DAN M. HAIR
Senior Vice President, Chief Risk Officer, Workers Compensation Fund
Modern workers' compensation systems are children of the industrial revolution. The concept of a social insurance program protecting workers from job-related injuries and illnesses had its modern origins in the development of European factory, child labor, and mining regulations throughout the eighteenth and nineteenth centuries. In the United States there was a long gestation period leading to the adoption of similar schemes. In the nineteenth century accidents in the mining and railroad industries led to early regulatory structures in those areas. The Russell Sage Foundation's Pittsburgh Survey of 1907 along with the Triangle Shirtwaist Factory fire in 1911 were major factors in the adoption of the first state workmen's compensation laws from 1911 to 1915.
In 1917, the Utah legislature passed the Workers' Compensation Act, requiring all employers to obtain workers' compensation insurance coverage. The Workers Compensation Fund (WCF), then called the State Insurance Fund, was created to provide competitively priced insurance to Utah employers. In the same year, the legislature appropriated $40,000 from the state treasury for WCF to begin writing insurance. This loan was repaid by WCF in four years, and from that time forward WCF has operated financially independent of the state and has functioned largely as a state agency.
A formal organizational study of WCF was completed in 1987. It recommended autonomy from state administration by establishing WCF as a quasi-public corporation with a board of directors comprised of policyholders and individuals with expertise. In 1988 the Utah legislature again modified its statutes to protect the state from any WCF expenses or debts and to prohibit the state from accessing the Injury Fund. In 2005 the Utah Supreme Court ruled that WCF and all of its assets were solely owned by its policyholders.
Today, WCF operates as a mutual insurance company owned by its policyholders and governed by a seven-member board of directors appointed by the governor. WCF performs a public purpose relating to the state and its citizens. Specifically, WCF serves as Utah's carrier of last resort for workers' compensation insurance coverage. As such, any Utah employer, no matter its size, the riskiness of its business, or its prior loss history, can obtain workers' compensation insurance coverage from WCF.
WCF is under state regulatory oversight provided by the Utah Department of Insurance and Utah Labor Commission. WCF also receives annual rating agency financial oversight through the A.M. Best Company, which examines, among other things, solvency, operating performance, risk-based capital requirements, and enterprise risk management (ERM) capabilities. Currently, WCF is rated A or excellent. WCF has its headquarters in Sandy, Utah, and additional branch offices in central, northern, and southern Utah. It also owns affiliated companies that are licensed to write workers' compensation insurance and perform claims management services in other states as well.
The early 1990s were a time of transformative change at WCF. In 1992 the board hired a new president and CEO, Layne Summerhays, who soon added additional executives. The resulting executive group was an amalgam of new leaders who had spent their careers in the private sector and retained leaders with critical institutional memory and experience with the workers' compensation system in Utah. The new executive team established a focus on customer service, internal accountability, operating efficiency, and private carrier best practices.
In the ensuing years WCF obtained its initial (A–) A.M. Best rating, significantly improved operating results and customer satisfaction, grew its surplus from $67 million to more than $600 million, and returned 40 percent of net income to policyholders in dividends. These impressive results came despite the vagaries of market cycles and some very difficult strategic challenges.
Utah has been a very competitive insurance market for many years. Competitors have included large, national multiline carriers, national workers' compensation specialty carriers, and locally domiciled insurers. Their ability to quote multiple lines of insurance in and out of Utah put WCF at a distinct competitive disadvantage. Additionally, as WCF's fortunes changed, various parties initiated discussions within the legislature regarding WCF's structure, its future status as a tax-exempt market of last resort, and the ultimate ownership of company assets.
These two significant risks were tackled by the management team in close collaboration with the board. Working toward solutions involved risk assessment, evaluation of options, and envisioning potential outcome scenarios, both positive and negative. Ultimately the multistate issue was creatively resolved by working with the legislature to get limited statutory changes in an amicable fashion and the formation of an affiliated company. Resolving ownership of company assets was a more contentious issue between WCF and the executive branch of state government. This was only resolved after the board and management determined it would be necessary to take legal action by suing the State of Utah. The resulting litigation was decided in favor of WCF by the landmark 2005 Utah Supreme Court decision.
