and
provision.
(b) ERM practices in the NHS, private healthcare providers and preferred provider networks.
(c) ERM in the healthcare area is not a new thing (e.g. NHS practices, Department of Health, etc.).
260
Enterprise risk management for health insurance
1.2.4 Section 5, entitled 'Health insurance under Solvency II', considers certain aspects of ERM
from the perspective of a regulator under the developing Solvency II regulatory regime as it will
impact UK health insurers. The topics in this section include:
(a) Solvency II developments and issues for health insurance business.

(b) How health insurance risks are conceptualised under Solvency II as well as how risk-based
capital requirements for health insurers will be measured.
(c) Potential health insurance industry reactions to Solvency II developments.
1.2.5 In section 6, entitled 'Many Risks ... and Many Views on Risk', having considered risk
management perspectives of insurers, providers, consumers, policy makers, and regulators, the
threads are pulled together and synthesised to provide a high-level view of ERM for health insurers
in a Solvency II world. This poses some interesting questions, such as:
(a) Is health insurance fundamentally different as a class of insurance?

(b) How should one balance long-term customer wants and requirements against the short-term
nature of health insurer's contractual obligations and regulatory requirements?
(c) Are there important risk management gaps arising from of the varying perspectives of participants
in the market?
1.2.6 Finally, in section 7, we draw some conclusions.
2. ERM Framework for Health Insurers
2.1 Health insurance in the UK is a complex subject from a risk management perspective. It has
short-term, medium-term and long-term enterprise risk connotations and these aspects need to be
managed to the satisfaction of the key stakeholders.
2.2 There are multiple perspectives on risks in health insurance decisions and purchases. For
example, the health insurer may want to manage risk to meet whatever its business objectives are
whereas the regulator may require sufficient capital so that the insurer can manage its risks over a
1-year time horizon. The insured and/or their insured dependants may want the insurer to be solvent
in the long-term and to be there to provide relevant insurance cover in future years and also in their
old age. Therefore, the health insurance CRO requires a broad ERM framework that can deal with
the multifaceted risk perspectives of the key stakeholders.
2.3 The health insurance CRO should also consider the risk perspectives of its key suppliers, such
as the private and public sector healthcare providers. These will generally have business objective
and capital investment programmes that will need to be carefully assessed and understood. It will be
important, therefore, for the CRO to review their business plans and to consider how these plans
may affect their business relationships with the health insurer. This argues for a broad ERM
framework that can deal effectively with the interactions between insurers and providers.
2.4 Furthermore, as the NHS in the UK accounts for the great majority of healthcare expenditures,
state financing and political considerations can have an important bearing on the ERM issues faced
by the health insurers and their planned risk responses. For example, NHS restructuring plans will
inevitably affect the complementary and supplementary product mix that the health insurers should
offer in response to the changing requirements (given the NHS offerings) of their personal and
261
corporate health insurance customers. This argues for a broad ERM framework that can deal
effectively with external sources of risk, such as legal, political, economic and social risks.
2.5 The authors believe that ERM framework models that can deal effectively with the qualitative
as well as the quantitative risk issues are likely to be more useful to the health insurance CRO than
those with primarily a quantitative focus. It is clear to the authors that, although quantitative risk
analysis can be useful, such analysis alone is a necessary but insufficient success criterion. Therefore,
the authors favour broadly based ERM framework models that can provide an appropriate balance
between the qualitative and the quantitative risk issues.
2.6 The operational risk elements of enterprise risk management, implications of value innovation
and blue ocean strategies are outside the scope of this paper. Readers are directed to relevant papers
on insurance companies, Orros & Howell (2006), on general insurance, Tripp et al. (2003) and on
life assurance, Dexter et al. (2006).
2.7 ERM frameworks for insurance lines of business have been studied by several actuarial
research groups, both in the UK and internationally. There have been several Institute of Actuaries
papers on the subject, include one on general insurance, Tripp et al. (2003) and another on life
insurance, Deighton et al. (2009).
2.8 ERM is viewed as a lead indicator, where a weakening of standards is an indicator of future
problems. In particular excellent ERM insurers need to be mentally prepared for soft markets (e.g. credit
markets, equity markets, interest rate markets and insurance markets) and understand the implications
for risk limits and risk/reward standards in the face of the softening of each of their relevant risk markets.
2.9 In the view of the authors, three of more interesting broadly based ERM framework models
for a health insurance CRO would be those associated with COSO, Standard & Poor's and
Chapman. These models were selected from a wider range of ERM frameworks, together with an
ERM bibliography of 60 relevant publications Orros (2007b).
2.10 A brief discussion of the COSO, Standard & Poor's and Chapman models is shown in
figures 1-9.
2.11 COSO ERM Framework Model
2.11.1 COSO (The Committee of Sponsoring Organisations of the Treadway Commis

COSO (2004b) has defined ERM as follows:
"Enterprise risk management is a process, effected by an entity's board of directors, m

agement and other personnel, applied in strategy setting and across the enterprise, designed
identify potential events that may affect the entity, and manage risk to be within its ri
appetite, to provide reasonable assurance regarding the achievement of entity objectives".
2.11.2 The COSO Integrated ERM Framework principles and methodologies are a unifying
of holistic enterprise risk management processes applicable to almost any enterprise or organis
in both the private sector and the public sector (e.g., Government, regulators). Private s
applications can include insurance and financial services business.
2.11.3 The COSO ERM framework is illustrated in Figure 1.
262
Event Identification
ssment
Figure 1. COSO ERM Framework
2.11.4 The COSO suite of application techniques covers the ERM issues associated with
internal environment, objective setting, event identification, risk assessment, risk response, con
activities, information, communication and monitoring, COSO (2004a). The underlying prem
that every entity exists to provide value and that all face uncertainty and the challeng
management is to determine how much uncertainty to accept as it strives to grow stakeholder v
2.11.5 Uncertainty presents both risk and opportunity, with the potential to erode or enhance v
ERM enables management to effectively deal with uncertainty and associated risk and opport
enhancing the capacity to build value. Value has the potential to be maximised when the manage
team sets strategy and objectives to strike an optimal balance between growth and return goa
related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives
2.11.6 According to COSO, ERM encompasses:
(a) Aligning risk appetite and strategy, via evaluating strategic alternatives, setting related
tives, and developing mechanisms to manage related risks.
(b) Enhancing risk response decisions, via providing rigour in identifying and selecting a
alternative risk responses (i.e. risk avoidance, reduction, sharing, or acceptance).
(c) Reducing operational surprises and losses, via gaining capability to identify potential even
establish responses, reducing surprises and associated costs or losses.
(d) Identifying and managing multiple and cross enterprise risks, via facilitating effective re
to the interrelated impacts, and integrated responses to multiple risks.
(e) Seizing opportunities, via considering a full range of potential events, management is posi
to identify and proactively realise opportunities.
(f) Improving deployment of capital, via robust risk information that allows management to
effectively overall capital needs and enhance capital allocation.
2.11.7 ERM capabilities can help management achieve performance and profitability targets
prevent loss of resources. It can help ensure effective reporting, compliance with laws
263
regulations, and help avoid damage to reputation and associated consequences. Events can have
negative or positive impact, or both. Negative impact events can erode existing value. Positive
impact events represent opportunities that can inform strategy and objective setting.
2.11.8 Risk appetite can be expressed in terms of a 'risk map', such as the map in Figure 2. Any
significant residual risk in the map's yellow area exceeds the company's risk appetite, and requires
management action to reduce the likelihood and/or impact of the risk in order to bring it within the
company's risk appetite, COSO (2004a).
Likelihood
Figure 2. Risk appetite expressed as a risk map
2.11.9 The company can then strive to diversify its portfolio to earn a return that is aligned with
the target risk profile. Inevitably, plotting the current state of the estimated 'return' against the
'capital at risk' will identify instances where the 'return' is insufficient to justify the 'capital at risk',
according to the company's risk appetite. In such situations, the associated business plans need to be
revised to satisfy the executive management and the Board that the proposed returns are compatible
with the capital at risk and the risk appetite. Portfolio diversification may be required in order to
propose a 'return' that aligned to the target risk profile, closer to the efficient risk/return frontier,
rather than lower down in the interior of the risk region, COSO (2004a).
2.11.10 A health insurance example of this might be expanding product range to include a
broader array of excess level options to policyholders at each renewal. All things being equal, higher
excess products make claim costs more volatile and require more policies to diversify. Availing the
option to policyholders will also increase selection. However, the option could make a firm's
offering more marketable. The question then becomes whether the firm has the appetite and
additional capital to support increased risk exposure, and would expected margins produce a
suitable return on capital.
2.11.11 Figure 3 illustrates the principle, and the effects of three business plan revisions that were
designed to move three business units closer to the efficient risk frontier.
264
Capital at Risk
Figure 3. Principle and effects of specific business plan revisions
2.12 Standard & Poor's ERM Framework Model
2.12.1 Standard δί Poor's (2005) provides an ERM evaluation methodology for insurers which
consists of seven initial criteria: competitive position, management and corporate strategy, operating
performance, capitalisation, liquidity, investments, financial flexibility. ERM rationalises the risk limits
and tolerances across different individual risks and allows comparable measures to be applied so that
the risk management process can be performed at both the individual risks and enterprise level.
2.12.2 Risk capital values can also be linked to risk taking activities enabling assessment of
projected and historical performance of activities in proportion to their economic capital
requirements. Targets can be set for the return on 'economic capital' of each activity, capital is
allocated to optimise the expected return on economic capital and management efforts to meet
targets are assessed.
2.12.3 According to Standard &c Poor's, a health insurer that practices ERM will be working
constantly to identify risks and regularly monitor the important risks. It will also have standards
and limits in place for the amount and form of the risks that it is prepared to retain or tolerate as
well as processes to measure and manage its risks so as to stay within formally agreed limits, within
a controlled risk-taking environment.
2.12.4 A health insurer that practices ERM is not one where managers believe that they do not
take any risks. Rather, it is a health insurer where managers knowingly take considered risks and
understand that losses are probable. In effect, ERM should provide the health insurer with
reasonable grounds to believe that it will be able to manage any events and losses within
predetermined bounds.
2.12.5 The strategic risk management pillars are illustrated in Figure 4.
2.12.6 Standard & Poor's suggested that ERM as a rating criterion has added weight for insurers
as taking risk and then managing it are core insurance business activities. Companies are viewed as
having excellent, strong, adequate or weak ERM relative to the risks of the company, its ability to
absorb risks and the complexity of the risks.
265
Figure 4. Strategic Risk Management Pillars
2.12.7 The Standard & Poor's ERM classifications relate to sustained capabilities to identify,
measure and manage risk exposures and losses within the company's predetermined tolerance
guidelines; evidence of the enterprise's practice of optimising risk-adjusted returns; and the extent to
which risk and risk management are important considerations in corporate decision making.
2.13 Chapman ERM Framework Model

2.13.1 According to Chapman (2006:8-9), the enterprise risk management process is defined as:
"ERM is a systematic process, embedded in a company's system of internal control (spanning

all business activity), to satisfy policies effected by its board of directors, aimed at fulfilling its
business objectives and safeguarding both the shareholder's investment and the company's
assets. The purpose of this process is to manage and effectively control risk appropriately
(without stifling entrepreneurial endeavour) within the company's overall risk appetite. The
process reflects the nature of risk, which does not respect artificial departmental boundaries
and manages the interdependencies between the risks. Additionally, the process is accom
plished through regular reviews, which are modified when necessary to reflect the continually
evolving business environment."
2.13.2 Chapman (2006:7) describes the process of ERM, which is essentially one of risk and
opportunity management, as impinging:
"on the 4 main functions of Boards; policy formulation, strategic thinking, supervisory
management and accountability and their respective control cycles".
2.13.3 These Board functions are illustrated in Figure 5.
2.13.4 Chapman (2006) develops an ERM corporate governance model which has five elements:
(a) Corporate governance (Board oversight).

(b) Internal control (sound system of internal control).
266
Policy review cycle
Accountability Policy Formulation

- to the company - creating the vision
-to owners - creating the mission
- to regulators - creating values
• to legislators - developing culture
- to other stakeholders - monitoring the environment
Risk and
Opportunity
Management
Strategic Thinking
- positioning in the changing markets
Supervisory Management - setting corporate direction
- oversight management - reviewing and deciding key resources
- monitoring budgetary control - deciding the implementation process
- reviewing key business results
- ensuring business capability
Short-term Long-term
I Operations review cycle |
Figure 5. ERM Board Functions

Source: Adapted from Garratt (2003).
(c) Implementation (appointment of external support).

(d) Risk management process (incremental phases of a 6-stage iterative process).
(e) Sources of risk (internal and external).
2.13.5 Figure 6 provides an overview of the ERM corporate governance model based on the ideas
presented by Chapman (2006). The authors have extended the feedback loop concept to allow for
iterations at each of the six ERM process stages. The rationale for this is that it is futile to continue the
ERM process if the foundation stages are flawed as a result of subsequent research and review stages.
1. Corporate Governance 2. Internal Control

(Board oversight) (sound system of internal control)
3. Implementation
(appointment of external support)
4. Risk Management Process««

(incremental phases of an iterative process)
Risk Risk
+ Risk Risk Risk
Analysis Identification Assessment Evaluation Planning Management
AI A2 A3 A4 AS A6
5. Sources of Risk
(internal to a business and emanating from the environment)
Internal Processes Business Operating Environment
Figure 6. Overview of Chapman (2006) ERM Corporate Governance Model
267
2.13.6 Under the Chapman model, the enterprise risk management process is a 6-stage iterative
process, as illustrated in Figure 7.
Figure 7. Chapman (2006) 6-stage ERM process
2.13.7 Each of the six risk management processes has inputs, outputs, control and mechanisms.
The modes of data connectivity can be charted using the IDEFO (Integration Definition for
Function Modelling) process mapping technique, as illustrated in Figure 8.
Control
I
Process
Input Output
í
Mechanism
Figure 8. IDEFO Process Mapping Technique
2.13.8 The first iterative step is 'Analysis', which builds a critical, holistic understanding of the
business and the specific business activities and processes. It is the ERM foundation for everything
that follows; its accuracy and realism determines the quality of the remainder of the risk
management process. Figure 9 provides a typical process map for the Analysis stage.
2.13.9 It is important (for an effective ERM framework implementation) that the 'Analysis' stage
goals are achieved via active representation and involvement across all business units and functional
departments. Active representation means the involvement and committed engagement of the
appropriate individuals with the requisite knowledge, experience, perspective and responsibility.
2.13.10 The 'Analysis' stage is critical. Should the 'Analysis' stage's detailed numbers research,
quantitative analysis or qualitative analysis be flawed then there is a danger that the results of the
ERM exercise will also be flawed and, in effect, worthless. Not only does this imply a high degree of
care, but also the need for iterative processes to ensure that new data and information is compatible
with the previous ERM process outputs. If, for example, a health insurer is considering outsourcing
268
INPUTS CONSTRAINTS
1 Appointment 1 Business risk management culture

2 Business objectives and plan 2 Risk management resources
3 Process map and organogram 3 Risk management study parameters
4 Value chain
4 Risk management plan
5 Audit committee
6 Internal controls
8 Financial reports
9 Marketing plan
10 Ratio analysis
MECHANISMS OUTPUTS
1 Finance analysis tools 1 Business analysis findings

2 Risk management process diagnostic
3 SWOT questions
4 PEST questions
5 PESTEL analysis
6 Risk mapping
7 Causal modelling
Figure 9. Typical process map for ERM analysis stage
a significant portion of its back office operations to India (and hence significant operational costs
it should not assume that recent foreign exchange rates will persist indefinitely into the future wit
no potential for large swings that, left unhedged, could create unexpected losses.
2.13.11 The 'active representation' process should also involve and engage the Non-Executive
Directors and the senior management group. Without their full and committed support, it
unlikely that an effective ERM framework implementation can be achieved.
2.13.12 In order to be judged sufficient, the 'Analysis' stage should be planned and evaluate
using formal criteria, the use of which encourages rigorous planning of the activities and a
objective review (involving non-participants in the process stage).
2.13.13 The 'Analysis' stage criteria might include, at a minimum, the following components:
(a) Define and articulate the mission and business objectives.

(b) Review and issue a clear, current and accurate business structure document.
(c) Review and issue a high-level business process map or now chart.
(d) Identify and review the existing internal control system.
(e) Identify and examine all primary business functions.
(f) Review the existing corporate risk management plan.
(g) Define, articulate and review the remit of the audit committee.
(h) Define, articulate and review the remit of the existing risk management committee.
(i) Profile the current ERM maturity level of the organisation.
(j) Define and articulate risk appetite - in qualitative and quantitative terms.
269
G. C. Orras and ). Smith
(k) Review the existing risk register.

(1) Canvas and engage knowledgeable and expert participants from across the organisation.
(m) Engage participants who can input to the project from a position of authority and expertise.
(η) Brief all participants and make them aware of their responsibilities.
(o) Consider and consult with non-executive directors where appropriate.
2.14 A1 Analysis Example - Value Chains

2.14.1 Inputs to the process include comprehensive high-level business process maps and value
chain analysis. The value chain describes the activities within and around an organisation which
combine to create a product or service offering. Value chain analysis enables managers to
understand how and where value may be created within the organisation and whether the value
chain is aligned to strategic objectives. It should inform risk identification by analysing business
activities which are cross referenced to specific strategic objectives. It also provides an input to
subsequent assessment, evaluation and planning stages. An ERM-enabled insurer can evaluate the
risk/return economics associated with its existing value chain configuration and linkages and plan
its risk response strategies to re-configure the value chain as and when required.
2.14.2 Figure 10 provides a typical value chain for a health insurer.
Outbound
Inbound Logistics Service Operations Marketing and Sates Atter Sales Service 1
Logistics
Actuarial. NPD. Price quotations, newClaims processing, Promotion, sales, CRM, customer
risk assessment, business processing, lapse processing, market intelligence, services, business 1
underwriting, renewal processes, managed care, channel management, retention, personalised 1
premium rating provider relations assistance service dient acquisition öfters
Health and care insurance services
Company infrastructure (tor example. ERM. finance, accounting, legal)

Human Resource Management
R&D. Technology Devetopment, Systems Development
Key to abbreviations:
NPD - New Product Devetopment
CRM - Customer Relationship Management
Figure 10. Value chain for a health insurer
2.14.3 Referring to the earlier outsourcing example, the analysis stage would also include carefu
re-mapping of the insurer's value chain and business process map to allow for the outsourcer
organisational capabilities, value chain linkages and 'softer' aspects such as culture. The insure
needs to understand the nature of the changes to its value chain, business process map and th
assumptions implicit within its existing business model. The following brief case study illustrates th
types of technique which would enable the insurer to carry out the analyses across multiple business
sites including the outsourcer.
2.15 A1 Analysis Case Study - Delphi Method

2.15.1 A major pharmaceutical company decided to obtain investment approval for a new
research and development facility in India. A project team with members based in the UK and Ind
was appointed to conduct a risk analysis. A distance-working solution was required in order
conduct the risk identification and assessment processes. The solution proposed was to use emai
270
and video-conferencing. A questionnaire was designed as a gap analysis tool to try to identify the
risks. A draft risk register was prepared based upon the responses to the questionnaire and used to
initiate a review of the risks, Chapman (2006).
2.15.2 A video conference was used to debate and build a consensus on the risk descriptions and
their assessment. It was recognised that the video conference was an inferior communication event
compared to a face-to-face meeting e.g. sound quality, time lags in transmission and the inability for
all of the participants to see each other during discussions. The main objectives were achieved due to
the rigour of the questionnaire process, content analysis of the questionnaire responses to form a
draft risk register and the facilitation of the video conference workshops. The risk analysis process
identified the major risks including weaknesses in the design of the procurement route which was
not aligned to the project's objectives, the lack of a formal business continuity plan and the risks
stemming from different stakeholder and client representatives whose requirements had not been
ascertained and incorporated within the project plan.
2.15.3 The second iterative step is 'Risk Identificationwhich is a transformation process

whereby one generates a series of risks and opportunities that are then recorded on the risk register.
As it is a process within ERM, it is useful to adopt the philosophy of process mapping, whereby one
process exists to make a contribution to one of more of the ERM goals.
2.15.4 Figure 11 provides a typical process map for the 4Risk Identification' stage.
CONSTRAINTS
1 Business risk management culture

