This case study describes how the Zurich Insurance Group has implemented and evolved its enterprise risk management (ERM) approach for more than 10 years across the globe. It describes how Zurich has organized its governance structures and ERM champions to help integrate ERM into the business model that focuses on promptly identifying, measuring, managing, monitoring, and reporting risks that affect the achievement of strategic, operational, and financial objectives. This includes adjusting their risk profiles to be in line with Zurich's stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

ENTERPRISE RISK MANAGEMENT AT ZURICH

As a large global insurance carrier, Zurich Insurance Group has relied on its ERM program for more than 10 years as a means to help Zurich remain profitable. With over 60,000 employees around the world and serving customers in more than 170 countries and territories, Zurich is exposed to a wide range of risks from its customers to its own operations. Yet Zurich recognizes that taking the right risks at the right time is a necessary part of growing and protecting shareholder value. Naturally, Zurich aims to capitalize on appropriate market opportunities that could attract the best talent and investor capital. To achieve this, Zurich utilizes insight from its ERM program to help balance growth opportunities with the reality that it is operating in a complex world economy.

ERM not only is embedded in Zurich's business, but is also aligned with its strategic and operational planning and budgeting process. Zurich assesses risks systematically and from a strategic perspective through its proprietary tools that allow it to identify and then evaluate the probability of a risk scenario occurring, as well as the severity of the consequence should it occur. Zurich then develops, implements, and monitors appropriate improvement actions. Its ERM tools are integral to how Zurich deals with change, by helping to evaluate strategic risks as well as risks to its reputation. At the senior management level, the ERM process is annually reviewed and tied to the strategic planning process, but is also embedded in the ongoing business.

Listed here are Zurich's major ERM objectives, and a tangible proof point:

• Protect the capital base by monitoring that risks are not taken beyond Zurich's risk tolerance.
• Enhance value creation and contribute to an optimal risk/return profile by providing the basis for efficient capital deployment.
• Support Zurich's decision-making processes by providing consistent, reliable, and timely risk information.
• Protect Zurich's reputation and brand by promoting a sound culture of risk awareness and disciplined and informed risk taking.

ZURICH GROUP'S ENTERPRISE RISK MANAGEMENT FRAMEWORK

At the heart of Zurich's ERM framework is a governance process with clear responsibilities for taking, managing, monitoring, and reporting risks. (See Exhibit 14.1.) Zurich articulates the roles and responsibilities for risk management throughout the organization, from the board of directors and the chief executive officer (CEO) to its businesses and functional areas. In fact, each business and functional or project team will have someone designated as a risk owner to be responsible for identifying and addressing relevant risk exposures and to help embed ERM further in the business unit and build a more open, positive risk culture.

One of the key elements of Zurich's ERM framework is to foster transparency by establishing risk reporting standards throughout the organization. Zurich regularly reports on its risk profile, current risk issues, adherence to its risk policies, and improvement actions both at a local and on a senior management level. Zurich has procedures in place for the timely referral of risk issues to senior management and the board of directors. Various governance and control functions coordinate to help ensure that objectives are being achieved, risks are identified and appropriately managed, and internal controls are in place and operating effectively.

Risk Governance Approach at Zurich with Three Lines of Defense

Zurich uses a “three lines of defense” model to help ensure governance and control. (See Exhibit 14.2.) This model consists of the following:

1. The first line of defense in the business or functional areas involves the employees making day-to-day business decisions like underwriting, managing projects, developing information technology (IT) solutions, or managing human capital issues.
2. The second line of defense is Group Risk Management, which oversees the company's efforts to apply appropriate risk identification and governance processes and provides tools and frameworks to manage decisions. Group Risk Management also coordinates very closely with the Compliance and Legal departments, Business Continuity Management, IT, Procurement, and other areas, to encourage better coordination across various silos to build an enterprise lens on risk management.
3. The third line of defense is the independent internal audit function, which is responsible for verifying the functionality of the ERM and internal controls framework.

To support the governance process, Zurich relies on documented policies and guidelines. The Zurich Risk Policy is its risk governance document; it specifies Zurich's risk tolerance, risk limits and authorities, reporting requirements, procedures to approve any exceptions, and procedures for referring risk issues to senior management and the board of directors. The limits are specified per risk type, reflecting the willingness and ability to take risks, considering issues such as earnings stability, economic capital adequacy, financial flexibility and liquidity, franchise value, and reputation. Zurich's strategic direction and operational plan seeks to achieve a reasonable balance between risk and return, and to be aligned with economic and financial objectives.