This episode in the history of the company, which involved robust discussion of risk, potential scenario development, and close collaboration with the board, was the foundation for what has followed. In addition, at the company's annual retreat and planning session for board members, senior vice presidents, and vice presidents in 2006, time was set aside for consideration of the range of potential risks to the company. Returning from this board retreat, the executive team began an ongoing discussion of key strategic risks and opportunities that continues to this day.
Although the financial trials of the Great Recession of 2007–2011 did not seriously impact the solvency of WCF or the property-casualty insurance industry, it certainly stimulated boards to think about risk, fat tails, black swans, and low-frequency, high-severity events. This watershed event also resulted in financial rating organizations such as Standard & Poor's and A.M. Best moving toward the development of much more robust questioning of rated firms' capital management, risk assessment practices, and enterprise risk management capabilities.
At this time WCF's President and CEO, Ray Pickup, along with Board Chair Dallas Bradford and other directors, began serious discussions of the need for more formality and structure in the company's risk management efforts. As the former CFO, Ray Pickup not only had a deep understanding of risk but a passion for transparency and openness, as well as a self-effacing management style that valued input from all areas of the company. As a retired partner in a public accounting firm, Chairman Bradford had long dealt with issues of risk and was a self-described “glass is half empty guy” who “imagined the worst scenario.” He noted that when a company's risk management efforts fail, “a great many people would be financially damaged and the company's public image would perhaps be irreparably damaged.” He also expressed that “The company had done some significant work in this arena, but little of it had been documented and there was no clear response mechanism in place. Also, there was no organized process in place to evaluate the various risks. It was an easy step for me to encourage the company to undertake a much more rigorous program to identify and manage potential risks that could severely damage our company and the important public interests we serve.”1
In late 2010 Ray Pickup, with the approval of the board, created the chief risk officer (CRO) position, designating Dan Hair, who had been and would continue to serve as the Chief Underwriting and Safety Officer, as the first CRO. An additional committee of the board, the Risk Oversight Committee, was also created. The job description for the new CRO position contained several key elements (see WCF Chief Risk Officer Job Description). First, the CRO was to report to the president and CEO but with additional reporting responsibilities to the board and the newly formed Board Risk Oversight Committee. This was reinforced by the CEO, who encouraged direct access to the board by the CRO, including the airing of any differences of opinion. Second, the CRO was to have access to all areas of the company and its affiliates. This was fundamentally important if the CRO was to have an enterprise-wide understanding of all the risks facing WCF. Third, implicit in the job description and explicit in the WCF Risk Policy (see WCF Risk Policy) is the idea of excellence in the development of a program that is suitable and appropriate for WCF.
January 25, 2011: Initially the CRO, working with Chief Financial Officer Scott Westra, developed a preliminary risk assessment matrix to be used by the senior officers in a Delphi qualitative assessment of all risks facing the company. Each executive was asked to look at a list of risks provided by the CRO, add to it any risks they felt should be considered, and score the severity and probability of those risks. Several meetings followed with the entire senior team to come to a consensus on the matrix, scores, and risk list. Initial results were then presented to the entire Board, which resulted in further refinement of the matrix and heat maps (Exhibits 11.1 and 11.2). The Board and management were in agreement that risk appetite should primarily be evaluated by impact on WCF surplus. This was later refined to include statutory combined ratio and operating income. Senior management was explicitly tasked with developing mitigation plans for any risks scoring in the red area of the heat map.
