Leveraging an organization s current risk management to create a sustainable ERM program. Tuesday, September 23, 2014

Transcription

1 Leveraging an organization s current risk management to create a sustainable ERM program Tuesday, September 23, 2014 Augustine Doe Ron Marx

2 AGENDA Important considerations for ERM Transition from traditional risk management to ERM best practices Key enterprise risk management and monitoring tools Sustainable ERM Distilling top-tier enterprise-wide risks Mapping top-tier risks on risk heat map to prioritize risk treatment Generating risk register to track ongoing risk management and monitoring Creating risk dashboards to monitor risk management s performance Establishing risk tolerance policy to convey acceptable risk limits Draft formal risk appetite statement to express the organization s risk strategy Questions Contact information

3 Important considerations for ERM - Study Do organizations with mature risk management practices outperform their peers financially? Ernst & Young study suggests YES Mature risk management drives financial results Findings: companies with more mature risk management practices generated the highest growth in revenue, EBITDA and EBITDA/EV Compound annual growth rates * by risk maturity level 20.3% Top 20% 16.8% Middle 60% 10.6% 8.3% Bottom 20% 9.5% 7.4% 4.1% Revenue EBITDA 2.5% 2.1% EBITDA/EV * 2011 YTD reported as of 18 November Ernst & Young Turning risks into results 3

4 Important considerations for ERM - Timeline Total implementation timeline = 55 weeks Based on: $2 Billion in revenues 40 executives interviewed during enterprise risk assessment One internal full-time person No mature traditional risk management program culture perceives ERM as a checklist and an additional cost that needs to be avoided Phase 1 Identify s Weeks Phase 2 Assess s Weeks Phase 3 Monitoring/ Reporting Weeks 4

5 General approach for developing an ERM program - using COSO and ISO RISK HEAT MAP TOP ENTERPRISE-WIDE RISKS HIGH H Probability of Credit Market Underwriting Operational Default Equities UW Process Monetary Controls Downgrade Other Assets Pricing Financial Reporting Disputes Currency Reserve Development Legal Controls Settlement Lag Concentration Product Design Distribution Sovereign Basis Concentration Re-investment Liquidity ALM Interest Rate Sensitivity Basis Frequency IT Systems Regulatory Severity Training Lapse Turnover Longevity Data Capture Strategic Competition Demographic / Social Change Negative Publicity Governance HIGHLIGHTS O1 L2 H2 R2 M LOW 5.0 HIGH Financial Impact Description of Probability of How is Currently Monitored H How is Currently Managed Economic Environment TOOLS RISK COMMITTEE Consolidate the identified enterprise risks into enterprise-wide risks Use the probability and financial and operational impacts of each enterprise-wide risk to prioritize the risks and distill the prioritized enterprise-wide risks to material enterprise-wide risks Work with the risk committee to document the key elements of each material enterprise-wide risk and populate these elements in the corporate risk register Work with the risk committee to design a risk appetite statement and draft a risk tolerance policy RISK APPETITE STATEMENT Map material enterprise-wide risks on a corporate risk heat map Minimum Limits Dashboard ACCEPTABLE RISKS UNDESIREABLE RISKS BUSINESS UNITS Degree of Control High VaR Report 20% probability of a 30% or greater decline in underwriting profits -70% Key Drivers of Probability of Populate material enterprise-wide risks in a corporate risk register Upload risk governance reports into a risk reporting and management information system Assessment Governance Management Strategy Medium Review contract with Customer Y (largest aging receivable) Monitor / Mitigate Sell receivable to third party at a discount UPLOAD RMIS Mr. X Maximum Limits Description of Current Mitigation Responses Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities OWNER HIGHLIGHTS Monitoring Metrics Overall Magnitude Liquidity HIGHLIGHTS Financial Impact of Stress test material enterprise-wide risks, develop business continuity plans to manage material enterprise-wide risks and revise corporate risk register with new enterprise-wide risks insights Develop risk dashboards for specific material enterprise-wide risks Generate a Value-at- (VaR) report to quantify the impact of a specific loss event on a key performance indicator RISK TOLERANCE POLICY Types of H3 C2 0.5 Capital Availability Owner L Technological Policyholder Optionality F2 1.5 Regulatory / Political RISK REGISTER L1 2.5 Name of Customer Demands Concentration IT1 3.0 Rating Downgrade Mortality and Morbidity Leverage an organization s existing risk management and enterprise business objectives or goals to conduct an enterprise risk assessment that identifies and measures the organization s enterprise risks Build an organization s risk committee (including drafting the risk committee s charter) or leverage the organization s existing risk governance structure Assessment Financial Impact of M3 R1 F1 M2 3.5 LOW TOOLS Inventory Report: Sample C1 M1 L4 Ranking of Operational Impact of -30% Mean +25% (Mean) +50% 5

