ERM Part 1
Social risk
Risk arising from uncertainty of future population characteristics (age profile, educational standards, health standards, wealth, attitudes and lifestyles).
Trend risk
Risk of future changes in claims frequency and severity.
Market risk for non-financial companies
Risk of lower sales or profits resulting from changes in market conditions.
Funding liquidity risk
Risk of money markets not being able to supply funding to businesses when required.
Swiss Solvency Test
Risk-based regulatory capital regime in force in Switzerland since 2011. Market consistent approach with solvency capital requirements calibrated to a TVaR at 99% confidence.
Problem of bias in a bad risk culture
Risks are not reported in a true and honest way.
Conduct risk
Risks relating to the relationship between a company and its customers (servicing issues, keeping pace with customer needs).
Level risk
(Underwriting risk) that underlying claims are not as expected.
Questions to consider for GRC systems
1. Are controls identified and documented?; 2. Are controls consistent across the business?; 3. Do controls address critical factors?; 4. Do controls include risk management?; 5. What testing procedures are required before signing off on the ICR?
Three Basel accords
1. Basel I (1988) set minimum capital requirements for banks; 2. Basel II (2004) superseded Basel I; 3. Basel III was developed in response to the 2008 financial crisis, focusing on liquidity, systemic and counterparty risks.
Three dimensions of the COSO cube
1. ERM components and processes; 2. in each business objective covered by the framework; 3. at each business level of application.
Economic risk factors
1. aggregate supply and demand; 2. government policies; 3. unemployment levels; 4. inflation, interest and exchange rates; 5. accommodation costs.
Key features of the UK Corporate Governance Code
1. applies to all UK-listed companies; 2. compliance is voluntary (required to disclose compliance and if not compliant, explain why); 3. allows companies to choose approach given their industry and size and explain material differences between their approach and prevailing governance code.
Benefits of the holistic approach
1. appreciates the concentration of risk arising from a variety of sources within an enterprise; 2. allows for the diversifying effects of risks.
Five arguments for risk management
1. benefit society (reduce contagion risk in financial systems); 2. it is part of the job of management; 3. reduce earnings volatility; 4. maximize shareholder value; 5. enhance job security and rewards.
Ways legal risk can arise
1. breaching the law (because of lack of awareness, lack of understanding, changes in court interpretation, deliberate intent); 2. inability to demonstrate compliance.
Key components of good corporate governance
1. communication with stakeholders; 2. independence of the Board; 3. Board performance; 4. Board compensation; (5. fairness and social responsibility).
Five key themes of the Walker Review
1. comply or explain approach is still the best route to better corporate governance; 2. need for more challenges in Board discussions; 3. Board engagement on risk oversight should be materially increased; 4. need for better engagement between fund managers and Boards of investee companies; 5. remuneration should be aligned with medium to longer term goals, be publicly available on a banded basis, and review should include other senior influential employees.
Characteristics encouraged by good risk culture
1. consultative leadership; 2. participation in decision making on risks; 3. openness; 4. accountability instead of blame; 5. organizational learning; 6. knowledge sharing; 7. good internal communication.
Four ways ERM improves operational effectiveness
1. coordinate risk management activities across all parts of organization; 2. encourage and facilitate sharing of risk information; 3. identify and assess links between risks managed by various teams; 4. improve efficiency (management time and business resources).
Seven major components of an ERM framework
1. corporate governance (establish processes and controls); 2. line management (integrate risk management into business strategy); 3. portfolio management (consider aggregate risk exposures); 4. risk transfer (mitigate excessive risk cost-effectively); 5. risk analytics (measure, analyze, report risks); 6. data and technology resources (support analytics); 7. stakeholder management (communicate risk information).
Four parts of setting ERM policies
1. define risk appetite; 2. establish necessary skills for successful implementation and training program to obtain skills; 3. guide decisions on ERM approach, including roles and responsibilities; 4. approve suitable internal controls and ERM policies.
Similarities between Basel II and Solvency II
1. describe requirements in three pillars, each dealing with similar aspects of company risks; 2. largely risk-based in that capital is allocated to business areas that run the highest risk; 3. designed to be suitable for multi-national firms; 4. consistent between banking and insurance arms of a company.
Key principles of AS/NZS 4360
1. detail on risk analysis for non-financial companies; 2. recommendation that the risk management process is formulated into a risk management plan; 3. importance of senior management buy-in; 4. need for adequate resources allocated to risk management.
