TRANSCRIPT
IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
ERM for Small to Mid-sized Companies
Session #304
Today’s Presenters
Greg Fritsky, Technology & Finance Transformation Consultant
Jerry Ravi, ERM / Internal Audit Specialist & Technology Consultant
Rita Linterno, External Audit & ERM Specialist
Course Objective and Outcomes
To discuss implementation standards for Enterprise Risk Management (ERM) practices at small to medium-sized insurers, the impact of ORSA, and how to embrace ERM practices in order to achieve short- and long-term goals.
Learning Outcomes: Participants will be able to:
Discuss ORSA and its impact on current ERM practices
Understand the key implementation factors for a successful ERM program
Develop a preliminary plan to use a transformation framework within ERM practices across the organization, starting with Finance
Discuss the impact on the external audit and areas to consider for leverage and risk knowledge sharing
What’s New with ERM
Increased need for ERM reporting at the Board level (regardless of the size of the organization)
Getting a pulse on key emerging risks and alignment to strategy (MEASUREMENT is key)
Impact on regulatory requirements (ORSA, SEC, etc.)
Technology, operational and overall financial reporting enhancement
Outsourcing relationships continue to grow (risk of outsourcing and monitoring – Cybersecurity)
STATE OF ERM TODAY
25% believe their organization has a “complete formal enterprise risk management process in place.”
23% describe their organization’s level of risk management maturity as “mature” or “robust.”
52% indicate that their organization’s risk management process is “not at all” or “minimally” viewed as a proprietary strategic tool that provides unique competitive advantage.
Source: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities—Research Conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team
CALLS FOR IMPROVED ENTERPRISE-WIDE RISK OVERSIGHT
68% indicate that the board of directors is asking for increased senior executive involvement in risk oversight “somewhat” to “extensively.”
65% of organizations experience pressure from external parties “somewhat” to “extensively” to provide more information about risks.
Source: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities—Research Conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team
Breakdown of ERM / ORSA Process
Risk Management Framework (Section 1)
• Risk Culture and Governance
• Board Oversight
• Formalize Risk Management Structure
Assessment of Risk Exposures (Section 2)
• Identification and Categorization
• Assessment and Prioritization (Risk Tolerances / Appetite)
• Mitigation, Monitoring, and Reporting
Group Risk Capital and Prospective Solvency Assessment (Section 3)
• Capital Adequacy (i.e., Models)
• Capital Management
• Solvency Assessment
States that have Adopted ORSA
Key ORSA Components
Evaluate the Maturity of the ERM Framework
• Utilize Best Practices - RIMS Risk Maturity Model (RMM)
• Evaluate key principles on an ongoing basis – start with a health check
• Define Risk Profile, Appetite and Tolerances
• Ensure integration and communication throughout the organization (leverage existing risk functions and assurance activities)
Assess Risk Exposure
• Organize information into main risk categories or risk objectives
• Ensure documentation and rationale for risk exposures under both normal and stressed scenarios
• Conduct workshops to evaluate exposures
• Prioritize and align to strategy, decisions and capital allocation
• Measurement and alignment to capital allocation / compensation
Determine Internal Capital Assessment
• Relying on various models including internal and external models (RBC, BCAR, etc.)
• Review / utilize technology and software solutions (Igloo, MG-ALFA, etc.)
• Quantify necessary capital for different risks using various assumptions (stochastic and deterministic)
Section 2 – Assessment of Risk Exposure
Phase 1 – Communicate / Align to Objectives
Phase 2 – Identify, Analyze and Prioritize
Phase 3 – Validate and Collaborate
Phase 4 – Report and Monitor
Think “RISK TAXONOMY”
Taxonomy categories:
• Financial Reporting
• Vendor Management
• Technology
• Compliance and Audit Management
• Policy Management
• Strategic Planning
Root Cause Approach to Collecting Risk Data
Diagram: Cause 1, Cause 2 and Cause 3 lead to an Event, which produces Effect 1, Effect 2 and Effect 3.
