Navigating today and tomorrow’s risk landscape: 25th Annual KPMG National Insurance Conference

Concurrent Session 3A: Navigating today and tomorrow’s risk landscape



© 2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

With you today…

Stephen Smith, Partner: +1 416 777 3194, [email protected]

Kevvie Fowler, Partner: +1 416 777 3742, [email protected]

Alexander Shipilov, Partner: +1 416 777 3026, [email protected]

Colin Hilkowitz, Senior Manager: +1 416 777 8274, [email protected]


How do insurers protect their business, manage their capital and meet regulatory expectations?


KPMG’s Opportunities and Risks Survey

Opportunity in ERM: 61% of respondents to KPMG’s Canadian Risk and Opportunity Survey noted “Improved management of risk and use of capital” as the biggest opportunity over the next 12 months.

Risk: 50% of respondents to KPMG’s Canadian Risk and Opportunity Survey noted “Cyber risk” as the biggest risk over the next 12 months.


Agenda

1. Operational Risk Guideline E-21
2. Deep dive on Cyber Risk
3. Internal Audit (Line 3)
4. Q&A


Operational Risk Guideline (E-21): Implementation


Regulatory Evolution of Operational Risk Framework

Banking:
• Basel Committee on Banking Supervision: Basic Indicator Approach (2003), Standardized Approach (2003), Advanced Measurement Approach (2003), Principles of Sound Management of Operational Risk (2014), Standardized Measurement Approach (proposed 2016)
• OSFI: Capital Adequacy Requirements (2007), E-19: ICAAP (2010)

Insurance:
• Solvency II
• MCT/MCSSR/LICAT (September 2016)
• E-19: ORSA (2013)
• Institute and Faculty of Actuaries: Model Risk Working Party Report (2015)
• Actuarial Standards Board: Modelling (second exposure draft 2014)
• AMF: Governance Guideline (updated September 2016)
• AMF: ORM Guideline (draft October 2016)

Banking and Insurance:
• OSFI E-21 Operational Risk Management (ORM) (June 2016)


OSFI Guideline E-21: Operational Risk Management

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputation risks. FRFIs are to comply by June 2017.

Principle 1: ORM is integrated within the overall risk management framework and appropriately documented.

Challenges:
• ORM is an integral part of the ERM framework
• Breadth of the risk – many sub-risks
• Scope of impacts – $$ and reputational
• Consistent, complete taxonomy of risks
• Not always quantifiable

Principle 2: ORM supports the overall corporate governance structure and utilizes an operational risk appetite statement.

Challenges:
• Setting appetite and limits for subjective risks and behaviors (quantifiable and non-quantifiable)
• Zero tolerance is not realistic
• Setting up reporting/escalation thresholds

Principle 3: A robust accountability structure (e.g. 3 Lines of Defense) separates the components of ORM and provides for independent overview and challenge.

Challenges:
• Who owns the risks and controls across organizational boundaries
• Subject matter experts becoming risk managers
• Having both 1st and 2nd Line of Defense obligations
• Place of the Corporate Actuarial Function

Principle 4: FRFIs use ORM tools to identify and assess operational risk, along with collection and reporting of Op Risk information.

Challenges:
• Granularity (too detailed vs. too summarized) & thresholds
• Op Risk taxonomy; boundary risks (e.g. underwriting, investments)
• Motivation for reporting issues or losses
• How do you know you’ve covered and captured everything?
• Challenge of aggregating non-quantitative information
• Assessment of Model Risk


Operational Risk Management Framework

Risk Governance:
• ORM Structure (centralized vs. decentralized)
• ORM Committees
• Op. Risk Guidelines & Policies
• Roles & Responsibilities

Risk Strategy:
• Risk Appetite
• Risk Tolerance
• Risk Limits

Risk Management Tools:
• Risk definitions & ORCs
• Measurement & Simulation Methodologies
• RCSA / ORSA
• Loss Data Management
• Risk Controls
• Org. Units & business line mapping
• KRIs / Dashboard
• Mitigation Approaches
• Economic Capital

Supporting Infrastructure:
• People
• IT Systems and databases
• Risk-based Performance Evaluation
• Documentation

High performance in ORM:
• How much: Capacity, Ability, and Willingness
• Who is: Responsible, Accountable, To be consulted, and Informed
• How to: Identify, Measure, Manage, Control, and Mitigate / transfer
• Can it be executable and sustainable?


Actions for First Half 2017

1. Plan: Gain an understanding and agreement regarding the scope and objectives of the proposed regulatory requirements.
2. Assessment: Perform a gap analysis and develop a roadmap to mitigate gaps around policy, process, people, data, and technology.
3. Policy design: Design an Operational Risk Management Policy and Framework, risk taxonomy, and conduct ORSA (incl. risk appetite).
4. Process: Develop operational risk measurement, management, and mitigation processes commensurate to the risk profile and regulatory requirements.
5. Risk Modelling: Develop a roadmap to move from basic to more advanced measurement approaches.
6. Reporting & Monitoring: Develop, monitor, and report KRIs and communicate effectively with senior and junior management.
7. Review: Review all components and improve them, if necessary, in the next run.

