Leveraging an organization's current risk management to create a sustainable ERM program. Thursday, January 15, 2015

Transcription:

Leveraging an organization's current risk management to create a sustainable ERM program
Thursday, January 15, 2015
Augustine Doe, Ron Marx

AGENDA

- Cover page
- Agenda
- Potential risks airports experience
- Benefits organizations with ERM experience
- Best practices for transitioning from traditional risk management to ERM
- Leverage the airport's existing risk management
- How to create a sustainable ERM program for an airport
- How Outsource Risk Management ERM approach compares to others
- Distill the many risks to arrive at top-tier enterprise-wide risks
- How to report top-tier enterprise-wide risks
- Map top-tier enterprise-wide risks on risk heat map to prioritize risk treatment
- Generate risk register to track ongoing risk management and monitoring
- Create risk dashboards to monitor risk management's performance
- Establish risk tolerance policy to convey acceptable risk thresholds
- Draft formal risk appetite statement to communicate the airport's risk strategy
- Questions
- Contact information

Potential risks airports experience

Benefits organizations with ERM experience

Do organizations with mature risk management practices outperform their peers financially? Ernst & Young study suggests YES.

Mature risk management drives financial results. Findings: companies with more mature risk management practices generated the highest growth in revenue, EBITDA and EBITDA/EV.

[Chart: Compound annual growth rates 2004-11* by risk maturity level (Top 20%, Middle 60%, Bottom 20%) for Revenue, EBITDA and EBITDA/EV. Values shown: 20.3%, 16.8%, 10.6%, 9.5%, 8.3%, 7.4%, 4.1%, 2.5%, 2.1%.]

* 2011 YTD reported as of 18 November 2011.

2013 Ernst & Young, Turning risks into results

Best practices for transitioning from traditional risk management to ERM

- Senior management must set the tone for implementing ERM; you may have to educate them about ERM
- Leverage the organization's existing risk management and don't reinvent the wheel
- Understand organization culture; align incentives to behaviors
- Do not try to do too much at once; implement ERM in reasonable phases
- Must measure risk in order to effectively manage and monitor it

Phases:

- Phase 1: Identify Risks, 12-18 weeks
- Phase 2: Assess Risks, 13-19 weeks
- Phase 3: Monitoring/Reporting, 12-18 weeks

Leverage the airport's existing risk management

Where you are not the leader of the risk management team, advocate for ERM and work with other business departments to create the ERM program.

- You have overall knowledge of the organization
- You are the repository for exposure information and loss data
- Gain knowledge of your business continuity, emergency response and disaster recovery
- You have the ability to prioritize risk based on probability and impact
- You have the contacts throughout the organization

Leverage your risk management knowledge and experience to move ERM forward.

How to create a sustainable ERM program for an airport

Steps (grouped on the slide under Risk Assessment, Risk Governance and Tools):

- Leverage an organization's existing risk management and enterprise business objectives or goals to conduct an enterprise risk assessment that identifies and measures the organization's enterprise risks
- Build an organization's risk committee (including drafting the risk committee's charter) or leverage the organization's existing risk governance structure
- Consolidate the identified enterprise risks into enterprise-wide risks
- Use the probability and financial and operational impacts of each enterprise-wide risk to prioritize the risks and distill the prioritized enterprise-wide risks to material enterprise-wide risks
- Work with the risk committee to document the key elements of each material enterprise-wide risk and populate these elements in the corporate risk register
- Work with the risk committee to design a risk appetite statement and draft a risk tolerance policy
- Map material enterprise-wide risks on a corporate risk heat map
- Stress test material enterprise-wide risks, develop business continuity plans to manage material enterprise-wide risks and revise corporate risk register with new enterprise-wide risks insights
- Develop risk dashboards for specific material enterprise-wide risks
- Generate a Value-at-Risk (VaR) report to quantify the impact of a specific loss event on a key performance indicator
- Populate material enterprise-wide risks in a corporate risk register
- Upload risk governance reports into a risk reporting and management information system (RMIS)

[Figure: thumbnails of the program deliverables]