6 General approach for developing an ERM program using ORSA Solvency Assessment Leverage the insurer s existing solvency management and insurance industry best practices to assess and determine the reliability and adequacy of the insurer s solvency. Here we examine an insurer s: Liquidity and liquidity risk management -based capital modeling (Economic Capital modeling) Governance Establish risk committee or equivalent Generate actionable corporate risk register Create risk dashboards Create risk tolerance policy Draft formal risk appetite statement Simulate risk based capital model and create monitoring reports Generate value-at-risk report Deploy a Management Information System (RMIS) Assessment Deliverables RISK REGISTER RISK HEAT MAP 5.5 Inventory Report: Sample HIGH Identify and measure insurer s risks by leveraging existing risk management and enterprise goals and objectives Consolidate risks into enterprise-wide risks Use probability and financial impact to prioritize enterprise-wide risks Map material enterprise-wide risks on a corporate risk heat map Use risk assessment data to create corporate risk register 5.0 Market Operational Strategic Default Equities UW Process Monetary Controls Competition Downgrade Other Assets Underwriting Pricing Financial Reporting Disputes Currency Reserve Development Legal Controls Demographic / Social Change Settlement Lag Concentration Product Design Distribution Sovereign Basis Basis IT Systems Concentration Re-investment Frequency Regulatory Liquidity Severity Training ALM Lapse Turnover Interest Rate Sensitivity Longevity Data Capture Negative Publicity Rating Downgrade Customer Demands Regulatory / Political Capital Availability M3 IT H2 L3 2.0 R2 Technological Policyholder Optionality 0.5 Economic Environment Financial Impact of M4 H HIGHLIGHTS Key Drivers of H3 C2 1.0 Mortality and Morbidity Description of How is Currently Managed L2 O1 Types of L1 F2 1.5 Concentration R1 F1 M2 3.5 C1 M1 L4 4.0 Owner How is Currently Monitored H1 4.5 Credit Probability of Assessment Management and Monitoring Tools LOW Key Elements LOW 5.0 HIGH Financial Impact Key Indicators Probability of Solvency Assessment Deliverables Liquidity & Liquidity Management Report - Based Capital Report Governance Tools RISK BASED CAPITAL : Monitoring Report 800% 725% 700% 549% 500% RISK APPETITE STATEMENT 595% TAC / ACL RBC 495% TAC / ACL RBC Early Warning 400% 300% TAC / ACL RBC Concern 200% State TAC / ACL RBC Company Action State TAC / ACL RBC Regulatory Action State TAC / ACL RBC Authorized Control State TAC / ACL RBC Mandatory Control 100% RISK COMMITTEE 0% ACCEPTABLE RISKS UNDESIREABLE RISKS VaR Report Dashboard RISK TOLERANCE POLICY Minimum Limits -30% Liquidity Mean 20% probability of a 30% or greater decline in underwriting profits -70% BUSINESS UNITS 685% 650% 600% +25% (Mean) Overall Magnitude Degree of Control High +50% HIGHLIGHTS Management Strategy Medium Monitor / Mitigate Current Mitigation Responses Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities Review contract with Customer Y (largest aging receivable) Sell receivable to third party at a discount Monitoring Metrics Maximum Limits OWNER Mr. X 6

7 Transition from traditional risk management to ERM best practices Understand your organizational culture culture survey Senior management must set the tone for implementing ERM Must measure risk in order to effectively manage and monitor it Leverage the organization s existing risk management and don t reinvent the wheel Do not try to do too much at once implement ERM in reasonable phases Have a roadmap and execute so that management stays continuously engaged with the process 7