An important element of Zurich's ERM framework is a well-balanced and effectively managed remuneration program. This includes a groupwide remuneration philosophy and robust short- and long-term incentive plans, with strong governance and links to the business planning, performance management, and risk policies. Based on Zurich's Risk Policy, the board establishes the structure and design of the remuneration arrangements so that they do not encourage inappropriate risk taking.

As an ongoing process, adherence to requirements stated in the Zurich Risk Policy is assessed. Zurich regularly enhances its Risk Policy to reflect new insights and changes in the environment and to reflect changes to the risk tolerance. For example, the Zurich Risk Policy was recently updated and strengthened for various areas, including actuarial reserving in General Insurance, reinsurance, receivables, operational risk management, and particularly outsourcing and business continuity management. Related procedures and risk controls were also strengthened or clarified for these areas.

Integrated Assessment and Assurance

Integrated Assessment and Assurance (IAA) is a coordinated view from the Assurance functions to provide greater confidence that risks are identified, those risks are appropriately managed, and mitigation actions are implemented and controls are operating effectively. The Assessment and Assurance functions include Group Risk Management, Group Compliance, and Group Audit. (See Exhibit 14.3.) Close coordination is also maintained with Group Legal, External Audit, and management's review functions such as underwriting or claims reviews and actuarial peer reviews.

ROLE OF THE CHIEF RISK OFFICER AND GROUP RISK MANAGEMENT AT ZURICH

Zurich's chief risk officer (CRO) consults with the other assurance, control, and governance functions to provide the chief executive officer (CEO) with a review of risk factors to consider in the annual process to determine variable compensation. The CRO leads the Group Risk Management function, which develops methods and processes for identifying, measuring, managing, monitoring, and reporting risks throughout Zurich. The CRO is responsible for the oversight of risks across Zurich and regularly reports risk matters to the CEO, senior management committee, and the Risk Committee of the board.

The Group Risk Management organization at Zurich consists of central functions at the Corporate Center and a decentralized risk management network at all the segment, regional, business unit, and functional levels. At the Group level there are two centers of expertise: risk analytics and risk and control. The Risk Analytics department quantitatively assesses insurance, financial market, asset/liability, credit, and operational risks, and is Zurich's center of excellence for risk quantification and risk modeling. The Risk and Control department includes operational risk management, internal control framework, risk reporting, risk governance, and risk operations. Group Risk Management proposes changes to the risk management framework and Zurich's risk policies; it makes recommendations on the organization's risk tolerance and assesses the risk profile.

The risk management network consists of the chief risk officers (CROs) of the Group's segments and regions, and the local risk officers (LROs) of the business units and functions and their staff. While their primary focus is on operational and business-related risks, they are also responsible for providing a holistic view of all risks for their areas. The risk officers are part of the management teams in their respective businesses and therefore are embedded in the business units. The LROs also report to the segment or regional CROs, who in turn report to the Group's chief risk officer. The CROs of the Group's segments and regions are members of the leadership team of the Group's chief risk officer.

In addition to the risk management network, Zurich has audit and/or oversight committees at the major business and regional levels. These committees are responsible for providing oversight of the risk management and control functions. This includes monitoring adherence to policies and periodic risk reporting. At the local level, these oversight activities are conducted through risk and control committees or quarterly meetings between senior executives and the local heads of governance functions.

In 2012, Zurich strengthened the process through which the assurance, control, and governance functions provide risk and compliance information about each business unit as part of the annual individual performance assessment. Through these processes, Zurich encourages a culture of disciplined risk taking across the organization. It continues to consciously take carefully selected risks for which it expects an adequate return.

Emerging Risk Group

Zurich's Emerging Risk Group (ERG) seeks to preempt potential downsides of emerging risk and help its employees and customers understand and address them. The ERG looks to serve customers and society and build business opportunities to increase, not exclude, insurability of emerging risks. The ERG's remit is to respond to emerging risk threats and opportunities with strategies that help customers understand and protect themselves from risk and that drive profitable underwriting results.

