Enterprise Risk Management for Captives and their Parent Organizations Robert J. Walling III, FCAS, MAAA, CERA Principal and Consulting Actuary, Pinnacle Actuarial Resources Barry Franklin SVP & Chief Risk Officer, Zurich North America March 11, 2014
About Rob Walling Principal, Pinnacle Actuarial Resources, Inc. Fellow of Casualty Actuarial Society (FCAS) Committee Chair of Ratemaking, ERM and New Fellows Chartered Enterprise Risk Analyst (CERA) B.S. Secondary Math Education Miami University 1987 Areas of Focus Captives & Alternative Markets, Regulatory, Commercial Lines Ratemaking and Loss Reserving, Expert Witness, Legislative Cost Wife, Anne, and three kids Lifelong Cincinnati Reds fan
Background - Terms. Risk: The potential for future losses or shortfalls from expectations due to deviation of actual results from expected results. Enterprise Risk Management (ERM): The discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders. Initial Premise - Captives of all sizes offer tremendous opportunities for companies to actively engage in ERM in an ever-widening range of risks.
ERM Control Cycle: Identify Risks; Evaluate Risks; Risk Tolerances, Appetites, & Limits; Accept or Avoid Risks; Risk Mitigation; Monitoring/Policing
A Captive's Potentially Expanding ERM Scope [Figure: ERM cycle steps (Identify, Evaluate, Risk Appetite, Accept/Avoid, Mitigate, Monitor) shown across Core Insurance Risk, Insurable Risk and Other Business Risks]
Core Insurance Operations (CORE) - ERM Cycle Step: Activity/Questions. Identify Risks: Are there other coverages in my core insurance program that could be in the captive? Have the core coverages evolved? Evaluate Risks: What are the captive's expected losses? Reinsurance/excess costs? Other coverage alternative costs. Risk Tolerances, Appetites, Limits: Should I adjust my captive's limits/retentions? How much additional loss volatility am I exposed to? Is it worth it?
Core Insurance Operations CORE ERM Cycle Step Accept or Avoid Risk Mitigation Activity/Questions Evaluate cost-benefit. Implement and manage. Actively manage loss control/prevention Monitoring/ Policing Am I capturing sufficient data to actively manage my core insurance program? Would predictive analytics add value?
Insurable Risk - Insurable risk: Random, accidental or fortuitous event; Not under insured's control; Measurable damages; Economically feasible damages; Predictable or estimable; Transfer both timing and economic value
Insurable Risk - Examples: Contingent Business Income (various causes of loss); Cyber Liability; Defense and Legal Expense; Directors & Officers Liability; Employee Dishonesty/Theft; Employment Practices Liability; Errors & Omissions Liability; General Liability Gaps (Contractual, Intellectual Property); Key Person; Reputational Risk; Supply Chain Risk
Other Insurable Risk (Insurable) - ERM Cycle Step: Activity/Questions. Identify Risks: Evaluate corporate financials for potential insurable risks; Input from risk management professionals; Current coverage exclusions/gaps? Evaluate Risks: Actual historical costs; Market comparable pricing, Benchmarks. Risk Tolerances, Appetites, Limits: How much additional risk can I bear in the captive? How does it impact the company's financials and risk profile? Capitalization
Core Insurance Operations Insurable ERM Cycle Step Accept or Avoid Risk Mitigation Activity/Questions Monitoring/ Policing Keep score. What will the captive regulator think? Implement and actively manage Are there educational tools that would reduce risk profile?
Business Risk Business ERM Cycle Step Identify Risks Evaluate Risks Risk Tolerances, Appetites, Limits Activity/Questions Investment Strategy - Interactions with Loss Exposures - Hedging Loss Exposures Dividend Strategy Operational Risks Captive as Profit Center Comprehensive Risk Models Stochastic Models + Deterministic Scenarios Tail Value at Risk (TVAR) How bad is bad? (Black Swan)
Insurable Risk Related-Unrelated Risks Business Owner-Operators (Trucking) Non-employed Physicians Subcontractors Employees (e.g. Group Health Insurance/Benefits) Franchisees (e.g. Restaurants, Hotels, Moving & Storage) Contractors/Installers (for Manufacturers) Key Customers (for Manufacturers, e.g. ProAir) Competitors (e.g. Trucking Cargo & Physical Damage)
Business Risk Insurable ERM Cycle Step Accept or Avoid Risk Mitigation Monitoring/ Policing Activity/Questions Investment Guidelines Compensation Plans (Executive & General) Use Captive for Related-Unrelated Business Implement and actively manage Monitor interactions between risks What additional data do I need/want? What additional opportunities are there?
