• How Enterprise Risk Management (ERM) and 3 Lines of Defence was implemented
• Building risk register involving all staff
• Internal audit use of this in planning & audits
Commencing The Journey
Established Risk Management Committee
Researching Risk Management Approaches
Researching Risk Maturity Models
Involve Board & Management on direction & strategy
Agree Roles & Responsibilities
Risk register bottom up approach involving all Staff
Identified Top 10 Risks using Staff feedback
Audit committee risk based priorities
Documenting appetite, existing and future planned controls for Top 10 risks
Risk Maturity Model Example
Adapted from Ward, S. (2003) Approaches to integrated RM: a multi-dimensional framework. Risk Management: An International Journal, 5(4), 7-23.
Dimension / Nature of Dimension / Range of choices (Stage 1 to Stage 4):

What (Interpretation placed on the term 'risk'):
  Threats; Opportunities; Uncertainty

When (Location of applications in the strategy life cycle: the decisions to which RM is applied):
  Stage 1: Operations
  Stage 2: Projects
  Stage 3: Programmes
  Stage 4: Strategies

Why (Purpose of RM):
  Stage 1: Crisis management
  Stage 2: Business continuity
  Stage 3: Proactive control
  Stage 4: Strategy formulation

Which-way (Nature of RM process employed, in terms of: degree of formality; scope of the process; tools and techniques employed; issues examined (quantitatively)):
  Stage 1: Ad hoc, informal processes, little documentation; qualitative, superficial analysis
  Stage 2: Some specific formal processes; analyses documented; some quantification
  Stage 3: Generic, formal processes; quantitative analyses documented and collated
  Stage 4: Flexible, cost-effective use of generic processes; use of best-practice techniques; continuous improvement

Who (Parties involved and allocation of responsibilities for RM):
  Stage 1: Scattered, ad hoc
  Stage 2: Specific functions with limited roles
  Stage 3: All functions, all levels; effective facilitation of RM
  Stage 4: Effective corporate-wide involvement extended to customers, suppliers

Wherewithal (Resources applied to RM):
  Stage 1: Implicit, ad hoc allocation of resources
  Stage 2: Formal, but ad hoc, allocation of resources
  Stage 3: Widespread explicit, formal allocation of resources; planned investment of resources to develop and maintain RM
  Stage 4: Explicit, formal, flexible allocation, more if cost-effective

Simpler approaches
1. Risk Identification
2. Risk Evaluation
3. Risk Control (• Accept • Avoid • Transfer • Reduce)
4. Risk Monitoring & Audit Risk Performance
Can be more effectively implemented across the organisation in decision making, objective setting, performance review, projects,…
Risk Categories
Grouped in categories to facilitate monitoring & reporting. Categories chosen are in line with Solvency II and recommended best practice.
• Operational Risk: Internal processes, people or systems, or external events.
• Insurance Risk: Inherent uncertainties as to the occurrence, amount and timing of insurance liabilities.
• Credit Risk: Counterparty failure to fulfill its obligations or perform them in a timely fashion.
• Market Risk: Fluctuations in values of, or income from, assets or interest or exchange rates.
• Liquidity Risk: Maintaining sufficient financial resources to meet liabilities as they fall due.
• Group Risk: Risk events, of any nature, arising in or from membership of a corporate group.
Risk Governance Framework: Three Lines of Defence Model (Roles and Responsibilities)
1st: Direct Risk Management Responsibility
  Direct responsibility for the management & control of risk
  Board; Management & Risk Owners; Individuals
2nd: Risk Management Support
  Coordination, facilitation & oversight of Risk Management including Policy and Methodology
  Risk & Compliance Committee; Chief Risk Officer
3rd: Independent Assurance
  Independent assurance & challenge across all business functions in respect of integrity & effectiveness of Risk Management framework
  Audit Committee; Internal Audit; External Audit
Roles & Responsibilities: Board of Directors
has ultimate responsibility for managing risk in the organisation, and for creating the infrastructure for risk management to operate efficiently and effectively
understands most significant risks facing the organisation
considers risk implications of board decisions
knows possible effects on shareholder value of deviations from expected performance
defines risk appetite and approves mitigations for breaches
knows how the organisation will manage in a crisis
should be assured that risk management processes are working effectively
Roles & Responsibilities: Managers
Cascading day-to-day responsibility for management of risks, promoting risk awareness and ensuring compliance consistent with high-level requirements. This includes
introducing objectives to improve management of risks
understanding risks in area of responsibility, possible implications on other areas, and consequences other areas may have on them
cascading delegated authority limits to individuals based on their specific expertise within an appropriate control framework including adequate approvals processes and segregation of duties
formulating performance indicators to monitor key activities, progress towards objectives, and identify developments which require intervention
having systems which communicate variances in budgets and forecasts at an appropriate frequency to allow action to be taken
systematically and promptly reporting any perceived new risks or failures of existing control measures.
…
Additionally in respect of RISK OWNERS
managing their assigned risks across the organisation
ensuring that for the assigned risks, the Risk Register is updated and correctly reflects the risk appetite and controls in place
reporting systematically and promptly to the CRO any material deviations from established risk appetite or failures of existing control measures or updates required to the Risk Register or Risk Control Calendar
annually providing the CRO with a Risk Owner Annual Report on the risks owned.
Roles & Responsibilities: And the other individuals?
RM should be carried out every day by every employee.
Not all situations warrant the application of formal risk management processes however all individual employees should:
understand their accountability for risks and implement controls per instructions
promote and enable continuous improvement in the management of risks
understand that risk management is a key part of organisation's culture
report systematically and promptly any perceived new risks or failures of existing control measures.
Roles & Responsibilities: Risk Committee
should support and facilitate ongoing development of effective risk management throughout organisation
should carry out risk management at a corporate level
should review the effectiveness of risk management activity
Roles & Responsibilities: Audit Committee
Via internal investigations, should provide separate review and evaluation of risk management systems. Consideration of these evaluations and any associated recommendation should also form part of the Risk & Compliance Committee's review work.
Internal Auditor
Provides an independent appraisal of the adequacy, application and effectiveness of the risk management systems and internal control processes put in place by management.
What is Risk Management (RM)?
Something we’ve been doing in one form or another since the dawn of time!
“Save for a rainy day” – Risk Financing
“Better safe than sorry” – Risk Control
“Prevention is better than cure” – Risk Control
“Hope for the best, prepare for the worst” – Risk Control
“Cross that bridge when we come to it” – Risk Acceptance
“Don't put all your eggs in one basket” – Risk Spreading
What is Risk Management (RM)?
Every organisation manages its risks, but not always in a way that is visible, repeatable and consistently applied to support decision making.
In all types of undertaking, there is the potential for events & consequences that constitute opportunities for benefit (upside) or threats to success (downside). RM is concerned with both positive & negative aspects of risk.
Good RM increases probability of success and reduces probability of failure and the uncertainty of achieving our overall objectives.
What is Risk Management?
Risk Management helps us to reach our objectives by:
securing opportunities through managed risk taking
assessment, management & control of risks
increasing certainty with fewer surprises
maintaining business continuity and service provision through adversity
managing change
helping implement Solvency 2 which benefits insurers with strong risk governance
RM must be integrated into the culture of the organisation with each employee responsible for the management of risk as part of their job description.
Find examples of Risk Management principles in action within organisation showing its proven added value and lessons learnt
Staff Wide Risk Identification & Ranking
Step 1: Brainstorming listing risks on a board
Step 2: Voting & ranking risks using Fibonacci scores (Top risk 34 then 21, 13, 8, 5, 3, 2, 1)
Managers use similar voting to rank risk groups and identify Top 10 Risks across organization grouped up under each category
Top Risks assigned Risk Owners
Audit committee use Top Risks to set Internal Audit priorities
First Top 10 Risks Workshops
Each department considered risk categories closest to them:
Operational: IT/Marketing, HR & Admin; Sales, Underwriting and Claims
Insurance: Sales, Underwriting and Claims
Credit, Market, Liquidity, Operational: Finance & Compliance; Credit Control & Intermediaries
Basic approach & ranking helped build a comprehensive list of risks and more importantly involved all staff in risk management development.
Risk register then validated against industry risk surveys.
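As an added example (not from the deck or the organisation it describes), the Step 1/Step 2 ranking and the roll-up of the Top 10 under risk categories from the workshops above, in Python. The risk names, their categories and the votes are constructed sample data; only the Fibonacci score ladder comes from the deck.

```python
from collections import defaultdict

# Score ladder from the deck: a voter's top-ranked risk gets 34, then 21, 13, ...
FIB_SCORES = [34, 21, 13, 8, 5, 3, 2, 1]

# Constructed sample: brainstormed risks mapped to the deck's risk categories.
RISK_CATEGORY = {
    "key system outage": "Operational",
    "staff turnover": "Operational",
    "reserving error": "Insurance",
    "broker default": "Credit",
    "bond price fall": "Market",
    "cash shortfall at claim peak": "Liquidity",
}

# Constructed sample: each participant submits an ordered list, best-first.
SAMPLE_VOTES = [
    ["key system outage", "reserving error", "broker default"],
    ["reserving error", "key system outage", "cash shortfall at claim peak"],
    ["broker default", "bond price fall", "key system outage"],
]

def score_rankings(rankings, scores=FIB_SCORES):
    """Sum Fibonacci scores for each risk across all voters' ordered lists.
    Positions beyond the ladder earn nothing, so a long list is not rewarded."""
    totals = defaultdict(int)
    for ranking in rankings:
        for position, risk in enumerate(ranking):
            if position < len(scores):
                totals[risk] += scores[position]
    return dict(totals)

def top_risks(totals, n=10):
    """Top-N risks, highest score first; ties broken by name for stable output."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def group_by_category(top, categories):
    """Roll the ranked list up under risk categories, keeping rank order."""
    grouped = defaultdict(list)
    for risk, score in top:
        grouped[categories.get(risk, "Uncategorised")].append((risk, score))
    return dict(grouped)

if __name__ == "__main__":
    totals = score_rankings(SAMPLE_VOTES)
    for risk, score in top_risks(totals):
        print(f"{score:3d}  {risk}")
    print(group_by_category(top_risks(totals), RISK_CATEGORY))
```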
Risk Management Policy: Sub Policies & Other Pillar II Docs
Governance & Strategy:
  Board Governance Charter
  Business Planning Cycle & Rolling Strategic Plan
  Committee Charters: Risk & Compliance; Actuarial; Audit & Internal Auditor; Investments
General:
  Risk Language
  Risk Appetite
  Risk Register
  BCP
  Policies: Fit & Proper; Remuneration; Outsourcing
Risk Specific:
  Compliance
  Investment
  Asset Liability Management
  Liquidity
  Credit
  Underwriting & Reinsurance
  Claims Management
  Fraud
Cells:
  Committees TORs
  Operations Manuals of individual cells
Risk Management Policy
Scope
Risk Philosophy
Roles & Responsibilities
3 Lines of Defence
Risk Categories
Risk Identification
Risk Matrix
Risk Appetite
ORSA
Risk Register
Protected Cells
Internal Controls
Risk Communication
All significant risks identified, measured, assessed, prioritised, managed & monitored in a visible, consistent, efficient & effective manner.
Chief Risk Officer
Operational; Insurance; Credit; Market; Liquidity; Group
Weighted Staff Survey: 1st Residual Risk Rating
Risk Owner Rating: Annual rating with Risk Function Assistance/Review
Internal Audit: Prioritising plans according to ratings
Risk Register fields:
Group Companies Within Scope
Risk Category
Risk Grouping Description
Risk Grouping Owner
Risk Grouping Capital Requirement
Sub Risk Description
Inherent Risk Likelihood & Severity
Residual Risk Likelihood & Severity
Target Risk Likelihood & Severity
Key Risk Indicator (KRI) / Risk Appetite
Existing Risk Controls
Future Planned Controls
Last Review
Intranet Wiki Policies & Procedures
Control Calendars
Risk Events Register
…
Owner Annual Reports
Confirming risk controls stated in the risk register are in place
Reporting any material deviations from established risk appetite
Reporting any material failures of existing control measures
Proposed changes in probability/severity rating of risks
Progress on Future Planned Controls
Any other amendments to be made to the risk register
Risk's relationship with Internal Audit
Regular dialogue between Internal Audit and CRO while maintaining independence
Changes in risk ratings can trigger changes in audit plans
Internal audit reports can trigger risk reviews and vice versa
Through its ongoing work, internal audit can help identify new risks besides providing assurance on documented controls
Rolling Risk Based Audit Plan
Risk-level plan columns: Risk Owner | Board Policy | Function | Risk Ratings: Inh (L, S, P), Res (L, S, P), Dif (P) | Audit Freq | Yr 1 | Yr 2 | Yr 3 | Yr 4 | Yr 5
Function-level plan columns: Function | Board Policy | Audit Freq | Yr 1 | Yr 2 | Yr 3 | Yr 4 | Yr 5
… and higher level audits to ensure the plan “takes into account all activities and the complete systems of governance” as also required by sector's regulation:
For efficiency, trying to combine audits of risks, functions & policies