Economic Capital 4.14 Solvency II and Basel II and III Regulatory Standards 4.19 NAIC Own Risk and Solvency Assessment (ORSA) 4.23 Summary 4.

Transcription

1 xi Contents Assignment 1 Introduction to Risk Management 1.1 The Risk Management Environment 1.3 Benefits of Risk Management 1.9 Risk Classifications 1.15 Enterprise Risk Management 1.21 Enterprise Risk Management for Insurance Companies 1.26 Summary 1.32 Assignment 2 Risk Management Standards and Guidelines 2.1 Introduction to Risk Management Standards and Guidelines 2.3 ISO Risk Management Principles and Guidelines 2.8 COSO Enterprise Risk Management Integrated Framework 2.13 Summary 2.19 Assignment 3 Insurer Working Capital Management 3.1 Components of an Insurer s Working Capital 3.3 Insurer Credit Management 3.8 Insurer Cash Management 3.17 Summary 3.23 Assignment 4 Insurer Regulatory Capital 4.1 Risk-Based Capital Requirements 4.3 Risk-Based Capital for Life Insurers 4.8 Economic Capital 4.14 Solvency II and Basel II and III Regulatory Standards 4.19 NAIC Own Risk and Solvency Assessment (ORSA) 4.23 Summary 4.28 Assignment 5 Insurer Capital Structure and Allocation 5.1 Optimal Capital Structure 5.3 Optimal Capital Structure for Insurers 5.9 Insurer Cost of Capital 5.15 Risk-Based Capital Allocation 5.20 Summary 5.24 Assignment 6 Internal Audit and Control 6.1 Introduction to Internal Control 6.3 Internal Control Frameworks and Standards 6.8 Risk-Based Auditing 6.14 Risk Assurance to Evaluate Risk Management Performance 6.18 Collaboration Between Risk Management and Internal Audit 6.22 Summary 6.26 Assignment 7 Transferring Financial Risk 7.1 Types of Financial Risk 7.3 Derivatives 7.5 Securitization 7.8

2 xii Summary 7.10 Assignment 8 Financing Insurable Risk in the Capital Markets 8.1 Capital Market Risk Financing Products 8.3 Insurance-Linked Securities 8.5 Insurance Derivatives 8.11 Contingent Capital Arrangements 8.16 Concerns of Users and Suppliers of Capital for Transferring Hazard Risk 8.20 Capital Market Regulatory and Accounting Issues 8.23 Summary 8.24

3 Risk Management Standards and Guidelines 2.15 Framework The COSO Enterprise Risk Management Integrated Framework is designed to help an organization achieve its objectives in four categories: Strategic high-level goals, aligned with and supporting its mission Operations effective and efficient use of its resources Reporting reliability of reporting Compliance compliance with applicable laws and regulations There are eight interrelated components of the COSO framework that should be integrated within an organization s risk management process: Internal environment Determine risk management philosophy and risk appetite, integrity and ethical values, and the operating environment. A board of directors is an important part of the internal environment with influence on the other aspects of the environment. In this component of the risk management process, senior management aligns the people, processes, and infrastructure to make it possible for the organization to stay within its risk appetite. Objective setting Align risk management objectives with the organization s mission and risk appetite. Objectives must be determined before management can identify the events that might affect their achievement. Event identification Identify internal and external events that affect achievement of objectives, and distinguish between negative risk and opportunity risk. External events include economic, political, social, and technological elements. Internal factors include management decisions, people, infrastructure, processes, and technology. Risk assessment Analyze risks, considering likelihood and impact. Likelihood is the possibility that a given event will occur. Impact is the effect of an event if it does occur. Risk assessment is first applied to inherent risk. After the development of risk responses, residual risk is determined. Risk response Select how to respond to the risks identified, for example, by avoidance, reduction, or transfer. Control activities Establish policies and procedures to carry out effective risk responses. Control activities are the policies and procedures to determine that risk responses are performed correctly. Information and communication Use effective communication that flows down, across, and up the organization. An organization should use both historical and current data to have an effective risk management program. Monitoring Make modifications through ongoing monitoring of the risk management process. An organization may use both internal and independent evaluations to monitor its risk management. Inherent risk Risk to an entity apart from any action to alter either the likelihood or impact of the risk. Residual risk Risk remaining after actions to alter the risk s likelihood or impact.

4 2.16 Insurer Risk and Capital Management COSO Risk Management: Relationship of Objectives and Components There is a direct relationship between objectives, which an organization strives to achieve, and risk management components, which are necessary to achieve them. STRATEGIC OPERATIONS REPORTING COMPLIANCE INTERNAL ENVIRONMENT OBJECTIVE SETTING EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE SUBSIDIARY BUSINESS UNIT DIVISION ENTITY-LEVEL CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING Copyright, 2004, Committee of Sponsoring Organizations of the Treadway Commission. All rights reserved. Reprinted with permission. [DA07300] COSO states that risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional process in which almost any component can and does influence another. 11 The process should be applied across all four levels of an organization: entity, division, business unit, and subsidiary. See the exhibit COSO Risk Management: Relationship of Objectives and Components. In the example of a bank, the organization would identify its strategic objectives to include return on capital, profit, and growth. The bank s operational objectives would support its strategic objectives in areas such as loan activity, customer growth, acquisitions, and expansion. The reporting and compliance objectives would focus on meeting regulatory requirements. The bank s managers would then apply the eight components of the COSO risk management framework across all of the organization s levels to align the bank s operations with its risk appetite and strategic objectives.

5 Risk Management Standards and Guidelines 2.17 ERM in Practice An organization applied the COSO Enterprise Risk Management Integrated Framework to its cloud-computing program through Google. More than 3 million businesses worldwide are clients of Google s cloud-computing services, which allow data to be stored on shared servers. Although this technology offers many advantages to organizations, it also represents a major change in how organizations operate with associated risks. Additionally, there are different models and service providers for cloud computing. The COSO cube can be transformed into a path for managing the risks at each step of an organization s process for selecting and implementing a cloudcomputing option. 12 [DA11302] Control Activities Section 404 of the Sarbanes-Oxley Act states that public companies are required to publish information in their annual reports regarding the scope and adequacy of their internal control structure and procedures for financial reporting. Additionally, the companies are required to assess the effectiveness of these internal controls and procedures. The registered accounting firm that provides an audit of the financial statement is required to attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting. Because COSO 2004 historically focused on financial controls and developed its risk management framework in the context of internal audits related to compliance with Sarbanes-Oxley, control activities are a key feature of this standard in comparison with other risk management standards. Control activities are policies and procedures applied to each of the four categories of objectives strategic, operations, reporting, and compliance. Overlap may exist in how controls relate to objectives and areas of operation. The most important function of a control is its role in achieving its objective. For example, a control activity may have the objective of ensuring that all bank loans conform to the bank s guidelines. The organization may apply this control activity across regional divisions and branch offices. Control activities typically have two parts. The first part is the policy that states what should be done, and the second part is the procedure to accomplish the policy. For example, a policy states that all policies should conform to underwriting guidelines. The procedure is to enter all underwriting information into the insurer s computer system and produce daily reports for branch managers, weekly reports for regional managers, and monthly reports for the division vice president. The risk management process should be monitored to determine the effectiveness of control activities in meeting objectives. There are two types of