Detailed Brief
Implementing an ERM program (with 2022 updates)
Robert Serena
March 2022
Table of Contents
Slide 3 - About the author
Slide 4 - Executive Summary
Slide 5 - Definition of ERM
Slide 6 - Evolution of Risk Management
Slide 7 - Architecture of an ERM program
Slide 8 - Maturity of an ERM program
Slide 9 - Steps in the Risk Management Process
Slide 10 - Risk Estimation - Consider the effect of scale
Slide 11 - Use cases - Enterprise Risks with hedges/mitigants
Slide 12 - ERM's economic significance (1 of 2)
Slide 13 - ERM's economic significance (2 of 2)
Slide 14 - How do we get started? (1 of 2)
Slide 15 - How do we get started? (2 of 2)
Slide 16 - Corporate Governance (1 of 3)
Slide 17 - Corporate Governance (2 of 3)
Slide 18 - Corporate Governance (3 of 3)
Slide 19 - Top Risks in 2022
Slide 20 - Summary & Conclusions
Slide 21 - Appendices
Slide 22 - Elements of the Total Cost of Risk
Slide 23 - Functional structure for an electric utility ERM group
Slide 24 - Chief Risk Officer job requirements
Slide 25 - Energy/Financial Services Regulators in the US
Slide 26 - Product hierarchy - LAH insurer
Slide 27 - Enterprise Risk hierarchy - LAH insurer
Slide 28 - Product Risk profile - LAH insurer
Slide 29 - Sample Risk Estimation scales (likelihood)
Slide 30 - Sample Risk Estimation scales (severity)
Slide 31 - Sample Risk heatmap (after controls)
Slide 32 - Sample Risk register (with linkage to strategic objectives)
Slide 33 - Objective set with linkage to risk appetite/tolerance
Slide 34 - Objective set with linkage to risk appetite/tolerance
Slide 35 - Risk Management Terms of Reference (1 of 6)
Slide 36 - Risk Management Terms of Reference (2 of 6)
Slide 37 - Risk Management Terms of Reference (3 of 6)
Slide 38 - Risk Management Terms of Reference (4 of 6)
Slide 39 - Risk Management Terms of Reference (5 of 6)
Slide 40 - Risk Management Terms of Reference (6 of 6)
2
About the author
Mr. Serena is a Risk Management and Actuarial executive with a unique blend of financial services functional
experience across insurance, reinsurance, commodity trading, and commercial banking: numerous technical and
leadership roles in the First Line-of-Defense (Actuarial, Investment Management, and Capital Markets & Trading)
and Second Line-of-Defense (Risk Management and Compliance).
He holds a BS in Electrical Engineering from Rice University, an MS in Operations Research from the University of
New Haven, and several professional certifications – Fellow in the Society of Actuaries (FSA), Chartered Financial
Analyst (CFA), Financial Risk Manager (FRM), Chartered Property Casualty Underwriter (CPCU), and Certified in
Risk and Information System Control (CRISC).
He currently lives in Charlotte with his wife and two children.
Robert Serena, FSA, CPCU, CFA, FRM, CRISC
3
Executive Summary
Enterprise Risk Management has evolved over the past 30 years to become a critical function in large
organizations, both private and public sector.
Historically, the “risk management function” consisted of the team in charge of commercial insurance procurement
and internal claims oversight, and this team typically reported up through the corporate treasurer and the CFO. To
a lesser extent, Human Resources played a role in risk management by overseeing Workers Compensation
programs. Insurance premiums were merely viewed as a cost of doing business, and the process of renewing
coverage annually was an exercise in getting the highest level of coverage at the cheapest price. Risk
Management personnel seldom had a seat at the table with regard to key strategic issues facing the organization
– product development, competitive pressures, emerging regulation, talent management, growth opportunities,
etc.
In contrast to this more traditional approach, a well-funded and well-designed ERM program takes a more
comprehensive view of Risk Management. Rather than merely being the “insurance folks” or the “janitors” that
clean up messes after the fact, ERM teams are integrated into every facet of the business. They can anticipate
risk events before they occur, and with the benefit of foresight and sufficient time runway, can either avoid or
mitigate the risk at a reasonable cost.
This presentation is slanted towards the energy and insurance industries. Arguably, formal ERM programs have
made the most inroads and are the most mature in 4 specific industries - commercial banking, investment
banking, insurance (both Life/Annuity/Health and Property & Casualty), and Regulated Utilities.
The intent of this presentation is to provide some simple, clear, actionable guidance to practitioners on
implementing an ERM program. I encourage the reader to scan through the Terms of Reference at the end of the
deck to get a quick grounding in ERM terminology.
4
Definition of ERM
• Committee of Sponsoring Organizations (COSO) - Enterprise risk management is a process,
effected by an entity’s board of directors, management and other personnel, applied in strategy setting
and across the enterprise, designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
• International Organization for Standardization (ISO 31000) - A strategic organizational approach
that supports the achievement of the institution’s objectives by addressing the full spectrum
(reputational, strategic, financial, operational and compliance) of its risks and managing the combined
impact as an interrelated set of risks.
• Society of Actuaries - Enterprise risk management (ERM) is the process of coordinated risk
management that places a greater emphasis on cooperation among departments to manage the
organization’s full range of risks as a whole. ERM offers a framework for effectively managing
uncertainty, responding to risk and harnessing opportunities as they arise. Unlike previous risk
management practices, the concept of ERM embodies the notion that risk analysis cuts across the
entire organization. The goal of ERM is to better understand the shock resistance of the enterprise to its
key risks and to better manage enterprise risk exposure to the level desired by senior management.
5
Evolution of Risk Management
Traditional Risk Management (Transactional: risk is bad – focus is on transferring risk)
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency management handled separately
• “Silo” approach – risk management is not integrated across the organization
• Risk Manager is the insurance buyer
Advanced Risk Management (Integrated: risk is an expense – focus is on reducing cost-of-risk)
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims management, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as departments are willing to work together
• Risk Manager may be the risk owner
Enterprise-wide Risk Management (Strategic: risk is uncertainty – focus is on optimizing risk to achieve goals)
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
6
Architecture of an ERM program
Board of Directors/Audit Committee
Senior Management of the firm
1st Line of Defense – Business Units and functional staff: “own” the risks associated with their activities and
execute risk management processes on an operational basis.
2nd Line of Defense – Risk Management: designs & coordinates the implementation of the ERM program:
• ERM & Project Risk
• Compliance Risk
• Information Risk
• Insurance Risk
• Operational Excellence
• HSSE & Business Continuity/Disaster Recovery
3rd Line of Defense – Internal Audit: validates the effectiveness of the ERM program.
External Audit
Regulatory Agencies
7
Maturity of an ERM program
Source: The Institute of Risk Management
8
Steps in the Risk Management Process
Identify
• Develop (or revise) the firm’s set of strategic objectives.
• Facilitate interviews and/or workshops with front-line personnel to identify risks to these objectives. Use
feedback from interviews/workshops to populate the corporate risk register.
Assess
• Capture the following attributes in the risk register for each risk event: Risk Description, Risk Type, Risk
Owner, Likelihood, Impact, current Controls/Mitigations, Risk Tolerance, Residual Risk.
Respond
• For all risk events where the residual risk remains greater than the risk tolerance, develop remediation action
plans to bring the risk back within limits.
• Once all remediation plans have been completed, there are 4 potential courses of action for each risk event:
1) Avoid (get out of the activity)
2) Accept/Retain (Monitor)
3) Reduce (add additional controls)
4) Transfer (Partner or buy insurance)
Monitor & Report
• Develop management reporting that provides for timely monitoring and reporting of the firm’s risk profile.
9
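The register attributes and the residual-risk-versus-tolerance test above, worked through as an added example (this is not code from the deck or its author; the 1-to-5 scales, the tolerance thresholds and the sample rows are constructed for illustration):

```python
"""Risk register for the Identify / Assess / Respond / Monitor & Report steps.

Each entry carries the attributes the slide lists (description, type, owner,
likelihood, impact, current controls, tolerance, residual risk) and one of the
four response options. Scales, thresholds and the sample rows are constructed
for this example, not taken from the deck.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RESPONSES = ("Avoid", "Accept/Retain", "Reduce", "Transfer")


@dataclass
class RiskEntry:
    description: str
    risk_type: str
    owner: str
    likelihood: int           # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int               # inherent impact, 1 (negligible) .. 5 (severe)
    controls: List[str]       # current controls / mitigations
    tolerance: int            # largest residual score (likelihood x impact) the owner accepts
    residual_likelihood: int  # likelihood after current controls
    residual_impact: int      # impact after current controls
    response: str = "Accept/Retain"

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact,
                  self.residual_likelihood, self.residual_impact):
            if not 1 <= v <= 5:
                raise ValueError("scale values must be between 1 and 5")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def within_tolerance(self) -> bool:
        return self.residual_score <= self.tolerance


def needs_remediation(register: List[RiskEntry]) -> List[RiskEntry]:
    """Respond step: entries whose residual risk still exceeds tolerance and
    therefore need a remediation action plan, largest breach first."""
    breaches = [r for r in register if not r.within_tolerance()]
    return sorted(breaches, key=lambda r: r.residual_score - r.tolerance, reverse=True)


def heatmap(register: List[RiskEntry]) -> Dict[Tuple[int, int], int]:
    """Monitor step: number of risks in each (residual likelihood, residual
    impact) cell, i.e. an 'after controls' heat map."""
    cells: Dict[Tuple[int, int], int] = {}
    for r in register:
        key = (r.residual_likelihood, r.residual_impact)
        cells[key] = cells.get(key, 0) + 1
    return cells


def top_risks(register: List[RiskEntry], n: int = 5) -> List[RiskEntry]:
    """Ranking by residual exposure, as used to pick the top risks for a pilot."""
    return sorted(register, key=lambda r: r.residual_score, reverse=True)[:n]


# Constructed sample register; scores are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("Flood knocks out generators at a power plant", "Insurable",
              "VP Generation", 2, 5, ["BC/IR plans", "property and BI insurance"],
              6, 2, 3, "Transfer"),
    RiskEntry("Trading counterparty default", "Credit", "Head of Trading",
              3, 4, ["credit limits", "counterparty monitoring"], 6, 2, 4, "Reduce"),
    RiskEntry("Computational error in pricing model", "Operational",
              "Chief Actuary", 3, 5, ["peer review of model changes"], 8, 3, 4, "Reduce"),
    RiskEntry("Floating-rate debt service cost rises", "Market", "Treasurer",
              4, 3, ["fixed-for-float swaps"], 6, 2, 2, "Transfer"),
]

if __name__ == "__main__":
    for r in needs_remediation(SAMPLE_REGISTER):
        print(f"{r.description}: residual {r.residual_score} > tolerance {r.tolerance}"
              f" (owner {r.owner}, response {r.response})")
```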
Risk Estimation – Consider the effect of scale
Organizational levels, from highest to lowest: Corporate level; Business Unit; Department; Functional group;
Individual job role; Individual process.
Level of risk increases the further up in the organization one travels – a risk that occurs at the individual
process level is undoubtedly less material than a risk event that occurs at the business unit or corporate level.
10
Use cases – Enterprise Risks with hedges/mitigants
Each use case lists the risk event, the primary and secondary risk type, and the mitigant/hedge.
1. An electric utility suffers a loss of revenue due to a flood knocking out several generators at a power plant.
Primary: Insurable. Secondary: Property Damage.
• Implement robust Business Continuity (BC) and Incident Response (IR) plans to ensure that any adverse
consequences to the firm are minimized after the incident has occurred.
• Purchase property insurance to cover the risk of physical damage to physical assets and business interruption
insurance to cover loss of income due to forced outages of physical assets.
2. A trading firm suffers the loss of outstanding Accounts Receivable amounts and unrealized forward
mark-to-market when a counterparty defaults.
Primary: Credit. Secondary: Market.
• Implement an internal credit risk function that sets limits for trading activities and performs ongoing
monitoring of current trading counterparties.
• If economical, purchase credit insurance on a specific counterparty or group of counterparties.
3. A manufacturer of electric turbines has to pay product liability claims when several of its turbines fail to
operate within specified parameters due to premature metal fatigue.
Primary: Insurable. Secondary: Liability.
• Incorporate rigorous quality management procedures into the manufacturing process for all products.
• Purchase general liability insurance to cover potential losses for all of its commercial operations.
4. Any energy firm that makes use of floating-rate debt financing is confronted with increased interest service
costs and less cash flow certainty in an increasing interest rate environment.
Primary: Market. Secondary: Interest Rate.
• Use interest rate derivatives – swaptions, caps/floors, fixed-for-float swaps – to hedge adverse interest rate
movements.
• If economical, lock in fixed-rate financing in an increasing interest rate environment.
5. Electric utilities are confronted with the potential loss of revenue from industrial and retail customers due to
technological advancements allowing the deployment of more cost-effective distributed generation (e.g., a small
industrial firm installs an onsite natural gas generator).
Primary: Strategic. Secondary: Customer preference.
• Build an effective internal Enterprise Risk Management group that monitors emerging risks and industry trends
in order to anticipate market trends and changing customer preferences.
• Ensure that the ERM group has a defined role in all capital investment decisions.
6. A life insurer has 50% of its statutory reserves attributable to a single immediate annuity product and is
experiencing longer than anticipated lifespans among the active cohort of annuitants.
Primary: Insurable. Secondary: Longevity.
• Explore reinsurance options for hedging some portion of the longevity risk at product issue.
• Price immediate annuity products on a very conservative basis (interest, mortality) and allow for the possibility
of increasing benefit payments through the use of non-guaranteed dividends.
7. A commercial auto insurer has been a market leader in utilizing advanced analytics like machine learning and
predictive modeling to refine the pricing of the products it sells to transportation and logistics firms. After
investigating the drivers for emerging losses in several states, the firm discovered that a computational error had
been made in the development of its pricing model, leading to dramatic underpricing in the latest annual cycle.
Primary: Operational. Secondary: Model Risk.
• Implement a robust Model Risk capability in the Enterprise Risk Management group and require that every
update to pricing models be subject to a full model validation.
• Implement an Economic Capital model with simulation and scenario-testing capabilities to ensure that a wide
range of potential outcomes are evaluated.
11
By the numbers – ERM’s economic significance (1 of 2)
Step 1 – The Financials + Step 2 – The Risk factors + Step 3 – Black Box = Profitability Distribution
12
By the numbers – ERM’s economic significance (2 of 2)
Callout at the center of the distribution: This is commonly referred to as the “median” of the normal
distribution. In the context of a corporation’s financial health, this could also be interpreted as the “expected
case” or P50 (50th percentile) in a forward-looking financial plan.
Callout at the left tail of the distribution: The economic results/outcomes in this part of the distribution arise
from catastrophic risk events that are commonly referred to as “tail events” or “black swan events”. These events,
by their very nature, are often unexpected and can have dramatic impacts on the affected parties…organizations,
communities, and individual citizens.
[Figure: histogram “Projected change in economic position”; x-axis “Net worth at end of 5-year horizon” from
-200,000,000 to 200,000,000 in steps of 50,000,000; y-axis scenario count from 0 to 2,000; bar heights from left to
right: 11, 118, 681, 1713, 1664, 686, 120.]
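The "Financials + Risk factors, through a black box, gives a profitability distribution" idea from these two slides, as an added example that is not the deck's own model: a small Monte Carlo simulation of the 5-year change in net worth, with the P50 "expected case" and the left tail read off the result (the plan figures, volatility and catastrophe parameters are constructed assumptions):

```python
"""Black-box step of the two slides above: Step 1 financials + Step 2 risk
factors, pushed through a Monte Carlo simulation (Step 3), give the
distribution of the change in net worth over the 5-year horizon.  The P50 is
the 'expected case'; the left tail collects the catastrophic scenarios.  All
parameters below are constructed for this example, not the deck's figures."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Financials:  # Step 1 - the financial plan
    expected_annual_earnings: float
    horizon_years: int = 5


@dataclass
class RiskFactors:  # Step 2 - sources of variation around the plan
    earnings_volatility: float  # std dev of annual earnings, same units as the plan
    cat_probability: float      # annual probability of a catastrophic event
    cat_loss_mean: float        # mean loss when such an event occurs
    cat_loss_sigma: float       # lognormal dispersion of the loss size


def simulate_change_in_net_worth(fin: Financials, risk: RiskFactors,
                                 n_scenarios: int = 5000, seed: int = 1) -> List[float]:
    """Step 3: one scenario = horizon_years of noisy earnings, each year possibly
    hit by a lognormally sized catastrophic loss (which skews the left tail)."""
    rng = random.Random(seed)
    # Choose the lognormal location so the mean loss equals cat_loss_mean.
    mu = math.log(risk.cat_loss_mean) - risk.cat_loss_sigma ** 2 / 2
    results = []
    for _ in range(n_scenarios):
        total = 0.0
        for _ in range(fin.horizon_years):
            total += rng.gauss(fin.expected_annual_earnings, risk.earnings_volatility)
            if rng.random() < risk.cat_probability:
                total -= rng.lognormvariate(mu, risk.cat_loss_sigma)
        results.append(total)
    return results


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of outcomes."""
    ordered = sorted(values)
    idx = int(round(p / 100 * (len(ordered) - 1)))
    return ordered[max(0, min(len(ordered) - 1, idx))]


def histogram(values: List[float], lo: int, hi: int, width: int
              ) -> Tuple[Dict[Tuple[int, int], int], int, int]:
    """Bin outcomes into [lo, hi) buckets of the given width, like the chart on
    the slide; also return how many fell below lo and at or above hi."""
    bins = {(e, e + width): 0 for e in range(lo, hi, width)}
    below = above = 0
    for v in values:
        if v < lo:
            below += 1
        elif v >= hi:
            above += 1
        else:
            start = lo + int((v - lo) // width) * width
            bins[(start, start + width)] += 1
    return bins, below, above


def summarize(values: List[float]) -> Dict[str, float]:
    """The points management reads off the distribution: tail, expected case, upside."""
    return {"P5 (tail)": percentile(values, 5),
            "P50 (expected case)": percentile(values, 50),
            "P95": percentile(values, 95)}


if __name__ == "__main__":
    fin = Financials(expected_annual_earnings=10_000_000)
    risk = RiskFactors(earnings_volatility=15_000_000, cat_probability=0.05,
                       cat_loss_mean=60_000_000, cat_loss_sigma=0.5)
    outcomes = simulate_change_in_net_worth(fin, risk)
    print(summarize(outcomes))
    bins, below, above = histogram(outcomes, -200_000_000, 200_000_000, 50_000_000)
    for (start, end), count in bins.items():
        print(f"{start:>14,} .. {end:>14,}: {'#' * (count // 50)} {count}")
```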
13
How do we get started? (1 of 2)
▪ With ERM programs, there is definitively not a “one size fits all” strategy. The optimal strategy depends on the industry,
competitive pressures, regulatory framework, information technology infrastructure, workforce demographics, and a
host of other factors. Having said that, it’s always better to view an ERM program implementation in phases – Phase I
should be modest in scope, requiring limited resources (time, money, people), and focus on assessing the organization’s
most material risk factors. Complexity and greater analytical rigor can be added in later phases.
▪ STEP 1 – Procure buy-in from senior management
▪ Develop simple and clear training materials to deliver to the executive team.
▪ Where possible, articulate the value proposition for ERM in clear economic terms – increased revenue, reduced
expenses, contingent losses avoided, etc.
▪ Once the buy-in is achieved, it’s critical that there be at least one project sponsor for the initiative, and additionally
each risk event has a named owner in the organization.
▪ Develop a multi-channel communication plan (e.g. email blasts, town hall meetings, organizational newsletters)
through which the program and its intent will be communicated to employees. Provide employees with a feedback
mechanism should they have follow-up questions.
▪ STEP 2 – Assemble a small project team
▪ Resource the project team with current employees from other internal groups with a Risk Management focus –
Internal Audit, Regulatory Compliance, Finance, Environmental Health & Safety, HR, etc.
▪ Nominate a project director to lead the initiative. The individual doesn’t have to be a CRO, but must have a broad
knowledge of the organization’s business model, product lines, and competitive environment. And he/she must have
strong leadership skills and credibility with the executive team.
14
How do we get started? (2 of 2)
▪ STEP 3 – Compile and review any recent internal risk assessment materials performed by other groups (within the last
year)
▪ There is seldom a need to build an ERM program from scratch – it’s always more efficient to leverage existing work
performed by other groups.
▪ Aggregate all of the data and findings from these risk assessments into a normalized risk register format – risk
definition, risk category, likelihood assessment, severity assessment, current state controls and mitigations, risk
owner, etc.
▪ Once this data is normalized and tabulated, identify the top 5 existing risks (as measured by residual exposure) and
pick a target business segment in which to run the Phase I ERM “pilot”.
▪ STEP 4 – Perform a risk assessment in the target business segment
▪ Distribute an online questionnaire to selected individuals in the target business segment – functional leads and their
direct reports.
▪ The questionnaire doesn’t need to be long or complex – there are just a few simple questions:
▪ What are the key strategic objectives of the business segment? (Look for consistency with the executive team)
▪ What are the top 7 to 10 mission critical operational processes that are required to realize these goals?
▪ What are the top 5 risks that could adversely impact these processes?
▪ What controls are currently in place (the “as-is” state) to help mitigate these risks?
▪ As a follow-on to the questionnaires and to reinforce the findings, chair multiple F2F sessions to gather additional
information. Invite the same individuals that were on the distribution list for the questionnaire.
▪ STEP 5 - Identify gaps and formulate a remediation plan
▪ Tabulate all of the feedback gathered from the questionnaires and facilitated F2F sessions, combine with findings
from existing risk assessments, and develop a detailed gap analysis on the top 5 key risks.
▪ Present the findings to senior management with budget and time estimates for the remediation plan.
15
Corporate Governance (Insurers) – Background (1 of 3)
▪ Corporate Governance is the term that refers to the set of rules, policies, processes, structures and controls
through which an entity is directed and controlled.
▪ Effective corporate governance is ultimately the responsibility of the Board of Directors, and allows the entity
to achieve a balance between the interests of multiple stakeholders – owners/shareholders, employees,
executive management, policyholders, vendors, communities, and regulators.
▪ Insurers, along with other financial intermediaries (e.g. banks, asset managers, pension funds), play a key role
in the global economy. They are among the largest institutional investors, and also provide protection
products (life, health, home, auto) and savings products (annuities, GICs) to retail consumers. So it’s
particularly critical for insurers to have well established governance practices in place.
▪ Having an effective corporate governance framework is an essential condition precedent for having an
effective risk management framework, and insurance regulators consider the quality, robustness, and
performance of these frameworks when assessing insurers.
▪ The Organization for Economic Co-operation and Development (OECD) has laid out a set of specific guidelines
for the insurance industry – these guidelines emphasize the following elements:
1. Expected prudent approach to business and financial strategies, consistent with the role of insurance in the
economy and, where relevant, social security systems;
2. Well-developed risk culture and risk management and internal control systems, supported by effective and
independent control functions;
3. High level of financial expertise among board members and within senior management; and,
4. Policies and procedures that ensure proper treatment of customers and policyholders (and any relevant
beneficiaries), including mechanisms for redress.
16
Corporate Governance (Insurers) – Internal (2 of 3)
17
Key Components Role and Responsibilities
Board of Directors • Set the direction for and oversee the affairs of the insurer.
• Ensure that it meets its strategic objectives and is managed efficiently and prudently.
• Establish appropriate policies and an effective governance system to achieve these aims.
• Set the “tone at the top” by establishing and promoting a proper risk culture and ethical and sound control environment.
• Meet regularly with management to review progress against objectives and assess the implementation of board policies and
decisions.
• Ensure that an integrated, firm-wide information and reporting system is established.
• Board members should understand their responsibilities and dedicate sufficient time and energy to fulfilling them.
Committees • Establish committees to support the full board in performing its functions, and where appropriate, to improve the
effectiveness, efficiency, quality and independence of board decision-making, and enhance the oversight and governance of
the insurer, in particular, depending on the company’s size and risk profile.
• Responsibility for board decision-making should ultimately rest with the board. The board should review the performance of
its committees at least annually.
Management • Set, with the board, the proper “tone at the top” by supporting the development and implementation of a proper risk culture
and control environment throughout the insurer and by promoting and adhering to high standards of ethics and business
conduct
• Recommend and implement board strategies, policies and decisions and efficiently manage the day-to-day operations of the
insurer
• Identify and monitor the key risks facing the insurer and undertake actions to manage, control, or mitigate them
• Ensure that an effective risk management and internal control framework is implemented and ensure compliance with
applicable laws, regulation and standards
• Establish sound internal governance practices and effective internal organizational structures
• Establish control functions, ensure their effectiveness and independence and communicate their importance throughout the
insurer
• Establish appropriate compensation systems and incentive structures to promote prudent behavior consistent with the long-
term interests of the insurer and fair conduct toward consumers and policyholders
External Audit • Appointed to perform an audit of the accounts of the insurer at least annually to assure the board and shareholders (and
member-policyholders) that the financial statements fairly represent the financial position and performance of the insurer in
all material respects.
• Periodic Audits conducted in accordance with high-quality standards of auditing that are subject to independent public
oversight.
• Verify the insurer’s internal controls over financial reporting.
• Use the audit process to verify the value of the insurer’s policy liabilities and the appropriateness of its technical provisions.
• Perform all other duties as specified by external audit requirements in the country, which may include conducting a review of
the insurer’s risk management and internal control system.
Corporate Governance for Insurers – Typical committees (3 of 3)
18
Board of Directors – Supporting Committees
• Investment
• Asset Liability Management
• Regulatory Affairs
• Compliance
• Business Continuity/Disaster Recovery
• Compensation
• Enterprise Risk Management
• Supply Chain Management
• Audit
• Capital and Liquidity
• Nominating
• Sustainability
Top Risks in 2022
▪ Financial Risk - Inflation increasing sharply since 2020.
▪ Financial Risk – Debt levels too high globally (e.g. governments, consumers,
corporations).
▪ Financial Risk – Increasing volatility in the capital markets (e.g. interest rates increasing,
credit spreads widening, margin balances at all time highs).
▪ Financial/Physical Risks – Ongoing economic impacts and resource strains due to COVID-
19 variants.
▪ Physical Risk – Increased incidence of extreme weather events spurred by climate
change.
▪ Physical Risk - Food Insecurity. The Ukrainian conflict and record high prices for
transportation fuels have resulted in significant price increases in key agricultural
commodities.
▪ Operational Risk - Cyber attacks on key government sectors and private sector industries.
▪ Strategic Risk - Escalating political and social unrest.
▪ Strategic Risk – Talent sourcing and retention becoming increasingly difficult due to
changed expectations about work location and work/life balance.
19
Summary & Conclusions
Critical Success Factors
• “Tone from the Top” - must be present and strongly
communicated throughout the organization.
• Gain buy-in from stakeholders – Both internal and external.
Transparency is key!
• No “one size fits all” ERM program - The optimal design of a
program is tightly linked with the unique attributes of each firm –
corporate culture, strategic objectives, industry, operational
complexity, competitive landscape, etc.
• An ERM program is a dynamic, ongoing exercise – Not a
simple project with a defined beginning and end date.
• Product Development/M&A activities – Involving the ERM
group in the early stages will serve to dramatically increase the
probability of success of any new product rollouts or prospective
M&A targets.
• Staffing Considerations - Several of the key drivers of ERM
program success – deep understanding of the firm’s business
model and competitive landscape, familiarity with the firm’s
culture, etc. – are most likely to be found among existing staff in
other functional groups.
• Embed Risk Management objectives into incentive schemes.
• Risk Appetite and Risk Tolerance - Must be clearly defined and
measurable.
Benefits of a robust ERM program
• Strong and scalable platform to identify and pursue strategically
important opportunities.
• Integrated and holistic view of all risks that impact the
organization.
• Significantly improved reputation with internal and external
stakeholders.
• Improved credit ratings and reduced cost of debt and equity
capital.
• Effective identification of commercial opportunities and capital
deployment.
• Aligns risk appetite and strategy through risk quantification and
risk mapping.
• Effectively deal with uncertainty and associated risks and
opportunities.
• Increased resiliency in the face of catastrophic events.
• Leverages collaborative “knowledge” to enhance risk response
decisions.
• Reduces operational surprises and losses.
20
APPENDICES
21
Appendix A
Elements of the Total Cost of Risk (TCOR)
▪ Compensation and ancillary benefits for Risk Management staff members.
▪ Direct cash and incentive compensation.
▪ Employee benefits.
▪ Retirement plan costs – Defined Benefit/Defined Contribution.
▪ Corporate-Level Hedging Programs.
▪ Commercial insurance premiums.
▪ Financial transaction costs – hedging Forex and Interest Rate exposures.
▪ Retained (within the policy deductible) or self-insured claims.
▪ Risk Control costs – Health & Safety inspections, risk-reduction techniques, etc.
▪ Development and implementation of training programs.
▪ Legal and Regulatory Compliance.
▪ Financial penalties due to failure to perform on a contract.
▪ Unanticipated legal expenses – Responding to subpoenas, regulatory inquiries, non-
standard advice, guidance on emerging regulation, etc.
▪ Explicit Regulatory fines.
▪ Miscellaneous Costs
▪ Cost of 3rd-party service providers – insurance brokers, consultants on a project,
external audit firms, Information Security assessments, etc.
▪ Infrastructure development costs – Risk databases, Management Information
Reporting, etc.
22
Appendix B
Functional structure for an electric utility ERM group
CEO/CFO
  CRO
    Transaction Risk: Market Risk; Credit Risk; Mid-Office; Analytics
    Compliance Risk: Policy Development; Compliance monitoring; Regulatory Affairs; Legal; Investigations;
    Compliance Training
    Information Risk: Project Risk; Technology Asset Management; Operational outages; Information Security;
    Records Management
    Operational Excellence: SOX-related risks; Delegated authorities framework; Non-SOX operational risks;
    Integration of new commercial activities; Quality management; CAPEX/M&A activity
    Health & Safety: Employee Health & Wellness; Business Continuity, Disaster Recovery; Environmental
    Regulation; Backup sites; Asset Decommissioning
    Commercial Insurance: Procurement; Claims management; Broker relationships; Periodic site visits with
    HSSE team
23
Appendix C
Chief Risk Officer job requirements
• Overall Mission - At a macro level, the role of a Risk Management group, and particularly the CRO, is to
simultaneously sit outside of the business and be independent and objective, but also be “of the business” –
understand at an intimate level how the firm generates revenue, the strategic & competitive landscape that confronts
the firm, the culture of the firm, the regulatory landscape, etc.
• Strong Educational Background - Highly analytical and quantitative discipline – mathematics, statistics, engineering,
quantitative finance, hard sciences, etc.
• Broad functional experience - Human Resources, Technology/IT, Environmental Health & Safety (HSSE), Accounting
& Finance, Sales & Marketing, Procurement, Operations, Ethics & Compliance, Legal, Public Relations, Regulatory
Affairs, Product Development, etc.
• Intellectual Curiosity - Ability to scale from the high-level, “macro” view to the very detailed, “micro” view and back
again with great agility.
• High levels of self-confidence, decisiveness, and assertiveness - Must be very comfortable in making tough
decisions, often in the absence of complete information.
• Strong communication skills – Must possess a strong ability to distill complex and technical information and topics
into simple to understand concepts and actionable guidance.
• Strong leadership skills - Tough and demanding, but also fair and invested in the success of direct reports, with an
unyielding moral compass.
• Visionary and diplomat - Risk Management must be more than simply a paycheck. All RM roles are very challenging
and demanding even on the best of days. The CRO should strongly believe that there is a broader social and fiduciary
purpose to their role, well beyond the stated requirements of their specific job.
24
Appendix D
Energy/Financial Services Regulators in the US
Regulator | Industries covered | Jurisdiction | Office Location
Federal Reserve | Central bank of US; National payment system; Commercial Banks | Federal level | Washington, DC (12 regional banks)
Office of the Comptroller of the Currency (OCC) | National Banks; Thrift Institutions; Federally licensed branches of foreign banks in the United States | Federal level | Washington, DC
Federal Deposit Insurance Corporation (FDIC) | State-chartered banks | Federal level | Washington, DC
National Credit Union Administration (NCUA) | Credit Unions | Federal level | Alexandria, Virginia
Pension Benefit Guaranty Corporation (PBGC) | Private Sector Defined Benefit plans | Federal level | Washington, DC
Securities and Exchange Commission (SEC) | Securities exchanges; Securities brokers and dealers; Investment advisors; Mutual funds | Federal level | Washington, DC
Commodity Futures Trading Commission (CFTC) | Derivatives markets | Federal level | Washington, DC
Federal Energy Regulatory Commission (FERC) | Regulates the interstate transmission of electricity, natural gas, and oil; Reviews proposals to build liquefied natural gas (LNG) terminals and interstate natural gas pipelines; Licenses hydropower projects | Federal level | Washington, DC
North American Electric Reliability Council (NERC) | Developing and enforcing reliability standards; Creating annual and 10-year assessments for winter and summer forecasts; Monitoring the bulk power system | Federal level | Washington, DC
State Utility Commissioners | Oversee electric, gas, water and telecommunications services; may also regulate railroads, public transportation services, trucking and even modular home construction | State level | Various
State Insurance Departments | Insurance, Agents, Brokers | State level | Various
25
Appendix E (1 of 3)
Product hierarchy - LAH insurer
Life, Annuity, Health (LAH)
  • Life Insurance
    • Term Insurance
      • Annual Renewable Term
      • Level Term
    • Permanent Insurance
      • Whole Life
        • Traditional
        • Variable
      • Universal Life
        • Variable
        • Fixed Rate
        • Indexed
  • Annuities
    • Deferred
      • Variable
      • Fixed Rate
      • Indexed
    • Immediate
  • Health
    • Short-term
    • Major Medical
    • Long-Term Care
    • Disability Income
26
Appendix E (2 of 3)
Enterprise Risk Hierarchy – LAH insurer
Enterprise Risks
  • Market Risk
    • Interest Rate
    • Equity Price
    • Foreign Exchange
    • Commodity Price
  • Credit Risk
    • Spread
    • Default
    • Migration
  • Insurable Risk
    • Mortality
    • Morbidity
    • Longevity
    • Policyholder Behavior - Disintermediation
    • Catastrophic
  • Operational
    • Systems
      • Information Security
      • Implementation Risk
      • Forced outages
    • Process
      • Inadequate training
      • Inadequate processes
    • People
      • Fraud & Misconduct
  • Strategic
    • Competitive
    • Sourcing Talent
    • Product trends
  • Compliance
    • Legal breach
    • Regulatory breach
    • Contractual breach
27
Appendix E (3 of 3)
Product Risk Profile - LAH insurer
Product | Liability-side risks | Asset-side risks
Fixed-Rate UL | Mortality; Policyholder Behavior - Disintermediation | Interest Rate; Credit; Prepayment
Long-Term Care | Morbidity; Mortality; Inflation | Interest Rate; Credit; Prepayment
Immediate Annuity with COLA rider | Longevity; Inflation | Interest Rate; Credit; Prepayment
Variable Annuity with embedded options | Mortality; Policyholder Behavior | Equity; Credit; Liquidity; Prepayment
Disability Income | Morbidity; Mortality; Policyholder Behavior - Malingering | Interest Rate; Credit; Prepayment
28
Appendix F (1 of 6)
Sample Risk Estimation Scales (Likelihood)
Level | Descriptor | Description | Indicative Frequency
1 | Very Rare | Heard of something like this occurring elsewhere. | Once every 30 years.
2 | Unlikely | Low likelihood of the event happening. The event does occur somewhere from time to time. | Once every 3 to 10 years.
3 | Possible | Medium likelihood of the event happening. The event has occurred at least once in your career. | Once every 3 years.
4 | Likely | The event has occurred several times or more in your career. | Once every year or less.
5 | Almost Certain | High likelihood of the event happening. The event has occurred in the last 6 months. | More than once per year.
29
Appendix F (2 of 6)
Sample Risk Estimation Scales (Severity)
Level | Descriptor | Definition
1 | Very Low | <$100 million
2 | Low | >=$100 million and <=$250 million
3 | Moderate | >=$250 million and <=$1 billion
4 | High | >=$1 billion and <=$5 billion
5 | Very High | >$5 billion
30
Appendix F (3 of 6)
Sample Risk Heatmap (after the application of controls)
[Heatmap figure: a 5x5 grid with the Severity scale across the top (1 - Very Low, 2 - Low, 3 - Moderate, 4 - High, 5 - Very High) and the Likelihood scale down the side (1 - Very rare, 2 - Unlikely, 3 - Possible, 4 - Likely, 5 - Almost Certain); each cell is colour-coded MINOR, MODERATE, SIGNIFICANT or CATASTROPHIC.]
31
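The likelihood and severity scales above, applied to a small risk register as an added example (this is not code from the deck). The dollar thresholds and the heatmap axes are the slides' own; the banding of heatmap cells, the "tolerance" field and the sample rows are assumptions, and the example goes one step beyond the slides by running the residual-risk-versus-tolerance check that the deck's risk management process steps call for.

```python
"""Score a risk register on the Appendix F scales and flag tolerance breaches.
Added example, not the deck's own code. Dollar thresholds come from the severity
scale and the axes from the heatmap slide; the banding of heatmap cells into
MINOR/MODERATE/SIGNIFICANT/CATASTROPHIC and the sample rows are assumptions.
"""
from dataclasses import dataclass

# Heatmap legend, lowest to highest rating.
BANDS = ("MINOR", "MODERATE", "SIGNIFICANT", "CATASTROPHIC")


def severity_level(loss_usd: float) -> int:
    """Map a USD loss to the 1-5 severity scale; a value on a shared
    boundary (e.g. $250M is both Low and Moderate) goes to the higher band."""
    if loss_usd < 100e6:
        return 1
    if loss_usd < 250e6:
        return 2
    if loss_usd < 1e9:
        return 3
    if loss_usd < 5e9:
        return 4
    return 5


def heatmap_band(likelihood: int, severity: int) -> str:
    """Rate one heatmap cell. Assumed banding: product score 1-4 MINOR, 5-9
    MODERATE, 10-15 SIGNIFICANT, 16-25 CATASTROPHIC, plus a scale rule that a
    Very High (>$5B) loss is never rated below SIGNIFICANT, however rare."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("scale levels run from 1 to 5")
    score = likelihood * severity
    if severity == 5:
        score = max(score, 10)
    if score <= 4:
        return BANDS[0]
    if score <= 9:
        return BANDS[1]
    if score <= 15:
        return BANDS[2]
    return BANDS[3]


@dataclass
class RiskEntry:
    """One register row, carrying the attributes the deck lists per risk event."""
    description: str
    owner: str
    objective: str            # strategic objective the risk is linked to
    likelihood: int           # inherent likelihood level, 1-5
    loss_usd: float           # inherent loss estimate
    controls: tuple           # current controls / mitigations
    residual_likelihood: int  # likelihood after controls
    residual_loss_usd: float  # loss estimate after controls
    tolerance: str            # highest heatmap band the owner will accept

    def inherent_band(self) -> str:
        return heatmap_band(self.likelihood, severity_level(self.loss_usd))

    def residual_band(self) -> str:
        return heatmap_band(self.residual_likelihood,
                            severity_level(self.residual_loss_usd))

    def needs_remediation(self) -> bool:
        """True when residual risk still sits above the stated tolerance."""
        return BANDS.index(self.residual_band()) > BANDS.index(self.tolerance)


def remediation_report(register: list) -> dict:
    """Group rows by strategic objective with inherent/residual ratings and a breach flag."""
    report = {}
    for r in register:
        report.setdefault(r.objective, []).append({
            "risk": r.description, "owner": r.owner,
            "inherent": r.inherent_band(), "residual": r.residual_band(),
            "breach": r.needs_remediation()})
    return report


def open_actions(register: list) -> list:
    """Descriptions of risks that still need a remediation action plan."""
    return [r.description for r in register if r.needs_remediation()]


# Constructed sample register, modelled on the deck's use cases (assumed values).
SAMPLE_REGISTER = [
    RiskEntry("Flood takes several generators offline", "VP Generation",
              "Maintain generation availability", 3, 300e6,
              ("BC/IR plans", "property and BI insurance"), 3, 50e6, "MODERATE"),
    RiskEntry("Trading counterparty default", "Head of Trading",
              "Protect trading book earnings", 4, 1.2e9,
              ("credit limits", "counterparty monitoring"), 2, 150e6, "MINOR"),
    RiskEntry("Pricing model computational error", "Chief Actuary",
              "Maintain underwriting profitability", 3, 600e6,
              ("model validation on each update",), 2, 600e6, "MINOR"),
]
```

Only the third sample row is still above its owner's tolerance after controls, so it is the one that would get a remediation action plan.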
Appendix F (4 of 6)
Sample Risk Register (with linkage to strategic objectives)
32
Appendix F (5 of 6)
Objective set with linkage to risk appetite/tolerance
33
Appendix F (6 of 6)
Objective set with linkage to risk appetite/tolerance
34
Appendix G (1 of 6)
Risk Management Terms of Reference
Data and Infrastructure - Big Data: A term coined to describe data sets with sizes beyond the ability of commonly used software tools to capture, curate, manage, and process data within a tolerable elapsed time. The term encompasses unstructured, semi-structured and structured data; however, the main focus is on unstructured data. The size threshold that defines “Big Data” is a constantly moving target, as of 2012 ranging from a few dozen terabytes to many zettabytes of data.
Data and Infrastructure - Analytics: The application of advanced computational techniques and methodologies to large data sets, with the objective of identifying, interpreting, and communicating patterns in such data to decision makers to enable better decision making.
Data and Infrastructure - Artificial Intelligence: A term used to describe an emerging discipline and technology within computer science: using computers and other types of machines to simulate human behavior.
Data and Infrastructure - Cloud Computing: A term that refers to the on-demand availability of flexible and scalable computing resources (particularly storage, software development platforms, and distributed computational resources) without direct management of such resources by the user.
Data and Infrastructure - Machine Learning: An application of artificial intelligence that involves designing computer programs and/or algorithms with the capability to learn and evolve independently of human beings. There are several different variants of machine learning: (1) Supervised, (2) Unsupervised, (3) Semi-supervised, and (4) Reinforcement.
Data and Infrastructure - Natural Language Processing: Refers to the technology that allows computer systems to understand and interpret human language and speech.
35
Appendix G (2 of 6)
Risk Management Terms of Reference
InfoSec - Availability: Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
InfoSec - Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
InfoSec - Encryption: A term used to describe different methods of converting readable text (known as plaintext) into encoded, unreadable text (known as ciphertext). There are 2 elements to any encryption method:
• Key – The secret variable supplied to the cipher that allows the intended recipient to decrypt the ciphertext.
• Cipher – The algorithm or formula that is used to convert the reference text from plaintext to ciphertext.
InfoSec - Integrity: Assurance that the information is authentic and complete, i.e., that it can be relied upon to be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information Security, as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of the information.
InfoSec - Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the Confidentiality, Integrity, and Availability (the CIA triad) of the system and its information.
Metrics - Key Risk Indicators (KRI): A measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that the latter measures how well something is being done, while the former indicates the possibility of future adverse impact.
Metrics - Risk-Adjusted Return on Capital (RAROC): A financial measurement that allows analysts to take into account the effect of risk when comparing profitability and performance across various businesses. It is calculated by dividing the risk-adjusted return (net income - expected loss from risk + income from capital) by the economic capital. Higher risk projects tend to bring higher rewards.
36
Appendix G (3 of 6)
Risk Management Terms of Reference
Metrics - Value at Risk (VaR): A statistical measure that quantifies the level of financial risk within a firm, trading portfolio, or trading position over a defined time frame. This metric is most commonly used by (1) commodity trading firms and/or (2) investment banks to quantify the size and probability of potential losses in their trading portfolios.
Qualitative Risk Assessment: A collaborative process of assigning relative values to assets, assessing their risk exposure, and estimating the cost of controlling the risk. Differs from quantitative risk analysis in that it utilizes relative measures and approximate costs rather than precise valuation and cost determination.
Quantitative Risk Assessment: A process for assigning a numeric value to the probability of loss based on known risks and available, objective data. Used to determine potential direct and indirect costs to the company based on values assigned to company assets and their exposure to risk, for example the cost of replacing an asset, the cost of lost productivity, or the cost of diminished brand reputation.
Risk - Black Swan Events: An event that lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Events of this type often result in catastrophic impacts, whether economic, environmental, or reputational.
Risk - Diversifiable: Risks whose adverse consequences can be mitigated simply by holding a diversified portfolio of risk exposures.
Risk - Financial (Catastrophic): The risk that a natural disaster, terrorist attack, or other type of unanticipated extreme risk event threatens the financial solvency of a private sector firm, public sector organization, community, or even an entire nation.
Risk - Financial (Credit): The risk of loss when a counterparty fails to meet a payment obligation; the risk associated with any single exposure or group of exposures with the potential to produce losses large enough to threaten the firm’s operations; or the risk of loss arising when a sovereign state freezes foreign currency payments (transfer/conversion risk) or defaults on its obligations (sovereign risk).
37
Appendix G (4 of 6)
Risk Management Terms of Reference
Risk - Financial (Insurable): A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be insurable, several things must be true:
• The insurer must be able to charge a premium high enough to cover not only claims expenses, but also the insurer's own expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the loss.
• The nature of the loss must be definite and financially measurable. That is, there should be no room for argument as to whether or not payment is due, nor as to what amount the payment should be.
• The loss should be random in nature; otherwise the insured may engage in adverse selection (anti-selection).
Risk - Financial (Longevity): This risk applies to insurance firms that issue payout or immediate annuities. There are several different types of longevity risk, affecting individuals, Life and Annuity insurers, and pension plan sponsors.
• Individuals - The risk that individuals will outlive the assets that they have accumulated over their working lifetimes.
• Insurance firms - The risk that the issuer of an annuity product has overestimated the mortality rates, and conversely underestimated the survival probabilities, for a specific block of annuity policyholders, with the result that the insurer sets aside insufficient reserves to fund the future annuity payments.
• Pension sponsors - The risk that the sponsor of a defined benefit plan has overestimated the mortality rates, and conversely underestimated the survival probabilities, of a cohort of DB plan participants, resulting in a cash flow strain on the plan sponsor.
Risk - Financial (Market): The risk that the value of a portfolio, either an investment portfolio or a trading portfolio, will decrease due to a change in the value of the market risk factors. The four standard market risk factors are stock prices, interest rates, foreign exchange rates, and commodity prices.
Risk - Financial (Morbidity): This risk applies to insurance firms that issue different types of health insurance (major medical, disability income, long-term care, specified disease, etc.). It is the risk that the issuing insurer underestimates the probability of a group of insureds succumbing to a defined health condition and is required to pay out a higher level of benefits than it has set aside reserves for.
Risk - Financial (Mortality): This risk applies to insurance firms that issue different types of life insurance contracts and refers to the insurer having to fund death benefit payments for a cohort of life insureds sooner than it had anticipated in the initial pricing for the relevant product. If this occurs, the issuing insurer is not able to earn investment spreads on the reserve funds.
Risk - Non-diversifiable: Risks, shared by all persons or organizations, that cannot be mitigated by adding exposures to the portfolio.
38
Appendix G (5 of 6)
Risk Management Terms of Reference
Risk - Nonfinancial (Regulatory): The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape.
Risk - Nonfinancial (Strategic): The risk associated with future business plans and strategies, including plans for entering new business lines, expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.
Risk - Pure: A risk event that only allows for losses, with no chance of a gain.
Risk - Speculative: A risk event that allows for either a gain or a loss.
Risk Appetite: The amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives.
Risk Assessment: The identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.
Risk Capacity: A firm’s ability to identify its financial resources, expertise, and operating mandate in order to determine how much risk it is able to take.
Risk Control: The activity of applying a range of administrative, technical, and physical controls to reduce the risks to an organization’s assets.
Risk Criteria: The terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives and external and internal context. Risk criteria can be derived from standards, laws, policies and other requirements.
Risk Culture: The system of values and behaviors present in an organization that shapes the risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose. Employees must also understand that risk and compliance rules apply to everyone as they work towards business goals. This understanding can ensure a company “does the right thing” and is a fundamental part of good ERM practices.
39
Appendix G (6 of 6)
Risk Management Terms of Reference
Risk Owner: A person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
Risk Tolerance: The boundaries of risk beyond which a given organization is not prepared to venture in pursuit of its long-term objectives.
40

More Related Content

DOCX
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
PDF
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
PDF
Risk Management Maturity Model (RMMM)
PPTX
1-.Teklay-EFFORT (PPT) -April-2025- Risk Mgnt Top Mgmnt -Breifing.PPTX
PDF
Risk Management and Risk Transfer
DOCX
Enterprise risk management
PPT
Coso Erm(2)
PPTX
Part 1 (cont.) Overview of Risk Management.s.pptx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
Risk Management Maturity Model (RMMM)
1-.Teklay-EFFORT (PPT) -April-2025- Risk Mgnt Top Mgmnt -Breifing.PPTX
Risk Management and Risk Transfer
Enterprise risk management
Coso Erm(2)
Part 1 (cont.) Overview of Risk Management.s.pptx

Similar to Implementing an Enterprise Risk Management program (2022 updates).pdf (20)

PDF
Enterprise Risk Management (ERM); From theory to practice
PPTX
ToTCOOP+i O3 o4 unit-9_final_version_en
PPT
project risk management
PDF
Enterprise Risk Management
PDF
Implementing an Effective Risk Management Appetite.pdf
PDF
Risk management standard 030820
PPTX
DiSerafino - ORSA_insurance_conference
DOCX
I need a response to the discussion in APA format.docx
PPTX
Enterprise Risk Management for the Digital Transformation Age
PDF
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
PPTX
Erm talking points
PDF
An approach to erm in the insurance industry apria 2002 rama warrier&preeti
PPTX
Dealing with Operational and Ecosystem Risk
PPTX
Enterprise Risk Management and Sustainability
PPT
Risks and TCoR
PDF
Ch_2_PRM (2).pdf
PDF
The IRM India- A Risk Management Standard
PDF
SymEx 2015 - Turning Risks Into Results, A Wider Perspective to Understand P...
PDF
Risk management
PDF
Control Risks-ERM-whitepaper
Enterprise Risk Management (ERM); From theory to practice
ToTCOOP+i O3 o4 unit-9_final_version_en
project risk management
Enterprise Risk Management
Implementing an Effective Risk Management Appetite.pdf
Risk management standard 030820
DiSerafino - ORSA_insurance_conference
I need a response to the discussion in APA format.docx
Enterprise Risk Management for the Digital Transformation Age
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Erm talking points
An approach to erm in the insurance industry apria 2002 rama warrier&preeti
Dealing with Operational and Ecosystem Risk
Enterprise Risk Management and Sustainability
Risks and TCoR
Ch_2_PRM (2).pdf
The IRM India- A Risk Management Standard
SymEx 2015 - Turning Risks Into Results, A Wider Perspective to Understand P...
Risk management
Control Risks-ERM-whitepaper
Ad

Recently uploaded (20)

PDF
way to join Real illuminati agent 0782561496,0756664682
PDF
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
PPTX
The discussion on the Economic in transportation .pptx
PPTX
Introduction to Managemeng Chapter 1..pptx
PPTX
How best to drive Metrics, Ratios, and Key Performance Indicators
PDF
Q2 2025 :Lundin Gold Conference Call Presentation_Final.pdf
PDF
Blockchain Pesa Research by Samuel Mefane
PDF
Understanding University Research Expenditures (1)_compressed.pdf
PDF
Topic Globalisation and Lifelines of National Economy.pdf
PDF
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
PDF
Bitcoin Layer August 2025: Power Laws of Bitcoin: The Core and Bubbles
PPTX
EABDM Slides for Indifference curve.pptx
PPTX
Who’s winning the race to be the world’s first trillionaire.pptx
PDF
illuminati Uganda brotherhood agent in Kampala call 0756664682,0782561496
PPTX
Session 3. Time Value of Money.pptx_finance
PDF
ABriefOverviewComparisonUCP600_ISP8_URDG_758.pdf
PDF
Copia de Minimal 3D Technology Consulting Presentation.pdf
PDF
Dialnet-DynamicHedgingOfPricesOfNaturalGasInMexico-8788871.pdf
PDF
Corporate Finance Fundamentals - Course Presentation.pdf
PDF
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
way to join Real illuminati agent 0782561496,0756664682
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
The discussion on the Economic in transportation .pptx
Introduction to Managemeng Chapter 1..pptx
How best to drive Metrics, Ratios, and Key Performance Indicators
Q2 2025 :Lundin Gold Conference Call Presentation_Final.pdf
Blockchain Pesa Research by Samuel Mefane
Understanding University Research Expenditures (1)_compressed.pdf
Topic Globalisation and Lifelines of National Economy.pdf
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Bitcoin Layer August 2025: Power Laws of Bitcoin: The Core and Bubbles
EABDM Slides for Indifference curve.pptx
Who’s winning the race to be the world’s first trillionaire.pptx
illuminati Uganda brotherhood agent in Kampala call 0756664682,0782561496
Session 3. Time Value of Money.pptx_finance
ABriefOverviewComparisonUCP600_ISP8_URDG_758.pdf
Copia de Minimal 3D Technology Consulting Presentation.pdf
Dialnet-DynamicHedgingOfPricesOfNaturalGasInMexico-8788871.pdf
Corporate Finance Fundamentals - Course Presentation.pdf
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Ad

Implementing an Enterprise Risk Management program (2022 updates).pdf

  • 1. Detailed Brief Implementing an ERM program (with 2022 updates) Robert Serena March 2022
  • 2. Table of Contents 2 Slide 3 - About the author Slide 22 - Elements of the Total Cost of Risk Slide 4 – Executive Summary Slide 23 - Functional structure for an electric utility ERM group Slide 5 - Definition of ERM Slide 24 - Chief Risk Office job requirements Slide 6 - Evolution of Risk Management Slide 25 - Energy/Financial Services Regulators in the US Slide 7 - Architecture of an ERM program Slide 26 - Product hierarchy - LAH insurer Slide 8 - Maturity of an ERM program Slide 27 - Enterprise Risk hierarchy - LAH insurer Slide 9 - Steps in the Risk Management Process Slide 28 - Product Risk profile - LAH insurer Slide 10 - Risk Estimation - Consider the effect of scale Slide 29 - Sample Risk Estimation scales (likelihood) Slide 11 - Use cases - Enterprise Risks with hedges/mitigants Slide 30 - Sample Risk Estimation scales (severity) Slide 12 - ERM's economic significance (1 of 2) Slide 31 - Sample Risk heatmap (after controls) Slide 13 - ERM's economic significance (2 of 2)) Slide 32 - Sample Risk register (with linkage to strategic objectives) Slide 14 - How do we get started? (1 of 2) Slide 33 - Objective set with linkage to risk appetite/tolerance Slide 15 - How do we get started? (2 of 2) Slide 34 - Objective set with linkage to risk appetite/tolerance Slide 16 - Corporate Governance (1 of 3) Slide 35 - Risk Management Terms of Reference (1 of 6) Slide 17 - Corporate Governance (2 of 3) Slide 36 - Risk Management Terms of Reference (2 of 6) Slide 18 - Corporate Governance (3 of 3) Slide 37 - Risk Management Terms of Reference (3 of 6) Slide 19 - Top Risks in 2022 Slide 38 - Risk Management Terms of Reference (4 of 6) Slide 20 - Summary & Conclusions Slide 39 - Risk Management Terms of Reference (5 of 6) Slide 21 – Appendices Slide 40 - Risk Management Terms of Reference (6 of 6)
  • 3. About the author Mr. Serena is a Risk Management and Actuarial executive with a very unique blend of financial services functional experience across insurance, reinsurance, commodity trading, and commercial banking - numerous technical and leadership roles in the First Line-of-Defense (Actuarial, Investment Management, and Capital Markets & Trading) and Second Line-of-Defense (Risk Management and Compliance). He holds a BS in Electrical Engineering from Rice University, an MS in Operations Research from the University of New Haven, and several professional certifications – Fellow in the Society of Actuaries (FSA), Chartered Financial Analyst (CFA), Financial Risk Manager (FRM), Chartered Property Casualty Underwriter (CPCU), and Certified in Risk and Information System Control (CRISC). He currently lives in Charlotte with his wife and two children. Robert Serena, FSA, CPCU, CFA, FRM, CRISC 3
  • 4. Executive Summary Enterprise Risk Management has evolved over the past 30 years to become a critical function in large organizations, both private and public sector. Historically, the “risk management function” consisted of the team in charge of commercial insurance procurement and internal claims oversight, and this team typically reported up through the corporate treasurer and the CFO. To a lesser extent, Human Resources played a role in risk management by overseeing Workers Compensation programs. Insurance premiums were merely viewed as a cost of doing business, and the process of renewing coverage annually was an exercise in getting the highest level of coverage at the cheapest price. Risk Management personnel seldom had a seat at the table with regard to key strategic issues facing the organization – product development, competitive pressures, emerging regulation, talent management, growth opportunities, etc. In contrast to this more traditional approach, a well-funded and well-designed ERM program takes a more comprehensive view of Risk Management. Rather than merely being the “insurance folks” or the “janitors” that clean up messes after the fact, ERM teams are integrated into every facet of the business. They can anticipate risk events before they occur, and with the benefit of foresight and sufficient time runway, can either avoid or mitigate the risk at a reasonable cost. This presentation is slanted towards the energy and insurance industries. Arguably, formal ERM programs have made the most inroads and are the most mature in 4 specific industries - commercial banking, investment banking, insurance (both Life/Annuity/Health and Property & Casualty), and Regulated Utilities. The intent of this presentation is to provide some simple, clear, actionable guidance to practitioners on implementing an ERM program. I encourage the reader to scan through Terms of Reference at the end of the deck to get a quick grounding in ERM terminology. 4
  • 5. Definition of ERM • Committee of Sponsoring Organizations (COSO) - Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. • International Organization for Standardization (ISO 31000) - A strategic organizational approach that supports the achievement of the institution’s objectives by addressing the full spectrum (reputational, strategic, financial, operational and compliance) of its risks and managing the combined impact as an interrelated set of risks. • Society of Actuaries - Enterprise risk management (ERM) is the process of coordinated risk management that places a greater emphasis on cooperation among departments to manage the organization’s full range of risks as a whole. ERM offers a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise. Unlike previous risk management practices, the concept of ERM embodies the notion that risk analysis cuts across the entire organization. The goal of ERM is to better understand the shock resistance of the enterprise to its key risks and to better manage enterprise risk exposure to the level desired by senior management. 5
  • 6. Traditional Risk Management • Purchase insurance to cover risks • Hazard-based risk identification and controls • Compliance issues addressed separately • Safety & emergency management handled separately • “Silo” approach – risk management is not integrated across the organization • Risk Manager is the insurance buyer Advanced Risk Management • Greater use of alternative risk financing techniques • More proactive about preventing and reducing risks • Integrates claims management, contracts review, special event RM, insurance and risk transfer techniques • Cost allocation used for education and accountability • More collaboration – as departments are willing to work together • Risk Manager may be the risk owner Enterprise-wide Risk Management • A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational • Aligns RM process with strategy and mission • May include “upside risks” (opportunities) • Helps manage growth, allocate capital & resources • Risks are owned by all & mitigated at the department level • Many risk mitigation & analytical tools available • Risk Manager is the risk facilitator and leader Transactional Integrated Strategic Risk is bad – focus is on transferring risk Risk is an expense – focus is on reducing cost-of-risk Risk is uncertainty – focus is on optimizing risk to achieve goals Evolution of Risk Management 6
  • 7. Architecture of an ERM program Board of Directors/Audit Committee Senior Management of the firm 1st Line of defense 2nd Line of Defense 3rd Line of Defense Business Units and functional staff Risk Management Internal Audit “Owns” the risks associated with their activities and execute risk management processes on an operational basis Designs & coordinates the implementation of the ERM program: • ERM & Project Risk • Compliance Risk • Information Risk • Insurance Risk • Operational Excellence • HSSE & Business Continuity/Disaster Recovery Validates the effectiveness of the ERM program External Audit Regulatory Agencies 7
  • 8. Maturity of an ERM program Source: The Institute of Risk Management 8
  • 9. Steps in the Risk Management Process Develop (or revise) the firm’s set of strategic objectives. Facilitate interviews and/or workshops with front-line personnel to identify risks to these objectives. Use feedback from interviews/workshops to populate the corporate risk register. Capture the following attributes in the risk register for each risk event: Risk Description, Risk Type, Risk Owner, Likelihood, Impact, current Controls/Mitigations, Risk Tolerance, Residual Risk. For all risk events where the residual risk remains greater than the risk tolerance, develop remediation action plans to bring the risk back within limits. Once all remediation plans have been completed, there are 4 potential courses of action for each risk event: 1) Avoid (get out of the activity) 2) Accept/Retain (Monitor) 3) Reduce (add additional controls) 4) Transfer (Partner or buy insurance) Develop management reporting that provides for timely monitoring and reporting of the firm’s risk profile. Identify Assess Respond Monitor & Report 9
  • 10. Risk Estimation – Consider the effect of scale Corporate level Business Unit Department Functional group Individual job role Individual process Level of risk increases the further up in the organization one travels – a risk that occurs at the individual process level is undoubtedly less material than a risk event that occurs at the business unit or corporate level 10
• 11. Use cases – Enterprise Risks with hedges/mitigants
(Columns in the original table: Risk event; Primary risk category; Secondary risk category; Mitigant/hedge.)

Risk event: An electric utility suffers a loss of revenue due to a flood knocking out several generators at a power plant.
Primary: Insurable. Secondary: Property Damage.
• Implement robust Business Continuity (BC) and Incident Response (IR) plans to ensure that any adverse consequences to the firm are minimized after the incident has occurred.
• Purchase property insurance to cover the risk of physical damage to physical assets, and business interruption insurance to cover loss of income due to forced outages of physical assets.

Risk event: A trading firm suffers the loss of outstanding Accounts Receivable amounts and unrealized forward mark-to-market when a counterparty defaults.
Primary: Credit. Secondary: Market.
• Implement an internal credit risk function that sets limits for trading activities and performs ongoing monitoring of current trading counterparties.
• If economical, purchase credit insurance on a specific counterparty or group of counterparties.

Risk event: A manufacturer of electric turbines has to pay product liability claims when several of its turbines fail to operate within specified parameters due to premature metal fatigue.
Primary: Insurable. Secondary: Liability.
• Incorporate rigorous quality management procedures into the manufacturing process for all products.
• Purchase general liability insurance to cover potential losses for all of its commercial operations.

Risk event: Any energy firm that makes use of floating-rate debt financing is confronted with increased interest service costs and less cash flow certainty in an increasing interest rate environment.
Primary: Market. Secondary: Interest Rate.
• Use interest rate derivatives – swaptions, caps/floors, fixed-for-float swaps – to hedge adverse interest rate movements.
• If economical, lock in fixed-rate financing in an increasing interest rate environment.

Risk event: Electric utilities are confronted with the potential loss of revenue from industrial and retail customers due to technological advancements allowing the deployment of more cost-effective distributed generation (e.g., a small industrial firm installs an onsite natural gas generator).
Primary: Strategic. Secondary: Customer preference.
• Build an effective internal Enterprise Risk Management group that monitors emerging risks and industry trends in order to anticipate market trends and changing customer preferences.
• Ensure that the ERM group has a defined role in all capital investment decisions.

Risk event: A life insurer has 50% of its statutory reserves attributable to a single immediate annuity product and is experiencing longer than anticipated lifespans among the active cohort of annuitants.
Primary: Insurable. Secondary: Longevity.
• Explore reinsurance options for hedging some portion of the longevity risk at product issue.
• Price immediate annuity products on a very conservative basis (interest, mortality) and allow for the possibility of increasing benefit payments through the use of non-guaranteed dividends.

Risk event: A commercial auto insurer has been a market leader in utilizing advanced analytics like machine learning and predictive modeling to refine the pricing of the products it sells to transportation and logistics firms. After investigating the drivers of emerging losses in several states, the firm discovered that a computational error had been made in the development of its pricing model, leading to dramatic underpricing in the latest annual cycle.
Primary: Operational. Secondary: Model Risk.
• Implement a robust Model Risk capability in the Enterprise Risk Management group and require that every update to a pricing model be subject to a full model validation before it is used in production.
• Implement an Economic Capital model with simulation and scenario-testing capabilities to ensure that a wide range of potential outcomes is evaluated.
• 12. By the numbers – ERM’s economic significance (1 of 2)
[Diagram: Step 1 – The Financials + Step 2 – The Risk factors + Step 3 – Black Box = Profitability Distribution]
• 13. By the numbers – ERM’s economic significance (2 of 2)
[Histogram: projected change in economic position on the x-axis (-$200,000,000 to +$200,000,000 in $50,000,000 steps) against the number of simulated outcomes on the y-axis (0 to 2,000); net worth at end of 5-year horizon. Bin counts from left to right: 11, 118, 681, 1,713, 1,664, 686, 120.]
Centre of the distribution: this is commonly referred to as the “median” of the distribution (for a normal distribution the median coincides with the mean). In the context of a corporation’s financial health, this is the “expected case” or P50 (50th percentile) in a forward-looking financial plan.
Left tail: the economic results/outcomes in this part of the distribution arise from catastrophic risk events, commonly referred to as “tail events” or “black swan events”. These events, by their very nature, are often unexpected and can have dramatic impacts on the affected parties: organizations, communities, and individual citizens.
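The three-step pipeline on slides 12 and 13 (financial plan + risk factors + a simulation “black box” = a profitability distribution with a P50 and a left tail) is straightforward to prototype. The block below is an added example written for this page, not code from the deck or its author: the base plan, the three risk-factor distributions and the 2%-per-year tail event are constructed assumptions, and the nearest-rank percentile is one of several conventions. It also shows the Value at Risk metric defined in Appendix G as the distance between the expected case and the 0.5th percentile (a 1-in-200 horizon loss).

```python
"""Added example, not from the slide deck: a toy Monte Carlo of the
"Financials + Risk factors + Black box = Profitability distribution"
pipeline on slides 12-13. Every figure below is a constructed assumption."""
import random

# Step 1 - The Financials: assumed base plan, in dollars.
BASE_ANNUAL_EARNINGS = 40_000_000
HORIZON_YEARS = 5

# Step 2 - The Risk factors: assumed annual shocks, as a fraction of base
# earnings, drawn independently each year from a normal distribution.
RISK_FACTORS = {            # name: (mean, standard deviation)
    "interest_rate": (0.00, 0.25),
    "credit": (-0.05, 0.20),
    "operational": (-0.02, 0.10),
}
# A rare, severe event that drives the left tail (assumed): 2% per year.
TAIL_EVENT_PROB = 0.02
TAIL_EVENT_LOSS = 60_000_000


def simulate_one_path(rng):
    """Step 3 - the 'black box': one 5-year path of cumulative earnings."""
    change = 0.0
    for _ in range(HORIZON_YEARS):
        earnings = BASE_ANNUAL_EARNINGS
        for mean, sd in RISK_FACTORS.values():
            earnings += BASE_ANNUAL_EARNINGS * rng.gauss(mean, sd)
        if rng.random() < TAIL_EVENT_PROB:
            earnings -= TAIL_EVENT_LOSS
        change += earnings
    return change


def simulate(n_paths=5000, seed=1):
    """Projected change in economic position for n_paths scenarios."""
    rng = random.Random(seed)
    return [simulate_one_path(rng) for _ in range(n_paths)]


def percentile(values, p):
    """Nearest-rank percentile, p in [0, 100]."""
    ordered = sorted(values)
    rank = max(1, min(len(ordered), round(p / 100 * len(ordered))))
    return ordered[rank - 1]


def summarize(changes):
    """P50 'expected case' and the 1-in-200 left tail (slide 13), plus a
    VaR-style figure: how far the 0.5th percentile sits below P50."""
    p50 = percentile(changes, 50)
    p0_5 = percentile(changes, 0.5)
    return {
        "p50": p50,
        "p0_5": p0_5,
        "var_99_5": p50 - p0_5,
        "prob_loss": sum(1 for c in changes if c < 0) / len(changes),
    }


def histogram(changes, lo=-200_000_000, hi=200_000_000, bin_width=50_000_000):
    """Bucket the scenarios into bins like the chart on slide 13."""
    n_bins = (hi - lo) // bin_width
    counts = [0] * n_bins
    for c in changes:
        idx = int((c - lo) // bin_width)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts


if __name__ == "__main__":
    paths = simulate()
    print(summarize(paths))
    print(histogram(paths))
```

With the assumed inputs the P50 lands near +$180M over five years and the left tail is pulled down by the rare $60M event; swapping the constructed distributions for the firm's own plan and risk-factor calibrations is the real work, which the black box on slide 12 hides.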
• 14. How do we get started? (1 of 2)
▪ With ERM programs there is definitively not a “one size fits all” strategy. The optimal strategy depends on the industry, competitive pressures, regulatory framework, information technology infrastructure, workforce demographics, and a host of other factors. Having said that, it is always better to view an ERM program implementation in phases: Phase I should be modest in scope, require limited resources (time, money, people) and focus on assessing the organization’s most material risk factors. Complexity and greater analytical rigor can be added in later phases.
▪ STEP 1 – Procure buy-in from senior management
  ▪ Develop simple and clear training materials to deliver to the executive team.
  ▪ Where possible, articulate the value proposition for ERM in clear economic terms – increased revenue, reduced expenses, contingent losses avoided, etc.
  ▪ Once buy-in is achieved, it is critical that there be at least one project sponsor for the initiative, and that each risk event has a named owner in the organization.
  ▪ Develop a multi-channel communication plan (e.g. email blasts, town hall meetings, organizational newsletters) through which the program and its intent will be communicated to employees. Provide employees with a feedback mechanism should they have follow-up questions.
▪ STEP 2 – Assemble a small project team
  ▪ Resource the project team with current employees from other internal groups with a Risk Management focus – Internal Audit, Regulatory Compliance, Finance, Environmental Health & Safety, HR, etc.
  ▪ Nominate a project director to lead the initiative. The individual does not have to be a CRO, but must have a broad knowledge of the organization’s business model, product lines, and competitive environment, strong leadership skills, and credibility with the executive team.
• 15. How do we get started? (2 of 2)
▪ STEP 3 – Compile and review any recent internal risk assessment materials performed by other groups (within the last year)
  ▪ There is seldom a need to build an ERM program from scratch – it is always more efficient to leverage existing work performed by other groups.
  ▪ Aggregate all of the data and findings from these risk assessments into a normalized risk register format – risk definition, risk category, likelihood assessment, severity assessment, current-state controls and mitigations, risk owner, etc.
  ▪ Once this data is normalized and tabulated, identify the top 5 existing risks (as measured by residual exposure, i.e. exposure remaining after current controls) and pick a target business segment in which to run the Phase I ERM “pilot”.
▪ STEP 4 – Perform a risk assessment in the target business segment
  ▪ Distribute an online questionnaire to selected individuals in the target business segment – functional leads and their direct reports.
  ▪ The questionnaire does not need to be long or complex; there are just a few simple questions:
    ▪ What are the key strategic objectives of the business segment? (Look for consistency with the executive team.)
    ▪ What are the top 7 to 10 mission-critical operational processes that are required to realize these goals?
    ▪ What are the top 5 risks that could adversely impact these processes?
    ▪ What controls are currently in place (the “as-is” state) to help mitigate these risks?
  ▪ As a follow-on to the questionnaires, and to reinforce the findings, chair multiple face-to-face (F2F) sessions to gather additional information. Invite the same individuals that were on the distribution list for the questionnaire.
▪ STEP 5 – Identify gaps and formulate a remediation plan
  ▪ Tabulate all of the feedback gathered from the questionnaires and facilitated F2F sessions, combine it with findings from existing risk assessments, and develop a detailed gap analysis on the top 5 key risks.
  ▪ Present the findings to senior management with budget and time estimates for the remediation plan.
• 16. Corporate Governance (Insurers) – Background (1 of 3)
▪ Corporate Governance is the term that refers to the set of rules, policies, processes, structures and controls through which an entity is directed and controlled.
▪ Effective corporate governance is ultimately the responsibility of the Board of Directors, and allows the entity to achieve a balance between the interests of multiple stakeholders – owners/shareholders, employees, executive management, policyholders, vendors, communities, and regulators.
▪ Insurers, along with other financial intermediaries (e.g. banks, asset managers, pension funds), play a key role in the global economy. They are among the largest institutional investors, and also provide protection products (life, health, home, auto) and savings products (annuities, GICs) to retail consumers. So it is particularly critical for insurers to have well-established governance practices in place.
▪ Having an effective corporate governance framework is an essential condition precedent for having an effective risk management framework, and insurance regulators consider the quality, robustness, and performance of these frameworks when assessing insurers.
▪ The Organisation for Economic Co-operation and Development (OECD) has laid out a set of specific guidelines for the insurance industry. These guidelines emphasize the following elements:
  1. An expected prudent approach to business and financial strategies, consistent with the role of insurance in the economy and, where relevant, social security systems;
  2. A well-developed risk culture and risk management and internal control systems, supported by effective and independent control functions;
  3. A high level of financial expertise among board members and within senior management; and
  4. Policies and procedures that ensure proper treatment of customers and policyholders (and any relevant beneficiaries), including mechanisms for redress.
• 17. Corporate Governance (Insurers) – Internal (2 of 3)
Key components and their roles and responsibilities:

Board of Directors
• Set the direction for and oversee the affairs of the insurer.
• Ensure that it meets its strategic objectives and is managed efficiently and prudently.
• Establish appropriate policies and an effective governance system to achieve these aims.
• Set the “tone at the top” by establishing and promoting a proper risk culture and an ethical and sound control environment.
• Meet regularly with management to review progress against objectives and assess the implementation of board policies and decisions.
• Ensure that an integrated, firm-wide information and reporting system is established.
• Board members should understand their responsibilities and dedicate sufficient time and energy to fulfilling them.

Committees
• Establish committees to support the full board in performing its functions and, where appropriate, to improve the effectiveness, efficiency, quality and independence of board decision-making and enhance the oversight and governance of the insurer, depending on the company’s size and risk profile.
• Responsibility for board decision-making should ultimately rest with the board. The board should review the performance of its committees at least annually.

Management
• Set, with the board, the proper “tone at the top” by supporting the development and implementation of a proper risk culture and control environment throughout the insurer and by promoting and adhering to high standards of ethics and business conduct.
• Recommend and implement board strategies, policies and decisions and efficiently manage the day-to-day operations of the insurer.
• Identify and monitor the key risks facing the insurer and undertake actions to manage, control, or mitigate them.
• Ensure that an effective risk management and internal control framework is implemented and ensure compliance with applicable laws, regulation and standards.
• Establish sound internal governance practices and effective internal organizational structures.
• Establish control functions, ensure their effectiveness and independence and communicate their importance throughout the insurer.
• Establish appropriate compensation systems and incentive structures to promote prudent behavior consistent with the long-term interests of the insurer and fair conduct toward consumers and policyholders.

External Audit
• Appointed to perform an audit of the accounts of the insurer at least annually to assure the board and shareholders (and member-policyholders) that the financial statements fairly represent the financial position and performance of the insurer in all material respects.
• Periodic audits are conducted in accordance with high-quality standards of auditing that are subject to independent public oversight.
• Verify the insurer’s internal controls over financial reporting.
• Use the audit process to verify the value of the insurer’s policy liabilities and the appropriateness of its technical provisions.
• Perform all other duties specified by external audit requirements in the country, which may include conducting a review of the insurer’s risk management and internal control system.
• 18. Corporate Governance for Insurers – Typical committees (3 of 3)
Board of Directors – Supporting Committees:
• Investment
• Asset Liability Management
• Regulatory Affairs
• Compliance
• Business Continuity/Disaster Recovery
• Compensation
• Enterprise Risk Management
• Supply Chain Management
• Audit
• Capital and Liquidity
• Nominating
• Sustainability
• 19. Top Risks in 2022
▪ Financial Risk – Inflation increasing sharply since 2020.
▪ Financial Risk – Debt levels too high globally (e.g. governments, consumers, corporations).
▪ Financial Risk – Increasing volatility in the capital markets (e.g. interest rates increasing, credit spreads widening, margin balances at all-time highs).
▪ Financial/Physical Risk – Ongoing economic impacts and resource strains due to COVID-19 variants.
▪ Physical Risk – Increased incidence of extreme weather events spurred by climate change.
▪ Physical Risk – Food insecurity. The Ukrainian conflict and record high prices for transportation fuels have resulted in significant price increases in key agricultural commodities.
▪ Operational Risk – Cyber attacks on key government sectors and private sector industries.
▪ Strategic Risk – Escalating political and social unrest.
▪ Strategic Risk – Talent sourcing and retention becoming increasingly difficult due to changed expectations about work location and work/life balance.
• 20. Summary & Conclusions
Critical Success Factors
• “Tone from the Top” – must be present and strongly communicated throughout the organization.
• Gain buy-in from stakeholders, both internal and external. Transparency is key!
• No “one size fits all” ERM program – the optimal design of a program is tightly linked with the unique attributes of each firm: corporate culture, strategic objectives, industry, operational complexity, competitive landscape, etc.
• An ERM program is a dynamic, ongoing exercise, not a simple project with a defined beginning and end date.
• Product Development/M&A activities – involving the ERM group in the early stages will dramatically increase the probability of success of any new product rollout or prospective M&A target.
• Staffing considerations – several of the key drivers of ERM program success (deep understanding of the firm’s business model and competitive landscape, familiarity with the firm’s culture, etc.) are most likely to be found among existing staff in other functional groups.
• Embed Risk Management objectives into incentive schemes.
• Risk Appetite and Risk Tolerance must be clearly defined and measurable.
Benefits of a robust ERM program
• Strong and scalable platform to identify and pursue strategically important opportunities.
• Integrated and holistic view of all risks that impact the organization.
• Significantly improved reputation with internal and external stakeholders.
• Improved credit ratings and reduced cost of debt and equity capital.
• Effective identification of commercial opportunities and capital deployment.
• Aligns risk appetite and strategy through risk quantification and risk mapping.
• Deals effectively with uncertainty and the associated risks and opportunities.
• Increased resiliency in the face of catastrophic events.
• Leverages collaborative “knowledge” to enhance risk response decisions.
• Reduces operational surprises and losses.
• 22. Appendix A Elements of the Total Cost of Risk (TCOR)
▪ Compensation and ancillary benefits for Risk Management staff members
  ▪ Direct cash and incentive compensation.
  ▪ Employee benefits.
  ▪ Retirement plan costs – Defined Benefit/Defined Contribution.
▪ Corporate-level hedging programs
  ▪ Commercial insurance premiums.
  ▪ Financial transaction costs – hedging foreign exchange and interest rate exposures.
  ▪ Retained (within the policy deductible) or self-insured claims.
▪ Risk control costs – Health & Safety inspections, risk-reduction techniques, etc.
▪ Development and implementation of training programs.
▪ Legal and Regulatory Compliance
  ▪ Financial penalties due to failure to perform on a contract.
  ▪ Unanticipated legal expenses – responding to subpoenas, regulatory inquiries, non-standard advice, guidance on emerging regulation, etc.
  ▪ Explicit regulatory fines.
▪ Miscellaneous costs
  ▪ Cost of 3rd-party service providers – insurance brokers, consultants on a project, external audit firms, Information Security assessments, etc.
  ▪ Infrastructure development costs – risk databases, Management Information Reporting, etc.
• 23. Appendix B Functional structure for an electric utility ERM group
CEO/CFO
▪ CRO (sub-function grouping below inferred from the layout of the original chart)
  ▪ Transaction Risk: Market Risk; Credit Risk; Mid-Office Analytics
  ▪ Compliance Risk: Policy Development; Compliance monitoring; Regulatory Affairs; Legal Investigations; Compliance Training
  ▪ Information Risk: Project Risk; Technology Asset Management; Operational outages; Information Security; Records Management
  ▪ Operational Excellence: SOX-related risks; Delegated authorities framework; Non-SOX operational risks; Integration of new commercial activities; Quality management; CAPEX/M&A activity
  ▪ Health & Safety: Employee Health & Wellness; Business Continuity, Disaster Recovery; Environmental Regulation; Backup sites; Asset Decommissioning
  ▪ Commercial Insurance: Procurement; Claims management; Broker relationships; Periodic site visits with HSSE team
• 24. Appendix C Chief Risk Officer job requirements
• Overall Mission – At a macro level, the role of a Risk Management group, and particularly the CRO, is to sit outside of the business and be independent and objective, while also being “of the business”: understanding at an intimate level how the firm generates revenue, the strategic and competitive landscape that confronts the firm, the culture of the firm, the regulatory landscape, etc.
• Strong Educational Background – A highly analytical and quantitative discipline: mathematics, statistics, engineering, quantitative finance, hard sciences, etc.
• Broad functional experience – Human Resources, Technology/IT, Environmental Health & Safety (HSSE), Accounting & Finance, Sales & Marketing, Procurement, Operations, Ethics & Compliance, Legal, Public Relations, Regulatory Affairs, Product Development, etc.
• Intellectual Curiosity – Ability to scale from the high-level, “macro” view to the very detailed, “micro” view and back again with great agility.
• High levels of self-confidence, decisiveness, and assertiveness – Must be very comfortable making tough decisions, often in the absence of complete information.
• Strong communication skills – Must possess a strong ability to distill complex and technical information and topics into simple-to-understand concepts and actionable guidance.
• Strong leadership skills – Tough and demanding, but also fair and invested in the success of direct reports, with an unyielding moral compass.
• Visionary and diplomat – Risk Management must be more than simply a paycheck. All RM roles are very challenging and demanding even on the best of days. The CRO should strongly believe that there is a broader social and fiduciary purpose to their role, well beyond the stated requirements of their specific job.
• 25. Appendix D Energy/Financial Services Regulators in the US
(Columns in the original table: Regulator; Industries covered; Jurisdiction; Office location.)
▪ Federal Reserve – Central bank of the US; national payment system; commercial banks. Federal level. Washington, DC, plus 12 regional Reserve Banks.
▪ Office of the Comptroller of the Currency (OCC) – National banks; thrift institutions; federally licensed branches and agencies of foreign banks in the United States. Federal level. Washington, DC.
▪ Federal Deposit Insurance Corporation (FDIC) – State-chartered banks that are not members of the Federal Reserve System; deposit insurance. Federal level. Washington, DC.
▪ National Credit Union Administration (NCUA) – Credit unions. Federal level. Alexandria, Virginia.
▪ Pension Benefit Guaranty Corporation (PBGC) – Private-sector Defined Benefit plans. Federal level. Washington, DC.
▪ Securities and Exchange Commission (SEC) – Securities exchanges; securities brokers and dealers; investment advisers; mutual funds. Federal level. Washington, DC.
▪ Commodity Futures Trading Commission (CFTC) – Derivatives markets. Federal level. Washington, DC.
▪ Federal Energy Regulatory Commission (FERC) – Regulates the interstate transmission of electricity, natural gas, and oil; reviews proposals to build liquefied natural gas (LNG) terminals and interstate natural gas pipelines; licenses hydropower projects. Federal level. Washington, DC.
▪ North American Electric Reliability Corporation (NERC) – Develops and enforces reliability standards; produces annual and 10-year assessments and winter and summer forecasts; monitors the bulk power system. Continent-wide; certified by FERC as the Electric Reliability Organization for the US (not itself a government agency). Atlanta, Georgia, with a Washington, DC office.
▪ State Utility Commissioners – Oversee electric, gas, water and telecommunications services; may also regulate railroads, public transportation services, trucking and even modular home construction. State level. Various.
▪ State Insurance Departments – Insurance companies, agents, brokers. State level. Various.
• 26. Appendix E (1 of 3) Product hierarchy – LAH insurer
Life, Annuity, Health
▪ Life Insurance
  ▪ Term Insurance: Annual Renewable Term; Level Term
  ▪ Permanent Insurance
    ▪ Whole Life: Traditional; Variable
    ▪ Universal Life: Variable; Fixed Rate; Indexed
▪ Annuities
  ▪ Deferred: Variable; Fixed Rate; Indexed
  ▪ Immediate
▪ Health: Short-term; Major Medical; Long-Term Care; Disability Income
• 27. Appendix E (2 of 3) Enterprise Risk Hierarchy – LAH insurer
Enterprise Risks
▪ Market Risk: Interest Rate; Equity Price; Foreign Exchange; Commodity Price
▪ Credit Risk: Spread; Default; Migration
▪ Insurable Risk: Mortality; Morbidity; Longevity; Policyholder Behavior – Disintermediation; Catastrophic
▪ Operational Risk
  ▪ Systems: Information Security; Implementation Risk; Forced outages
  ▪ Process: Inadequate training; Inadequate processes
  ▪ People: Fraud & Misconduct
▪ Strategic Risk: Competitive; Sourcing Talent; Product trends
▪ Compliance Risk: Legal breach; Regulatory breach; Contractual breach
• 28. Appendix E (3 of 3) Product Risk Profile – LAH insurer
(Columns in the original table: Product; Liability-side risks; Asset-side risks.)
▪ Fixed-Rate UL – Liability side: Mortality; Policyholder Behavior – Disintermediation. Asset side: Interest Rate; Credit; Prepayment.
▪ Long-Term Care – Liability side: Morbidity; Mortality; Inflation. Asset side: Interest Rate; Credit; Prepayment.
▪ Immediate Annuity with COLA rider – Liability side: Longevity; Inflation. Asset side: Interest Rate; Credit; Prepayment.
▪ Variable Annuity with embedded options – Liability side: Mortality; Policyholder Behavior. Asset side: Equity; Credit; Liquidity; Prepayment.
▪ Disability Income – Liability side: Morbidity; Mortality; Policyholder Behavior – Malingering. Asset side: Interest Rate; Credit; Prepayment.
• 29. Appendix F (1 of 6) Sample Risk Estimation Scales (Likelihood)
(Columns: Level; Descriptor; Description; Indicative frequency.)
▪ 1 – Very Rare – Heard of something like this occurring elsewhere. – Once every 30 years or less often.
▪ 2 – Unlikely – Low likelihood of the event happening; the event does occur somewhere from time to time. – Once every 3 to 10 years.
▪ 3 – Possible – Medium likelihood of the event happening; the event has occurred at least once in your career. – About once every 3 years.
▪ 4 – Likely – The event has occurred several times or more in your career. – About once a year (more often than every 3 years, up to once a year).
▪ 5 – Almost Certain – High likelihood of the event happening; the event has occurred in the last 6 months. – More than once per year.
• 30. Appendix F (2 of 6) Sample Risk Estimation Scales (Severity)
(Columns: Level; Descriptor; Definition, as estimated financial impact.)
▪ 1 – Very Low – less than $100 million
▪ 2 – Low – $100 million or more, but less than $250 million
▪ 3 – Moderate – $250 million or more, but less than $1 billion
▪ 4 – High – $1 billion or more, but less than $5 billion
▪ 5 – Very High – $5 billion or more
The ranges are half-open, so a boundary value such as $250 million falls into exactly one level.
• 31. Appendix F (3 of 6) Sample Risk Heatmap (after the application of controls)
[5 x 5 grid, not reproducible in text. Rows – Likelihood scale: 1 Very rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain. Columns – Severity scale: 1 Very Low, 2 Low, 3 Moderate, 4 High, 5 Very High. Cells are coloured into four bands: MINOR, MODERATE, SIGNIFICANT, CATASTROPHIC.]
• 32. Appendix F (4 of 6) Sample Risk Register (with linkage to strategic objectives) [image only; no text extracted]
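The register image is not recoverable, but the fields the deck asks for (Step 3 on slide 15: definition, category, likelihood, severity, current controls, owner, plus the strategic-objective linkage of this slide) and the 5 x 5 scales of Appendix F are enough to build one. The block below is an added example written for this page, not the deck's own register: the six risks, the owners and objectives, and the likelihood x severity band thresholds are constructed assumptions (the heatmap's colour mapping is not recoverable from the text), and the severity bounds are the half-open dollar ranges of Appendix F (2 of 6). It ranks the register by residual exposure, as Step 3 requires, and rejects a residual score that exceeds the inherent one, which is the most common data-entry error in a hand-built register.

```python
"""Added example, not from the slide deck: a normalized risk register
(Step 3 on slide 15) scored on the 5x5 likelihood/severity scales of
Appendix F and ranked by residual exposure. The heatmap banding and the
sample risks are constructed assumptions."""
from dataclasses import dataclass, field

LIKELIHOOD = {1: "Very Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
SEVERITY = {1: "Very Low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very High"}

# Upper bounds (exclusive) of severity levels 1-4, in dollars (Appendix F, 2 of 6).
SEVERITY_BOUNDS = [(100e6, 1), (250e6, 2), (1e9, 3), (5e9, 4)]


def severity_level(loss_usd):
    """Map an estimated loss to severity 1-5 using half-open ranges, so a
    $250M loss lands in exactly one level."""
    for bound, level in SEVERITY_BOUNDS:
        if loss_usd < bound:
            return level
    return 5


def band(score):
    """Assumed heatmap band for a likelihood x severity score (1-25)."""
    if score <= 4:
        return "MINOR"
    if score <= 9:
        return "MODERATE"
    if score <= 15:
        return "SIGNIFICANT"
    return "CATASTROPHIC"


@dataclass
class Risk:
    name: str
    category: str            # e.g. Market, Credit, Insurable, Operational
    objective: str           # linked strategic objective (slide 32)
    owner: str               # named risk owner (slide 14, Step 1)
    inherent_likelihood: int
    inherent_loss_usd: float
    residual_likelihood: int
    residual_loss_usd: float
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for lvl in (self.inherent_likelihood, self.residual_likelihood):
            if lvl not in LIKELIHOOD:
                raise ValueError(f"{self.name}: likelihood must be 1-5, got {lvl}")
        # Controls can only reduce exposure; a residual above inherent is a data error.
        if (self.residual_likelihood > self.inherent_likelihood
                or self.residual_loss_usd > self.inherent_loss_usd):
            raise ValueError(f"{self.name}: residual exposure exceeds inherent")

    def inherent_score(self):
        return self.inherent_likelihood * severity_level(self.inherent_loss_usd)

    def residual_score(self):
        return self.residual_likelihood * severity_level(self.residual_loss_usd)


def top_risks(register, n=5):
    """Top-n by residual score; ties broken by residual loss, then name."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.residual_loss_usd, r.name))[:n]


def by_objective(register):
    """Total residual score per strategic objective (slides 33/34 linkage)."""
    totals = {}
    for r in register:
        totals[r.objective] = totals.get(r.objective, 0) + r.residual_score()
    return totals


# Constructed sample register (six risks, loss amounts in dollars).
SAMPLE_REGISTER = [
    Risk("Flood at main generating plant", "Insurable", "Reliable supply", "VP Generation",
         3, 400e6, 2, 150e6, ["BC/IR plans", "Property + BI insurance"]),
    Risk("Counterparty default on forward book", "Credit", "Trading margin", "Head of Credit",
         4, 300e6, 3, 120e6, ["Counterparty limits", "Credit insurance"]),
    Risk("Pricing model computational error", "Operational", "Profitable growth", "Chief Actuary",
         3, 200e6, 2, 90e6, ["Model validation"]),
    Risk("Floating-rate debt cost increase", "Market", "Cost of capital", "Treasurer",
         5, 120e6, 3, 60e6, ["Rate swaps", "Caps"]),
    Risk("Cyber attack on OT network", "Operational", "Reliable supply", "CISO",
         4, 800e6, 3, 300e6, ["Segmentation", "Monitoring"]),
    Risk("Distributed generation eroding demand", "Strategic", "Profitable growth", "Chief Strategy Officer",
         4, 1.5e9, 4, 1.2e9, ["Emerging-risk monitoring"]),
]

if __name__ == "__main__":
    for r in top_risks(SAMPLE_REGISTER):
        print(f"{r.residual_score():>2} {band(r.residual_score()):<13} {r.name} ({r.owner})")
    print(by_objective(SAMPLE_REGISTER))
```

Run as a script it lists the top 5 with their band and owner; the strategic-risk entry keeps a score of 16 because its only control is monitoring, which is exactly the kind of finding the Step 5 gap analysis is meant to surface.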
• 33. Appendix F (5 of 6) Objective set with linkage to risk appetite/tolerance [image only; no text extracted]
• 34. Appendix F (6 of 6) Objective set with linkage to risk appetite/tolerance [image only; no text extracted]
• 35. Appendix G (1 of 6) Risk Management Terms of Reference
Data and Infrastructure – Big Data: A term coined to describe data sets with sizes beyond the ability of commonly used software tools to capture, curate, manage, and process within a tolerable elapsed time. The term encompasses unstructured, semi-structured and structured data, although the main focus is on unstructured data. The size threshold that defines “Big Data” is a constantly moving target, as of 2012 ranging from a few dozen terabytes to many petabytes of data in a single data set.
Data and Infrastructure – Analytics: The application of advanced computational techniques and methodologies to large data sets with the objective of identifying, interpreting, and communicating patterns in such data to decision makers, to enable better decision making.
Data and Infrastructure – Artificial Intelligence: A discipline within computer science concerned with using computers and other machines to perform tasks that would otherwise require human intelligence.
Data and Infrastructure – Cloud Computing: The on-demand availability of flexible and scalable computing resources – particularly storage, software development platforms, and distributed computational resources – without direct management of those resources by the user.
Data and Infrastructure – Machine Learning: An application of artificial intelligence in which programs or algorithms learn patterns from data and improve their outputs with experience, rather than being explicitly programmed for each case. There are several variants: (1) Supervised, (2) Unsupervised, (3) Semi-supervised, and (4) Reinforcement learning.
Data and Infrastructure – Natural Language Processing: The technology that allows computer systems to interpret, and respond to, human language in text and speech.
• 36. Appendix G (2 of 6) Risk Management Terms of Reference
InfoSec – Availability: Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
InfoSec – Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
InfoSec – Encryption: Methods of converting readable data (plaintext: text, but equally files, messages or any other bytes) into an unreadable form (ciphertext). Any encryption scheme has two elements:
• Key – The secret variable that, together with the cipher, allows the intended recipient to decrypt the ciphertext. The cipher itself is expected to be public, so the protection rests on the key alone.
• Cipher – The algorithm that converts plaintext to ciphertext and back again.
InfoSec – Integrity: Assurance that the information is authentic and complete, and can be relied upon to be sufficiently accurate for its purpose. Integrity is one of the primary indicators of security (or lack of it): the question is not only whether the data is “correct”, but whether it can be trusted and relied upon. For example, making copies of a sensitive document (say by e-mailing a file) threatens both its confidentiality and its integrity, since there is no longer a single authoritative version and a modified copy may be mistaken for the original.
InfoSec – Security Controls: The management, operational, and technical controls (i.e. safeguards or countermeasures) prescribed for an information system to protect the Confidentiality, Integrity, and Availability (the CIA triad) of the system and its information.
Metrics – Key Risk Indicator (KRI): A measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that a KPI measures how well something is being done, whereas a KRI indicates the possibility of future adverse impact.
Metrics – Risk-Adjusted Return on Capital (RAROC): A financial measurement that takes the effect of risk into account when comparing profitability and performance across businesses. It is calculated by dividing the risk-adjusted return (net income – expected loss from risk + income from capital) by the economic capital allocated to the business. Higher-risk activities are expected to earn a higher return to justify the capital they consume.
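The Integrity entry asks whether data “can be trusted and relied upon”, and the Encryption entry separates the public algorithm from the secret key. The block below is an added example written for this page, not code from the deck: it applies that key/algorithm split to an integrity check using HMAC-SHA256 from the Python standard library, so that an edited copy of a document, or a tag produced without the key, is rejected. The document text and the keys are constructed.

```python
"""Added example, not from the slide deck: an integrity check in the sense
of the InfoSec definitions above. The algorithm (HMAC-SHA256) is public and
only the key is secret, which is the key/algorithm split described under
Encryption, applied here to a message authentication code. Key and
document are constructed."""
import hashlib
import hmac
import secrets


def make_tag(key, document):
    """Tag that binds the document's exact bytes to whoever holds the key."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def verify(key, document, tag):
    """Recompute and compare in constant time; any altered byte, or a tag
    produced under a different key, fails."""
    return hmac.compare_digest(make_tag(key, document), tag)


def demo(key=None):
    """Original vs. an edited copy vs. a forger who does not hold the key."""
    key = key or secrets.token_bytes(32)
    original = b"Risk register v1: top 5 residual risks approved by the board"
    tag = make_tag(key, original)
    # The "copy" problem from the Integrity entry: a second version now exists.
    edited_copy = original.replace(b"top 5", b"top 3")
    # An attacker without the key can only tag the edit under some other key.
    forged_tag = make_tag(secrets.token_bytes(32), edited_copy)
    return {
        "original_verifies": verify(key, original, tag),
        "edited_copy_verifies": verify(key, edited_copy, tag),
        "forged_tag_verifies": verify(key, edited_copy, forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

A plain SHA-256 hash of the document would catch accidental corruption but not a deliberate edit, because whoever changes the file can recompute the hash; the key is what turns a checksum into an integrity control, and `compare_digest` avoids leaking the tag through timing differences when verifying.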
• 37. Appendix G (3 of 6) Risk Management Terms of Reference
Metrics – Value at Risk (VaR): A statistical measure of the loss that a firm, trading portfolio, or trading position is not expected to exceed, at a stated confidence level, over a defined time frame. It is most commonly used by (1) commodity trading firms and (2) investment banks to quantify the size and probability of potential losses in their trading portfolios.
Qualitative Risk Assessment: A collaborative process of assigning relative values to assets, assessing their risk exposure, and estimating the cost of controlling the risk. It differs from quantitative risk analysis in that it uses relative measures and approximate costs rather than precise valuation and cost determination.
Quantitative Risk Assessment: A process for assigning a numeric value to the probability of loss based on known risks and available, objective data. Used to determine potential direct and indirect costs to the company based on values assigned to company assets and their exposure to risk – for example, the cost of replacing an asset, the cost of lost productivity, or the cost of diminished brand reputation.
Risk – Black Swan Events: An event that lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Events of this type often result in catastrophic impacts, whether economic, environmental, or reputational.
Risk – Diversifiable: Risks whose adverse consequences can be mitigated simply by holding a diversified portfolio of risk exposures.
Risk – Financial (Catastrophic): The risk that a natural disaster, terrorist attack, or other type of unanticipated extreme risk event threatens the financial solvency of a private sector firm, public sector organization, community, or even an entire nation.
Risk – Financial (Credit): The risk of loss when a counterparty fails to meet a payment obligation; the risk associated with any single exposure or group of exposures with the potential to produce losses large enough to threaten the firm’s operations; or the risk of loss arising when a sovereign state freezes foreign currency payments (transfer/conversion risk) or defaults on its obligations (sovereign risk).
• 38. Appendix G (4 of 6) Risk Management Terms of Reference
Risk – Financial (Insurable): A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be insurable, several things must be true:
• The insurer must be able to charge a premium high enough to cover not only claims but also the insurer’s own expenses. In other words, the risk cannot be catastrophic, i.e. so large that no insurer could hope to pay for the loss.
• The nature of the loss must be definite and financially measurable. That is, there should be no room for argument as to whether payment is due, nor as to what amount should be paid.
• The loss should be random in nature; otherwise the insured may engage in adverse selection (anti-selection).
Risk – Financial (Longevity): This risk applies to insurance firms that issue payout or immediate annuities. There are several different types of longevity risk, for individuals, for Life and Annuity insurers, and for pension plan sponsors:
• Individuals – The risk that individuals will outlive the assets they have accumulated over their working lifetimes.
• Insurance firms – The risk that the issuer of an annuity product has overestimated the mortality rates, and so underestimated the survival probabilities, of a specific block of annuity policyholders, so that the insurer has set aside insufficient reserves to fund the future annuity payments.
• Pension sponsors – The risk that the sponsor of a defined benefit plan has overestimated the mortality rates, and so underestimated the survival probabilities, of a cohort of DB plan participants, resulting in a cash flow strain on the plan sponsor.
Risk – Financial (Market): The risk that the value of a portfolio, either an investment portfolio or a trading portfolio, will decrease due to changes in the value of the market risk factors. The four standard market risk factors are stock prices, interest rates, foreign exchange rates, and commodity prices.
Risk – Financial (Morbidity): This risk applies to insurance firms that issue different types of health insurance – major medical, disability income, long-term care, specified disease, etc. It is the risk that the issuing insurer underestimates the probability of a group of insureds succumbing to a defined health condition and is required to pay out a higher level of benefits than it has set aside reserves for.
Risk – Financial (Mortality): This risk applies to insurance firms that issue life insurance contracts, and refers to the insurer having to fund death benefit payments for a cohort of life insureds sooner than anticipated in the initial pricing of the relevant product. When this occurs, the insurer pays claims earlier than priced and loses the investment spread it expected to earn on the reserves in the meantime.
Risk – Non-diversifiable: Risks, shared by all persons or organizations, that cannot be mitigated by adding exposures to the portfolio.
39. Appendix G (5 of 6) - Risk Management Terms of Reference

Risk – Nonfinancial (Regulatory)
The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape.

Risk – Nonfinancial (Strategic)
The risk associated with future business plans and strategies, including plans for entering new business lines, expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.

Risk – Pure
A risk event that only allows for losses, with no chance of a gain.

Risk – Speculative
A risk event that allows for either a gain or a loss.

Risk Appetite
The amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives.

Risk Assessment
The identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and the determination of an acceptable level of risk.

Risk Capacity
A firm's ability to identify its financial resources, expertise, and operating mandate in order to determine how much risk it is able to take.

Risk Control
The activity of applying a range of administrative, technical, and physical controls to reduce the risks to an organization's assets.

Risk Criteria
The terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives and on the external and internal context, and can be derived from standards, laws, policies and other requirements.

Risk Culture
The system of values and behaviors present in an organization that shapes the risk decisions of management and employees. One element of risk culture is a common understanding of the organization and its business purpose. Employees must also understand that risk and compliance rules apply to everyone as they work towards business goals. This understanding helps ensure a company "does the right thing" and is a fundamental part of good ERM practice.
40. Appendix G (6 of 6) - Risk Management Terms of Reference

Risk Owner
A person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

Risk Tolerance
The boundaries of risk beyond which a given organization is not prepared to venture in pursuit of its long-term objectives.