Enterprise Risk Management Symposium, Chicago, April 26-27, 2004. The New COSO Enterprise Risk Management Framework: “How to Make it Relevant”. Presented by Doug Brooks, SunLife; Joel Aronchick, Chubb; Richard Reynolds, PwC.
Presentation Transcript


  1. Enterprise Risk Management Symposium, Chicago, April 26-27, 2004. The New COSO Enterprise Risk Management Framework: “How to Make it Relevant”. Presented by: Doug Brooks, SunLife; Joel Aronchick, Chubb; Richard Reynolds, PwC

  2. Agenda • Overview of COSO ERM Framework • Comments of the American Academy of Actuaries • Perspectives on Applying ERM • SunLife • Chubb • Open Discussion

  3. Overview of COSO ERM Framework (figure: Framework; Application Guidance) • COSO ERM project launched in 2001 (PwC Authored) • Builds on COSO Internal Control Framework (PwC Authored) • Consists of conceptual framework and application guidance

  4. Why ERM is Important
     • Underlying principles:
       • Every entity, whether for-profit or not, exists to realize value for its stakeholders.
       • Value is created, preserved, or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day.
     • ERM supports value creation by enabling management to:
       • Deal effectively with potential future events that create uncertainty.
       • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

  5. Enhancing Management Capabilities • Enterprise risk management provides enhanced capabilities to: • Align risk appetite and strategy • Link growth, risk and return • Enhance risk response decisions • Minimize operational surprises and losses • Identify and manage cross-enterprise risks • Provide integrated responses to multiple risks • Seize Opportunities • Rationalize capital

  6. Framework Components The Framework Has Eight Interrelated Components

  7. Key Concepts – Categories of Objectives • Entity objectives can be viewed in the context of four categories • Strategic • Operations • Reporting • Compliance

  8. Key Concepts – Entity-wide • ERM considers activities at all levels of the organization • Enterprise-level • Division or subsidiary • Business unit processes

  9. Key Concepts – Portfolio View • Enterprise risk management requires an entity to take a portfolio view of risk. • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: • Business unit level • Entity level

  10. Internal Environment
     • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
     • Establishes the entity’s risk culture.
     • Considers all other aspects of the organization’s actions, including:
       • Oversight by the board of directors
       • The integrity and ethical values
       • Competence of the entity's people
       • Management's philosophy and operating style
       • The organizational structure of the entity
       • Mechanisms used by management to assign authority and responsibility
       • Mechanisms used by management to organize and develop its people.

  11. Objective Setting • Is applied in objective-setting when management considers risk strategy in the setting of objectives. • Forms a risk appetite at the entity level. This risk appetite is encompassed in policy, guidelines and procedures. It is a high-level view of how much risk management and the board are willing to accept. • Establishes risk tolerances, which are the acceptable level of variation around objectives, and which align with risk appetite.

  12. Event Identification • Distinguishes risk and opportunity • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets or opportunities, which management channels back to strategy setting. • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the entity’s risk profile.

  13. Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives – likelihood and impact. • Normally assesses risks using the same unit of measure as that used to measure the related objectives. • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates the time horizons to objective time horizons. • Assesses risk on both an inherent and residual basis.

  14. Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses and degree to which a response will reduce impact and/or likelihood. • Selects and executes its response based on evaluation of the portfolio of risks and responses. • Assessment of and response to risks are integral components of ERM; which specific response is selected is not.

  15. Control Activities • Control activities are the policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application controls and general information technology controls.

  16. Information and Communication • Information is needed at all levels of an entity in identifying, assessing, and responding to risk. • Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across and up the organization.

  17. Monitoring • Monitors the ongoing effectiveness of the other enterprise risk management components through • Ongoing monitoring activities • Separate evaluations • A combination of the two

  18. Other Key Concepts - Roles and Responsibilities • Four broad areas of roles and responsibilities: • Management • The Board of Directors • Risk officers • Internal auditors

  19. Relationship with Internal Control • Relationship with Internal Control – Integrated Framework: • ERM expands and elaborates on elements of internal control as set out in COSO’s Internal Control – Integrated Framework (IC-IF). • ERM includes objective setting as a separate component. The IC-IF sets out objectives as a prerequisite for internal control. • The ERM framework’s “Reporting” category of objectives expands the IC-IF “Financial Reporting” category.

  20. Relationship with Internal Control • Effective internal control is necessary for effective enterprise risk management. • The ERM framework expands on the “risk assessment” component of IC-IF, separating it into three ERM components. • The ERM framework elaborates on other components of IC-IF as they relate to enterprise risk management.

  21. Linking the Building Blocks. Leading organizations have many building blocks in place. The challenge is in creating seamless connectivity top to bottom. (Figure: layers from top to bottom, with their elements)
     • SVA / Risk Adjusted Performance Measurement
       • Link risk adjusted performance measurement to shareholder value and planning processes
       • Align performance measures with desired behavior
       • Rebalance, hedge the portfolio (capital optimization)
       • Correlation, VaR, marginal contribution
     • Active PM (Portfolio Risk)
       • Manage concentrations through limits
       • Establish allowances (capital preservation)
     • Traditional PM (Portfolio Risk Identification)
       • Portfolio reporting and analysis
       • Aggregation of exposure (notional & risk adjusted)
       • Analysis of loss & default experience
       • Data management / MIS
     • Transactional risk management (Transaction Risk)
       • Relationship profitability analysis
       • Risk adjusted pricing (value creation - MTM / RAROC)
       • Structuring individual transactions
       • Allocation of limits to clients / products
     • Transactional risk identification
       • Risk Assessment
       • Risk Modeling
       • Pricing Analysis
       • Client, Industry and Market information
     • Data Management
       • Data acquisition, maintenance and distribution

  22. We have utilized the following framework with several leading financial institutions to gain better role clarity, particularly around the integration of strategic, financial and risk management planning. (Figure: Business Cycle running Business Strategy and Planning → Business Process and Execution → Evaluation, with “Validate/refine strategy” feeding back; elements shown:)
     • Business mission and strategy
     • Value proposition and risk appetite
     • Organization and governance
     • Business planning and budgeting processes
     • Capital allocation and balance sheet management
     • Business and individual performance objectives
     • Risk policies and procedures
     • Risk measurement methodologies
     • Risk-based pricing and customer profitability
     • Risk aggregation and reporting
     • Active portfolio and balance sheet management strategies
     • Value drivers
     • Internal reporting
     • Performance measures
     • External disclosure
     • Risk Management Systems Infrastructure: Procedures, Analysis, Limits, Key Controls, Capital, Policy, Reporting, Re-allocate capital/limits

  23. The first step toward implementation is ensuring the business units and support functions have clearly defined, collaborative roles supported by appropriate infrastructure elements. (Illustrative role matrix, figure only: rows are the Business Cycle phases Evaluate, Set Strategy, Budget/Plan, Execute and Control, with “Validate/refine strategy” feeding back; columns are Business Units, Financial Control, Corporate Risk Management and Corporate Audit; cell entries are Formulate, Manage, Validate, Request, Reconcile, Review, Approve, Facilitate, Produce, Analyze and Test; Risk Management Infrastructure elements along the side: Procedures, Analysis, Limits, Key Controls, Capital, Policy, Reporting, Re-allocate capital/limits.)

  24. Agenda • Overview of COSO ERM Framework • Comments of the American Academy of Actuaries • Perspectives on Applying ERM • SunLife • Chubb • Open Discussion

  25. General • COSO Framework is an important contribution to raising awareness of enterprise risk management • Three-dimensional structure • Valuable tool to assist auditors in assessment of nature of a company’s risk framework

  26. Framework Goals • A risk management framework needs to include a continuous, comprehensive review of the risks facing an organization, and their interactions • Reputation is a particularly significant concept that needs to be reflected in a framework; different companies will have very different exposures to reputational consequences

  27. Risk as Opportunity • A risk management framework must recognize that risk is necessary and appropriate • Risk management is not defensive in nature • Risk-return tradeoffs are an integral part of the strategic management process of organizations • Risk management should enhance profit

  28. The External Environment • COSO framework primarily addresses internal issues, and only tangentially external risks • Risk factors are often beyond management’s control • External risks are particularly important in the insurance industry • Importance of interaction of companies’ internal processes with external factors

  29. Other Issues • Interdependencies of risks • Long-Term vs. Short-Term focus • Roles and Transparency • Risk Quantification

  30. Actuarial Expertise • Risk management techniques: measurement; exposure reports; risk limits; risk controls • Risk analysis of new products, investments and projects; risk-adjusted product pricing; risk mitigation strategies • Earnings volatility analysis and subsequent risk mitigation strategies • Risk adjusted financial measurement and reporting • Economic capital measurement and management

  31. Actuarial Models • Financial simulations based upon capital management strategy, asset/liability analysis • Portfolio analysis systems • Monte Carlo models and regime-switching models for interest rate scenario generation for financial reporting or strategic development of investment options • Credit risk modeling and management; solvency-related; pricing of financial products • Hedging and other risk management quantification techniques

  32. Agenda • Overview of COSO ERM Framework • Comments of the American Academy of Actuaries • Perspectives on Applying ERM • SunLife • Chubb • Open Discussion

  33. Perspectives on Applying ERM: SunLife

  34. Background • Sun’s approach developed largely as the result of a number of serious issues • Guaranteed Annuity Options in the UK • Pension Misselling in the UK • Reinsurance problems • Trust Company • Vanishing Premiums

  35. Risk Management Framework (figure: framework elements) • Risk Philosophy • Risk Culture • Risk Communications • Risk Tools • Resources • Objectives • Risk Tolerances • Risk Policies • Accountabilities • Risk Processes

  36. Objectives of Risk Management • Avoid risks that could materially affect the value of the company • Contribute to sustainable earnings • Take risks that the company can manage in order to increase returns • Provide transparency of the company’s risks through internal and external reporting

  37. Risk Philosophy • Our business is accepting risks for appropriate returns • Driven by shareholder and policyholder expectations, external ratings and positioning in market place, we will take on risks that meet the organization’s objectives • Alignment with corporate vision and strategy • Embedded into the business management practices of every Business Group leader

  38. Risk Culture • Key components • Risk Consciousness • Accountabilities • Discipline • Collaboration • Communication

  39. Risk Management Structure
     • Board Risk Review Committee
       • Requires management to identify and review the major areas of risk
       • Approves and reviews compliance with the policies implemented by the Company
     • Executive Risk Committee
       • Provides oversight of risk globally
       • Approves and reviews compliance with risk policies
       • Monitors breaches of risk tolerance limits and directs action
       • Sponsors review and analysis on risk exposures related to specific issues
     • Chief Risk Officer
       • Develops and coordinates the Company’s enterprise risk management framework
       • Reports to the CFO
     • Enterprise Risk Mgmt. Committee
       • Comprised of the chief risk officer, other corporate functional heads and the country risk leaders from the main operations
       • Meets monthly and reports into the ERC
     • Country risk leaders
       • Country risk leader either chairs a risk management committee or reports on risk management to the senior management team
       • Country risk leaders report into, liaise with, or participate directly on the CRSC

  40. Risk Categorization (figure: four quadrants) • Market Risk • Credit Risk • Operational Risk • Insurance Risk

  41. Risk Categorization • Categories • Sub-categories • Source • Exposure Triggers • Direct Consequences

  42. Desired Risk Profile • Risk Filter • return/volatility • capability to manage risk • identify and understand risk • appropriate level of monitoring and reporting as well as the infrastructure to support monitoring and reporting • ability to act on mitigation plans

  43. Desired Risk Profile

  44. Risk Management Reporting
     • Ongoing reporting processes
       • Market Risk Tolerance Limits
       • Earnings at Risk
       • Top-10 Risk Report
       • Regular Compliance Reports
     • Regular reports on specific issues
       • Equity-related Guarantees and Hedges
       • Guaranteed Annuity Options (GAO)
     • Ad hoc reports

  45. Market Risk Tolerance Limit (MRTL) Report • Tests sensitivity of the company’s income to changes in the interest rate and equity market environments • Results compared to tolerance limits

  46. MRTL Report - Interest Rates

  47. MRTL Report - Equity Markets

  48. Earnings-at-Risk (EaR) Report • Looks at sensitivity of company’s income to interest rate, equity market and currency changes • Tests sensitivity at the 95th percentile level based on 10,000 scenarios • Chart on next slide shows these sensitivities in the form of cones by risk and by business unit
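As an added worked example (not SunLife's or the presenters' model; every business unit, sensitivity, volatility, stress and limit below is constructed and hypothetical), the following Python script shows the mechanics behind slides 45 and 48: a deterministic market-risk stress whose income impact is compared against tolerance limits (the MRTL report), and a 10,000-scenario Monte Carlo earnings-at-risk read off at the 95th percentile. Income changes are summed across business units within each scenario before the percentile is taken, which is the portfolio view of slide 9, and the result is then broken out by business unit and by risk factor as the slide describes.

```python
"""Constructed MRTL / Earnings-at-Risk example: hypothetical figures, not SunLife data."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    name: str
    annual_vol: float  # one-year standard deviation of the factor move, in percentage points


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    # Linear sensitivity of annual income ($M) to a +1 percentage-point move in each factor.
    sensitivities: dict


# Constructed sample inputs: hypothetical units, sensitivities and volatilities.
FACTORS = [
    RiskFactor("interest", 1.0),   # rates: 1 sigma = 1 pp over a year
    RiskFactor("equity", 15.0),    # equity index: 1 sigma = 15%
    RiskFactor("fx", 6.0),         # currency: 1 sigma = 6%
]
UNITS = [
    BusinessUnit("Canada", {"interest": -12.0, "equity": 3.0, "fx": 0.0}),
    BusinessUnit("US", {"interest": 8.0, "equity": 6.0, "fx": -2.5}),
    BusinessUnit("UK", {"interest": -4.0, "equity": 1.5, "fx": 1.0}),
]
# MRTL-style fixed stresses and the largest income loss tolerated under each (constructed).
STRESSES = {"rates -1pp": {"interest": -1.0}, "rates +1pp": {"interest": 1.0},
            "equity -25%": {"equity": -25.0}}
LIMITS = {"rates -1pp": 10.0, "rates +1pp": 10.0, "equity -25%": 200.0}


def income_change(unit, shocks, factor_names=None):
    """Change in one unit's annual income under one scenario; optionally only some factors count."""
    return sum(sens * shocks.get(name, 0.0)
               for name, sens in unit.sensitivities.items()
               if factor_names is None or name in factor_names)


def mrtl_check(units, stresses, limits):
    """Slide 45: apply each fixed shock to the whole company and flag losses beyond the tolerance limit."""
    report = {}
    for label, shocks in stresses.items():
        change = sum(income_change(u, shocks) for u in units)
        report[label] = {"income_change": change, "limit": limits[label],
                         "breach": -change > limits[label]}
    return report


def generate_scenarios(factors, n_scenarios=10_000, seed=2004):
    """Independent normal shocks per factor, seeded for reproducibility (a real model would use correlated draws)."""
    rng = random.Random(seed)
    return [{f.name: rng.gauss(0.0, f.annual_vol) for f in factors} for _ in range(n_scenarios)]


def percentile(values, q):
    """Nearest-rank percentile: smallest sample value with at least a fraction q of the sample at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def earnings_at_risk(units, scenarios, confidence=0.95, factor_names=None):
    """Slide 48: the income shortfall not exceeded in `confidence` of scenarios.
    Units are summed within each scenario first (portfolio view), so diversification shows up."""
    changes = [sum(income_change(u, sc, factor_names) for u in units) for sc in scenarios]
    return max(0.0, -percentile(changes, 1.0 - confidence))


def ear_report(units, factors, scenarios, confidence=0.95):
    """EaR by business unit (all factors), by risk factor (all units), and in total."""
    return {
        "by_unit": {u.name: earnings_at_risk([u], scenarios, confidence) for u in units},
        "by_factor": {f.name: earnings_at_risk(units, scenarios, confidence, {f.name}) for f in factors},
        "total": earnings_at_risk(units, scenarios, confidence),
    }


if __name__ == "__main__":
    for label, row in mrtl_check(UNITS, STRESSES, LIMITS).items():
        print(f"MRTL {label:12s} income change {row['income_change']:8.1f}  "
              f"limit {row['limit']:6.1f}  breach={row['breach']}")
    rep = ear_report(UNITS, FACTORS, generate_scenarios(FACTORS))
    for section in ("by_unit", "by_factor"):
        for name, ear in rep[section].items():
            print(f"EaR {section} {name:10s} {ear:8.1f}")
    print(f"EaR total {rep['total']:8.1f} (sum of unit EaRs {sum(rep['by_unit'].values()):.1f})")
```

Two points the numbers make that the slide only states: the total EaR is normally below the sum of the per-unit EaRs because offsetting sensitivities (here, units long and short interest rates) diversify within a scenario, and a fixed MRTL stress and a percentile EaR answer different questions, so a company can be inside its tolerance limits on one and outside on the other.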

  49. Earnings at Risk Report

  50. Common Currency: Risk Distribution (chart: Economic; Regulatory)
