
Enterprise Risk Management

ERM
Steven Sumner
Director, PricewaterhouseCoopers

Does ERM matter?


Risk management adds value not only to individual companies, but also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities.
James Lam
Enterprise Risk Management: From Incentives to Controls

I
PricewaterhouseCoopers

Fiscal Year 2009


Slide 3

Risk management: lessons learned


Given the central role of effective, firmwide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk-management practices. We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk.
Ben Bernanke
Speech given May 2008: Risk Management in Financial Institutions

These institutions, comforted in the belief that the rating agencies had carefully examined and modeled the risks in arriving at their rating of these securities, apparently saw little need to conduct their own due diligence, risk management, modeling and valuation processes.
Bob Herz, FASB
Speech given September 2008: Lessons Learned, Relearned, and Relearned Again from the Credit Crisis Accounting and Beyond


Many risks are preventable


Agenda

Recent lessons learned
PwC survey highlights
ERM governance
Role of the CRO
Board reporting
ERM Survey Results
Closing the gaps

Section agenda
Recent lessons learned

Risk management: lessons learned


SSG Report: Observations on Risk Management Practices during Recent Market Turbulence
Senior management oversight
Risk identification and measurement
Valuation practices
Liquidity risk management


Senior Supervisory Group (SSG)


Financial Services Organizations Risk Management Practices
Successful Companies
- Portfolio view of exposures and risks
- Balance between risk appetite & controls
- Scenario modeling capabilities and risk quantification
- Sharing of qualitative and quantitative information
- Enforcement of controls
- Wide range of risk measures and tools for credit and market risk
- Timely reporting of risk to board and sr. mgmt
Unsuccessful Companies
- Concentration of exposures/aggregation
- Pricing of liquidity and contingent liquidity
- Certain risk management practices
- Controls over risk management and valuation practices
- Liquidity risk management
- Lack of a forward looking view of risk
- Standards for what constitutes risk transfer
- Sr. mgmt's role in understanding and acting on emerging risks

Section agenda
PwC survey results

PwC survey results

PwC's Global ERM Survey 2008
Survey participation:
- Over 100 pages of detailed questions
- 53 Global Life and P&C Insurers and Reinsurers (44 in 2004)
- 20 US Insurers (9 in 2004)
- 9 Bermuda Insurers
Survey output:
- Published report June 2008
- Customized self-assessment reports for each participant
- Detailed individual survey questions & responses benchmarked against all participants, peers and similar organizations


PwC survey results

PwC's Insurance ERM Global Survey - 2008 www.pwc.com


PwC survey results

Key themes: how far have insurers come?


Embedding of ERM
ERM governance
Risk data and modeling
Aligning risk and finance
Risk assessment


PwC survey results

PwC's Global ERM Survey 2008
ERM progress since 2004
Strong Progress
- Setting of overall risk appetite
- Modeling capabilities
- CRO role
- Board & Management priorities/oversight
- Trend toward Board level ERM committee structure
- Portfolio view of risk
Some Progress
- Firm-wide understanding of ERM
- Linkage of risk appetite with objectives
- Linkage between risk models and strategic planning
- Consistent & well understood policies & procedures
- Timely reporting of risk to Board & Sr. management
- Risk mitigation & learning
- Risk technology
Limited Progress
- Data quality and data availability
- ERM roles, responsibilities & accountabilities
- Business Unit alignment with risk appetite & tolerance
- Risk disclosures
- Risk data or systems strategies
- Limits monitoring, enforcement & exception approval


Section agenda
ERM governance

ERM governance

Current credit crisis is another eye-opener to policymakers, regulators, rating agencies, boards and management.
Highlights the importance and necessity for the role of effective ERM governance, involving the board and senior management:
- Effective governance structures are required and in place to enable:
- Monitoring
- Multiple levels
- Elements of an ERM Framework


ERM governance

Effective governance structures and organizational design can help meet stakeholder expectations in a more effective and efficient manner

Governance
Setting and monitoring objectives, tone, policies, risk appetite, accountability and performance.

Risk Management
Identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities.

Compliance
Operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.

Extended Enterprise & Value Chain


ERM governance

When evaluating governance structures and processes, consider the expectations of various stakeholders
Regulators
- NAIC, SEC
New York Stock Exchange Listing Standards
- Audit committee risk oversight
- Internal audit department
Institutional Shareholders
Rating Agencies
- S&P, AM Best, Moody's, Fitch
People

ERM governance

As well as emerging frameworks enabling effective ERM


[Figure: ERM framework. Column headings: Environment, Infrastructure, Process, Strategy. Element labels: Validation/re-assessment; Business mission and strategy; Risk awareness/Identification; Organisation and people; Culture; Limits and controls; Risk strategy; Risk assessment/Response; Methodologies & Models; Training; Value proposition; Operations; Systems; Communication; Risk appetite; Measurement and Control; Data; Performance measures; Reporting; Policies; Reporting; Reward]


ERM governance

Effective governance and organization are critical to embedding ERM into the business

