Embed Size (px)
DESCRIPTION
David Ingram CERA, FRM, PRM. Enterprise Risk Management For Insurers and Financial Institutions. From the International Actuarial Association. 1. INTRODUCTION - Why ERM? 2. RISK MANAGEMENT FUNDAMENTALS – FIRST STAGE OF CREATING AN ERM PROGRAM - PowerPoint PPT Presentation
Citation preview
1
EnterpriseRisk ManagementFor Insurers and Financial Institutions
David IngramCERA FRM PRM
From the International Actuarial Association
2
Course Outline
1 INTRODUCTION - Why ERM
2 RISK MANAGEMENT FUNDAMENTALS ndash FIRST STAGE OF CREATING AN ERM PROGRAM
3 RISK ASSESSMENT AND RISK TREATMENT - ACTUARIAL ROLES
4 ADVANCED ERM TOPICS
3
ERM FUNDAMENTALS
FIRST STAGE OF CREATING AN ERM PROGRAM
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
29 Developing a First Stage Implementation Plan
4
21 Risk Identification
Systematic identification principal risks
Two Common Methods
Top Down Bottom Up
5
Risk Identification
Top Down Bottom Up
Advantages
Takes One DayTop Management Buy InResults in something that is at the right level of detail for top management amp Board
Likely to Capture all risksSometimes Middle Management buy inMay be at an actionable level for middle management
DisadvantagesRequires One Day of Top Management AttentionMight Miss SomethingMiddle Management might buy inRequires staff time to go from generalities to actionable level for middle management
Takes a Full YearMight not be accepted by Top ManagementRequires plenty of staff time to summarize for Top Management amp Board
6
Top DownKey Risks amp Controls Workshop
1) Risk Identification
2) Risk Assessment
3) Risk Control Assessment
4) Heat Map Development
5) Risk Plan
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
2
Course Outline
1 INTRODUCTION - Why ERM
2 RISK MANAGEMENT FUNDAMENTALS ndash FIRST STAGE OF CREATING AN ERM PROGRAM
3 RISK ASSESSMENT AND RISK TREATMENT - ACTUARIAL ROLES
4 ADVANCED ERM TOPICS
3
ERM FUNDAMENTALS
FIRST STAGE OF CREATING AN ERM PROGRAM
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
29 Developing a First Stage Implementation Plan
4
21 Risk Identification
Systematic identification principal risks
Two Common Methods
Top Down Bottom Up
5
Risk Identification
Top Down Bottom Up
Advantages
Takes One DayTop Management Buy InResults in something that is at the right level of detail for top management amp Board
Likely to Capture all risksSometimes Middle Management buy inMay be at an actionable level for middle management
DisadvantagesRequires One Day of Top Management AttentionMight Miss SomethingMiddle Management might buy inRequires staff time to go from generalities to actionable level for middle management
Takes a Full YearMight not be accepted by Top ManagementRequires plenty of staff time to summarize for Top Management amp Board
6
Top DownKey Risks amp Controls Workshop
1) Risk Identification
2) Risk Assessment
3) Risk Control Assessment
4) Heat Map Development
5) Risk Plan
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
3
ERM FUNDAMENTALS
FIRST STAGE OF CREATING AN ERM PROGRAM
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
29 Developing a First Stage Implementation Plan
4
21 Risk Identification
Systematic identification principal risks
Two Common Methods
Top Down Bottom Up
5
Risk Identification
Top Down Bottom Up
Advantages
Takes One DayTop Management Buy InResults in something that is at the right level of detail for top management amp Board
Likely to Capture all risksSometimes Middle Management buy inMay be at an actionable level for middle management
DisadvantagesRequires One Day of Top Management AttentionMight Miss SomethingMiddle Management might buy inRequires staff time to go from generalities to actionable level for middle management
Takes a Full YearMight not be accepted by Top ManagementRequires plenty of staff time to summarize for Top Management amp Board
6
Top DownKey Risks amp Controls Workshop
1) Risk Identification
2) Risk Assessment
3) Risk Control Assessment
4) Heat Map Development
5) Risk Plan
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
4
21 Risk Identification
Systematic identification principal risks
Two Common Methods
Top Down Bottom Up
5
Risk Identification
Top Down Bottom Up
Advantages
Takes One DayTop Management Buy InResults in something that is at the right level of detail for top management amp Board
Likely to Capture all risksSometimes Middle Management buy inMay be at an actionable level for middle management
DisadvantagesRequires One Day of Top Management AttentionMight Miss SomethingMiddle Management might buy inRequires staff time to go from generalities to actionable level for middle management
Takes a Full YearMight not be accepted by Top ManagementRequires plenty of staff time to summarize for Top Management amp Board
6
Top DownKey Risks amp Controls Workshop
1) Risk Identification
2) Risk Assessment
3) Risk Control Assessment
4) Heat Map Development
5) Risk Plan
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
5
Risk Identification
Top Down Bottom Up
Advantages
Takes One DayTop Management Buy InResults in something that is at the right level of detail for top management amp Board
Likely to Capture all risksSometimes Middle Management buy inMay be at an actionable level for middle management
DisadvantagesRequires One Day of Top Management AttentionMight Miss SomethingMiddle Management might buy inRequires staff time to go from generalities to actionable level for middle management
Takes a Full YearMight not be accepted by Top ManagementRequires plenty of staff time to summarize for Top Management amp Board