8 Key enterprise risk management and monitoring tools The order of ERM tools creation Top-tier enterprise-wide risks heat map register dashboards tolerance policy appetite statement Others: Value-at-risk report, -based capital report, tornado diagrams, etc. The order of how senior management uses ERM tools appetite statement tolerance policy register dashboards Other tools: Value-at-risk report, based capital report, tornado diagrams, etc. heat map Top-tier enterprise-wide risks 8

9 ERM tools at-a-glance STRUCTURE OF A RISK COMMITTEE - SAMPLE rd of Directors Boa Reports EXECUTIVE MANAGEMENT BOARD Internal AUDIT Department BUSINESS UNIT RISK BUSINESS UNIT RISK Management Committee BUSINESS UNIT RISK BUSINESS UNIT RISK Management Committee Individual Business Units Individual Business Units Individual Business Units Individual Business Units Individual Business Units Individual Business Units Treatment Human Capital Disparity between employee base salary and marketplace base salary (1) Freezes in merit raises (2) Amount of merit raises (3) Increasing employee cost of healthcare benefits 5 = Certain $15,000,000 $5,000,000 (1) Laptop encryption not conforming to HIPAA standards (2) Patient health information and files not conforming to HIPAA standards (3) Sales, Marketing and certain employees exempted from ZIX 4 = Likely (1) Increased discounting of programs during marketing (2) Failure to obtain insurance contracts (3) Increasing bad debts 4 = Likely Clinical Legal Delivery of quality care Sentinel events (1) Failure of clinical staff to embrace treatment model (2) Increasing acuity and complexity of patients (3) Quality of physician pool 3 = Possible (1) Acuity of patients (2) Patient suicides (3) Patient drug overdose 3 = Possible $5,000,000 $1,000,000 $5,000,000 $1,000,000 $5,000,000 $1,000,000 $1,000,000 $500,000 Monitor Owner We will aggressively pursue regional strategies to meet our market growth objectives (increase of 4 percent in market share) and invest in and develop key markets. Reputation and brand image We will avoid any situation and action resulting in a negative impact on our reputation, if and when an undesirable situation arises, manage it aggressively to protect our reputation and brand image. Financial Derivatives We will limit our use of derivative instruments to "plain vanilla" swaps and options entered into with counterparties rated "AA" or better. Strategic risk parameters Investment Limits We will limit capital expenditures and investments in mergers and acquisitions to an amount that allows the company to achieve its annual free cash flow target of $330 million. Financial risk parameters Target debt rating We will seek to maintain an enterprise-level debt rating of "A" or better. Self sustaining growth In seeking new business, we will maintain our working capital ratio between 1 and 1.5 percent. Financial Strength We will maintain an EBIT/Interest ratio between 4 and 5 percent. Operational risk parameters Individual Business Units Loss Exposure We will manage our operational activities and exposures to avoid an event resulting in a loss to pre-tax operating margin of more than $25 million. Geographical Independence A single geographical location will not account for more than 20 percent of our total loans. (1) Targeted pay increases and job leveling roll-out (2) Rebid healthcare benefits in 20XX (3) Voluntary turnover rate (4) Number of exit interviews that cite compensation as key Head of Human Resources (SVP, HR) (1) Log and track areas of non-compliance and pursue corrective actions (2) Enforce annually required HIPAA training of all employees (3) Number of resolved non-compliance issues logged in the compliance log (4) Amount and types of citations received as a result of Head of Compliance (SVP, Compliance) (1) Track and discuss with programs with lower than budgeted revenues how to improve revenues (2) Increase collections training for Finance and Admissions (3) Bad debts expense as a % of revenue (4) Program allowances or discounts from revenue Head of Finance (CFO) H M3 R1 F1 M2 3.5 C1 M1 L4 IT1 2.5 H2 L3 2.0 R LOW HIGH Financial Impact Head of Legal (SVP & General Counsel) Specific economic condition Inadequate IT systems RBC levels Pricing / reserving issues Litigation Unfunded mandates / cost shifting Adequacy of insurance coverages Investments Reputational risks Provider contracting Poor economy Succession planning for senior management Fluctuation of asset values Unanticipated substantial increase in Workers Compensation reserves Policy Maximum Monitoring Metrics $5,000,000 to $15,000,000 2% monthly prime portfolio and 5% monthly subprime portfolio 4% monthly prime portfolio and 8% monthly subprime portfolio Borrower debt to equity ratio Subprime borrower default $5,000,000 to $15,000,000 Liquidation Value 10% monthly subprime portfolio 20% monthly subprime portfolio Monthly subprime default rate per 1,000 subprime loans Borrower amount higher as a percentage of home valuations $5,000,000 to $15,000,000 5% monthly sum of prime and subprime 7% monthly sum of prime and subprime Percentage difference in loan and home valuation Particular lender noncompliance $5,000,000 to $15,000,000 Cost of fines $2,500,000 Cost of fines $5,000,000 Total value of noncompliance fines Mortgage origination fraud $1,000,000 to $5,000,000 Loss due to fraud $500,000 Loss due to fraud $2,500,000 Average loss due to origination fraud Little or no documentation on borrower $1,000,000 to $5,000, incidents per month 30 incidents per month Number of no documentation incidents per month