2 Risk management resources
3 Risk management study
INPUTS
Business analysis
Assumptions
Uncertain events
Lessons learned
Issues
MECHANISMS
A2 OUTPUTS
1 Risk checklist
1 Risk register
2 Risk prompt list
3 PEST prompt
4 PESTEL prompt
5 SWOT prompt
6 Risk database
7 Process map
8 Business risk breakdown structure
9 Risk questionnaire
Figure 11. Typical process map for the 'Risk Identification' stage
2.15.5 The 'Risk Identification' process must be based on a clear under

and objectives of the overall business or the activities involved. It needs t
which would adversely affect the achievement of its objectives and the o
upside to an identified risk. The output is a 'risk register' of risks and o
271
2.15.6 External or internal risk facilitators can improve the quality and value of outputs from this
stage by encouraging experienced staff to adopt a more critical, self-conscious and objective
methodology to this activity. The process will generate a set of terminology which should be
managed to ensure consistency of use and meaning amongst participants. It will also clarify the
meaning of and distinction between 'risk' and 'uncertainty'. Failure to create universally understood
and accepted definitions will undermine the entire ERM process and create flawed outputs which
cannot be implemented.
2.16 A2 Risk Identification Example - Risk Register

2.16.1 Figure 12 provides a simplified Risk Register for a health insurance company, Orros &
Smith (2009).
Risk Register - Stage 2: Risk Identification

Internal or
Risk Category External
1. Reserving and pricing Insurance External
2. Provider contracting Insurance External
3. Product design Insurance External
4. Underwriting tightness Insurance Internal
5. Large claims (uncapped) Insurance External
6. Loss of client money Credit External
7. Bank failure Credit External
8. Reinsurer failure Credit External
9. Interest rate Market External
I0. Inflation Market External
11. Foreign exchange Market External
12. System failure and data use Operational Internal
13. Business continuity Operational External
14. Fraud Operational Either
15. Brand damage Operational Either
16. Clinical risks Operational Either
17. Quotation process Operational Internal
18. Political risks Operational External
19. Pandemic Several External
20. Terrorism Several External
Figure 12. Risk Register - Stage 2: Risk Identification
2.16.2 The third iterative step is 'Risk Assessment', which provides a judgement of the likelihood
and impact of the risks and opportunities identified, should they materialise. This process provides
an order of the potential 'pain' or 'gain' associated with risk and opportunity. Even when there is
considerable uncertainty, quantitative techniques provide a useful framework. Figure 13 provides a
typical process map for the 'Risk Assessment' stage.
2.17 A3 Risk Assessment Example - Causal Modelling

2.17.1 Causal chain modelling may be a useful tool to investigate the relations between an effect
and its possible causes. A simple technique uses a cause-and-effect diagram. Where appropriate,
more complex modelling approaches may be used to help analyse the risk data. However, in many
Ill
CONSTRAINTS

2 Risk management study parameters
INPUTS
1 Risk identification
2 Risk register
3 Profit and loss account
4 Balance sheet
5 Industry betas
MECHANISMS OUTPUTS
1 Probability distributions 1 Risk register,

2 Probability impact matrix including assessments
Figure 13. Typical process map for the 'Risk Assessment' stage
cases risk identification has access to limited relevant data and it is unhelpful to shift attention towar
the detail of a more complex modelling solution which is not appropriate to the data available.
2.17.2 Our high-level cause-effect risk map is shown below. It is noteworthy that it has an adapti
feedback control loop, from 'incorrect evaluation of financial outcomes' back to 'inappropriate ris
decisions', which then leads on to 'financial outcomes' and then cycles back to 'incorrect evaluation o
financial outcomes', and so on. The adaptive feedback control cycle loop is managed by examining the
output from 'incorrect evaluation of financial outcomes' to determine whether there is a continuing need
to modify the inputs to 'inappropriate risk decisions'. In practice, adaptive feedback control has to be a
expert manual process, based on a sound understanding of the business processes and their value chain
Tripp et al. (2003).
2.17.3 Figure 14 provides a typical high level risk map.
2.18 A3 Risk Assessment Example - Risk Heat Maps

2.18.1 Risk heat maps can help management to review the significant risk facing the busines
It is important to consider the likely impact as well as the likelihood. Figure 15 provides a typic
example.
2.18.2 Another example is shown in Figure 16, which is based on an insurance company model
for a relatively large multinational insurance group.
2.18.3 The fourth iterative step is 'Risk Evaluation\ which involves evaluation of the results of the
risk assessment stage and includes an understanding of the inter-relationships between the
273
High Level Risk Map
Figure 14. High Level Risk Map
Rare Unlikely Moderate Likely Almost certain

0.00 < ρ < 0.03 0.03 < ρ < 0.10 0.10<p<0.50 0.50<p<0.90 0.90 >p> 1.00
Catastrophic - the business Extreme Extreme Extreme Extreme

High
survival at risk (eg C25M loss)
Major - operations severely Extreme Extreme Extreme

High
damaged (e.g. £10M loss)
Moderate - significant time & Moderate Extreme

resources (e.g. £1M loss)
Minor - some disruption is

Moderate High High
possible (e.g. £0.5M loss)
Insignificant - minor problem, Moderate High

utilise normal daily processes
Figure IS. Typical Risk Heat Map
individual risks and the opportunities. It provides an iterative process of challenge and refinement of
the information captured during the risk assessment process.
2.18.4 Figure 17 provides a typical process map for the 'Risk Evaluation' stage.
2.18.5 With 'Risk Evaluation', the probability and impact of various combinations of multiple
risks occurring is often a major concern. Decision tree analysis is a simple, and often graphical,
technique to connect multiple risk combinations to come up with some estimates of the outcomes.
Using decision tree analysis and the rules of joint probability, we can assess the likelihood of
multiple risk events. The real strength of the decision tree graphical approach is to illustrate the
impact that certain risks may have on subsequent risk-based matters. A risk event at a small unit
may have an impact on other elements of operations when all of these risks are strung together.
274
Rare Unlikely Likely Probable Almost certain

0.00 < ρ < 0.05 0.05 < p < 0.30 0.30 < ρ <0.70 0.70 < ρ < 0.95 0.95 > ρ > 1.00
impact > £300M Extreme Extreme Extreme Extreme Extreme
£150M> impact >£300M Severe Extreme Extreme Extreme Extreme
£60M> impact >£150M Severe Extreme Extreme Extreme
C30M > impact > £60M Severe Severe Extreme Extreme
£10M > impact > £30M Severe Severe Extreme
£1M> impact >£10M Severe
£0.5M > impact > £1M Moderate High High High
£0 > impact > £0.5M Moderate High High
Figure 16. Example of a Risk Heat Map for a large multi national insurance group
CONSTRAINTS
INPUTS
1 Risk register
ι r
Risk Evaluation
MECHANISMS A4 OUTPUTS
1 Probability Trees i i 1 Risk register

2 Modelling results
2 Expected Monetary Value
3 Decision trees
3 Utility Theory
4 Quantitative results
4 Markov Chain
5 Scenario modelling
5 Investment appraisal 6 Sensitivity analysis
Figure 17. Typical process map for 'Risk Evaluation' stage
2.19 A4 Risk Evaluation Example - Scenario Planning

2.19.1 Scenario planning is a strategic-level tool in which analysts generate simulated
management games that can be used by the senior management team to consider and develop
plans to deal with alternative futures. These simulations can be developed by combining the relevant
facts that their framers can reasonably speculate about the future with relevant societal trends. They
generally include some plausible but unexpected situations or management issues that exist in some
form today. Another approach is to consider case studies, based on real situations that have
happened to industry competitors, or to companies in another related industry. The advantage of
275
the case study approach to scenario planning is it can be based on well-documented real
and, therefore, is more likely to engage the attention of the senior management team.
2.19.2 Scenario planning is a useful tool to explore existing data and analyses for emerging signals
and alternative outcomes. It can help insurers to focus on specific events and explore a wide
spectrum of outcomes, including interconnections and interactions across different groups of risks.
The process can involve workshops, brainstorming and extreme event simulations. These output
scenarios can test solutions and suggest new possibilities or improvement measures and so develop
the insurer's resilience. The process can build objective and analytical skills to enable employees to
adopt a more agile and creative approach to analysing signals within data.
2.19.3 A health insurer could incorporate risk evaluation in key planning and rate review
processes to help dislodge best estimate tunnel vision. If recent months' claim cost spikes points to a
surge in medical inflation not attributable to any specific source, what actions would management
take, and at what point, to rectify the situation? For example, how many months of confirmation
would they want before instituting other actions, expense control or provider negotiations.
2.20 A4 Risk Evaluation Case Study 1 - Risk Evaluation via Provider

Networks
2.20.1 The use of preferred provider networks is common to U.S. Health Plans. The Society of
Actuaries (SoA) Health Section Research Team have carried out a research study and developed a
model to address the financial impact of health plan provider network risk: Winkelman et al.
(2006). The study focused upon the negative impact of physician groups or hospitals who leave a
health plan network either voluntarily (e.g. in response to competitor health plan proposition) or
involuntarily (e.g. due to financial failure).
2.20.2 A reasonable degree of provider turnover is considered inevitable and may encourage
competition and improvement in performance. However there is a point where turnover becomes
dysfunctional as the health plan loses discounts on services, customer choice is restricted and the health
plan may suffer reputational damage and its competitive position in the market may be weakened
leading to a loss of its market share. The study considered the impact of provider network termination
rates with reference to the impact upon negotiated provider discounts and the potential 'domino' effect
upon pricing, market share and solvency. A model was developed to provide a starting point for health
plans to identify, assess and evaluate the financial impact of negative provider network events.
2.20.3 The authors of the SoA paper, Winkelman et al. (2006), also suggest that there is scope for
consideration to be given to strategic risk within provider network management, and this might also
imply the management of upside opportunities. There might also be scope for the consideration of
such analyses and models by European insurers, albeit configured for the different nature of
European insurance markets and the insurer-healthcare provider value chain configuration.
2.21 A4 Risk Evaluation Case Study 2 - Inadequate Risk Evaluation

2.21.1 In December, 1984, over 40 tons of poisonous gases leaked from a pesticide factory in
Bhopal, India, belonging to Union Carbide, killing more than 20,000 residents. After much
corrective action and legal wrangling, Union Carbide, which built the plant in 1969, settled a civil
suit brought by the Indian government in 1989 by agreeing to pay US$470 million for damages
276
suffered by the 500,000 people who were exposed to the gas. The company maintained that the
payment was made out of a sense of 'moral' rather than 'legal' responsibility since the plant was
operated by a separate Indian subsidiary, Union Carbide India Ltd.
2.21.2 The court proceedings revealed that management's cost cutting measures had effectively
disabled safety procedures essential to prevent or alert employees of such disasters. Dow Chemical
has since taken over Union Carbide and denies responsibility for this disaster. However, because of
the large loss of life there and the fact that Dow Chemical is much larger than what was once Union
Carbide and its Union Carbide India Ltd. subsidiary, ongoing litigation continues to haunt Dow
Chemical. The Bhopal gas leak is an example of how a risk event at a distant and relatively small
unit can have disastrous consequences on a firm.
2.21.3 This case study demonstrates the need for thorough 'risk identification', 'risk assessment'
and 'risk evaluation' processes that consider catastrophic incidents, such as one this magnitude.
Each operational business unit needs to recognise the likelihood and consequences of the risks that
they face. A risk event at a small foreign subsidiary can bring down the entire enterprise - risk
management at all levels should recognise that catastrophes can happen. We can never predict risks
of this major consequence, but an enterprise should always be aware that disasters can happen.
2.21.4 The fifth iterative step is 'Risk Planning', which combines the risks and opportunities
together and considers their combined effect. It builds on all of the preceding steps in the ERM
process to produce responses and specific action plans to address the risks and opportunities
identified to secure the business objectives; it is essential to ensure these plans are prepared,
considered, refined and implemented.
2.21.5 Figure 18 provides a typical process map for the 'Risk Planning' stage.
CONSTRAINTS
INPUTS
1 Risk register
2 Existing risk policies 1 r
3 Business risk appetite
4 Industry betas
riisK rianmng
OUTPUTS
MECHANISMS A5
1 Risk responses
1 Risk response flow chart i i
2 Response strategy 2 Updated risk register
Figure 18. Typical Process Map for 'Risk Planning' Stage
277
2.21.6 The 'Risk Planning' activity generates a series of risk responses which document, at the
most basic level, the 'risk ID', risk description, impact in terms of time and cost, the risk response
strategy to respond to the risk or opportunity. Each 'risk ID' must be referenced to an owner,
manager and personnel who are responsible for taking action, the date or timescale by which
actions must be implemented, the cost of the risk response strategy and any secondary risks which
may arise from the risk response strategy.
2.21.7 An example of risk planning may be a health insurer choosing to include terrorism as part
of standard coverage in all of its policies in the belief that the risk is overstated by customers and
brokers. Thus incorporating coverage might offer a marketing advantage. But doing this would
increase risk, albeit that large losses arising from terrorism may be a more remote risk. The
company may be willing to place a given amount of capital to back this risk within its planning
process, but only once certain operational or reinsurance arrangements are put in place.
2.22 A5 Risk Planning Example - Traffic Lights Confidence Tests

2.22.1 Figure 19 provides a typical example of traffic lights confidence that can be used by health
insurers to assess risks and plan their risk response strategies.
Is the profit pool for this new business average (yellow), a 'rare game'
(green) or a 'dog' (red)?
Do we have a significant advantage (green), small or uncertain

advantage (yellow), or negative advantage (red) in this new business?
Do we have leaders of this new business (and sponsors in the parent

company) that are clearly superior to (green), similar to (yellow) or less
strong than (red) competitor businesses?
Is the impact of this new business on existing businesses likely to be

significantly positive (green), uncertain (yellow), negative (red)?
Are we confident that the profit pool potential is still sufficient to justify
this project?
Are we confident that our value advantage is still sufficient to justify this
project?
Are we confident that we have project leaders and sponsors of

sufficient quality to justify this project?
Are we confident that the impact on the core businesses is such that
this project is still justified?
Figure 19. Typical example of Traffic Lights Confidence Test for Health Insurers
2.22.2 The sixth iterative step is 'Risk Management', which consolidates all the previous steps.
In fact, all of the six steps are iterative and it is frequently necessary to revisit earlier steps when
more information becomes available or circumstances change, as each stage relies upon inputs from
the earlier stages. All risk management process maps should state a need to ensure that risk
responses to identified risks are implemented and that the implementation is pro-actively managed.
2.22.3 Figure 20 provides a typical process map for the 4Risk Management' stage.
278
CONSTRAINTS
1 Business risk management culture

INPUTS 4 Risk management plan
1 Risk database
2 Risk register
3 Risk responses
MECHANISMS OUTPUTS
1 Meeting agendas 1 Meeting agenda

2 Proformas 2 Report format
3 Early warning indicators
4 Key performance indicators
Figure 20. Typical process map for 'Risk Management' stage
2.22.4 Risk Management consists of executing, monitoring and controlling all risk management
actions against the actions and parameters contained in the risk plan. Ensuring execution means
compliance with the risk plan and identifying rationale for any deviation. Monitoring should be
passive, neutral exercise which assesses how people and processes are working and that the Ε RM
process is 'alive' and alert to emerging signals in the internal and external business environment e.g.
are new risks and opportunities being identified and correctly cascaded through the ERM stages
Any signals of change need to be fed backwards or forward to the appropriate activity stage.
2.22.S Chapman (2006) also categorises the micro and macro influences that can be sources o
risk and opportunity and shape business performance (i.e. internal and external sources of risk).
2.22.6 Internal sources of risk are sourced within and may (potentially) be controlled by an
organisation. For example, financial risk, the exposure to adverse events which can adversely affe
profitability and may trigger closure of a business. For example, if a health insurer does not hol
enough adequate cash or access to credit facilities to meet a spike in claim obligations and other
current liabilities, it could trigger breaches or termination of provider contracts which in turn coul
lead to brand damage or reduced ability to price products competitively.
2.22.7 Figure 21 provides some typical internal sources of risk.
2.22.8 External sources of risk are sources of risk occur at sub-national, national, regional an
global/international levels. These sources of risk are largely exogenous to the insurer such
demographic trends however some factors may be influenced by the insurer or its peers (e.
regulation which addresses market and consumer issues). External sources of risk include th
economic, natural/physical, political, legal and regulatory environments, market structure an
conditions, legislation and socio-demographic and cultural factors. These factors create sources o
279
G. C. Orcos and J. Smith
Operational
Risk
Technological
Risk
Internal
Sources of Risk
Figure 21. Typical internal sources of risk
risk and opportunity; single factors can have relative pre-eminence or factors can interact and
a series of unpredictable and volatile shocks to the organisation which may contradict all
lessons learned by the organisation.
2.22.9 Figure 22 provides some typical external sources of risk.
Figure 22. Typical external sources
2.23 A6 Risk Management Example - Early Warning Indicators

2.23.1 Changes arising from the business analysis need to be explored and fed forward into
risk identification stage and downstream to update the risk assessment, evaluation, plannin
inform risk management. Early warning indicators and key performance indicators are ou
from this ERM process stage.
2.23.2 Figure 23 provides a 'key performance indicators' grid that illustrates actual
values for key indicators against a target value that a health insurer may wish to use.
2.23.3 The construction of a 'watch list' or dashboard of priority information should und
reporting activity. This approach would concentrate on 'key performance indicators', residual r
assess the severity of the emerging risk and the effectiveness of control mechanisms. The u
visuals to produce risk 'heat maps' indicating all substantial, quantifiable risks is also a usefu
2.23.4 In practice, the risk dashboard for a health insurer needs to be underpinned b
information underlay which enables fast and flexible access to the underlying experience and
280
Enterprise risk management For health insurance
KPI-1 Loss Ratio Trend KPt-2 Member Persistency KPI-3 ft

Current value 52.5% Target value 60.0% Current value 25.0% Target value 60.0% Current value 59.0% Target value 60.0%
7.5% Variance 35.0% Variance 1.0%
KPM Ombudsman Referrals KPt-5 Customer Service Level KPM5 Claim· Settlement Performance
Current value 19.0% Target value 60.0% Current value 60.2% Target value 60.0% Current value 92.0% Target value 60.0%
Variance 41.0% Variance -20.2% Variance -32.0%
.2
Figure 23. 'Key performance indicators' for health insurers
2.24 ERM Frameworks for Expecting the Unexpected

2.24.1 Health insurance practitioners need to take a necessarily broa
frameworks, processes and dedicated risk analysis and quantificat
recognising that catastrophic risks may also sometimes emerge from a
2.24.2 According to Roberto et al. (2006:106):
"The most dangerous situations arise when a warning sign is ambiguous

for causing a company harm is unclear. In these cases, managers ten
discount the risk and take a wait-and-see attitude. Such an approach c
2.24.3 According to McNamee (2004:1):
"Most of us are too specialized or focused and so accustomed to our envi

break out of our current thinking patterns to think broadly about our ri
risk that 'no one ever thought of' that causes the most harm. Altho
consultant) often is used to facilitate this broader thinking, the organizatio
to do it for itself. It is like learning to ask dumb questions, especially 'H
2.24.4 According to Rumsfeld (2002):
"Reports that say that something hasn't happened are always interestin
know, there are known knowns; there are things we know we know.
known unknowns; that is to say we know there are some things we d
are also unknown unknowns—the ones we don't know we don't k
throughout the history of our country and other free countries, it is t
tend to be the difficult ones."
2.24.5 ERM principles can help actuaries to manage health insurance b

uncertainty and to prepare for unexpected events, where equilibrium is a
fooled many European health insurers. We tend to post-rationalise the un
limitations of inductive logic based on assumptions of 'normality' and
vision, and thus severely underestimate the possibility of unexpected e
281
G. C. Orros and ). Smith
2.26 Black Swan Logic

