MAKING AN IMPACT How GREAT leaders communicate. Jon Harrison [email protected].
An Overview of Risk Management based on a Disclosure from an Annual Report Jon Wu, [email protected]...
-
Upload
stephany-stanley -
Category
Documents
-
view
218 -
download
2
Transcript of An Overview of Risk Management based on a Disclosure from an Annual Report Jon Wu, [email protected]...
An Overview of Risk Management based on a Disclosure from an Annual Report
Jon Wu, [email protected]
November 19, 2014
2
Contents
Organizational Structure
Risk Management
Risk Assessment (Quantitative/Qualitative)
Risk Reporting and Communication
Proprietary
3
Organizational Structure
Proprietary
• We will focus on CRO organization structure, its job responsibility, and its relationship with other department (management and collaboration)
• Keep in mind, no matter where you are in the organizational chart, the bottom line is to create value of the organization under a certain limits (e.g., risk limits – maintain appropriate risk capital level) and let define the value of the company is:
V = EV + PV of FVNB + Intangible
CROCOO
HRLEGAL &
COMPLIANCE
SALES
BoD
AuditCEO
CIO
CFO & Chief Actuary
4
Organizational Structure
Proprietary
• The concept of “three lines of defense”1&2 is important to implement the basic foundation of risk management:• First line: Front line functions such as sales, CFO, CIO, pricing
actuaries, etc.• Second line: Risk and compliance department• Third line: Internal auditor and external auditor
• In Europe, the Pillar II of Solvency II describes Own Risk Solvency Assessment (ORSA). But, it is a principle basis. Insurers have to figure it out themselves.
• In US, NAIC just updated its ORSA manual. Insurance company (depending on its size) may need to adopt the requirements in 2015. Don’t forget SOX already required some kinds of risk management from COSO – ERM.
1. http://www.ey.com/Publication/vwLUAssets/EY-Maximizing-value-from-your-lines-of-defense/$File/EY-Maximizing-value-from-your-lines-of-defense.pdf2. https://
na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
3. http://www.naic.org/store/free/ORSA_manual.pdf
5
Risk Management - Summary
In general, risk management structure consists of Risk Management Framework: Include
governance, standard of Practice (SoP), organizational structure, risk identification, risk appetite, risk tolerance/limit, risk monitoring/control, and reporting, etc.
Risk Assessment (quantitative and qualitative) Risk Disclosure
Proprietary
6
Risk Management - Governance In the governance, company disclose how risk
management is organized. It includes description of various committees and how those committees are functioned and related to each other. Those committees include: Risk Committee ALM Committee Model Validation Committee Models and Assumptions Changes Committee ORM Committee Compliance Committee Finance Committee
Proprietary
7
Risk Management - SoPs SoPs are used to enforce the standards throughout a big
organization in addition to the SoPs and other guidelines specified by various industry group. Examples of SoPs include: EC SoP EC Reporting SoP EV/MCEV SoP EV/MECV Reporting SoP Assumption Setting SoP Product Approval and Review Process SoP New Investment Class Approval and Review SoP Etc.
Proprietary
8
Risk Management – Org. Chart
Risk organizational structure is normally structured by risk type. CRO reports to CEO directly. CRO in general works with CFO, CIO, and actuaries to organize those committee meetings. In
general, CRO is the chair. Any changes affecting financial statements have to be worked out with CFO. CIO normally get authority from Risk Committee or ALM Committee to invest per mandated requirements and pricing actuaries have to use models and assumptions agreed-upon based on the decision per Models and Assumptions Changes Committees.
Proprietary
Model Validation Committee
ORM & Compliance Committee
Models and Assumptions Changes Committee
ORM
Credit RiskModel
ValidationCOMPLIANCE
Risk Committee
ALM Committee
CRO
Market Risk Business Risk Insurance Risk
9
Risk Management – Risk Appetite, Risk Tolerance, and Risk Limits Risk Appetite: It is a qualitative term in general. It reflects
company’s business strategy, financial objective, and capital resource.
Risk Tolerance: It can be in qualitative or quantitative term. It should be consistent with risk appetite statement.
Risk Limits: It is quantitative statement in more detailed manners. It describes the limits the company will take and should be consistent with risk tolerance.
Considerations include confidence level, Earnings at Risk, Value at Risk, Capital at Risk, etc.
Proprietary
10
Risk Management – Risk Appetite, Risk Tolerance, and Risk Limits
Proprietary
Risk Tolerance Statement - ABC Company
Description Limit
New Business: No new business if market risk can't be hedged No no-lapse guarantee . .
Inforce Business Convert guaranteed Life to xxx Policy At least 30% in 2014 . .
Others Maintain optimal operational risk score card Stay in the top tier of the organization . .
11
Risk Management – Risk Monitoring and Mitigation Describe tools and methods used to monitor
the risks. Mitigation can be described in aggregate
manner or separately by risk type.
Proprietary
12
Risk Assessment – Risk Factors (Example per Solvency II)
Proprietary
13
Risk Assessment – Market Risk
Interest Rate Risk Interest Rate Spread Risk Equity Risk Real Estate Risk Implied Volatility Risk (for guarantees, e.g., no
lapse guarantee, ratchet, reset, etc.) FX Risk Illiquidity Risk Concentration Risk
Proprietary
14
Risk Assessment – Credit Risk
Credit Spread Risk Default Risk (based on in rating of investment
class) Counter-party Risk (e.g., reinsurers)
Proprietary
15
Risk Assessment – Business Risk
Lapse Risk (e.g., policyholders’ behavior) Premium Renewal Risk (e.g., annual
renewable health) Expense Risk (e.g., how fast expense can be
reduced in a stressed situation)
Proprietary
16
Risk Assessment – Insurance Risk
Life Mortality/Morbidity Risk Annuity Mortality and Morbidity Risk Health/Auto/P&C Claim Risk Concentration Risk Catastrophe Risk
Proprietary
17
Risk Assessment – Operational Risk
Mostly qualitative (data security, BCP, failure of adhering to internal policy and procedure)
Reputation risk Nevertheless, consider number of occurrence
and severity (amount per occurrence) and if you have the data you can fit the distribution
Usually, score card approach is used and a factor approach is used.
Proprietary
18
Risk Assessment – Compliance Risk
Mostly qualitative - failure of adhering to law and regulation, internal policy and procedure
Sometimes, it is confusing who is responsible for what – ORM, compliance, and internal audit
Can be quantified like operational risk
Proprietary
19
Risk Reporting and Communication
Disclosure of risk management structure Disclosure of the risk identification and
exposure Disclosure of the assessment Disclosure of the mitigation process List of the reporting and how they are used
to manage company’s business (use test)
Proprietary
20
Questions and Comments
Proprietary