Depreciating housing market $1,000,000 to $5,000,000 3% decline in home values 4% decline in home values Percentage decline in home values over a given period Borrower concentration $625,000 to $1,000,000 20% California, 30% Florida 15% New York 30% California, 35% Florida, 20% New York Percentage of loan portfolio by geographical region Prime borrower default $500,000 to $1,000,000 4% monthly prime portfolio 6% monthly prime portfolio Monthly prime default rate per 1,000 prime loans Borrower paying low minimum payments $500,000 to $1,000,000 2% monthly prime portfolio and 5% monthly subprime portfolio 4% monthly prime portfolio and 10% monthly subprime portfolio Monthly percent of prime or subprime borrowers paying minimum payments Inability to resell loans in secondary market $500,000 to $1,000,000 1% annual prime portfolio and 2% annual subprime portfolio 2% annual prime portfolio and 4% annual subprime portfolio Annual percent of prime or subprime loans of borrowers with less than 5% equity High interest rates $500,000 to $1,000,000 1% basis points on prime and 2% basis points on subprime 2% basis points on prime and 4% basis points on subprime Basis points changes in prime or subprime rates RISK DASHBOARD: SAMPLES Liquidity 5.0 Degree of Control Overall Magnitude High 725% 700% 685% 650% 600% 500% Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities 549% 595% TAC / ACL RBC Review contract with Customer Y (largest aging receivable) LEGEND: Probability of <$500,000 $500,000 to $1,000,000 $1,000,000 to $5,000,000 $5,000,000 to $15,000,000 Over $15,000,000 Monitor / Mitigate Rare Unlikely Possible Likely Almost Certain 495% Future Mitigation Strategy Overall Status TAC / ACL RBC Early Warning 300% TAC / ACL RBC Concern 200% State TAC / ACL RBC Company Action State TAC / ACL RBC Regulatory Action State TAC / ACL RBC Authorized Control State TAC / ACL RBC Mandatory Control Business Continuity Hazards or catastrophic/ other events threaten the company s ability to sustain operations and perform critical business functions or provide services to internal or external customers 0% Update Strategies agreed, any required funding in place and mitigation underway Strategies agreed, any required funding in place and mitigation in early stages Mr. X 400% 100% Sell receivable to third party at a discount OWNER Overall Magnitude LEGEND: Financial Impact Management Strategy Medium Current Mitigation Responses 800% C1 Pandemics H4 Employee voluntary turnover M4 H4 0.0 F2 M2 L2 O1 H2 M3 M4 H3 R2 L4 Moderate H3 C2 1.0 Medium L1 IT1 M1 L3 L2 O1 Very High H1 National healthcare R1 Potential HIPAA non-compliance F1 National healthcare regulation C1 Healthcare reform High L1 F (1) Use clinical treatment tool to educate and train clinical staff Head of Clinicians (2) Educate Admissions staff on how to screen-out (Chief Clinical Officer) acute patients (3) Percentage of staff that completes clinical treatment training (4) Number of new sentinel event incidents (1) Monitor and respond to sentinel events reported in the incident report system (2) Create new clinical management interventions (3) Number of sentinel events per program per month, quarter or year (4) Frequency and cost of sentinel-related litigation 5.0 Policy Minimum Borrower carrying more overall debt RISK BASED CAPITAL MONITORING REPORT: SAMPLE 5.5 HIGH Probability Probability of Drivers Decreasing revenue Individual Business Units LOW Description Financial Market Growth RISK HEAT MAP: SAMPLE Category Potential HIPAA non-compliance Description of s that are acceptable or On-Strategy CHECKS RISK REGISTER: SAMPLE Regulatory Compliance Our Assertions Management Committee REPORTS Audits RISK TOLERANCE REPORT: SAMPLE Elements s that are undesirable or Off-strategy ENTERPRISE RISK MANAGEMENT COMMITTEE Management Committee RISK APPETITE STATEMENT: SAMPLE Degree of Control High Medium Management Strategy Mitigate / Transfer Future Mitigation Strategy Current Control Responses Mitigation Implementing enhanced supplier/vendor risk mgmt. processes (D&B Supplier Mgmt. tool) Additional updates from Mr. X OWNER Transfer P&C, General Liability, Crime and Fiduciary renewals bound 3/31/20XX Update Overall Status Strategies in development, any required funding not yet in place as of yet, limited mitigation in process Significant improvements achieved in BI, Contingent BI, Flood, Earthquake and Wind coverage and sub-limits Mrs. Y RISK INVENTORY REPORT: SAMPLE Market Underwriting Operational Strategic Default Equities UW Process Monetary Controls Competition Downgrade Other Assets Pricing Financial Reporting Disputes Currency Reserve Development Legal Controls Demographic / Social Change Settlement Lag Concentration Product Design Distribution Sovereign Basis Basis IT Systems Concentration Re-investment Frequency Regulatory Liquidity Severity Training ALM Lapse Turnover Interest Rate Sensitivity Longevity Data Capture Mortality and Morbidity Policyholder Optionality Concentration Economic Environment VALUE AT RISK REPORT: SAMPLE RISK TORNADO DIAGRAM: SAMPLE Credit Annual Voluntary Turnover Rate (%) Base Value = 30%, Total # of Employees = 4,500 20% 40% 30% 10% : Employee Voluntary Turnover 60% Employee base salary 50% Negative Publicity Rating Downgrade Customer Demands Management of employees Work/Life balance 0% Mean 20% probability of a 30% or greater decline in underwriting profits Regulatory / Political Capital Availability Technological Tenure Employee performance Job characteristics Developmental opportunities % -30% +25% (Mean) +50% (%) Change in Underwriting Profits 9