2.26.1 In order to illustrate the limitations of inductive logic, consider the case of the 'black swan'.
According to Taleb, (2004) and (2007), a 'black swan' signifies a highly improbable incident or
event characterised by its unpredictability, massive impact; and, after the event, the human desire to
render its occurrence less random and more predictable than it was. For example, before the
discovery of Australia, people in the Old World were convinced that all swans were white, an
unassailable belief confirmed by empirical evidence. The sighting of the first black swan signifies a
severe limitation to our learning from observations or experience, the depth of our ignorance, and the
fragility of our knowledge. One single observation effectively invalidates a general statement based upon
consolidated experience from millennia of confirmatory sightings of millions of white swans.
2.26.2 Black Swan logic makes what you do not know far more relevant than what you do know.
The impact of black swans is exacerbated by its unexpectedness. For example, consider the terrorist
attack of 11 September 2001. According to Taleb (2004), had the risk been reasonably conceivable on
10 September 2001, it would not have happened. If such a possibility were deemed worthy of attention
(or conceivable) aeroplanes would have had locked and bullet proof doors and other now- preventive
measures would have been as commonplace as now and the attack would not have taken place.
2.26.3 According to Taleb (2004), in the 'mediocristan' world of Gaussian normality and
equilibrium, one thinks of ordinary fluctuations as the dominant source of randomness, with jumps
as an afterthought. Everything needs to fit some general socioeconomic model; people frown upon
descriptive models. Mediocristan practitioners seek to be perfectly right in a narrow model, under
precise assumptions. They use top-down models and rely on scientific papers and go from books to
practice. They are inspired by physics and rely on abstract mathematics.
2.26.4 On the other hand, in the 'extremistan' world of sceptical empiricists, one thinks of black swans
as the dominant source of randomness. They use bottom-up models and minimal theory, believing that
theorising is a disease that should be resisted. They do not believe that one can easily compute
probabilities. They develop intuitions from practice and go from empirical observations to books. They
are not inspired by any science or the use of messy mathematics and computational methods.
2.27 Problem of Inductive Logic

2.27.1 In general, health insurance is comparatively low risk across the spectrum of insurance
classes. Claim frequencies are high, and claim amounts tend to be small. Morbidity among covered
lives tends to be very independent. Thus, claim costs therefore tend to normalise very quickly. This
is often aided by provider contracting and regular re-pricing.
2.27.2 Even political changes to the healthcare market (e.g., introducing a risk equalisation
system, NICE approving a new drug, etc) tend to be signalled well in advance and managed
accordingly. This makes the life of the health actuary a busy but a predictable one. It is for this
reason that complacency and the weaknesses of inductive thinking can become so entrenched in
health insurance, and absurd scenarios dismissed (e.g., a reclassification of the UK Insurance
Premium Tax rate for health insurance from 5% to 20%).
2.27.3 Consider the case of a turkey that is fed every day, an illustration of the 'problem of
inductive knowledge'. Every single feeding will firm up the bird's belief that it is the general rule of
282
life to be fed by friendly members of the human race 'looking out for its best interests', as a
politician might say.
2.27.4 On the afternoon of the Wednesday before Thanksgiving, something unexpected will
happen to the turkey. It will incur a revision of belief, as illustrated in Figure 24.
1,001 Days of History

150
140
130
120
110
100
90
80
70
60
50
40
30
Surprise ! T~
20
10
0
Days
Figure 24. The Impact of the Highly Improbable

Source: Taleb (2007)
3. Practical Examples Of Risk And Opportunity Management

3.1. A holistic ERM approach based on risk and opportunity management can increase customer
value and facilitate a sustainable health insurance business model. Upside risks as well as downside
risks need to be appreciated and catered for within the ERM framework implementation.
Unrealistic assessment and dissemination of upside risks can create unrealistic stakeholder
expectations and a false expectation of continuing good news which will be disappointed.
3.2. The CRO may start with ERM framework implementation (e.g. COSO (2004a), COSO
(2004b), Chapman (2006)), following which they can commence innovation portfolio management.
They will need to balance the risks and rewards, which may require the embedding of ERM within
screening tools used to evaluate and filter the innovation portfolio.
3.3. A risk matrix can be used to support innovation portfolio screening tools. It can provide a
clearer picture of how the firm's planned projects fall within the spectrum of risk. The risk matrix is
the output from an experienced, multi-disciplinary team involving senior managers with a strategic
focus and authority for financial resource allocation and the participation of team members
delivering specific projects.
3.4 R-W-W: Is it real?, Can we win?. Is it worth doing? - Day (2007)

3.5. The risk matrix is a pre-cursor to other tools used to explore an innovation product concept,
its potential market and the company's capabilities and competition. Each concept in the health
insurer's innovation portfolio should be assessed by its development team using the R-W-W
screening system outlined below. A definite yes or no answer to the 'heading' questions in the first
column (i.e. 'Is it real?', 'Can we win?', 'Is it worth doing?') would require further investigation for
robust answers to the supporting questions in the second and third columns.
283
3.6. The CRO needs to embed ERM principles within the resolution of each of the 'heading'
questions (i.e. 'Is it real?', 'Can we win?', 'Is it worth doing?'), in order to screen the innovation
portfolio. The end result is to try and ensure that the proposed innovation portfolio is robust and is
aligned to the risk appetite of the company, the ERM framework and the corporate strategy. The 'Is
it real?' question includes an evaluation of legal, social and environmental acceptability (e.g. the
insurer's relationship with client and data protection issues). The question 'Can we win?' and
assessing ability to compete might involve the consideration of the people and process implications
attached to the delivery of a new service or product offer.
3.7. The CRO will also need to consider the implications of innovation screening questions for
ERM requirements at later stages (e.g. development, implementation, launch and post-launch). The
answer to the 7s it worth doingf" question involves a consideration of both ' Will the product be
profitable at an acceptable riskΓ and 'Does launching the product make strategic sense? The
evaluation of the capital allocation, risk appetite and opportunity management emerges from
applying an ERM perspective to the 'heading' questions 'Is it realV and 'Caw we wins"
3.8. R-W-W screening tools Day (2007)

3.8.1 The R-W-W screening tools, within the ERM framework, can help the CRO to move firmly
into the opportunity management arena. ERM should underpin balancing the risks and rewards
inherent in the innovation portfolio which may involve cross border insurance operations and
relatively complex healthcare service offers. The ERM framework needs to be inclusive, involving
insurers, out-sourcers, medical service providers, regulatory and governmental healthcare policy
advisors, and independent external input. A holistic view is required, taking account of quantitative
and qualitative risk measures, if the CRO is going to be in position to manage a business of
uncertainty and complexity effectively, such as a health insurer.
3.8.2 The link between ERM and the corporate strategy depends on the strategic direction, the
:orporate mission, the business objectives, the risk appetite and its communication to the key stakeholders,
which may include shareholders, rating agencies, investment analysts, management, employees, and
regulatory authorities. This link is important, but it is not necessarily simple or easy to manage.
j.8.3 Risk averse health insurers will have a small risk appetite and may want to follow the
market leaders, taking as few risks as possible. For them, the risk quantification measures from a
risk control environment, erring on the side of caution, will be their mantra. On the other hand,
entrepreneurial market leaders with new marketspace ambitions will have a large risk appetite and
may focus on using ERM for opportunity management. Whatever the risk appetite of the insurer, the
CRO needs to implement and manage a practical ERM framework that is aligned to the agreed
corporate strategy and the associated business plans. This will require the effective management of risk
and reward in a business of uncertainty, dealing with the upside risks as well as the downside risks.
3.8.4 Γο illustrate a practical ERM framework under a stress scenario, consider the idealised case
of a supplementary health insurance provider with a large risk appetite and market leadership
ambitions. This company has an entrepreneurial CEO with many new and insightful ideas and these
ideas have been formulated as an innovation portfolio. The corporate strategy is aligned to the
innovation portfolio and the key stakeholders have been persuaded. How should the CRO, who
may be an actuary, support the CEO and facilitate the prudential management of the insurance
company? How can the ERM framework facilitate risk and opportunity management?
284
3.8.5 The CRO might start with the design and implementation of a standard ERM framework,
such as COSO (2004b) or Chapman (2006) (e.g. the six iterative risk management steps, the
corporate governance and oversight issues, the internal controls, the internal and external sources of
risk) and then be in a position to tackle the effective risk management of the innovation portfolio.
3.9. Case Study using the R-W-W screening tools - Day (2007)
3.9.1 Assume for a moment the CRO has adopted the Chapman model (as this seemed to the CRO to
be more aligned with the agreed corporate strategy) and starts to deal with the effective risk management
of the innovation portfolio and the road towards the achievement of the corporate strategy. The
balancing of the risks and rewards inherent in the innovation portfolio requires the adoption of a risk
matrix, in order to obtain a clearer picture of how its planned projects fall on the spectrum of risk.
3.9.2 The risk matrix is the output from an experienced, multi-disciplinary team involving senior
managers with a strategic focus and authority for financial resource allocation and the participation
of team members delivering specific projects. Individual team members are required to position
products on the matrix and to provide a rationale to support their risk matrix.
3.9.3 Differences and divergences across the team serve to initiate a continuous process of evaluating
the company's mix of projects and their alignment with strategy and risk appetite. The risk matrix
model, with probability bands indicating the probability of failure, is illustrated in Figure 25.
Proöablüy of Failure
N«wto th»
comp my
Intended Market
Figure 25. Risk Matrix Model illustrating the probability of failure
3.9.4 The innovation portfolio is plotted on the risk matrix, as illustrated below. Some of the product,
service, and technology innovations are categorised as relatively small innovations, whereas others are
judged to be relatively large innovations. The risk matrix model, with probability bands indicating the
probability of failure and the innovation portfolio, is illustrated in Figure 26.
3.9.5 In Figure 26, each innovation product/service is positioned on the risk matrix based on a
scoring system, using the ordinal scales 1 to 5. Score 1 represents 'same as present' whereas
285
C. C. Orros and ). Smith
Probrtxltty of F alufi
Newt) Um 75-95*
compeny
Adjacent to
offerings
Same m
o fiera«'
Same a*p»sent Adjacent b p»e«nt Newto the company
Mended
φ Small innovation
Lai*· innovation
Figure 26. Risk Matrix Model, indicating probability of failure and the innovation portfolio
5 represents 'entirely different from our present market, or is unknown'. The 'x' and 'y' coordina
of the product innovation in the risk matrix are calculated by scoring each of the attributes of
'Intended Market' and 'Product/Service/Technology' matrices, and accumulate the scores.
3.9.6 A template is used to derive scores for the 'Intended Market' and 'Product, Service,
Technology' matrices. The template is a useful starting point, although the CRO and team mem
will need to evaluate and improve the template questions.
3.9.7 Nothing about the process should be static; new team members need to be substituted, t
member roles need to be varied and the templates themselves need to be challenged, evaluated
continuously improved. A 'starting point' template to score the familiarity and proximity of
'Intended Market' is shown below. Adding the 6 scores from the 'Intended Market' attributes (
scored from 1 to 5) gives the 'x' coordinate.
3.9.8 Figure 27 illustrates a typical scoring matrix.
3.9.9 Adding the 7 scores from the 'Product/Service/Technology' attributes described

template (each scored from 1 to 5) gives the 'y' coordinate, as illustrated in Figure 28.
3.9.10 The Figure 28 risk scoring matrix is a pre-cursor to other tools used to explore the prod
concept, its potential market and the company's capabilities and competition.
3.9.11 Each product concept in the health insurance company's innovation portfolio should
assessed by its development team using the R-W-W screening system in Figure 29. A definite
or no answer to the first column (i.e. 'is it real?', 'can we win?', 'Is it worth doing?') w
require further investigation for robust answers to the supporting questions in the second a
third columns.
286
Intended Market
... be entirely
... be the ... partially different form
same as in overlap with from our
our present our present present
market market market or are
unknown
Customers' behaviour and decision

1 2 3 4 5
making processes will..
Our distribution and sales
1 2 •3 4 5
activities will...
The competitive set (incumbents

1 2 3 4 5
or potential entrants) will...
... highly ... somewhat ... not at all

relevant relevant relevant
Our brand promise is ... 1 2 3 4 5
Our current customer relationships

1 2 3 4 5
are...
Our knowledge of competitors'

1 2 3 4 5
behaviour and intentions is ...
TOTAL
(x-axis coordinate)
Figure 27. Illustration of a typical scoring matrix
Product / Service / Technology

... will
... is fully require ... Is not
applicable significant applicable
adaptation
Our current development

1 2 3 4 5
capability...
Our technoloqy competency ... 1 2 3 4 5
Our intellectual property

1 2 3 4 5
protection is...
Our manufacturing, service and 4
1 2 3 5
CRM delivery system ...
... are
... overlap
somewhat completely
identical to
with those differ from
those from
from our those from
our current
current our current
offerings
offerings offerings
The required knowledge and

1 2 3 4 5
science bases..
The necessary product and service

1 2 3 4 5
functions ...
The expected quality standards ... 1 2 3 4 5
TOTAL
(y-axis coordinate)
Figure 28. Typical 'Product/Service/Technology scoring template
3.9.12 The CRO needs to embed the selected ERM framework and principles within the
resolution of each of the three 'heading' questions, in order to screen (via filtering and testing)
the company's innovation portfolio. The end result is to ensure that the proposed innovation
287
Figure 29. Typical R-W-W Screening Programme
portfolio is robust and is aligned to the risk appetite of the company, the ERM framework and the
corporate strategy.
3.9.13 The 'Is it real?' question includes evaluating whether there is a clear concept. For example,
this might include an evaluation of legal, social and environmental acceptability (e.g. the insurer's
relationship with broker and/or consumer and the data protection issues).
3.9.14 The question 'Can we win?' and assessing ability to compete might involve the
consideration of the people and process implications attached to the delivery of a new service or
product offer. The CRO will also need to consider the implications of innovation screening
questions for ERM requirements at later stages (e.g. development, implementation, launch and
post-launch).
3.9.15 The answer to the 'Is it worth doing?' question involves a consideration of both 'Will the
product be profitable at an acceptable risk?' and 'Does launching the product make strategic sense?'
The evaluation of the capital allocation, risk appetite and opportunity management emerges from
applying an ERM perspective to the 'heading' questions 'Is it real?' and 'Can we win?'
3.10 ERM using the R-W-W Screening Tools

ERM in the context of innovation screening needs to be positioned as part of a continuous
improvement and learning process, rather just a 'go/no-go' decision. ERM has the potential to help
develop the health insurer's capability to move from risk control to opportunity management.
For those with an innovation portfolio, the screening tools outlined above (which can be
288
aligned to a robust ERM framework) can help the CRO to effectively engage in the opportunity
management arena.
3.11 ERM - 'We are all risk managers here'

Finally, the success of ERM depends on people and team work, rather than on good ideas from the
top management team. ERM needs to be embedded throughout the health insurance organisation,
with the underlying message that 'we are all risk managers here'.
3.12 ERM Risk Profiling

3.12.1 Management needs to ensure that the risk profiling process does not become stale or be
seen as an end in itself. The risk profile is unlikely to change significantly in the short term, unless
the insurance business is rapidly changing or growing. A long term view is required, along with
secular consistency. One seeks out opportunities that increase the likelihood of the risk profile
remaining relevant over time to management decision making processes and also to pro-actively
respond to changes in these processes.
3.12.2 The risk profile reports should provide 'snapshot' management information about the
significant risks, as indicated in the executive summary report in figure 30.
Rare Unlikely Probable Almost certain

Likely
0.00 < ρ < 0.05 0.05 < ρ < 0.30 0.30 < ρ <0.70 0.95 > ρ > 1.00
0.70 < ρ < 0.95
impact >£300M Extreme Extreme Extreme Extreme

Extreme j
E150M > impact > E300M Severe

ExtiwneQ Extreme Extreme Ε Extreme (
£60M> impact >£150M Severe Extreme Extreme

Extreme ¡
£30M > impact > £60M Severe Severe f Extreme Extreme
£10M > impact > £30M Severe Severe

Extreme j
£1M> impact >£10M Severe ι
Moderate
£0.5M > impact > £1M
Θ High High High
£0 > impact > £0.5M ■""■"β High

High 0
Control effectiveness -► High φ Medium Q Low Q Opportunity φ
Figure 30. Risk Profile - Executive Summary

Notes:
The top 12 risks have been positioned on the risk matrix and it is important to show their 'before' and
'after' situation, where the 'after' situation represents the indicated 'inherent residual risk' position. Any
risks coloured 'red' (e.g. Risks 7,11 and 12) are in the extreme danger zone and need remedial action (e.g
termination of underlying risk, as their implied risk tolerance is unacceptable). Any risks coloured 'orange'
(e.g. Risks 6 and 10) are in the severe danger zone and need remedial action (e.g. business plan to move t
a reduced underlying risk assessment). Any risks coloured 'green' (e.g. Risk 2) may be too safe and
consideration should be given to divestment to another organisation that can create more added value
In practice, the management team will need to focus primarily on the 'severe' and 'extreme' zones and
satisfy themselves that appropriate remedial action is taken, as these risk assessments are unsustainable
289
G. C. Orros and j. Smith
4. ERM Framework For Healthcare Providers, Consumers. And Policy Makers
4.1 Health insurance in the UK
4.1.1 The UK has a mixed economy of public and private healthcare delivery. Health insurance (also
known as PMI) is a supplementary and voluntary health insurance system and is an important component
of the mixed healthcare economy that comprises public and private financing and public and private
provision. The mixed economy shapes consumer expectations, the insurer's value chain and its linkages
and the underlying map of healthcare funding, provision and delivery. The interaction and flow of funds
between the public and private healthcare sectors is illustrated in Figure 31, Foubister et al. (2006).
r NHS ÎP Other Κ
Foreign ^dependent
(pubidy providers (e.g.
GPs provider treatment
owned alternative
teams centres
providers) therapists)
NHS pay
beds and
Private GPs
♦ private-#
patient units
i_L
United cost sharing (o.g. prescription charge) «·
Cost sharing (e.g.
excess)
Figure 31. Interaction and flow of funds

Source: toubister et al. (2006)
Notes:
In Figure 31, private hospitals and specialists have been boxed separately, since the initial consultation
and the hospital treatment is separated in time and place. Moreover, a privately financed consultation
may not necessarily lead to a hospital episode. The consultation will often take place in office space that
does not belong to a private hospital and for which the specialist will pay rent or a fee.
4.1.2 As health insurance is supplemental coverage, the insured always has the option to try and
access the NHS and receive public treatment, provided that they are prepared to wait. If the insured
decides to use their health insurance cover, they still have to deal with NHS business processes. In
practice, the insured will need to consult their general practitioner, who will refer them to a private
consultant. Some insurers require the insured to contact them at the time referral to ensure that the
consultant is on their approved list, as well as prior to booking any acute treatment.
290
4.1.3 There may also be incidence of individuals who opt to mix public and private systems to
provide different components of their care. For example, the patient may opt for certain higher cost
diagnostics to be carried out in the public sector e.g. MRI scans, and pay a nominal fee to the NHS
provider for the diagnostic report which can be used at a private out-patient specialist consultation.
This is a problematic policy issue as it involves out-of-pocket payments to be received by NHS
providers for a diagnostic test which is carried out using public healthcare facilities and staff.
4.1.4 As illustrated by the persistent number or cases profiled in the media, pressure also exists tor
patients to be able to self-pay for high cost pharmaceuticals not available as a public healthcare
service (e.g. for cancer drugs whilst still a public patient for all other services).
4.2 Health insurance Stakeholders
1.2.1 Supplementary health insurance in the UK provides cover tor the costs ot treatme
"espect of acute medical episodes. There are three key markets, Orros (2007a):
a) Individuals - book rated, medically underwritten (e.g., rull medical underwriting, morat
underwriting) and excluding pre-existing medical conditions.
b) Small Company Paid - partially experience rated (sometimes via rating pools), genera
medically underwritten and excluding pre-existing medical conditions.
c) Large Company Paid - experience rated and not medically underwritten.
Φ.2.2 Health insurers use medical underwriting and risk rating to set the othce premium
Full medical underwriting requires a declaration of the applicant's medical history. The in
determines, at the point-of-sale, the medical conditions that will be excluded from the policy
4.2.3 Moratorium underwriting, on the other hand, shifts the underwriting process to the po
:laim. With moratorium underwriting, pre-existing conditions (and directly related condi
during the last five years are excluded for two years, following which they are covered provid
the insured has been symptom free.
4.2.4 Consumers, individually and collectively, have a very high demand tor longer and
quality lives. This creates pressure for medical innovation, and an allowance for the social c
bearing it. Healthcare systems represent a social desire to promote basic social benefits (giv
sach of us will likely get seriously ill at one point) but assigning the funding burden to tho
ultimately call on the most benefits speaks to basic human senses of social fairness, trust
goodness. People clearly want to reduce or better manage healthcare risks, but they seem to
that accomplishing this is inescapably and partly a social endeavour.
4.3 Consumer Attitudes and Expectations

