2016 MI IASA SPRING CONFERENCE ENTERPRISE RISK … Risk... · 5 WHY ERM? Improves decision making...

2016 MI IASA SPRING CONFERENCE ENTERPRISE RISK MANAGEMENT Wes Sims Auto Club Group April 20, 2016


2016 MI IASA SPRING CONFERENCE
ENTERPRISE RISK MANAGEMENT

Wes Sims
Auto Club Group

April 20, 2016


TODAY’S AGENDA

- Introductions
- What is Enterprise Risk Management (ERM) and why is it important to an organization?
- Own Risk and Solvency Assessment (ORSA) and other legislation
- A.M. Best Changes
- Case study
- Questions and Discussion


WHAT IS ERM?

Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management and other personnel towards strategy setting across the enterprise, designed to identify potential events that may adversely affect the entity, and maximize risk taking to be within a specified risk appetite.

Based on COSO (Committee of Sponsoring Organizations of the Treadway Commission)


WHAT IS ERM?

ERM IS:
- A framework to ensure clear accountability and ownership of risk
- Elimination of silos and a focus on risk-related interdependencies across departments
- Required by regulators and rating agencies
- Often focused only on Key Risks and significant potential risks
- Assurance of consistent and accurate assessment of risk
- Assurance of response plans
- A mechanism for reporting on risk exposure and the escalation process
- A continuously improving and evolving journey

ERM SHOULDN’T:
- Own the actual management of risk, but rather the evaluation of risk taking, and measurement, monitoring and mitigation of risk exposure


WHY ERM?

- Improves decision making and understanding of risks within an organization
- Reduces the downside in the volatility of earnings
- Supports preservation and better deployment of capital
- Satisfies regulatory requirements
- Enhances a risk-based culture throughout the organization
- Eliminates a siloed approach to risk management
- Provides common taxonomy for risk discussion within an organization
- Provides structure, governance and parameters around risk taking


WHY ERM – HOLISTIC APPROACH

Imagine an F5 tornado hitting insured homes, businesses and vehicles:
- There obviously will be claims
- But what about:
  - Loss of company offices and facilities due to outages or physical damages (is there an effective Business Continuity Plan and insurance on company property)
  - Employees may not be able to get to work or service claims due to flooding and road blockages
  - Outreach from Public Relations to insureds at the critical initial moments

RESPONSE PLANS ARE KEY, AND NEED TO BE DONE HOLISTICALLY FOR SUCCESSFUL EXECUTION!


RISK PYRAMID

[Figure: risk pyramid with the labels CULTURE, ENGAGEMENT and SUCCESS. Source: daftblogger.com]

Presentation Notes:
- A risk-based culture is the cornerstone of a solid Enterprise Risk Management Program
- Successful ERM begins with “Tone at the Top” and trickles downward
- All employees think about risk from a holistic perspective, and within a specific tolerance level
- Information is shared and efforts are collaborative
- Employees have awareness of the program

ERM PROCESSES

ERM can be defined as a process because it is a series of continuous actions performed in a defined manner. ERM is not just a policy that is adopted, but a perpetual cycle that pervades the culture of an organization.

- How do we determine the size and scope of the risk?
- How well do we manage the risks?
- What are the absolute limits of risk we can handle?
- How much risk are we willing to take to achieve our objectives?
- What are the key metrics and information that will indicate risk exposure?
- How good are we at overseeing risk taking?
- What are we doing about the risk? What will we do if it occurs?
- How do we ensure we have the right information to manage risk and risk taking?

[Diagram labels: MONITORING/MITIGATION; RISK DATA & INFRASTRUCTURE; RISK APPETITE/TOLERANCE; STRESS TESTING]


TYPES OF RISK

- Asset Risk: Market, Counterparty, Credit
- Insurance Risk: Underwriting, Pricing, Catastrophe, Reserving, Claims, Regulatory
- Operational Risk: Legal, Cybersecurity/IT, Personnel, Hazard, Compliance
- Strategic Risk: Competitor, Consumer, Planning and Execution


