Enterprise Risk Management
ERM
Steven Sumner, Director, PricewaterhouseCoopers

Does ERM matter?
“Risk management adds value not only to individual companies, but also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities.”
James Lam, “Enterprise Risk Management – From Incentives to Controls”
PricewaterhouseCoopers, Fiscal Year 2009

Risk management: lessons learned
“Given the central role of effective, firmwide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk-management practices…We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk.”
Ben Bernanke, speech given May 2008: “Risk Management in Financial Institutions”
“These institutions…, comforted in the belief that the rating agencies had carefully examined and modeled the risks in arriving at their rating of these securities, apparently saw little need to conduct their own due diligence, risk management, modeling and valuation processes.”
Bob Herz, FASB, speech given September 2008: “Lessons Learned, Relearned, and Relearned Again from the Credit Crisis – Accounting and Beyond”

“Many risks are preventable”

Agenda
• Recent lessons learned
• PwC survey highlights
• ERM governance
• Role of the CRO
• Board reporting
• ERM Survey Results
• Closing the gaps

Section agenda
Recent lessons learned

Risk management: lessons learned
SSG Report: “Observations on Risk Management Practices during Recent Market Turbulence”
• Senior management oversight
• Risk identification and measurement
• Valuation practices
• Liquidity risk management

Senior Supervisory Group (“SSG”) Financial Services Organizations – Risk Management Practices
Successful Companies / Unsuccessful Companies
• Portfolio view of exposures and risks
• Concentration of exposures/aggregation
• Balance between risk appetite & controls
• Pricing of liquidity and contingent liquidity
• Scenario modeling capabilities and risk quantification
• Certain risk management practices
• Controls over risk management and valuation practices
• Sharing of qualitative and quantitative information
• Enforcement of controls
• Liquidity risk management
• Wide range of risk measures and tools for credit and market risk
• Lack of a forward looking view of risk
• Standards for what constitutes risk transfer
• Timely reporting of risk to board and sr. mgmt
• Sr. mgmt’s role in understanding and acting on emerging risks

Section agenda
PwC survey results

PwC’s Global ERM Survey 2008
Survey participation:
• Over 100 pages of detailed questions
• 53 Global Life and P&C Insurers and Reinsurers (44 in 2004)
• 20 US Insurers (9 in 2004)
• 9 Bermuda Insurers
Survey output:
• Published report – June 2008
• Customized self-assessment reports for each participant
• Detailed individual survey questions & responses benchmarked against all participants, peers and similar organizations

PwC’s Insurance ERM Global Survey - 2008 … www.pwc.com

Key themes: how far have insurers come?
• Embedding of ERM
• ERM governance
• Risk data and modeling
• Aligning risk and finance
• Risk assessment

PwC’s Global ERM Survey 2008
ERM progress since 2004
Items rated as Strong Progress, Some Progress or Limited Progress:
• Firm-wide understanding of ERM
• Setting of overall risk appetite
• Data quality and data availability
• Linkage of risk appetite with objectives
• Linkage between risk models and strategic planning
• Modeling capabilities
• CRO role
• Board & Management priorities/oversight
• ERM roles, responsibilities & accountabilities
• Consistent & well understood policies & procedures
• Trend toward Board level ERM committee structure
• Business Unit alignment with risk appetite & tolerance
• Timely reporting of risk to Board & Sr. management
• Portfolio view of risk
• Risk disclosures
• Risk data or systems strategies
• Risk mitigation & learning
• Risk technology
• Limits monitoring, enforcement & exception approval

Section agenda
ERM governance

Current credit crisis is another eye-opener to policymakers, regulators, rating agencies, boards and management.
• Highlights the importance and necessity for the role of effective ERM governance, involving the board and senior management:
  - Effective governance structures are required and in place to enable:
    - Monitoring
    - Multiple levels
    - Elements of an ERM Framework

Effective governance structures and organizational design can help meet stakeholder expectations in a more effective and efficient manner
• Governance: Setting and monitoring objectives, tone, policies, risk appetite, accountability and performance.
• Risk Management: Identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities.
• Compliance: Operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.
Extended Enterprise & Value Chain

When evaluating governance structures and processes, consider the expectations of various stakeholders…
• Regulators
  - NAIC, SEC
• New York Stock Exchange Listing Standards
  - Audit committee risk oversight
  - Internal audit department
• Institutional Shareholders
• Rating Agencies
  - S&P, AM Best, Moody’s, Fitch
• People

…As well as emerging frameworks enabling effective ERM
Framework diagram layers: Environment, Strategy, Process, Infrastructure
• Business mission and strategy, Risk strategy, Value proposition, Risk appetite
• Validation/re-assessment, Reporting, Measurement and Control, Operations, Risk assessment/Response, Risk awareness/Identification
• Organisation and people, Limits and controls, Methodologies & Models, Systems, Data, Policies, Reporting
• Culture, Training, Communication, Performance measures, Reward