The Zurich Emerging Risk Radar shows potential risks and opportunities that the ERG has currently identified. The online, internal version of Zurich Risk Radar is interactive, and one can roll the cursor over each threat to see a description of a risk and its potential harm—and each risk is classified by its primary scope (Science and Technology, Regulatory, Environmental, Social, or Legal), as well as the time over which the risk will potentially emerge (zero to three years, three to five years, five or more years), plus its potential impact on Group earnings. (See Exhibit 14.4 for a public version.)

WORKING WITH EXTERNAL STAKEHOLDERS

Various external stakeholders, among them regulators, rating agencies, investors, and accounting bodies, have placed emphasis on the importance of a sound risk management program in the insurance industry. Regulatory requirements, such as the Swiss Solvency Test in Switzerland and the regulatory principles of Solvency III in the European Union, have emphasized a risk-based and economic approach, based on comprehensive quantitative and qualitative assessments and reports.

Rating agencies are now interested in enterprise risk management as a factor in evaluating companies' creditworthiness. Standard & Poor's, a rating agency with a separate rating for ERM, has rated Zurich's overall ERM as “strong.” Reinsurance and credit risk controls remain “excellent.” Market, asset/liability management (ALM), reserving, catastrophe, and operational risk controls, as well as strategic and emerging risk management, are seen as “strong.” Zurich is rated either “excellent” or “strong” in all of the Standard & Poor's dimensions for ERM.

Zurich also seeks external expertise from its International Advisory Council and Natural Catastrophe Advisory Council to better understand and assess risks, particularly regarding areas of complex change. In addition, the Investment Management Advisory Council provides feedback to Investment Management on achieving superior risk-adjusted returns versus liabilities for the Group's invested assets. Zurich also organizes various regional Risk Management Councils comprised of key customers, which engage to help identify and address issues together.

Zurich is involved in a number of international industry organizations engaged in advancing the regulatory dialogue and sound risk management practices pertaining to the insurance industry. It is also a standing member of and actively contributes to the Emerging Risk Initiative of the CRO Forum (an organization composed of the chief risk officers of major insurance companies and financial conglomerates that focuses on developing and promoting industry best practices in risk management).

Zurich actively participates in professional risk management bodies such as the Risk and Insurance Management Society (RIMS), the Institute of Risk Management (IRM), the Federation of European Risk Management Association (FERMA), and the Association of Insurance and Risk Managers in Industry and Commerce. For example, Zurich's staff serves on the RIMS ERM Committee and on the global Education Advisory Board of the IRM. It is also involved in various working groups in the Conference Board, supports the Red Cross in crisis recovery, and collaborates with other entities to help promote better risk identification, assessment, prevention, and mitigation.

Zurich is a main contributor to the Global Risk Report that is produced by the World Economic Forum in cooperation with other corporations (Swiss Re, Marsh & McLennan Companies, the Oxford Martin School [University of Oxford], the National University of Singapore, and the Wharton Risk Management and Decision Processes Center [University of Pennsylvania Center for Risk Management] [www.weforum.org/reports/global-risks-2012-seventhninth-edition]). The report's assessment of the most pressing global risks and the interconnections among them provides valuable information for risk mitigation worldwide. Supporting the report is also part of the Group's commitment to corporate responsibility by sharing Zurich's expertise to help businesses, nations, and society.

ZURICH'S PROPRIETARY TOOLS USED IN ERM FRAMEWORK

Zurich uses a variety of methodologies and tools to manage its business risk, with the following aims. More information on Zurich's Strategic Risk Management work can be found at www.zuricherm.com.

• Understand issues in enterprise strategy, resilience, supply chain, and business continuity.
• Identify scenarios that could—or should—be built into a strategic and/or operational resilience plan.
• Develop action points and risk responsibilities to help protect profitability.

Total Risk Profiling Tool

One of Zurich's key proprietary tools is called Total Risk Profiling (TRP); it is a workshop-based approach where a facilitator-led team develops a risk profile by determining relative ratings in probability and severity (likelihood and impact) for potential risk scenarios. (See Exhibit 14.5.) TRP is a structured approach to identifying, assessing, and monitoring holistic risks and improvement actions needed. By embedding its Total Risk Profiling methodology into its risk culture, this has helped ensure its risk management culture is consistent and effective across its various business units. It uses these risk scenarios to define the underlying issues and break them into components of vulnerability, trigger, and consequences. The TRP tool can also help a business unit define and quantify its risk tolerance limit. A short video explains more about Total Risk Profiling (http://zdownload.zurich.com/zna/TotalRiskProfiling.html).