6
Top DownKey Risks amp Controls Workshop
1) Risk Identification
2) Risk Assessment
3) Risk Control Assessment
4) Heat Map Development
5) Risk Plan
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
6
Top DownKey Risks amp Controls Workshop
1) Risk Identification
2) Risk Assessment
3) Risk Control Assessment
4) Heat Map Development
5) Risk Plan
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
7
Risk Identification
Which are your Risks
A List of Risks Facing Insurers (compiled by Dave Babbel Wharton School)
CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics amp Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce Service Mortality Management Succession Morbidity RecruitmentRetention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings
ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS amp CMO Other Regulatory Changes Duration Convexity Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape Twist GAAP for Mutuals Systematic Risks Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics amp Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the Bank Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political amp Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism
Political amp Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism
CreditRisk
InsuranceRisk
MarketRisk
LiquidityRisk
GroupRisk
OperationalRisk
ERM
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
8
Risk Assessment
How Significant are your risks
Subjective Assessment
Consensus view Frequency Severity
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
9
Risk Control Assessment
For Most Significant Risks How effective are your existing
control processes For the best controlled risks
how much risk is left after the control process Are they still significant
Subjective Assessment Not as easy to reach
consensus
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
10
Heat Map Development
Risk Control Self Assessment
Risk amp Control Heat Map
Large
Medium
SmallMore Effective Control
Less Effective Control
Low Priority
Moderate Priority
High Priority
Ris
k S
ign
ific
anc
e
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
11
Risk Control Plan
Choose High Priority Risks to address this year
Plan will be toPrepare detailed documentation of existing control
processesResearch and identify best practice control
processesCompare existing to best practiceChoose improvements to makeImplement improvements
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
12
22 Risk Language
Explicit firmwide words for risk and Risk Management
RISK WORDS
Start with LOSS What are the words for the worst thing that has happened
In the past quarter In the past year Ever
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
13
Realistic Loss Terminology
Good ndash Company meets plans bonuses paid Adverse ndash Company fails to meet plans by significent
margin no bonuses paid May be some layoffs Terrible ndash Company shows significant loss Top
management loses jobs Horrible ndash Company suffers large loss Downgraded
(or other bad publicity) causes company to lose ability to sell new business
Disaster ndash Company loses almost all surplus Taken over by regulators
Substitute your own words
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
14
Risk Terminology
Frequency amp Severity
Does ldquoHigh Severityrdquo mean the same thing in different departments
Do different departments have similar time frames in mind
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
15
Risk Management Terminology
What is it called when someone doing risk management
Risk Treatment Risk Mitigation Underwriting Hedging ALM Quality Control
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
16
Make a List
Of Risk amp Risk Management words that we use this week that are NOT part of company vocabulary
And another list of words that are used
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
17
23 Risk Measurement
What gets measured gets managed
Includes Gathering data risk models multiple views of risk and standards for data and models
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
18
Risk Measurement ndash Minimal Practice
Do not have needed data readily availableModels for some risksOnly one measure of risks where there are anyMay be calculating something that is slightly or significantly different from risk definition
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
19
Adequate Risk Measures1 Information is not too late to drive any action
2 Gives broad indication of the amount of risk ndash mostly reflecting differences to volumes
3 Inexpensive
4 May be understood by primary users and misunderstood by occasional users
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
20
Good Risk Measure1 Timely
2 Accurately distinguishes broad degrees of riskiness within the broad risk class
3 Not too expensive or time intensive to produce
4 Understood by all who must use
5 Actionable
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
21
Excellent Risk MeasureGood Risk Measure Plus
6 Can help to identify changes to risk quality
7 Provides information that is consistent across different Broad Classes of Risk
8 For most sensitive risks will pinpoint variations in risk levels
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
22
Best Practices Risk Measurement
Gathering data for risk measurement is regular output of operational processes
Risk Models exist and are used for every risk Multiple views of risk are developed Risk Measurements are consistent with Risk