- Risk committee
- Top-tier enterprise-wide risks highlights: Ranking of Risk, Name of Risk, Description of Risk, Probability of Risk, Financial Impact of Risk, Operational Impact of Risk
- Risk heat map: Probability of Risk against Financial Impact (both LOW to HIGH, scale 0.0 to 5.5), plotting risks F1, F2, F3, H1, H2, HC1, HC2, IT1, C1 and O1
- Risk register highlights: Types of Risk, Description of Risk, Key Drivers of Risk, Probability of Risk, Financial Impact of Risk, Risk Owner, How Risk is Currently Managed, How Risk is Currently Monitored
- Risk appetite statement
- Risk tolerance policy highlights: Business Units, Acceptable Risks, Undesirable Risks, Monitoring Metrics, Minimum Limits, Maximum Limits
- Risk dashboard (Liquidity Risk): Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities. Owner: Mr. X. Overall Risk Magnitude: High. Degree of Control: Medium. Management Strategy: Monitor / Mitigate. Current Mitigation Responses: review contract with Customer Y (largest aging receivable); sell receivable to third party at a discount.
- VaR report: 20% probability of a 30% or greater decline in underwriting profits (axis: -70%, -30%, +25% (Mean), +50%)

How OutsourceRM ERM approach compares to others

OutsourceRM Approach

- Identify, measure and determine material enterprise-wide risks that potentially impact an organization's strategy, goals and initiatives ("material to strategic direction" approach).
- Distill material risks to those that impact the key drivers of the organization's business.
- Apply an in-house ("actionable") perspective to create the performance measurement tools that senior leadership and members of the board would use to effectively manage and monitor enterprise-wide risks.
- Generate key performance indicators (KPIs), key risk indicators (KRIs), acceptable thresholds and corrective actions for each material enterprise-wide risk to communicate at a high level how material risks that impact an organization's key business drivers are being managed.

Other Approaches

- Identify and measure all risks that potentially impact an organization and its business units ("boil the ocean" approach).
- Provide an inventory of risks that are endemic to an organization's industry.
- Develop risk management and monitoring tools from a consultant's viewpoint.
- Generate KPIs, KRIs and acceptable thresholds for all risks, thereby muddying senior management's ERM focus and making ERM overwhelming.

Distill the many risks to arrive at top-tier enterprise-wide risks

- Leverage the organization's business information (including goals, strategies, initiatives, etc.) and risk management to create an enterprise risk assessment (ERA) questionnaire
- Use the ERA questionnaire to conduct the ERA interviews
- Consolidate risks
- Determine enterprise-wide risks based on enterprise weights
- Prioritize enterprise-wide risks based on probability and impact
- Arrive at top-tier enterprise-wide risks

Company XYZ's top-tier enterprise-wide risks

| Ranking | Description of Risk | Probability | Financial Impact | Operational Impact |
|---|---|---|---|---|
| 1 | Inability to consistently manage debt may negatively impact our liquidity and prevent us from completing runway rehabilitation | 5 | 5 | Borrow money to pay operating expenses at higher interest rate; unable to complete runway rehabilitation |
| 2 | Threat of and actual terrorism may significantly reduce air travel and impact landing fee revenues | 4 | 5 | Decline in revenue; inability to effectively manage debt |
| 3 | Where we are unable to contain costs within budget we may not be able to acquire land for future aeronautical needs | 4 | 4 | Increase debt; inability to expand aeronautical operations |
| 4 | Data loss may expose us to privacy breaches which may negatively impact our reputation | 4 | 3 | Airlines/operators withdrawing; decline in the number of flights that land |
| 5 | Inability to consistently comply with FAA changes may result in non-compliant operations | 3 | 4 | Increase costs resulting from fines and stipulations; reduce landing fee revenues |
| 6 | Where we are unable to consistently execute our people strategy we would continue to experience high turnover and poor ground operations | 3 | 3 | Increased operating expenses due to use of expensive temporary staff; poor handling of travelers and therefore low customer satisfaction score |
| 7 | Increased workplace injuries may hurt our reputation and prevent us from hiring quality staff | 3 | 2 | Rise in operating expenses; employee absenteeism |
| 8 | 70 percent of our landing fees come from Delta airlines and in the event Delta experiences reputational incidents that reduce its passengers and flights we may experience a significant decline in our revenues | 2 | 2 | Significant reduction in revenue; inability to meet debt obligations |
| 9 | Adverse weather and earth movement may impact airline traffic volume and decrease our revenues | 2 | 1 | Increase operating costs; reduce targeted revenues |
| 10 | Where we are unable to replace our aging infrastructure we may experience severe accidents | 1 | 1 | Increase in severity and frequency of insurance claims |

Risk heat map: sample

[Chart: risk heat map plotting risks F1, H1, F2, IT1, C1, HC1, HC2, F3, H2 and O1 by Probability of Risk (LOW to HIGH, scale 0.0 to 5.5) against Financial Impact (LOW to HIGH, scale 0.0 to 5.5).]