APPETITE, TOLERANCE AND LIMITS

One approach…

- Risk Appetite/Target Returns: The desired strategic returns of the organization
- Enterprise Risk Tolerance: The amount of overall risk the organization is willing to accept to achieve desired goals
- Key Risks: Individual risks identified as being most significant to the organization based upon a combination of impact and likelihood factors
- Key Risk Tolerances: The portion of overall risk tolerance allocated to a specific risk or risk area
- Key Risk Limits: The threshold or range that, when hit by a risk metric, indicates exposure to risk beyond the key risk tolerance
- Key Risk Metrics: Metrics specific to a key risk which provide an indication of varying levels of risk exposure


3 LINES OF DEFENSE

FIRST LINE OF DEFENSE:

Risk Identification, Assessment and Management at the operational level

SECOND LINE OF DEFENSE:

- Enterprise Risk Management Function
- Risk Committees
- Risk Governance

THIRD LINE OF DEFENSE:

- Internal Audit
- Compliance

Manage Risk and Work Towards Operational and Company Goals within Risk Tolerances and Limits

Oversight of Enterprise Risk Management Activities

Ensure an Effective ERM Program is in Place


ERM STEPS

- Inventory
- Assess
- Prioritize
- Plan
- Monitor
- Mitigate
- Control
- Report
- Repeat

Continual Assessment and Monitoring


INVENTORY AND ASSESS

Gather Information on Risks to the Organization:
- Interviews
- Surveys
- Research
- Historical and Industry Data


INVENTORY AND ASSESS

Determine:
- Impact
- Likelihood
- Controls in Place
- Monitoring and Measurement
- Gaps
- Established Limits


PRIORITIZE

[Figure: chart with axes Likelihood and Impact; plotted points 1–5 and 1’–5’; legend: GROSS RISK, RESIDUAL RISK]


PRIORITIZE

1. One in 1000 year tornado hits policyholder footprint

2. Adverse reserve development occurs

3. Large class action law suit is filed

4. Cyber attack steals all policyholder data

5. Equities lose 40% of value

RISK RANKING

Gross Residual


PLAN, MONITOR, MITIGATE, CONTROL

- Develop risk responses
- Establish/refine tolerances, limits and metrics
- Perform stress testing
- Evaluate measurements against limits and tolerances through continuous monitoring
- Evaluate, employ and test mitigation and controls such as:
  - Internal processes and procedures
  - Insurance and reinsurance
  - Business Continuity Plan


REPORTING

- ERM requires reporting at regular intervals to the Board of Directors, the CEO and Senior Management on the status of and exposure to the various risks that significantly threaten the organization
- External reporting is also required of insurers


REGULATORY UPDATES / ORSA

Own Risk and Solvency Assessment (ORSA)
- Passed in Michigan in December 2015
- Becomes effective in 2018

Related Legislation
- Enterprise Risk Report (Form F)
- Corporate Governance Annual Disclosure


ORSA

- Promulgated by NAIC in its Risk Management and Own Risk and Solvency Assessment Model Act (#505)
- A confidential, internal assessment…conducted by [the] insurer of the material and relevant risks associated with an insurer’s current business plan and the sufficiency of capital resources to support those risks
- A component of ERM framework, ORSA has two primary goals:
  - Foster effective ERM at all insurers
  - Provide a group-level perspective on risk and capital, as a supplement to the existing legal entity view


ORSA

Applies to
- Individual entity’s premium is greater than $500 million and/or
- Insurer group’s premium is greater than $1 billion
- Can be required by commissioner even if you don’t meet threshold

Adoption
- 35 States have adopted the legislation.

Provided to
- Company’s Board of Directors and signed by the Chief Risk Officer


ORSA

Summary Report Major Areas
- Section 1 – Description of the Insurer’s Risk Management Framework
- Section 2 – Insurer’s Assessment of Risk Exposure
- Section 3 – Group Risk Capital and Prospective Solvency Assessment


ORSA

SECTION 1 – DESCRIPTION OF THE INSURER’S RISK MANAGEMENT FRAMEWORK

- Provide a summary of the insurer’s ERM process
- Regulator may review (and the report may reference) supporting materials
  - Underwriting & claims policies
  - Investment policies
  - Reinsurance program
- Most aspects of section 1 of the report would not change significantly from year to year
  - Effective strategy is to incorporate other policies (which are dynamic) by reference to avoid having to update ORSA report


