ERM and ORSA are they the same? Focus on Active Risk Management

Transcription:

ERM and ORSA are they the same? Focus on Active Risk Management

Doug Caldwell, Chief Risk Officer, ING Asia Pacific
Session Number: TBR4
Joint IACA, IAAHS and PBSS Colloquium in Hong Kong
www.actuaries.org/hongkong2012/

A few opening thoughts

- it is often said that life insurance is a long term business, but that is only the case if our firms survive to the long term
- effective risk management is not about predicting the future as much as it is about preparing for what is possible - Larry Rubin, PwC
- we manage our business in Mediocristan, but we often find ourselves in Extremistan - as explained by Nassim Taleb in his book, The Black Swan

Risk Management is important for each business to achieve its goals through a turbulent and often unpredictable environment. All stakeholders should have a focus on building a profitable and sustainable business that is able to meet promises to its customers, employees, and investors in a wide range of future scenarios.

ERM and ORSA may have a slightly different focus but are a call to holistically and actively risk manage our business at all levels and functions of the organization.

ING Asia Pacific 2

What is ORSA? Own Risk and Solvency Assessment

Definition

The ORSA is the entirety of the processes and procedures employed to identify, assess, monitor, manage, and report the short and long term risks a (re)insurance undertaking faces or may face and to determine the own funds necessary to ensure that the undertaking's overall solvency needs are met at all times. *

* Source: 9 of CEIOPS Issues Paper on the Own Risk and Solvency Assessment, CEIOPS-IGSRR-09/08, May 2008

Objectives

To ensure that the insurance companies:
- identify and assess all risks they are (or could be) exposed to;
- maintain sufficient capital to face these risks; and
- develop and better use risk management techniques in monitoring and managing these risks

What is ERM? Enterprise Risk Management

Definition

ERM is a business discipline to ensure holistic, thorough, and consistent management of all risks to the business objectives

Objectives

- to provide reasonable assurance on the realization of entity objectives (= controlling your business)
- strategy realization - applied in strategy setting and across all functions of the enterprise
- to identify potential events that may affect the entity, and manage risks (negative events) to be within its risk appetite

ERM approach

At the centre: ERM culture throughout the organization

- Objective Setting: Are our business objectives specific and clear?
- Event Identification: Which events (internal changes, operational errors, fraud, external events etc.) have the potential impact on our objectives?
- Risk Assessments: How often can the key risk events occur (frequency) and what is their impact?
- Risk Response: How will we cope with key and material risks?
- Control Activities: What types of Control will we apply for the risks we want to address? Preventative, Detective, Transfer?
- Information and Communication: Is Management Communication effective? Is Communication to all employees adequate?
- Monitoring: Do we perform the right ERM activities? Are they effective?

ERM and ORSA: Similar but Different Focus

Similarities (ERM & ORSA)

- Require management teams to focus on understanding risk
- Risk analysis used in all decision making
- Everyone is involved in managing risk
- Important KPI

Differences: Focus of Risk Assessment

- ERM: Solvency, Profits, Franchise Value
- ORSA: Solvency

Examples: Loss of key distribution partner or a tax law change may impact profits/franchise value but not hurt solvency

Another view of this: Active Risk Management

Insurance entities usually have many components of effective risk management

[Diagram labels: Historical Risk Management components; Active Risk Management; ORSA; ERM]

- Active Risk Management: Active Risk Management is transparent, efficient, and actionable to mitigate/take risks where necessary to meet our business objectives
- ORSA: ORSA focuses management on controlling the risk of insolvency and of inability to meet customer promises
- ERM: ERM is a business discipline to ensure holistic, thorough, and consistent management of all risks to the business objectives

Active Risk Management

Everyone takes risks actively, not passively

- Covers risk to key objectives: Encompassing all our risks to key business objectives
- Eyes wide open: Managing risks with our eyes open to risks
- Systematic and Complete: Being Systematic and Complete in our assessment of risks throughout our organization and developing appropriate Risk and Control Registries that we monitor, analyze and report
- Clear, Transparent and Documented: Write it down so it is clear and transparent. Taking risks is part of our business and all risks can not be mitigated (either impossible or not cost justified), but we should know well which risks we choose to take and why
- Not by chance: Instead of chance, business considers the question: Which risk should we take?
- Role of everyone to identify risk: Role of everyone to identify risk and role of management to decide which risks to take. Everyone in business is responsible for risks in their domain and not just the risk teams.