Very High Risk

- F1: Inability to consistently manage debt may negatively impact our liquidity and prevent us from completing runway rehabilitation
- H1: Threat of and actual terrorism may significantly reduce air travel and impact landing fee revenues

High Risk

- F2: Where we are unable to contain costs within budget we may not be able to acquire land for future aeronautical needs
- IT1: Data loss may expose us to privacy breaches which may negatively impact our reputation
- C1: Inability to consistently comply with FAA changes may result in non-compliant operations
- HC1: Where we are unable to consistently execute our people strategy we would continue to experience high turnover and poor ground operations

Moderate Risk

- HC2: Increased workplace injuries may hurt our reputation and prevent us from hiring quality staff

Low Moderate Risk

- F3: 70 percent of our landing fees come from Delta airlines and in the event Delta experiences reputational incidents that reduce its passengers and flights we may experience a significant decline in our revenues
- H2: Adverse weather and earth movement may impact airline traffic volume and decrease our revenues

Low Risk

- O1: Where we are unable to replace our aging infrastructure we may experience severe accidents

Probability/Financial Impact Key

| Number | Meaning of Probability | Probability in Percentages | Range of Financial Capacity |
|---|---|---|---|
| 1 | Low | < 5% | $0 - $7,000,000 |
| 2 | Low to Moderate | 5% to 15% | $7,000,000 - $12,000,000 |
| 3 | Moderate | 15% to 30% | $12,000,000 - $20,000,000 |
| 4 | Moderate to High | 30% to 50% | $20,000,000 - $40,000,000 |
| 5 | High | > 50% | Over $40,000,000 |

Generate risk register to track ongoing risk management and monitoring

Snapshot of the key aspects of information technology (IT1) risk in the risk register:

- Risk Name: Data loss/privacy
- Description of Risk: Data loss may expose us to privacy breaches which may negatively impact our reputation
- Risk Owner(s): Chief Technology Officer (First name, Last name)
- Key Drivers of Risk: Vendor security; employee security practices; hackers
- Probability of Risk: 4 (Moderate to High: 35% to 50% chance of occurring)
- Potential Financial Impact of Risk: 3 ($12 million to $20 million)
- Potential Operational Impact of Risk: Airlines/operators withdrawing; decline in the number of flights that land
- Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs): Number of vendors reviewed for data security compliance by IT per month; number of unsuccessful hacking attempts per month; number of hacking threats per month; number of successful threats per month; number of employee non-compliance with IT security practices per month
- Risk Control/Mitigating Measures: IT Security Policy; vendor IT security SLAs; firewalls; data encryption
- Actions Required: Implement IT security management and controls by February XX, 20XX; implement software that monitors emails real time by March XX, 20XX

Risk dashboard: samples

Overall Status legend: Acceptable Level, Concern Level, Unacceptable Level

Decreasing RBC

- Description: Subsidiary results, losses and cost overruns continue to negatively impact our RBC = (TAC / ACL RBC)
- Owner: Head of Finance
- Current Value: 460%; Policy Minimum: 400%; Policy Maximum: 530%
- Actions Required and Corrective Actions:
  - Head of Finance to develop policies and procedures for Finance sign-off on new initiatives that require an investment of over $200,000
  - Board and Management to revisit corporate governance of subsidiary operations to provide appropriate oversight and controls
  - Head of Finance to develop reports that track intercompany balances and budget variances
- Update:
  - On July 9, 2014, policies and procedures for Finance sign-off was completed and discussed with New Business Development
  - Reports that track intercompany balances expected to be completed by July 10, 2014

Brand-Making and Reputational Risk

- Description: Experience reputational incidents that tarnish our brand image (Health of brand = Customer Satisfaction (CSAT) score)
- Owner: Head of Communications
- Current Value: 99.6%; Policy Minimum: 95%; Policy Maximum: 100%
- Actions Required and Corrective Actions:
  - Work with Head of HR to refine Employee Expense Reimbursement approval process and Terms of Employment policy
  - Continue to monitor brand image real time using Street Smart Research
  - Develop and implement transparent communication messaging that conveys to the public how company is managing reputational incidents
- Update:
  - On June 27, 2014 completed refining expense reimbursement approval process
  - Conduct Street Smart Research in July 2015

