ORSA Compliance: 5 Steps You Need to Take in 2014
Transcript of ORSA Compliance: 5 Steps You Need to Take in 2014
A publication of LogicManager
Contents
Risk Culture & Governance
Risk Identification & Prioritization
Risk Appetite & Tolerance Statement
Risk Monitoring, Controls & Action Plans
Risk Reporting & Communication
LogicManager Copyright 2005-2014
-
Request a Demo
Enterprise Risk Management
Vendor Management
Regulatory Compliance
IT Governance and Security
Business Continuity
Financial Reporting
Audit Management
Performance Management
Policy Management
LogicManager's All-in-One ERM Software
All the content you need & all connected.
Leadership: More than 2000 organizations use our risk management solution.
Insight: Put your risk picture together.
Cloud Computing: No up-front investment and no long-term commitment required.
-
Chapter 1
Risk Culture & Governance
With the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) by the National Association of Insurance Commissioners (NAIC), insurers are required to take a broader approach to risk management. The new ORSA requirement is one component of the NAIC's initiative to bring the US into regulatory alignment with the International Association of Insurance Supervisors Core Principle 16, Enterprise Risk Management.
Starting in 2015, insurers will be required to submit an annual ORSA summary report to their state commissioner that details the insurer's risk management, capital management, and strategic planning, along with the relationships between the three. The first section of the ORSA summary report is a detailed description of the insurer's ERM framework.
RMORSA Regulation
-
One of the primary goals behind the implementation of RMORSA is to foster an effective level of ERM for all insurers. This includes identifying, assessing, monitoring, prioritizing, and reporting on all material and relevant risks.
Insurers have the opportunity to leverage much of their existing risk management capabilities in becoming compliant with ORSA, since much of the ORSA requirements center around an ERM framework.
It is also important to note that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks may not require the same scope or depth of review as organizations with less defined processes.
-
For any organization, risk is an essential part of creating business value, and as such it needs to be managed in a way that is beneficial to the bottom line of the organization. A risk governance structure needs to be put in place to collect risk information at the activity level, where most operational risks materialize, and to aggregate this information to a level senior management and the NAIC care about.
A best practice approach that's been endorsed by the Institute of Internal Auditors (The IIA) is a 3 lines of defense structure: Operational Management, or process owners, are expected to take ownership and accountability for the risks faced by their business area as the primary line of defense.
3 Lines of Defense
-
Specifically, the IIA recognizes that this front line has the primary task of identifying, assessing, and mitigating risks on a day-to-day basis.
Questions to ask yourself to determine if the process owners of your organization are operating effectively as a first line of defense:
Is each of your operational managers assigned a subset of your organization's overall risk library, and can they suggest additions to that subset?
Do they have the ability to document control procedures in a way that ties them directly to their subset of risks?
And finally, are there adequate supervisory functions in place to notify managers when a control breakdown or unexpected event takes place in upstream or downstream process areas?
First line of Defense
Process Owners
-
Second line of Defense
Risk Managers
The second line of defense is the risk management function, which provides oversight and facilitates the implementation of effective risk management. The compliance function is also considered a second line of defense; however, when compared with a risk management function, compliance is responsible for a specific subset of risks related to applicable laws and mandates. Whereas the first line of defense is process specific, the second line of defense is cross-functional or systemic. It serves the critical role of ensuring that mitigations and risk analysis are taking place as intended, but cannot independently report on an enterprise picture of risk without input from process owners. The responsibilities of an enterprise risk manager can include: providing a risk management framework, identifying emerging risks and issues, setting standards, criteria and tolerance levels, and providing consulting and mentoring to process owners.
-
Third line of Defense
Internal Audit and Senior Management
The third line of defense, internal audit and senior management, offers independent assurance that risk management is operating effectively. ORSA mandates that a Chief Risk Officer sign off on each ORSA report. As such, the CRO and risk committee will be largely responsible for their organization's compliance with ORSA. With clearly defined strategic objectives set by senior management, the risk manager's role is then to close the gap between strategic-level risk and all the operational risks faced at the front line of the organization.
-
Tone From The Top
Figure: Positive Risk Culture, flowing from the Board of Directors through Risk Managers to Process Owners.
Roles and responsibilities need to be clearly defined and articulated so that there is accountability at all risk levels in your organization. Setting the right tone for your ERM program starts at the top with your board of directors and senior executives. Getting their support and approval of your ERM program conveys a positive risk culture to the rest of the organization. This will lead to better engagement in risk management processes at all levels of the organization. The more integrated ERM is in everyone's job descriptions, the easier risk assessments will become and the more valuable they will be.
-
Chapter 2
Risk Identification & Prioritization
Just discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but with the implementation of ORSA, insurers are now required to detail how they identify and categorize all relevant and material risks. This means that more business value and better decision making are expected from risk assessments. Formalized risk assessments allow risk managers to leverage existing activities in an objective, quantifiable, repeatable manner to show how risks and activities at the process level are impacting strategic objectives.
-
Formalized Risk Assessment Process
Figure: Root Cause, Risk Assessments, Strategic Objectives.
The most effective way to collect risk data is to identify risk by root cause. It is impossible to get a clear risk picture of strategic objectives without breaking them down into root-cause, actionable, silo-specific activities. Identifying the root cause of a risk provides information about what triggers a loss, where an organization is vulnerable, and where resolving systemic risks can lead to efficiency gains.
-
Root-cause concept
Figure: several root causes (Root Cause 1, 2, 3) lead to outcomes (Outcome 1, 2); mitigation activities (Mitigation Activity 1, 2, 3) are designed at the root-cause level.
However, orienting process owners to root cause is often easier said than done. Typically, management tends to think in terms of outcomes or events they want to avoid or achieve, and the effects of such events. While there is a limitless set of outcomes, as risk managers we need to operate at the root-cause level in order to design effective mitigation activities.
-
5 Root-cause categories
External: Risks caused by outside people, entities and environments
People: Risks involving people who work for the organization
Process: Risks arising from the organization's execution of business operations
Relationships: Risks caused by the organization's connection with third parties
Systems: Risks due to data or information assets
-
Prompt root-cause
Most assessments jump to the "What could go wrong" aspect of risk identification, which is often just a detailed effect or symptom. Understanding the root cause requires identifying the drivers, the "why" of the risk. You can begin to implement this root-cause approach in a facilitated session, or you can use a system to prompt assessors on the root causes of their concerns, which helps implement this solution on an enterprise scale.
-
Prompt root-cause
As a first step, consider prompting process owners and business areas to select the root-cause category of their concern. Beginning with a root-cause risk library enables organizations to track the selection of root-cause risks across multiple business areas, which helps identify systemic risks throughout the organization and areas of upstream and downstream dependencies.
-
Risk Assessments
Use a common numerical scale and criteria throughout your organization
High, medium, and low scales make it difficult and time-consuming to quantify, aggregate, and objectively rank information. You should use at least a 1-5 scale.
Best practice favors a 1-10 scale, with 10 having the most unfavorable consequences to the organization, split into 5 buckets to provide a high and low of each bucket. Using a 1-10 scale makes the math easy, and having the 5 buckets gives process owners doing the assessments flexibility to select the high or low of a bucket.
Giving people more flexibility in their assessments will give you better accuracy and more ability to determine what your top risks really are.
-
Carry out assessments on the same standards and assumptions
Impact scale: 9-10 Major, 7-8 Serious, 5-6 Moderate, 3-4 Minor, 1-2 Insignificant. Each bucket is defined across the Financial, Legal, Operational, Regulatory, and Strategic dimensions.
Example criteria:
9-10 Major
Financial: Negative impact on net income over $20 million
Financial: Catastrophic impact on financial statements (e.g., critical contractual ratios are no longer met)
Operational: Long-term impairment of critical functions makes the organization vulnerable to forced sale or merger
Regulatory: Regulatory agencies seize control of assets or are granted absolute decision-making authority
7-8 Serious
Financial: Negative impact on net income of $15 million to $20 million
Financial: Alternative financing (debt), sale or restructuring of the organization could be required
Operational: Inability to remain competitive (e.g., lagging customer service, operational inefficiencies)
Regulatory: Regulatory penalties are required
There are multiple ways of expressing severity, both qualitatively and quantitatively. Severity should be outlined for financial, legal, operational, regulatory, and strategic dimensions, among others. Each bucket should have a variation of criteria applicable to that level of severity.
For example, looking at the Impact criteria:
9-10 Major: In financial terms, a specific dollar amount considered to be catastrophic to your organization. In regulatory terms, agencies shut you down or take over.
7-8 Serious: In financial terms, the next level down, which is painful but survivable. In regulatory terms, penalties are required.
Only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that level. This way, any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.
Risk Assessments
-
Risk Assessments
Carry out assessments with the same standards and assumptions
Additionally, you need defined evaluation criteria for these scales. Often, one person's 9 is another person's 7. You should provide a clear definition of what each of the 5 buckets means, in unambiguous terms.
-
Objectively aggregate risk information to a strategic high level
Figure: Strategic Objectives.
Now that assessment scores are numerical and comparable, you can create simple formulas to automatically calculate the inherent and residual indexes of risks, and risks across your organization can be sorted and objectively ranked. For ORSA reports, aggregate risks relating to the same strategic goal or other cross-functional topic, like risk category frameworks, providing an overall assessment score for leadership, with actionable underlying data for when direction is given.
-
Chapter 3
Risk Appetite & Tolerance
How Do You Make Risk Appetite Actionable?
As a mandatory component of RMORSA, an organization-wide risk appetite statement provides direction for your organization. A risk appetite statement should be reflective of your organization's strategic objectives, stakeholder expectations, and key aspects of the business. Once your organization has documented its risk appetite, with the Board's approval, the question becomes: how do you measure whether your organization is adhering to it?
The answer is to implement risk tolerances.
-
Risk Appetite and Risk Tolerance
Risk Tolerance
In the chart shown, the organization's projected path of performance is plotted in green. This line and the immediate area around it represent the risk appetite, or goal, of the organization. If the organization were to pursue or retain all risks in its environment, its performance could fall anywhere between the grey lines. Most organizations are uncomfortable taking on all available risk, and new laws and regulations require companies to implement narrower tolerances (purple area).
Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the company will achieve its objectives.
Risk Environment
-
Risk Appetite and Risk Tolerance
Risk Appetite: Doesn't accept risks that could result in a significant loss of its revenue base
Risk Tolerance: Doesn't accept risks that would cause revenue from its top 10 customers to decline by more than 1%
In other words, while risk appetite is a higher-level statement that considers broadly the levels of risk that management deems acceptable, risk tolerance sets acceptable levels of variation around risk and can be more readily measured.
For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing tolerance.
-
Prioritize Resources by Cut Level
Because all risk assessments are conducted on standardized criteria, you can work with your board or senior management to determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help you prioritize resources to the risks that need stronger coverage.
View Risk Trends by Tolerance Range
Every day, process owners are making operational decisions about risk far from the organization's risk appetite statement. Process owners must look at their assessments, and if a risk exceeds or is below the range of set tolerance, they must adjust mitigation activities, procedures, or controls to get within the risk tolerance, or escalate the issue.
When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. Aligning your tolerances with risk appetite and strategic goals can be challenging, but by trending risks over time, you can get a more accurate picture of where you are and where you need to be to reach your goals.
-
Chapter 4
Risk Monitoring, Controls & Action Plans
ORSA Requires Transparency Into If And How Risks Are Being Managed
Once you have identified the root cause of risks and objectively assessed them, ORSA requires transparency into if and how risks are being managed by insurers as they execute their business strategy. To do this, an organization must have adequate mitigation and monitoring activities in place.
-
Develop Risk Tolerances over Time
Figure: chart plotting the Tolerance level against the Actual value over time.
As risks are reassessed periodically, you can focus on emerging risks that become out of tolerance and spend less time on risks that have decreasing indexes. This allows you to allocate resources to the issues and areas that will yield the greatest benefits to the organization.
-
Increase Organization Efficiency
Systemic risk identification will detect areas of upstream and downstream dependencies throughout your organization, such as when one area of the organization is unknowingly causing strain on other areas. Additionally, this method could also identify areas that would benefit from centralized controls, so the extra work of maintaining separate controls is eliminated, increasing organization efficiency.
-
Prioritize Activities
Figure: Conduct Risk Assessments, then Link Risks to Activities, then Prioritize Activities to be Monitored, then Collect Business Measures.
Most organizations need a greater understanding of how the business measures that they rely on daily are tied to their risks. If a risk or activity changes, organizations have no way of knowing how, or even if, these changes will affect their metrics. By conducting risk assessments and linking risks to activities, organizations can start prioritizing which activities need to be monitored.
-
Operational Risk Management
If risks are formally linked to anything, it is often Internal Audit or SOX controls, but all operational controls, activities, policies and procedures need to be taken into consideration too. Most of the risk management disasters we hear about were a result of poor operational risk management. Risk managers are responsible for risk monitoring effectiveness: knowing what to monitor and how to determine whether your activities are effective or not.
Boards and CEOs, public and private, are depending on risk managers to monitor key risk indicators (KRIs) at the business process level and to have the proven capability to escalate up to the board as appropriate.
-
Monitor Business Metrics
Figure: a metric tracked over time against its tolerance levels.
Collecting business metrics enables you to track the progress of your mitigation activities over time. You can set targets and tolerance levels around these metrics. Warning signs appear as metrics begin to move out of tolerance, allowing you to take action before a negative outcome materializes. Metrics need to be forward looking so that you can detect emerging trends long before they have significantly affected your organization.
-
Risk Monitoring Example
Situation: The online banking system experiences significant downtime and the issue is not resolved in a timely manner.
What They Found: The necessary expertise is not available during downtime to work on the issues.
Typical Solution: Provide a cross-training program to more individuals, giving the appearance that a preventative measure has been put in place.
Business Metrics:
Collecting business metrics enables you to track the progress of your mitigation activities over time.
In this situation, if the bank had been tracking system uptime, it would have seen that there was no improvement from the control activity put in place, and reinvestigated to realize that the system was going down during peak usage times, like lunch, when the subject matter expert was away from their desk. It could then institute effective activities, like adding more memory to the system.
Testing:
Often, organizations get caught up in testing the compliance or occurrence of the control, such as "Has every new IT hire completed the training within the first 6 months?"
Testing provides a high-level view of whether a control is effective, usually in the form of pass or fail. Testing does not necessarily provide you with actionable steps to take to improve a mitigation activity. Over time, organizations lose sight of why the activity was implemented in the first place, in this case to improve system uptime.
-
Chapter 5
Risk Reporting & Communication
5 Key Principles
-
DASHBOARD #1: ROOT CAUSE
View Organization's Overall Risks
Using a common set of standards and assumptions means your organization's risks can be brought together and displayed on a single heatmap, where upper-right-corner issues are most critical. This heatmap shows all of an organization's risks based on business-process-level observations. The information stays current, and changes in assessments are immediately reflected.
-
DASHBOARD #1: ROOT CAUSE
View Risk by Strategic Imperative: Customer Satisfaction
Viewing risks by a theme, such as an initiative or concern, enables organizations to take action by measuring progress toward a goal and adding context to what needs to be done.
-
DASHBOARD #2: ENTERPRISE VIEW
View by Strategic Goals
Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high-level summary, such as a top 10 risk report, which lacks the context of how risk within business processes relates to the objectives that senior leadership and the board require. However, a common risk taxonomy allows organizations to gather business-activity-level data and aggregate it to a high level that's better understood and more actionable for senior leadership.
-
DASHBOARD #2: ENTERPRISE VIEW
Drill Down to Activity Level when Necessary
For the top risks across the organization, risk managers often provide the more detailed underlying data, such as which business areas are involved, what their individual profile of the risk is, what the mitigation strategy is, and how the risk is being monitored.
-
DASHBOARD #3: ERM PROGRESS
Percentage of risks formally identified & assessed
Risk management is a process, and the key to successfully monitoring the effectiveness of any process is measurement. The following are examples of measures that will quantify and measure the value your ERM program is providing:
The first measure is Efficiency: Risk assessments are done for each business process or business unit. The chart shows the number of risks identified (red) and the number of risks assessed (blue) for each business process or business unit area. This tells the board how many of the risks in the enterprise have been collected and evaluated.
-
DASHBOARD #3: ERM PROGRESS
Transparency: Assurance of Risk Coverage
Percentage of risks mitigated
The next critical value measure is Transparency: Risk management doesn't stop at just risk identification and assessment. It's also critical to show the state of ERM in terms of how many of those risks identified and evaluated are covered by mitigation activities. Notice the gap between the red bar measuring the number of risks identified and assessed and the green bar measuring the number covered by mitigation activities. Notice that each quarter the gap between the 2 bars is getting smaller. This shows how the state of ERM has evolved over the past several quarters.
-
Percentage of KEY risks mitigated
DASHBOARD #3: ERM PROGRESS
You can filter this gap by using a cut level, focusing only on risks on a residual basis above a tolerance threshold, for this example, simply above the average. Now the board
can have a meaningful discussion of what level of risk they are willing to accept or how many resources they wish to allocate to getting stronger mitigation activities in place
to address this gap. This is matching risk tolerance to risk appetite that is actionable since discrete risks are connected to discrete controls with ownership.
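To make the scoring mechanics concrete, the following added example (not LogicManager's software) pulls together the 1-10 scale with five buckets and the "only one criterion has to be met" rule from Chapter 2, the above-average cut level, and the share of key risks covered by mitigation activities from this dashboard. It assumes the index is likelihood times impact (the page only says "simple formulas"), and the Moderate and Minor criteria and the three sample risks are constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

# The 1-10 impact scale split into five buckets (low, high).
BUCKETS = {"Major": (9, 10), "Serious": (7, 8), "Moderate": (5, 6),
           "Minor": (3, 4), "Insignificant": (1, 2)}

# Impact criteria per bucket and dimension.  Major and Serious use the dollar
# and regulatory criteria given on the page; Moderate and Minor are
# constructed placeholders for this example.
CRITERIA = {
    "Major": {"Financial": lambda o: o.get("net_income_hit", 0) > 20_000_000,
              "Regulatory": lambda o: o.get("regulatory") == "seized"},
    "Serious": {"Financial": lambda o: o.get("net_income_hit", 0) >= 15_000_000,
                "Regulatory": lambda o: o.get("regulatory") == "penalties"},
    "Moderate": {"Financial": lambda o: o.get("net_income_hit", 0) >= 5_000_000,
                 "Regulatory": lambda o: o.get("regulatory") == "inquiry"},
    "Minor": {"Financial": lambda o: o.get("net_income_hit", 0) >= 1_000_000},
}

def impact_score(observation: dict, pick_high: bool = False) -> int:
    """Rate at the most severe bucket where any ONE criterion is met; the
    assessor may pick the high or low score of that bucket."""
    for bucket in ("Major", "Serious", "Moderate", "Minor"):
        if any(test(observation) for test in CRITERIA[bucket].values()):
            return BUCKETS[bucket][1 if pick_high else 0]
    return BUCKETS["Insignificant"][1 if pick_high else 0]

@dataclass
class Risk:
    name: str
    root_cause: str            # one of the five root-cause categories
    strategic_goal: str
    likelihood: int            # 1-10, same scale as impact
    inherent: dict             # assessor's observation before controls
    residual: dict             # observation after controls
    mitigations: list = field(default_factory=list)

    # Index = likelihood x impact is an assumed "simple formula".
    def inherent_index(self) -> int:
        return self.likelihood * impact_score(self.inherent)

    def residual_index(self) -> int:
        return self.likelihood * impact_score(self.residual)

def aggregate_by_goal(risks: list) -> dict:
    """Roll activity-level scores up to an average residual index per goal."""
    goals: dict = {}
    for r in risks:
        goals.setdefault(r.strategic_goal, []).append(r.residual_index())
    return {g: mean(v) for g, v in goals.items()}

def key_risks(risks: list) -> list:
    """Cut level: risks whose residual index is above the average, ranked."""
    cut = mean(r.residual_index() for r in risks)
    return sorted((r for r in risks if r.residual_index() > cut),
                  key=Risk.residual_index, reverse=True)

def key_risk_coverage(risks: list) -> float:
    """Dashboard #3 measure: share of key risks with a mitigation activity."""
    keys = key_risks(risks)
    return sum(1 for r in keys if r.mitigations) / len(keys) if keys else 1.0

# Constructed sample register; names and figures are not from the page.
REGISTER = [
    Risk("Online banking outage at peak usage", "Systems", "Customer Satisfaction", 6,
         {"net_income_hit": 16_000_000, "regulatory": "penalties"},
         {"net_income_hit": 6_000_000}, ["add system memory"]),
    Risk("Key-person dependency for incident fixes", "People", "Customer Satisfaction", 8,
         {"net_income_hit": 3_000_000}, {"net_income_hit": 3_000_000}),
    Risk("Solvency filing rejected", "Process", "Regulatory Standing", 3,
         {"net_income_hit": 25_000_000, "regulatory": "seized"},
         {"regulatory": "inquiry"}, ["second-line review"]),
]
```

With this register the cut level is the average residual index of 23, so the two Customer Satisfaction risks are the key risks and only one of them carries a mitigation activity.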
-
DASHBOARD #3: ERM PROGRESS
Performance Management
You can also apply this same focus by filtering out low risks to show only the above-average risks and the corresponding mitigation activities that directly impact each of the organization's strategic objectives. As risks are reassessed periodically, you can focus on emerging risks that become out of tolerance and spend less time on risks that have decreasing indexes.
-