ERM Basics for Group Captives
June 05, 2019
Readers might be somewhat surprised by the title of this article. Some may ask why single-parent captives shouldn't need to understand enterprise risk management (ERM) basics as much as group captives do. The reason to focus solely on group captives is twofold. First, there are myriad Internet stories touting how single-parent captives can be used to fulfill the risk mitigation functions of their corporate parents as identified by ERM. Second, most single-parent captives are housed within the risk management or finance functions of their respective parent organizations. Without a doubt, these parents will have a number of employees who have functional responsibility for the parent's ERM initiatives, which will include the captive. Compare this with group captives, where the ERM function may exist in some form or another with the captive manager or not at all.
The genesis of this article is a recent financial audit for an insurance company with which John Foehl, Captive.com editor, is familiar. The state insurance department examiners placed great emphasis on how the company was dealing with cyber-security issues and how those were then incorporated into its ERM program. This new scrutiny by insurance examiners suggested (at least to Mr. Foehl) that the captive industry, and particularly group captives, probably need to pay closer attention to ERM. Therefore, we offer some ERM basics for group captives to consider.
Who Should Perform the Functions of the ERM Committee?
This is the first question a group captive will need to answer. Group captives may consider assigning this role to their captive manager for a number of reasons: the captive manager will have a greater knowledge of ERM and how to build an effective ERM oversight process; captive board members have limited time to devote to the process; and it is more cost effective to outsource the function than to have the board handle the matter. However, we suggest that captive boards rethink the tendency to delegate ERM and instead consider building a risk subcommittee within the board. Alternatively, the entire board may well want to be involved in the process.
A search on the Internet for "ERM committees" provides a number of position papers describing how to build an ERM committee, its role, and the necessary tools. As a result of the financial crisis, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed. As described on its website, COSO is a joint initiative between five private sector organizations that are "dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence." Its inaugural report, Effective Enterprise Risk Oversight: The Role of the Board of Directors (2009), stated as follows.
An entity's board of directors plays a critical role in overseeing an enterprise-wide approach to risk management. Because management [editor's comment: in the case of most group captives, the captive manager] is accountable to the board of directors, the board's focus on effective risk oversight is critical to setting the tone and culture towards effective risk management through strategy setting, formulating high level objectives, and approving broad-based solutions.
What Should the Role of the ERM Committee Be?
Assuming your group captive board determines that it will assume this responsibility, this is the next logical question. Basically, the committee should have oversight and approval of the group captive's enterprise risk management framework. This should include the following.
- Oversight for the group captive's risk appetite and risk tolerance.
- Creating appropriate policies and procedures relating to risk management governance and risk management practices. (Note, in many instances the captive's audit firm can offer guidance and suggestions to the board to fulfill this function.)
- Processes and systems for identifying and ranking risks borne by the captive and a formula to identify risk management deficiencies and emerging risks on a company-wide basis.
- Ongoing compliance monitoring of the policies and procedures developed in Step 1.
- A methodology for addressing and correcting risk management deficiencies identified as part of Step 3.
Once the board has agreed on the role of the new committee, we suggest the board and/or the committee develop a charter for the ERM committee. A charter specifies the committee's responsibilities and how it carries them out. The more precise the committee's charter, the better able it will be to carry out the oversight vested in it. (Samples of ERM committee charters can be found on the Internet in abundance.)
What First Steps Should the Committee Consider To Improve the Risk Governance of the Organization?
Assuming your group captive has gotten this far, this is the next question. The steps are as follows.
- Notify all the captive's professional vendors of the formation of the committee, and indicate the committee will want to understand how each vendor addresses ERM risks associated with the captive.
- Consider creating a benchmarking process against peers. For group captives, this may be easier said than done, but we suggest this would be a function that any number of the captive associations could provide under their educational and training function.
- Seek guidance from other risk management professionals, and consider inviting several speakers to help the committee get up to speed.
- Focus more of the board's attention on risk management and its value proposition.
- Review the captive's ethical guidelines and code of conduct.
In a future article, we will explore the more technical questions associated with ERM and how a group captive board can use these to effectively fulfill its ERM function.