4.3.1 Health insurance consumers have personal health risk priorities. They may have a high
demand for health services when their life and well-being are threatened. Some purchase health
insurance in order to ensure access to healthcare in times of need, with limited or no financial risk.
They probably know that, although their cancer risk in the next twelve months is low, this risk
will increase with age; therefore, they will often buy insurance now rather than later. The
implication for health insurers is that they must, therefore, react to such consumer issues and
concerns on an ongoing basis, even if they cannot align their risk management objectives perfectly
to those of consumers.
¿y ι
4.3.2 A number of research organisations survey UK healthcare consumer attitudes, as part of

their European healthcare reform studies. The Stockholm Network has published the 'Impatient for
Change' study, Disney et al. (2004), which contained the conclusions outlined below.
4.3.3 The Stockholm Network study, Disney et al. (2004) concluded that Britons' rank of their
health system is at the bottom of those countries surveyed in terms of the gap between aspiration
and delivery. They are also the least inclined to put equality of access ahead of quality of personal
care of any country polled. Only in Sweden do a higher proportion of people think that their health
system is underfunded in absolute terms, and only in the Czech Republic do more people think that
their health service is underfunded relative to other European countries.
4.3.4 The study also concluded that, for the UK, waiting times are the most significant feature of
healthcare, while doctor choice is the least significant. Fewer than 1 in 5 rate the NHS as 'good' on
waiting times, and only 1 in 4 rate it as 'good' on convenience. Similarly on access to the latest
medicines and technology, no other country either rates it as highly as the UK, or scores their health
system so low at delivering it. In line with other countries, the single reform cited as the most likely
to increase the quality of care is giving patients more information about their illness while increasing
the number of available medicines and treatments.
4.3.5 The phenomenon of medical inflation and consumer tolerance of it also reflects certain
attitudes and expectations. Medical inflation arises from several factors, including new
technologies, preference for spending a higher portion of incremental income on healthcare as
overall per capita income increases, and a willingness to tolerate a degree of economic inefficiency
and moral hazard in healthcare systems as the 'price to pay' for social fairness.
4.4 Risk Management via Preferred Provider Networks

4.4.1 Some health insurers have preferred provider networks, whereby claimants are directed
towards in-network medical service providers. Although private hospital service providers operate
'rack rates' for their hospital beds and ancillary patient services, their actual charge levels are the
outcome of confidential negotiations between insurers and providers, conducted on a bilateral basis.
4.4.2 The value chain and linkages between insurers and healthcare providers can help to manage
moral hazard, improve quality of care and customer experiences and differentiate the insurer's
product and service offer. The U.S. market utilises preferred provider organisations. These are
health plans consisting of hospital and physician providers that provide healthcare services to
members at discounted rates in return for expedited claims payment. Although members can use
any healthcare provider, financial incentives are built into the benefit structure to encourage
utilisation of the preferred healthcare providers.
4.4.3 Preferred healthcare provider models are rare in Europe, although insurers may have
preferred provider networks to support group employer based contracts. However, their scope is
constrained in many European markets. In the context of voluntary complementary or
supplementary health insurance it is difficult to restrict provider choice. This issue is heightened
for voluntary as opposed to employer paid (mandatory) cover.
4.4.4 There is greater potential scope for employer paid cover to develop value chain linkages
and derive benefits from provider agreements e.g. protocols for care delivery and management
292
of care episodes. Overall, low market penetration rates and consumer attitudes to what is essentially
a voluntary purchase, create resistance to insurer initiatives perceived as restricting consumer
choice. This presents challenges to developing greater integration between insurer and provider
value chains to manage service delivery and consider more sophisticated forms of risk sharing.
1.5 Preferred Provider Networks - Case Study

1.5.1 Preferred provider network agreements were the subject ot the year 2000 investigation by
he Competition Commission. This concerned the proposed merger of the then Bupa Hospitals with
Community Hospitals Group. It was concluded that the actual charges set reflected the bargaining
¡trengths and abilities of the two sides, rather than the underlying structure of supply costs. The
arger insurers were deemed to have a competitive advantage (due to economies of scale and medical
:xpertise) over smaller insurers when it came to negotiating medical service provider prices
Competition Commission, 2000).
4.5.2 The Competition Commission concluded that the preferred provider discounts achievable
were sometimes 25% to 35% off the 'rack rates' for non-network business, and even higher for
network business. Furthermore, the then Bupa Hospitals had charged the Bupa insurance business
significantly less than it charged smaller PMI insurers. It concluded that it was far from obvious that
the lower Bupa Hospitals charges to the Bupa insurance business were fully justified on a volume
basis or because of significant cost savings, Competition Commission (2000).
4.6 Governmental Policy on Healthcare Risk Management

4.6.1 The Strategy Unit of the UK Cabinet Office first published a report in ¿002 that describes
how handling risk and opportunity is increasingly perceived to be at the centre of good government
Cabinet Office (2002) This report concludes, at the strategic level, that risk appetite concerns are
about where the organisation wants to go, how to get there, and how to ensure survival. Any major
risks at this level are likely to stop the organisation functioning. Risks at this level are typically
concerned with commercial, financial, directional, environmental, cultural, acquisition, political
and quality issues.
4.6.2 Public sector ERM focus is driven by the public sector's need do more to anticipate risks so
that there are fewer unnecessary and costly crises (citing BSE and failed IT contracts as examples);
to ensure that risk management is part of the delivery plans; get the right balance between
innovation and change on the one hand and avoidance of shocks and crises on the other; and,
finally, to improve the management of risk and its communication.
4.6.3 Figure 32 provides a public sector perspective on the separation between strategic-level,
programme-level, and operational-level decisions, Cabinet Office (2002).
4.6.4 Risk management in healthcare requires the deployment of real-time, electronic risk
management identification systems capable of tracking resource allocation, patient progress, and
outcomes across different clinical and provider operational functions and the ability for functional
teams to collaborate to support more effective management of risks across the organisation.
4.6.5 Patient and customer satisfaction has been identified in some studies as an area attectmg
many of the risk domains of ERM, including operational, human and strategic. Furthermore,
LV5
G. C. Orras and ). Smith
Strategic Decisions
Decisions transferring
strategy into action
Programme
Decisions required
Project and Operational
for Implementation
Figure 32. Public Sector Perspective of Decisions
studies of patient perceptions of safety have indicated that concerns about medical errors lead to
lower patient satisfaction ratings and a reduced willingness to return for care and the reduced
likelihood that patients would recommend a hospital to others, Braz et al. (2006).
4.6.6 Effective ERM, as in the example of patient satisfaction, involves information exchange
with multiple disciplines in the hospital in order to capitalise on broader perspectives for correction
and improvement (e.g. clinical competency of staff, physical access and environment, patient
identification procedures, and systems for medication administration). Patient complaints and
concerns represent not just exposure to loss, but rather they also present opportunities to improve
satisfaction and to increase market share through repeat encounters, increased visits and the
hospital's good reputation in the community.
4.6.7 Healthcare providers transitioning from Risk Management to ERM can benefit from the
activity of on-going change agents or ambassadors who can successfully promote recognition of the
need for change for the good of the business enterprise. ERM within a provider context also
involves hospital boards and governors, senior management and business unit committees. There is
also a strong need for cross-functional representatives who can represent the different players,
materials, resources, relationships and transactions involved in delivery of care in specific settings
(e.g., diagnostics, operating suite, day care, outpatient care).
4.7 NHS Risk Management Implementation

4.7.1 The UK NHS has applied risk management principles and governance for many years, partly
due to central government influences (e.g. Cabinet Office Strategy Unit papers, guidance and
instructions). Risk management principles are now embedded within NHS human resource
management and form an important part of NHS education, training, employee induction
programmes and their continuing professional development.
4.7.2 NHS best practice principles for ERM have often been considered in the context of clinical
governance and the continual drive for quality improvement, bearing in mind that an organisation is
only as strong as its weakest link. Therefore, much attention has in the past been given to quality
improvement studies based on peer group comparisons.
4.7.3 Best practice standards on clinical governance and quality improvement were subject of a
seminal paper prepared for the NHS 50th anniversary review in 1998 for the British Medical Journal.
294
This paper concluded that clinical governance was to be the main vehicle for continuously
improving the quality of patient care and developing the capacity of the NHS in England to
maintain high standards (including dealing with poor professional performance) and that new
approaches were needed to enable the recognition and replication of good clinical practice to ensure
that lessons were reliably learned from failures in standards of care, Scally &c Donaldson (1998).
4.7.4 The best practice standards for clinical governance and quality improvement are
summarised via Figure 33, which shows the interactions between the important components,
Scally Sc Donaldson (1998).
Figure 33. Best Practice Standards for Clinical Governance and Quality Improvement
Source: Scally & Donaldson (1998)
4.8 NHSLA (NHS Litigation Authority)

4.8.1 A key function for the NHSLA is to contribute to the incentives for reducing the number of
negligent or preventable incidents throughout the NHS. It is understood that they seek to achieve
this through an extensive risk management programme. To this end, they publish and distribute
their risk management Framework Document, National Health Service Litigation Service (2006).
4.8.2 During 2008/09, the NHSLA received 6,080 claims of clinical negligence and 3,743 claims
of non-clinical negligence against NHS bodies. This increased from the 2007/08 figures of 5,470
claims of clinical negligence and 3,380 claims of non-clinical negligence. A total of £769 m was paid
in respect of clinical negligence claims during 2008/09, up from £633 m in 2007/08.
295
4.8.3 The risk management framework and standards target fundamental hospital risk
management problems including under-reporting. Some commentators suggest that retrospective
case review would indicate that low percentages of adverse events are reported and that,
significantly, reporting of near misses is extremely poor. Under-reporting of near misses is both a
source of new emerging risk and of lost opportunity as important teaching and learning experiences
and lessons are wasted.
4.8.4 The Department of Health report 'An Organisation with a Memory' advocated the use of
risk incident and near-miss analyses to develop risk planning and management strategies for future
occurrences, Department of Health (2000). It concluded that the great majority of NHS care is of a
very high clinical standard, and serious failures were uncommon in relation to the high volume of
care provided every day in hospitals and in the community. Yet, where serious failures in care did
occur, they could have devastating consequences for individual patients and their families and
undermine public confidence in the healthcare services that the NHS provided.
4.8.5 According to the report, most distressing of all was that such failures often have a familiar
ring, displaying strong similarities to incidents which have occurred before and in some cases almost
exactly replicating them. Many could have been avoided if only the lessons of experience had been
properly learned, Department of Health (2000).
4.8.6 The report concluded that the introduction of clinical governance provided the NHS with a
powerful imperative to focus on tackling adverse health care events. It set out to review what the
Department of Health knew about the scale and nature of serious failures in NHS health care, to
examine the extent to which the NHS had the capacity to learn from such failures when they
occurred and to recommend measures which could have helped to ensure that the likelihood of
repeated failures was minimised in the future. The work of the group was informed by evidence and
experience from a range of sectors other than health, including industry, aviation and academic
research, Department of Health (2000).
4.8.7 As an interesting parallel to recent issues (e.g. whistle blowing) in the insurance and financial
services industry, the report noted that 'When things go wrong, whether in health care or in another
environment, the response has often been an attempt to identify an individual or individuals who
must carry the blame. The focus of incident analysis has tended to be on the events immediately
surrounding an adverse event, and in particular on the human acts or omissions immediately
preceding the event itself.' Department of Health (2000).
4.8.8 Risk incident reporting can be seen as a valuable source of identifying emerging signals of
risk and as an input to the risk identification process at all levels of a healthcare delivery system,
care providers and frontline healthcare professionals. It is also helpful to consider the value of risk
incident reporting in the context of a dynamic environment, the shortage of time in clinical settings
and the need for data from healthcare professional and patient interaction.
4.8.9 The reasons for under-reporting of incidents include fear of reprisals, concerns about
litigation and anonymity, training and design of incident reporting processes and forms, lack of
clarity over what constitutes an adverse event, short-term target pressures, shortage of time in
clinical settings and low priority where incidents do not result in an adverse outcome, incidents
which are undetected by the patient and other colleagues and a lack of peer support, forums
and feedback.
296
4.8.10 Reporting levels are however higher amongst some specific groups, such as nurses where
incident reporting is part of formal training and there are high levels of patient contact. Some
commentators also suggest that hospital working environments are not strongly conducive to
reflective learning and that even where incidents are reported the organisation may not be well
equipped and trained in using incident data to learn and improve processes.
4.8.11 The Standard Format of medical case conferences may also be seen as viewing errors as the
result of individual, personal failure or professional shortcoming. In this way the case review may
promote an 'unrealistic expectation of perfection [which] undoubtedly contributes to physicians'
traditional reluctance to discuss errors', Wächter et al. (2002). Studies have suggested that it may be
more constructive to focus upon system problems which may contribute to a clinical error or poor
outcome for a patient rather than focusing upon individual human errors.
4.9 NICE (National Institute for Clinical Excellence)

4.9.1 NICE seeks to contribute to the incentives for improving risk assessment and risk
management practices in the NHS. NICE publications include documented examples of risk
assessment best practices, NICE (2007). These case studies address risks in the healthcare sector and
provide some interesting ideas on how to deal with them, based on an initiative by the health
promotion bodies and the Health Services Advisory Committee.
4.9.2 The validity of an ERM framework needs to be continually tested, evaluated and assessed.
In a healthcare context this includes evaluation and post-implementation review of specific changes
in processes following patient risk incidents. This process needs to be carried to evaluate risk
planning and management activities from the perspective of patient care, provider costs and
capacity. However it is important to avoid a situation where resourcing pressures effectively censor
the output of the review as issues are raised with no available resources to address them.
4.9.3 The process of ongoing evaluation and embedding ERM culture at an organisational level is also
encouraged by the development of indicators for use by frontline healthcare staff to measure whether a
specific procedural change is successful and whether actual outcomes match those expected. While still
evolving, the use of ERM has become increasingly embedded in healthcare provision.
4.10 Healthcare Provider Risk Management Practices

4.10.1 Healthcare delivery organisations (e.g. NHS, private care providers) are exposed to a
broad, interactive spectrum of risk. These include operational risk, financial risk, human resources
(e.g. recruiting, retaining and managing a workforce); strategic risk, legal/regulatory risk (e.g.
ownership of patient data); technological risk (e.g. biomedical and information technologies).
4.10.2 The public sector has developed practical guidance to assist governments and government
agencies in developing ERM frameworks and risk response strategies to manage outcomes of policy
implementation, extreme events (natural and man-made) and increasing consumer activism where
the State is deemed to under-deliver or fail in delivering its legal responsibilities and duties.
4.10.3 The practice of NHS outsourcing to private sector health care providers can impact on the
private sector's own risk management practices. Private sector service delivery and pricing are
influenced by NHS outsourcing. In a mixed economy of care the insurer's ERM framework needs to
297
incorporate environmental scanning activity to detect the signals of risk and opportunity which may
originate from different stakeholder groups. The insurer's ERM framework should encompass both
technical quality 'what the customer gets' and functional quality 'how he gets it', Grönroos (1984)
and recognise the potential for unintended and unexpected consequences from shifts in policy and
risk management in the provider sector and how the impact on consumer behaviour.
4.10.4 Health insurance product differentiation and innovation aims to retain loyal/
knowledgeable customers, encourage repeat purchases maintain/increase market share whilst
copies appear, the competition intensifies and the segments drift apart Grönroos (1984). The impact
of economic, social and political change on public healthcare budgets, risk appetites and consumer
healthcare behaviour will demand ERM frameworks with adaptive feedback and control
mechanisms to identify where expected outcomes diverge from the business model and trigger
risk management actions. In particular, performance metrics based solely on general insurance
techniques primarily intended for a 1-year time horizon would seem inadequate to the challenges of
the health insurance market.
5. Health Insurance Under Solvency II
5.1 The Regulation of Health Insurance as an Insurance Enterprise

5.1.1 Solvency II seeks to harmonise insurance regulation within the EU, encourage the use of risk
management, and promote transparency and market efficiency. While Solvency II is explicit in its
aim to promote ERM, it is principle based in this aim. Thus, adequate risk management specific to
health insurance is not addressed in Solvency II. The extent of specific requirements for health
insurance related risks are the solvency capital standards for health insurance. Thus, this section of
the paper has a strong focus on risk based capital issues for health insurance.
5.1.2 The treatment of health insurance under Solvency II has been a topic of much debate. The
forms of health insurance, as well as their economics and risk profiles, vary across member states
due to national and regional perspectives on health and care, local social insurance systems, local
healthcare markets, and other factors. It is therefore a challenge to define health insurance in a
manner that can accommodate all this variation, and in particular a Standard Formula for
quantifying risk-based capital consistently across all Member States.
5.2 CEIOPS Advice on Health Insurance Regulation

5.2.1 CEIOPS has been active in seeking to develop a consensus view across member states on the
treatment of health insurance under Solvency II and its has issued and responded to a number of
consultation papers on the subject and how health insurance is intended to be regulated alongside
life and non-life insurance business lines.
5.2.2 The CEIOPS advice on the Level 2 implementing measures for the Solvency II regulation of
health underwriting risk and its treatment in the Standard Formula for the Solvency Capital
Requirement (SCR) was issued on 8 April 2010 as CEIOPS-DOC-68/lO (CEIOPS, 2010a).
5.2.3 The CEIOPS paper is the revised version of CP72, (CEIOPS, 2009)' following stakeholder
feedback from consultation and further collection of data.
298
5.2.4 CEIOPS has classified all health insurance undertakings under three separate categories:
(a) Health insurance obligations pursued on a similar technical basis to that of life insurance (SLT
Health).
(b) Health insurance obligations not pursued on a similar technical basis to that of life insurance
(Non-SLT Health).
(c) Health insurance obligations Catastrophe risk (Health CAT) (CEIOPS, 2010a). Therefore,
health insurance (as defined in this paper) would primarily be associated with the non-SLT
classification. But, depending on the health insurance product, it could have catastrophe
exposures or be classified as SLT.
5.2.5 CEIOPS summarises the health modules via figure 34.
SCR Health
ι
ï
Health slt
1 Health cat Health Non SLT
Premium &
Mortality nsl^ restive risk
Lapse
— ^ongevi^^sSJ
"""^lsaEIEtj^®
_jnorbidirQiskJ
Revision nsk^ SLT .Stasia »Li*»· ictTactaki

Νοα-SLT ■ Not Skmtar
urine· T< lo Lift a
— Lapse risk
Figure 34. Summary of Health Modules

Source: CEIOPS (2010a)
5.2.6 Each module is associated with a risk associated with health insurance, whether SLT, non
SLT, or both. Other risks assumed by a health insurer are addressed in through other modules are
not a part of the health underwriting module. For example, operational risks specific to health
insurance are addressed in a general operational risk module that applies to all classes of insurance.
5.2.7 CEIOPS provided the proposed calibration of the health underwriting risk module in
accordance with the requirements of Article 104 of the Level 1 text, which states that each of the
risk modules referred to in paragraph 1 shall be calibrated using a Value at Risk measure with a
99.5% confidence level, over a 1-year period.
5.2.8 CEIOPS' advice is based on health insurance data that they received from fifteen Member
States. This represented a significant improvement compared to previous calibration exercises
299
undertaken by CEIOPS. Only six Member States provided data for analysis in Consultation Paper
72, and only three for QIS3 and QIS4 (CEIOPS, 2010a). However, data for any one specific risk was
not necessarily available from all fifteen member states, The data was not necessarily homogeneous
across member states in respect of the forms of health insurance (e.g., medical expense versus
income protection). Subsequent analysis by CEIOPS as part of the European Commissions Health
Task Force slightly expanded the data points used for the final calibration.
5.2.9 The health insurance data used by CEIOPS in its calibration was judgementally filtered to
remove, to the best extent possible, distortions due to mergers and acquisitions, apparent
inconsistencies between different years and between opening reserve and closing reserve for the
same company, catastrophe losses and other features which were considered to be incorrect based
on expert judgement (CEIOPS, 2010a).
5.2.10 CEIOPS' analysis was stated to be in line with the requirements underlying the design of
the Standard Formula. For example:
(a) it provides an estimate for a set of factors which are pan-European;

