ERM for Small to Mid-sized Companies

Transcription

1

2 ERM for Small to Mid-sized Companies Session #304

3 Today s Presenters Greg Fritsky Jerry Ravi Rita Linterno Technology & Finance Transformation Consultant ERM / Internal Audit Specialist & Technology Consultant External Audit & ERM Specialist

4 Course Objective and Outcomes To discuss implementation standards of Enterprise Risk Management (ERM) practices for small to medium size insurers, and discuss the impact of ORSA and how to embrace ERM practices to be successful in achieving short and long term goals. Learning Outcomes: Participants will be able to: Discuss ORSA and the impact to current ERM practices Understanding the key implementation factors for a successful ERM program Develop a preliminary plan use a transformation framework within ERM practices across the organization, starting with Finance Discuss impact to the external audit and areas to consider for leverage and risk knowledge sharing

5 What s New with ERM Increased need for ERM reporting at the Board Level (regardless of the size of the organization) Getting a pulse on key emerging risks and alignment to strategy (MEASURMENT is Key) Impact on regulatory requirements (ORSA, SEC, etc..) Technology, operational and overall financial reporting enhancement Outsourcing relationships continue to grow (risk of outsourcing and monitorin Cybersecurity)

6 STATE OF ERM TODAY 25% believe their organization has a complete formal enterprise risk management process in place. 23% describe their organization s level of risk management maturity as mature or robust. 52% indicate that their organization s risk management process is not at all or minimally viewed as a proprietary strategic tool that provides unique competitive advantage. Source: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities Research Conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team

7 CALLS FOR IMPROVED ENTERPRISE-WIDE RISK OVERSIGHT 68% indicate that the board of directors is asking for increased senior executive involvement in risk oversight somewhat to extensively. 65% of organizations experience pressure from external parties somewhat to extensively to provide more information about risks. Source: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities Research Conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team

8 Breakdown of ERM / ORSA Process Risk Management Framework (Section 1) Assessment of Risk Exposures (Section 2) Group Risk Capital and Prospective Solvency Assessment (Section 3) Risk Culture and Governance Board Oversight Formalize Risk Management Structure Identification and Categorization Assessment and Prioritization (Risk Tolerances / Appetite) Mitigation, Monitoring, and Reporting Capital Adequacy (i.e., Models) Capital Management Solvency Assessment

9 States that have Adopted ORSA AR 9

10 Key ORSA Components Evaluate the Maturity of the ERM Framework Utilize Best Practices - RIMS Risk Maturity Model (RMM) Evaluate key principles on an ongoing basis start with a health check Define Risk Profile, Appetite and Tolerances Ensure integration and communication throughout the organization (leverage existing risk functions and assurance activities) Assess Risk Exposure Organize information into main risk categories or risk objectives Ensure documentation and rationale for risk exposures under both normal and stressed scenarios Conduct workshops to evaluate exposures Prioritize and align to strategy, decisions and capital allocation Measurement and alignment to capital allocation / compensation Determine internal capital assessment Relying on various models including internal and external models (RBC, BCAR, etc ) Review / utilize technology and software solutions (Igloo, MG-ALFA, etc ) Quantify necessary capital for different risks using various assumptions (stochastic and deterministic)

11 Section 2 Assessment of Risk Exposure Phase 1 Communicate / Align to Objectives Phase 4 Report and Monitor Phase 2 Identify, Analyze and Prioritize Phase 3 Validate and Collaborate

12 Think RISK TAXONOMY Financial Reporting Strategic Planning Vendor Management Taxonomy Policy Management Technology Compliance and Audit Management

13 Root Cause Approach to Collecting Risk Data Cause 1 Cause 2 Cause 3 Event Effect 1 Effect 2 Effect 3

14 Root Cause Approach Example Reference: LogicManager 2014

15 Top Down & Bottom Up Reference: LogicManager 2014

16 Responsibilities Changing Reference: LogicManager 2014

17 Risk Based Decision Making What types and levels of risk support objectives? Risk Profile Company Structure What data / analysis are needed? Risk Processes & Tools What structure supports effective decision making? Monitoring & Reporting DECISIONS What information is needed to make the decision?

18 Risk Management and Controls Assessment The less aware/prepared the entity is to a risk, the higher the impact will be should the event occur If risk responses, including controls, are not in place and operating as designed, then the likelihood of an event increases Assessing risk mitigation allows entities to gauge how well they re managing risks Risk mitigation assessment criteria include capabilities such as: oscenario planning orisk responses in place oability to respond and adapt quickly as events unfold ocapacity to withstand events such as capital buffer and financial strength

19 Risk Management and Controls An Overview Risk Management is the options to manage and mitigate risks, including: Risk Avoidance not proceeding with the process or activity that contains unacceptable risk (exit activity) Risk Reduction take action to reduce the likelihood or impact Risk Acceptance take no action due to the cost/benefit; low risk category; risk is acceptable Risk Sharing sharing all or part of the risk to another department or party (e.g., insurance) Risk Transfer transferring all of the risk to another department, group or committee Risk Reduction may be achieved through the use of Control Activities or other methods. Any system of risk treatment should provide, at a minimum: Effective and efficient operation of the organization Effective internal controls Compliance with laws and regulations 19

20 Risk Reporting and Communication Key Risks Monitored and Managed by Risk Owners Feedback Provided to Manage Key Risks including update to risk tolerances, Limits and Appetite Dashboard with Clear and Concise Information on Top Risks- including Assessment, Prioritization, and Response Periodic Presentation to and Evaluation by Key Stakeholders/Committee 20