Incident or exposure probability descriptions (Risk = P × S)

| Probability level | Description |
| --- | --- |
| Very low (1) | Improbable, no prediction confidence (P = .01/range = <.02) |
| Low (2) | Remote, may occur once every 10 to 50+ years (P = .02) |
| Moderate (3) | Occasional, may occur once every 3 to 10 years (P = .16/range = .10 to .33) |
| High (4) | Probable, may occur once every 2 to 5 years (P = .25/range = .20 to .50) |
| Very high (5) | Frequent, could occur annually (P = .50/range = .50 to 1.0) |

Incident or exposure severity descriptions

| Severity level | Description |
| --- | --- |
| Slight loss (1) | Inconsequential with respect to financial, personnel, or brand damage: less than 1% of surplus, or $10M loss or a 1- to 5-point impact on combined ratio. |
| Medium loss (2) | Important financial, personnel, or brand damage; threshold of financial materiality, 5% or more of surplus, or $11M to $25M loss or a 6- to 10-point impact on combined ratio. |
| Material loss (3) | Material damage to financial strength, personnel, or brand; $26M–$50M loss or an 11- to 15-point impact on combined ratio. |
| Large loss (4) | Significant damage to financial strength, personnel, or brand; 10% or more of surplus, or a $51M to $75M loss, could damage stakeholder confidence or a 16- to 20-point impact on combined ratio. |
| Very high loss (5) | Catastrophic impact on solvency, brand, or personnel; 50% or more of surplus; greater than a $75M loss, would damage stakeholder confidence or a combined ratio impact of >20 points. |

Exhibit 11.1 WCF ERM Risk Management Matrix Values
In subsequent months the CRO met with the leadership of each WCF department and affiliate to explain the importance of the ERM program, why it was being launched, and their role in the program. Basic risk management training was given to them along with a modified departmental risk matrix. Their views on risks within the company and their departments were solicited and they were guided to the development of their own heat maps. At the same time the initial meeting of the Board Risk Oversight Committee was held and the duties of the Internal Risk Committee (IRC), chaired by the CRO, were established (see WCF Internal Risk Committee Duties). This effectively created an ongoing three-level review of risk consisting of the board, senior management, and key company leaders.
In its initial meetings, the Board Risk Oversight Committee, which meets two or three times per year, approved the IRC Charter and gave direction and feedback regarding initial efforts. One valuable suggestion was to do a risk survey of the entire company. Although approximately one-third of WCF employees had already been involved in ERM activities to date, this was a very helpful idea. Over 50 percent of all employees responded (see 2012 All-Employee ERM Survey). The survey was done electronically with optional anonymity for all participants.
Initial IRC discussions were robust and enthusiastic. The mix of company officers, managers, and risk champions worked effectively together. Many of the risks that were contained in the consolidated risk list they developed were also identified by the senior group and the company-wide survey. Having wide unanimity on which risks were most important was very helpful and allowed effective focus. Early on it was decided to split the list of risks thus developed into two sections. The first section contained the risks that, as department leaders, the IRC could impact and manage. The second-tier risks were those that were of a strategic nature or just simply could only be managed by senior management.
The initial duties of the Internal Risk Committee were to review all the department risks, consolidate them where possible, and come up with a consensus scoring using the risk matrix. The committee was split into a gold team and a blue team to accomplish this and report back to the IRC, whereupon a consensus was reached. Mitigation plans were discussed and developed where appropriate. In some cases this involved tailored mitigation steps. In many others it was determined that existing WCF and department management protocols and procedures were adequate. It is the ongoing duty of the IRC to meet quarterly to discuss the adequacy of existing mitigation efforts and to consider new risks. In each meeting of the IRC, members are asked to again consider the question “Have we adequately protected the company against these risks?” Many of the early discussions of the IRC were taken up with data security concerns, particularly relating to the Health Insurance Portability and Accountability Act of 1996. The committee also focused on cyber risk, other operational risks, affiliate risks, and compliance risks.
As a final note to this section, developing and maintaining positive and helpful relationships with other executives is very important. Two roles that are especially important at WCF are the CFO and the company's head of Internal Audit. At WCF they work closely and effectively by fully sharing information, both internal and external. Both the CFO and Internal Audit leader participate in the IRC. The CRO has no direct authority over other executives, so he or she must work in a collaborative manner, building consensus as to needed measures and ERM development. Should problems arise, the CEO has been willing to intervene in support of the ERM program, but that has rarely been needed.
In the spring of 2011 a new tool was added to the ERM program with the introduction of the risk register (RR). Although this did not replace the risk list and heat maps, it consolidated all that information into one Excel file (see Exhibit 11.3) and added new elements necessary to properly manage risk. This is the primary document WCF uses to monitor enterprise risks.
The first cell contains each risk's assigned number and designation reflecting whether it is assigned to the IRC or to senior management. There are currently about 25 of each. A description of each risk is in the next cell, which is refined from time to time. The next cell captures risk correlation by listing the number of other risks in the document believed to be likely to occur at the same time or to be interrelated in some way. For example, a prolonged economic downturn affects other risks such as market cycle risk and pricing risk.