A risk tolerance limit is defined as part of the risk appetite, and action plans are developed to improve the prioritized risks and bring them within the business unit's tolerance for risk. The structure of the TRP risk identification process provides a sound basis for detailed quantification of more complex risks. TRP has helped Zurich's business units set the agenda for internal audit or enterprise risk management to monitor risks at or just below the risk tolerance boundary.

By being able to define multiple risk triggers with different potential consequences, the TRP tool has helped Zurich to identify the true drivers of risk by undertaking various stress tests or even to define new risk exposures. A facilitator-led team develops a relative rating for each risk scenario, often without a predefined scale of impact and likelihood, to improve the business unit's understanding of the risk.

Another main aim of the flexible TRP tool is to help embed a risk culture that will sustain shareholder value through better enterprise risk management practices and strategic planning processes. Zurich performs nearly 200 TRP workshops per year, ranging from assessing strategy execution, project management, human resources (HR), mergers and acquisitions (M&A), or business interruption (BI) exposures to new product development. In fact, completion of a TRP is a requisite part of the submission for a project budget or operational plan. The TRP tool helps to enable the following:

• Assessment of current and emerging risks to business resilience and profitability
• Alignment of business strategy with key performance indicators
• Communication of board discussion on risk appetite to investors and other stakeholders
• Reviewing the environmental scanning tool for corporate or competitive business strategy development
• Embedding of ERM in the strategic planning process
• Product launches, acquisitions or divestitures, and project management
• Considering the vulnerabilities in the supply chain
• Evaluation of business interruption risk scenarios
• Testing of existing strategies in the context of unrealized/underrealized risks and opportunities
• Use in the objective-setting stage of the business cycle to determine the budget

Zurich's Risk Room

Another of Zurich's proprietary tools, called the Zurich Risk Room, helps the organization and its customers to systematically explore major global risks, investigating how they are expressed on a country-by-country basis. (See Exhibit 14.6.) It shows on a 3-D screen how risks and geographies combine (sometimes unexpectedly) to be relevant to Zurich's business concerns. This tool allows one to see which countries reflect similar profiles, and which risks begin to stand out on mapping various risk correlations. By working across different types of risks, risk correlations are identified that illustrate whether relevant risk connections exist and which ones are the strongest.

The Zurich Risk Room creates a statistical, fact-based assessment of global threats as they relate to business planning and implementation. Its output can complement departmental, regional, or consultant-based research and data, providing an additional objective lens to risk evaluation and reducing the issues related to silo-based risk assessments. Using a consistent global framework, the Zurich Risk Room can help identify threats that may cross boundaries and provide key decision makers with relevant risk information that can help them make more informed business decisions, even if they are not experts in risk analysis.

By examining risks and interconnections in detail, Zurich is able to compare both individual issues and overall country risk characteristics of one country to those of another. This allows Zurich to see whether a country's risk profile is unique or it shares similarities with other countries. For international businesses, it is vital to form a picture of where operations and investments are vulnerable and where these vulnerabilities may reside. Zurich is then able to identify how risks are bundled, or where a threat in one area might cascade to another.

A demo version of the Zurich Risk Room software for an iPad or Android tablet can be downloaded by searching for Zurich Risk Room in iTunes or Google Play. In addition, this is a link to a short video that will give a brief overview of the Zurich Risk Room application: www.youtube.com/watch?v=_UMaYJtDu6Q.

CATEGORIZING VARIOUS RISKS AT ZURICH

In order to enable a consistent, systematic, and disciplined approach to ERM, Zurich categorizes its main risks. (See Exhibit 14.7.) This grouping assists Zurich in monitoring any aggregation of exposures that may be accumulating across the enterprise and could, therefore, have a greater impact on the company.

CAPITAL MANAGEMENT

Capital and solvency are managed through an integrated and comprehensive framework of principles and governance structures as well as methodology, monitoring, and reporting processes. The capital management process is illustrated in Exhibit 14.8. At the group executive level, the Group Balance Sheet Committee defines the capital management strategy and sets the principles, standards, and policies for the execution of the strategy. Group Treasury and Capital Management are responsible for the execution of the capital management strategy within the mandate set by the Group Balance Sheet Committee.