Active Risk Management Framework

Risk Governance and Decisions

- Three Lines of Defense
- Risk Appetite & Tolerances
- Risk Committees
- Formalized Policy House: Minimum Standards, Procedures, Guidelines
- Model Governance
- Risk Limits
- Risk Acceptances
- Management actions based on analysis and reporting provided ("Use")

Risk Measurement

- Economic Capital
- Non-Financial Risk Dashboard
- Risk calculations focused on important balance sheets (economic, regulatory, shareholder reporting)
- Management risk information on key risks for business
- Stress Testing
- Scenario planning

Risk Analysis and Reporting

- Key Risk and Control Registry
- ERM Management Reports
- Financial/market risk reporting including liquidity risk
- Insurance and reinsurance risk analysis
- Franchise value risk analysis
- Annual Risk Reporting to Regulators (ORSA)
- Incident and Loss analysis/reporting
- Audit and Non-audit issues analysis and reporting

Key Risks Registry

Each leader understands the risks in their area of responsibility better than anyone else. Thus they need to determine the key risks to the overall value or capital position of the franchise.

Annual Risk Assessment by each Function

- Senior Management Team determine to Accept or do something about the Risks.
- Responsible Managers at approximately top 4 levels of the business are responsible to identify key unmitigated risks currently in their area of responsibility.
- Facilitated by Operational Risk, Insurance Risk, Compliance & Legal (integrated approach)

[Diagram: organization chart with Top Level (CEO & Management Team) and Levels 1 to 3 (direct reports); labels: "Assess", "Approx. 200 risks", and "10-12 key risks (1 mth to complete)" repeated across the chart]

The Key Risk registry is a regular process to understand key risks to value and capital at all levels of organization culminating in a determination of the most important unmitigated risks for the business. An action plan or risk acceptance is developed for all risks identified in the organization. All risks are important to monitor and decide actions. This process can be done based on departments or value/process chains.

Key Risks Assessment cycle

Risk Assessment: Iterative process

Each of the management layers spends one four-hour meeting to perform this risk assessment and then documents and finalizes it for the next layer.

Cycle steps:
- Consider business Value and Capital Requirements
- Initiate Risk Assessment
- Identify Key Risks & document them
- Determine to Accept or Address
- Monitor actively and report
- Management actions / decisions for future plan and objectives

Clear understanding what to assess risks against:
1. Be clear about what represents value and the capital policy
2. Management Team communicates this to all managers in your departments with relevance to your key processes in the department

Considerations:
1. Consider the key processes in your department for which you are responsible
2. How can they impact Value and Capital?
3. Consider past incidents/events and potential future events

Key Processes:
1. Where could current controls fail (operational errors can occur)?
2. Where could Fraud occur?
3. What Market behavior could impact your key processes?
4. What IT failures could occur and their impact?
5. Potential risks where we would not meet Regulatory Compliance?

Key Risks identified:
1. What are the potential impact and frequency of these risks occurring?
2. Is it within risk tolerance to accept or does it need to be addressed?
3. If to accept, execute standard risk acceptance process
4. If to address, what controls will be applied? Preventative, Detective, Transfer

New Key Risks and controls identified:
1. Enter into Key Risk Register with details required
2. Set up monitoring around these and report on them regularly in line with overall risk levels.

Risk Committees and then to CEO & Management Team:
1. Based on Key Risks, decide if it is acceptable and decide what changes, if any, need to be made
2. Ensure the Key Risk Assessments are a continued cycle ongoing in each department to actively identify and manage risks in the organization

Identifying the Key Risks in a department

WHAT REPRESENTS VALUE?
Example:
- Increase sales by x%
- New business of x
- Gain market share by x

WHAT IS POLICY WITH RESPECT TO CAPITAL?
Example:
- We want our capital to be ZZZ% of minimum regulatory capital
- Pay XX mln dividend per year

What are the KEY RISKS to VALUE and CAPITAL (from your department)? [Examples below - not exhaustive list]

