IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
A.R.F. Super Session The ORSA Journey – Where is it taking us?
Monday, June 8, 2015
3:30 – 5:00 p.m.
Objectives for this session
Past, present & future of ORSA
What is included in an ORSA report?
How ERM can provide a solid foundation for ORSA
How to gain efficiencies; what resources are needed
How ORSA may impact the future of regulations & ratings
Questions for the audience
If you work for an insurance company –
If your company is required to submit an ORSA report –
If you are allowed to say, was your company involved in an
ORSA pilot program?
If your company is exempt from ORSA –
G-20
Worldwide Industry’s Articulation of their
Governance
Solvency II
Insurance Core Principle (ICP) 16 – Enterprise Risk
Management
Financial Sector Assessment
Program
Why ORSA?
2 Primary Goals
Effective level of Insurer's Enterprise Risk Management
Provide a group-level perspective on risk and capital
What is ORSA?
OWN Solvency ERM
Component
> $500 M Individual > $1 Billion Group
Framework
• Maintain a risk management framework
ORSA Assessment
• Complete an Own Risk and Solvency Assessment
ORSA Report
• File an ORSA Summary Report with the insurance commissioner
ORSA Requirements
Effective date as of January 1, 2015,
with the first Summary Report filing
sometime in 2015, as states work with the
insurer for the states that have adopted
1/1/15 implementation date.
Adopted by NAIC
Sept. 2012
States that have Adopted ORSA
State Implementation Date
2012, 2013, 2014 ORSA Feedback
Number of States Participating: 12 (2012), 16 (2013), 26 (2014)
Estimated Number of ORSA Reports Expected to be Filed to Participating States: 134 (2012), 167 (2013), 210 (2014)
% of Total Estimated ORSA Reports Expected to be Filed: 50% (2012), 64% (2013), 77% (2014)
Number of Insurer/Groups Participating: 14 (2012), 22 (2013), 28 (2014)
Participants covered Life, P&C, Health & Title
2014 Pilot closed May 2015 Number of ORSA???
Presentation:
How much to disclose in the report
Content:
Alignment of risk and business strategy
Risk appetite statement at enterprise level
Risk thresholds and limits for each material risk
Support to choice of metric to quantify the solvency capital
Quantification of solvency capital for some specific risks: • operational, emerging
Stress tests
Prospective risk and solvency capital assessment
Use test – i.e. how the ORSA process is used to support management decisions
Roll-out of ORSA processes into all functions due to immaturity of ORSA processes
Challenging Areas for Companies
Scope out their first years’ reviews: breadth and depth
Use of foreign ORSAs for US regulatory purposes
Use of group ORSA by non-lead states
Training all staff – NAIC ORSA Training has been launched
and is being rolled out nationally
Lead State generally expected to perform review and
assessment
• Non-Lead States place significant reliance on Lead State
Challenging Areas for Regulators
Organizational charts
Entities covered by the group ORSA, preferably showing:
• Accounting basis
• NAIC co-codes
Reason for entity exclusion
Status of development of ORSA processes: what has been developed and what is in progress
Current versus future state
Reference to data used (i.e., at what date)
Accounting basis used for section 3
Balance between depth of content and supporting evidence
List of ORSA documents available to examiners, with owner, date of last version
Like
A document (not PowerPoint slides)
A structure that reflects or can be reconciled to the ORSA Guidance Manual
A table of contents
An executive summary
Use of appendices to supplement information in the main document
A glossary of terms used
Signed attestation from CRO or CRO-like
Use of heat maps to support risk identification
Use of graphics to explain processes / reporting lines
Use of comparatives for multi-year financial data
Clearly labeled exhibits/tables/graphs
Page numbers (!)