Within these defined principles, the group manages its capital using a number of different capital models, taking into account regulatory, economic, and rating agency constraints. The capital and solvency position is monitored and reported on a regular basis. Based on the results of the capital models and the defined standards and principles, Group Treasury and Capital Management has a set of measures and tools available to manage capital within the defined constraints. This tool set is referred to as the Capital Management Program.

The Capital Management Program comprises various measures to optimize shareholders' return and to meet capital needs, while enabling Zurich to take advantage of growth opportunities as they arise. Such measures are used as and when required and could include efficient balance sheet structuring as well as cash dividends, share buy-backs, special dividends, issuances of shares or senior and subordinated debt, and purchase of reinsurance.

The group seeks to maintain the balance between higher returns for shareholders on equity raised, which may be possible with higher levels of borrowing, and the security provided by a sound capital position. The payment of dividends, share buy-backs, and issuances and redemption of debt can have an important influence on Zurich's capital levels.

ZURICH'S BUSINESS RESILIENCE TOOLS

Business resilience management helps provide Zurich with the structure for dealing with risks systematically, holistically, and successfully. Zurich's Business Resilience program is supported by an enterprise risk management framework that identifies particular events or circumstances relevant to its business objectives, assesses them in terms of likelihood and magnitude of impact, and then determines a response strategy. (See Exhibit 14.9.) A resilient enterprise is better able to anticipate surprises, recover more quickly from disruptions, adapt to changing conditions, and leverage emerging opportunities.

The objective of Zurich's Business Resilience program is “Prepared, Informed, and Resilient.” This tagline is regularly communicated to staff, especially during Business Resilience Awareness week. Some of Zurich's proprietary Business Resilience tools are listed here.

Business Interruption Modeling allows Zurich the capability to better manage its risks based on an in-depth understanding of the value chain, with a main focus on the business critical value flow, followed by identification, assessment, and quantification of business interruption exposures and optional mitigations. Like all organizations, a business interruption for Zurich could have the potential to inhibit productivity and could have multiple negative impacts on its organization. Some examples of business interruption impacts could include loss of customers, diminished customer service, legal and/or regulatory issues, lower employee morale, and even delays in projects, products, or other strategic growth. Thus, it is essential that organizations try to map and quantify how they serve customers, in order to proactively protect where they generate value.

Key stages of Business Interruption Modeling include:

• Defining scope by identifying the business-critical part(s) of the value chain
• Building an interdependency framework of business-critical value flows
• Identifying relevant business interruption vulnerabilities as loss of resources such as supplier, production, storage, and customer
• Assessing the extent based on interruption scenarios, and modeling the effects quantitatively
• Prioritizing risks based on financial impact of scenarios, with focus on unacceptable risks in order to develop a beneficial mitigation plan
• Assessing the effectiveness of current business continuity plans and identifying improvement actions

Supply Chain Risk Assessment allows Zurich to improve its reliability and minimize the effects of a supply chain disruption on its capital and earnings. Zurich's supplier risk assessment should help address vulnerabilities that could inhibit Zurich's ability to respond to a changing risk landscape. Its supply chain risk evaluation, mapping, and grading are designed to assess and quantify the broad areas of exposures and risk controls in its supply chain. This gives Zurich actionable insights to help facilitate mitigation strategies that can address the characteristics of each supplier individually, including risk transfer options.

The stages of a Supply Chain Risk Assessment include:

• Develop a supply chain/value chain map.
• Gather key supply/supplier details.
• Evaluate risk factor information.
• Define and evaluate potential risk or loss scenarios.
• Develop risk grading for each critical supplier.
• Determine risk strategies.

Business Continuity Management (BCM) includes the mitigation strategies used to minimize the impact after an incident, with the possible scope of risks coming from supply chain risks, strategic risks, operational risks, technological risks, or natural hazards. BCM is very useful in identifying gaps in risk mitigation strategies and improving risk controls to manage those exposures more effectively. As part of Zurich's business resilience process, BCM is important for managing the multitude of risk exposures and potential interruptions scenarios and thus strengthening Zurich's business resilience program.

