Life 2008 Spring Meeting June 16-18, 2008 Session 42, Building and Maintaining Effective Risk Dashboards Moderator David T. (Todd) Henderson, FSA, MAAA, CERA Authors Karen J. DeToro, FSA,MAAA Michel Rochette, FSA

Risk Dashboard


COMPONENTS OF A RISK DASHBOARD


Session 42
Society of Actuaries Spring Meeting

Quebec City
Tuesday, June 17, 2008

8:30am – 10:00am

Building & Maintaining Effective Risk Dashboards

Todd Henderson, The Western & Southern Financial Group

Michel Rochette, AON Global Risk Consulting

Karen DeToro, Deloitte Consulting LLP


Risk Dashboards

Tool providing consolidated and timely reporting of risk exposures across an enterprise

– All important exposures, at a glance

– Drilled down and sliced as necessary

– Early warnings of emerging exposures

– Allowing preemptive, remedial action

Keys To Success

Algorithmics

– Integrate market risk, credit risk and asset liability reports in a single dashboard

– Easily created and configured new reports

– Rich set of visualization elements

– Interactive and responsive

Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf


Keys To Success

ABN Amro/LaSalle Bank

– Comprehensive risk assessment

– Integrated view of risk, reward and strategy

– Forward-looking, actionable, risk escalation tool

– Executive sponsorship

Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf

Keys To Success

COGNOS

– Data must be trustworthy

– The business must be involved in shaping the requirements

– Content first, then aesthetics

– Technology and architecture

Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf


Comprehensive View of Risk

[Figure: risk categories (Business, Operational, Insurance, Interest Rate, Market, Credit) shown for each of SBU, SBU, SBU and Corporate]

Drill Downs & Diagnostics

[Figure: risk categories (Business, Operational, Insurance, Interest Rate, Market, Credit) shown for each of SBU, SBU, SBU and Corporate]

Value At Risk = $643 Million


Forward Looking

Insurance

– Underwriting errors

– Pandemic Alerts

Operational

– Capacity measures

Credit

– Credit spread widening

– Watchlist increases

Market

– Value at Risk

– Volatility

Interest Rate

– Volatility

Actionable

[Figure: risk categories (Business, Operational, Insurance, Interest Rate, Market, Credit) shown for each of SBU, SBU, SBU and Corporate]

Underwriting Limit Breaches = 7

Chief Underwriter installs system edit prohibiting limit breaches


Executive Ownership

Each measure must be owned by a senior manager

– Ongoing monitoring

– Remedial action

Business units should be intricately involved in developing requirements

– Special knowledge

– Buy-in


Risk Dashboards

Society of Actuaries Spring Meeting

Date: June 17th, 2008

What is a Risk Dashboard?

As part of ERM, Decision Makers need an integrated view of risk across their enterprise.

Provide an approach to see correlation/links within a risk category and between risks.

Forces the organization to adopt a structured process to understand risk and opportunities:

– Review outstanding risk issues

– Prioritize management actions

– Be forward looking in risk management

– Monitor compliance with existing risk policies


Audiences: Different Needs

Risk has to be communicated to different groups:

– Board level:

    • To allow them to satisfy their fiduciary duties, making sure that management is actually managing risk.

    • To assess the level of risk in light of the company’s risk appetite.

    • To provide them with a consolidated view of major threats and opportunities that may affect the value of the company to the different stakeholders.

– Management level:

    • To provide them with a consolidated view of their company’s risks, a horizontal view instead of a silo view.

    • To allow them to assess the cost/benefit of implementing controls to reduce risk to the company’s desired risk tolerance/appetite.

– Business level:

    • To allow them to assess the effectiveness of “control” of the risks under their jurisdiction.


Case Study: Sub prime

Sub prime credits were issued in the mortgage department of the retail bank.

Treasury department securitized sub prime credits, created SPVs and sponsored CDOs and the like, in line with the new strategic models of banks to issue and sell, not hold to maturity as before.

Asset management departments/pension plans of the same banks invested in CDOs.

Retail banks/mutual funds, some owned by the same banks, created new short-term “guaranteed” investment vehicles for retail customers, investing in asset-backed securities.

Banks provided liquidity enhancements to SPVs.

Pricing/valuation models were not stress tested.


How a Dashboard Would Have Helped

A Dashboard should have consolidated the credit exposure for a single FI coming from:

– Issuance of the subprime credit

– Credit exposure of the SPV. FIs had to consolidate credit exposure back on their balance sheet after August 08 due to reputational considerations. Ex.: Banque Nationale/Desjardins in Quebec, Citigroup in the US.