Effective governance and organization are critical to embedding ERM into the business
• Business objectives
• Integrated and scalable
• Risk appetite and tolerance
• Portfolio view of risk
• Role clarity
• Common risk and control language
• Process, risk, control libraries
• Risk and Control Self Assessment (RCSA)
• Risk adjusted performance management
• Economic capital
• Benchmarking
• KRIs and reporting
Diagram components: Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information and communication, Monitoring
Diagram levels: Entity-level, Division, Business Unit, Subsidiary

Organizational effectiveness is grounded in risk-adjusted performance management
Key Elements
• Leadership, organizational alignment and accountabilities
• Defined performance goals and risk tolerance
• Work processes and controls
• Monitoring of key risk indicators
• Management information
• Rewards and incentives
Performance Management Framework
• Strategize, Define, Develop, Deploy
• Assign, Operate, Control, Report
• Re-evaluate
• Monitor & Review
• Examine, Innovate, Act
• Analyze, Plan & Prioritize, Change

Section agenda
Role of the CRO

Even good CROs occasionally miss a Key Risk Indicator

Increased significance of the CRO
The CRO is a position that has grown in both significance and stature in most organizations.
• Yet current credit crisis has many investors and other external stakeholders asking “where was the oversight?”
• CROs help to:
  - Bring business and risk management together
  - Enable a portfolio view of risk
  - Link planning, performance management, risk and capital management

Why is a CRO needed
Key reasons for a CRO
• CROs are enablers and facilitators that bring the organization together
• Need for executive thinking and authority and the ability to balance roles of oversight and challenge.
• Provide a portfolio view of risk while understanding the business and be able to communicate effectively with all arms of the organization.
• Encourages and rewards scrutiny and challenge, even if it appears to go against the strategic change.
• The CRO is a key responsible partner in all areas of risk and risk management
• The CRO should serve as the catalyst for enterprise risk & return opportunities – particularly emerging risk
• The CRO must develop effective enterprise risk communication with consistent measurement criteria for both the BOD and senior management

Attributes of a good CRO
• Holistic understanding of the firm’s strategies and core competencies
• Must be able to add clarity around the setting of risk tolerance, appetite and risk limits
• Maintains an appropriate level of broad-based technical capabilities (actuarial, finance, economics, underwriting, capital markets, etc.) and market knowledge
• Owns economic capital development and provides a level of independence over the risk management process including how and when capital should be deployed to the business units
• Able to provide clear and accountable focus for the management of risk
• Provides a monitoring and validation role that spans across the enterprise and is not limited to traditional internal controls
• Must maintain a direct reporting line (or at least direct access) to the CEO and access to the BOD

Attributes of a good CRO (cont’d)
• Must maintain a direct reporting line (or at least direct access) to the CEO and access to the BOD
• Effective at communicating and interacting with the Board/senior management and external stakeholders, including the ability to explain risk issues in practical, understandable business terminology and language rather than technical concepts
• Ability to coach and advise the business on how to monitor and manage risk within a standardized-wide approach
• Ability to stretch the imagination on what could be possible in dealing with abstract concepts and the courage to explore new areas with little or no direction or precedent.

“We all know what can happen to the CRO”

Section Two
ERM Overview

ERM Overview – Organization and people
• Centralized risk management function
• Independent CRO or senior executive with risk role
• Oversight committees at the Board / senior management levels
• Risk awareness, culture and values
• Risk training
• Talent management
• Linkages between risk and compensation

Overall Responsibility for Corporate Risk Management

Industry’s Ability to Attract Talent

Interaction Between Business and Risk Management

ERM Overview – Limits and Controls
• Define overall and individual risk appetite
• Risk assessments & inventories
• Individual risk, product, exposure limits and triggers
• Risk controls
• Risk escalation

Defining Risk Appetite and Limits
• Insurer: Overall Risk Appetite
• BU 1 Appetite, BU 2 Appetite, BU 3 Appetite
• Risk Appetite by Product: Prod. 1, Prod. 2, Prod. 3, Prod. 4, Prod. 5
• Product Limits

Risk Appetite
• Turns the story into some numbers
• To effectively drive risk management need to specify both:
  - Severity
  - Probability
• ERM programs may have multiple defined risk appetites
  - Capital (Ruin focus)
  - Earnings (Volatility focus)
  - Rating (May be driver of probability choice)
Permission to reprint or distribute any content from this presentation requires the prior written approval of Standard & Poor’s.