Needs Improvement
Presentation – Regulators’ considerations (from ORSA pilots)
Use of risk management to support business decisions
Business Strategy / direction of the group
Core business initiatives
Core risk management initiatives
Important corporate life events: acquisitions and disinvestments
Current and prospective look
Bringing together the 3 sections
Observations
Key part that sets the overall tone
Summarized presentation of the business strategy objectives (over time horizon of business plan), relevant risk strategy and solvency position at group level
Length and format vary based on insurer size and complexity
Needs Improvement
Executive Summary – Regulators’ considerations (from ORSA pilots)
Overview of the ERM process:
• Genesis
• Models used (COSO, ISO31000, own, other)
• Maturity
• Current versus future state
How business strategic objectives tie to:
• ERM
• Capital
• Operations
Risk culture & governance:
• in the absence of a CRO, who is the “risk go-to” person and engagement with management
• tie between compensation & incentive and risk management
Risk identification and prioritization:
• Outline of the processes
• Criteria used to “prioritize”
• Emerging risk framework
Observations
Overview of the ERM process:
• Follow the building blocks of the ORSA Manual
• Put the ORSA processes in the context of the maturity of own ERM
• It helps dialogue with regulator
• Where are you really at?
Risk culture & governance:
• clear definition of roles & responsibilities (owners versus doers, supervision, independent assurance, granularity within group).
• Reporting lines (use of charts welcome)
Risk identification and prioritization:
• robust and detailed process of identification throughout the group
• process for selecting key risks from risk universe
Needs Improvement
Section 1 – Regulators’ considerations (from ORSA pilots)
Section 1 – Regulators’ considerations (from ORSA pilots)
Risk Appetite, Tolerances and Limits:
• Articulate individual limits
• Consistency with key risks identified in prior parts of the report
Risk management and controls:
• Controls around the key risks (rather than financial controls)
• Escalation process in event of breach
• Current involvement of Internal Audit
Risk reporting and communications:
• Use test
• Exchange of information within the group
• Feedback loops
• Examples help!
Observations
Risk Appetite, Tolerances and Limits:
• Link between business strategy and risk appetite framework
• Process from overall risk appetite to individual risk preferences, tolerances and limits for each key risk
Risk management and controls:
• Process in place to manage key and non-key risks (what, how and who)
• Specific risk controls
• From inherent to residual risk
Risk reporting and communications:
• Translation of limits into operational guidance
Needs Improvement
Assessment of risk exposures:
• Overview and summarized presentation of results for all risks under both current and stressed conditions (for example, at beginning of section 2)
• Consistency with key risks identified
• Support to methodology selected (for either qualitative or quantitative)
• Comparison against tolerances and limits in section 1
Stress tests:
• Consistency with key risks identified
• Effect of single stresses
• Effect of combined stresses
Observations
Assessment of risk exposures:
• For each key risk
• Qualitative or quantitative
• Methodology and data used
• Under current and stressed conditions
Stress tests:
• Risks stressed
• Methodology used to select the stresses
• Results of the stresses
Needs Improvement
Section 2 – Regulators’ considerations (from ORSA pilots)
Group assessment of risk capital:
• Consistency with key risks identified in prior parts of the report (sections 1 and 2)
• Description of the methodology used to quantify risk capital for each risk
• “Fitness for purpose” of the risk capital metrics used
• Explanation and overview of the calculation of the diversification benefit
• Data: sources, quality, testing
• If internal models are used to quantify the risk capital: validation framework (scope, process, governance, results)
Prospective risk assessment:
• Missing so far in reports
Management actions to remedy capital inadequacy
• Access to capital markets / liquidity assets
• Interconnectedness of US business to the international affiliates/parent
Observations
Group assessment of risk capital:
• On current and prospective basis
• For each key risk
• Metric to define risk capital
• Methodology for aggregation
• Accounting basis selected
• Methodology for diversification
• Methodology and time horizon for projections
• Comparison against available capital
• Validation of results
Prospective risk assessment:
• Changes to risk profile over time horizon of the business plan
Management actions to remedy capital inadequacy
Needs Improvement
Section 3 – Regulators’ considerations (from ORSA pilots)
Business strategic objectives
Maturity of ERM processes: what has been developed and what is in process? Do you have a plan to completion? What processes have been tested?