definitions amp Risk Language Clear standards for Data Models and measures
of risk
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
23
Improving Risk Measurement
Identify existing risk measures Classify as Adequate Good Excellent Look to create additional risk measures where
needed Look to improve quality of measures where
needed
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
24
Risk Measures
RISK Measure Quality Keep Improve Add
1
2
3
4
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
25
Risk Measurement
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Assessment
Risk Metrics
Gross Exposure
Expected Losses
Volatility of Losses
Ruin Tail Losse
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Gross Exposure
Credit ndash Amount invested in single group of companies (Name)
Equity Market Risk ndash Direct Holdings + Separate Account Holdings + Maximum value of guarantees
Interest Market Risk ndash Direct Holdings
Insurance ndash Face Amount + Max Probable Loss
Operational ndash Largest losses known adjusted by size of operation
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Expected Losses
Credit ndash Average per period Expected Loss over cycle ndash Maximum Loss per period over cycle
Market ndash may not apply
Insurance ndash Net Premium
Operational ndash Average losses per period
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Volatility of Losses
Market Credit Insurance
Standard Deviation of losses based onHistorical experience
Expected future of next cycle
Implied Volatility from market price of derivatives
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Ruin Tail Losses
Stress Tests
VaR
CTE
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Measurement Tools
Market Risk Measures
Cash Flow Testing
Duration
Convexity
Value at Risk
Option Adjusted Spread
Sharpe Ratio
Key Rate Durations
Tracking Error
General amp Insurance MeasuresAE Experience MonitoringLiquidity Analysis Scenario AnalysisStress TestingEmbedded ValueEarnings at RiskProbable Maximum LossPerformance AttributionEarnings by SourceRBC Ratios
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
AE Experience Monitoring
Actual experience is regularly compared to pricing andor budgetplan expectations to show the degree to which liability assumptions are being met Trend analysis is often performed on AE ratios to see whether to expect continuation of favorable or unfavorable experience
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Stress Testing
Process to identify and manage situations that could cause extraordinary losses Stress Testing uses scenario analysis stress models correlations and volatilities and policy responses
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Probable Maximum Loss
The maximum loss that is incurred for the entire company in a pre-defined disaster scenario situation PML is usually the ultimate stress test selected subjectively by the company management to reflect the worst situation that they think has any significant likelihood PML is also the term sometimes used to describe the exposure to loss from a single event such as a natural disaster or the default of a bond issuer
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Scenario Analysis
Evaluation of the asset and liability portfolios under various economic assumptions Typically involves large movements in key variables and full cash flow projections
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Liquidity Analysis
Analysis of a companyrsquos ability to withstand a stress liquidity situation over a short term horizon The analysis takes into account the companyrsquos capital position the liquidity of the asset portfolio the surrender potential of the liability portfolio the degree of cash matching employed the number of contract-holders distribution channels target markets and size of the company
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Embedded Value
The present value of future profits that are ldquoembededrdquo in the existing inforce business
May be best estimates discounted at a risk adjusted interest rate
Some use accounting system profits (with margins for adverse deviation) and discount at an after-tax return on underlying assets
Used as a proxy for market value of liabilities
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Earnings at Risk
The expected decrease in earnings over a specified time period within a given confidence level Using GAAP values avoids some of the difficult problems of marking insurance company liabilities to market However the full GAAP impact from a shock to certain risk factors does not necessarily emerge in the short time frame generally captured in these types of calculations
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Performance Attribution Earnings by Source
Process of disaggregating actual return into pre-defined components This is a retrospective measure that can be designed to show which risk factors are causing losses
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
RBC Ratios
The ratio of RBC to adjusted statutory surplus is used as the standard for surplus adequacy related to company risks Some companies use Rating Agency surplus formulas while others use internally developed Required Surplus formulas
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR
Value at Risk
Quick Measure of Risk ndash originally for derivatives trading book of bank
Has become primary measure for Banks
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
VaR = 498 ndash 232 = 266
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR
