Operational Risk Management - Institute of Actuaries of India 2010/S4_Kieth_walter.pdf ·...

© 2010 Towers Watson. All rights reserved. Operational Risk Management 2010 Seminar on Current Issues in Life Assurance by Keith Walter 22 November 2010

Operational Risk Management

2010 Seminar on Current Issues in Life Assurance

by Keith Walter

22 November 2010

© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only. towerswatson.com

We live in a risky world!

In the month of September 2008:

— Two USA Government-sponsored enterprises (Fannie Mae and Freddie Mac) were put into conservatorship

— Lehman Brothers filed for bankruptcy

— Merrill Lynch was sold to Bank of America

— AIG struggled under a severe liquidity crunch

On 28 September 2008, the US stock markets crashed, wiping out more than $1.2 trillion of value – the first single-day loss ever to exceed $1 trillion!

Enterprise Risk Management - Context for Operational Risk

Some definitions

Wikipedia: ERM provides a framework for risk management which typically involves identifying…risks and objectives…assessing them…determining a response strategy and monitoring progress. [Allows businesses to] protect and create value for their stakeholders…

COSO ERM framework: …process effected by an entity’s BoD, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Basel: Operational risk is “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events”.

Risk Management Capability Maturity Model

Ad hoc: Risk management is reactive, not considered core to business, highly delegated

Fragmented: Risk management conducted by independent functions by risk type within business units

Comprehensive: Risk management is enterprise-wide and encompasses all risk types; viewed as necessary function

Integrated: Risks are treated as a portfolio at the enterprise level and aggregated across risk types and business units with dependencies

Strategic: Risk management is built into culture and decision making, and the organization selectively seizes opportunity because of its special ability to exploit risks

Risk Advantage

Adapted from the Capability Maturity Model framework developed by Carnegie Mellon University, 1993

Towers Watson Global Survey on ERM

Towers Watson has conducted its sixth biennial survey on Enterprise Risk Management in the insurance sector

During the second quarter of 2010, Towers Watson conducted a web-based survey among senior executives in major insurance companies around the world

Chief risk officers, chief financial officers and chief actuaries were asked to document the approaches to, and current status of, ERM activity within their companies

This is the largest survey of the insurance industry on its topic; over two-thirds of the total 465 insurance executive respondents were C-suite

Respondents include a wide range of insurance organizations from North America (31%), Europe (21%), Asia Pacific (19%) and multiple regions (28%)

Respondents come from all lines of business, including life insurance (37%), property & casualty (P&C) insurance (29%), multiline insurers (18%) and reinsurance (13%)

Geographical terms

North America: U.S., Canada and Bermuda

Europe: U.K. and continental Europe

Asia/Pacific: Asia and Australia

Latin America: Mexico and South America

Middle East/Africa: Middle East and Africa

Company size terms

Large: Annual revenue in excess of U.S. $10 billion

Medium: Annual revenue between U.S. $1 billion and $10 billion

Small: Annual revenue less than U.S. $1 billion

The proportion of respondents who have a documented risk appetite has increased from 47% in 2008 to 59% in 2010

2010 Base: Total respondents n = 459 for Q.12 Do you have a documented risk appetite/tolerance statement? Please select one response.

RISK APPETITE

Yes, and further developments are planned within the next 12 months: 46%

Yes, and no further developments are planned over the next 12 months: 13%

No, but planned to be in place within the next 12 months: 32%

No, and no plans to develop within the next 12 months: 9%

By company size (2010 / 2008):

Large: In Place 71% / 58%; Not in Place, but Planned 29% / 33%; No Plans 0% / 9%

Medium: In Place 59% / 56%; Not in Place, but Planned 32% / 33%; No Plans 9% / 11%

Small: In Place 53% / 34%; Not in Place, but Planned 35% / 44%; No Plans 12% / 22%

The risk appetite statement significantly impacts decisions about asset strategy and capital management

Base: Those having a documented risk appetite/tolerance statement giving a valid answer (percentages exclude not applicable) n = 247 for Q.22 Within which business processes is risk appetite explicitly referenced or monitored? Please select all that apply.

[Bar chart: percentage of respondents selecting each business process, with bars ranging from 2% to 68%. Processes shown: Strategic planning; Incentive compensation; Risk transfer (e.g., reinsurance, securitization, hedging); Mergers and acquisitions; Capital management; Business planning; ALM/asset strategy; Performance management; Product or business unit risk management; Other]

RISK APPETITE, LIMITS AND REPORTING

While the vast majority of European respondents still expect to use internal models, planned utilization is significantly down since 2008

[Bar chart: percentage of European insurers likely to use internal models, by risk type (Market risks; Credit risks; Insurance risks; Operational risks; Other; N/A), for survey years 2010, 2008 and 2006]

N/A: Not applicable — unlikely to use internal model

2010 Base: European insurers only (percentages exclude “don’t know”) n = 180 for S.4 For which type of risks are you likely to take advantage of the ability to use internal models? Please select all that apply.