Four elements of the Canadian government's 2001 IRM framework
1. develop corporate risk profile; 2. establish an integrated risk management function; 3. practice integrated risk management; 4. ensure continuous risk management learning.
Advantages of unified regulation
1. easier for financial conglomerates; 2. ensures consistent approach; 3. limits incentives for regulatory arbitrage; 4. economies of scale; 5. ideas shared between regulatory staff; 6. improved accountability for regulators.
Five goals of internal controls
1. ensure accurate and adequate record-keeping; 2. prevent fraud and safeguard company assets; 3. guarantee accuracy of financial statements; 4. respond appropriately to risk; 5. ensure compliance with laws.
Seven elements of the AS/NZS 4360 process
1. establish context (SWOT); 2. identify risks; 3. analyze risks; 4. evaluate risks; 5. treat risks; 6. monitor and review; 7. communicate and consult.
Four situations leading to contagion risk
1. failure of commonly-used financial infrastructure (VISA); 2. funding liquidity risk (2008 crash); 3. common market positions; 4. exposure to common counterparty.
Six key features of SOX
1. formation of a Public Accounting Oversight Board (PAOB) to inspect published accounts and prosecute accounting firms in breach of regulations; 2. increased accountability of CEO and CFO of public companies; 3. each published report must contain an internal control report (ICR); 4. external auditors are required to report on management assessment; 5. illegal for management to interfere with audit; 6. illegal to destroy records with intent to influence investigation.
Five categories of supervisors
1. government; 2. professional bodies (IFoA); 3. professional regulators (CFA, FRC); 4. industry bodies (BBA, ABI); 5. industry regulators (PRA, FCA, LSE).
Difference between ERM and traditional risk management
1. holistic approach; 2. value creation (integration into decision making).
Three step process for risk management
1. identify risks faced by organization; 2. assess likelihood and potential impact of risks; 3. decide how to deal with each risk.
Key principles of the Canadian government's 2001 IRM framework
1. importance of establishing a comprehensive risk profile, appetite and tolerance; 2. focus on the RMF and integration of risk management activities; 3. value of continuous and supportive learning environment; 4. need to establish the "relationship between the organization and its operating environment, revealing the interdependence of individual activities and the horizontal linkages."
Key principles of The Orange Book
1. importance of linking risks to objectives; 2. distinction between risk and its impact; 3. need to distinguish inherent and residual risks; 4. prioritization of risk is more important than quantification; 5. risk appetite should be subdivided into corporate, delegated and project; 6. dedicated risk committee is recommended.
Benefits of reduced earnings volatility
1. increase market value; 2. improve credit rating; 3. reduce cost variability; 4. reduce capital requirements.
Advantages of outsourcing
1. increased capacity; 2. reduced costs; 3. reduced time to market; 4. better quality; 5. transfer operational and other risks to third party.
Disadvantages of outsourcing
1. legal risks arising from outsourcing contract; 2. no direct control over risks managed by third party (product quality standards).
Empirical support for ERM
1. many investors avoid entities with poor governance standards; 2. investors are willing to pay a premium (12%-30%) for well-governed companies; 3. companies with strong governance structures outperform others (effect is amplified for larger companies); 4. insurance companies with ERM have lower volatility of returns, improved shareholder value, financial stability and a 16% equity premium; 5. stock price performance for companies with "excellent" S&P ERM rating was better than "weak" during the 2008 market crash.
Four basic risk categorizations for insurance
1. market risk; 2. credit (or default or counterparty) risk; 3. operational risk; 4. underwriting or insurance risk.
Four types of financial risk
1. market; 2. credit; 3. business; 4. liquidity.
Benefits of proactive engagement with regulators
1. may reduce level of risk regulators place on a company and thus reduce the supervisory burden on the company; 2. best practice advice from regulators based on seeing a wide range of risk management practices.
Six ways ERM improves business performance
1. more efficient allocation of capital; 2. minimize losses and unpleasant surprises; 3. better pricing, managing and/or transferring of risks; 4. optimize risk mitigation strategies (allow for natural hedges between business units); 5. react more quickly; 6. derive value from risk management (instead of box-ticking).
Two types of non-financial risk
1. operational; 2. external.