Advantages
Quick amp Easy to calculate
Easy to explain and understand
Disadvantages
Shortcuts commonly used may render result meaningless
Ignores much of tail
Can be ldquogamedrdquo
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR
Definition
Value at Risk is expected loss at a particular level of probability (usually 95 or 98)
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR
Calculation Methods
Historical
Mean Variance
Simulation
Usually calculated for 1 day and extrapolated to 10 days
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR ndash Historical Calculation
Collect historical values for past 250 trading days
Rank Values
95 VaR is 238th worst value
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR Mean Variance Calculation
Determine Mean and Variance of loss function
Historical
Expectations for Future
Risk neutral ndash Implied by Current Market Prices
Assuming Normal Distribution of loss determine 9598 loss
95 loss = mean ndash 1645 x Std Dev
98 loss = mean ndash 2052 x Std Dev
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
VaR Stochastic Calculation
Usually used where
market values are not available and
distribution of losses is know to be non-normal
Develop stochastic scenarios of fundamental market elements
interest rates equity
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
CTE
Contingent Tail Expectation
aka Tail VaR
Average of values worse than VaR
CTE90 means average of worst 10 of values
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
CTE ndash Monte CarloEmbedded Value
Product A
-600
-400
-200
0
200
400
600
8001 39 77 115
153
191
229
267
305
343
381
419
457
495
533
571
609
647
685
723
761
799
837
875
913
951
989
90th Percentile
Expected Value = 498
= 232
90 CTE
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Effective Risk MeasurementRelevance
Relationship to financial results reporting
Comprehensiveness
All types of risks
All significant aspects of those risks
Responsiveness
Reflecting changes in levels of risks over reporting period
Practicality
Schedule comparable to financial results reports
Reasonable cost to produce
Ability to project alternatives over planning period
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
56
24 Risk Management Policies and Standards
Clear and comprehensive documentation
Clearly document the firms policies and standards regarding how the firm will take risks and how and when the firm will look to offset transfer or retain risks Definitions of risk-taking authorities definitions of risks to be always avoided underlying approach to risk management measurement of risk validation of risk models approach to best practice standards
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
57
Minimal Practice
Some policies are fully documented Some documentation is out of date Everybody knows what risks to avoid without writing down
Middle management regularly brings proposals for new projects that are rejected because risk is unacceptable
Risk measures might change at any time Models are often used without any documented validation Best practice standards are unknown No verification of risk management activities
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Policies Case Study
bull Large Diversified Companybull Risk Management is a strong fundamental
cultural valuendash Operation of Risk Management Systemndash Review of new initiativesndash Care amp Feeding of RM Culture
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Operation of RM System
bull A system of limits and flagsndash Limits ndash for credit market and insurance risk
for each companybull Timely measurement of exposuresbull Actual vs Limit reports are widely distributedbull Limits roll-up company and corporate org chart
ndash Every manager up the line has limits
bull Limits are re-evaluated every year based on financial results prior period limits and flags
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Limits and Flags
bull Flagsndash Include annual evaluation of macro risks of each
businessbull Regulatory Riskbull Political Riskbull Credit Market and Underwriting risk
ndash Portfolio Quality Analysisndash Business Performance
bull Annual review of Flagsndash Renewalupdate of Limits
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Review of New Initiatives
bull 10 step processndash Several go-no go checkpoints
bull Including review of proposals forndash Risk Measurementndash Risk Limitsndash Risk Mgt ndash Hedging Reinsurance etc
ndash Risk Management needs to be detailed before significant developmental resources are committed
ndash Review Committee consists of bull Chief Actuarybull Chief Risk Officer (May be Chief Actuary)bull CFObull Chief Marketing Officer
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Care amp Feeding of RM Culture
1 Installing RM process is a major part of any acquisition 90 day transition process
2 Risk Officer position established in every business unit Expectations of Risk Officer are uniform across firm
3 Risk Officers are provided with tools to comply with corporate requirements
Intranet website contains full sets of templates and actual reports
Global Risk Officer meetings
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Policy Statement
From Manulife Annual Report
goal in managing risk is to strategically optimize risk taking and risk management to support long-term revenue and earnings growth and shareholder value growth
seek to achieve this by capitalizing on business opportunities that are aligned with the Companyrsquos risk taking philosophy risk appetite and return expectations