The band (Plan, Assessment, Policy design, Process, Risk Modelling, Reporting & Monitoring, Review) represents the replay of the whole ORM process. Across all steps: Manage change.


Cyber security: The vulnerability of health data


Risk #1 – A data breach

[Chart: Top data breaches December 2013 – April 30, 2016. Data breaches of recognized organizations involving at least 1M records, by size and type, 2014–2016. Types: Financial data (payment card records, account numbers); Personal & Health data (health & medical insurance claims, PII, SIN, usernames & passwords); Other (pictures, videos, documents, email).]

145 days between breach occurrence and detection (M-Trends, 2016)

58% of breaches were by outsiders (Breach Level Index, 2015)

47% of breaches involved an unknown number of compromised records (Breach Level Index, 2015)


Risk #2 – Cyber extortion-driven attacks

Ransomware (reactive) vs. Cyber extortion (proactive)

Image source: http://sensorstechforum.com/remove-jigsaw-ransomware-and-restore-fun-kkk-btc-encrypted-files/

Source: Data Breach Preparation & Response, Kevvie Fowler (ISBN: 0128034513)


Risk #3 – Security researchers

• Risk of reputational and financial loss due to negative media profile about defects within products
• Risk without defect
• Changing EULA standards


Managing cyber risk

OSFI Cyber Self-Assessment Guidelines
Assists federally regulated financial institutions in ensuring their cyber risk management policies and practices remain appropriate and effective.
1. Organization and Resources
2. Cyber Risk and Control Assessment
3. Situational Awareness
4. Threat and Vulnerability Risk Management
5. Cyber Security Incident Management
6. Cyber Security Governance
http://www.osfi-bsif.gc.ca/eng/wn-qn/Pages/cbrsk.aspx

Senior Management & Board Oversight
• Establishment of a Senior Management committee
• Senior Management provides adequate funding and sufficient resources to support the implementation of a cyber security framework.
• Processes are in place to escalate breaches of limits and thresholds to Senior Management for significant or critical cyber security incidents.
• The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the Bank’s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.
http://www.osfi-bsif.gc.ca/eng/fi-if/rg-ro/gdn-ort/gl-ld/pages/cg_guideline.aspx

Stress testing
Stress testing is a risk management technique used to evaluate the potential effects on an institution’s financial condition in response to an exceptional but plausible event. It serves to:
• Identify and control risk
• Provide a complementary risk perspective to other risk management tools
• Support capital management
• Improve liquidity management
http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/e18.aspx


Managing cyber risk (continued)

You can establish effective cyber security by answering 3 questions:

1. Where are we?
▪ Perform a whole-business security maturity assessment
▪ Conduct an in-depth technological security assessment

2. Where do we want to be?
▪ Determine your Cyber Defensible Position

3. How do we get there?
▪ Develop a prioritized roadmap to get to your Cyber Defensible Position
▪ Ensure proper cyber security oversight


Integrated Assurance–Internal Audit’s Role In Operational Risk Management


Risk in the Boardroom – Discussion Framework

Board Responsibilities with respect to Risk Management & Internal Controls include:
1) Exercising Responsibilities
2) Establishing Systems
3) Monitoring and Review

Traditional – Three lines of defense


The role of internal audit in ERM


Internal Audit - The art of the possible

Moving beyond a focus on compliance-driven activities towards value delivery across the enterprise, enhancing assurance capabilities and providing valuable business insights.

QUALITY ASSESSMENT: Reviews of strategic or significant projects and initiatives at the organization in order to provide assurance over quality of program.

REGULATORY COMPLIANCE: Compliance reviews related to product development, marketing, distribution, pricing and claim practices, and sustainability reviews.

DIGITAL MEDIA: Digital media strategy and governance assessments, social media monitoring reviews (SnapChat), third party alliances and customer sentiment analysis.

INFORMATION TECHNOLOGY: Information protection, cyber security, system implementation pre/post reviews and production system reviews.

SOX COMPLIANCE: SOX risk assessment, documentation and testing, guidance and training for new locations/acquisitions.

DATA AND ANALYTICS: Data analytics enabled Internal Audit plan to deliver better scope coverage and insights through quantitative trend analysis, leveraging data & analytics and integrating Continuous Auditing/Continuous Monitoring (CA/CM).

THIRD PARTY REVIEWS: Contract compliance reviews for significant third party relationships.

ENTERPRISE RISK MANAGEMENT: ERM coordination, planning, monitoring and working with the business to coordinate risk management efforts; proactive insights to signals of change affecting overall risk profile.

