Enterprise risk management is becoming ever more deeply embedded in property/casualty insurers' corporate DNA, according to observers.

In part, insurers have little choice than to embrace ERM because of pressure from regulators and rating agencies, they say.

But with ERM insurers also can take a broader view of risk than they might otherwisedo, making it a strategic tool to gather risk information across the enterprise.

“They pretty much have to have ERM,” said Howard Mills, chief adviser at Deloitte L.L.P.'s insurance industry group in New York and a former New York superintendent of insurance. “It's pretty much expected that every regulator will expect every company to have an ERM program.”

“Both with regard to regulators and rating agencies—they're looking at who owns ERM,” said Mr. Mills. “The expectation is that it's done at the board level. Increasingly, you're seeing a restructuring at the board level to deal with risk, with a separate board committee.”

Zurich Insurance Co. Ltd. has been involved with ERM for more than a decade, said Linda Conrad, director of strategic business risk for Zurich in New York: “It's very essential to us as a company.”

She said ERM began as a means to comply with capital requirement regulations. But it has proved to be “a great strategic tool to start to gather additional information about managing risk across the company,” she said. “We've got a risk-based understanding when we're making strategic decisions.”

%%BREAK%%

“ERM is a comprehensive network that starts with the very definition of the risk appetite,” said Jacob Rosengarten, executive vice president and chief enterprise risk officer for XL Group P.L.C. “It's not a black or white question,” but rather a definition of success or failure among multiple tolerances of risk in different areas such as operation risks or liquidity statement, he said. “It's all about trade-offs.”

Mr. Rosengarten stressed that ERM has to be embraced by the corporate culture to achieve its goals. “A very strong risk-reward mindset is critical,” he said. “We want to have as few barriers as possible to free exchange of ideas.”

“ERM means, at its core, companies look at it as an opportunity to enhance their risk management program,” said Eric Simpson, Philadelphia-based practice leader for property/casualty consulting at Towers Watson & Co. “It's also an opportunity to take a more integrated view across companies that might have taken a more siloed approach to risk.”

“Traditionally, (property/casualty) insurers focused on risk in silos, and heavily on underwriting risk,” said Maryellen Coggins, a Boston-based director with PricewaterhouseCoopers L.L.P.

“ERM allows integration of each individual risk view into an integrated enterprisewide view. Insurers have been developing ERM practices over the past 10 years and have really made significant progress ... with embedding ERM processes into existing business and strategy setting processes,” she said.

Technology has been key in promoting ERM, said Mr. Simpson.

%%BREAK%%

“Technology has advanced so they can better measure their accumulation of risk and supplement their risk management decision-making and better inform the decision in a host of areas,” he said. “It's all about enhancing risk management and enhancing risk performance through a better framework.”

Ms. Coggins said insurers face two primary challenges in the ERM process.

The first involves tools, she said. “ERM requires really sophisticated quantitative tools to support management decision-making—such as economic capital models and stress-testing tools,” said Ms. Coggins. “It takes time for management to begin to use the results of these models and to really have comfort over the results of these models.”

The second challenge involves the timeline for implementing the process, according to Ms. Coggins. “Insurers have been developing the practices over 10 years and doing it in a very measured manner. They're doing it very carefully, but increasing external stakeholder demand for risk information has really accelerated the timeline.”

“We've taken a real active approach to invest a positive culture of risk,” said Zurich's Ms. Conrad. “A risk assessment is seen as a positive thing,” not only as a means to avoid potential pitfalls, she said.

Zurich follows a process called total risk profiling, said Ms. Conrad. She said the insurer performs the process about 200 times a year, going from the board level through the C-suite to the operational level.

“We do this total risk profiling process to lay out in a very organized fashion to see what the major exposures are at the company,” and to see what the triggers might be that would cause that risk to come to fruition, she said.

%%BREAK%%

The consequences of the risk can depend on the trigger, she said. To mitigate the risk, each scenario has an action owner assigned to it.

“We can look at improving the risk and look at controls that prevent it from happening. You want this total risk profiling process to occur before budget time,” Ms. Conrad said.

Towers Watson's Mr. Simpson said insurers' attitudes toward ERM have shifted considerably during the past decade.

Ten years ago, some companies viewed ERM as a fad and “they had a rough time rationalizing its benefit,” he said.

Now “everyone is well beyond that,” said Mr. Simpson.