bull by identifying monitoring and measuring all keyrisks taken and
bull by proactively executing effective risk control and mitigation programs
Risks will only be assumed that are
bull prudent in relation to the Companyrsquos capital strength and earnings capacity
bull are aligned with our operational capabilities
bull meet our corporate ethical standards
bull allow us to remain diversified across risk categories businesses andgeographies and
bull for which we expect to be appropriately compensated
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
What Additional Policies amp Standards
bull Need to exist to make the Manulife Policy Statement totally effective
1
2
3
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
More from Manulife
To ensure consistency these strategies incorporate policies and standards of practice that are aligned with those within the enterprise risk management framework covering
bull Assignment of risk management accountabilities across the organization
bull Delegation of authorities related to risk taking activities
bull Philosophy related to assuming risks
bull Establishment of specific risk limits
bull Identification measurement monitoring and reporting of risks and
bull Activities related to risk control and mitigation
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Potential Topics for Policies amp Standards
21 Risk Identification systematic identification principal risks
22 Risk Language explicit firmwide words for risk and Risk Management
23 Risk Measurement What gets measured gets managed
24 Risk Management Policies and Standards Clear and comprehensive documentation
25 Risk Organization Roles amp Responsibilities
26 Risk Limits Set track enforce
27 Risk Management Culture ERM amp the staff
28 Risk Learning Commitment to constant improvement
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Basic Elements of Policies amp Standards
Who What policy applies to
Who approved policy when effective
Actions and communications required
Actions prohibited
Who has authority to grant exceptions to policy modify policy
Consequences of violation of policy
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
69
25 Risk Organization
Roles amp Responsibilities
Coordination of ERM through High-level risk committees risk owners Chief Risk Officer corporate risk department business unit management business unit staff internal audit Assignment of responsibility authority and expectations
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Organization
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Board amp Top ManagementRisk Management Responsibilities
bull Supporting Risk Managementndash Decisions Actions Incentives Access
bull Establishing Risk Mgt Organizationbull Specifying
ndash Loss Tolerancendash Earnings Volatility Tolerancendash Capital Targetndash Rating Target
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Supporting Risk Mgt
bull Decisions ndash Insisting on Risk information before making decisionsndash Using Risk information to influence decisions
bull Actions ndash Backing enforcement of Risk Mgt policy violations
bull Incentivesndash Including risk mgt criteria in incentivesndash Eliminating incentives that directly work against risk
management
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Establishing Risk Mgt Organization
Board Risk CommitteeCorporate CRO positionCorporate Risk Mgt CommitteeSufficient Staff
Number of peopleTraining
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Provides Leadership and Vision for ERMActs as point person in establishing integrated ERM Champion of Intelligent Risk Management
Balance of Caution amp Encouragement
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk Officer
Balancing ActSTOP
Caution
GO
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Chief Risk OfficerResponsible forRisk PolicyRisk Analytics and ReportingBusiness Unit CROrsquosCommunication
Member ofCapital Management Committee
Leader ofRisk Management Committee
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
CRO Staff
bull Head of Credit Risk Mgtbull Head of Market Risk Mgtbull Head of Insurance Risk Mgtbull Head of Operational Risk Mgt
ndash Insurance Manager
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Committee
MembersChief Financial OfficerChief Investment OfficerChief ActuaryInternal AuditorChief Risk OfficerChief Operating Officer
Members Members (possible)(possible)ndash Chief Marketing OfficerChief Marketing Officerndash Chief Service OfficerChief Service Officerndash Chief CounselChief Counselndash Chief UnderwriterChief Underwriterndash Chief Information OfficerChief Information Officer
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Oversight Committee Responsibilities
Review amp approve risk policyOversee enforcementEnsure RM objectives are met Review amp approve RM Strategies of business unitsPeriodic review of RM programs
especially focusing on impact of environmental changes on impact and effectiveness of programs
Review of new products amp programs
CCRO White Paper
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Oversight Committee Responsibilities
bull Set amp enforce requirements for regular risk reporting
bull Periodic independent review of risk management
bull Review models used to evaluate risks
CCRO White Paper
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk amp Loss Tolerances
bull Risk Oversight Committeendash Transforms Board amp Senior
Management Preferences into specific actionable clear measurable standards