Zurich's Six-Stage Business Continuity Management Life Cycle

1. Modeling key business processes
2. Business impact analysis
3. BCM strategy and processes
4. Business continuity planning
5. Crisis management
6. Training, exercise, maintenance, and assessment

Zurich is able to undertake a regular gap analysis of its business continuity plans against best practices and common BCM-related standards such as International Standards Organization (ISO), National Fire Protection Association (NFPA) and the British Standard. It also routinely tests its crisis response activities. For example, it has planned or completed simulation exercises such as:

• Eurostar trains caught in tunnel
• India: Bomb explosion in hotel where Zurich has employees, impacting the country where company has operations in Pune, Bangalore, and Chennai
• Fire in Home Office location injuring employees, impacting critical processes, and possibly preventing occupancy in location for up to three to four months
• Los Angeles earthquake
• Kansas tornado
• Political demonstration in New York City

Business Impact Analysis is designed to provide the method to identify the systems that, when absent, would create a danger to the survival of the organization. This analysis can also ensure that these systems receive the correct priority in any subsequent business continuity plan.

Key stages of Zurich's Business Impact Analysis include:

• Prioritize the key business services or processes.
• Identify the internal and external risks to the continuity of these business processes.
• Assess the importance of each risk in terms of both the likelihood and the financial impact of potential outcomes.
• Establish priorities for mitigating the critical risks.
• Develop a management plan of action.
• Assess the business continuity plan and management plan of action.

HOW ZURICH USES ITS ERM TOOLS TO CREATE NEW VALUE

In the area of mergers and acquisitions, Zurich may use two opportunity analysis tools to supplement traditional due diligence practices. Both the Total Risk Profiling tool and the Zurich Risk Room can be used to simulate various risk scenarios and investigate potential outcomes. (See Exhibit 14.10.) When Zurich acquired holdings in Asia and Latin America, these tools served to help identify and understand the risks associated with the strategy, so they could be managed accordingly and increase the likelihood of success on these opportunities.

While key performance indicators (KPIs) can help an organization understand how well it is performing in relation to its strategic objectives, key risk indicators (KRIs) are leading indicators of risks to business performance. (See Exhibit 14.11.)

Zurich's ERM tools can add value by helping to determine and embed KRIs within an operations to provide an early warning that potential risks are on the rise. Some examples of Zurich using KRIs to monitor risks are in the areas of natural catastrophe risks (percentage of group shareholder equity), asset-liability matching (duration mismatch), strategic asset allocation (mix of investment across categories), and credit risk (weighted average credit rating).

Zurich has the opportunity to create value through business resiliency as well, which addresses disruption to business operations. It can use a combination of modeling software, supply chain risk assessment software, and business continuity gap analysis techniques to evaluate its exposure. It has recently appointed a supply chain risk officer, who reports into Zurich's CRO organization and is tasked with finding the appropriate balance between cost and reliability. It has a business continuity planning team throughout its operating regions, and maintains a robust network of champions within the business, trained to return the business to operation quickly and efficiently after a disruption. The business continuity team regularly exercises a variety of plans to ensure that Zurich can be ready for many potential risk situations. Stress-testing activities take place in parallel to ensure that the network is prepared to shift workload, deploy contingencies, and remain operational, particularly when customers may have suffered from the same event.

With new projects or product development opportunities, Zurich can also use its Total Risk Profiling (TRP) tool to evaluate risk scenarios that may prevent it from delivering on time, on budget, and with the expected results. Completion of a TRP analysis is normally required as part of most requests for project approval and budget. Improvement actions are assigned to risk owners during TRP sessions, and monitored regularly to ensure risk reduction. The TRP tool can also help with quantifying the potential exposure and risk tolerance level. For example, TRP was used as an analysis tool before considering outsourcing IT services, helping to vet the solution as a viable alternative. The risk assessment team assigned risk improvement actions to individuals, and proceeded with the project. The TRP was regularly updated and benchmarked throughout the course of the project, as risks changed and new ones surfaced. The TRP assessment can even be used as a yes/no decision gate during the project phases to help determine that the expected project benefits still outweigh the risks.

The TRP methodology can also be used at the board and senior management levels to help develop strategic (top-down) scenarios that can be applied consistently during operational (bottom-up) assessments across the enterprise. This has helped to ensure uniform handling of certain systemic issues and exposures to better balance the risks and rewards of new opportunities. It is very important to Zurich to set financial parameters around managing current risk issues and guiding key business decisions going forward. The TRP process can build team commitment and focuses management expertise on dedicating resources to mitigate those risks that are outside the risk tolerance level and pose the greatest barriers to achieving corporate objectives.