Entities in scope and entities excluded
Deep dive into section 1 for first filings
Discussion around key risks
Exposures and stresses: current position against limits
Overall solvency position at group capital, access to capital sources
Evidence of use of all the above
Group perspective for risk and capital
What questions to expect from regulators
NAIC ORSA Guidance Manual (July 2014 version)
http://www.naic.org/store/free/ORSA_manual.pdf
RMORSA Model Act #505 (adopted on September 6th, 2012)
http://www.naic.org/documents/committees_e_risk_management_orsa_adopted_120906.pdf
SMI dashboard, showing the status of adoption by the individual states of a number of model acts as part of the Solvency Modernization Initiative (SMI), including the RMORSA Model Act #505 (on the second page), as of February 2, 2015:
http://www.naic.org/documents/committees_e_related_smi_dashboard.pdf?123
Latest draft guidance for financial analysts in the state Departments of Insurance on how to conduct analysis procedures on the ORSA reports:
http://www.naic.org/documents/committees_e_examover_fahwg_exposure_fin_analysis_handbook_prop_rev_form_draft.pdf (starts on page 171)
Latest draft guidance for financial examiners in the state Departments of Insurance on how to conduct an examination of the ORSA reports:
http://www.naic.org/documents/committees_e_examover_fehtg_exposure_orsa_guidance_rfswg.pdf
Basic Documents
Tennessee Farmers Insurance Companies
EXPECTATIONS
ORSA Pilot Program
• Be able to use this report for AM Best
• Be one of the first insurance companies in Tennessee to file an
ORSA report
• We are in discussion with TDCI on what they expected to see in our ORSA
• Steering the analyst’s expectations
Tennessee Farmers Insurance
ORSA
ORSA – The name means something
Who does it belong to?
• “OWN” Risk Solvency Assessment
Tennessee Farmers Insurance
Where did we start?
Utilized common language
• Model Language
• ERM – Enterprise Risk Management Framework
• Insurer Assessment of Risk Exposures
• Group Assessment of Risk Capital and Prospective Solvency
Assessment
Used the model language to get an idea of the structure
Did not create any new processes or meetings
Documented everything
Tennessee Farmers Insurance
ORSA Lessons Learned
Only had 2 people
ORSA had to be filed through Texas for Confidentiality
Used all resources
• Actuaries and Auditors
ORSA Section 1 – Leveraging ERM Mary Peter, Director of ERM (Eide Bailly, LLP)
How Section 1 of ORSA embodies Enterprise Risk Management
How Enterprise Risk Management can be leveraged with ORSA
ORSA Section 1 - Leveraging ERM
Description of the Insurer’s Risk Management Framework
• Key Framework Principles:
• A. Risk Culture and Governance
• B. Risk Identification and Prioritization
• C. Risk Appetite, Tolerances and Limits
• D. Risk Management and Controls
• E. Risk Reporting and Communication
• To what extent does your ERM Program contain these principles?
ORSA – Leveraging ERM
ORSA
ORSA ERM
ORSA - Leveraging ERM
ERM first; ORSA second or:
ORSA first; ERM second
Either way, ORSA supports a robust ERM process
A robust ERM process supports ORSA as its foundation
Key Principles – Leveraging ERM
Risk Culture and Governance
• Cornerstone to managing risk
• Structure that clearly defines roles, responsibilities, accountabilities
• Risk Culture that supports accountability in risk-based decision-making
• Structure creates rigor within the organization
• Manages reasonably foreseeable and relevant material risk, in a
continuously improved manner
ERM needs this foundation for it to be successful and become
embedded in the organization.
ERM Step 1
Key Principles – Leveraging ERM
Risk Identification and Prioritization
• This is key to the organization
• Responsibility for this activity should be clear
• Risk management function is responsible for ensuring the processes
are appropriate and functioning properly.