Encouraged communications under a good risk culture
1. perceptions of new or enhanced threats or opportunities; 2. suggestions for mitigating threats; 3. ideas for increasing opportunities; 4. existence of defective procedures; 5. failure to operate established procedures.
Pressures leading to ERM implementation
1. previous management failures or near misses within own organization; 2. high profile disaster in similar organization; 3. criticism or demands from a regulatory body or auditor; 4. concerns from other stakeholders.
Possible components of operational risk
1. process risk; 2. people risk; 3. system or technology risk; 4. event risk; 5. business risk (includes reputational risk); 6. crime risk.
Key content of a risk subcommittee charter
1. purpose; 2. responsibilities; 3. membership; 4. frequency of meetings; 5. performance assessment; 6. resources available.
Potential responses to risk
1. retain; 2. remove; 3. reduce; 4. transfer.
Risk management responsibilities of the Board
1. risk governance; 2. set ERM policies; 3. determine risk compensation.
Five principles of the COSO framework
1. risk represents opportunity and potential downside; 2. ERM is a parallel and iterative process; 3. everyone has a role in risk management; 4. any risk management process is imperfect; 5. implementation of risk management must balance cost with potential benefits.
Causes of concentration risk
1. self or externally-imposed constraints; 2. choice; 3. poor risk management.
Three parts of risk governance
1. set vision, strategy, risk culture; 2. establish framework for measuring, managing and monitoring risks; 3. review outcomes and lessons learned from risk management process.
Changes in Basel III that address prior criticism
1. strengthen capital requirements (limit cross holding in other financial firms); 2. introduce conservation buffer to provide breathing space in times of financial stress; 3. change minimum ratios of Tier 1 and Tier 2 capital; 4. allow flexibility in capital requirements in times of financial crisis to limit pro-cyclicality.
Recommendations from the Cadbury Code of Best Practice (1993, UK)
1. there should be a full Board meeting at regular intervals; 2. Board should be made aware of significant activities; 3. non-executive directors should have key responsibility for certain control and monitoring functions; 4. shareholders should approve director contracts in excess of three years; 5. director remuneration should be subject to review by a majority NED committee; 6. company reports should be balanced and understandable.
Criticisms of Basel II
1. too much emphasis placed on a single number that aggregates a wide variety of risk; 2. some risks are difficult to quantify; 3. some risks (e.g. liquidity) are only given cursory consideration; 4. complex calculations do not imply reliability; 5. costly to implement, especially if using internal credit and market models; 6. banks all measure risks and protect themselves in the same way at times of crisis; 7. market may under value certain assets; 8. implied levels of confidence could be spurious for new securities; 9. assets need to be sold when market value falls (pro-cyclicality); 10. complexity of risk model may lead to overconfidence in risk control.
Three types of market risk
1. trading risk (interest, exchange); 2. asset/liability mismatch; 3. liquidity risk.
Reserving risk
1. volatility risk; 2. catastrophe risk; 3. trend or cycle risk.
Business risk
All risks that a business is exposed to, or the subset of risks specific to the type of business undertaken.
Risk appetite
Amount of risk a company is willing to accept on an ongoing basis.
Define culture
Approach taken to activities describing a company's shared values, beliefs and behaviors (the way we do things around here).
Differences between Basel II and Solvency II
Basel II assumes significant contagion risk; Solvency II is not designed with systemic risk in mind (unlikely for insurers). Basel II takes a more prescriptive approach; Solvency II is more principles-based.
Pillar 3 of Solvency II
Covers supervisory reporting and disclosure.
Functional regulation
Different authorities oversee different activities (separate regulators for banks, insurance companies, charities, etc.). This is the system used in the UK.
Role of professional bodies
Ensure members are adequately trained and maintain competence through continuing professional development. Some also have the power to discipline members.
Role of an audit subcommittee of the Board
Exists to give auditors direct access to non-executive directors to ensure independence. Role includes 1. monitor integrity of financial statements; 2. monitor and review internal assurance functions (financial control, risk management, internal audit); 3. recommend, monitor and review external auditor.
FSA
FCA and PRA were combined under the Financial Services Authority until 2013. The FSA was an independent non-government body that regulated the UK financial services industry with a Board appointed by HM Treasury.
FCA
Financial Conduct Authority regulates the financial services industry in the UK. Its aim is to protect consumers, ensure the industry remains stable and promote healthy competition.