ORSA

SECTION 1 – DESCRIPTION OF THE INSURER’S RISK MANAGEMENT FRAMEWORK

General statement that an effective ERM should be based on the five principles:
- Risk culture and governance
- Risk tolerance and appetite framework
- Risk identification and prioritization
- Risk management and controls
- Risk reporting and communication

Presentation Notes:
General statement that an effective ERM should be based on the five principles:
- Risk culture and governance (links ERM to BOD, Mgmt and operations); describes role of CEO in ERM. Best practice is to create an ERM committee and create a charter for that committee
- Risk tolerance and appetite framework; as we previously discussed in ERM refresher
- Risk identification and prioritization; as we previously discussed in ERM refresher
- Risk management and controls; provide brief descriptions of various risk management functions and processes including: BOD & mgmt. risk management teams, internal and external auditors’ roles and reinsurance protection
- Risk reporting and communication: what reports on risk does mgmt. produce, what reports do the BOD receive on ERM; summary ORSA report (see later) – what are the frequency of such reports

Should describe how it identifies, categorizes, manages risks as it executes its business strategy and how this relates to amount and quality of group risk capital

ORSA

SECTION 2 - INSURER’S ASSESSMENT OF RISK EXPOSURE

- Quantitative and/or qualitative assessments of risk exposure in both normal and stressed environments for each material risk category
- Detailed descriptions and explanations of risks, assessment methods used, key assumptions and outcomes
- No risk quantification method is prescribed; should be consistent with way in which business is managed
- May include impact of stresses on capital; consider risk capital requirements, available capital, regulatory, economic, rating agency or other views of capital
- Demonstrate process for model validation, including factors considered and model calibration


ORSA

SECTION 3 - GROUP RISK CAPITAL AND PROSPECTIVE SOLVENCY ASSESSMENT

- Group risk capital assessment – test aggregate available capital to determine sufficiency to withstand various risks, individually and collectively – not a regulatory minimum amount (not RBC)
- Prospective solvency assessment – demonstrate that financial resources are available to execute multi-year business plan in accordance with risk appetite
- Capital adequacy assessment process integrated into management and decision making culture
- Projection of future financial position should include economic and regulatory capital given current risk profile, management policy, quality and level of capital, considering normal and stressed scenarios

Presentation Notes:
Section 3 requires a group risk capital assessment, prospective solvency assessment, capital adequacy assessment and projections into the future.
- Capital needed to meet business objectives
- Robust capital forecasting capability that supports risk management over planning time horizon
- Management actions taken or planned to remediate any capital adequacy concerns

The biggest challenges arise in the prospective capital and solvency assessment, and in projecting future financial position of the insurance company, especially in stressed scenarios.

RATING AGENCY UPDATES

- A.M. Best moving to stochastic BCAR
- P&C carriers are now receiving recalculations of 2014
- Focus on solvency at multiple confidence intervals to test ability to handle various levels of adverse results
- Looks at risk from:
  - Catastrophes
  - Market Losses (interest rates, default, equities…etc)
  - Pricing and Reserving
  - Credit Exposure


CASE STUDY ~ VOLKSWAGEN

In September 2015, the Environmental Protection Agency (EPA) discovered a so-called “defeat device” in Volkswagen’s (VW) diesel engine that was programmed to improve the engine’s performance results during testing. Once on the road, the engines switched out of this test mode.

The result? Engines emitted pollutants up to 40 times above what is allowed in the US.

http://www.bbc.com/news/business-34324772


CASE STUDY ~ VOLKSWAGEN

Strong enterprise risk management practices would have helped. This scandal highlights the domino effect of poor risk management in the following ways:
- Investment risk: diesel engine technology did not meet emissions performance objectives
- Employee/people risk: scheme hatched to cover up poor performance, resulting in CEO resignation
- Reputational risk: loss of public trust and market share
- Compliance risk: fines and recalls
- Financial risk: fines and loss of sales
- Legal risk: legal penalties and lawsuits


CASE STUDY ~ VOLKSWAGEN

This could have been avoided if VW had implemented a strong ERM program by:
- Developing mitigation plans for technology failures
- Establishing controls to prevent unethical behavior
- Conducting routine risk assessments for all risk areas to uncover issues in time to take corrective actions
- Approaching risks holistically, involving all risk areas to ensure that the risks were fully reviewed and communicated from all angles


QUESTIONS?

Thank you!