• A process must identify risks and prioritize them in a way that
potential risks are addressed in the framework.
ERM foundation needs to be established before beginning to identify
and prioritize enterprise risks. A cross-functional team will be best
equipped to complete this activity.
Key Principles – Leveraging ERM
Risk Appetite, Tolerances and Limits
• A formal risk appetite statement, with associated risk tolerances and
limits, is a foundational element of a risk management framework
• Understanding the risk appetite statement ensures alignment with the
risk strategy set by senior management and the board of directors
• This should be easy to communicate, be understood, and should be
closely tied to the organization’s strategy.
• Underlying tolerances and limits can be selected and applied to
business units and risk areas as deemed appropriate.
• Risk tolerances/limits provide direction outlining the Company’s
tolerance for taking on certain risks
ERM utilizes a strong risk appetite in the assessment of enterprise risk.
Key Principles – Leveraging ERM
Risk Management and Controls
• Managing risks is an ongoing ERM activity, operating at many levels
within the organization
• It is a key aspect of managing and controlling the reasonably
foreseeable and relevant material risks of the organization.
• Relevant business units put mechanisms in place to identify, quantify
and monitor risks
• Risks are reported up to the next level based upon the risk reporting
and risk limits.
• Controls are put in place on the backend, by internal audit or
independent consultant
ERM is most effective with both clear accountability and controls.
Key Principles – Leveraging ERM
Risk Reporting and Communication
• Provide key constituents with transparency into the risk-management
processes
• Facilitates active, informal decisions on risk-taking and management.
• Reporting is made available to the management, board and
compliance as appropriate
• Reporting can allow decisions to be made throughout the
organization by appropriately authorized people, with ultimate
ownership by senior management or the Board, as appropriate
ERM is an active and living process that depends upon reporting and
communication to be value driven.
ORSA – Leveraging ERM (contd.)
Other essential items to include:
• How are risks monitored?
• How are new or emerging risks added to the process?
• How strategic or business decisions are impacted
• Signed by Chief Risk Officer (or executive responsible for the oversight of
the insurer’s ERM process); attesting to the best of his/her belief and
knowledge that the insurer applies the ERM process as described in
the ORSA Summary Report, and that a copy has been provided to
the board of directors or the appropriate committee
ORSA – Leveraging the Steps of ERM
Foundation
Risk Culture
Governance
Roles & Responsibility
Identification
Relevant
Inter-related
Risks being
Identified &
Categorized
Assessment
Risk Appetite
Risk Tolerance
Limits
Enterprise-Level,
Approved by Board
Effective Controls
Evaluate
Linked to Strategy
Prioritized
& Used in business strategy
Tools used
Risk Response
Reporting within the
Company
Controls used to
Mitigate or
Manage risk
Monitoring
ERM program
emerging risks
Maturity of Your ERM/ORSA Program
Level 0 (Non-Existent): Insurer has not recognized a need for risk management and risks aren’t directly identified, monitored or managed.
Level 1 (Ad hoc): Insurer has not developed or documented standardized risk management processes and is relying on the individual efforts of staff to identify, monitor and manage risks.
Maturity of Your ERM/ORSA Program
Level 2 (Initial): Insurer has implemented risk management processes, but the processes may not be operating consistently and effectively. Certain risks are defined and managed in silos rather than consistently throughout the organization.
Level 3 (Repeatable): Insurer has risk management processes in place designed and operated in a timely, consistent and sustained way. The insurer takes action to address issues related to high priority risks.
Level 4 (Managed): Insurer is advanced in its risk management capabilities. Risk management activities are coordinated across business areas and tools and processes are actively utilized. Enterprise-wide risk identification, monitoring, measurement and reporting are in place.
Level 5 (Leadership): Insurer is at the leading edge of companies in relation to risk management. Risk management is embedded in strategic planning, capital allocation, and other business processes and is used in daily decision-making. Risk limits and early warning systems are in place to identify breaches and require corrective action from board & management.