The next six cells in the RR deal with how the risk is scored and the potential loss to the company. The probability and severity scores are listed as currently scored. These are subject to modification to reflect changing conditions or successful mitigation. The risk score is listed and the cell is filled with light gray/medium gray/dark gray indications. The risk matrix gives ranges for both probability and severity, and selections are made for both and entered as AP (actual probability) and severity potential. These two cells are multiplied to produce a potential loss value. In a separate chart produced for the board, this cell is graphed into a tornado chart (see Exhibit 11.4) to give a representation of total potential losses at any one time. The CRO also prepares for them a separate modified heat map that shows only the most critical risks and opportunities with indications of whether we feel they are increasing or decreasing (see Exhibit 11.5).
The remaining five cells include space for probability and severity-reduction targets, mitigations recommended by the IRC or senior management, the risk owners, and who originally identified the risk. Formal mitigation steps are entered for higher-scoring risks. Usually at least a dozen or so risks have mitigation plans. A mitigation plan could be a set of active steps designed to reduce or control a risk or simply those steps that have been taken and are deemed adequate. Where this field is blank it represents a consensus that the risk is appropriately mitigated by current WCF guidelines and protocols. The risk owners are primarily responsible for actively monitoring the risk and suggesting changes or actions. The origination column just gives a record of where the concern started. Multiple people or WCF departments can appear in both cells.
In late 2011 the CRO suggested to the CEO and board that at some time a third-party review of the program might be helpful in reviewing progress to date, as well as providing some benchmarks for future improvements through the following two to three years. The board agreed, and allocations were made in the 2012 budget to engage a recognized thought leader with experience in the field to review WCF's ERM program. This was completed in the first quarter of 2012 and proved to be very helpful. The ERM expert thus engaged was Sim Segal, a Fellow of the Society of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), and president of Simergy Inc.
The engagement included a review of all documents relating to ERM at WCF to date, including matrices and heat maps in all their iterations. The risk register was reviewed along with minutes of all the IRC and Board Risk Oversight Committee meetings. This document review was followed by a lengthy discussion with the CRO responding to questions about the process, personalities, and content. A full day was spent by Sim Segal in one-on-one discussion with WCF's president and CEO, the board chairman, other WCF executives, and members of the IRC.
The final report with recommendations was given to and reviewed with all parties and discussed at the 2012 annual board retreat. The report was helpful in verifying WCF's initial steps and pointing it toward several key future steps with some action items. These included more rigorous risk analysis of key risks using sophisticated process safety tools, engaging more closely with the affiliates and moving toward a more formalized approach to risk/opportunity issues.
The action items have been a primary focus throughout 2012 and 2013, and two are worth specifically addressing. The most consistent failure mode for property-casualty insurance carriers is reserve failures. Workers' compensation claims have a very long tail in that costs are not finalized for many years. In fact, WCF is still paying on claims dating back to the 1950s. Case reserving involves an adjuster's considered estimate of all costs to the end of the claim and an actuary's judgment of the cumulative expected development on those claims. Some will close for less than the estimate whereas many will ultimately exceed the estimates by a considerable margin. If a carrier gets this wrong, it will become insolvent. The same is true for pricing workers' compensation insurance. It is based on a volatile estimate of cost of goods sold and is subject to fluctuation and pricing error. While this does not usually result in insolvency, it can dramatically impact profitability. Therefore, claim reserving error and pricing error seem to be the best candidates for a more rigorous risk analysis.
To make this analysis, a simple fault tree methodology was selected (see Exhibits 11.6 and 11.7).
The fault trees were developed through consultation with subject experts. They consist of an end point failure that WCF is seeking to avoid and levels of precipitating errors built upon each other that would lead to that top-level outcome. The final bottom end points would be factors for which WCF needs to build mitigation plans. In both cases significant variables are system malfunctions, human errors, and oversight failures. The finalized analyses are then reviewed with both risk committees.
Finally, the other major focus in 2013 is on developing both a robust risk/opportunity assessment tool and determining the parameters for its use. For WCF an acceptable tool has been difficult to agree on. An initial form was developed and experimented with on a voluntary basis (see Exhibit 11.8). The form contained a restatement of WCF's risk appetite/tolerance statement guiding the users in regard to when it should be used. A description of the proposed action was required along with cost and expected value explanations.
Identified risks to successful implementation were listed and scored using a matrix embedded in the tool. Mitigation strategies for risk scoring at a certain level were completed.