Root Cause Approach Example
Reference: LogicManager 2014
Top Down & Bottom Up
Reference: LogicManager 2014
Responsibilities Changing
Reference: LogicManager 2014
Risk Based Decision Making
Diagram: DECISIONS at the center, supported by Company Structure, Risk Processes & Tools, and Risk Profile Monitoring & Reporting, each raising a question:
• What types and levels of risk support objectives?
• What data / analysis are needed?
• What structure supports effective decision making?
• What information is needed to make the decision?
Risk Management and Controls Assessment
• The less aware/prepared the entity is for a risk, the higher the impact will be should the event occur
• If risk responses, including controls, are not in place and operating as designed, then the likelihood of an event increases
• Assessing risk mitigation allows entities to gauge how well they’re managing risks
• Risk mitigation assessment criteria include capabilities such as:
o Scenario planning
o Risk responses in place
o Ability to respond and adapt quickly as events unfold
o Capacity to withstand events, such as capital buffer and financial strength
Risk Management and Controls An Overview
Risk management comprises the options for managing and mitigating risks, including:
• Risk Avoidance – not proceeding with the process or activity that contains unacceptable risk (exit activity)
• Risk Reduction – take action to reduce the likelihood or impact
• Risk Acceptance – take no action due to the cost/benefit; low risk category; risk is acceptable
• Risk Sharing – sharing all or part of the risk to another department or party (e.g., insurance)
• Risk Transfer – transferring all of the risk to another department, group or committee
Risk Reduction may be achieved through the use of Control Activities or other methods. Any system of risk treatment should provide, at a minimum:
• Effective and efficient operation of the organization
• Effective internal controls
• Compliance with laws and regulations
Risk Reporting and Communication
Key Risks Monitored and Managed by Risk Owners
Dashboard with Clear and Concise Information on Top Risks, including Assessment, Prioritization, and Response
Periodic Presentation to and Evaluation by Key Stakeholders/Committee
Feedback Provided to Manage Key Risks, including updates to Risk Tolerances, Limits and Appetite
Risk Prioritization – HEAT MAP
Risk Identification & Prioritization
Risk identification is the continuous process by which Risk Management creates and updates its catalog of risks.
• Cataloged by risk categories and sub-categories tailored to the insurer
• Risks have to be assessed for prioritization; there are too many risks to be monitored and managed at the enterprise level
• Perform Risk Assessment to prioritize risks and to identify key risks
Leverage Internal and External Audit Process
Focus on continuous monitoring and follow-up
Operational Risk Management Approach to Your Audit Process
Enterprise and Operational Risk Focused
• Work closely with your management team, including the ERM Committee to identify critical enterprise risks and prospective risks facing the company including: strategic, market, credit, reputational, operational, liquidity, financial, and compliance risks
• Evaluate and critique risk mitigation strategies designed to address the critical risks
• Consider downside threats (potential of a negative outcome) and upside threats (failure to capitalize on an opportunity) when evaluating the ERM framework
• Benchmark the risk management framework to best practices and provide valuable insight to improve risk management framework and activities
Integrated Audit Process
• Our planning and detailed testing approach will allow us to provide insights and identify potential improvements related to the organization’s critical risk areas and increase audit process efficiency
• Throughout our audit process we will maintain a risk catalog and evaluate alignment to management’s overall risk appetite and risk mitigation activities
Focus on continuous monitoring and follow-up
• Assess the process for identifying potential future events that create uncertainty, as well as evaluating their ongoing risk mitigation process (i.e., response) to reduce the likelihood of downside outcomes.