10 Sustainable ERM Leverage your risk management knowledge and experience to move ERM forward You have overall knowledge of the organization You are the repository for exposure information and loss data Gain knowledge of your business continuity, emergency response and disaster recovery You have the ability to prioritize risk based on probability and impact You have the contacts throughout the organization Distill many, many risks to arrive at your organization s top-tier risks 10

11 Distilling risks to arrive at top-tier enterprise-wide risks assessment questionnaire Consolidating risks Determining enterprise-wide risks Prioritizing enterprise-wide risks based on probability and impact Arrive at top-tier enterprise-wide risks 11

12 Company XYZ s top-tier enterprise-wide risks Ranking Description of Probability Financial Impact 1 Ineffectively managed subsidiary results cause liquidity pressures Experience reputational incidents that tarnish brand image Data loss at parent and subsidiaries exposes Company XYZ to privacy breaches Decreasing RBC may affect Company XYZ s solvency The increased risk of underwriting health insurance in the post-aca market environment may negatively impact Company XYZ s financial strength and liquidity

13 Mapping top-tier enterprise-wide risks on risk heat map to prioritize risk treatment Use Excel and PowerPoint Use onnect and other GRC softwares 13

14 heat map: sample HIGH H Probability of M3 R1 F1 M2 3.5 C1 M1 L4 IT1 O1 L2 H2 L3 2.0 R2 LOW H LOW HIGH Financial Impact Comprehensive people strategy IT unable to support operations Inability to accomplish risk-based audit Regulatory non-compliance Litigation Decreasing COBRA benefits Adequacy of corporate insurance coverages Declining investment portfolio Changing service provider agreements Poor economy Deficient project management capability Unclear enterprise marketing strategy Vague strategic measures and targets Substantial increase in Workers Compensation reserves C2 Pandemics H4 Increasing cost of turnover M4 C2 0.0 F2 M2 L2 O1 H2 M3 M4 H3 R2 L4 Underwriting health insurance in post-aca market Data loss and privacy breaches Brand-making and reputational incidents Decreasing -Based Capital Moderate H H1 R1 F1 C1 L1 IT1 M1 L Medium High L1 F2 3.0 Very High 5.0 LEGEND: Financial Impact LEGEND: Probability of <$500,000 $500,000 to $1,000,000 $1,000,000 to $5,000,000 $5,000,000 to $15,000,000 Over $15,000,000 Rare Unlikely Possible Likely Almost Certain 14