- Risk of incomplete business strategy decision leading to unexpected losses
- Risk that errors in processing claims are undetected due to lack of independent confirmation
- Risk of unidentified control weaknesses or undetected fraud due to the lack of staff rotation or cross-checking leading to financial loss
- Risk of losing market share due to hyper aggressive competition
- Risk that in suspense accounts aged items are greater than threshold resulting in irregularities not being detected and investigated on a timely basis
- Risk of Agents signing off policy documents on instruction from Customers as a matter of convenience that could result in regulatory or reputational/financial loss
- Risk that activities and transactions with external parties are carried out and approved by unauthorised power of attorney leading to loss and reputational damage
- Risk of sharply increasing interest rates leading to lower capital ratio and liquidity crunch from higher surrenders
- Risk that complaint handling process is ineffective with possible impact on reputational, regulatory and financial representation
- Risk of negative publicity caused by disputes with employees or agents over unfounded allegations, defamation, invasion of privacy, wrongful termination/dismissal
- Risk due to excessive outflow of staff / employees leading to financial impact or reputational damage as an employer of choice
- Risk of poor project management leading to losses from incomplete or overbudget projects
- Risk that sophisticated Cyber attacks could lead to leakage of passwords, customer data and other internal data
- Risk that the IT outsourcing service provider does not meet security standards leading to loss of confidential data
- Risk that the existing Business Continuity Plan has important unresolved issues rendering it incapable of addressing the need to restore the critical IT systems
- Risk of employment of personnel who are not qualified for the role; have a criminal record; or make false representations leading to loss and reputational damage
- Reputation risk of unauthorized sales website publishing wrong information on products

Stress testing

Stress testing: Financial market events that lead to insolvency or other major business disruptions

Historical scenarios, examples:
- 1997 Asian Financial Crisis
- 2008 Global Financial Crisis
- Historical flu epidemics

Forward looking scenarios, examples:
- China hard landing
- EUR break up
- Korean war or unification
- Kanto Earthquake
- War in the Middle East
- Depression

Reverse Stress Testing: In what circumstances would the company become insolvent or would the business model break?

Financial examples:
- Liquidity problems, failure to pay the bills. Mass lapse. Rating downgrade of portfolio bonds to junk status
- Insolvency from failed hedging programs and/or ALM strategy

Non-Financial examples:
- License suspended
- Irreversible damage to brand/reputation

Stress testing is very important in an Active Risk Management, ERM, or ORSA process. Management should be clear what could happen in tail event scenarios and decide what should be done to mitigate those risks.

Reverse stress testing identifies circumstances in which a company could go insolvent and then back solves for scenarios that could create such circumstances. Reverse stress testing should be performed annually and provides input for the final Key Risk Registry.

It is often useful to follow up Stress Testing with Scenario Planning. Scenario Planning uses BCP style techniques to walk through the scenario and make decisions and build a plan how to react.

Market Risks at Extreme Rates?

How well does management understand risks?

ALM implications for product with options at extreme rates - Bonds cannot match interest rate risk across rate possibilities

- Value of block is reasonably stable for normal rates (mediocristan)
- Value of block decreases significantly at extreme rates (extremistan)

What if the unthinkable happens.

- terrorists gain access to weapons of mass destruction and use them
- next health epidemic breaks out causing large scale quarantine and large loss of economic activity
- oil prices double from current levels
- interest rates hit Japan levels worldwide for a decade
- interest rates triple from current levels
- multiple risks combine leading to much higher losses than anticipated in single risk focus
- liquidity sources evaporate
- war breaks out
- mass violent protests occur in multiple Asian countries
- the major thing that we are not thinking about happens

ERM Management Report: how can we get the key points to Sr Mgt and Board?

Management Summary (1 page)

High Level Risks (2 pages)
- Systemic: the most important sector developments (emerging risks) which concern the Board collectively regardless of strategy
- Business: the most important risks to our strategy realisation (business risks) for which action is required and possible

Major Financial Risks (2 pages)
- Short term: financial risks affecting short term (<12 months) solvency and value
- Long term: scenarios and sensitivities affecting our Financial Risk Metrics, Liquidity and Capital / actions required

Major Non Financial Risks (2 pages)
- Short term: the most important risks & incidents which concern the board collectively and could have a major indirect impact on our strategy
- Long term: overall picture and outlook

Capital Management (2 pages)
- Short term: current capital position
- Long term: Projected capital under normal business and stressed scenarios / mgt actions

Internal Audit Report (1 page)

A 10 page report can be used to focus senior management and help them actively manage the most important risks for the organization.

A few closing thoughts

- it is often said that life insurance is a long term business, but that is only the case if our firms survive to the long term
- effective risk management is not about predicting the future as much as it is about preparing for what is possible - Larry Rubin, PwC
- we manage our business in Mediocristan, but we often find ourselves in Extremistan - as explained by Nassim Taleb in his book, The Black Swan

If ERM and ORSA are about setting a risk appetite and balancing short and long term success, then an interesting question, for large shareholder owned firms: which parties are focused on the long term?