[Figure labels: Internal environment; Objective setting; Event identification; Risk assessment; Risk response; Control activities; Information and communication; Monitoring; Entity-level; Division; Business Unit; Subsidiary]

Business objectives
Integrated and scalable
Risk appetite and tolerance
Portfolio view of risk
Role clarity
Common risk and control language
Process, risk, control libraries
Risk and Control Self Assessment (RCSA)
Risk adjusted performance management
Economic capital
Benchmarking
KRIs and reporting

ERM governance

Organizational effectiveness is grounded in risk-adjusted performance management

Performance Management Framework
[Figure labels: Strategize; Define, Develop, Deploy; Assign, Operate, Control, Report; Re-evaluate; Examine, Innovate, Act; Monitor & Review; Analyze, Plan & Prioritize, Change]

Key Elements
- Leadership, organizational alignment and accountabilities
- Defined performance goals and risk tolerance
- Work processes and controls
- Monitoring of key risk indicators
- Management information
- Rewards and incentives


Section agenda
Role of the CRO

Role of CRO

Even good CROs occasionally miss a Key Risk Indicator


Role of the CRO

Increased significance of the CRO
The CRO is a position that has grown in both significance and stature in most organizations.
Yet current credit crisis has many investors and other external stakeholders asking where was the oversight?
CROs help to:
- Bring business and risk management together
- Enable a portfolio view of risk
- Link planning, performance management, risk and capital management


Role of the CRO

Why is a CRO needed


Key reasons for a CRO
- CROs are enablers and facilitators that bring the organization together
- Need for executive thinking and authority and the ability to balance roles of oversight and challenge.
- Provide a portfolio view of risk while understanding the business and be able to communicate effectively with all arms of the organization.
- Encourages and rewards scrutiny and challenge, even if it appears to go against the strategic change.
- The CRO is a key responsible partner in all areas of risk and risk management
- The CRO should serve as the catalyst for enterprise risk & return opportunities, particularly emerging risk
- The CRO must develop effective enterprise risk communication with consistent measurement criteria for both the BOD and senior management

Role of the CRO

Attributes of a good CRO
- Holistic understanding of the firm's strategies and core competencies
- Must be able to add clarity around the setting of risk tolerance, appetite and risk limits
- Maintains an appropriate level of broad-based technical capabilities (actuarial, finance, economics, underwriting, capital markets, etc.) and market knowledge
- Owns economic capital development and provides a level of independence over the risk management process including how and when capital should be deployed to the business units
- Able to provide clear and accountable focus for the management of risk
- Provides a monitoring and validation role that spans across the enterprise and is not limited to traditional internal controls
- Must maintain a direct reporting line (or at least direct access) to the CEO and access to the BOD

Role of the CRO

Attributes of a good CRO (cont'd)
- Must maintain a direct reporting line (or at least direct access) to the CEO and access to the BOD
- Effective at communicating and interacting with the Board/senior management and external stakeholders including the ability to explain risk issues in practical understandable business terminology and language rather than technical concepts
- Ability to provide coaching and advising the business in how to monitor and manage risk within a standardized-wide approach
- Ability to stretch the imagination on what could be possible in dealing with abstract concepts and the courage to explore new areas with little or no direction or precedence.


We all know what can happen to the CRO


Section Two
ERM Overview

ERM Overview - Organization and people

[Figure: Organisation and people; Limits and controls; Methodologies & Models; Systems; Data; Policies; Reporting]

Centralized risk management function
Independent CRO or senior executive with risk role
Oversight committees at the Board / senior management levels
Risk awareness, culture and values
Risk training
Talent management
Linkages between risk and compensation


Overall Responsibility for Corporate Risk Management


Industry's Ability to Attract Talent


Interaction Between Business and Risk Management


ERM Overview - Limits and Controls

Define overall and individual risk appetite
Risk assessments & inventories
Individual risk, product, exposure limits and triggers
Risk controls
Risk escalation


Defining Risk Appetite and Limits

[Figure: Insurer Overall Risk Appetite; BU 1, BU 2, BU 3; BU 1 Appetite, BU 2 Appetite, BU 3 Appetite; Risk Appetite by Product; Prod. 1 to Prod. 5; Product Limits]

Risk Appetite
Turns the story into some numbers
To effectively drive risk management need to specify both:

- Severity
- Probability
ERM programs may have multiple defined risk appetites
- Capital (Ruin focus)
- Earnings (Volatility focus)
- Rating (May be driver of probability choice)

Permission to reprint or distribute any content from this presentation requires the prior written approval of Standard & Poor's.


