Enterprise Risk Management and the Compliance Professional

Page 1

Enterprise Risk Management and the Compliance Professional

Denise Tessier, Senior Regulatory Consultant
Insurance Professional Services
[email protected]

Page 2

AGENDA

• What is ERM?
• The Drivers of ERM
• Fundamentals of the ERM process - a “5 Course Meal”
• The Benefits of ERM for Compliance
• Challenges for Compliance in ERM implementation
• Recommendations/Best Practices
• Q&A

Page 3

Part 1: Introduction to ERM

Page 4

What is ERM?

• Enterprise Risk Management (“ERM”) - the process of planning, organizing, leading, and controlling all activities of a company in an integrated fashion in order to minimize the effects of risk on the company’s capital and earnings.

• A view of the “whole world” of risk throughout a company…

Page 5

Before ERM - Silos

• “Silo approach” (no collaboration or standardization between business units)
• Qualitative risk assessments (lack of other methods in use)
• Risk avoidance / reactive risk controls (rather than proactive)
• Risks with no owners
• Limited-risk mitigation scope
• Limited regulatory scrutiny
• Risk is only seen as threats


Page 6

With ERM – Integration

• Addresses risks in a broader way
• Better communication amongst management and whole company
• Streamlined management of risk, with ability to PRIORITIZE risks
• Assigns and ensures risk ownership and accountability
• Flexible to grow and change with company, as environment changes
• Addresses opportunities too


Page 7

Compliance Risk: A Fundamental ERM Pillar

• Compliance risks are only part of the ERM picture, but they are some of the most significant risks to the company from a financial perspective, ranking high in priority for managerial review and action.

• The challenge facing many compliance professionals today is how best to integrate compliance risks into a wider world of risk in a formal ERM structure.

Page 8

Why ERM for Insurers?

Regulatory Drivers:
• Solvency II (European)
• SOX
• Dodd-Frank
• Banking and Securities
• NAIC “ORSA” Proposal

Business Drivers:
• Strategic Analysis
• Rating Agencies (S&P, AM Best, Moody’s)
• Regulators/Audits
• Financial Auditors
• Shareholders and other stakeholders


Page 9

The NAIC ORSA Report

Challenges:
• Size/magnitude
• Frequency & timing
• Non-proportionality
• Legal privilege and privacy concerns
• Legal entities and non-insurance entities

Opportunities:
• Potentially more flexible capital requirements
• Internat’l recognition and reciprocity
• Improved ratings
• Improved share price


Page 10

A New Perspective

• Adopting an ERM program is often a major cultural change for many companies.

• For the Compliance team an ERM initiative can lead to:
– new ways of looking at compliance risk;
– more attention being paid to quantification of risk;
– study of ripple effects a compliance breach may have in other departments or functional areas such as claims, underwriting and finance.

Page 11

Part 2: The ERM Process – A Five Course Meal

Page 12

Implementing ERM – The Menu, or Project Plan

• Every multi-course dinner starts with a menu plan.

• Similarly, the ERM manager should start with a general overview of the ERM process and set out the specific steps required to realize the company’s vision and goals.

Page 13

Ingredients: Types of Risk

• Financial
Credit default, interest rate fluctuations, financial markets instability, currency, debt & credit rating, liquidity. Insurers: underwriting risk/losses and reserves.

• Strategic
Competition, foreign market protectionism, industry merger & acquisitions, supply chain disruption, political risk, product development or design, budget overruns, unions, ethical violations, pricing wars, quality issues, reputation.

• Hazard
Natural disasters, product and general liability claims, and class actions, fire and other property claims, loss of facilities, D&O liability, workers comp.

• Operational
Staff shortage, theft, health & safety violations, government investigations, network and IT failures, breach of security, utilities issues. Insurers: policy issuance & claims.

• Compliance and Regulatory Risk
Licensing of company and business partners, capital requirements, financial reporting laws, underwriting, policy administration and claims handling laws.

Page 14

The Starter: Identifying Current & Emerging Risks

The first course is identifying current and emerging risks.

VIA:
• Face-to-face interviews or group meetings;
• Surveys or questionnaires;
• Research industry press; and
• Using experts and consultants.

CONSIDERATIONS:
• Even the smallest tidbits of information are important to identify patterns and trends.
• Provides “first taste” of risk magnitude/financial impact
• Highlights risks affecting multiple departments.
• Introduces a “theme” for the overall ERM project, early.

ERM is not fast food.

Page 15

Presentation – The Risk Register/Library

Columns: Generic Function | Generic Activity | Generic Process Risks | Generic Risk | Risk Category

1 WKTIG Operations

2 WKTIG Financial Management
  2.1 Investment Portfolio | 2.1.1 Other | Material Change in Rate | Categories/Financial Risk/Market Risk/Interest Rate Risk
  2.2 Competition | 2.2.1 Other | Strength of Competition | Categories/Operational/Strategy Risk/New Venture Risk
  2.3 Budget Management | 2.3.1 Other | New Venture Business Targets | Categories/Operational/Strategy Risk/New Venture Risk
  2.4 Strategic Planning | 2.4.1 Other | Tax Regulation Changes | Categories/Financial Risk/Liquidity/External Capital Changes

3 WKTIG Claims
  3.1 Claim Payment | 3.1.1 Other | Notification of Accounts | Categories/Financial Risk/Liquidity/Cash Flow

4 WKTIG Underwriting
  4.1 Underwriting Strategy | 4.1.1 Casualty | Business Cycle Impact | Categories/UNDERWRITING/Insurance/Market Cycle Risk
  4.2 New Business and Renewal | 4.2.1 Reinsurance | Pricing Model Use | Categories/UNDERWRITING/Insurance/Model/Model Assumption Risk
  4.2 New Business and Renewal | 4.2.2 Specialty | Underpricing | Categories/UNDERWRITING/Insurance/Parameter/Pricing Risk
  4.2 New Business and Renewal | 4.2.3 Property | Risk Limits | Categories/UNDERWRITING/Insurance/Catastrophe Risk


Page 16

The Salad: Metrics—Assessing Frequency & Severity

Metrics complement and complete the risk analysis process.

• Companies establish standard scales/metrics for evaluation of different risks, for like-to-like comparisons.
• Allows a company to rank their risks by significance;
• Prioritizes resources and activities around the most dangerous risks and the most beneficial controls;
• Sets objective, quantitative measurements of specific risks against an organization’s risk appetite, the statement of a company’s willingness to assume a degree of risk in pursuing opportunities.


Page 17

Common Measurements & Metrics

Phase One
• Frequency is the likelihood of a risk occurring, and risks are first usually classified on a scale from very unlikely to very probable.
• Severity, or magnitude, measures the impact of the risk should it occur, or the consequence. Severity is also measured on a continuum of potential loss, from insignificant or immaterial, to extreme.

Phase Two
• Velocity – How fast can it happen?
• Duration – How long will it last?
• Causation – Is there a common cause of many losses?


Page 18

Cooking with Heat (the “Heat Map”)
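The Phase One scales (frequency, severity) and the heat map can be turned into a small scoring routine that ranks register entries and checks them against a stated risk appetite. This is an added illustration, not code from the presentation or from Wolters Kluwer: the 1-5 numbering of the scales, the heat-map thresholds, the appetite score and every frequency, severity, velocity and owner value are assumptions, and the entries only borrow risk names from the register example on page 15.

```python
"""Frequency x severity scoring for a small ERM risk register (illustration only)."""
from dataclasses import dataclass

# Phase One scales from the presentation: frequency runs from "very unlikely"
# to "very probable", severity from "insignificant" to "extreme".  The 1-5
# numbering is an assumption made for this example.
FREQUENCY = {"very unlikely": 1, "unlikely": 2, "possible": 3, "probable": 4, "very probable": 5}
SEVERITY = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str        # register identifier, e.g. "4.2.2"
    generic_risk: str   # e.g. "Underpricing"
    category: str       # register category path
    owner: str          # ERM requires every risk to have an owner
    frequency: str      # key into FREQUENCY
    severity: str       # key into SEVERITY
    velocity_days: int  # Phase Two "velocity": how fast the loss can materialise


def score(entry: RiskEntry) -> int:
    """Like-to-like score: frequency rating times severity rating."""
    return FREQUENCY[entry.frequency] * SEVERITY[entry.severity]


def heat_zone(entry: RiskEntry, appetite_score: int = 9) -> str:
    """Place a score on the heat map.  Above the appetite threshold is 'red'
    (needs a control or a management decision); at or below half of it is
    'green'; everything between is 'amber'.  Thresholds are an assumption."""
    s = score(entry)
    if s > appetite_score:
        return "red"
    if s * 2 <= appetite_score:
        return "green"
    return "amber"


def rank_register(register, appetite_score: int = 9):
    """Order risks for managerial review: highest score first; among equal
    scores, the one that can hit fastest (smallest velocity) first."""
    ordered = sorted(register, key=lambda e: (-score(e), e.velocity_days, e.risk_id))
    return [(e.risk_id, score(e), heat_zone(e, appetite_score)) for e in ordered]


def unowned(register):
    """'Risks with no owners' is a pre-ERM symptom; flag any register gap."""
    return [e.risk_id for e in register if not e.owner.strip()]


# Constructed sample register.  Risk names come from the page 15 register
# example; owners, ratings and velocities are invented for illustration.
SAMPLE_REGISTER = [
    RiskEntry("2.1.1", "Material Change in Rate", "Financial Risk/Market Risk/Interest Rate Risk", "CFO", "probable", "major", 90),
    RiskEntry("2.4.1", "Tax Regulation Changes", "Financial Risk/Liquidity/External Capital Changes", "Compliance", "possible", "moderate", 180),
    RiskEntry("3.1.1", "Notification of Accounts", "Financial Risk/Liquidity/Cash Flow", "Claims", "unlikely", "minor", 30),
    RiskEntry("4.2.2", "Underpricing", "UNDERWRITING/Insurance/Parameter/Pricing Risk", "Chief Underwriter", "possible", "extreme", 60),
    RiskEntry("4.2.3", "Risk Limits", "UNDERWRITING/Insurance/Catastrophe Risk", "", "possible", "extreme", 7),
]

if __name__ == "__main__":
    for risk_id, s, zone in rank_register(SAMPLE_REGISTER):
        print(f"{risk_id:6} score={s:2} zone={zone}")
    print("unowned:", unowned(SAMPLE_REGISTER))
```

Two entries tie on score (4.2.2 and 4.2.3); the Phase Two velocity breaks the tie, which is the point of collecting it.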


Page 19

Sorbet: Risk Reporting, Monitoring & Adjustment

ERM programs must also have planned breaks in the process for participants to evaluate prior work.

In ERM, risk reporting and monitoring will be scheduled on a regular basis, so that risks can be reviewed, re-ranked, and controls can be tested.

Page 20

The Main Course: Setting Effective Controls

ERM’s main course is effective controls.

• Customized suites of specific techniques, policies, and procedures are used to reduce or mitigate identified risks.

• Won’t eliminate 100% of all risk.

• Well-developed, sustainable controls can have a direct financial impact on a company.

Page 21

Dessert: Strategic Analysis

Strategic analysis is the “icing on the cake”

• Strategic analysis is the process of weighing whether potential gains will outbalance losses in a proposed course of action.

• Once main controls mitigate the “downside” of risk, a company can address the “upside” of risk—opportunities.

• Practical issues can be tackled:
– How much capital should a company hold in reserves?
– Should we enter into a new line of business or develop a new product?

Page 22

Reviews and Critiques: Dashboards and IM Reports

(Dashboard panels shown on the slide: Open Issues, Risk Events)


Page 23

ERM “Cooking Tips”

• Keep it simple, and make it tasty. – Gordon Ramsay

• Focus on the guests, not just the food. – Martha Stewart

• The only real stumbling block is fear of failure. In cooking you've got to have a 'What the hell?' attitude. – Julia Child


Page 24

Part 3: The Compliance Function & ERM


Page 25

Recap: Benefits of ERM for Compliance

BEFORE ERM
• “Siloed” approach
• Weak risk assessment process
• Qualitative measurements
• Reactive focus on mitigation
• Risks ID’d but not Owned
• Risks perceived only as threats

AFTER ERM
• Collaborative approach
• Strong risk assessment process
• Quantitative measurements
• Proactive focus, “best practices” controls
• Risks Owned, monitored
• Better alignment of all business units towards strategic company goals

Page 26

As a Result…

• New perspectives on risks are obtained
• Re-evaluation/revision of staff assignments, workflows, and attestation processes
• Priorities are more easily set
• Encourages strengthening of controls, procedures
• Opportunities for adopting “best practices”
• Increases the profile & value of Compliance

Compliance can do a better job


Page 27

Challenge #1: Defining the Compliance Function

• There are many ways to define what “compliance risks” are, and how/by whom they should be managed.

• The range of risks that could be considered “compliance risk” is very broad, varies by company. May include:
– Violation of the company’s Code of Conduct and Ethics;
– Failure to adhere to state laws regarding advertising to and communications with policyholders;
– Non-compliance specifically with policy rate and form filing procedures;
– Violation of “good-faith” claim handling laws and regulations; or
– Breach of internal underwriting guidelines and authorities.


Page 28

Challenge #2: Keeping Risks/Controls Updated

• Constant need to keep abreast of changes in compliance and regulatory risk, carried through to the ERM program.

• Over 11,000 new laws and regulations proposed, over 3,000 enacted or adopted annually.
– New/emerging risks must be captured and shared
– Pure number of risks makes categorization difficult
– Need to re-score and re-prioritize identified risks
– Controls must be flexibly designed, updated frequently

• Compliance team may be best positioned to help manage regulatory change for multiple departments….

Page 29

Challenge #3: Assessing Compliance Risk

• Quantifying risk may be another special challenge for Compliance in the ERM process.
– Compliance may not be used to evaluating risk frequency or severity, or prioritizing compliance/risk issues
– Have to also consider departments outside of Compliance which may be impacted by a compliance breach.
– May be limited company or industry data on certain types of compliance losses or risks
» Resources: Laws, Regulations, NAIC, State DOIs, News, 3rd-party Databases, Published Market Conduct Exams

Page 30

Challenge #4 – Developing “Best Practice” Controls

• Day-to-day “Policies and Procedures” are some of the most important kinds of key “ERM controls.” The two concepts are different, but should be kept as integrated.

(Diagram on the slide: Risks – Controls – Policies – Procedures)

• Failure to keep Compliance Risk Management, Policies and Procedures, and ERM Controls aligned and cross-checked can lead to staff confusion, duplicate or inefficient workflows, missed regulatory changes, and poor management of risks overall.

Page 31

Example, an Underwriting Risk…

The Risk: Improper underwriting, or underwriting loss, due to a violation of a policy limit authority

Key Controls, as listed in an ERM Control Library/Register:
• Underwriting Guidelines by line of business
• Management delegation of approval of U/W authority
• System Controls to prevent override of U/W authority, entering in contract

Related Policies & Procedures, including protocols for:
• Ensuring U/Ws receive an Underwriting Authority Letter upon hire (HR, U/W management responsibility)
• For Policy (contract) issuance to policyholder, and recording of policy data in systems (U/W support or Operations, Finance, IT)
• Disclosure Committee procedures for Breach Reporting, such as quarterly reports to Compliance/Risk/Disclosure Committee of Breach of U/W Authorities (Compliance, Risk, Legal)


Page 32

Integrating Compliance into ERM Efforts

• The Compliance team should be given more advance notice of strategic issues faced by other departments. This includes more information about new product lines, business partners, vendors, and other initiatives.

• The more information Compliance has, and the earlier they have it, the better Compliance staff can assess related compliance or regulatory risks and controls, to offer meaningful input into any decision-making process.

• Managing the compliance risk of any new business initiative is a key first step on the road to success.

Page 33

• All departments should coordinate efforts on identifying and sharing “emerging risks” and trends in their area of responsibility, and create a communication loop to understand risks seen by other areas (legal, finance, etc.)

• Use Compliance team members in ERM projects, as leaders or participants, such as reviewing or auditing certain cross-departmental controls, developing key performance indicators, or improving management ERM reports.

– Better integrate ERM controls with compliance “policies and procedures.” Frequently self-assess the ERM program against Compliance initiatives group-wide for any gaps or areas of duplication.


Page 34

• Widen the audience who receives news of compliance breaches, and increase focus on the “group-wide” impact of compliance violations.

• This will help the ERM team and management see compliance problems from multiple angles, in terms of the potential harm to the company’s reputation, loss of business, and strained agent, broker or reinsurance relationships.

• Communication of how compliance risks actually develop, and how they are managed or dealt with in practice, helps educate other departments about losses inherent in the business, and potential solutions for mitigating future losses.


Page 35

Conclusion: Compliance as Star Performers

• Despite the challenges that Compliance professionals may face while implementing an ERM program, they can also provide crucial skills, wide perspective and valuable insight to help a company assess legal and regulatory risk.

• Solid compliance risk management is crucial to enterprise risk management, and can provide a strong foundation for broader evaluation of risks and controls across the company.

• Compliance professionals should be star performers on every ERM team.

Page 36

QUESTIONS??

For more information on Enterprise Risk Management, visit Wolters Kluwer’s RISK HEADQUARTERS site at http://www.riskheadquarters.com/

THANK YOU!