Risk Quantification

Expected use varies by size of company, with 100% of large companies, 94% of midsize companies and 83% of small companies expecting to use internal models for one or more risks

Operational Risk Management - External Point of View

Basel II introduced a standard industry approach for operational risk in financial services companies

Definition of operational risk

“The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.”

Risks

Direct (cash) losses: Fraud; Systems failures; Legal claims

Indirect (cash) losses: Loss of recourse; Compensation; Fines

Preventative (cash) costs: Control enhancements; Quality assurance; New systems

Value destruction: Strategic risk; Political risk; Reputational risk

Best’s five major categories of risk

Credit: Default; Disputes; Sovereign; Downgrade; Settlement lag; Concentration

Market: Equities; Concentration; Liquidity; Other assets; Basis; ALM; Currencies; Reinvestment; Interest rate sensitivity

Underwriting: Underwriting process; Basis; Mortality and morbidity; Pricing; Frequency and severity; Policyholder optionality; Reserve development; Lapse; Concentration; Product design; Longevity; Economic environment

Operational: Monetary controls; Distribution; Training; Financial reporting; IT systems; Turnover; Legal controls; Regulatory; Data capture

Strategic: Competition; Rating downgrade; Availability; Demographic/social change; Customer demands; Technological; Negative publicity; Regulatory/political capital

Source: A.M. Best.

A robust taxonomy provides the foundation for a common language, but the universe of operational risk has three overlapping dimensions: causes, events and consequences

Causes: Insufficient training; Lack of management supervision; Inadequate auditing procedures; Insufficient risk monitoring; Poor HR policies; Poor systems design; Inadequate segregation of duties

Events: Internal Fraud; External Fraud; Employment Practices and Workplace Safety; Clients, Products and Business Practices; Damage to Physical Assets; Business Disruption and System Failures; Execution, Delivery and Process Management

Consequences, Effects (Monetary Losses): Legal Liability; Regulatory, Compliance and Taxation Penalties; Loss or Damage to Assets; Restitution; Loss of Recourse; Write-down

Consequences, Other Impacts: Reputation; Business Interruption; Forgone Income

Legal is an impact

Reputation is an impact

Risk identification and management

A.M. Best’s checklist

Traditional risk management (from annual rating meeting):

— Exception reporting: performance vs. key risk metrics (by functional area and/or risk type)

— Action plans for exception items

Operational risk and strategic risk

Emerging risk issues

Best practices observed by Towers Watson

An objective framework that identifies, monitors and manages emerging risks, risk accumulation and correlations within and across the entire organization

Ongoing process for identifying and managing significant operational risks

Corporate risk profile and ERM process reflect both historical experience and future expectations

Rigorous process for evaluating the impact of emerging risks

Source: A.M. Best’s Rating Methodology, January 25, 2008 and Towers Watson

Guidance from Consultation Paper no. 33

Companies should have a well-documented assessment and management system for operational risk with clear responsibilities

Operational risk framework should include:

a) Undertaking-wide definition of operational risk, for the purpose of internal policies and procedures

b) Effective processes to identify, assess, mitigate, manage, monitor and report operational risks that the undertaking is, or may be, exposed to, and adequate internal control mechanisms

c) The arrangements, processes and mechanisms detailed above should be comprehensive and proportionate to the nature, scale and complexity of the undertaking’s activities

Should have an operational risk strategy that takes into account:

a) All activities and processes including IT systems

b) Operational risk events that the undertaking is currently, or may be, exposed to, and the mitigation approach

c) The need for an early warning system

Guidance from Consultation Paper 33

An effective process to regularly identify, document and monitor exposure to operational risk and track relevant operational risk data - including near misses

Fire Drills!

Reputational Risk

It is important to have an understanding and recognition of the key values affecting the reputation of the firm, considering expectations of stakeholders and sensitivity of the marketplace

Reputational risk is defined as the risk of potential loss through deterioration of a firm's reputation or standing due to a negative perception of the undertaking’s image among customers, counterparties, shareholders and/or supervisory authorities.

Summary

1. What risks are you prepared to take?

What is your risk appetite?

How does your risk appetite relate to your business goals and objectives?

Can you name your most significant risks?

2. How will you manage those risks?

What sort of risk culture exists in your company?

Who is responsible for managing risks?

What governance structure do you have in place?

3. How will you address hard-to-quantify risks?

Do you include all important risks in your analysis, even when they’re hard to quantify?

What information do you capture to describe your risk exposure?

Do you have one measure to quantify all risks?

4. How will you demonstrate that risk management is working?

Have you defined what you expect to achieve through your risk management strategy?

How will you measure “success”?

What time frame have you put on this?

Contact Details

Keith E. Walter

Director, Risk Consulting and Software

Tel: +65 6880-5655

Email: [email protected]