(b) allowance has been made for an average level of geographical diversification, as implied
by data;
(c) no allowance for underwriting cycle;
(d) no allowance for expected profits and losses; and
(e) no allowance for a size factor (e.g., diversification by volume, which implies that the proposed
calibration may overestimate for large portfolios and underestimate for small portfolios)
(CEIOPS, 2010a).
5.2.11 No explicit allowance was made for inflation in the calibration process. Implicitly
therefore it was assumed that the inflationary experience in the period from 2002 to 2008 was
representative of the inflation that might occur in the future. The period analysed was a relatively
benign period with low inflation in the countries supplying data and without unexpected inflation
shocks which might be expected to increase the factors. The medical inflation issue in respect of
health insurance was not explicitly considered in CEIOPS' design and calibration of the health
underwriting risk module.
5.2.12 The CEIOPS advice was summarised via the results shown in CEIOPS-DOC-68/lO. The
final gross technical fitted result across all methods was derived by taking an average of the methods
that best fit the data. CEIOPS reported that their selection was not conservatively selected, but
rather based on the goodness of fit results and the adequacy of the method. Furthermore by
blending methods, CEIOPS is ensuring that the factors are not biased towards factors most
appropriate for larger portfolios (and hence leading to a lower calibration). The analysis shows that
for most lines of business the factors should be higher for smaller and medium portfolios (CEIOPS,
2010a).
5.2.13 CEIOPS supplemented its analysis with additional exercises provided by itself or by the
industry. These additional exercises also suggest that factors proposed for QIS4 may not be
appropriate at least for some lines of business.
5.2.14 CEIOPS initially recommended that the factors for the premium and reserve risk sub
modules should be as per figure 35.
300
LOB Net premium factor Net reserve factor
Accident 10.0% * (NCR/GCR) 17.5%
Sickness 7.5% * (NCR/GCR) 12.5%
Workers compensation 10.0% * (NCR/GCR) 12.5%
Figure 35. Recommended Factors for Premium and Reserve Risk Sub Modules
Source: CEIOPS (2010a)
Note:
CEIOPS has recommended an adjustment factor for Premium Risk that is undertaking specific, and
so it is not possible to provide a single numeric net premium factor common for all insurers since the
effect of reinsurance uniquely affects each insurer. NCR and GCR stand for net combined ratio and
gross combined ratio respectively
5.2.15 CEIOPS endeavoured to be as transparent in the process they followed as far as possible
(CEIOPS, 2010a).
5.2.16 At the time, CEIOPS recognised that, as the Standard Formula is intended to be pan
European, it is not possible to select a factor that fits all portfolio specificities and works perfectly for
all undertakings operating in the EEA. The Solvency II framework provides several approaches for an
undertaking to determine its SCR, only one of which is the Standard Formula. CEIOPS reported that
undertakings that consider that some or all of the standard parameters within the Standard Formula
do not appropriately reflect their risk profile, may wish to consider using Undertaking Specific
Parameters or applying for the approval of a (full or partial) internal model (CEIOPS, 2010a).
5.2.17 For estimation risk in the Standard Formula, a shock can be derived as follows: it is assumed
that undertakings estimate the level of claims from the last five observations, i.e. the annual inflation
adjusted claims for the last five years. If the distribution of annual claims is assumed to be approximately
normal, the estimation error on a 99.5% VaR level can be calculated as indicated by figure 36.
Estimation error = ^ '(0.995) *σ

«1.15*σ
where Ν is the cumulative distribution function of the standard normal distribution and σ the standard deviation
of annual claims.
Figure 36. Distribution of annual claims, assuming an estimation error of 99.55 VAR
5.2.18 The capital charge for the combined premium risk and reserve risk was determined
indicated by figure 37.
Htaith£2*^4Ibra - Ρ(σΝ*ΑΤ Hm* )· VMmSLTHmkk
Where
''«■STIMM
«
Volume measure (for NSLT Health insurance
obligations)
σ S—SU H~tk
"
Standard deviation (for NSLT Health insurance
obligations) resulting from the combination of the
reserve and premium risk standard deviation
Λσ*0*3 ΤΗ~1* )
«
A function of the standard deviation
Figure 37. Capital charge for combined premium risk and reserve risk
301
G. C. Orros and ]. Smith
5.2.19 The mathematical formulae used by CEIOPS are specified in their final advice paper
(CEIOPS, 2010a).
5.2.20 Following the publication of the final advice papers on 8 April 2010, the Solvency II
calibration paper was issued as CEIOPS-SEC-40-10 on 15 April 2010 (CEIOPS, 2010c). This paper
refined the calibrations for all lines of business and provided the background information to the
technical analysis carried out by CEIOPS for the calibration of key parameters of the Standard
Formula for the SCR and the calculation of technical provisions for the purpose of QIS-5. The
calibrations they advised for the Standard Formula are shown in figure 38 (CEIOPS, 2010c), but
have subsequently been revised (CEIOPS, 2010b), as indicated by figure 38.
LOB Gross premium factor

Gross reserve factor
Accident 12.5% 17.5%
Sickness 9.5% 12.5%
Workers compensation 5.5% 12.0%
Figure 38. Calibration of key parameters of the Standard Formula for the SCR and the calculation
of technical provisions for the purpose of QIS-5 in the final advice for CP 72
5.2.21 After adjusting for reinsurance, the draft technical factors for the QIS-5 calibration for the
Non-SLT health underwriting module for the purpose of the Standard Formula are as summarised
in figure 39 (CEIOPS, 2010c) although these have subsequently been revised (CEIOPS, 2010b).
LOB Net premium factor Net reserve factor
Accident 9.0% 16.0%
Sickness 6.0% 10.0%
Workers compensation 5.5% 12.0%
Figure 39. Summary of draft technical factors for the QIS-5 calibration for the non-SLT health
underwriting module for the Standard Formula
5.2.22 Under the Standard Formula the method to be used by the undertaking for estimating their
catastrophe risk is the 'standardised scenarios' method, which is aimed to provide a calibration of
catastrophe risk at the 99.5% VaR for undertakings that are exposed to extreme or exceptional events.
5.2.23 CEIOPS reported that their catastrophe risk scenarios selected were designed to provide an
appropriate and unbiased calibration based on the information that was selected. The three
scenarios selected (i.e., an arena disaster, a concentration scenario, and a pandemic scenario) were
considered to be an adequate selection of extreme and exceptional events that can impact the Health
SLT and NSLT portfolios. Each has been calibrated at a 99.5% level and has taken into account
diversification where appropriate.
5.2.24 For the Arena disaster, the scenario aims to capture the risk of having lots of people in one
place at one time and a catastrophic event affecting such location and people. It is recognised that
while many people will be affected by a major event such as this, not all them will be insured and
the insured lives will be covered by all (or almost all) of the insurance firms operating in the member
state. The formula attempts to reflect this dilutive effect on the exposure of any one firm.
302
5.2.25 For the Concentration scenario, the scenario aims to capture the risk or having
concentrated exposures the largest of which being affected by a disaster. For example: a disaster
within densely populated office blocks in a financial hub.
5.2.26 For the Pandemic scenario, the scenario aims to capture the risk that there could be a
pandemic that results in non lethal claims, e.g. where victims infected are unlikely to recover and
could lead to a large disability claim.
5.2.27 For health insurance, special consideration was given by CEIOPS to the catastrophe risks.
It is important to consider the ability of medical services providers to deal with the consequences of
the catastrophic event. The supply of medical services is normally fixed and is generally much less than
the demand for those services. As a result, there is little or no surplus capacity within the medical
services systems. In addition the nature of the local health insurance market must be considered since the
overall level, mix, and cost of care can vary significantly by region (CEIOPS, 2010c).
5.2.28 Health insurance, be it on a SLT or non-SLT basis, may cover all ot an insured's medical
treatment or may function to top up or provide an alternative to the state health system, in which
case medical treatment of the consequences of a catastrophe would fall to the state health system
rather than to insurers. As healthcare resources are transferred to deal with the catastrophe within
the state health system, it is possible that the claims on health insurers would reduce rather than
increase (CEIOPS, 2010c).
5.2.29 In the UK, health insurance provides access to care trom private care providers that deal
with acute conditions such as cancer and cardiovascular disease, but not emergencies. In
emergencies arising from an accident or a pandemic, policyholders would rely on the NHS for
treatment and care rather than rely on private providers. For markets such as these, no capital
requirements are considered necessary for the catastrophe scenarios specified. For a market event,
the constrained capacity within the NHS implies that the treatment would be in place of other
healthcare treatments that the insurer would be paying for anyway. Although the types of treatment
and costs would differ, it is anticipated that the overall increase in claim cost would be modest and
would be logically reflected in the ordinary volatility risk (CEIOPS, 2010c).
5.2.30 CEIOPS reported that their scenario in which catastrophe capital may be required is under
the 'concentration scenario' and the insurer would cover the cost of all medical treatment arising
out of the scenario. If health insurance is offered to a group of employees (or similar) then an event
effecting those employees would generate an unanticipated increase in claim cost for the insurer and
any offset from the substitution effect considered above would be very small. Capital would be
required here and should be calculated in a similar manner to that for other types of benefit. As a
result this has been allowed for under the 'concentration scenario' (CEIOPS, 2010c).
5.2.31 The final QIS-5 Solvency II design and calibration factors for health insurance published by
the EC (European Commission) on 5 July 2010, European Commission (2010) differ in several
respects from CEIOPS' final advice. In particular, the classifications for risks are along medical and
income protection lines rather than historical accident and sickness lines.
5.2.32 The QIS-5 documents define underwriting risk as the specific insurance risk arising from
insurance contracts, in so far as it relates to the uncertainty about the results of the insurer's
underwriting. This includes uncertainty about the amount and timing of the eventual claim
JU3
C. C. Orros and J. Smith
settlements in relation to existing liabilities, the volume of business to be written and the premium
rates at which it will be written, the premium rates which would be necessary to cover the liabilities
created by the business written and the risk resulting from decisions made by policyholders
regarding whether they decide to renew or not, European Commission (2010).
5.2.33 The QIS-5 Solvency II calibration factors for SLT and non-SLT health insurance business
(which are lower than those recommended by CEIOPS) have been summarised in figures 40 and 41,
alongside the CEIOPS emerging and final advice, Elliott & Abbey (2010) and CEIOPS (2010b).
Line of Business QIS4 CP50 CP72 CP72 QIS5 Line of Business QIS5
Option 3 Original
Revised Original Revised
Accident 5.0% 5.0% 10.0% 12.5% 9.0% Medical expense 4.0%

xNGR xNGR xNP
Sickness 3.0% 3.0% 7.5% 9.5% 6.0% Income protection 8.5%

xNGR xNGR xNP
Workers' 7.0% 7.0% 10.0% 5.5% 5.5% Workers' 5.5%

Compensation xNGR xNGR Compensation xNP
Non-proportional
17.0%
health reinsurance
Figure 40. Summary of non-SLT health underwriting risk module - development of premium factors
Note:
The adjustment factor for non-proportional reinsurance NP by line of business allows unde
to take into account the risk-mitigating effect of particular per risk excess of loss reinsuran
Line of Business QIS4 CP50 CP72 CP72 QIS5 Line of Business QIS5
Option 3 Original Revised Original Revised
Accident 15.0% 15.0% 17.5% 17.5% 16.0% Medical expense 10.0%
Sickness 7.5% 7.5% 12.5% 12.5% 10.0% Income protection 14.0%
Workers' 10.0% 10.0% 12.5% 12.0% 11.0% Workers' 11.0%

Compensation Compensation
Non-proportional
20.0%
health reinsurance
Figure 41. Summary of non-SLT health underwriting risk module - development of reserve facto
5.2.34 Despite the higher reserve risk parameter under the Standard Formula, the capital for
health insurance premium risk tends to be 2 to 4 times larger than the reserve risk capital. This
because healthcare claims settle very rapidly, so claims provisions are typically only 10% to 20%
annual premiums. Thus, volatility parameter for premium risk is the principal driver of risk based
capital for health insurance under Solvency II.
5.2.35 The above differences between the CEIOPS Solvency II calibration factors and the QIS-
calibration factors, for SLT and non-SLT health insurance business, evidence the on-going debate acro
Europe on the balance to be drawn between risk, reward, and consumer protection as well as th
difficulty of finding sufficient data to calibrate the parameters meaningfully across many markets.
304
5.2.36 Note that Solvency I requires a minimum capital broadly equal to 18% of the previous 12
months' of premiums assuming a typical healthcare loss ratio of 80%. Under QIS-5, the same health
insurer would be required to hold the equivalent of 14% of prospective 12 months' premiums for
lealth underwriting risk. QIS-5 requires a further 3% of prospective 12 months' of premiums for
aperational risk, which would bring the capital requirement to 17%. On top of this, the outcome of the
:atastrophe and lapse module, plus capital for any market and default risks assumed would be needed
|but with allowances for diversification among these market, default, and insurance risks). Thus,
Solvency II requirements would generally be in line with Solvency I for a simple health insurer.
5.2.37 Holding this capital has a cost. A proportionate balance needs to be set between low-risk
health insurance products on the one hand, and excessively high consumer prices for health
insurance products on the other. Nevertheless, the risk and opportunity management principles
underlying ERM can help health insurance managers to set an appropriate direction along the road
to satisfying consumer expectations while adequately providing for their security and still
generating an adequate return to shareholders.
5.3 Risk Management in Health Insurance Under Solvency II

5.3.1 Solvency II is about more than setting risk-based capital requirements. It is about also about
aligning management action with business decisions, operations, and planning, effective
governance, proper information flows, the right amount and type of capital to support risks
assumed, and the management of risk. Thus, health insurers will be required to articulate their
appetite for risk explicitly, assess their risk profiles and the appropriateness of their capital resources
to back these risks, and report these to their boards of management and their supervisors.
S.3.2 It is possible, and indeed likely, that a insurer's risk appetite will not align with the
supervisor standard of a 1-year 99.5% VaR. For example, a firm may seek a high credit rating, or it
may want a high confidence that it can meet its objectives well beyond a 1-year time horizon.
5.3.3 Solvency II recognises this. Thus as part of their Own Risk and Solvency Assessment (OKSA)
process, insurers must reconcile their risk profile and capital level to the regulatory minimum and prove
that the firm is no less prudent than the regulatory minimum. The insurance risk assessment is a central
feature of Solvency II's requirement that insurers produce an ORSA. Solvency Π is at its core about
insurer survival with a high degree of confidence. It is important that the management team takes a view
on insurance risk and how they will manage their insurance risk. Despite the common practice of an
annual business planning cycle, few insurance risks can be aligned with such a convenient time frame.
5.3.4 Solvency II nevertheless requires firms to take a broad view of the historical record and
recognise credibility and suitability limitations with data. At its heart, Solvency II should make firms
better appreciate the extent of what they know and do control and what they don't know and may not
control. Stress testing and scenario testing are expected to become the norm, including reverse stress
testing to help characterize the types of scenarios that would lead to insolvency. These scenarios could
very well play out over a longer time frame than the 1-year assumed in the design of Solvency II's SCR
or the time frame used by management for business planning purposes. Management should consider
extreme and 'inconceivable' scenarios and how they would unfold over time.
5.3.5 This may sound very theoretical, especially for a 'predictable class or insurance such as
health insurance. Figure 42 illustrates the experience of Bupa during the macro-economic context of
31)3
the 1970s (i.e., stagflation) and highlights how a narrow 1-year time horizon could be misleading
for health insurance since 'abnormal' conditions took a few years to manifest themselves and work
themselves through the economy and healthcare market.
Figure 42. Fluctuation of a health insurance portfolio's dynamics through turbulent macro
economic context
5.3.6 Figure 42 illustrates how during 'normal' times an insurer has to manage fluctuating claim
costs and the net rate of portfolio growth. Between 1966 and 1971, claim cost rate increases
doubled from 6% to 12% per annum whilst portfolio growth ranged from 2% to 10%.
5.3.7 If the period of 'normalcy' is sufficient, institutional memory of unstable periods may
weaken. Who in 1971 would have believed that the claim cost rates would reach four times
historical average and that the portfolio would begin to contract due to severe lapses and limited
growth?
5.3.8 Since health risks often have a significant macro-economic component, extreme scenarios
could easily take more than one year to play out. Such a time horizon is longer than that adopted for
Solvency II. A 1-year, 99.5% VaR level of confidence is a necessary standard for consistency across
the European insurance markets. But this simple historical case study suggests that it may not be
sufficient to characterise the risks inherent to a given business. Hence the need for stress and
scenario testing by a health insurer's management to inform them on the risks underlying
assumptions in the business model.
5.3.9 This is not to say the Solvency II standard is flawed or deficient in this aspect. Any solvency
standard will have limitations. It will always be necessary for insurers to strive to understand risks
and uncertainties in a more specific and realistic manner.
5.3.10 More generally, each health insurer will find itself in a unique position in respect to its
business objectives, risk exposures, risk appetite, and capital and management resources to support
306
risks assumed. Solvency II sets out some basic measures for capital adequacy, and both carrots and
sticks for developing risk management. This is especially true in respect of operational risk. Thus,
the ERM tools described in Section 2 of this paper are supportive of Solvency II's Pillar 2 objectives.
But it is not possible to translate these into "one right way" of managing health risks across the
market as easily as it can set Pillar 1 standards for preparing the regulatory balance sheet and
assessing capital adequacy.
5.4 Potential Reactions to Solvency II by the Health Insurance Industry

5.4.1 Solvency II will promote risk and capital awareness. Ideally firms will be prompted to
develop a deeper appreciation for ERM and in doing do assimilate ERM practices such as risk
planning and scenario testing and the use of a rigorous ERM framework. (Sections 2 and 5).
5.4.2 Capital requirements under Solvency I were based on simple revenue and claims based
measures. These were tied to uneconomic and arbitrary rules. These include a 50% limit to the
amount of capital that could be offset through reinsurance and the so-called 'three-year look back
rule'. In addition, a 72% loss ratio threshold that triggered a higher capital requirement rate
regardless of whether portfolios with a 72% loss ratio represent fundamentally different levels of
risk and uncertainty. These factors limited the use of reinsurance in the health insurance market and
also created barriers to entry in established markets.
5.4.3 Solvency II, on the contrary, focuses on risks and uncertainties in health insurance
underwriting, reserving, and catastrophe exposures. It does away with Solvency I's arbitrary and
uneconomic rules. The consequences of this include reinsurance being more extensively used as a
capital management tool. For example, the larger health insurers can be expected to realise more
capital efficiencies under Solvency II and this in turn will increase the competitive pressures on the
smaller health insurers in those markets.
5.4.4 QIS-5 will evaluate the impact on the health insurance sector. The calibration of the SCR
suggests that the aggregate capital requirements will be broadly in line with Solvency I levels for the
typical health insurer. CEIOPS expects to publish it QIS-5 findings in early 2011.
6. Many Risks ... And Many Views Of Risk

6.1 In the previous sections, we touched on the risk perspectives of several key players in the
health insurance industry, namely those of insurers, consumers, providers, policy makers, and
finally regulators. These players' influences on the health insurance market form something of a
system, with its own ecology. While each part in the health system depends on others, any one
party's actions can also work at odds with the others.
6.2 Another way of conceiving this is that there are always multiple perspectives on risks in every
health insurance purchase and decision. For example, an insurer may want to manage its risks to
meet whatever its business objectives are, while the regulator requires sufficient capital so that the
insurer can manage risks to a high standard over a 1-year time horizon. Consumers want the insurer
to not only be solvent over the next few years but provide coverage on an ongoing basis that
provides access to the care they desire in the event of an adverse health event even if years in the
future. Solvency II requires only the reconciliation of the first two of these objectives. Ostensibly it
requires a consideration of the consequences of risks originating from other entities, but only if such
307
risks are material. And it does not require a reconciliation of the supervisory and insurer
perspectives with that of consumers.
6.3 Why might this gap be a problem? If consumers are purchasing health products using more of
a life insurance mindset, they may be assuming that the insurer will always renew products each
year, and on reasonable and non-discriminatory terms, in order to provide coverage they would
want now in the event of need. However, the insurer may decide at some future time to change its
mind on product support, design, or pricing, at which point the customer may not meet insurer's
underwriting standards for contract renewals. One could argue that the supervisor would seem to
be indifferent, provided that the anticipated liabilities can be settled in full as they fall due to a
supervisory standard and to the standard set out by the insurer's board of management.
6.4 Furthermore, the insured may develop a medical condition which was covered for claims at
the point of onset but not following the insurer's retroactive management decision to deny such
medical conditions for future claims. Whilst such action may be acceptable within short-term
general insurance obligations, it would not be acceptable under long-term insurance obligations.
It could be argued that there is asymmetry between the insured's long-term health insurance
requirements and the insurer's short-term (i.e., 1-year) insurance contract. Again, the supervisor
would seem to be indifferent to such asymmetries between short-term cover and long-term
insurance needs.
6.5 Health insurance is not quite like other personal classes of insurance, such as travel or motor
insurance. With these classes, there is less of an attachment to insurers and more of a willingness to
change based on price product or value without penalty. At least with life products, firms must meet
capital standards that consider adverse events that occur over long durations. It is hard for health
insurance customers to switch if they have a pre-existing condition. Thus, if the future has the
potential for 'black swans', are health insurance consumers more exposed to this mismatch of
parties' risk management expectations?
6.6 Health insurance is relatively 'low risk' in the near term, despite the complexities of products
and markets. But what makes it so interesting is the longer term interaction of the players
above. Health insurance industries around the world have struggled to create long term products
to provide customers with the products and guarantees they desire, even in those markets where
risk equalisation systems, national health systems, and community rating or age-at-entry rating
systems exist.
6.7 Such a product would have to address, amongst other factors:
(a) Morbidity trends.