Risk management responsibilities of line managers
Implement ERM policies agreed to by the Board (set up risk management processes and integrate risk information into business decisions).
Pillar 1 of Basel accords
Imposes minimum regulatory capital requirement determined by amount of credit, market and operational risk.
Main benefit of ERM
Improved business performance from 1. increased risk transparency; 2. better operational effectiveness.
Definition of risk
Includes 1. uncertainty of possible future random events; 2. nature and degree of harm associated with each such event.
Market liquidity risk
Insufficient capacity in the market to handle asset transactions at the time when deal is required.
Role of professional regulators
Maintain public confidence in the profession by 1. setting standards; 2. monitoring adherence to standards; 3. disciplining in cases of non-adherence.
Benefits of risk transparency
Management can better understand 1. risk exposure; 2. links between risk and return; 3. impact of changing external factors. This allows for better alignment of business strategy with risk appetite and a more accurate assessment of the risk/return trade-offs for a particular decision.
MCR
Minimum Capital Requirement is part of Pillar 1 of Solvency II. Authorization is foregone if capital falls below MCR.
Key problem with silo approach
Misses the interactions and interdependencies between risks faced by different business units.
Define good risk culture
One in which people know, and do, the right thing rather than acting in their own interests, even if there is no specific rule or policy telling them what to do.
Key objective of risk management
Optimize risk-adjusted returns.
Role of a risk subcommittee of the Board
Oversee management of risks within an organization (accountability delegated by Board).
Role of industry bodies
Promote member interests (e.g. shared research projects, lobbying).
Role of industry regulators
Protect the public on behalf of government.
PRA
Prudential Regulation Authority is part of the Bank of England and is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms. It sets standards and supervises individual financial firms.
Pillar 2 of Solvency II
Qualitative requirements on undertakings such as risk management and supervisory activities. Insurers must carry out ORSA to quantify their ability to meet the SCR and MCR.
Pillar 1 of Solvency II
Quantitative requirements designed to capture underwriting, credit, market, operational, liquidity and event risk. SCR and MCR can be assessed with a standardized approach or internal model.
Pillar 3 of Basel accords
Requires disclosures to the public and the market to facilitate market discipline.
SIMR
Senior Insurance Managers Regime was introduced by UK financial services regulators at the start of 2016. This regime brought together rules to ensure individuals who run insurance companies have clearly defined responsibilities and behave with integrity, honesty and skill.
Unified regulation
Single regulator covers a broad range of activities. This is the system used in Australia.
SCR
Solvency Capital Requirement is part of Pillar 1 of Solvency II. Regulatory action is taken if capital falls below SCR.
Compliance with US corporate governance standards
Statutory approach to compliance in the form of 1. SEC rules requiring disclosures of Board structure, compensation and role in risk management; 2. Sarbanes-Oxley Act requiring independent Board audit committees and at least one financial expert; 3. Dodd-Frank Act requiring bank Boards to have a risk subcommittee that includes a risk management expert.
Define risk culture
Subset of overall culture that relates to risk management.
Pillar 2 of Basel accords
Supervisory review of internal systems, processes and risk limits to ensure bank has set aside sufficient capital for its risk.
Define corporate governance
The way that the Board controls the company (the processes and controls put in place to ensure company is run by management in the best interest of shareholders).
Define ERM
There is no single definition of ERM but key concepts include 1. *holistic* approach (rather than a *silo* approach) — consider *all* risks (*upside* and *downside*), *interactions* between dynamic risks, *consistency* of treatment, *central coordination* (led by Board); 2. *value creation* — integrate *risk measurement* (*quantifiable* and *unquantifiable*) and *management* (retain, remove, reduce, transfer) into business processes to influence decision making.
Risk profile
Types of risks that a company faces and its current exposure to those risks.
UKLA
UK Listing Authority is part of the FCA that ensures compliance of listed companies to standards and rules. It has the power to suspend trading of company shares or cancel their listing.
The Orange Book
UK government's publication called Management of Risk — Principles and Concepts. Provides general guidance on principles of risk management in public and private sectors.
Volatility risk
Uncertainty due to only having a finite pool of policies.
Persistency risk
Uncertainty in number of policies renewing.
Compliance with Canadian corporate governance standards
Voluntary compliance with published standards (like UK) following the 1994 Dey report.