Cary Schneider
212-669-9200
Date: May 7, 2001

Enterprise Risk Management Offers New Opportunities for Insurers to Develop New Risk Transfer Products

MIAMI BEACH, FLA. May 7 -- The growing use of Enterprise Risk Management (ERM) is encouraging insurers and reinsurers to develop new risk transfer products in cooperation with banks, securities firms and other financial institutions, the Casualty Actuarial Society (CAS) was told.

ERM has a far broader scope than traditional insurance, often encompassing risks for which the property/casualty industry historically has had no solutions, said Janet R. Nelson, chief risk officer and senior vice president, St. Paul Companies.

Panelists at the CAS 2001 Spring Meeting reviewed how ERM works to help risk professionals address exposures such as energy costs, weather, Internet security and changes in interest and currency exchange rates.

Brian M. Kawamoto, director, Swiss Re New Markets, explained that applications of ERM have combined techniques of corporate finance, insurance and reinsurance and investment banking to creatively address the variety of risks that confront businesses.

"ERM is a process that helps an organization identify, measure and control risk," he said. "It's critical that organizations look at risk in a much different way; whether it's defensive or whether it's opportunistic."

At the most basic level, an enterprise is used to dealing with risk on an individual basis, said Kawamoto. For example, a company treasurer may be concerned on any given day with an individual risk, such as a foreign currency valuation or a commodity trader with the price of electricity. At the CFO level, risk is now viewed in wider terms such as the volatility of earnings or cash flow.

Today, even that broader approach to risk has evolved to an even more expansive view where the CEO defines risk as "any event that adversely affects an organization's reputation, customers, employees, shareholders, business opportunities or financial assets," Kawamoto pointed out.

He identified four fundamental elements that comprise an ERM toolkit. First is event -triggered financing where debt or equity capital is drawn upon under a pre-determined scenario to optimize capital resources. Second are derivatives, which are contingent claims based on the value of an underlying hazard or index. The four building blocks of derivatives are options, swaps, futures and forwards.

The third tool is structured finance -- a capital management process that typically utilizes a highly structured combination of risk transfer, risk retention and risk financing. The fourth is integrated risk transaction -- the packaging of several diverse risks into one structure that often results in less volatile and less costly risk transfer.

Gary Taylor, manager - Weather Risk Management for ENRON Global Markets, discussed how ERM can be applied to weather-related risks.

Taylor traced the relatively short history of the weather risk management business from its beginning in August 1977 with the first weather-related commodity transaction to the present, in which an estimated 5,000 such deals have been completed with a national value of over $10 billion.

Taylor said weather risk management deals commonly involve applying historical weather data on which to base probability assessments and using index-based settlements, which do away with the traditional insurance claims process.

"Traditional insurance industry support and computer modeling companies have entered the weather risk management market," said Taylor, "and there are other insurance and reinsurance opportunities in energy derivative markets, power unit outage protection, as well as power and gas price risks." The markets are there and customers are ready to pay premiums for these types of protection, Taylor emphasized.

Taylor said there are also a lot of weather-related risk management deals, however, in which there are no premiums involved. He said these "flat transactions" are those in which there is an agreement to pay to or collect from a company if certain circumstances occur.

Very few organizations are using security management to protect themselves from growing attacks. Christine Jones, Business Development manager for Atlanta-based Internet Security Systems (ISS), observed that because there is no such thing as 100 percent security for computer users, protecting businesses against such attacks offer actuaries and insurers the opportunity to develop and market specialized insurance policies to meet a growing market need.

Jones said the Federal Bureau of Investigation (FBI) and the U.S. Department of Defense estimate that employees who may or may not be acting intentionally commit the vast majority of company computer security violations. Statistics show that 58 percent of such violations are committed by authorized employees, 24 percent by unauthorized employees, 13 percent by former employees, 13 percent by hackers or cyber terrorists and only 3 percent by business competitors.

"To be able to attack business computer systems, you don't have to be a PhD anymore," Jones said. Such attacks can be instigated by a 13-year-old hacker."

Jones said her company tracks and works to stay up to date on the tools and programs computer hackers and virus writers use to commit their mischief and destruction. She said ISS is currently tracking several so-called Distributed Denial of Service (DDoS) plots, similar to ones successfully perpetrated recently on e-Bay and Western Union, that can costs companies millions of dollars in lost revenue. And she added that her company can even forecast imminent DDoS attacks.

The Internet security company official urged companies to develop a computer security policy and self-manage it. "But most companies that do have such a policy, do not enforce it," Jones pointed out.

The Casualty Actuarial Society is an organization dedicated to the advancement of the body of knowledge of actuarial science applied to property, casualty and similar risk exposures.