Who is Responsible for Risk Management?

ORIMS Building Blocks Session

April 16, 2013

Susan Meltzer

VP, Enterprise Risk Management

Aviva Canada

Who is responsible for risk management?

Stakeholder Responsibility

Regulators Stock Exchanges

Board of Directors

Boards of Directors Chief Executive

Chief Executive Senior Management

Senior Management Front Line

Internal AuditExternal Audit

Front Line

Academia Front Line

Douglas Barlow: “All management is risk management”

re•spon•si•bil•i•ty (rɪˌspɒn səˈbɪl ɪ ti)

n., pl. -ties. 1. the state, fact, or quality of being responsible. 2. an instance of being responsible: The responsibility for this mess is yours! 3. a particular burden of obligation upon one who is responsible: the responsibilities of authority. 4. a person or thing for which one is responsible.

ac•count•a•bil•i•ty (əˌkaʊn təˈbɪl ɪ ti)

n. 1. the state of being accountable, liable, or answerable. 2. a policy of holding public officials or other employees accountable for their actions and results: a need for greater accountability in the school system.

What does it mean to be responsible?

Are they synonyms?

Responsibility versus accountability

Responsible / Accountable

Actions

Board of Directors Accountable Ensure that a risk management framework is in placeSet and approve the organization’s risk appetite

Chief Executive Accountable Operate the business within the risk management framework and risk appetite as defined by the Board

Senior Management Responsible Manage their activities within the requirements of the risk management framework

Front Line Responsible Operate the controls and limits that are defined to support the risk management framework

What about the risk manager?

• Advisor to the Board of Directors by designing the risk management framework and the risk appetite framework and limits for their approval

• Author risk policies for approval by the Board of Directors to ensure management knows “what” the Board intends by its risk management framework

• Design the tools, techniques and processes that support the risk management framework and work with senior management and the front line to implement effective and efficient risk management practices

• Develop monitoring and reporting protocols to ensure that management is operating within the framework

• Report to the Board on position against risk appetite

• Recommend (and/or execute) mitigation strategies to bring risks within appetite, for example, insurance and hedging programs

• Support the business in finding ways that they can accept risks to achieve competitive advantage

Risk Management Framework

IdentifyMeasure

Manage

Monitor

Report

Risk Appetite

• Management is responsible to implement and embed the framework

• The risk team supports and provides oversight to management during the implementation and embedding of the framework

• Review and refresh the framework to ensure that it continues to be fit-for-purpose

Risk Aware Culture

Governance

7

Three Lines of Defence for the Management of Risk

1st Line of Defence

Categorize RiskIdentify & Measure

• Risk identification based on drivers to Aviva’s economic capital, liquidity and franchise value and changes in the environment• Risk registers• Likelihood/Impact (risk maps)• Operational loss data• Stress and scenario testing• Key risk indicators• Internal model outputs

Management Actions

• Risk taking /transfer decisions• Contingency plans• Control effectiveness• Operational effectiveness

including business standards and performance management objectives

• Capital management activities• Re-planning as needed

2nd Line of Defence

3rd Line of Defence Independent assurance of the risk and control environment

Credit

Market

Liquidity

Insurance

Assurance

Custodianship of Risk Policies Challenge

Reporting

• Dynamic, focused on material risks and trends

• Performance and the impact on the risk profile, historical and prospective

• Decisions, taking in to account risk reward trade-offs

• Mitigating actions• Risk vs. Appetite

Measure Monitor Manage Report

Effectiveness of the RM Framework View on the risk profile

Bu

sin

ess

Man

agem

ent

Operational

Identify

Ris

k F

un

ctio

nIn

tern

al A

ud

it

Adding value to the discussion of risk:Risk Manager’s perspective of risk

Management

Key Risk Indicator/Risk Measure

Pro

bab

ility

TargetToleranceVAR/EC

Risk Management Governance

a

bc

You'll always miss 100% of the shots you don't take.  ~Wayne Gretzky

Business people focus on upside and quantification

• When we focus on expected losses we miss the tail and the extreme catastrophe

• When we focus on the tail, we miss managing the opportunities within the expected volatility and we miss the potential for extreme catastrophes

• We need to stand back and understand all of the dimensions of risk in order to make appropriate decisions

• The risk manager can play an invaluable role in leading and facilitating discussions that uncover the risks that can occur beyond the tail

The more frequently you look at data, the more noise you are disproportionately likely to get (rather than the valuable part, called the signal)Nicholas Taleb, “Antifragile”

Presentation title here 00.00.00 page 10

Three dimensions of risk

Various Risk Types /CategoriesProbability Analysis

Catastrophe ModellingAssessment of Tail Scenarios

Qualitative Assessment(includes the upside risks ofmissed opportunities)- High, Medium, Low- Risk Maps- Risk Workshops- Ranking of priorities

All three types of anlaytical tools must be applied to each risk category in order to perform complete analysis. Risk to reputation has aspiral effect on risks. When a seemingly minor incident is analyzed through these processes, the risk to reputation may far outweighfinancial/operational consequences.

Business judgement includingconsideration of 3 types ofconsequences- Financial- Operational- Reputation

- Accumulation of tail events- One time occurrences

- High frequency- Credible data-Misestimation of probabilitycould lead to accumulationand catastrophe