Risk Limits
Hard Limits or Soft Limits?
- Are they really limits if nothing happens when they are exceeded?
Relative or Absolute Limits
- Is business growth impacted by limit systems?
Add up to Overall Risk Appetite or larger or smaller value?
- Take into account diversification?
- Provide for tactical opportunities
Allocation process
Enforcement


Other Risk Terms

Risk Tolerance: The upper bound of Bad Events that the company wants to avoid, e.g.:
- Loss of capital
- Earnings shortfall
- Damage to reputation
- Damage to ability to sell business in key markets
- Loss of rating


Other Risk Terms (cont'd)
Risk Preferences
Uncertainty
Complexity
Location
Risk transfer
Time frame
Concentrations
Frequency/Severity threshold minimum
Class
Experience/Expertise

Process in Place to Define Risk Appetite


Process in Place to Deal with Breaches of Limits


ERM Overview - Methodologies & Models

Insurance, market, credit risk management
Operational risk management
Economic capital models & capital allocation
Risk analytics, including scenario analysis, risk indicators, risk-adjusted returns
Risk transfer strategies
Linkage of planning and risk strategy
Linkages to product pricing
Performance management
Capital management

Economic capital models


Key areas where survey respondents identified benefits of implementing an economic capital model:
- Better allocation of capital than under a regulatory capital model
- Definition of risk appetite
- Freeing up of capital for use in the business
- Changes in the pricing of products to better reflect risk
- Changes in strategic direction after assessing risk-adjusted performance

[Figure labels: Excess Capital; Assets available for required capital; Economic Capital; Assets covering liabilities; Liabilities]


Capturing Risk


Guide Timing for Model Development


Model and Control Environment


Operational Risk
Traditional Operational Risk Management - Separate Silo Risk Management for:
IT Risks
HR Risks
Regulatory & Compliance Risks
Fraud Risk
Internal Controls
Reputation Risk
Business Continuity
Distribution Risks
Outsourcing/Vendor Risk

Operational Risk Management


Enterprise ORM leading to Strong ORM assessment by S&P usually associated with:
- Comprehensive assessment of risks & control capabilities
- Identification of risks not adequately controlled by existing programs
- Prioritization
- Development of key risk indicators, Tracking process & problem resolution system
Excellent ORM assessment usually associated with Strong program
- In place for several years
- Repeated application
- Refinements of controls & KRI & response programs


Operational Risk
Survey Results: Key Trends
<10% recognize operational risk management as a competitive advantage
Integration of Operational risk into the broader ERM policies and assessments and monitoring are at a limited stage
- <1/3 have formalized monitoring and reporting processes to support ERM functions
- <15% capable to obtain Operational risk management data
- low level of comfort on data integrity


Length of Time Corporate Operational Risk Management Function in Place


Satisfaction With Operational Risk Management


Use of Operational Risk Management


ERM Overview - Systems


ERM supporting technology
System interface, mapping tools, middleware
Risk registers
Risk reporting tools


Systems Strategy Rating


Priority IT Capabilities


Integration of Risks and Controls Across the Organization Through Technology


ERM Overview - Data

Data quality assessments
Risk and portfolio data requirements - data definitions, data cleansing, data access
Data warehouses
Industry data and benchmarking


Level of Confidence in the Quality of Data Supplying Specific Areas


Data Management Problems


Data Strategy Rating


Rating Data Management Expenditures


ERM Overview - Policies

Market, credit, insurance, operational risk policies and procedures, including:
- Risk rating policies;
- Exposure measurement policies;
- Risk limit policies;
- Monitoring and review policies;
- Risk transfer policies;
- Management and board reporting policies.
Overall risk policies


ERM Overview - Reporting

Key risk indicators that quantify major trends and risk exposures
Limit exception reporting
Risk dashboards
Board reporting, including enterprise view on aggregate losses, risk incidents, policy exceptions, key exposures, KRIs
ERM disclosures
Finance effectiveness - exploiting synergies between requirements for financial reporting, ERM, Solvency II, and IFRS

ERM

ERM Overview
An Illustrative Framework
[Figure: ERM framework. Column headings: Environment, Infrastructure, Process, Strategy. Element labels: Validation/re-assessment; Business mission and strategy; Risk awareness/Identification; Organisation and people; Culture; Limits and controls; Risk strategy; Risk assessment/Response; Methodologies & Models; Training; Value proposition; Operations; Systems; Communication; Risk appetite; Measurement and Control; Data; Performance measures; Reporting; Policies; Reporting; Reward]


Section agenda
Closing the gaps

Closing the gaps

Current ERM practices vs. targeted practices


ERM practice
- Risk culture
- Risk assessment
- Risk measurement
- Risk aggregation
- Alignment of risk and strategy
Current
- Program structured solely to respond to demands of external stakeholders
- Silo-based risk management
- Lack of internal challenge
- Acceptance of dated views
- Blind reliance upon unchallenged or third party models
- Reliance upon judgment alone
- Reactive risk management
Targeted
- Tone at the top
- Management encouraged to act
- ERM training and talent management
- Risk-adjusted incentives
- Frequent, open dialogue
- Exchange of risk information
- Encourage internal challenge
- Models and tools that are fit for purpose
- Frequent validation
- ERM enabled systems, data
- Active assessment of aggregation and correlation
- Set and communicate enterprise-wide risk appetite
- Capital allocation
- Establish targets and limits
- Monitor limit breaches

PwC's ERM Service Offerings

Insurance risk management has always been about risk. When it comes to ERM, nothing should get in the way of opportunities


Questions