(b) Medical inflation trends.
(c) Medical advances and associated changing medical protocols.

(d) Macro-economic shocks.
(e) Innovations and breakthroughs in medical technologies and treatment.
(f) Shifting definitions or standards for illness, treatment, minimally acceptable care, and what is
considered medically necessary.
(g) Adverse selection and moral hazard.
(h) Shifts in government policy.
308
(i) Periodic social upheaval, war, etc.

(j) Changing regulation.
6.8 It has been difficult for the industry to embrace successfully all of these risks and uncertainties
and in doing so create a viable market for long-term health insurance products. Fundamentally there
are gaps and conflicts between the perspectives of risk among the players in the 'eco-system' of
healthcare and health insurance. This seems to be a common problem found in most countries around
the world. They have responded with many varieties of solutions, such as risk equalisation systems,
guaranteed issue requirements, community rating schemes, risk pooling, mandated benefits, and so on.
6.9 Health insurance seems to involve an implicit standard of fairness that is difficult to codify into an
insurance contract. Consumers want insurers to be there to provide good service in the long run, and
hence be capitalised and manage risks accordingly, regardless of the regulatory standard that applies.
6.10 Furthermore, they trust that their policies will be renewed at a fair price, perhaps with
changes to excess levels, accepting that medical inflation is a difficult but necessary social
phenomenon. Consumers do not expect insurers to drop them from coverage simply because they
have claimed. And while consumers can struggle with the difficulty of changing definitions and
medical understanding over the long term, they expect to be treated fairly if definitions used at point
of purchase become nebulous as time passes and medical standards evolve. Health insurers thus
appear to preserve a custodial duty to consumers beyond a fiduciary duty.
6.11 If this is the case, what if anything should insurers consider as part of their risk management
efforts that factor in this consumer's perspectives on health risks? Or, are there some risks associated
with health insurance, such social and healthcare costs trends, that are effectively uninsurable and
which the consumer is willing to assume?
6.12 As an example of just one issue, risk-based performance measurement systems used by health
insurer's management are often those commonly used those for general insurance products, such as
risk-adjusted return on capital. Given that health insurance is relatively low risk as discussed in
section 5 (e.g., a small SCR), but implicitly depends on brand and long-term customer loyalty
(which is not an asset represented on the Solvency II balance sheet), perhaps some form of
embedded value metric would be valid. Such a metric could be used to encourage behaviours in
health insurance organisations to align and manage longer-term interests common to the insurer and
consumer that are not likely to be captured by either an SCR or a 1-year business plan. Insurers
must ask themselves if they are incentivising management consistently with the risks and the
appetite for these risks that the board seeks to manage over a specific horizon of time.
6.13 The world is continually changing. For example, how would the healthcare 'eco-system'
described above change if a period of stagflation returns as governments try to lower deficits and bond
markets attempt to price in credit risks? What would happen to healthcare providers, to insurance
premium tax rates, consumer purchasing power, anti-selection, etc? Such questions would seem to be
sensible to evaluate by health insurers even if their time horizon is shorter than the government's.
6.14 Solvency II encourages thinking about risk management and anticipating absurd but possible
change. But it is unclear if Solvency II's paradigm is sufficient given health insurance's unusual social
and long-term characteristics that lead other key players in the market, such as consumers,
providers, and government officials, to take a longer term view of healthcare risks.
309
7. Conclusions
7.1 Health insurers should consider developing ERM programmes (as described in sections 2
that include very open ended stress and scenario testing to drive out hidden assumptions about
shows the effects of shifts and shocks to the wider healthcare landscape (as described in section
5), along with the challenges the limitations and suitability of our knowledge in the face of r
uncertainties related to the future. They should assess how the organisation can learn from p
risk exposures and then synthesize these findings into more effective operations to manage r
exploit opportunities.
7.2 ERM frameworks for health insurers are likely to be more complex than those for lif
non-life insurers. Not only will they have to cater for the insurance lines of business, but
their interface with government healthcare policy and a mixed economy of public and private
healthcare providers.
7.3 ERM frameworks for public and private sector healthcare providers are likely to be a
by governmental and political influences regarding corporate governance best practice and th
to satisfy public expectations regarding healthcare delivery services. In the eventuality of
and shocks, there will be occasions when national and local government are likely to be
involved to deal with such stresses and shocks.
7.4 The ERM process commences with comprehensive Analysis of the business model, where the
inputs include business process maps and value chain analysis. The Analysis stage provides an input
to subsequent assessment, evaluation and planning stages. The conclusion to the ERM process
should be an ERM-enabled insurer who can evaluate the risk/return economics associated with its
existing value chain configuration and linkages and plan its risk response strategies to re-configure
the value chain as and when required.
7.5 Holistic ERM is allied to risk and opportunity management and can potentially build a
sustainable supplementary health insurance business model which increases customer value in a
complex, mixed economy of care. ERM can underpin balancing the risks and rewards inherent in
the insurer's innovation portfolio associated with complex healthcare service offers. The ERM
framework needs also to be inclusive, involving insurers and their stakeholder community,
policyholders and their dependants, healthcare providers, regulatory and Government healthcare
policy advisors.
7.6 In the view of the authors, the CRO of a health insurer should start with the design and
implementation of a broadly based ERM framework. Having covered the core ERM implementation
issues, including the six iterative risk management steps (if we adopt the base framework outlined by
Chapman), considered the corporate governance and oversight issues, the internal controls, the internal
and external sources of risk, the CRO can then begin to deal with the effective risk management of the
innovation portfolio and the road towards the achievement of the corporate strategy.
7.7 The CRO will need to balance the risks and rewards inherent in the innovation portfolio.
ERM needs to be embedded within innovation portfolio screening tools such as a risk matrix which
plots a firm's planned projects on a spectrum of risk. The essential input to this project is an
experienced, multi-disciplinary team involving senior managers with a strategic focus and authority
for financial resource allocation and the participation of team members delivering specific projects.
310
The risk matrix is a pre-cursor to other tools used to explore an innovation product concept, its
potential market and the company's capabilities and competition.
7.8 Each concept in the health insurer's innovation portfolio should be assessed by its
development team using the R-W-W screening system. The CRO needs to embed the selected
ERM framework and principles within the resolution of each of the three 'heading' questions, in
order to screen the company's innovation portfolio. The end result is to try and ensure that the
proposed innovation portfolio is robust and is aligned to the risk appetite of the company, the ERM
framework and the corporate strategy.
7.9 An organisation is only as strong as the weakest link across its value chain. The health insurer
must take the broadest view of its own value chain and how and who it interfaces with. This is
enabled by an exhaustive analysis of the insurer's value chain and the development of appropriate
risk management processes e.g. hospital provider and consultant/surgeon input monitoring systems
and processes which manage delivery and costs upstream whilst managing experienced outcomes
downstream at the point of pre-authorisation and care delivery.
7.10 Effective supplier monitoring systems supported by a risk dashboard or watch list can
further indicate emerging risks or opportunities. Prioritising supplier relationships and value chain
linkages as critical risks with a high impact can also lead to the development of cooperative
relationship with providers.
7.11 Health insurance under Solvency II is a complex subject, as much depends on the national
position of the EC member states on their public and private sector healthcare delivery systems.
Some features of health insurance are similar to those for non-life insurance undertakings, whereas
other features are similar to those for life insurance undertakings. The CEIOPS advice has attempted
to recognise these complexities and has sought to develop on pan-European view on how best to
proceed with the regulation of health insurance undertakings. However, healthcare seems unusual in
the number of key players in the market with differing objectives, time horizons, and views on risks.
7.12 Under Solvency II, the UK health insurance model has potential applications for other EC
member states and insurers may benefit from EC increased mobility of labour and residence.
Supplementary health insurers may be able to exploit gaps in state provision and in customer
segments served by the public sector. They will need to adopt a combined strategy of cost and value
differentiation to balance the tension arising from the differing perspectives on healthcare risk and
value among key players in the healthcare market. The switch from Solvency I to Solvency II should
help prompt the health insurance industry to make more economic decisions in the use of their
capital, the management of risks, the design of products, and organisation of operations. But
Solvency II does not capture many of health insurance's nuances.
7.13 Given the complexity involved with the health insurance, product concepts should be
positioned as 'options' on the future rather than 'winners and losers', with these options part of a
relevant ERM framework module. The screening process should derive and evolve from the direct
input of team members to avoid the risk of 'transplant rejection' where a process is grafted on from
an external or internal donor that does not share the same DNA as the adopter. Embedding ERM
within the organisation and ensuring that it is part of the DNA of every strategic and operational
decision hinges on people and culture. This includes connecting with a diverse stakeholder
community.
311
7.14 ERM health insurance practitioners need to build a culture and business processes which
value learning from the people within the insurer's stakeholder community:
Learn from the people

Plan with the people
Begin with what they have
Build on what they know
Of the best leaders
When the task is accomplished
The people all remark
We have done it ourselves
source: laoist sage, Lao-tzu.
References
Braz, R., Barger, D., Geller, K., Kicklighter, L., Midgeley, M.S., Shostek, K., Ulmer, E.G
Nakamura, P.L. (2006). Enterprise Risk Management Monograph. American Society for
Healthcare Risk Management, USA.
Cabinet Office (2002). Risk Improving Government's Capability to Handle Risk and Uncertaint
Strategy Unit, Cabinet Office, London, UK.
CEIOPS (2009). Consultation paper no. 72 - Draft L2 advice SCR Standard Formula - Calibrati
of Health Underwriting Risk, available at: https://www.ceiops.eu/fileadmin/tx_dam/file
consultations/consultationpapers/CP72/CEIOPS-CP-72-09-Draft-L2-Advice-Calibrati
health-underwriting-risk.pdf
CEIOPS (2010a). CEIOPS' Advice for Level 2 Implementing Measures on Solvency II: SCR Stan
dard Formula Calibration of the Health Underwriting Risk, published as CEIOPS-DOC-6
10 available at: https://www.ceiops.eu/fileadmin/tx_dam/files/consultations/consultationpaper
CP72/CEIOPS-DOC-68-10%20_L2_%20Advice_on_Calibration_Health_Underwriting_%2
Risk.pdf
CEIOPS (2010b). QIS-5 Technical Specifications: Annex to Call for Advice from CEIOPS on QIS-5.
Available at: https://www.ceiops.eu/fileadmin/tx_dam/files/consultations/QIS/QIS5/Annexes
to-QIS5-technical_specifications_20100706.pdf
CEIOPS (2010c). Solvency II Calibration paper, published as CEIOPS-SEC-40-10. Available at:
https://www.ceiops.eu/fileadmin/tx_dam/files/consultations/consultationpapers/CP70/
CEIOPS-L2-Advice-Market-risk-calibration.pdf
Chapman, R.J. (2006). Simple Tools and Techniques for Enterprise Risk Management. John Wiley
& Sons Inc., New Jersey, USA.
Competition Commission (2000). British United Provident Association Limited and Community Hos
pital Groups Pic.: A Report on the Proposed Merger. Competition Commission, London, England.
COSO (2004a). Enterprise Risk Management - Integrated Framework, Application Techniques,
COSO. (The Committee of Sponsoring Organisations of the Treadway Commission), September
2004.
COSO (2004b). Enterprise Risk Management - Integrated Framework, Executive Summary, COSO
(The Committee of Sponsoring Organisations of the Treadway Commission), September
2004. Available at: http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf
Day, G.S. (2007). Is it Real? Can we Win? Is it worth doing?: Managing Risk and Reward in an
Innovation Portfolio, Harvard Business Review, December 2007.
Department of Health (2000). An Organisation with a Memory: Report of an expert group on
learning from adverse events in the NHS chaired by the Chief Medical Officer. HMSO
UZ
Stationery Office, London. Available at: http://www.dh.gov.uk/prod_consum_dh/groups/

dh_digitalassets/@dh/@en/documents/digitalasset/dh_4065086.pdf
Deighton, S.P., Dix, R.C., Graham, J.R. &c Skinner, J.M.E. (2009). Governance and Risk Man
agement in United Kingdom Insurance Companies. British Actuarial Journal, 15(3), 503-572.
Dexter, N., Ford, C., Jakhria, P., Kelliher, P., Mccall, P., Mills, C., Probyn, Α., Raddall, P. & Ryan, J.
(2006). Quantifying Operational Risk in Life Assurance Companies, Life Operational Risk
Working Party, Institute and Faculty of Actuaries. Available at: http://www.actuaries.org.uk/
sites/all/files/documents/pdf/opriskcapital.pdf
Disney, H., Horn, K., Hrobon, P., Kilmarnock, Α., Mihm, Α., Mingardi, Α., Philippe, C., Smith, D.,
Van Den Broek, E. &c Verhoeks, G. (2004) Impatient for Change: European Attitudes to
Healthcare Reform. The Stockholm Network. Available at: http://www.healthpowerhouse.
com/files/Impatient%20for%20change.pdf
Elliot, S. & Abbey, T. (2010) Health and Care; Good Practice for Internal Models: A Closer Look at
Solvency II. Institute and Faculty of Actuaries Health and Care Conference, April 2010.
Available at: http://www.actuaries.org.uk/sites/all/files/documents/pdf/abbey.pdf
European Commission (2010). April 2010: Fifth Quantitative Impact Study: Consultation on Call
for Advice and Technical Specifications. Available at: http://ec.europa.eu/internal_market/
insurance/solvency/index_en.htm#consultation Draft technical specification available at:
http://ec.europa.eu/internal_market/insurance/docs/solvency/qis5/draft-technical-specifications_
en.pdf
Foubister, T., Thomson, S., Mossialos, E. & Mcguire, A. (2006). Private Medical Insurance in the
United Kingdom. WHO Regional Office for Europe, Copenhagen, Denmark.
Garratt, R. (2003). The Fish Rots from the Head: The Crisis in our Boardrooms - Developing the
Crucial Skills of the Competent Director. Profile Books Ltd, London, England.
Grönroos, C. (1984). A Service Quality Model and its Marketing Implications. European Journal of
Marketing, 18(4) 1984, pp. 36-44.
Mcnamee, D. (2004). Risk Reflections: based on his extensive experience. Internal Auditor, October
2004. (Report of an Interview). Available at: http://findarticles.cOm/p/articles/mi_m4153/
is_5_61/ai_n6332709/pg_2/?tag=content;coll
National Health Service Litigation Authority (2006). Framework Document. Available at: http://
www.nhsla.com/NR/rdonlyres/D872241A-43E3-492B-8F74-32FB0586608F/0/Framework
document.pdf
National Institute for Clinical Excellence (2007). Risk Assessment at work: Practical examples in
the NHS. Available at: http://www.nice.org.uk/niceMedia/documents/risk_assment_examples.pdf
Orros, G.C. (2007a). Risk Sharing Models for Private Healthcare Insurance. IAAHS Colloquium
paper, May 2007. Available at: http://www.actuaries.org/IAAHS/Colloquia/Cape_Town/
IAAHS_2007_Orros.pdf
Orros, G.C. (2007b). ERM Literature Review. GIRO 2007 Convention. Actuarial Profession.
Summary paper available at: http://www.actuaries.org.uk/research-and-resources/documents/
enterprise-risk-management-erm-working-party-overview-and-summary, where "ERM Lit
erature Review" is Appendix 1A and Appendix IB and are available on request from
libraries@actuaries.org.uk
Orros, G.C. & Howell, J.K.A. (2006). Value Innovation for insurance and financial services firms.
Available at http://www.cwgsy.net/private/uhcg/index_files/Page352.htm
Orros, G.C. & Smith, J. (2009). Health at Risk. The Actuary, December 2009, pp 25-27. Available
at http://db.riskwaters.com/global/actuary/digital/Actuary_1209_OrrosSmith.pdf
Roberto, M.A., Böhmer, R. & Edmonson, A.C. (2006) Facing Ambiguous Threats. Harvard
Business Reivew. November 2006.
313
G. C. Orros and j. Smith
Rumsfeld, D. (2002) Department of Defense News Briefing. 12 February 2002. Available at: http://
www.quotationspage.com/quote/30526.html
Scally, G. & Donaldson, L.J. (1998). Clinical Governance and the Drive for Quality Improvement
in the New NHS in England. British Medical Journal, 317, July 1008. Available at: http://
www.ncbi.nlm.nih.gov/pmc/articles/PMC1113460/pdf/61.pdf
Standard & Poor's (2005). Insurance Criteria: Evaluating the enterprise Risk Management Practices
of Insurance Companies. Standard & Poor's, McGraw Hill, USA.
Taleb, N.N. (2004). Fooled by Randomness: The Hiden Role of Change in Life and in the Markets,
2nd Ed. The Random House Publishing Group 2005. Penguin Books 2007, London, England.
Taleb, N.N. (2007). The Black Swan: the Impact of the Highly Improbable. Allen Lane, an imprint
of Penguin Books, London, England.
Tripp, M., Orros, G.C., Bradley, H., Devitt, R., Overton, G., Pryor, L. & Shaw, R. (2003). Risk
Measurement or Bust: Operational Risks Working Party. GIRO (2003) Convention. Available
at: http://www.actuaries.org.uk/sites/all/files/documents/pdf/measurement-or-bust.pdf
Wächter, R.M., Shojania, K.G., Saint, S., Markowitz, A.J. 8c Smith, M. (2002). Learning from Our
Mistakes: Quality Grand Rounds, a New Case-Based Series on Medical Errors and Patient
Safety. Annals of Internal Medicine, 136(11), 850-852.
Winkelman, R.A., Van Den Bos, J. & Johns, C. (2006). Society of Actuaries' Research Project:
Health Plan Provider Network Risk, Society of Actuaries, USA. Available at: http://www.soa.
org/files/pdf/final%206-26-06.pdf
314
British Actuarial Journal, Vol. 77, part 2, pp. 3 Ί5-330. Institute and Faculty of Actuaries 2012
doi: 10.1017/S1357321712000219
First published online 29 May 2012
Enterprise risk management for health insurance from an