15 Generating risk register to track ongoing risk management and monitoring Create Key Indicators and risk metrics Link each top-tier risk to a Key Performance Indicator (KPI) Appoint risk owners makes management more accountable Develop an actionable risk register actions required and dates 15

16 register: sample Ranking Description Key Drivers of Probability Financial Impact 1 Increased risk of underwriting health insurance in post -ACA market (1) Adverse selection (2) Competition (3) Premium constraints 5 = Certain $15,000,000 $5,000,000 2 Data loss that exposes company to privacy breaches (1) Vendor security (2) Employee security practices (3) Hackers 4 = Likely 3 Brand-making and reputational incidents that impact brand health (1) Lack of effective controls around employee agreements (2) Ineffective governance structure (3) Major adverse event 4 Decreasing risk-based capital that may impact liquidity 5 Lack comprehensive people strategy Key Performance and Indicators (KPIs & KRIs) Actions Required Owner (1) Monthly loss ratio analysis (2) Monthly claims trend analysis (1) Review reinsurance annually for adequacy of coverage (2) Report to board new business and renewal quotes Head of Actuary $5,000,000 $1,000,000 (1) Number of vendors reviewed by security per month (2) Number of employee non-compliance with IT security practices per month (1) Implement security management and controls by 20XX (2) Implement software that monitors s real time by 20XX 4 = Likely $5,000,000 $1,000,000 (1) Customer satisfaction (CSAT) score (2) Employee satisfaction (ESAT) score (1) HR report to Board unique Head of employee agreements Communications (2) Continue to monitor CSAT and ESAT scores and implement corrective measures (1) Subsidiary results (2) Subsidiary losses and cost overruns (3) Investment portfolio variability 3 = Possible $5,000,000 $1,000,000 (1) Quarterly ratio (%) of TAC/ ACL RBC (2) Month end budget variance (1) Purchase catastrophic reinsurance by 20XX (2) Finance sign-off on all major projects (1) Unclear compensation program (2) Employee relations/engagement (3) Talent acquisition and recruitment plans 3 = Possible $1,000,000 $500,000 (1) Current month employee turnover (voluntary) (2) Revenue per employee (1) Beginning 20XX establish process for approving positions (2) Acquire new talent Head of IT Head of Finance Head of Human Resources 16

17 Creating risk dashboards to monitor risk management s performance KRIs and KPIs for board-level reporting metrics for executive-level reporting Current value, target minimum and target maximum 17

18 dashboard: samples Decreasing RBC Current Value Policy Minimum Policy Maximum 460% 400% 530% Update Overall Status Actions Required and Corrective Actions Subsidiary results, losses and cost overruns continue to negatively impact our RBC = (TAC / ACL RBC) OWNER Head of Finance Brand-Making and Reputational Head of Finance to develop policies and procedures for Finance sign-off on new initiatives that require an investment of over $200,000 Board and Management to revisit corporate governance of subsidiary operations to provide appropriate oversight and controls Head of Finance to develop reports that track intercompany balances and budget variances On July 9, 2014, policies and procedures for Finance sign-off was completed and discussed with New Business Development Acceptable Level Reports that track intercompany balances expected to be completed by July 10, 2014 Current Value Policy Minimum Policy Maximum 99.6% 95% 100% Update Concern Level Overall Status Unacceptable Level Actions Required and Corrective Actions Experience reputational Work with Head of HR to refine Employee Expense Reimbursement approval process incidents that tarnish our and Terms of Employment policy brand image (Health of Continue to monitor brand image real time using Street Smart Research brand = Customer Satisfaction (CSAT) score) Develop and implement transparent communication messaging that conveys to the public how company is managing reputational incidents On June 27, 2014 completed refining expense reimbursement approval process Conduct Street Smart Research in July 2015 OWNER Head of Communications 18

19 Establishing risk tolerance policy to convey acceptable risk limits Meet with risk owners and determine the minimum and maximum limits for each KRI, KPI and risk metrics Determine appropriate corrective actions needed to normalize KRIs, KPIs and risk metrics 19

