Enterprise Risk Management Symposium Chicago, April 26-27, 2004 The New COSO Enterprise Risk Management Framework - PowerPoint PPT Presentation

Slides: 62
Provided by: nhilai
Learn more at: http://www.casact.org
Transcript and Presenter's Notes



1
Enterprise Risk Management Symposium
Chicago, April 26-27, 2004
The New COSO Enterprise Risk Management Framework
How to Make it Relevant
Presented by
Doug Brooks, SunLife
Joel Aronchick, Chubb
Richard Reynolds, PwC
2
Agenda
  • Overview of COSO ERM Framework
  • Comments of the American Academy of Actuaries
  • Perspectives on Applying ERM
  • SunLife
  • Chubb
  • Open Discussion

3
Overview of COSO ERM Framework
  • COSO ERM project launched in 2001 (PwC Authored)
  • Builds on COSO Internal Control Framework (PwC
    Authored)
  • Consists of conceptual framework and application
    guidance

4
Why ERM is Important
  • Underlying principles
  • Every entity, whether for-profit or not, exists
    to realize value for its stakeholders.
  • Value is created, preserved, or eroded by
    management decisions in all activities, from
    strategy setting to operating the enterprise
    day-to-day.
  • ERM supports value creation by enabling
    management to
  • Deal effectively with potential future events
    that create uncertainty.
  • Respond in a manner that reduces the likelihood
    of downside outcomes and increases the upside.

5
Enhancing Management Capabilities
  • Enterprise risk management provides enhanced
    capabilities to
  • Align risk appetite and strategy
  • Link growth, risk and return
  • Enhance risk response decisions
  • Minimize operational surprises and losses
  • Identify and manage cross-enterprise risks
  • Provide integrated responses to multiple risks
  • Seize Opportunities
  • Rationalize capital

6
Framework Components
The Framework Has Eight Interrelated Components
7
Key Concepts Categories of Objectives
  • Entity objectives can be viewed in the context of
    four categories
  • Strategic
  • Operations
  • Reporting
  • Compliance

8
Key Concepts Entity-wide
  • ERM considers activities at all levels of the
    organization
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes

9
Key Concepts Portfolio View
  • Enterprise risk management requires an entity to
    take a portfolio view of risk.
  • Management considers how individual risks
    interrelate.
  • Management develops a portfolio view from two
    perspectives
  • Business unit level
  • Entity level

10
Internal Environment
  • Establishes a philosophy regarding risk
    management. It recognizes that unexpected as
    well as expected events may occur.
  • Establishes the entity's risk culture.
  • Considers all other aspects of the organization's
    actions, including
  • oversight by the board of directors
  • The integrity and ethical values
  • Competence of the entity's people
  • Management's philosophy and operating style
  • The organizational structure of the entity
  • Mechanisms used by management to assign authority
    and responsibility
  • Mechanisms used by management to organize and
    develop its people.

11
Objective Setting
  • Is applied in objective-setting when management
    considers risk strategy in the setting of
    objectives.
  • Forms a risk appetite at the entity level. This
    risk appetite is encompassed in policy,
    guidelines and procedures. It is a high-level
    view of how much risk management and the board
    are willing to accept.
  • Establishes risk tolerances, which are the
    acceptable level of variation around objectives,
    and align with risk appetite.

12
Event Identification
  • Distinguishes risk and opportunity
  • Events that may have a negative impact represent
    risks.
  • Events that may have a positive impact represent
    natural offsets or opportunities, which
    management channels back to strategy setting.
  • Involves identifying those incidents, occurring
    internally or externally, that could affect
    strategy and achievement of objectives.
  • Addresses how internal and external factors
    combine and interact to influence its risk
    profile.

13
Risk Assessment
  • Allows an entity to understand the extent to
    which potential events might impact objectives.
  • Assesses risks from two perspectives: likelihood
    and impact.
  • Normally assesses risks using the same unit of
    measure as that used to measure the related
    objectives.
  • Employs a combination of both qualitative and
    quantitative risk assessment methodologies.
  • Relates the time horizons to objective time
    horizons.
  • Assesses risk on both an inherent and residual
    basis.

14
Risk Response
  • Identifies and evaluates possible responses to
    risk.
  • Evaluates options in relation to the entity's risk
    appetite, cost vs. benefit of potential risk
    responses and the degree to which a response will
    reduce impact and/or likelihood.
  • Selects and executes its response based on
    evaluation of the portfolio of risks and
    responses.
  • Assessment of and response to risks are integral
    components of ERM; which specific response is
    selected is not.

15
Control Activities
  • Control activities are the policies and
    procedures that help ensure that the risk
    responses, as well as other entity directives,
    are carried out.
  • Occur throughout the organization, at all levels
    and in all functions.
  • Includes application controls and general
    information technology controls.

16
Information and Communication
  • Information is needed at all levels of an entity
    in identifying, assessing, and responding to
    risk.
  • Management identifies, captures and communicates
    pertinent information in a form and timeframe
    that enables people to carry out their
    responsibilities.
  • Communication occurs in a broader sense, flowing
    down, across and up the organization.

17
Monitoring
  • Monitors the ongoing effectiveness of the other
    enterprise risk management components through
  • Ongoing monitoring activities
  • Separate evaluations
  • A combination of the two

18
Other Key Concepts - Roles and Responsibilities
  • Four broad areas of roles and responsibilities
  • Management
  • The Board of Directors
  • Risk officers
  • Internal auditors

19
Relationship with Internal Control
  • Relationship with Internal Control - Integrated
    Framework
  • ERM expands and elaborates on elements of
    internal control as set out in COSO's Internal
    Control - Integrated Framework (IC-IF).
  • ERM includes objective setting as a separate
    component. The IC-IF sets out objectives as a
    prerequisite for internal control.
  • The ERM framework's Reporting category of
    objectives expands the IC-IF Financial
    Reporting category.

20
Relationship with Internal Control
  • Effective internal control is necessary for
    effective enterprise risk management.
  • The ERM framework expands on the risk
    assessment component of IC-IF, separating it
    into three ERM components.
  • The ERM framework elaborates on other components
    of IC-IF as they relate to enterprise risk
    management.

21
Leading organizations have many building blocks
in place. The challenge is in creating seamless
connectivity top to bottom.
SVA / Risk Adjusted Performance Measurement
  • Link risk adjusted performance measurement to
    shareholder value and planning processes
  • Align performance measures with desired behavior
  • Rebalance, hedge the portfolio (capital
    optimization)
  • Correlation, VaR, marginal contribution

Active PM
  • Manage concentrations through limits
  • Establish allowances (capital preservation)

Portfolio Risk
Traditional PM
  • Portfolio reporting and analysis
  • Aggregation of exposure (notional risk
    adjusted)
  • Analysis of loss/default experience
  • Data management / MIS

Portfolio Risk Identification
Linking the Building Blocks
  • Relationship profitability analysis
  • Risk adjusted pricing (value creation - MTM /
    RAROC)
  • Structuring individual transactions
  • Allocation of limits to clients / products

Transactional risk management
Transaction Risk
  • Risk Assessment
  • Risk Modeling
  • Pricing Analysis
  • Client, Industry and Market information

Transactional risk identification
Data Management
  • Data acquisition, maintenance and distribution

22
We have utilized the following framework with
several leading financial institutions to gain
better role clarity, particularly around the
integration of strategic, financial and risk
management planning.
Diagram: Business Cycle (Business Strategy and Planning; Business Process and Execution; Evaluation; feedback loop: Validate/refine strategy)
  • Business mission and strategy
  • Value proposition and risk appetite
  • Organization and governance
  • Business planning and budgeting processes
  • Capital allocation and balance sheet management
  • Business and individual performance objectives
  • Risk policies and procedures
  • Risk measurement methodologies
  • Risk-based pricing and customer profitability
  • Risk aggregation and reporting
  • Active portfolio and balance sheet management
    strategies
  • Value drivers
  • Internal reporting
  • Performance measures
  • External disclosure

Diagram: Risk Management Systems Infrastructure (Procedures, Analysis, Limits, Key Controls, Capital, Policy, Reporting; feedback loop: Re-allocate capital/limits)
23
The first step toward implementation is ensuring
the business units and support functions have
clearly defined, collaborative roles supported by
appropriate infrastructure elements.
Illustrative diagram: Business Cycle (Set Strategy, Budget/Plan, Execute, Control, Evaluate; feedback loop: Validate/refine strategy) mapped against Business Units, Financial Control, Corporate Risk Management and Corporate Audit, supported by the Risk Management Infrastructure (Procedures, Analysis, Limits, Key Controls, Capital, Policy, Reporting; feedback loop: Re-allocate capital/limits)
24
Agenda
  • Overview of COSO ERM Framework
  • Comments of the American Academy of Actuaries
  • Perspectives on Applying ERM
  • SunLife
  • Chubb
  • Open Discussion

25
General
  • COSO Framework is an important contribution to
    raising awareness of enterprise risk management
  • Three-dimensional structure
  • Valuable tool to assist auditors in assessment of
    the nature of a company's risk framework

26
Framework Goals
  • A risk management framework needs to include a
    continuous, comprehensive review of the risks
    facing an organization, and their interactions
  • Reputation is a particularly significant concept
    that needs to be reflected in a framework;
    different companies will have very different
    exposures to reputational consequences

27
Risk as Opportunity
  • A risk management framework must recognize that
    risk is necessary and appropriate
  • Risk management is not defensive in nature
  • Risk-return tradeoffs are an integral part of the
    strategic management process of organizations
  • Risk management should enhance profit

28
The External Environment
  • COSO framework primarily addresses internal
    issues, and only tangentially external risks
  • Risk factors are often beyond management's
    control
  • External risks are particularly important in the
    insurance industry
  • Importance of the interaction of companies' internal
    processes with external factors

29
Other Issues
  • Interdependencies of risks
  • Long-Term vs. Short-Term focus
  • Roles and Transparency
  • Risk Quantification

30
Actuarial Expertise
  • Risk management techniques: measurement, exposure
    reports, risk limits, risk controls
  • Risk analysis of new products, investments and
    projects; risk-adjusted product pricing; risk
    mitigation strategies
  • Earnings volatility analysis and subsequent risk
    mitigation strategies
  • Risk adjusted financial measurement and reporting
  • Economic capital measurement and management

31
Actuarial Models
  • Financial simulations based upon capital
    management strategy, asset/liability analysis
  • Portfolio analysis systems
  • Monte Carlo models and regime-switching models
    for interest rate scenario generation for
    financial reporting or strategic development of
    investment options
  • Credit risk modeling and management;
    solvency-related pricing of financial products
  • Hedging and other risk management quantification
    techniques

32
Agenda
  • Overview of COSO ERM Framework
  • Comments of the American Academy of Actuaries
  • Perspectives on Applying ERM
  • SunLife
  • Chubb
  • Open Discussion

33
Perspectives on Applying ERM SunLife
34
Background
  • Sun's approach developed largely as the result
    of a number of serious issues
  • Guaranteed Annuity Options in the UK
  • Pension Misselling in the UK
  • Reinsurance problems
  • Trust Company
  • Vanishing Premiums

35
Risk Management Framework
36
Objectives of Risk Management
  • Avoid risks that could materially affect the
    value of the company
  • Contribute to sustainable earnings
  • Take risks that the company can manage in order
    to increase returns
  • Provide transparency of the company's risks
    through internal and external reporting

37
Risk Philosophy
  • Our business is accepting risks for appropriate
    returns
  • Driven by shareholder and policyholder
    expectations, external ratings and positioning in
    the market place, we will take on risks that meet
    the organization's objectives
  • Alignment with corporate vision and strategy
  • Embedded into the business management practices
    of every Business Group leader

38
Risk Culture
  • Key components
  • Risk Consciousness
  • Accountabilities
  • Discipline
  • Collaboration
  • Communication

39
Risk Management Structure
40
Risk Categorization
41
Risk Categorization
  • Categories
  • Sub-categories
  • Source
  • Exposure Triggers
  • Direct Consequences

42
Desired Risk Profile
  • Risk Filter
  • return/volatility
  • capability to manage risk
  • identify and understand risk
  • appropriate level of monitoring and reporting as
    well as the infrastructure to support monitoring
    and reporting
  • ability to act on mitigation plans

43
Desired Risk Profile
Columns: Acceptable within policy tolerances / Corporate Approval / Coordination / Unacceptable Risks
  • Credit Risk: Risk A, Risk B, Risk C
  • Market Risk: Risk D, Risk E, Risk F, Risk G, Risk H, Risk I
  • Insurance Risk: Risk J, Risk K, Risk L, Risk M, Risk N
  • Operational Risk: Risk O, Risk P, Risk Q, Risk R, Risk S
44
Risk Management Reporting
  • Ongoing reporting processes
  • Market Risk Tolerance Limits
  • Earnings at Risk
  • Top-10 Risk Report
  • Regular Compliance Reports
  • Regular reports on specific issues
  • Equity-related Guarantees and Hedges
  • Guaranteed Annuity Options (GAO)
  • Ad hoc reports

45
Market Risk Tolerance Limit (MRTL) Report
  • Tests sensitivity of the company's income to
    changes in the interest rate and equity market
    environments
  • Results compared to tolerance limits

46
MRTL Report - Interest Rates
47
MRTL Report - Equity Markets
48
Earnings-at-Risk (EaR) Report
  • Looks at sensitivity of the company's income to
    interest rate, equity market and currency changes
  • Tests sensitivity at the 95th percentile level
    based on 10,000 scenarios
  • Chart on next slide shows these sensitivities in
    the form of cones by risk and by business unit
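As an added illustration, not from the presentation, a small Monte Carlo Earnings-at-Risk calculation in the shape the slide describes: linear income sensitivities by business unit and risk factor, 10,000 scenarios, and the 95th-percentile loss reported per factor, per unit and for the company as a whole. The business units, sensitivities and volatilities are constructed for the example and are not SunLife's figures.

```python
"""Earnings-at-Risk (EaR) at the 95th percentile over Monte Carlo scenarios."""
import random
from typing import Dict, List

# Constructed: change in annual income ($M) per one-unit shock, by business
# unit and risk factor. Shock units: rates = 100bp, equity = 10% index move,
# fx = 10% currency move. Not real company figures.
SENSITIVITIES: Dict[str, Dict[str, float]] = {
    "Individual": {"rates": -120.0, "equity": 80.0, "fx": 15.0},
    "Group": {"rates": -40.0, "equity": 10.0, "fx": 5.0},
}
# Constructed one-year shock standard deviations in the same units.
VOL: Dict[str, float] = {"rates": 1.0, "equity": 1.5, "fx": 0.8}


def simulate_shocks(n: int, seed: int = 1) -> List[Dict[str, float]]:
    """Draw n independent normal scenarios covering every risk factor."""
    rng = random.Random(seed)
    return [{f: rng.gauss(0.0, sd) for f, sd in VOL.items()} for _ in range(n)]


def income_change(unit: str, shock: Dict[str, float], factors: List[str]) -> float:
    """Linear income response of one unit to the listed factors in one scenario."""
    return sum(SENSITIVITIES[unit][f] * shock[f] for f in factors)


def earnings_at_risk(changes: List[float], confidence: float = 0.95) -> float:
    """Loss exceeded in only (1 - confidence) of scenarios: the negated
    (1 - confidence) quantile of income change. Positive means a loss; a
    negative value means even the tail scenario is a gain."""
    ordered = sorted(changes)
    idx = min(len(ordered) - 1, int(round((1.0 - confidence) * len(ordered))))
    return -ordered[idx]


def ear_report(shocks: List[Dict[str, float]], confidence: float = 0.95) -> Dict[str, Dict[str, float]]:
    """EaR by business unit and risk factor ("cones" by risk), plus the
    diversified figure ("all") per unit and for the whole company."""
    factors = list(VOL)
    report: Dict[str, Dict[str, float]] = {}
    for unit in SENSITIVITIES:
        report[unit] = {
            f: earnings_at_risk([income_change(unit, s, [f]) for s in shocks], confidence)
            for f in factors
        }
        report[unit]["all"] = earnings_at_risk(
            [income_change(unit, s, factors) for s in shocks], confidence)
    total = [sum(income_change(u, s, factors) for u in SENSITIVITIES) for s in shocks]
    report["Company"] = {"all": earnings_at_risk(total, confidence)}
    return report


if __name__ == "__main__":
    for unit, row in ear_report(simulate_shocks(10_000)).items():
        print(unit, {k: round(v, 1) for k, v in row.items()})
```

Because the factor shocks are independent, a unit's diversified EaR comes out well below the sum of its stand-alone per-factor figures, which is the point of reporting both views side by side.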

49
Earnings at Risk Report
50
Common Currency Risk Distribution
Chart: distribution shown on an Economic and a Regulatory basis
51
Top-10 Risk Process
  • Bottom-up Process with Structure
  • encourages discussion and learning
  • provides focused and actionable results
  • provides form and forum for follow-up
  • information is accessible and understandable in
    addressing both financial and non-financial risks

52
Worldwide Top Ten Risks
53
Key Elements of ERM
  • Development of a cohesive and integrated risk
    management framework
  • A target risk profile
  • A common language in which to discuss risk and
    return
  • A common measurement framework for quantifiable
    risks
  • Comprehensive risk reporting
  • Policies and limits to guide business activities
  • Risk/Return culture
  • Continual development of technical tools and
    processes

54
Perspectives on Applying ERM Chubb
55
Chubb Snapshot
  • Founded 1882--incorporated 1967
  • Chubb Corp. is a holding company for various
    insurance companies
  • (Federal, Vigilant, Pacific Indemnity, Chubb
    Europe, etc.)
  • 12th largest U.S. P&C group based on 2002 NWP
  • At December 2003
  • 8.5 billion shareholders' equity
  • 38.4 billion total assets
  • 12,300 people - over 5 continents
  • 11.1 billion NWP (82% U.S., 18% Foreign)
  • 95.3% C/R; 1.4 billion pre-tax P&C income
  • A A. M. Best financial strength ratings (AA
    from S&P)
  • excl. A&E

56
History of ERM at Chubb
  • Conservative company rooted in matrix management
    and specialized underwriting culture, since 1882
  • Senior Underwriting Officer typically set
    individual risk tolerances
  • Creation of Strategic Business Unit concept 1999
  • Enron-WTC et al. validates need for ERM
  • Dis-establishment of Senior Underwriting Officer
    position 2002
  • Sarbanes - Oxley enacted
  • Chief Risk Officer position established Dec. 2003

57
Laying the Foundation for ERM
  • Strong emphasis from the Board Chairman
  • Underwriting, asset and credit risks had been
    managed as single impact events
  • Organizational complexity requires coordinated
    assessment and direction
  • Evolving exposure patterns not readily adaptable
    to smoke stack management
  • Varying levels of risk appetites exist within and
    across the company
  • Scorekeeping issues can impede economic decisions
    on retained exposure

58
Global ERM Process Challenges
  • Identify-assess-value-prioritize major corporate
    risks
  • Assure key risks and exposures are understood
    and mitigated
  • Install monitoring and tracking tools for
    exception reporting
  • Develop a volatility to earnings strategy
    protect balance sheet
  • Integrate a sensible risk taking approach across
    the organization
  • Establish communication and information sharing
  • Help support growth opportunities across the
    enterprise
  • Watch the store

59
Changes Made
  • All operating units moved to a capital
    ownership-return model
  • Formalized risk quantification process underway
  • Exception routines established for Exec. Mgmt
    and Bd. Audit Committee
  • Establishment of a risk volatility curve project
  • Individual and enterprise risk
    (underwriting-credit-asset exposure)
  • Repositioning and hedging
  • Nat Cat PML, protections re-built (severity vs.
    frequency)
  • Credit limits established (customers and
    counter party)
  • Usage of actuarial science in model building
  • Reinsurance purchasing authority pulled from
    SBUs

60
Examples of Live Issues
  • Terrorism load after TRIA
  • Systemic loss exposure
  • Professional liability risks
  • Emerging risks (e.g. cyber hurricane, SARS,
    Mold)
  • Country specific capital and earnings exposure
  • New concentrations (Summer Olympics, GOP/DNC
    Conventions)
  • Cross enterprise credit aggregation
    (Surety-Professional Liability-Asset)
  • Electronic cross customer-exposure data base
  • Newco vetting/approval
  • Specific SBU gross and net limit re-structuring

61
Agenda
  • Overview of COSO ERM Framework
  • Comments of the American Academy of Actuaries
  • Perspectives on Applying ERM
  • SunLife
  • Chubb
  • Open Discussion