actuarial perspective
Abstract of the London discussion

[Institute and Faculty of Actuaries, 18 January 2011]
Contact
George Orros, F.I.A., E-mail: uhcg@cwgsy.net
This abstract relates to the following paper: Orros, G.C. and Smith, J. Enterprise risk management
for health insurance from an actuarial perspective. British Actuarial Journal, doi: 10.1017/S13573217
12000062
Miss S. D. Elliott, F.I.A. (the Chair): I welcome our two authors, Mr George Orros and Mr John
Smith, and all of you who have come to participate in this event.
Mr George Orros qualified as an actuary in 1973. He then acquired several other professional and
academic qualifications, partly in order to move from the "back" room to the "front" room of th
insurance and financial services world. Having spent many years in the healthcare insurance aren
as Actuary to BUPA, he moved into actuarial and management consultancy with a global firm
In the early 1990s he founded a specialist consultancy firm in the health and care insurance,
innovation and risk management space, initially in London and then in the Channel Islands. Thi
summer he has taken on a leadership role with a global risk management and advisory firm.
Mr John Smith is Group Chief Actuary at BUPA, where he has worked for a little over four years, an
is preoccupied with the actuarial, risk, capital and finance challenges of Solvency II, but also support
BUPA's strategic and organisational development interests. Prior to joining BUPA, Mr Smith worked in
the UK life branch of Munich Reinsurance in London, and before that worked in the United States,
first as an associate actuary with Milliman and then as an assistant actuary with Nationwide Insurance
He is a member of the Society of Actuaries in the US. He holds graduate degrees in mathematics and in
epidemiology, and has completed additional coursework in population health.
Following the traditional format of a sessional research meeting, Mr Orros is going to provide th
highlights of the paper and then I am going to provide my opening comments as to what I feel are
the key messages coming out from the paper. Then we will open up the floor for discussion an
finally Mr Smith and myself will close the session.
Mr G. C. Orros, F.I.A. (introducing the paper): The paper is wide ranging. It is not a technical paper
and is almost devoid of mathematics. One of the key messages is that ERM for health insurance
should essentially be about people and teamwork. It is about fully embedding ERM principles into
the corporate culture and to encourage the stakeholders, which includes the employees, to develo
their ERM for health insurance DNA and to have the confidence to believe that "we are all risk
managers here." It is not a "one person thing"; it is about teams and teamwork.
315
Health insurance, as we have described it, has both a long-term and a short-term dimension. If you
mismatch these two aspects, either strategically or in day-to-day decision-making processes, that
can and probably will lead to a wide range of difficulties.
For example, under the Solvency II regulatory requirements for business, which is for a one-year
value at risk calculation based on a l-in-200-year event, that may be a necessary success criterion
but it will certainly not be a sufficient criterion for the long-term viability of the health insurance
undertaking, given all the long-term aspects that are relevant for people purchasing healthcare
insurance products. Rather, you have to look at it from the point of view that healthcare insurance is
not like other short-term personal insurances. For example, motor insurance or travel insurance
focuses on events in the policy year (or the month if it is renewed monthly) whereas health insurance
focuses beyond the first period because people do not purchase health insurance products just to
have the cover for only 12 months. They are looking, it is hoped, to stay for a very long time -
maybe for decades, maybe for a lifetime.
So what really matters to achieve profitability, given the high acquisition costs associated with
:ertain personal health insurance, is having excellent customer service and high retention levels,
partly in order to encourage people not to go somewhere else. By and large, they buy health
insurance when they are fit and healthy, expecting that, sometime later when they are not so fit and
healthy, the health insurance company will still be there and ready to provide a service. This also
:omes back to some of the regulatory points about capital, and the aspiration that the insured will
not be discriminated against, that they will be treated fairly, and that they can trust that the health
insurance company has integrity and transparency and it is really there to look after them many
years after they made their initial health insurance purchase.
So, this business should really be about trust and reputation, rather than just what the lowest price is
for the next 12 months. That is a somewhat different situation from somebody buying personal motor
insurance, travel insurance or accident insurance, where there will be different considerations. These
different considerations should result in a different way of thinking, if there is going to be a reasonable
:hance of succeeding to have a profitable health insurance operation.
1 he second point is the health insurance company needs to be resilient whatever the future holds
and to have a roadmap as to how to achieve that, given the very complex nature of the business.
In order to do that, the business model needs to be clear, not just the model of the health insurance
:ompany but of its partners and its suppliers, because, as far as the public is concerned, what matters is
:he whole operation - the "brand." It may be that failure to meet customer expectations is caused by a
¡upplier and not by the health insurance company on their own, but that still damages the customer
ind he/she will still associate the "brand" with that failure. So the business model should be more like
'supply chain management", rather than just about selling cheap personal lines insurance.
Ihis is where hRM comes in, because the business should be looked at holistically with all the
3usiness decision levers applying to all the product and service aspects that might go well or badly.
^oming on to enterprise risk, a définition is:

•JiKM is a systematic process, embedded in the company's system of internal controls (spanning all
business activity) to satisfy policies affected by its board of directors aimed at fulfilling its business
Dbjectives and safeguarding both the shareholder's investment and the company's assets.
(16
The purpose of the process is to manage and effectively control risk appropriately (without stifling
entrepreneurial endeavour) within the company's overall risk appetite. The process reflects the
nature of risk, which does not respect artificial departmental boundaries, and manages
the interdependencies between the risks. Additionally, the process is accomplished through
regular reviews, which are modified when necessary to reflect a continually evolving business
environment."
Therefore ERM is not about "departmental silos", it is about the "whole thing".
Figures 21 and 22 in the paper show some of the common internal and external sources of risk.
This particular version of the external sources of risk was constructed about five years ago. There
have been many other external risks since that affect a complex business model like health
insurance. For example, the global financial crisis and current Eurozone crises with the collapse of
some currencies have severely affected all insurance companies. These events may affect supply
relationships and people's trust in currency over the next 20 to 50 years in which they hope to retain
their health cover.
"Medical inflation" and the external effects of that, particularly now with the cutbacks in public
services and the likely shift between the public and the private sectors, will lead to offloading some
healthcare risk from the state to insurance companies. How is that going to be factored in? What
about climate change and how that may affect risk over the next 20 to 50 years? This might be
relevant when considering future treatments. What about all the "green" issues in terms of energy
usage and other factors? Health insurance is long-term, maybe 20 to 50 years. These things matter
when trying to think through what needs to be done to enable the health insurance company to
survive and prosper over that length of time.
The world is constantly changing, particularly in the health and care field. Decisions taken now
might be regretted in 5 to 10 years from now, in terms of how the business model was set,
guarantees given, renewal of health insurance policies, medical advances; and to what extent the
company is tied into any of these. It could be argued that the company has to be aware of what is
happening in the outside world in order to have any resilience and robustness in the health insurance
undertaking.
More recently, with the "age of austerity" in the UK becoming a major theme, healthcare
insurance spend in the UK, currently at about 4% of the total health, is being affected. It is necessary
to look at the business processes behind changes and the stresses within those in order to be
able to manage the business. Part of that involves considering what are the value chains within the
business, both for the insurance operation but also the suppliers and the supply chain management
behind that. If the heath insurance business model is to be understood, it is necessary to think
about managing the "risk,", reducing the volatility, or improving the resilience, and how these fit
together.
Figure 10 in the paper sets out a typical value chain for a health insurer and the following diagram
helps summarise the various things to think about and do well in order to establish and maintain a
profitable business.
Healthcare provision is even more complex, as illustrated by Figure 31 in the paper. That figure shows
how things fit together and what the role is of the insurance piece within this bigger picture - perhaps
317
Modem Risk Management in Health Insurance
Nature of Encourage Provider

the Risk Wellness Contracting
Wellness
benefits Which
Underwriting
providers
Health are most
Pricing
Information efficient per
premiums unit of care?
Identify
Predictive
problems Care
modelling while still management
manageable in systems
"y
= Profitable Business
Diagram 1. Modern Risk Management in Health Insurance
96% of the total is not health insurance. The business process flows shown there may well affect w
happens in the health insurance piece.
Risk management and ERM are not new in the healthcare provision sector. Increasingly, more a
more risk management is being carried out on the health provision side, particularly in terms
clinical governance.
Figures 15, 16 and 30 in the paper show a common layout for a "risk heat map". This form of m
helps identify the relative importance of risks. Those risks positioned in the "red" or "extreme dang
zone mean that the business cannot tolerate those events. There are some events in the "green" z
that are really not significant and you should wonder why you are spending management time on th
within the insurance operation, when instead they could be outsourced somewhere else.
You have to look at the "before" and "after" situations on the risk heat map. Firstly, what was
situation before you took the business plan action? Secondly, what is the inherent residual risk aft
taking the planned remedial action? That is, what you think is achieved by having taken th
actions?
Management spend time worrying about anything that is positioned in the "amber" zone or th
"red" zones. You have to have very good reasons why, given the inherent residual risk, you sho
tolerate risks in the "amber" or "red" zones that appear to be uncontrollable.
On a more holistic basis, it is not just about downside risks. The counterpoint of risk control
opportunity management. There may also be an upside. The process to identify risks can a
identify opportunities that should be taken up. So one can try to position the opportunities as w
as the risks, in order to plan the business and to survive and prosper.
The Risk and Opportunity Management Framework is summarised in Figure 6 in the paper
replicated here for convenience.
318
Risk and Opportunity Management Framework
1. Corporate Governance 2. Internal Control

(Board oversight) (sound system of internal control)
3. Implementation
(appointment of external support)
4. Risk Management Processes

(incremental phases
of an iterative process)
Analysis Risk Risk Risk Risk Risk
Identification Assessment Evaluation Planning Management
A1 A2 A3 A4 A5 A6
5. Sources of Risk
(internal to a business and emanating from the environment)
Internal Processes Business Operating Environment
Diagram 2. Risk and Opportunity Management Framework
There are many underlying elements described in the diagram. ERM can and should provide a
holistic view of the enterprise. ERM can and should be an iterative process with many feedback
loops that are interactive. The arrows show the process. You can see there is no point in continuing
from, say, "analysis" to "identification" unless you are happy that the initial "analysis" made some
sense. Otherwise, you are building spurious models and actions. If you do not trust stage two from
stage one, then you had better go back and do it again. When you get to the end of the process of
risk management, you are making decisions in real time. If you do not have confidence in the
underlying models or the underlying analysis that gave those models, then you are never going to
implement it and then the exercise is totally pointless.
Having gone through the process and come out the other end with a sensible ERM framework for
dealing with risk management issues that come up, there results in effect a "real time" risk dashboard.
Figure 23 of the paper shows real time risks for a health insurance company as dashboards. If you
are in charge, either the CRO or the CEO, and the health insurance company has fully implemented
Solvency II then you will need to ask:
"Should there be any difference in terms of risk dashboards, what do you do about it, or what
do the dials mean in a real-time situation?"
If you think about it that way, then it is common sense. You have to have confidence that the risk
dashboard and the dials actually mean something, that means the underlying model must mean
something, and you are going to rely on it.
Moving on through the paper, we talk about Solvency II. There are many technicalities as to what
the current situation is, and many diagrams based on the current thinking on Solvency II. One
observation made towards the end of the paper is that the solvency regime has a specific aim. It is
looking at the health insurance company on a 1-year basis for a potential 1 in 200 year risk event,
and trying to ensure that on that basis the company is going to survive.
However, on the health insurance side, this may be inconsistent with how the business model really
works, and stress testing over a longer period of time may be necessary. Also, there is the issue about
319
the customers and their risk appetites, and the risk appetite of the health insurance operator
hopefully trying to survive more than one year. That is going to have an impact on how you run
your business model and how much capital you hold, and everything else.
What comes out of this is the realisation that although quantitative risk modelling is a necessary
condition for financial survival and for regulatory approval, it is not, and never can be, a sufficient
success criterion. The qualitative risk modelling aspects, which include corporate governance and
all the people issues, are fundamental.
The other point to make is that past observation may be very misleading. To take a well used
example, consider the turkey's experience prior to Thanksgiving Day in the USA. For a thousand
days, these nice humans look after it, feeding it and making it comfortable, yet the thousand
observations do not mean very much if you look at the whole picture. We also, like the turkey,
might only have a small window in our universe. It may be totally misleading because we only see
the bit that we can through the lens that we are given.
The theory of the black swan is basically saying that the world is full of discontinuities, that there is
not such a thing as equilibrium and we move from one discontinuity to the next. Then we post
rationalise the past events that are unexplainable. You have to be prepared: you have to expect the
worst and have some resilience so that whatever the world throws at you, you will be a survivor.
Our paper concludes with the words of Lao-Tzu, who 2,600 years ago knew all about ERM and the
importance of people and team work. It is only in recent years that the health insurance world, and
other financial services institutions, have woken up to these pearls of wisdom. Let me quote:
"Learn from the people

Plan with the people
Begin with what they have
Build on what they know
Of the best leaders
When the task is accomplished

The people all remark
'We have done it ourselves.'"
Miss S. D. Elliott, F.I.A. (the opener and the Chair): The phrases that struck me when reading the
paper were "unknown unknowns", "known unknowns" and "known knowns". This is a great way
to describe what we are trying to do in this field.
There are lots of opportunities for healthcare actuaries, especially with the advent of Solvency II and
the developments which are going on, given the complexity of health insurance risk. The paper
states that to date non-actuaries have populated the field of risk management and enterprise risk
management. It is a discipline that we can get really involved in.
The paper discusses healthcare management, focussing on the quantitative as well as the qualitative.
It talks about ERM framework models, COSO, which model seems the most appropriate. It is
about constantly identifying risks and monitoring the most important ones. There is no sense in
monitoring the ones on the bottom left-hand corner of the risk heat maps, which are too easy to do
and maybe we should outsource them as Mr Orros suggests.
320
Then there is the culture of the organisation. The aim is not just getting the model in place but
ensuring this works across the organisation.
There are two points I wish to add as an ex-reinsurer. First, analysis is the foundation. There is no
sense in having that first step wrong as the rest will fall apart. In particular, before that stage, the
data for analysis needs to be credible, as it is unhelpful to shift towards very complex modelling
solutions when you do not have the appropriate data.
Second, we need to identify the combinations of multiple risks. This is key to healthcare given that
we have both internal and external sources of risk. In healthcare we have the NHS and what could
happen there, what could happen in a pandemic, and things like that. I do not think that there is any
other product that is more involved with different internal and external sources of risk.
Catastrophic risks also need careful consideration. Mr Smith and I were on a CAT risk task force for
CEIOPS and Solvency II. This was interesting because putting CAT risks together in non-life
businesses is very complicated. There were so many things to think about. At times we were having
difficulty coming up with what CAT risk there could be for healthcare, but we eventually came
down to a simplified CAT risk model, as the NHS A&E picks up emergencies in the UK.
The ERM frameworks for dealing with "expecting the unexpected" are discussed in section 2.24 of the
paper. Mr Orros mentions the Black Swan logic in section 2.26. I thought that was quite interesting.
In section 3 of the paper, treating practical examples of risk and opportunity, the authors consider
under 3.4 the risk matrix, R-W-W, that is asking the questions, "Is it real? Can we win? Is it worth
doing?" That is a good theme to consider. I note that this extended to consider a holistic approach
looking at the quantitative and qualitative aspects.
The innovation portfolio was helpful, covering product development and adding new features to
products, whether to manage risk or add new product features to help the market position. Showing
how you can move from risk control to opportunity management is a very positive message and
shows the process is not all about the negative side but also where the opportunity is.
In section 5 the authors address Solvency II for healthcare insurance, promoting capital and risk
awareness, which has been a big challenge for the industry, not just in the UK but across the EU. We
have tried to harmonise insurance regulation across the EU. However, we realised fairly late that it
was not going to be easy to harmonise the products, as they vary from country to country, and
different products have the same name in different countries.
At least as the Actuarial Profession we have been able to help with the consultations and encourage
risk management, transparency and market efficiency. The issues are about risk-based capital and
the overall risk management of the business portfolio.
There was much debate about the names and the categorisation of the whole healthcare module.
The authors summarised it very nicely, covering SLT and non-SLT in paragraph 5.2.4.
At one point the new regulations were going to treat healthcare all under life, and then some
healthcare under life, some under non-life and some under the catastrophe risk element. We
negotiated a separate healthcare module.
321
For non-SLT, the authors summarise the transition of the premium and reserve factors for the non
SLT component for the PMI and how that has developed over time. There may be some questions
you might have for the authors as to how that has moved over time, and the ups and downs that it
has had. I am sure it is going to continue.
The biggest message of the paper is in one of the concluding remarks, which may cause some debate.
The ERM frameworks are much more complex for healthcare than for life and for non-life, that
being due to the internal and external risk factors, combining with quantitative and qualitative, and
also introducing the public sector into it.
Those are my initial thoughts and I now to open it to the floor for further discussion.
Mr R. H. Plumb, F.I.A.: I am now an academic at Cass Business School. I lecture on health