Conclusion: Captives of all sizes offer tremendous opportunities for companies to actively engage in ERM in an ever-widening range of risks. [Figure: ERM cycle steps (Identify, Evaluate, Risk Appetite, Accept/Avoid, Mitigate, Monitor) shown across Core Insurance Risk, Insurable Risk and Other Business Risks]
About Barry Franklin SVP & Chief Risk Officer, Zurich NA Fellow of Casualty Actuarial Society (FCAS) VP-ERM; Joint Risk Management Section Council Chairman Chartered Enterprise Risk Analyst (CERA) CERA Global Treaty Board B.S. Probability & Statistics NIU 1981 Background: Towers Watson, Corporate ERM practice leader Aon Global Risk Consulting, Group MD Americas Ernst & Young LLP, Partner & Consulting Actuary
Agenda: Recent ERM implementation trends; External influences on ERM implementation; ERM in a larger captive or commercial insurer; Getting started
How many companies have implemented ERM? All respondents: Yes 67%, No 33%. Financial Services: Yes 97%, No 3%. Non-Financial Services: Yes 56%, No 44%. Source: Towers Watson 2013 Risk & Finance Manager Survey
What does ERM look like in most companies? We have identified, assessed and prioritized our key risks and assigned risk owners 78% 90% Our executive committee/board of directors receives regular reports regarding ERM activities and findings 65% 84% We regularly quantify our key risks and use those metrics in making business decisions 31% 55% Our executive committee/board of directors actively uses enterprise risk management as part of their strategic Risk metrics are integrated into our budgeting and planning process Other 0% 8% 36% 24% 29% 22% Cross-functional approach Further developing/formalizing the risk appetite statement Program is beginning in earnest in 2013 We do two formal risk assessments per year, followed by a year-end report to the Audit Committee Financial Services, including Insurance n=31 Non-Financial Services n=51 Source: Towers Watson 2013 Risk & Finance Manager Survey
For those that said no to ERM, why not? Nobody has been able to articulate the value of implementing ERM to our company: 34%. Too resource intensive and expensive to pursue, regardless of value: 22%. We did an initial ERM project that was not viewed as successful: 15%. Too compliance oriented and bureaucratic to pursue, regardless of cost: 10%. Other: 19%. Other responses: ERM effort underway but not yet formalized; Handled at corporate level; Having an ERM program is not something we are focusing on at the time; Informal ERM in place; It's being developed; No interest from senior management; We are in the process of developing a model that will be effective in our organization; We have a partial ERM process residing within Internal Audit department. Source: Towers Watson 2013 Risk & Finance Manager Survey
Do companies communicate risk information in financial metrics that are important to the company? Financial Services, including Insurance n=32 Non-Financial Services n=91 No 50% Yes 50% No 59% Yes 41% Source: Towers Watson 2013 Risk & Finance Manager Survey
Do companies communicate risk information in financial metrics that are important to the company? Financial Services, including Insurance n=32 Non-Financial Services n=91 Could this signal heat map overload? No 50% Yes 50% No 59% Yes 41% Source: Towers Watson 2013 Risk & Finance Manager Survey
Is the risk management function integrated into the strategy and business planning process? Very integrated - the organization actively uses ERM-defined risk processes to make decisions and risk management is an active participant in the organization's strategy and business planning process 3% 3% Integrated - risk management has set an ERM process in place and has managed to make it a part of the organization-wide strategy setting 17% 31% Somewhat integrated - risk management is involved, but generally as a passive participant 44% 43% Minimally integrated - risk management is sometimes asked for input, but is generally not an integral part of the process 19% 24% Not integrated - risk management's role is primarily limited to risk financing decisions 3% 13% Source: Towers Watson 2013 Risk & Finance Manager Survey Financial Services, including Insurance n=32 Non-Financial Services n=91
External factors impacting ERM practices Just to name a few: Standard & Poor's ERM credit rating criteria Solvency II ORSA CIMA Cayman Risk Management Rule Bermuda Insurance Code of Conduct Outside directors and board best practices Credentialing organizations CFA Institute, AICPA, AFP, CAS, SOA, CIA, The Institutes (CPCU), CERA, RIMS, etc.