– Investment by the asset management arm/pension plan.

A Dashboard should have identified the inherent risks of the securitization business:

– Operational risk exposure of models used should have been identified.

– Liquidity reports of the FI should have taken into consideration the liquidity guarantees offered by banks to SPVs.

– Market risk reports should have taken into consideration the market risk of positions held by the asset management arm/pension plan of FIs.

– Potential liabilities/regulatory/compliance issues should have been identified.


Applications of a Dashboard

Presents risk information consistently across the enterprise.

Consolidate risks across the enterprise including outsourced operations.

Allow enterprise to compare/analyze impact of external/emerging events on firm.

Allow firm to monitor adherence to risk appetite using appropriate risk metrics: VAR, EAR, Cash Flow at Risk.

Allow firm to publish consistent information to both internal and external audiences.


Dashboard: In line with Risk Concerns

Reputational Risk (52)

Regulatory Risk (40)

Human Capital Risk (40)

IT Risk (35)

Financial, Market, Credit and Insurance Risk (30)

Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005

Max Scale: 100


Information on Risk

Reputational Risk (52)

Regulatory Risk (40)

Human Capital Risk (40)

IT Risk (35)

Financial, Market, Credit, FX and Insurance Risk (30)

Operational Risk: Crime, security, political, natural hazard, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005

Max Scale: 100

Info: Vulnerability to critical processes

Measures:

– Physical security breaches

– Loss events

– Fraud incidents

– Environmental risk


Information on Risk

Reputational Risk (52)

Regulatory Risk (40)

Human Capital Risk (40)

IT Risk (35)

Financial, Market, Credit, FX and Insurance Risk (30)

Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005

Max Scale: 100

Info: Assets are impaired/capital at risk

Measures:

– Default rates

– Liquidity measures

– Price risk

– ALM risk


Information on Risk

Info: Malfunction in systems which impede business

Measures:

– System Downtime

– Information security breaches

– Business continuity readiness

– Disaster recovery


Information on Risk

Info: Employees unavailable/unwilling to perform functions.

Measures:

– Staff Turnover

– Key personnel attrition

– Compensation Competitiveness

– Accident rates


Information on Risk

Info: Compliance with external/internal regulations

Measures:

– Fines imposed

– # of investigations

– Status of implementation of internal policies

– New regulations discussions


Information on Risk

Info: Impact of previous risks on value of the firm including external factors.

Measures:

– Chain of events impacts

– Impact of new strategic initiatives

– Business risks: Price/volume competition


External Requirements: Consistency

Regulatory Standards:

– Basel II/Solvency II Pillar III: Info on risk exposure and governance

– SEC: information on risks in 10-K

Accounting Standards:

– IFRS: Provisions as related to risk events

– Brief description of the obligation, timing and uncertainty of outflows and expected reimbursements

Risk Standards:

– COSO ERM II

– Standards: ISO 31000/ANZ Australian Standards


Building and Maintaining Effective Risk Dashboards

Implementation Issues

June 17, 2008

Karen DeToro, Deloitte Consulting LLP


Key Challenges in Implementation

The most common challenges in implementing effective risk dashboards occur in the following key areas:

– Data Issues

– Integration into Decision Making

– Legal Issues


Data Issues

Data issues can be grouped into 3 general areas:

Data Availability

– Different data is required to be aggregated in a different way than for other reporting

– Timeliness of data is critical for supporting key management decisions

Reconciliation to Other Reports

– Variety of data sources may create challenges in reconciling data to published internal and external sources

Controls

– Non-financial data may not be well controlled

– The processes for gathering data (financial and non-financial) may not be well controlled


Approaches for Addressing Data Issues

Think broadly about universe of needed data at dashboard initiation

Create centralized database to hold all key data to facilitate controls and timely automated reporting

Build in sufficient flexibility to dashboard processes to be responsive as key risks change over time

Implement controls similar to those used for SOX 404; leverage existing controls over data where possible

Leverage commonalities with other data flows in organization

Develop a strong relationship with IT and business units supplying data to better understand the data and build a reliable pipeline for data


Integration into Decision Making

In order to fully support decision making, the dashboard must be:

Actionable

– Data must be relevant to management

– There must be the right level and amount of information targeted to the right audiences

Integrated into a process that drives action

– Push v. pull strategies for distributing data

Tied in to incentives

– Variable compensation must be partially based on performance against risk objectives


Legal Implications

Companies are concerned about disclosing too much risk information that may be subject to legal discovery

Companies’ responses to this issue fall somewhere on a spectrum:

Many companies (and their general counsel) presume that the middle road is more dangerous than burying one’s head in the sand