insurance but also life and pensions. I am going to deal with four points in a very good paper.
The first point relates to subsection 2.13 (paragraphs 2.13.1 to 2.13.10). This treats analysis and
getting the right information and it has been referred to by both speakers this evening.
Years ago, before even perhaps the phrase ERM was invented, I had this task in a different business
life - in essence to try to get hold of some of the problems faced by my employer at that time. I could
be used because I had worked with most people and had their confidence to be able to be told their
real secrets, the real bits of dirty washing. Some of problems I could guess. One or two I got near by
the guesses and, as they trusted me, out came the whole story.
I am very concerned about whether actuaries generally have that type of training to get at all the
information. The Actuarial Profession is extremely good, once it has got the information, in
analysing it. I seriously wonder whether this task should be undertaken by a multidisciplinary team:
an actuary who has the mathematical expertise, analytical and everything else, coupled with
somebody who is suave, who can actually gain the trust of people, ask the right questions and get
the complete answers.
Actuarial investigations are like my late father's interrogation. He was a senior police officer and,
while I was used to his style of questioning, everybody else who came into the family found it
extremely difficult to deal with. I suspect that might be the case with actuaries in the early years of
doing this.
I would welcome the views of the authors and welcome views from other people. It is dangerous for
actuaries in the early years to go on their own rather than as part of a team.
Mr Orros (responding): The point throughout the paper is that you are building foundations, and,
if the data is inappropriate when you get to the analysis stage, there is no real point carrying on.
More importantly, when you get to the next stage - trying to identify risks and put these into a risk
register - you may find that there are questions raised over the initial work that was done. The only
solution then is to go back and to redo it and to put in the extra work, because what you are really
building is the trust and integrity of the whole system. Unless the model represents the real world, it
is a pointless exercise and is of no benefit to anybody.
Mr Plumb: I will move on to my second point.
322
In paragraphs 5.3.5 to 5.3.7 of the paper presents an analysis of BUPA, an insurance company that
has declared some of its experience. In recent times, authors have tended to produce papers and
analysis not using their own data. Some of the great actuaries from the past used to say, "I am aware
of an office" and then produce their office data and say, "Well, we have found so and so". Long may
this type of approach continue.
I would urge people to quote their company's data, with some qualification if necessary. By doing
so, and bringing that to the table, I have found in my business experience that I learnt far more than
I gave away. I may have given information but I learnt far more in the process.
May I pass on to my third point. There was a remarkable landing on the Hudson River in New York
very recently by a skilled pilot. That was down to sheer experience on the back of years of flying.
We have got to be careful if we are flying on four engines that we do fly on four and not on two. We
are at the beginning of the process and need to be careful as to what we try and do. It is not
appropriate to build a model claiming to be an absolutely super model to start with. Current models
should be treated as an indication of where we might go to.
Mr Orros (responding): I would like to address where we are by commenting on the risk dashboard.
This needs to be simple enough so that you understand it and/or avoid redundancy. If you read a lot
of management writings from the famous companies, particularly about General Electric maybe 20
or 30 years ago, there would be reams and reams of business plans and reports and glossy
presentations, and all the rest of corporate planning. And then they threw it all away and said,
"What we want is simple storyboards that can explain your proposals and your requests for
investment on about one or two sides of paper, preferably using pictures. And, if you cannot have a
storyboard using visuals and pictures explaining why the investment really is a good idea, then we
are not even going to look at it because we would be blinded by having your 200 page business plan
report. Furthermore, if you cannot express the business investment proposal in very simple terms,
perhaps via a simple risk dashboard that is sufficient but is not distracting, then you are in no
position to manage the organisation or to be in charge of risk."
So the question is: what is going to help you to sleep at night? What do you want shown
on one sheet of paper that you are going to look at every day that is going to help you to say,
"I have looked at enough to actually make decisions. I do not want to see a 200 page report.
I want to see a few pictures on a storyboard and/or risk dashboard and everything has to mean
something."
Dr D. J. Hughes, F.I.A.: I thank the authors for this very helpful paper. I showed it to a non-actuary
who works in insurance, and he commented that he never knew actuaries wrote such useful, clear
and helpful papers.
There was a phrase mentioned in the authors' introduction of the paper this evening that struck
home with me: "We are all risk managers now". This is very useful to bear in mind in discussing all
sorts of scenarios.
You emphasised working in teams. There is one very important role in a typical health insurer that
should certainly be involved in the team because they have been doing this for years, and that is the
underwriter. Underwriters have said as much in this hall. I hope their time has come. An underwriter
probably hits the ground running as far as these sorts of issues are concerned.
323
Section 6 of the paper made me pause. It seems to hint that health insurance may not be long-term,
but it nevertheless has horizons which extend beyond the short-term. There is something for us all to
think about here. A phrase that comes to my mind is "policyholders' reasonable expectations".
What are their reasonable expectations with regard to a product which might not be wholly short
term? Another phrase, "treating customers fairly", has not come up yet.
There are many circumstances where promises have been gradually extended. Insurers have
gradually been assumed or asked to offer or promise just that little bit of extra reassurance going
forward, which has often led to problems. It may be possible to offer some sort of longer term
health insurance, but I am sure it will be very expensive. This is not just a question for insurance
companies, but also for those who sit on regulatory or advisory committees. The authors say in
paragraph 6.3 of the paper that perhaps the supervisor would seem to be indifferent about this
aspect. I probably have not understood what was meant here, but it seems to me odd that the
supervisor might be indifferent to the extent of the forward horizon of a contract which is perhaps
not purely short-term. Perhaps I can invite you to develop that theme.
Mr J. Smith, F.I.A. (responding): The second and third points are closely related.
There could be conflict about what "indifferent" means, because it seems, if the supervisor is
focusing on the short-term, this tail risk in the short-term (by the strict definition of what is on the
balance sheet), is a 12 month contract, and they are saying, "Gosh! That brand! Long-term loyalty,
we appreciate it, but it is not on the balance sheet." So it is not really exposing this customer to
risk but is the heart of doing business, affecting business decisions and the value chains, supply
chain, distribution. It is essential; it is at the heart of the matter, but I could see them not necessarily
getting it.
Solvency II might not be as robust as we want it. It has to be "not one size fits all" but flexible
enough to accommodate all businesses. If you have health insurance which is not quite fish or fowl -
it has features of long-term and short-term business - it does call into question many fundamental
things that would be taken for granted as supervisors try to get a handle on all of this and manage
general insurers, non-life insurers and life insurers. "Indifferent" is probably in the sense that "we
are ticking that box on the tail, and I really do not understand the stuff about the long-term nature
of it". So I am not trying to say that they just do not care; I am sure they care, and in due course will
understand the nature of the liabilities.
The Chair: On the same point, the supervisors have also got to contend with actual true long-term
health products as well as more protection products and not get confused.
Mr Smith (responding): The supervisors will get to know what it means and what is most valued.
What are the key decisions that management takes in health insurance? What are those disaster
scenarios? What do they really look like for the testing regime that just came into effect in December
and is anticipated in Solvency II?
We can think about reverse stress: what is it that will lead to a health insurer failing? The answer
would describe in detail what would go wrong or what combinations of things.
If the supervisors really pursue that, and encourage firms to do that and get into the detail then the
management, including the non-executives, would not be indifferent. If they truly believe in this
324
stress test, it is going to pick up the limitations on the short-term focus that the SCR has been
calibrated to, including the CAT module. The CAT module has a 12 month focus as well, even
though most catastrophes for a health insurer probably unfold over a longer period of time. It
depends on how they approach it. It might take several years before the spirit of that and what it
means gets into the dialogue between the supervisors and the management boards in a meaningful
way from an ERM perspective.
The Chair: The other unanswered question is about working in teams, especially with underwriters.
I know that the answer again is going to vary between a short-term writer and a long-term writer.
Long-term we tend to have been involving underwriters because of the medical aspects of the
product.
But any comments from the authors or the floor about involving underwriters in ERM?
Mr Oíros (responding): If you can have a team of professionals that respect each other, albeit with
different backgrounds and different professional experiences, it can only add value. It does not
matter if it is an underwriter, a doctor, a nurse or the government administrator. Healthcare is a very
complex subject. The more you can understand where everyone is coming from, and everyone's
business models, and that of the supply chain, the better the decisions that the health insurer is going
to be in a position to make. If underwriters have something to say that others are not saying, then
they ought to be listened to.
Miss Ε. A. Howell, F.I.A.: I read the book about black swans and wonder if you have built things
like dashboards that look at the risks that you are managing on a day-to-day basis, do you end
up missing out on the black swans which are not easy to put on the dashboard? How do you
actually envisage a black swan? The whole book seems to be very much about unknown unknowns,
so how do you actually guess what the next unknown unknown is because, by definition, it is
unknown?
Mr Orros (responding): The important thing is to appreciate that, in the real world, discontinuities
do happen. Therefore, if you are going to serve the public as a health insurance company, they
expect you to be there for the next 20, 50 years, or even 70 years, whatever the future throws at you.
You certainly do not want to put all your eggs in one basket. You will want to be a survivor.
That means making small bets on many different things. If you look at other industries and how
they do this, there are a many good examples. If you are in oil, mining, or other exploration or
energy industries, they do get disasters and you can learn from those disasters to say, "What would
you have done had this happened to you?"
For example, there was the BP Deep Water Horizon incident most recently. As the press stated, that
incident was badly managed, at least in terms of how the company management dealt with the
emerging ecological disaster. I understand that some other energy groups around the world, as soon
as the BP disaster happened, spent the next three months or so with large research teams analysing
exactly what happened, what was the process, what was the sequence, what would they have done
in exactly the same circumstances, and how comfortable are they that had it been them they would
not have made the same mistakes. I understand that they believe that they would have survived.
Some boards of energy groups came away saying, "We are satisfied that if it was us, we would have
done things differently and would not have got into that situation."
325
In summary, you have to have a crisis team which is able to respond whatever you throw at them.
That means training, stress testing, having workshops and management retreats to throw
unexpected events and seeing how you cope with them as a team.
There has been much work in the area. Many major companies do this as a matter of routine to
prepare themselves for the worst. The more that can be stress tested in different scenarios, the better.
I have chaired some groups that have looked at company failures. It is always a combination of
events that cause failures. It is never pandemics or frequency of claims. It is generally bad
management or bad reaction to reputation loss. It may take you 50 years to build up a reputation.
You can lose it in a few days quite easily.
You can learn from those situations. You need to go through case studies of imagining that you were
that company: "here is the news, please react". Let us see how you behave. It is hoped that you learn
from the process.
Just one anecdote: the most famous case of a company that lost its reputation in about five minutes
was Ratner's, the jewellers, where the chairman was cracking jokes in an after-dinner speech and
made two jokes about Ratner's products, but it cost the company about £500 million in about five
minutes. Even though it was just two jokes at an after-dinner speech, the company disappeared. You
can very easily lose reputation and it is very hard to rebuild it afterwards.
You need to learn from these situations and play them through in real case studies and say, "Please
react; please behave as if it was you", and, it is to be hoped, when it does happens to you, you will
have learnt from that case study.
Miss Howell: I agree with all of that. I would be interested to know what your thoughts are about
planning in advance. Learning from hindsight is a little bit of the black swan example. People can
rationalise after the event, believing, with hindsight, they would have known what to do.
But we should not always just be trying to think with hindsight. It needs to be something a little bit
more forward looking than that, surely.
Mr Orros (responding): As I said before, that is why the board should have non-executives on it
with diverse experiences and, it is to be hoped, between the board's experience, there will be enough
different backgrounds, and strong characters, so that you think of more situations than otherwise.
People invest in the wrong things. What you think is risk management in terms of protection, when
you look at the losses after the event, are never what you expected them to be. If you read Professor
Taleb's book on the black swans, he did consulting work for a casino in Atlantic City where they
had spent several hundred million dollars over a ten-year period trying to protect the casino from
losses, and they had invested hundreds of millions in terms of CCTV, checking the background of
the croupiers, all sorts of stress testing on that, expecting the losses to come from internal
corruption, basically from insiders.
What he found was that the investments they had made in security to protect themselves against
losses accounted for less than one in 1000 of the actual losses which took place over 10 years. What
happened was they had three or four major losses, none of which they had predicted.
326
The unexpected happens and you just have to be wise enough and diverse enough to look at all
examples and say to yourself, "Let us learn from what happened to that competitor of ours."
Mr A. J. M. Labram (student): A lot of what we have discussed here about the unexpected does not
seem to be within the ERM framework. You cannot plan for them. Isn't it a waste to spend a lot of
time running through scenarios trying to find out how you would prevent these unpreventable
situations?
The other question I have is that the other risk of running through a lot of scenarios is you get
paralysed by all the extreme tail risks that could conceivably crop up.
I am reminded of "medical student syndrome", where the medical student reads a huge textbook full
of every known disease and suddenly concludes that he has at least half of them and panics. Is there
a risk of companies overdoing the risk management, particularly on the tail events?
Mr Smith (responding): The paralysis response I can see coming more and more as people develop
ERM. That was close to the point we discussed earlier. All this risk is going to make us more
prudent, if we just can get our heads round it and think about it the right way. The other side of
your question is: is it actually going to make us believe that we understand things better than we do?
I guess that is what effective ERM does. It allows you to put together what you think is your best
guess and how you manage the slight swings around that best estimate versus these real things
which you should anticipate or understand to allow you to build a more responsive culture. That is
the trick about being a good risk officer: you to see more dynamically how to manage what your
overall exposure is, even if you cannot fully understand it. Over time it would allow you to survive
more shocks that you just cannot anticipate, or big ones, or combinations of those.
Mr Orros (responding): Bear in mind that an organisation is only as strong as its weakest link.
Therefore it is hard enough to get things right in a very volatile world. It is easy to get things wrong if
you have not got good corporate governance and/or proper systems and controls, or if you do not
understand your business models, or do not know what your value chains are. If do not know how
your suppliers think and behave and what their models are, you are in no position to think about risk.
We can think of it like Maslow's hygiene factors. If you can get the basic factors, the basic principles
right, then you need not worry about those. Then you can worry about growing your health insurance
operation rather than worrying about systems failing, fraud, inaccurate reports coming through, or
the wrong data coming through. You have enough to worry about without worrying about the
hygiene factors. The hygiene factors you can get right. Everything else is much more difficult.
The Chair closing: The key theme throughout is ERM in health insurance is all about people and
teamwork across all the stakeholders.
We are all risk managers and the real-time risk dashboard should help to reduce the clutter so that
significant events are not missed, except when the black swan is flying by (with a co-pilot to pick up
the consequences).
Teams of professionals who respect and understand what each other does is key. Being able to
prepare for the unexpected was considered. This is a point which Miss Howell raised.
327
We have just mentioned paralysis by analysis. If we set about having multi-disciplinary teams it is to
be hoped that that will stop the actuary from going in circles and going down areas where it is just
getting too negative.
I should just like to reiterate some things from my opening remarks about the ERM frameworks
being more complex for health insurance than for life or for non-life. The authors have clearly
demonstrated this, both in the paper and in the discussion. There are a number of internal and
external influences that we need to deal with. They can be quite complex.
The qualitative analysis of ERM for health insurers is very, very important, not just the numbers;
and the qualitative element can add to the discussion about the amount of capital that is needed,
especially when we are bringing the public sector into it as who knows what they are going to do?
Mr Smith (author closing): I was surprised how much of our discussion was on pure risk management
and the specifics about health insurance. What I am going to do is to draw out a few of the health
insurance issues that reflect back on some of the risk management issues and ERM issues touched on.
We have touched on this long-term versus short-term issue. There is no one risk appetite out there or
no one risk horizon. There are competing risk perspectives and risk appetite horizons. What the
customer wants and seeks might be different from what the regulator wants, what shareholders
want or what the government wants. How you coexist with all of this and deal with the pressures
within them is intrinsic in health insurance.
It can find its way into the industry in terms of organisational thinking in ways that you might not
anticipate. If the consultancies are showing up and saying, "I have this return on capital snake oil" is
that what you need? Only that one-year return on capital metric? Is that good enough or is that
emphasising the one-year time horizon too much?
Health insurers will be forced to think more about how to set all this up rather than just necessarily
buying it in. A lot of the material and thinking have been on the life side adapted toward the health
side. Health insurance is not motor insurance or life insurance but it has features of both.
It would be nice if we could come up with a way of dealing with medical inflation so that we can
create long-term health insurance contracts that allow us to manage these risks over long term.
Those markets have not yet been viable. Therefore, we have focused on the short-term perspective
in terms of legal substance and capital, even though the customer is looking for brand and loyalty
and long-term protection.
Health actuaries will be forced to call into question many assumptions and methods. The more they
do that, the more they will get into the essence of ERM.
Brand and franchise value are not on the balance sheet. They tend to be the essence of what, as
health insurers, we are focusing on. It is not about the fat tail - the assumption-heavy fat tail - or the
big black swan. It is more about operations and how we think about what is happening to the
people in the insurance pool and the distribution of it and also the supply of services.
We tend not to think about clinical risk and the governance of clinical risk, but in some ways that is
the essence of what health insurers have to do. Clinical risk management, medical management, the
328
disease management aspects and what that means to your brand is already important but it is going
to be more so. Any good framework for health insurance would pick that up - not just the volatility
about the claims coming from cardiac events, hip replacements, or other procedures - but who
should be in your system or in your provider network. If you do not pick up the right people and
you do not manage that well and something goes wrong, that can really affect your brand. It can
affect your ability to distribute your product; it can have dire consequences and have domino effects
on how you are trying to manage other strategic opportunities or business development effort.
Health insurers are forced to think a lot more like retailers in terms of supply chains and the
intrinsic risks, and less in terms of those distributions and a big capital model. It does not mean that
they are entirely irrelevant; but if they were managing that franchise and brand, which is not on the
balance sheet, then we have to think differently about what is happening more broadly with the
ERM as it is coming through on the Solvency II side.
Health insurance is complex so it is important that we get an organisational memory - a rich

connectivity between people, with mutual respect, being able to ask the right questions throughout
the system and getting people to communicate the right information without getting so cluttered
with noise that they get quite paralysed.
That is a particular problem because health insurance is probably the most complex form of
insurance on the product side. There are lots of providers, there are trends, and there are any
number of pricing points to pick up to make that small margin that the industry tends to get.
It is balancing all that complexity in a holistic way that is meaningful and focused on the enterprise
mission that is going to stand in future.
Healthcare is contextual. It is a social, political, macro-economic provision and is increasingly

globalised with outsourcing services to India, for example, with people looking at X-rays, and what
have you.
If 96% of all healthcare spending in the UK is coming through the NHS, and they are just about to
overhaul it in some way, a shock to that 96% is going to show up somewhere in that insurance 4%.
That could be a big change. This could be happening simultaneously with other changes. Perhaps,
because of the money printing that is going on, which may not lead to inflation but in the context of
the macro factor feeding in and increasing the risk, could suddenly lead to increases in premiums of
25% at the same time as a shift in demand because of the NHS overhaul, and maybe because the
Competition Commission has decided to do something clever resulting in major shocks to the
system. These scenarios are intrinsic to health insurance.
The development of these risk frameworks in Solvency II is not entirely devoid of contextual
thinking. They tend to look at systems and insurance entities on a very silo or entity basis. Health
insurance does not work that way. Thinking about things in that broader context is going to be far
more critical to that.
As actuaries we have to question ourselves and our tunnel vision on all of this. So, in actuarial
practice, how do we think about understanding what risk management is, the right way to ask
questions to really know what we do not know, what we do know and how to deal with those
potential black swans?
329
Teasing all of this out involves questioning such things as what hidden assumptions we are making
about nice stable trends and nice stable loss ratios. Those are some assumptions thatNve probably
have now that have grown out of recent history. But Solvency II, if it were freely followed in spirit,
would really call that into question. It is going to take a lot of work for actuaries to do that. That
feeds into thinking about the Pillar II dimensions.
What Solvency II means for health insurance is, at heart, far more concentrated in Pillar II. It does
not mean that Pillar I and Pillar III do not exist. There would be more calls on health actuaries to
fulfil that Pillar II role, given all this complexity, and given the nature of the enterprise. It is hard to
imagine life and general insurance actuaries having quite that type of exposure to step up and
embrace ERM in quite the same way in many topics we have touched on.
Solvency II is necessary but not sufficient. Health insurance is more than about volatility of the loss
ratios and fitting that to a normal distribution; it is about this complex system and supply and
demand, major social and external factors that need to be balanced as we continue into the future.
Those are the main points from the paper from my perspective.
The Chair: It leaves me to thank the authors for an excellent paper: thank you to John and to
George. I found it quite refreshing to have a paper that you could get through quite easily without
lots of formulae. The messages coming out were excellent with the Solvency II section at the end
summarising it all.
Also, thank you to all of you who have participated this evening.
330

Cambridge University Press, Institute and Faculty of Actuaries British Actuarial Journal

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cambridge University Press, Institute and Faculty of Actuaries British Actuarial Journal

Uploaded by

Copyright:

Available Formats

Institute and Faculty of Actuaries

Enterprise risk management for health insurance from an actuarial perspective

Enterprise risk management for health insurance from an

G. C. Oíros* and j. Smith

1.2 Structure of Paper

(a) Solvency II developments and issues for health insurance business.

(a) Is health insurance fundamentally different as a class of insurance?

1.2.6 Finally, in section 7, we draw some conclusions.

2. ERM Framework for Health Insurers

2.11 COSO ERM Framework Model

2.11.1 COSO (The Committee of Sponsoring Organisations of the Treadway Commis

"Enterprise risk management is a process, effected by an entity's board of directors, m

2.11.3 The COSO ERM framework is illustrated in Figure 1.

Figure 1. COSO ERM Framework

2.11.6 According to COSO, ERM encompasses:

Figure 2. Risk appetite expressed as a risk map

Figure 3. Principle and effects of specific business plan revisions

2.12 Standard & Poor's ERM Framework Model

2.12.5 The strategic risk management pillars are illustrated in Figure 4.

Figure 4. Strategic Risk Management Pillars

2.13 Chapman ERM Framework Model

"ERM is a systematic process, embedded in a company's system of internal control (spanning

2.13.3 These Board functions are illustrated in Figure 5.

(a) Corporate governance (Board oversight).

Policy review cycle

Accountability Policy Formulation

I Operations review cycle |

Figure 5. ERM Board Functions

(c) Implementation (appointment of external support).

1. Corporate Governance 2. Internal Control

4. Risk Management Process««

Internal Processes Business Operating Environment

Figure 6. Overview of Chapman (2006) ERM Corporate Governance Model

Figure 7. Chapman (2006) 6-stage ERM process

Figure 8. IDEFO Process Mapping Technique

1 Appointment 1 Business risk management culture

1 Finance analysis tools 1 Business analysis findings

Figure 9. Typical process map for ERM analysis stage

(a) Define and articulate the mission and business objectives.

(k) Review the existing risk register.

2.14 A1 Analysis Example - Value Chains

2.14.2 Figure 10 provides a typical value chain for a health insurer.

Health and care insurance services

Company infrastructure (tor example. ERM. finance, accounting, legal)

Figure 10. Value chain for a health insurer

2.15 A1 Analysis Case Study - Delphi Method

2.15.3 The second iterative step is 'Risk Identificationwhich is a transformation process

1 Business risk management culture

2.15.5 The 'Risk Identification' process must be based on a clear under

2.16 A2 Risk Identification Example - Risk Register

Risk Register - Stage 2: Risk Identification

Figure 12. Risk Register - Stage 2: Risk Identification

2.17 A3 Risk Assessment Example - Causal Modelling

1 Risk management resources

1 Probability distributions 1 Risk register,

2.17.3 Figure 14 provides a typical high level risk map.

2.18 A3 Risk Assessment Example - Risk Heat Maps

High Level Risk Map

Figure 14. High Level Risk Map

Rare Unlikely Moderate Likely Almost certain

Catastrophic - the business Extreme Extreme Extreme Extreme

Major - operations severely Extreme Extreme Extreme

Moderate - significant time & Moderate Extreme