How accountants ruined risk management…
…and how actuaries will save it
10/14/2019
Legal Disclaimer
The following content and accompanying presentation are illustrative and for educational purposes only.
All information contained herein is based on publicly available information, estimates supported by publicly available information, or purely illustrative.
All opinions expressed are my own and do not necessarily represent my employer’s position.
Objectives for today
Let's talk about a new definition for enterprise risk management
Practical uses of risk quantification in insurance management that you can use today
Risk quantification of everything is not just a dream
A look into the future of quantitative risk management
The dreaded risk mindset of the accountant
Inherent Risk × Control Risk × Detective Risk = Audit Risk
High × High × Low (lots of evidence) = Low
1. Risk issues driven by the “accountant / auditor mindset”
2. An infestation of the “Flaw of Averages”
3. Organizational Gridlock
Risk issues driven by the “accountant / auditor mindset”
Credit: David Vose (https://www.linkedin.com/pulse/good-news-you-mature-enough-go-quantitative-david-vose/)
Illustrative
An infestation of the “Flaw of Averages”
What happened to the financial statement accountant who tried to cross a river that was on average only 3 feet deep?
Published Sunday, October 8, 2000, in the San Jose Mercury News. Jeff Danziger (www.danzigercartoons.com)
Actuaries to the rescue
Risk (Loss Event) is decomposed into Loss Event Frequency (LEF, a count) and Loss Event Magnitude (LM, a dollar amount).
Each is estimated as a range with a most-likely or expected outcome (50% prob.) and a higher-confidence outcome.
Let's talk about a new definition for enterprise risk management
Committee of Sponsoring Organizations of the Treadway Commission (COSO): Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. https://www.coso.org
Risk & Insurance Management Society (RIMS): Enterprise risk management (ERM) is a method of systematically identifying, evaluating and prioritizing the activities and goals of an organization. Applying a common risk-based framework to the governance activities across departments, creates efficiency, drives better business decisions and strengthens strategic planning. https://www.riskmaturitymodel.org/about-the-rims-risk-maturity-model-for-erm/
A new cleaner definition: Enterprise risk management helps the organization to make decisions in the face of uncertainty.
Uncertainty is the lack of complete certainty, that is, the existence of more than one possibility. The “true” outcome/state/result/value is not known.
Risk is a state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
Practical uses of risk quantification in insurance management that you can use today
Data Security & Cyber Risk
ACME Insurance: $10 B in revenue; 15M records in largest data pool
What is inside?
• Breach Expenses (Forensics, Restoration & Crisis Management)
• Breach Response Costs (Notice, Credit Monitoring, Call Center, & Identity Fraud Remediation)
• Regulatory Fines & Defense
• Civil Liability (Legal Defense & Damages)
What is not?
• Loss of business due to reputation
• Service Level Agreement Penalties
• System Upgrades and enhancements
Illustrative
Qualitative Fears & Questions
• Breaches could cost us $239 per record, which is $3.5 billion!
• It's not if we get breached, but when we get breached!
• Do we have enough insurance coverage?
• What does a bad scenario really look like?
• Are we over investing in comparison to other risk?
WTW Cyber Quantified Results for ACME Insurance (No Insurance at 99%) in $'000: Single Event Exposure $38,807; Annual Retained Loss Exposure $10,179
Practical uses of risk quantification in insurance management that you can use today
Legal & Regulatory Risk (D&O/E&O/EPL)
ACME Insurance: $10 B in revenue; records: see previous slide
What is inside?
• Response to claims from third parties & employees
• Response to regulatory actions (i.e., Stark Law violations, MC/MA Fraud & Abuse)
• Defense costs
• Judgments & Settlements (non-criminal)
What is not?
• Punitive damages (based on state)
• No Performance Losses (STARS)
• No ERISA Fiduciary Losses
• No Wage and Hour
• No Crime (Fidelity)
Illustrative
Qualitative Fears & Questions
• How can we provide assurance to our board members that our coverage is adequate?
• What does a bad litigation event look like?
• Can we really establish a risk appetite statement measure around litigation exposure?
• What should our budget be for litigation expenses?
• What does an efficient deductible look like for litigation risk?
AON EO Analysis for ACME Insurance (No Insurance at 99%) in $'000, Total Remaining Risk: Single Event Exposure $37,008; Annual Retained Loss Exposure $97,570
Aon Risk Solutions | Global Risk Consulting | Actuarial & Analytics | Proprietary & Confidential
Assumptions ($ in millions)
D&O: Exposure base: Revenue $10,000.0; Number of claims projected in a year: 0.001; Largest simulated loss: $64.7
MCE&O: Exposure base: Revenue $10,000.0; Number of claims projected in a year: 8; Largest simulated loss: $690.8
EPL: Exposure base: Revenue $10,000.0; Number of claims projected in a year: 1; Largest simulated loss: $51.4
Illustrative
Leveraging broker capabilities in risk & insurance management
What is the risk quantification? …is the first question now
Deciding on standalone business unit towers versus a combined enterprise tower
Developing long term strategies for limits
Bringing real perspective on risk
Using the quantification in stress scenario development (including ORSA)
Risk quantification of everything is not just a dream
Key Principles
1. Anything of value can be measured
2. The goal is an estimate that is accurate with a reasonable level of precision (90% correct)
3. Think like Enrico Fermi (start with an absurd range and then narrow it down)
Dr. Enrico Fermi (Physicist)
The Estimation Process
1. Start with building your loss event magnitude distribution
2. Then try to estimate event frequency
3. Road show and revise your estimate
Example
Your plan just purchased the Dragon resupply business from SpaceX; should you consider purchasing insurance to protect your organization from mission failures?
As far as we know… space insurance is a highly niche coverage… and likely none of us are rocket scientists.
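To make the LEF × LM decomposition and the three-step estimation process concrete, here is an added Python example (constructed for this write-up, not code from the deck or its authors): it turns a Fermi-style 90% range for loss event magnitude into a lognormal distribution, pairs it with a Poisson loss event frequency, and simulates annual loss so the 50% ("expected") and 99% ("higher confidence") outcomes are read off separately from the single average that the "Flaw of Averages" slide warns about. The $1M..$30M range and 0.5 events/year are made-up inputs, and the lognormal and Poisson choices are this example's assumptions, not the deck's models.

```python
"""Constructed Monte Carlo walk-through of the deck's estimation process: build a
loss-magnitude distribution from a Fermi-style 90% range, estimate event frequency,
simulate many years, and read the 50% and 99% outcomes instead of one average."""
import math
import random

Z90 = 1.6448536269514722  # a two-sided 90% interval spans +/- 1.645 std devs


def ci90_to_lognormal(low, high):
    """Map a 90% confidence range (5th..95th percentile) to lognormal mu, sigma."""
    if not 0 < low < high:
        raise ValueError("range must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def lognormal_median_mean(mu, sigma):
    """Closed-form median and mean; the mean always sits above the median."""
    return math.exp(mu), math.exp(mu + sigma * sigma / 2)


def poisson(lam, rng):
    """Knuth's Poisson sampler (the stdlib has none); fine for small lambda."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(values, q):
    """Nearest-rank percentile of a list for q in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))]


def simulate_annual_loss(lef, lm_low, lm_high, years=20000, seed=7):
    """Annual loss = sum of LM draws over a Poisson(LEF) number of events."""
    rng = random.Random(seed)
    mu, sigma = ci90_to_lognormal(lm_low, lm_high)
    losses = []
    for _ in range(years):
        events = poisson(lef, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return {"mean": sum(losses) / years,       # the single "average" figure
            "p50": percentile(losses, 0.50),   # most-likely / expected outcome
            "p99": percentile(losses, 0.99)}   # higher-confidence outcome


if __name__ == "__main__":
    # Constructed inputs: 0.5 events/year; one event 90% likely to cost $1M..$30M.
    print(simulate_annual_loss(lef=0.5, lm_low=1e6, lm_high=30e6))
```

With a frequency below one event per year the most-likely annual outcome is zero loss while the average is positive and the 99% outcome is far larger, which is why the deck reports the 50% and higher-confidence figures rather than a single average.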
A look into the future of quantitative risk management
Vendor risk quantification today
• Risk and threat level is subjective, based on a “gut feel” about risks and term variances
• Unclear separation of roles between term interpretation activities and risk assessment activities
• Creates gridlock because of broad qualitative conclusions and lack of business-empowered decision making
Illustrative
Vendor risk quantification tomorrow
• Risk and threat level is objective, based on quantitative contract modeling
• Clear separation of roles based on 3 lines of defense (business line management, risk management, & internal audit)
• Enable business management empowered decision making through quantitative results
Illustrative
Contact Information & Questions?
Justin Schell, Senior Risk Management Consultant, Highmark, [email protected]
Joseph Rizzo, Senior Consultant & Actuary, AON Risk, [email protected]
Robert Barberi, Vice President, Willis Towers, [email protected]