21 Risk Prioritization HEAT MAP

22 Risk Identification & Prioritization Risk identification is the continuous process by which Risk Management creates and updates its catalog of risks. Cataloged by risk categories and sub-categories tailored to the insurer Risks have to be assessed for prioritization; too many risks to be monitored and managed at the enterprise level Perform Risk Assessment to prioritize risks and to identify key risks Leverage Internal and External Audit Process Focus on continuous monitoring and follow-up

23 Operational Risk Management Approach to Your Audit Process Enterprise and Operational Risk Focused Work closely with your management team, including the ERM Committee to identify critical enterprise risks and prospective risks facing the company including: strategic, market, credit, reputational, operational, liquidity, financial, and compliance risks Evaluate and critique risk mitigation strategies designed to address the critical risks Consider downside threats (potential of a negative outcome) and upside threats (failure to capitalize on an opportunity) when evaluating the ERM framework Benchmark the risk management framework to best practices and provide valuable insight to improve risk management framework and activities Integrated Audit Process Our planning and detailed testing approach will allow us to provide insights and identify potential improvements related to the organization s critical risk areas and increase audit process efficiency Throughout our audit process we will maintain a risk catalog and evaluate alignment to management s overall risk appetite and risk mitigation activities Focus on continuous monitoring and follow-up Assess the process for identifying potential future events that create uncertainty, as well as evaluating their ongoing risk mitigation process (i.e., response) to reduce the likelihood of downside outcomes.

24 Tailored Audit Approach Interviews Enterprise Risk Committee Internal Audit Audit Committee Review of company prepared risk assessment documents Inventory of risks Internal strategy documents Meeting minutes Evaluate how changes to the environment are factored Rapid growth Change in business mix New products Changes in technology ERM Evaluation Financial Risks (Competition, Credit, Capital needs) Operational Risks (Profitability, U/W, control Structure, key indicators, related party transactions, business continuity, business mix) Prospective Risks (Regulatory, Liquidity, Reputational) Benefit: An Audit that addresses your key risks, a more efficient audit process, value added recommendations

25 Three Lines of Defense Drives Governance Structure Board of Directors / Audit Committee Senior Management 1 st Line of Defense 2 nd Line of Defense 3 rd Line of Defense Financial Control Administration Controls Internal Control Measures Security Risk Management Quality Legal Compliance Assurance & Validation External Auditor / Regulator

26 Emerging Technology Data Analytics Cloud Computing Social Media Technology Trends Mobile Devices Collaborative Applications In Memory Computing

27 ERM Framework Predictive Analytics Risk Dashboards ERM Framework Streaming Social Media ERM Software

28 Leveraging Data Analytics Data analytics can be used to Identify the risks that have resulted from the exponential growth of technology and the internet, and our increasing reliance on both. Provide a comprehensive view of internal and external risks by alerting decision makers about potential fraud, unusual network traffic patterns, hardware failures, and security breaches. Convert data into actionable information, helping businesses move their cybersecurity measures from a reactive state to a proactive state.

29 ERM Solutions and Dashboard Reporting Several ERM solutions currently exist and most integrate well into an existing platform. When combined with a data and social media analytics program, an effective ERM program can be realized. Risk Dashboards can provide top-down risk reporting and details that can help detect and prevent control failures. Source: Gartner

30 Integration Configuration Platform Detecting Fraud with Data Analytics Millions of transactions can be analyzed to detect certain anomalies that may indicative of a fraud Fraud Analytics software can analyze 75 million insurance claims in just 1.5 seconds Monitoring Fraud Monitoring & Performance Optimization Prevention Fraud Pattern Analysis Rules & Predictive Analysis Fraud Detection Strategy Calibration & Simulation Detection Online Detection Mass Detection Investigation Alert Notification Inquire & Analyze Investigation Evaluation & Decision Claim Handling & Settlement From Claim Notification to Claim Closure Source: SAP

31 Common Pitfalls Focus of ERM Program Area Issues Impact ERM process is solely focused on output to the Board, not utilized as a tool for management. ERM is focused solely on WCGW or hazards. Risk Analysis Risk appetite is not adequately defined and communicated. Risk levels are not measured against risk tolerance levels. Risk does not define inherent vs. residual risk. Risk impact is not quantified. ERM Reporting Reporting is limited to enterprise level and/or only a subset of risks or business areas are considered and/or reported. Managing Risks Action/mitigation plans and owners are not effectively assigned to mitigate key risks. Risk assessment is not embedded in strategic planning and business process. Management is disengaged from the process because they don t feel that a value is added. Board/management lacks transparency to determine if risk levels are appropriate, if risks require further mitigation action or possible exploitation and whether certain activities should be continued, given risk levels and current mitigation steps. Risk reported to the board are reported out of context. Board lacks transparency into overall risk profile/specific business unit risk. Lack of clear accountability and proactive action plans may lead to risks going unattended.

32 Thank You!!! Greg Fritsky, Director Redwood Software 10 Denise Drive Allentown, NJ Jerry Ravi, Partner Eisner Amper LLP 111 Wood Avenue South Iselin, NJ Rita Linterno, Senior Manager Eisner Amper LLP 750 Third Avenue New York, New York (609) (732) (347)

33 Please Complete the Session Evaluation Form on the Conference App