ORSA Sections 2 & 3 Update Jerry Ravi, Partner (EisnerAmper)
How the assessment portion of ORSA ties into ERM and governance
How internal and external audit can be leveraged.
Key ORSA Components
• Utilize Best Practices - RIMS Risk Maturity Model (RMM)
• Evaluate key principles on an ongoing basis – start with a health check
• Define Risk Profile, Appetite and Tolerances
• Ensure integration and communication throughout the organization (leverage existing risk functions and assurance activities)
Evaluate the Maturity of the ERM Framework
• Organize information into main risk categories or risk objectives
• Ensure documentation and rationale for risk exposures under both normal and stressed scenarios
• Conduct workshops to evaluate exposures
• Prioritize and align to strategy, decisions and capital allocation
• Measurement and alignment to capital allocation / compensation
Assess Risk Exposure
• Relying on various models including internal and external models (RBC, BCAR, etc…)
• Review / utilize technology and software solutions (Igloo, MG-ALFA, etc…)
• Quantify necessary capital for different risks using various assumptions (stochastic and deterministic)
Determine internal capital assessment
Section 2 – Assessment of Risk Exposure
Phase 1 – Communicate /
Align to Objectives
Phase 2 – Identify, Analyze and
Prioritize
Phase 3 – Validate and Collaborate
Phase 4 –Report and Monitor
Risk Identification & Prioritization
Risk identification is the continuous process by which Risk Management creates and updates its catalog of risks.
• Cataloged by risk categories and sub-categories tailored to the insurer
• Risks have to be assessed for prioritization; too many risks to be monitored and managed at the enterprise level
• Perform Risk Assessment to prioritize risks and to identify key risks
Leverage Internal and External Audit Process
Focus on continuous monitoring and follow-up
Risk Maturity Model – Evaluation (NAIC ORSA principles)
Key Principle(s)
Initial Repeatable Managed Leadership
Risk Identification and Prioritization
The ERC manages business area risks, creating context for risk assessment as a foundation of the ERM Process. ERM dedicated process owners identify and create risk indicator lists and share them with the ERM Process owners for tracking and measurement. Impact, likelihood, and controls’ effectiveness are standardized and used for prioritization and risk follow-ups.
ERM Program Managers review Risk indicators deemed critical to their areas with the ERM team on a weekly basis. ERM standardizes evaluation criteria of impact, likelihood, and controls’ effectiveness that are used to prioritize risk for follow-up activity.
ERM gathers and maintains Internal and external best practices based on experience to enhance the risk management process. The ERC, on a quarterly basis, provides risks and opportunities to senior management. Frontline employees’ participation is promoted through workshops.
Risk Based Decision Making
Risk Profile Monitoring &
Reporting
Company Structure
DECISIONS
Risk Processes & Tools
What types and levels of risk support objectives?
What data / analysis are needed?
What structure supports effective decision making?
What information is
needed to make the decision?