Another use of the TRP methodology is its employment in a risk tolerance workshop. Establishing a corporate risk tolerance is a critical step in helping increase business controls and profitability across an enterprise. The corporate risk boundary provides a clear indication of both an acceptable risk appetite for new opportunities and an unacceptable risk threshold for downside cost on potential exposures. Risk tolerance is often defined as the level of variability that an organization is willing to accept in its aggregate earnings and capital value at risk (VaR) limits. It is essential to both define and apply corporate risk tolerance in order to prioritize the most critical areas for risk improvement. The risk appetite at Zurich is set by senior management, and then broadly articulated and followed by business and functional areas.

Zurich's ERM program also contributes to its core business through the processes and procedures to review customer risks. Zurich performs credit checks to monitor collateral and financial viability of many of its customers and suppliers. Its cross-divisional Emerging Risk Group is tasked with scanning the horizon for new exposures that may impact Zurich and its customers. Zurich reviews customers' loss control techniques and provides best practices guidance through nearly 1,000 risk engineers who specialize in safety and operational risks around the world, serving the dual purpose of supporting customers' needs as well as protecting Zurich's own portfolio. Last, accumulations within Zurich's risk portfolio are monitored via a database to identify areas of disproportionate exposure to a single company, industry, supplier, or geographic location.

CONCLUSION

Every organization's directors and officers will approach ERM differently in order to achieve their unique objectives. Zurich has taken many steps to help develop a strong and effective ERM program. This program did not emerge overnight, but today Zurich views its ERM program as a competitive advantage well worth the investment. Despite having embedded a robust program into the fabric of its business, Zurich does not rest on its laurels. The program is constantly scrutinized in search of better ways to identify, assess, manage, and monitor Zurich's key risks. The company has even developed an ERM Gap Analysis that can be done yearly to help determine risk maturity and focus on its top areas for improvement. The organization's management continuously looks for opportunities to create a closer partnership between ERM and the core business, so that its ERM team is ready to consult and assist the business in understanding risk in pursuit of profit. ERM is certainly a long journey defined by many paths, but one that can continue to yield tremendous benefits for the organization.

APPENDIX

Internally, Zurich uses its Risk-Based Capital (RBC) model, which also forms the basis of the SST model. The RBC model targets a total capital level that is calibrated to an AA-rated financial strength. Zurich defines RBC as being the capital required to protect the Group's policyholders in order to meet all of their claims with a confidence level of 99.95 percent over a one-year time horizon.

While the Group's RBC model and the SST model are broadly the same, the following is a summary of the main differences between the three approaches:

• Model calibration. The RBC calibration is based on a value at risk at a 99.95 percent confidence level, whereas SST calibration is based on an expected shortfall at a 99 percent confidence level. The Group thereby sets itself a higher financial strength target than the SST regulatory requirement.
• Scope. Operational and business risks for General Insurance are reflected in RBC, but are not required in SST.
• Market/ALM risk. The extreme scenario for market/ALM risk in RBC is directly attributed to that risk, whereas extreme scenarios in SST are aggregated to the combination of all risk types. This treatment of the extreme scenario in the RBC model leads to a more conservative result than in the SST model.
• Available financial resources (AFR). Senior debt is included in AFR for RBC purposes, but not included in AFR for the SST calculation.

Zurich uses RBC to assess the economic capital consumption of its business in a one-balance-sheet approach. The RBC framework is an integral part of how Zurich is managed. The RBC framework is embedded in Zurich's organization and decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication.

Zurich compares RBC to its AFR to derive an economic solvency ratio. AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the IFRS shareholders' equity to reflect the full economic capital base available to absorb any unexpected volatility in the Group's business activities.