ndash Monitoring of compliance with standardsndash Enforcement of consequences for
violations of standards
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Reporting
PampL from risksCurrent exposure
AggregateBy typeLargest exposures
Limit utilizationRecord amp status of exceptions
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Organization Examples
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Sun Life of Canada ERM Organization
A Central (Corporate) Risk Officendash headed by CROndash 3 Direct Reports - Responsible for
(1) operational risk management amp corp ins programs (2) risk assessment amp modeling Stds (3) Insurance risk - underwriting mortality morbidity amp
reinsurancendash CRO - board mandate - open access
throughout company bull access to SrMgt amp Board- regularly meets
alone whead of board risk review committee
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Organization
A Board Risk Review Committee
B Exec Risk Committee - chaired by CEO - lead by CROndash President CFO Chief Counsel Appointed Actuary Inv
Risk Management Head Internal Auditorndash Policy Setting - Emerging issues - Monitoring special
problemsC Central Risk Steering Committee
ndash CRO SBU Risk Officers SBU auditors Chief Actuary Chief Compliance Officer Chief Auditor
ndash Implementation of RM policy
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
92
26 Risk Limits
Set track enforce
Control Cycle
Bottom Up Top Down Process
Comprehensively clarifying expectations and limits regarding authority concentration size quality a distribution of risk targets and limits as well as plans for resolution of limit breaches and consequences of those breaches
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
93
Actuarial Control Cycle
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
COSO Control Cycle
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Cycle
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
96
Control Cycle Elements
Identify Risks Evaluate Risks Monitor Risks Diversify Risks Limit Avoid Risks amp Offset Risks Transfer Risks New Product Risk amp Risk Control Review Process Reporting
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Control Cycle
IdentifyAssess
Plan
MonitorManage
Adjust
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Control Cycle
1 Identify
2 Assess
3 Plan
4 Manage
5 Monitor
6 Adjust
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
99
Risk Appetite
Understanding Risk Capacity (Tolerance) and
Risk Appetite (How much of Capacity will be used)
Discussions of
Peer Comparisons RBC Rating Agency Views Historical
Loss Scenarios Future Loss Scenarios Economic
Capital Franchise Value Effective Risk Appetite Risk
Preferences earnings volatility ruin
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
100
Risk Appetite Key Questions1 What have been the most successful decisions over the past 5 ndash 10 years
2 What adverse experience was avoided due to managementboard actions anddecisions over the past 5 ndash 10 years
3 What is the worst experience over the past 20 years
4 What is the worst experience that a peer company have in the past 20 years
5 What are the most significant risks at the current time
6 Where does the company expect to be in relation to peers 5 or 10 years in the future
7 What are the financial measures that are the most important to management and board
8 Based upon those financial measures how would management and board define
a great year a good year a fair year a poor year a terrible year and a disastrous year
9 What are the sorts of business opportunities that company
1048707 would never consider doing
1048707 would like to be doing more of
1048707 might do if the returns look to be very good
10 How would company see itself performing in a year when experience for the risks taken by company are at a worst in 20 year level
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
101
Types of Risk Appetite Statements
Ratings Based ndash Insurer will not take risks that will endanger their rating
from AM Best
Risk Based Capital Based ndash Insurer will maintain an RBC Ratio of at least xxx
Event Based ndash Insurer will maintain capital to support a loss at least as large
as experienced from Hurricane Katrina along with an investment loss like 2001
Probability Based ndash Insurer will maintain capital so that the probability of a
loss exceeding capital is no more than 3 in 10000 (AA SampP level)
Value Based ndash Insurer will maintain a level of capital the produces the best
franchise value for the firm with the risks taken
Earnings Based ndash Insurer will not take any risks that could result in the loss
of earnings of more one quarterrsquos average earnings over the past 5 years
Capital Based ndash Insurer will not take risks that will produce a loss of more
than 25 of capital at the 1250 probability level
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
102
Risk Treatment
Risks can be kept within limits by either
1) Controlling the amount of GROSS risk taken to keep it within limits
Includes management of the terms of gross risk taken
1) Using Risk Treatment techniques to make sure that NET risk retained is within limits
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
103
Risk Treatment Techniques
Financial Market Risks
ndash Hedging - ExternalInternal
ndash Asset Liability Management
Insurance Risks
ndash Reinsurance
ndash Capital Markets Instruments
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
104
27 Risk Management Culture
ERM amp the staff
