1 © 2014 CSAA Insurance Group. Confidential and proprietary. September 19, 2014 Strategic Risk Management Jeff Huebner Nicole Murray Risky Business Week

1© 2014 CSAA Insurance Group. Confidential and proprietary.© 2014 CSAA Insurance Group. Confidential and proprietary.

September 19, 2014

Strategic Risk ManagementJeff Huebner

Nicole Murray

Risky Business Week

2© 2014 CSAA Insurance Group. Confidential and proprietary.

We make explicit risk decisions, we are in the business of risk

• We aspire to be the #1 insurer in AAA member households across the markets we serve. As an insurer, our job is to assume and manage our member policyholders' personal lines insurance risk. We need to make risk choices and take risk in order to achieve this vision.

• In order to be the #1 insurer across the markets we serve, we need to take an appropriate level of risk for the financial, catastrophic, operational, and execution risk associated with growing books of personal lines business. We need to have a willingness to accept the higher level risk that is associated with growing our business.

• We believe that our strategy needs to be a consistent, aligning, guiding, and a driving force for the enterprise. We believe that frequently changing our strategy represents a very large risk. When it comes to enterprise strategy, we have a moderate appetite for the risk that we don't have the perfect strategy as the greater risk comes with too frequent changing of strategy. To support this, we need consistent communication to all employees to ensure alignment on the strategy.

Risk Category Low Appetite Moderate Appetite High Appetite

Catastrophe Risk n

Competition Risk n

Investment Risk n

Regulatory Risk n

Strategic Risk n


History of our Enterprise Risk Management program

2014

• Pre-separation, we used a high level ERM structure to identify, assess, prioritize, manage, monitor, and report risk.

• Included ERM into Audit Committee Charter

• Developed ERM guiding principles, risk management framework and ERM governance roles and responsibilities

• Identified top enterprise risks through interviews with management and ELT

• Identified risk owners for top enterprise risks and created ERM frameworks for each risk

• Conducted first ERM Leadership Team meetings

• A.M. Best identified our ERM capabilities as strong to superior

• Completed draft ORSA* report and participated in ORSA pilot program with CA DOI

• Created first Risk Appetite Statement

• Internal Audit provided independent assurance of our Business Continuity Planning and IT Disaster Recovery risks

2013201220112005 - 2010

*Own Risk and Solvency Assessment (ORSA) – component of an insurer’s enterprise risk management framework , is a confidential internal assessment appropriate to the nature, scale and complexity of an insurer conducted by the insurer of the material and relevant risks identified by the insurer associated with an insurer’s current business plan and the sufficiency of capital resources to support those risks.


Management owns risk and its management

The ERM team owns the risk process and focuses on key risks. The ERM team does not provide assurance

Strong and visible commitment from all members of the ERM leadership team, C-suite executives and Board of Directors

Clearly defined ownership for all key risks

Leverage ERM to ensure explicit risk choices rather than implicit or default decisions

Employ a single, consistent framework to achieve clarity and common understanding on disparate risks

Enterprise Risk Management Guiding Principles


Enterprise Risk Management Five Lines of Defense

Each enterprise risk is reviewed by five lines of defense, which is a four step process at each line of defense:

Identify and preliminary asses

Assess and prioritize likelihood and severity

Assign accountability and risk response

Monitor and reporting

Risk Owner

ERM Core Team

ERM Leadership

Team

Executive Leadership

Team

Board or Committee


Each top enterprise risk is evaluated through a consistent and extensive risk review process

Our risk identification process includes emerging risk discussions with the ERM Leadership Team and Executive Leadership Team, annual Board survey and review of risks within the industry and our peers

Once a risk is identified as a top enterprise risk, we use the following ERM process for each risk:

• Identify a risk owner• Identify C-suite owner• Identify Board or Committee

ownership• Define the risk• Set risk tolerance• Identify risk drivers and action

items• Identify and publish key risk and

performance indicators• Evaluate risk’s potential impact on

strategic initiatives and key company goals

• Quantify gross risk score• Identify mitigating controls• Evaluate mitigating control status• Quantify residual risk score• Determine current risk status• Identify target risk status• Determine current status of

mitigation efforts• Identify target status of mitigation

efforts• Speed of onset spectrum• Top risks correlations mapped

The risk owner then presents the completed ERM framework to the following groups:

• ERM Leadership Team – a body of 7 cross functional executives

• Executive Leadership Team (C suite)

• The Board or Board Committee that oversees the risk


ERM risks classified by speed of onset


For each top enterprise risk, we have articulated risk tolerances, with the following as representative examples

Overall risk tolerance

We want to manage risk to ensure we can do all of the following:

• Pay 100% of all claims to support our policyholders’ needs (including major catastrophe)

• Have the financial position to be able, if we choose, to renew all of our existing policies and continue to support AAA members with their existing insurance needs

• Have the additional capital to support growth, both in support of the strategy we have outlined, and in a post-catastrophe, dislocated market where AAA members reach to us to support them

• Maintain a minimum BCAR score of 250 and a capital position above required economic capital

Catastrophe and Reinsurer credit risk

We have a risk tolerance of up to 15% of surplus lost in a 1-in-250 year event

We will not tolerate excessive exposure to individual reinsurer credit risk and use allocation caps based on AM Best ratings as follows:

• $55 million cap for A++, $50 million cap for A+, $30 million cap for A, and $10 million cap for A-

Loss Reserves

We have little tolerance for the risk of adverse loss development and we set the loss reserve margin at a 95% confidence level that carried personal lines reserves will not be exceeded, given anticipated inflation


ERM Framework Template

Appendix

10© 2014 CSAA Insurance Group. Confidential and proprietary.© 2014 CSAA Insurance Group. Confidential and proprietary.

Risk NameEnterprise Risk Management


Risk Name

Risk Definition:

Business Owner: ELT Owner: Board/Committee:

Risk Tolerance:

Current Target Commentary

Risk Status

Status of mitigation efforts

Action Owner Date

Risk status legend: l Unacceptable Risk l Elevated Risk/Area of Focus l Acceptable Risk l Well Within Tolerance

Mitigation Status: l Unsatisfactory l Needs Improvement l Satisfactory l Exemplary


Risk Name

Risk Drivers Owner

Risk status legend: l Unacceptable Risk l Elevated Risk/Area of Focus l Acceptable Risk l Well Within Tolerance



Risk Name

Impact on Strategic Initiatives Impact on Enterprise OGSM

High Perf Culture

World-Class Agency Partnership

Exceptional Marketing & Direct Sales

Member-Centric Product Dev &

Mgt

Top-Tier Claims Experience

Easy Selling & Servicing

Strong Financial

Health

Top-tier Customer Experience

Significant PIF Growth

Competitive Expense &

Combined Ratios

High Level Of Employee

Engagement

Key performance indicator/Key risk indicator

Owner Target Year end 2011

Year end 2012

Q1/Q2 2013

Q3/Q42013

Year end 2013


Commentary:

Gross Risk Score =

Assurance

Description of Control Likelihood Severity Owner Status

Residual Risk Score =

Risk Assurance Matrix – Risk Name



Risk Name

Status Update: Organizational Response:

Conclusion:

Documents

1 © 2014 CSAA Insurance Group. Confidential and proprietary. September 19, 2014 Strategic Risk Management Jeff Huebner Nicole Murray Risky Business Week