Ideal State

– Acknowledge the risk

– Collect data

– Do the right thing

Head in the Sand

– Do not acknowledge the risk

– Do not collect data

Middle Road

– Acknowledge the risk

– Collect data

– Do the “wrong” thing


Ford Motor Company: The Middle Road Done Wrong

The situation: 1970’s Ford Pinto

The risk: Gas tanks would rupture easily in the event of a rear-end collision

The data: The risk became apparent during the design and crash studies of the Ford Pinto

Cost of repairing the flaw: $11 per car ($137 million cost) [1]

Value of the benefit: $200,000 saved per life lost ($49.5 million benefit) [2]

Internal documents indicated that a cost-benefit analysis did not support fixing the flaw

Outcome: Estimates put the impact at over 500 deaths [3], and significant financial and reputational damage to Ford


Major Conglomerate: The Middle Road Done Right

The situation: Income tax return for a major US conglomerate

The risk: The company pursued a tax accounting policy, despite some concern that it might not be deemed acceptable by the IRS

The data: The company documented their rationale for interpreting the tax law as they did, and quantified the impact of their interpretation versus another interpretation commonly in use. This information was clearly documented

Outcome: The company was taken to court by the IRS. Although the company’s interpretation was ruled to be invalid, fines and penalties were substantially reduced because of the company’s ability to document its rationale


Taking the Middle Road – Other Lessons

1999 Institute of Medicine report: medical errors cost $17B to $29B per year and are the 8th leading cause of death in the US [4]

Pressure on hospitals to disclose errors so patients can make informed choices about where to obtain care

Hospitals have mechanisms in place to disclose adverse medical events as learning opportunities for doctors

– Weekly Mortality & Morbidity (“M&M”) conferences

– Hospital risk managers

Lessons can be learned from the approaches hospitals have taken in dealing with medical errors


Taking the Middle Road – Hospitals’ Responses

Hospitals have responded to pressures for full disclosure in several ways:

Traditional approach was “defend and deny”

– No admission of wrong-doing

– Cases cited of risk managers and doctors denying knowledge of medical errors to protect colleagues

Proposed legislation

– IOM proposed mandatory reporting of errors to make health care safer; simultaneously proposed legislation to extend peer-review protections to reports of errors (currently extend to M&M)

Improve processes to reduce errors

– Medical community adopting similar checks and protocols to the airline industry

Apologize and disclose

– Discussed in next case study

“With malpractice premiums soaring and a national patients’ rights movement pushing for full disclosure of medical errors, the industry is rethinking the traditional approach known as ‘defend and deny’.” [5]


Lexington VA: The Middle Road Refined

The situation: Hospitals use weekly Mortality & Morbidity (“M&M”) conferences and other disclosures of adverse events as learning opportunities to teach doctors how to address complications

The risk: Admissions of mistakes may be used against doctors in malpractice suits.

The data: Lexington VA implemented a mandatory disclosure policy, requiring all doctors to report errors to a committee which then informed the family and offered compensation.

Outcome: Instead, after implementation, the average cost of error-related payouts was only $15,632, which was in the lowest quarter of the 35 VA hospitals in the country, and Lexington VA is deemed one of the safest VA hospitals in the country. [6]

“Being honest defused situations that would otherwise lead to litigation.” [7]


Legal Issues - Summary

Companies can live more comfortably with the middle road by:

– Acting responsibly, prudently and reasonably with the data they gather

– Disclosing and apologizing when things go wrong

– Utilizing lessons learned from risk events to move closer to the ideal state by improving processes to limit future adverse events


Bibliography

End Notes

1. Mark Dowie. “Pinto Madness.” Mother Jones. Sept / Oct 1977.

2. Ibid.

3. Ibid.

4. Stephanie Mencimer. “Casualties of Medicine.” Legal Affairs. May / June 2003.

5. Rachel Zimmerman. “Doctors’ New Tool to Fight Lawsuits: Saying I’m Sorry.” Wall Street Journal. May 18, 2004, page A1.

6. Ibid.

7. Stephanie Mencimer. “Casualties of Medicine.” Legal Affairs. May / June 2003.

Other Sources

Sara Nathan and Guillermo X. Garcia. “Ford visit led to settlement.” USA Today. Jan. 9, 2000.

Jane Garbutt et al. “Lost Opportunities: How Physicians Communicate About Medical Errors.” Health Affairs. Vol. 27, No. 1, 2008.

Karen Lundegaard. “Study Raises Roof-Safety Questions.” Safety Issues. Vol. 4, Issue 41, April 2005.

Copyright © 2008 Deloitte Development LLC. All rights reserved.