The link between your ERM process and your captive. Whichever ERM framework you use, your captive needs one too - you are running an insurance company. Frameworks shown: COSO ERM; ISO 31000. Key elements your ERM framework must have: Risk Organization and Governance Structure; Risk Appetite, Tolerance and Limits; Risk Management Process, Procedures and Controls; Risk Metrics and Measurement; Risk Monitoring, Reporting and Communication
Impact of representative risks facing insurers. Table columns: Risk Category; Small Captive; Large Captive; Carrier. Risk categories: Failure of fronting company/primary carrier; Failure of excess carrier/reinsurer; Internal fraud; External fraud; Investment/asset risk; Loss reserve volatility; Loss of favorable tax treatment; Loss of key personnel; Dependency on third party service providers; Insurance industry competitive climate; Impact of large or catastrophic claims; Adverse court interpretations of policy terms; Regulatory non-compliance; Weak claims management processes; Inadequate pricing or underwriting
Example of commercial insurance ERM: Zurich. Mission: The mission of risk management at Zurich is to promptly identify, measure, manage, report and monitor risks that affect the achievement of strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group's stated risk tolerance to respond to new threats and opportunities in order to optimize returns. Objectives: Protect the capital base by monitoring that risks are not taken beyond the Group's risk tolerance; Enhance value creation and contribute to an optimal risk-return profile by providing the basis for an efficient capital deployment; Support the Group's decision-making processes by providing consistent, reliable and timely risk information; Protect Zurich's reputation and brand by promoting a sound culture of risk awareness and disciplined and informed risk taking
Risk taking and risk control at Zurich - Three lines of defense. Line 1 - Business management owns all risks: 1. Business takes risk decisions optimizing risk/return 2. Business manages risks every day 3. Business mitigates risks where necessary. Line 2 - GRM ensures a consistent risk & control framework: 1. Develops and implements Enterprise Risk Management framework and Zurich Risk Policy (ZRP) 2. Establishes methodologies to measure and assess risk 3. Monitors Zurich risk exposure against the Group's risk tolerance and sets risk limits 4. Develops and operates appropriate risk & control infrastructure, incl. risk aggregation and risk reporting. Line 3 - Audit provides independent oversight and assurance: 1. Audit assesses the effectiveness of the risk framework 2. Audit builds on risks identified by GRM for planning its activities 3. Audit independently monitors effectiveness of controls
Risk taking and risk control at Zurich - Three lines of defense. Line 1 - Business management owns all risks: 1. Business takes risk decisions optimizing risk/return 2. Business manages risks every day 3. Business mitigates risks where necessary. Line 2 - GRM ensures a consistent risk & control framework: 1. Develops and implements Enterprise Risk Management framework and Zurich Risk Policy (ZRP) 2. Establishes methodologies to measure and assess risk 3. Monitors Zurich risk exposure against the Group's risk tolerance and sets risk limits 4. Develops and operates appropriate risk & control infrastructure, incl. risk aggregation and risk reporting. Difference in ERM maturity lies in the 2nd line of defense. Line 3 - Audit provides independent oversight and assurance: 1. Audit assesses the effectiveness of the risk framework 2. Audit builds on risks identified by GRM for planning its activities 3. Audit independently monitors effectiveness of controls
Zurich's ERM approach - an integrated view
Risk and control governance at Zurich
Getting started: Identify all key captive management processes; Map captive work flow processes; Propose draft risk assessment criteria and discuss risk tolerance with captive board and parent company; Agree on the process for risk assessment, mitigation and reporting; Identify the team that will own the process and their roles; Know where you are going - make sure all key stakeholders are aligned on the desired level of ERM maturity for your organization
Questions and/or Comments? Thank you for attending today's session!