20 tolerance policy: sample Key / Performance Indicators (KRIs/KPIs) Policy Minimum Policy Maximum Owner Underwriting health insurance in post-aca market Quarterly loss ratio 75% 90% Head of Actuary Data loss and privacy breaches Total number of successful hacking attempts per month Head of IT Brand-making and reputational incidents Customer satisfaction (CSAT) score 95% 100% Head of Communications Decreasing RBC Quarterly ratio (%) of TAC / ACL RBC 400% 530% Head of Finance Comprehensive people strategy Monthly employee turnover (voluntary) 10% 25% Head of Human Resources IT unable to support operations Monthly systems uptime 200 hours 350 hours Head of IT Inability to accomplish risk-based audit Total monthly hours available to audit 600 hours 750 hours Head of Audit and/or Management Regulatory non-compliance Number of regulatory warnings Head of Legal or Management Subsidiary cost overruns Subsidiary budget variance $200,000 $400,000 Head of Finance Substantial increase in Workers Compensation reserves Percentage change in WC reserves 3% monthly 8% monthly Head of Audit and/or Management Declining investment portfolio Monthly change in value of portfolio 3% monthly 7% monthly Head of Finance Decreasing COBRA benefits Percentage change in COBRA benefits administered 5% monthly 8% monthly Head of Business Unit Description of 20

21 Draft formal risk appetite statement to express the organization s risk strategy General counsel involvement in risk appetite statement Guiding statement appetite elements assertions Listing additional support 21

22 This Formal Appetite Statement is drafted solely for the purpose of providing Company XYZ, its subsidiaries and affiliates guidance on how to manage enterprise-wide risks. No statements made herein bind Company XYZ, its subsidiaries and affiliates to any contemplated contracts or agreements. Company XYZ, its subsidiaries and affiliates reserve the right to change any statements made herein with or without notice to any third parties. Formal risk appetite statement: sample Elements Our Assertions Guiding Statement Company XYZ is an insurance company that exists for the benefit of its policyholders. We protect our brand, maintain adequate capital, run sustainable subsidiary and affiliate operations, carry-out core operations and leverage our market share to ensure we return value to our policyholders. Vision and Mission Statements Brand protection and enhancements: We strive to proactively avoid any situation or action that has the potential to unnecessarily impair our brand and reputation. This involves ensuring our employees, business partners and policyholders are committed to our values and that their actions and behaviors reflect these values. We believe this is what would allow us to take appropriate actions to preserve the strength of our brand and reputation in the areas of corporate compliance, customer privacy, corporate information security, governance and positive public image. Employee Expenses Reimbursement Policies Employment Policies Capital Adequacy -based capital: We will strive to grow to an RBC level appropriate to the risk of our core operations to ensure our sustainability in our market. (1) Controlled subsidiaries: Controlled subsidiaries are expected to manage their businesses and operations with the best interest of the shareholder and other appropriate stakeholders in mind. This expectation includes analysis and understanding of the risks associated with business initiatives to be undertaken by the controlled subsidiary. Further, controlled subsidiaries should comply with defined agreements (e.g. inter-company agreements, dividend policies, etc.) and governance processes as established with their shareholder. (2) External Portfolio risk: Must contemplate the risk profile of our controlled subsidiaries, the risk profile of our core business and Company XYZ's capital position. Investment Policy Intercompany Agreements and Dividend Policies with Subsidiaries Contribution to Surplus Income/earnings: In order to remain viable in our market, we target an annual operating margin of 5% across all core operations. Product segments (both core and non-core) are expected to have a positive contribution to RBC. Network Provider Penetration Provider reimbursements: We will maintain adequate market share to provide the best value to our policyholders. We target no less than 50% of aggregate California health care providers' private payer revenue. Operational Parameters Contract management and bid and proposal review: No projects or bids will be pursued without appropriate review and analysis based on defined governance processes, which should include an assessment of material risks and financial impact. Human Resources Parameters Human Capital: We will ensure Company XYZ has identified key talent and leadership to develop new leaders through defined succession plans and development. We will maintain the resources and tools to attract, develop and retain the employees necessary to fulfill our mission. Brand-making and reputation Additional Support Human Resources Policies 22

23 QUESTIONS 23

24 CONTACT INFORMATION Augustine Doe OutsourceRM (949) Ron Marx Marsh (858)