Pursuing mergers and acquisitions is a strategic growth tool for many businesses, including insurers. However, due to limited resources and capital constraints, opportunities must be assessed alongside alternative growth strategies, which could include creating a new product, going into a new territory or adding a distribution system.
Unlock More
About our ‘A Year in the Life of the Strategic CRO’ series
As a part of the strategy selection process, someone will be tasked with assessing the potential to achieve the objectives for new sales or customers or whatever the goal. Someone will be tasked with assessing the likely costs of the new activity, while someone will need to assess the likelihood of achieving the target return on investment. And if it is not already part of the due diligence process, a key strategic role for enterprise risk management (ERM) would be to assess the risk, proposed mitigations and controls and expected profit compared to the risk.
This review could answer questions such as:
- What are the inherent risks of the new strategy?
- Are those risks adding to the insurer’s highest risk concentrations or are they diversifying?
- What are the key risks to delivery/implementation of the strategy?
- What mitigations and controls are proposed?
- Do these require new expertise?
- What is the impact of the new strategy on risk profile with mitigations in place?
- How does the residual risk level compare to other current activities?
- Risk / premiums – average, range
- Risk / asset value – average, range
- How do the expected profits compare to risk?
- Year one, year two, year three?
- How does this compare to company standards and to other strategies?
- When is return on risk expected to be comparable to current activities?
- Are we prepared to monitor:
- Compliance with proposed mitigations and controls?
- Amount of additional risk?
- On a timely enough basis to catch and fix any problems?
Data based on a Willis Towers Watson survey of webinar participants, December 2018
However, M&A activity also has unique characteristics that must be assessed alongside the more generic strategy evaluation process. If the deal is sizeable enough, the buying firm will inflict a massive change to its own environment. The key question for ERM becomes not simply whether the characteristics of the acquisition target fit the risk profile of the buyer, but even more fundamentally whether the buyer’s risk management and reporting tools will be able to function adequately in the combined firm. This question has financial and cultural implications for each phase of the M&A process.
Due diligence phase
Risk profile and appetite
Best practice for the acquiring firm is to assess the risk profile of the acquired firm at the time of an agreement of sale. In practice this assessment often relies on an actuarial appraisal at a prior valuation date, so particular care should be given to the process used to roll this valuation forward to the acquisition date.
In addition, the acquiring firm should have a clear idea of how acceptable the resulting risk profile of the combined firms will be and how the new risk profile compares with the risk appetite and preferences of each firm before the merger. If, in any way, the resultant risk profile is unacceptable, the acquiring firm should have a plan to achieve an acceptable risk profile. Moreover, if the acquisition results in a major adjustment to the risk tolerance of the newly formed entity, its management should be prepared to explain the reasons for this adjustment.
Throughout the due diligence process, the acquiring firm's management can be expected to refine its view of the risk profile and make adjustments as needed. An especially important aspect of the risk profile during this phase is developing a full awareness of any risks that were not fully disclosed or understood during the negotiation phase. Active risk management often requires the acquiring firm to be aggressive in this search for such items that would include, for example, off-balance-sheet risks such as litigation risks.
Risk adjusted return
The history of reported profit for the target company will be well known, but the risk adjusted return may not be. The CRO should look at combining the analysis performed with the reported returns to be able to report the risk adjusted returns of the target company by major lines of business. With this information, management can assess whether the profits achieved by the target company were poor/appropriate/superior when adjusted for the level of risks taken. In addition, the CRO can show how those returns might change after accounting for the impact of the changes in diversification (either plus or minus) that will occur because of the merger.
Assess risk management system
At the end of the due diligence phase, the CRO should be able to identify the quality of the risk management system of the firm being acquired. The CRO needs to draw up specific risk management plans for the merged operations. Such plans should include details about what risk management activities should be performed and by which group from the firm being acquired or the acquiring firm’s ERM teams or from a newly formed joint group.
For example, would the acquired firm continue with its past practices or incorporate new ones from the acquiring firm? Would a combination of practices from both firms be more effective? Also, which firm's staff will be primarily accountable for the newly merged firm's risk management system? There is quite a bit of danger in leaving risk management planning until after the merger.
Implementation Phase
Integration of risk management
During this phase, important implementation issues to discuss include which key employees should be retained and the degree to which the newly created firm is able to add staff or to streamline operations for which there are overlaps without creating operational holes.
One important ERM consideration for the acquiring firm is whether it plans to transition the newly acquired business from one control system to another, in which there may be periods during which there are no controls. This is a particular concern if the acquired business has risks to which the acquiring firm is not familiar. There have been many instances of newly acquired businesses that have mandates to grow by a new owner that does not understand the risks they have acquired or because of physical or organizational distances does not exercise adequate risk controls.
In addition, cultural clashes may increase the probability of turnover among the risk management staff immediately before or after the acquisition, emphasizing the need for risk mitigation programs to increase training and reduce dependency on key individuals.
Drivers of value destroying acquisitions
Finally, the CRO should be careful to seek to avoid these common drivers of losses:
- Inadequate assessment of asset quality, including investments and reinsurance receivables
- Quality of underwriting portfolio management and underwriting expertise not assessed
- Inability to articulate clearly a combined risk appetite
- Inadequate assessment of credit and counterparty exposure
- Failure to assess fully market risks
- Failure to assess regulatory and political risk, including mandatory approvals and requirements
- No assessment of economic conditions or foreign exchange exposures
- Back office and internal control weaknesses not identified
- Failure to meet strategic goals and projected cost savings (This may arise if businesses are incompatible or a loss of management focus on the core business.)
- Goodwill or intangible assets overvalued, making return hurdles difficult
- Excessive optimism in evaluating future business growth prospects that could drive excessive risk taking to achieve unrealistic growth goals
- Failure to retain key staff in operating and risk management positions and sales staff
- Excess focus on short-term earnings accretion rather than long-term value
- Outstanding claims, contingent liabilities and unexpired risks not accurately quantified
- Failure to determine the impact on group exposures and aggregates especially in terms of high-risk coverage
- Failure to migrate to a more favorable distribution system or provider network if this was part of the rationale for acquisition
- Inability to integrate different types of sales channels, such as brokerage and career forces
Mergers and acquisitions can be fraught with risks, but the strategic CRO will see the opportunity for risk management to not only steer the organization away from potential pitfalls but also to raise the function’s profile by providing greater clarity about newly acquired risks in the context of overall strategy.
Previously in the A Year in the Life of the Strategic CRO series: 3 factors that make silent cyber risk so challenging for CROs