Information regarding the risk owner and approvals completed the form. The usefulness of the process seemed to lie in three areas:
The question seems to come down to whether present systems are adequate or whether additional formalization is worth the effort and extra work. After further consultation with the Board Risk Oversight Committee in late 2013, management decided to adopt a “principle-based guideline that could be used on a voluntary basis or required by management as desired.” (See pp. 223–224.) This approach gives maximum flexibility along with simplicity. Simple but fundamental questions are used to elicit understanding of a proposed action. Examples of ventures that might be suitable for an analysis are given and a simple follow-up process is described. So far, this approach has been successfully used several times and seems to meet the needs of the organization at this time.
At the time of the preparation of this chapter, WCF is analyzing the results of its second employee survey (see 2013 All-Employee ERM Survey). The questions in the survey were reviewed with both the IRC and the Board Risk Oversight Committee prior to the survey, and again, about half of the company's 300+ employees have responded. WCF is trying to ascertain whether it is truly developing a risk-sensitive culture and whether it has any barriers to the free expression of concerns and ideas. This desire for transparency and openness has been clearly and publicly articulated by both the president and the chairman. Analysis of the survey results, when completed, will be presented to the board.
The question of how much is enough is one WCF continues to grapple with. For better or worse, it is one in which both its regulator and its rating agency are giving specific direction as well. In the past couple of years A.M. Best has become increasingly clear regarding its expectations of the companies it is rating. Speaking at an industry conference in the spring of 2012, Group Vice President Ed Easop outlined an approach of generally matching ERM expectations to the general risk profile of the company. Where a carrier's ERM risk capabilities did not measure up to its risk profile, its rating might be notched down or capital requirements might be raised. If a carrier's capabilities matched or exceeded its risk profile, more favorable ratings treatment and lower capital requirements would be likely.
More recently A.M. Best addressed this in greater detail at its annual conference in March 2013. A.M. Best indicated that although the property-casualty industry is making progress in developing ERM programs, information gleaned from its supplemental risk questionnaires leaves little doubt that the industry has a long way to go. The rating agency also spelled out in great detail the underlying characteristics of its ERM rating levels of superior, strong, good, and weak in 17 key risk management areas. WCF will have its annual rating discussion meeting with A.M. Best in late fall 2013. It will be interesting to receive feedback in those meetings regarding the rating agency's perception of the WCF risk profile and the adequacy of WCF's efforts to date.
Since 2013, the state regulator, the Utah Department of Insurance, has not engaged WCF on this subject, but that is expected to change. As a member of the National Association of Insurance Commissioners (NAIC), it is aware of that organization's adoption in September 2012 of the Risk Management and Own Risk and Solvency Assessment (ORSA) model legislation. This model law is effective for adoption by state legislatures in 2015. Among other things, the Act requires that “An insurer shall maintain a risk management framework to assist the insurer with identifying, assessing, monitoring, managing, and reporting on its material and relevant risks. This requirement may be satisfied if the insurance group of which the insurer is a member maintains a risk management framework applicable to the operations of the insurer.”2 At this time, WCF meets the exemption requirement due to premium volume written, but the Act clearly sets out standards of best practice that should be considered.
Management has committed to, and the board expects, continued development of the ERM program and culture. This must be done to a level that matches WCF's risks and ensures it will always be able to discharge the long-term responsibilities it has to policyholders and injured workers. The depth and complexity of the ERM program will be determined through discussion and consultation between management and the board. WCF's mission is excellence.
What skill set or industry experience would be most valuable for a CRO to acquire?
If a Board has an audit, investment, and risk committee, how should they work together and what would be an appropriate division of duties?
Should the CRO's role be a directing or a counseling one? How would this vary in small, medium, or large companies?
What would the ideal working relationship be between the CRO and CFO?
How should the Board and CEO evaluate a CRO's performance and contribution to the Company?
Dan Hair is the Chief Risk Officer (CRO) at Workers Compensation Fund, located in Utah. He joined WCF in 2005 after a 25-year career with Zenith Insurance Company. As CRO, Dan is responsible for the enterprise risk management efforts of WCF and reports to the president and CEO. He works directly with the board of directors and the Board Risk Oversight Committee. Dan was educated at UCLA and USC, has an insurance operations and safety engineering background, and has taught and published in the areas of risk and risk management for years.