ERM can be much more effective if there is risk awareness throughout the firm This is accomplished via a multi-stage training program targeting universal understanding of how the firm is addressing risk management best practices
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Culture
Culture ndash a set of shared beliefs goals ways of doing things among a group of people
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
What is the Culture of an Insurance Company
bull The Culture of a business can be thought of as the shared beliefs about the organizationndash We always do hellipndash We are really good at hellipndash We would never hellipndash hellip Is the most important thing around
here
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Culture includes the Company line on hellip
bull Salesbull Productsbull Servicebull Expense Controlbull Profitbull Marketsbull Compliance
bull Competitorsbull Financial Strengthbull Company Ratingsbull Participation in
industry civic charitable amp national affairs
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Risk Management Culture
Importance of Financial Strength Exposure to risk of insolvency Exposure to earnings Volatility
Awareness of risk and importance of risk management at all levels of the companyEmbedding risk management concepts into every business decision
Second nature
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Cultural Imperatives
Expense Management Culture
bull How much does it costbull How can we achieve the
same objective at a lower cost
bull Expenses are tracked frequently and expense reports are important management tools
bull If you spend over budget you will have to explain variance immediately
bull Compensation programs reward good expense management
Risk Management Culture
bull How much risk does it createbull How can we achieve the
same objective at a lower risk
bull Risks are tracked frequently and risk reports are important management tools
bull If your risk exposure goes over the limit you will have to explain variance immediately
bull Compensation programs reward good risk management
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
110
28 Risk Learning
Commitment to constant improvement
A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses both within the firm and from outside the firm
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Outward
InwardForwardBackward
Lessons Learned Framework
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
112
Risk Learning - Inward
Periodically revisit bull Risk Identification amp Control Assessment
bull Best Practices Implementation
bull Loss Experiences
bull Limit Violations
bull Measurement Problems
bull Successes
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
113
Risk Learning - Outward
What has happened to Peers Successes and Failures Developments in Best Practices Enhancements to Measurement Tools
What has happened in other Businesses and Regions
In Academia How many times do companies ask their new
college graduates to apply their education
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
114
Risk Learning - Backward
Look at historical risk management failures
ndash See Introduction
raquo Identify historical risk maangement successes
Companies who survived the major crises of the past generation
ndash How did they do it
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
115
Risk Learning - Forward
Risk Environment never stays static
ndash Imagine how risks might b e changing
ndash How might the company respond to the potential changes
bull Changes to limits measures mitigation techniques
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
116
29 Developing a First Stage Implementation Plan
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Building a Risk Management Program
bull Phase I ndash Assessmentbull Phase II ndash Best Practicesbull Phase III ndash Supportbull Phase IV ndash Communicationbull Phase V ndash Reinforcement
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Building a Risk Management Program
Build Risk Awareness Identify Risks Assess Risks
ndash Frequency ndash Severity
Assess Risk Offset Assess Risk Controls Assess Communication Identify Barriers
Phase I - Assessment
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Building a Risk Management Program
There are many Best Practices that have developed in Risk Management
Each Company will need to choose which they will emphasize
Include some already in practice Some that can be implemented easily Some difficult but important goals
Choices based on Assessment
Phase II ndash Best Practices
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Building a Risk Management Culture
bull Risk Management must have Board amp Broad Top Management support to develop Culture
bull Support has to take the form ofndash Budgetndash Priorityndash Accessndash Authority
bull And Public Statements
Phase III ndash Support
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Building a Risk Management Culture
bull Transparency - Major Component of Risk Managementndash Means that everyone can see what is
happening
bull Risk Reports ndash Broadly availablebull Successes amp Failures are disclosed
and discussed
Phase IV ndash Communications
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
Building a Risk Management Program
Must continually feed the culture incorporate new employees provide training amp growth for existing employees
Periodically revisit Assessment Phase Best Practices Phase
Revise or Reaffirm Risk Management Path
Phase V ndash Reinforcement
123
123