STRATEGIC PROJECTS/INITIATIVES

OPERATIONS: Revenue Growth: customer acquisition, compensation and incentives, pricing, and product management. Operating Expenses: vendor/contract management, budgeting and forecasting, claims and distribution. Invested Capital: corporate strategy and management, IT management.


Example outcome – Three lines of defense

Converged Activities (shared across the lines; stakeholders: BU’s, Divisions, Internal audit): Risk & control identification; Risk & control assessment; Quantification & measurement; Monitoring, testing, & verification; Reporting.
• Review and challenge current risk assessments performed within the business
• Coordinate calendars to perform additional procedures, as needed
• Provide integrated guidance on risk assessment, quantification, and measurement
• Test controls periodically or continuously throughout the year
• Share test results with respective risk and control groups using common risk language and a Governance, Risk & Compliance (GRC) platform

Discrete Activities

1st Line – BU’s:
• Flowchart process
• Identify risk and controls
• Link to SOX oversight
• Perform risk and control self assessments (RCSA)
• Identify KRI
• Capture risk loss data
• Perform scenario analyses
• Perform trend analyses
• Consider ORSA

2nd Line – Divisions (ERM, Compliance, SOX/ICFR, Actuarial, Information security, Legal):
• Develop: Compliance Program; SOX / ICFR Testing Plan; Enterprise Risk Management Program and Risk Taxonomy; Actuarial Program; IS Program; Legal Program
• Report on: compliance with regulations; financial reporting controls; enterprise risk exposure; Actuarial Program; status of IS program and compliance; servicer compliance

3rd Line – Internal audit:
• Develop IA Plan
• Identify controls to be tested
• Independent testing
• Provide assurance


Integrated assurance: What is it?

Integrated Assurance is the alignment of governance, risk and assurance activities – linking them with company strategy and business model – to better co-ordinate efforts and reporting with the aim of improving business performance and resilience.

Integrated assurance: What it is…

— Starts with understanding strategic objectives, mission and business model

— Involves co-ordination of assurance efforts and reporting across various oversight functions (e.g., Internal Audit, Compliance, ERM)

— Encompasses people, processes and technology considerations

— Promotes better leveraging of the “Three Lines of Defense” model

— Converges risk, control and compliance data

— Requires effective change management

Integrated assurance: What it is NOT…

— Just a new reporting approach

— Just a technology solution

— An elimination of the need for existing assurance functions (e.g., Compliance, Internal Audit, ERM)

— An additional bureaucratic layer that adds additional paperwork/administrative input

— Just a conceptual framework – it must be practical

— Achievable without buy-in from all key risk, control and compliance functions


Benefits of integrated assurance

Stakeholders and their objectives:
• CEO/Board: Clear reporting linking strategy, risk, performance and controls
• CFO/COO: Lower cost of business without increasing risk
• Chief Risk Officer: Enhanced oversight over cross-functional risk management activities and assurance
• Chief Compliance Officer: Integrated compliance at lower cost
• Chief Audit Executive: Reduced costs and more “value add”

Business case for integrated assurance:
• Reduced Cost
• Increased Stakeholder Confidence
• Enhanced Insights
• Improved Risk Management


Where we need to be: Integrated assurance

• Streamlined, transparent and focused management reporting
• Multi-purpose Risk Assessment
• Joint Activity Planning and Sequencing
• Coordinated Control Testing
• Shared Access to Data and Results
• Joint Risk and Control Monitoring


Drivers

A number of key enterprise challenges (some examples provided below) are compelling businesses to transform their various assurance functions – acting as key drivers to move towards integrated assurance that is leaner, safer and better.

Key enterprise challenges:
• Growth pressures: Pressure to sustain growth & profitability increases risks related to product innovation, operating model transformations (i.e., shared services, use of technology, outsourcing etc.), and new markets
• Regulatory compliance: Risk that regulations and their compliance implications may not have been considered in new countries, new verticals or while developing new service offerings (innovation-related)
• Risk content: Board/Leadership is focusing on emerging risks and questioning completeness/quality of risk content
• Talent management: Increased risk of inadequate talent management due to pace of change, market conditions and organizational change
• Right sizing: Redundancy and/or overlap in risk management and assurance given lack of clarity in roles and responsibilities (convergence, single view of risk, assurance mapping)

Need for integrated assurance (across Strategy, Performance and Governance):

— Enhanced regulatory compliance

— Reduction of costs

— Improved risk intelligence

— Improved linkage to strategy

— Better alignment to business

— Competitive advantage

— Greater transparency

— Alignment through GRC tools

Goal:
• Leaner: Insights in Cost of Assurance
• Safer: Re-balance Lines of Defence
• Better: Increased Quality of information and Efficiency of Assurance Activities


Questions?


kpmg.ca


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.