Tailored Audit Approach
Interviews
• Enterprise Risk Committee
• Internal Audit
• Audit Committee
Review of company prepared risk assessment documents
• Inventory of risks
• Internal strategy documents
• Meeting minutes
Evaluate how changes to the environment are factored
• Rapid growth
• Change in business mix
• New products
• Changes in technology
ERM Evaluation
Financial Risks (Competition, Credit, Capital needs)
Operational Risks (Profitability, U/W, control Structure, key indicators, related party transactions, business continuity, business mix)
Prospective Risks (Regulatory, Liquidity, Reputational)
Benefit: An audit that addresses your key risks, a more efficient audit process, and value-added recommendations
Three Lines of Defense Drives Governance Structure
Board of Directors / Audit Committee
Senior Management
1st Line of Defense: Administration Controls; Internal Control Measures
2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Compliance; Legal
3rd Line of Defense: Assurance & Validation
External Auditor / Regulator
Emerging Technology
Technology Trends
Data Analytics
Social Media
Collaborative
Applications
In Memory Computing
Mobile Devices
Cloud Computing
ERM Framework
Predictive Analytics
Streaming Social Media
ERM Software
Risk Dashboards
Leveraging Data Analytics
Data analytics can be used to…
Identify the risks that have resulted from the exponential growth of technology and the internet, and our increasing reliance on both.
Provide a comprehensive view of internal and external risks by alerting decision makers about potential fraud, unusual network traffic patterns, hardware failures, and security breaches.
Convert data into actionable information, helping businesses move their cybersecurity measures from a reactive state to a proactive state.
ERM Solutions and Dashboard Reporting
Several ERM solutions currently exist and most integrate well into an existing platform.
When combined with a data and social media analytics program, an effective ERM program can be realized.
Risk Dashboards can provide “top-down” risk reporting and details that can help detect and prevent control failures.
Source: Gartner
Detecting Fraud with Data Analytics
Millions of transactions can be analyzed to detect anomalies that may be indicative of fraud.
Fraud Analytics software can analyze 75 million insurance claims in just 1.5 seconds.
Diagram (Source: SAP): fraud management lifecycle from Claim Notification to Claim Closure, spanning Prevention, Detection, Investigation and Monitoring. Components shown: Alert Notification; Fraud Pattern Analysis; Claim Handling & Settlement; Inquire & Analyze Investigation; Evaluation & Decision; Rules & Predictive Analysis; Fraud Detection Strategy; Calibration & Simulation; Online Detection; Mass Detection; Integration / Configuration Platform; Fraud Monitoring & Performance Optimization.
Common Pitfalls (by Area: Issues and Impact)
Focus of ERM Program
• ERM process is solely focused on output to the Board, not utilized as a tool for management.
• ERM is focused solely on WCGW (what could go wrong) or hazards.
• Risk assessment is not embedded in strategic planning and business process.
• Management is disengaged from the process because they don’t feel that value is added.
Risk Analysis
• Risk appetite is not adequately defined and communicated.
• Risk levels are not measured against risk tolerance levels.
• Risk does not define inherent vs. residual risk.
• Risk impact is not quantified.
• Board/management lacks transparency to determine if risk levels are appropriate, if risks require further mitigation action or possible exploitation, and whether certain activities should be continued, given risk levels and current mitigation steps.
ERM Reporting
• Reporting is limited to enterprise level and/or only a subset of risks or business areas are considered and/or reported.
• Risks reported to the board are reported out of context.
• Board lacks transparency into overall risk profile/specific business unit risk.
Managing Risks
• Action/mitigation plans and owners are not effectively assigned to mitigate key risks.
• Lack of clear accountability and proactive action plans may lead to risks going unattended.
Thank You!!!
Greg Fritsky, Director
Redwood Software
10 Denise Drive
Allentown, NJ 08501
(609) 468-6994
www.redwood.com
Jerry Ravi, Partner
Eisner Amper LLP
111 Wood Avenue South
Iselin, NJ 08830
(732) 243-7590
www.eisneramper.com
Rita Linterno, Senior Manager
Eisner Amper LLP
750 Third Avenue
New York, New York 10017
(347) 735.4679
www.eisneramper.com
Please Complete the Session Evaluation Form on the Conference App