Risk Limits
• Hard Limits or Soft Limits?
  - Are they really limits if nothing happens when they are exceeded?
• Relative or Absolute Limits
  - Is business growth impacted by limit systems?
• Add up to Overall Risk Appetite or larger or smaller value?
  - Take into account diversification?
  - Provide for tactical opportunities
• Allocation process
• Enforcement

Other Risk Terms….
Risk Tolerance – The upper bound of Bad Events that the company wants to avoid, e.g.:
• Loss of capital
• Earnings shortfall
• Damage to reputation
• Damage to ability to sell business in key markets
• Loss of rating

Other Risk Terms (cont’d)….
Risk Preferences
• Uncertainty
• Complexity
• Location
• Risk transfer
• Time frame
• Concentrations
• Frequency/Severity threshold minimum
• Class
• Experience/Expertise

Process in Place to Define Risk Appetite

Process in Place to Deal with Breaches of Limits

ERM Overview – Methodologies & Models
• Insurance, market, credit risk management
• Operational risk management
• Economic capital models & capital allocation
• Risk analytics, including scenario analysis, risk indicators, risk-adjusted returns
• Risk transfer strategies
• Linkage of planning and risk strategy
• Linkages to product pricing
• Performance management
• Capital management

Economic capital models
Diagram labels: Assets available for required capital; “Excess” Capital; Economic Capital; Assets covering liabilities; Liabilities
Key areas where survey respondents identified benefits of implementing an economic capital model:
• Better allocation of capital than under a regulatory capital model
• Definition of risk appetite
• Freeing up of capital for use in the business
• Changes in the pricing of products to better reflect risk
• Changes in strategic direction after assessing risk-adjusted performance

Capturing Risk

Guide Timing for Model Development

Model and Control Environment

Operational Risk
Traditional Operational Risk Management - Separate Silo Risk Management for:
• IT Risks
• HR Risks
• Regulatory & Compliance Risks
• Fraud Risk
• Internal Controls
• Reputation Risk
• Business Continuity
• Distribution Risks
• Outsourcing/Vendor Risk

Operational Risk Management
Enterprise ORM – leading to Strong ORM assessment by S&P usually associated with:
• Comprehensive assessment of risks & control capabilities
• Identification of risks not adequately controlled by existing programs
• Prioritization
• Development of key risk indicators, tracking process & problem resolution system
Excellent ORM assessment usually associated with Strong program
• In place for several years
• Repeated application
• Refinements of controls & KRI & response programs

Operational Risk
Survey Results: Key Trends
• <10% recognize operational risk management as a competitive advantage
• Integration of Operational risk into the broader ERM policies and assessments and monitoring are at a limited stage
  - < 1/3 have formalized monitoring and reporting processes to support ERM functions
  - <15% capable to obtain Operational risk management data
  - low level of comfort on data integrity

Length of Time Corporate Operational Risk Management Function in Place

Satisfaction With Operational Risk Management

Use of Operational Risk Management

ERM Overview - Systems
• ERM supporting technology
• System interface, mapping tools, middleware
• Risk registers
• Risk reporting tools

Systems Strategy Rating

Priority IT Capabilities

Integration of Risks and Controls Across the Organization Through Technology

ERM Overview – Data
• Data quality assessments
• Risk and portfolio data requirements – data definitions, data cleansing, data access
• Data warehouses
• Industry data and benchmarking

Level of Confidence in the Quality of Data Supplying Specific Areas

Data Management Problems

Data Strategy Rating

Rating Data Management Expenditures

ERM Overview – Policies
• Market, credit, insurance, operational risk policies and procedures, including:
  - Risk rating policies;
  - Exposure measurement policies;
  - Risk limit policies;
  - Monitoring and review policies;
  - Risk transfer policies;
  - Management and board reporting policies.
• Overall risk policies

ERM Overview – Reporting
• Key risk indicators that quantify major trends and risk exposures
• Limit exception reporting
• Risk dashboards
• Board reporting, including enterprise view on aggregate losses, risk incidents, policy exceptions, key exposures, KRIs
• ERM disclosures
• Finance effectiveness – exploiting synergies between requirements for financial reporting, ERM, Solvency II, and IFRS

ERM Overview – An Illustrative Framework
Framework diagram layers: Environment, Strategy, Process, Infrastructure
• Business mission and strategy, Risk strategy, Value proposition, Risk appetite
• Validation/re-assessment, Reporting, Measurement and Control, Operations, Risk assessment/Response, Risk awareness/Identification
• Organisation and people, Limits and controls, Methodologies & Models, Systems, Data, Policies, Reporting
• Culture, Training, Communication, Performance measures, Reward

Section agenda
Closing the gaps

Current ERM practices vs. targeted practices

Risk culture
Current:
• Program structured solely to respond to demands of external stakeholders
• Silo-based risk management
Targeted:
• Tone at the top
• Management encouraged to act
• ERM training and talent management
• Risk-adjusted incentives

Risk assessment
Current:
• Lack of internal challenge
• Acceptance of dated views
Targeted:
• Frequent, open dialogue
• Exchange of risk information
• Encourage internal challenge

Risk measurement
Current:
• Blind reliance upon unchallenged or third party models
Targeted:
• Models and tools that are “fit for purpose”
• Frequent validation

Risk aggregation
Current:
• Reliance upon judgment alone
Targeted:
• ERM enabled systems, data
• Active assessment of aggregation and correlation

Alignment of risk and strategy
Current:
• Reactive risk management
Targeted:
• Set and communicate enterprise-wide risk appetite
• Capital allocation
• Establish targets and limits
• Monitor limit breaches

PwC’s ERM Service Offerings
Insurance risk management has always been about risk.
When it comes to ERM, nothing should get in the way of opportunities

Questions