Risk Management and Controls Assessment
• If risk responses, including controls, are not in place and operating as
designed, then the likelihood of an event increases
• Assessing risk mitigation allows entities to gauge how well they’re
managing risks
• Risk mitigation assessment criteria include capabilities such as:
o Scenario planning
o Risk responses in place
o Ability to respond and adapt quickly as events unfold
o Capacity to withstand events such as capital buffer and financial strength
o Consider Data Analytics and Technology Solutions to enable an effective assessment and monitoring process
Risk Assessment – Impact Criteria
Rating 5 (Extreme)
• Financial: Annual financial loss of XXX
• Reputational: International long-term negative media coverage; game-changing loss of market share
• Legal/Regulatory: Significant prosecution and fines, litigation including class actions, incarceration of leadership; Product Liability significant
• Operational: Complete disruption of operations for 2 weeks or more
• People/safety/environmental: Loss of multiple, key executives; significant injuries or fatalities to employees or third parties, such as customers or vendors; permanent environmental damage attributable to the company
Rating 4 (Major)
• Financial: Annual financial loss of XX million up to XX million
• Reputational: National long-term negative media coverage; significant loss of market share
• Legal/Regulatory: Report to regulator requiring major project for corrective action
• Operational: Complete disruption for less than 2 weeks
• People/safety/environmental: Limited in-patient care required for employees or third parties, such as customers or vendors; some senior managers leave, high turnover of experienced staff, not perceived as employer of choice; environmental incident requires remediation
Rating 3 (Moderate)
• Financial: Annual financial loss of $XX million up to $XX million
• Reputational: National short-term negative media coverage
• Legal/Regulatory: Report of breach to regulator with immediate correction to be implemented
• Operational: Major interruption for less than a week
• People/safety/environmental: Out-patient medical treatment required for employees or third parties, such as customers or vendors; widespread staff morale problems and high turnover; environmental incident disrupts operations
Rating 2 (Minor)
• Financial: Annual financial loss of $XX million up to $XX million
• Reputational: Local reputational damage
• Legal/Regulatory: Reportable incident to regulator, no follow up
• Operational: Intermittent interruption up to a week
• People/safety/environmental: No or minor injuries to employees or third parties, such as customers or vendors; general staff morale problems and increase in turnover
Rating 1 (Incidental)
• Financial: Annual financial loss of less than $XX million
• Reputational: Local media attention quickly remedied
• Legal/Regulatory: Not reportable to regulator
• Operational: Interruption of less than a day
• People/safety/environmental: No injuries to employees or third parties, such as customers or vendors; isolated staff dissatisfaction
RISK ASSESSMENT (Section 3 - from the Actuary’s Desk) Quantitative Considerations
Actuarial Standard of Practice #46 –
“Risk Evaluation in Enterprise Risk
Management”
ASOP 46 focuses on 5 aspects of risk evaluation:
1. Risk Evaluation Models
2. Economic Capital
3. Stress testing
4. Emerging Risks
5. Other Risk Evaluations
RISK ASSESSMENT
• They need to fit the purpose for which they are being used, and have the appropriate characteristics for the situation reflecting cost, timeliness, sophistication, ability to stress test, and also be integrated, complete and reproducible.
• The underlying model assumptions should be documented, supported and appropriate
Risk Evaluation
Models
• Model must reflect appropriate accounting considerations
• Since often the output is dependent on the distribution of outcomes under extreme events, the model should be validated by experience whenever possible and tested for reasonability
Economic Capital - (i.e. BCAR, RBC)
• Should consider varying time horizons (catastrophe vs recession)
• Scenarios should be appropriately selected and reflect potential resulting changes in behavior, both your own and/or others. (i.e. - demand surge after hurricane cats.)
Stress and Scenario Testing
Three Lines of Defense Drives Governance Structure
Senior Management
Board of Directors / Audit Committee
1st Line of Defense; 2nd Line of Defense; 3rd Line of Defense
Administration Controls
Internal Control Measures
Financial Control
Security
Risk Management
Quality
Compliance
Legal
Assurance & Validation
External Auditor / Regulator
External Audit Approach – Leveraging ERM
Interviews
• Enterprise Risk Committee
• Internal Audit
• Audit Committee
Review of company prepared risk assessment documents
• Inventory of risks
• Internal strategy documents
• Meeting minutes
Evaluate how changes to the environment are factored
• Rapid growth
• Change in business mix
• New products
• Changes in technology
ERM Evaluation
Financial Risks (Competition, Credit, Capital needs)
Operational Risks (Profitability, U/W, control Structure, key indicators, related party transactions, business continuity, business mix)
Prospective Risks (Regulatory, Liquidity, Reputational)
Benefit: An Audit that addresses key risks, a more efficient audit process, value
added recommendations
As part of audit planning, in order to understand the entity, we
complete a financial & operational risk assessment including:
Questions
Please Complete the Session Evaluation Form on the Conference App