At a Group level, the management committees dealing with risks are:

• The Group Balance Sheet Committee (GBSC) acts as a cross-functional body whose main function is to control the activities that materially affect the balance sheets of the Group and its subsidiaries. The GBSC is charged with setting the annual capital and balance sheet plans for the Group based on the Group's strategy and financial plans, as well as recommending specific transactions or unplanned business changes to the Group's balance sheet. The GBSC has oversight of all main levers of the balance sheet, including capital management, reinsurance, asset/liability management, and liquidity. The GBSC reviews and recommends the Group's overall risk tolerance. It is chaired by the CEO.
• The Group Finance and Risk Committee (GFRC) acts as a cross-functional body for financial and risk management matters in the context of the strategy and the overall business activity of the Group. The GFRC oversees financial implications of business decisions and the effective management of the Group's overall risk profile, including risks related to insurance, financial markets and asset/liability, and credit and operational risks, as well as their interactions. The GFRC proposes remedial actions based on regular briefings from Group Risk Management on the risk profile of the Group. It reviews and formulates recommendations for future courses of action with respect to potential mergers and acquisitions (M&A) transactions, changes to the Zurich Risk Policy, internal insurance programs for the Group, material changes to the Group's risk-based capital methodology, and the overall risk tolerance. The GFRC is chaired by the chief financial officer, while the chief risk officer acts as deputy.

The management committees rely on output provided by technical committees, including:

• The Asset/Liability Management and Investment Committee (ALMIC) deals with the Group's asset/liability exposure and investment strategies and is chaired by the chief investment officer.
• The General Insurance Global Underwriting Committee (GUC) acts as a focal point for underwriting policy and related risk controls for General Insurance and is chaired by the Global Chief Underwriting Officer for General Insurance.
• The Group Reinsurance Committee (GRC) defines the Group's reinsurance strategy in alignment with its risk framework and is chaired by the Global Head of Group Reinsurance.

ABOUT THE CONTRIBUTORS

Linda Conrad is Director of Strategic Business Risk Management for Zurich. She leads a global team responsible for delivering tactical solutions to Zurich and to customers on strategic issues such as business resilience, supply chain risk, enterprise risk management (ERM), risk culture, and Total Risk Profiling. Linda also addresses enterprise resiliency issues in print and television appearances, including CNBC, Fox Business News, and the Financial Times, and is featured in a Wall Street Journal microsite at www.supplychainriskinsights.com.

Linda holds a Specialist designation in ERM, and serves on the global Education Advisory Board of the Institute of Risk Management in London. Linda is deputy member of the ERM Committee of the Risk and Insurance Management Society (RIMS), sits on the Supply Chain Risk Leadership Council, and was chairwoman of the Asian Risk Management Conference. She taught at the University of Delaware Captive program and in the Master's on Supply Chain Management program at the University of Michigan's Ross School of Business, where she serves on the Corporate Advisory Council. Linda studied at the Graduate Institute of International Studies in Geneva, Switzerland, and Fox Business School.

Kristina Narvaez is the president and owner of ERM Strategies, LLC, which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 30 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She teaches a Business Strategy class at Brigham Young University.

REFERENCES

1. Bugalla, John, Linda Conrad, and Kristina Narvaez. 2013. Presentation given at Risk and Insurance Management Society Annual Conference in Los Angeles, April 22.
2. Conrad, Linda. 2013. Presentation given at Risk and Insurance Management Society ERM Conference in San Francisco, November 4.
3. Zurich Insurance Group. 2012. Zurich Risk Report.

ABOUT THE CONTRIBUTORS

Linda Conrad is Director of Strategic Business Risk Management for Zurich. She leads a global team responsible for delivering tactical solutions to Zurich and to customers on strategic issues such as business resilience, supply chain risk, enterprise risk management (ERM), risk culture, and Total Risk Profiling. Linda also addresses enterprise resiliency issues in print and television appearances, including CNBC, Fox Business News, and the Financial Times, and is featured in a Wall Street Journal microsite at www.supplychainriskinsights.com.

Linda holds a Specialist designation in ERM, and serves on the global Education Advisory Board of the Institute of Risk Management in London. Linda is deputy member of the ERM Committee of the Risk and Insurance Management Society (RIMS), sits on the Supply Chain Risk Leadership Council, and was chairwoman of the Asian Risk Management Conference. She taught at the University of Delaware Captive program and in the Master's on Supply Chain Management program at the University of Michigan's Ross School of Business, where she serves on the Corporate Advisory Council. Linda studied at the Graduate Institute of International Studies in Geneva, Switzerland, and Fox Business School.

Kristina Narvaez is the president and owner of ERM Strategies, LLC, which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 30 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She teaches a Business Strategy class at Brigham Young University.