Risk tolerance policy: sample

| Description of Risk | Key Risk/Performance Indicators (KRIs/KPIs) | Minimum Threshold | Maximum Threshold | Risk Owner |
|---|---|---|---|---|
| Underwriting health insurance in post-ACA market | Quarterly loss ratio | 75% | 90% | Head of Actuary |
| Data loss and privacy breaches | Total number of successful hacking attempts per month | 35 | 60 | Head of IT |
| Brand-making and reputational incidents | Customer satisfaction (CSAT) score | 95% | 100% | Head of Communications |
| Decreasing RBC | Quarterly ratio (%) of TAC / ACL RBC | 400% | 530% | Head of Finance |
| Comprehensive people strategy | Monthly employee turnover (voluntary) | 10% | 25% | Head of Human Resources |
| IT unable to support operations | Monthly systems uptime | 200 hours | 350 hours | Head of IT |
| Inability to accomplish risk-based audit | Total monthly hours available to audit | 600 hours | 750 hours | Head of Audit and/or Risk Management |
| Regulatory non-compliance | Number of regulatory warnings | 10 | 20 | Head of Legal or Risk Management |
| Subsidiary cost overruns | Subsidiary budget variance | $200,000 | $400,000 | Head of Finance |
| Substantial increase in Workers' Compensation reserves | Percentage change in WC reserves | 3% monthly | 8% monthly | Head of Audit and/or Risk Management |
| Declining investment portfolio | Monthly change in value of portfolio | 3% monthly | 7% monthly | Head of Finance |
| Decreasing COBRA benefits | Percentage change in COBRA benefits administered | 5% monthly | 8% monthly | Head of Business Unit |

Formal risk appetite statement: sample

This Formal Risk Appetite Statement is drafted solely for the purpose of providing Company XYZ, its subsidiaries and affiliates guidance on how to manage enterprise-wide risks. No statements made herein bind Company XYZ, its subsidiaries and affiliates to any contemplated contracts or agreements. Company XYZ, its subsidiaries and affiliates reserve the right to change any statements made herein with or without notice to any third parties.

Risk Elements and Our Assertions

- Guiding Statement: Company XYZ is an insurance company that exists for the benefit of its policyholders. We protect our brand, maintain adequate capital, run sustainable subsidiary and affiliate operations, carry out core operations and leverage our market share to ensure we return value to our policyholders.
- Brand-making and reputation: Brand protection and enhancements: We strive to proactively avoid any situation or action that has the potential to unnecessarily impair our brand and reputation. This involves ensuring our employees, business partners and policyholders are committed to our values and that their actions and behaviors reflect these values. We believe this is what would allow us to take appropriate actions to preserve the strength of our brand and reputation in the areas of corporate compliance, customer privacy, corporate information security, governance and positive public image.
- Capital Adequacy: Risk-based capital: We will strive to grow to an RBC level appropriate to the risk of our core operations to ensure our sustainability in our market.
  (1) Controlled subsidiaries: Controlled subsidiaries are expected to manage their businesses and operations with the best interest of the shareholder and other appropriate stakeholders in mind. This expectation includes analysis and understanding of the risks associated with business initiatives to be undertaken by the controlled subsidiary. Further, controlled subsidiaries should comply with defined agreements (e.g. inter-company agreements, dividend policies, etc.) and governance processes as established with their shareholder.
  (2) External Portfolio risk: Must contemplate the risk profile of our controlled subsidiaries, the risk profile of our core business and Company XYZ's capital position.
- Contribution to Surplus: Income/earnings: In order to remain viable in our market, we target an annual operating margin of 5% across all core operations. Product segments (both core and non-core) are expected to have a positive contribution to RBC.
- Network Provider Penetration: Provider reimbursements: We will maintain adequate market share to provide the best value to our policyholders. We target no less than 50% of aggregate California health care providers' private payer revenue.
- Operational Risk Parameters: Contract management and bid and proposal review: No projects or bids will be pursued without appropriate review and analysis based on defined governance processes, which should include an assessment of material risks and financial impact.
- Human Resources Risk Parameters: Human Capital: We will ensure Company XYZ has identified key talent and leadership to develop new leaders through defined succession plans and development. We will maintain the resources and tools to attract, develop and retain the employees necessary to fulfill our mission.

Additional Support

- Vision and Mission Statements
- Employee Expenses Reimbursement Policies
- Employment Policies
- Investment Policy
- Intercompany Agreements and Dividend Policies with Subsidiaries
- Human Resources Policies

QUESTIONS

CONTACT INFORMATION

- Augustine Doe, OutsourceRM, adoe@outsourcerm.com, (949) 466-6968
- Ron Marx, Marsh, Ron.Marx@marsh.com, (858) 552-3710