2016 MI IASA SPRING CONFERENCE
ENTERPRISE RISK MANAGEMENT
Wes Sims, Auto Club Group
April 20, 2016
TODAY’S AGENDA
- Introductions
- What is Enterprise Risk Management (ERM) and why is it important to an organization?
- Own Risk and Solvency Assessment (ORSA) and other legislation
- A.M. Best changes
- Case study
- Questions and discussion
WHAT IS ERM?
Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management and other personnel towards strategy setting across the enterprise, designed to identify potential events that may adversely affect the entity, and maximize risk taking to be within a specified risk appetite.
Based on COSO (Committee of Sponsoring Organizations of the Treadway Commission)
WHAT IS ERM?
ERM IS:
- A framework to ensure clear accountability and ownership of risk
- Elimination of silos and a focus on risk-related interdependencies across departments
- Required by regulators and rating agencies
- Often focused only on Key Risks and significant potential risks
- Assurance of consistent and accurate assessment of risk
- Assurance of response plans
- A mechanism for reporting on risk exposure and the escalation process
- A continuously improving and evolving journey
ERM SHOULDN’T:
- Own the actual management of risk, but rather the evaluation of risk taking, and the measurement, monitoring and mitigation of risk exposure
WHY ERM?
- Improves decision making and understanding of risks within an organization
- Reduces the downside in the volatility of earnings
- Supports preservation and better deployment of capital
- Satisfies regulatory requirements
- Enhances a risk-based culture throughout the organization
- Eliminates a siloed approach to risk management
- Provides a common taxonomy for risk discussion within an organization
- Provides structure, governance and parameters around risk taking
WHY ERM – HOLISTIC APPROACH
Imagine an F5 tornado hitting insured homes, businesses and vehicles:
- There obviously will be claims
- But what about:
  - Loss of company offices and facilities due to outages or physical damages (is there an effective Business Continuity Plan and insurance on company property?)
  - Employees may not be able to get to work or service claims due to flooding and road blockages
  - Outreach from Public Relations to insureds at the critical initial moments
RESPONSE PLANS ARE KEY, AND NEED TO BE DONE HOLISTICALLY FOR SUCCESSFUL EXECUTION!
RISK PYRAMID
(Figure: pyramid with levels Culture, Engagement, Success. Source: daftblogger.com)
ERM PROCESSES
ERM can be defined as a process because it is a series of continuous actions performed in a defined manner. ERM is not just a policy that is adopted, but a perpetual cycle that pervades the culture of an organization.
Questions posed in the process cycle diagram:
- How do we determine the size and scope of the risk?
- How well do we manage the risks?
- What are the absolute limits of risk we can handle?
- How much risk are we willing to take to achieve our objectives?
- What are the key metrics and information that will indicate risk exposure?
- How good are we at overseeing risk taking?
- What are we doing about the risk? What will we do if it occurs?
- How do we ensure we have the right information to manage risk and risk taking?
(Figure: process cycle with components Monitoring/Mitigation, Risk Data & Infrastructure, Risk Appetite/Tolerance, Stress Testing)
TYPES OF RISK
- Asset Risk: Market, Counterparty, Credit
- Insurance Risk: Underwriting, Pricing, Catastrophe, Reserving, Claims, Regulatory
- Operational Risk: Legal, Cybersecurity/IT, Personnel, Hazard, Compliance
- Strategic Risk: Competitor, Consumer, Planning and Execution
APPETITE, TOLERANCE AND LIMITS
One approach…
- Risk Appetite/Target Returns: The desired strategic returns of the organization
- Enterprise Risk Tolerance: The amount of overall risk the organization is willing to accept to achieve desired goals
- Key Risks: Individual risks identified as being most significant to the organization based upon a combination of impact and likelihood factors
- Key Risk Tolerances: The portion of overall risk tolerance allocated to a specific risk or risk area
- Key Risk Metrics: Metrics specific to a key risk which provide an indication of varying levels of risk exposure
- Key Risk Limits: The threshold or range which, when hit by a risk metric, indicates exposure to risk beyond the key risk tolerance
3 LINES OF DEFENSE
FIRST LINE OF DEFENSE: Risk Identification, Assessment and Management at the operational level. Role: Manage Risk and Work Towards Operational and Company Goals within Risk Tolerances and Limits
SECOND LINE OF DEFENSE: Enterprise Risk Management Function, Risk Committees, Risk Governance. Role: Oversight of Enterprise Risk Management Activities
THIRD LINE OF DEFENSE: Internal Audit, Compliance. Role: Ensure an Effective ERM Program is in Place
ERM STEPS
Inventory → Assess → Prioritize → Plan → Monitor → Mitigate → Control → Report → Repeat
(Continual Assessment and Monitoring throughout the cycle)
INVENTORY AND ASSESS
Gather Information on Risks to the Organization:
- Interviews
- Surveys
- Research
- Historical and Industry Data
INVENTORY AND ASSESS
Determine:
- Impact
- Likelihood
- Controls in Place
- Monitoring and Measurement
- Gaps
- Established Limits
PRIORITIZE
(Figure: 5×5 risk matrix, Likelihood (1–5) against Impact (1–5), plotting Gross Risk and Residual Risk)
PRIORITIZE
Risk ranking (Gross and Residual columns shown on the slide):
1. One in 1000 year tornado hits policyholder footprint
2. Adverse reserve development occurs
3. Large class action lawsuit is filed
4. Cyber attack steals all policyholder data
5. Equities lose 40% of value
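The prioritize step above scores each inventoried risk on the likelihood/impact matrix twice: gross (before controls) and residual (after the controls in place), and the appetite/tolerance/limits slide pairs each key risk with a metric and a limit. The following is an added example, not code from the presentation or from Auto Club Group, that carries that procedure through in Python: it scores the five risks named on the slide, ranks them by gross and by residual exposure, and flags any key risk whose metric has hit its limit. Every likelihood, impact, control-effectiveness, metric and limit value is constructed for illustration; the slide gives none of them.

```python
"""Gross vs residual risk scoring on a 5x5 likelihood/impact matrix.

Added example, not from the presentation. The five risk names are the ones
listed on the slide; every likelihood, impact, control-effectiveness, metric
and limit value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Risk:
    name: str
    likelihood: int                     # 1 (remote) .. 5 (almost certain), before controls
    impact: int                         # 1 (minor) .. 5 (severe), before controls
    control_effectiveness: float = 0.0  # 0.0 (no controls) .. 1.0 (fully mitigated)
    metric: Optional[float] = None      # current reading of the key risk metric
    limit: Optional[float] = None       # key risk limit for that metric

    def __post_init__(self) -> None:
        # Reject scores off the matrix so a typo cannot quietly distort the ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")

    def gross(self) -> int:
        """Inherent risk: likelihood x impact with no credit for controls in place."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after controls, scaled by how effective they are."""
        return round(self.gross() * (1.0 - self.control_effectiveness), 1)

    def limit_breached(self) -> bool:
        """A metric at or beyond its key risk limit signals exposure beyond tolerance."""
        if self.metric is None or self.limit is None:
            return False
        return self.metric >= self.limit


def build_register() -> List[Risk]:
    """Constructed sample register; the numbers are illustrative, not the presenter's."""
    return [
        Risk("One in 1000 year tornado hits policyholder footprint", 1, 5, 0.6),
        Risk("Adverse reserve development occurs", 3, 4, 0.5),
        Risk("Large class action lawsuit is filed", 2, 4, 0.25),
        # Constructed metric: count of critical security findings open more than 30 days.
        Risk("Cyber attack steals all policyholder data", 3, 5, 0.4, metric=12, limit=10),
        # Constructed metric: equities as a share of invested assets.
        Risk("Equities lose 40% of value", 2, 3, 0.5, metric=0.22, limit=0.25),
    ]


def _ranked(risks: List[Risk], key: Callable[[Risk], tuple]) -> List[str]:
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def rank_gross(risks: List[Risk]) -> List[str]:
    """Names ordered by inherent risk, highest first (residual breaks ties)."""
    return _ranked(risks, lambda r: (r.gross(), r.residual()))


def rank_residual(risks: List[Risk]) -> List[str]:
    """Names ordered by risk left after controls, highest first (gross breaks ties)."""
    return _ranked(risks, lambda r: (r.residual(), r.gross()))


def breached_limits(risks: List[Risk]) -> List[str]:
    """Risks whose key risk metric has hit its limit and therefore need escalation."""
    return [r.name for r in risks if r.limit_breached()]


if __name__ == "__main__":
    register = build_register()
    print(f"{'Risk':<55} {'L':>2} {'I':>2} {'Gross':>6} {'Residual':>9}")
    for r in sorted(register, key=lambda r: r.residual(), reverse=True):
        print(f"{r.name:<55} {r.likelihood:>2} {r.impact:>2} {r.gross():>6} {r.residual():>9}")
    print("Gross ranking:   ", rank_gross(register))
    print("Residual ranking:", rank_residual(register))
    print("Limit breaches:  ", breached_limits(register))
```

Running the script prints the register sorted by residual score, then both rankings and the list of limit breaches. The point of keeping both orderings is the one the slide makes: a risk that ranks low on residual exposure because controls such as reinsurance or a Business Continuity Plan are in place still ranks high on gross exposure, so the control set itself becomes something to test and monitor rather than a reason to drop the risk from the register.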
PLAN, MONITOR, MITIGATE, CONTROL
- Develop risk responses
- Establish/refine tolerances, limits and metrics
- Perform stress testing
- Evaluate measurements against limits and tolerances through continuous monitoring
- Evaluate, employ and test mitigation and controls such as:
  - Internal processes and procedures
  - Insurance and reinsurance
  - Business Continuity Plan
REPORTING
- ERM requires reporting at regular intervals to the Board of Directors, the CEO and Senior Management on the status of and exposure to the various risks that significantly threaten the organization
- External reporting is also required of insurers
REGULATORY UPDATES / ORSA
- Own Risk and Solvency Assessment (ORSA): passed in Michigan in December 2015; becomes effective in 2018
- Related legislation: Enterprise Risk Report (Form F); Corporate Governance Annual Disclosure
ORSA
- Promulgated by NAIC in its Risk Management and Own Risk and Solvency Assessment Model Act (#505)
- “A confidential, internal assessment…conducted by [the] insurer of the material and relevant risks associated with an insurer’s current business plan and the sufficiency of capital resources to support those risks”
- A component of the ERM framework, ORSA has two primary goals:
  - Foster effective ERM at all insurers
  - Provide a group-level perspective on risk and capital, as a supplement to the existing legal entity view
ORSA
- Applies to: individual entity’s premium is greater than $500 million and/or insurer group’s premium is greater than $1 billion
- Can be required by the commissioner even if you don’t meet the threshold
- Adoption: 35 states have adopted the legislation
- Provided to: the company’s Board of Directors, and signed by the Chief Risk Officer
ORSA
Summary Report Major Areas:
- Section 1 – Description of the Insurer’s Risk Management Framework
- Section 2 – Insurer’s Assessment of Risk Exposure
- Section 3 – Group Risk Capital and Prospective Solvency Assessment
ORSA
SECTION 1 – DESCRIPTION OF THE INSURER’S RISK MANAGEMENT FRAMEWORK
- Provide a summary of the insurer’s ERM process
- Regulator may review (and the report may reference) supporting materials:
  - Underwriting & claims policies
  - Investment policies
  - Reinsurance program
- Most aspects of section 1 of the report would not change significantly from year to year
- Effective strategy is to incorporate other policies (which are dynamic) by reference, to avoid having to update the ORSA report
ORSA
SECTION 1 – DESCRIPTION OF THE INSURER’S RISK MANAGEMENT FRAMEWORK
- General statement that an effective ERM should be based on the five principles:
  - Risk culture and governance
  - Risk tolerance and appetite framework
  - Risk identification and prioritization
  - Risk management and controls
  - Risk reporting and communication
ORSA
SECTION 2 – INSURER’S ASSESSMENT OF RISK EXPOSURE
- Quantitative and/or qualitative assessments of risk exposure in both normal and stressed environments for each material risk category
- Detailed descriptions and explanations of risks, assessment methods used, key assumptions and outcomes
- No risk quantification method is prescribed; it should be consistent with the way in which the business is managed
- May include impact of stresses on capital; consider risk capital requirements, available capital, and regulatory, economic, rating agency or other views of capital
- Demonstrate the process for model validation, including factors considered and model calibration
ORSA
SECTION 3 – GROUP RISK CAPITAL AND PROSPECTIVE SOLVENCY ASSESSMENT
- Group risk capital assessment – test aggregate available capital to determine sufficiency to withstand various risks, individually and collectively – not a regulatory minimum amount (not RBC)
- Prospective solvency assessment – demonstrate that financial resources are available to execute the multi-year business plan in accordance with risk appetite
- Capital adequacy assessment process integrated into the management and decision making culture
- Projection of future financial position should include economic and regulatory capital given current risk profile, management policy, quality and level of capital, considering normal and stressed scenarios
RATING AGENCY UPDATES
- A.M. Best moving to stochastic BCAR
- P&C carriers are now receiving recalculations of 2014
- Focus on solvency at multiple confidence intervals to test ability to handle various levels of adverse results
- Looks at risk from: Catastrophes; Market Losses (interest rates, default, equities, etc.); Pricing and Reserving; Credit Exposure
CASE STUDY ~ VOLKSWAGEN
In September 2015, the Environmental Protection Agency (EPA) discovered a so-called “defeat device” in Volkswagen’s (VW) diesel engine that was programmed to improve the engine’s performance results during testing. Once on the road, the engines switched out of this test mode.
The result? Engines emitted pollutants up to 40 times above what is allowed in the US.
http://www.bbc.com/news/business-34324772
CASE STUDY ~ VOLKSWAGEN
Strong enterprise risk management practices would have helped. This scandal highlights the domino effect of poor risk management in the following ways:
- Investment risk: diesel engine technology did not meet emissions performance objectives
- Employee/people risk: scheme hatched to cover up poor performance, resulting in CEO resignation
- Reputational risk: loss of public trust and market share
- Compliance risk: fines and recalls
- Financial risk: fines and loss of sales
- Legal risk: legal penalties and lawsuits
CASE STUDY ~ VOLKSWAGEN
This could have been avoided if VW had implemented a strong ERM program by:
- Developing mitigation plans for technology failures
- Establishing controls to prevent unethical behavior
- Conducting routine risk assessments for all risk areas to uncover issues in time to take corrective actions
- Approaching risks holistically, involving all risk areas to ensure that the risks were fully reviewed and communicated from all angles
QUESTIONS?
Thank you!