erm for small to mid-sized 2015...periodic presentation to and evaluation by key...


Post on 31-Jul-2020


Page 1: ERM for Small to Mid-sized 2015...Periodic Presentation to and Evaluation by Key Stakeholders/Committee Feedback Provided to Manage Key Risks including update to risk ... ERM Reporting

IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

ERM for Small to Mid-sized Companies

Session #304


Today’s Presenters

Greg Fritsky: Technology & Finance Transformation Consultant

Jerry Ravi: ERM / Internal Audit Specialist & Technology Consultant

Rita Linterno: External Audit & ERM Specialist


Course Objective and Outcomes

To discuss implementation standards of Enterprise Risk Management (ERM) practices for small to medium size insurers, and discuss the impact of ORSA and how to embrace ERM practices to be successful in achieving short and long term goals.

Learning Outcomes: Participants will be able to:

Discuss ORSA and the impact to current ERM practices

Understand the key implementation factors for a successful ERM program

Develop a preliminary plan using a transformation framework within ERM practices across the organization, starting with Finance

Discuss impact to the external audit and areas to consider for leverage and risk knowledge sharing


What’s New with ERM

Increased need for ERM reporting at the Board Level (regardless of the size of the organization)

Getting a pulse on key emerging risks and alignment to strategy (MEASUREMENT is Key)

Impact on regulatory requirements (ORSA, SEC, etc.)

Technology, operational and overall financial reporting enhancement

Outsourcing relationships continue to grow (risk of outsourcing and monitoring – Cybersecurity)


STATE OF ERM TODAY

25% believe their organization has a “complete formal enterprise risk management process in place.”

23% describe their organization’s level of risk management maturity as “mature” or “robust.”

52% indicate that their organization’s risk management process is “not at all” or “minimally” viewed as a proprietary strategic tool that provides unique competitive advantage.

Source: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Research conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team


CALLS FOR IMPROVED ENTERPRISE-WIDE RISK OVERSIGHT

68% indicate that the board of directors is asking for increased senior executive involvement in risk oversight “somewhat” to “extensively.”

65% of organizations experience pressure from external parties “somewhat” to “extensively” to provide more information about risks.

Source: 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Research conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team


Breakdown of ERM / ORSA Process

Risk Management Framework (Section 1)

• Risk Culture and Governance

• Board Oversight

• Formalize Risk Management Structure

Assessment of Risk Exposures (Section 2)

• Identification and Categorization

• Assessment and Prioritization (Risk Tolerances / Appetite)

• Mitigation, Monitoring, and Reporting

Group Risk Capital and Prospective Solvency Assessment (Section 3)

• Capital Adequacy (i.e., Models)

• Capital Management

• Solvency Assessment


States that have Adopted ORSA

[Figure: states that have adopted ORSA]


Key ORSA Components

Evaluate the Maturity of the ERM Framework

• Utilize Best Practices - RIMS Risk Maturity Model (RMM)

• Evaluate key principles on an ongoing basis – start with a health check

• Define Risk Profile, Appetite and Tolerances

• Ensure integration and communication throughout the organization (leverage existing risk functions and assurance activities)

Assess Risk Exposure

• Organize information into main risk categories or risk objectives

• Ensure documentation and rationale for risk exposures under both normal and stressed scenarios

• Conduct workshops to evaluate exposures

• Prioritize and align to strategy, decisions and capital allocation

• Measurement and alignment to capital allocation / compensation

Determine internal capital assessment

• Relying on various models including internal and external models (RBC, BCAR, etc.)

• Review / utilize technology and software solutions (Igloo, MG-ALFA, etc.)

• Quantify necessary capital for different risks using various assumptions (stochastic and deterministic)


Section 2 – Assessment of Risk Exposure

Phase 1 – Communicate / Align to Objectives

Phase 2 – Identify, Analyze and Prioritize

Phase 3 – Validate and Collaborate

Phase 4 – Report and Monitor


Think “RISK TAXONOMY”

Taxonomy

Financial Reporting

Vendor Management

Technology

Compliance and Audit

Management

Policy Management

Strategic Planning


Root Cause Approach to Collecting Risk Data

Event

Cause 1

Cause 2

Cause 3

Effect 1 Effect 2 Effect 3


Root Cause Approach Example

Reference: LogicManager 2014


Top Down & Bottom Up

Reference: LogicManager 2014


Responsibilities Changing

Reference: LogicManager 2014


Risk Based Decision Making

Risk Profile Monitoring &

Reporting

Company Structure

DECISIONS

Risk Processes & Tools

What types and levels of risk support objectives?

What data / analysis are needed?

What structure supports effective decision making?

What information is needed to make the decision?


Risk Management and Controls Assessment

• The less aware of or prepared for a risk the entity is, the higher the impact will be should the event occur

• If risk responses, including controls, are not in place and operating as designed, then the likelihood of an event increases

• Assessing risk mitigation allows entities to gauge how well they’re managing risks

• Risk mitigation assessment criteria include capabilities such as:

o Scenario planning

o Risk responses in place

o Ability to respond and adapt quickly as events unfold

o Capacity to withstand events such as capital buffer and financial strength


Risk Management and Controls: An Overview

Risk management comprises the options to manage and mitigate risks, including:

• Risk Avoidance – not proceeding with the process or activity that contains unacceptable risk (exit activity)

• Risk Reduction – take action to reduce the likelihood or impact

• Risk Acceptance – take no action due to the cost/benefit; low risk category; risk is acceptable

• Risk Sharing – sharing all or part of the risk to another department or party (e.g., insurance)

• Risk Transfer – transferring all of the risk to another department, group or committee

Risk Reduction may be achieved through the use of Control Activities or other methods. Any system of risk treatment should provide, at a minimum:

• Effective and efficient operation of the organization

• Effective internal controls

• Compliance with laws and regulations


Risk Reporting and Communication

Key Risks Monitored and Managed by Risk Owners

Dashboard with Clear and Concise Information on Top Risks, including Assessment, Prioritization, and Response

Periodic Presentation to and Evaluation by Key Stakeholders/Committee

Feedback Provided to Manage Key Risks including update to risk tolerances, Limits and Appetite


Risk Prioritization – HEAT MAP


Risk Identification & Prioritization

Risk identification is the continuous process by which Risk Management creates and updates its catalog of risks.

• Cataloged by risk categories and sub-categories tailored to the insurer

• Risks have to be assessed for prioritization; too many risks to be monitored and managed at the enterprise level

• Perform Risk Assessment to prioritize risks and to identify key risks

Leverage Internal and External Audit Process

Focus on continuous monitoring and follow-up


Operational Risk Management Approach to Your Audit Process

Enterprise and Operational Risk Focused

• Work closely with your management team, including the ERM Committee to identify critical enterprise risks and prospective risks facing the company including: strategic, market, credit, reputational, operational, liquidity, financial, and compliance risks

• Evaluate and critique risk mitigation strategies designed to address the critical risks

• Consider downside threats (potential of a negative outcome) and upside threats (failure to capitalize on an opportunity) when evaluating the ERM framework

• Benchmark the risk management framework to best practices and provide valuable insight to improve risk management framework and activities

Integrated Audit Process

• Our planning and detailed testing approach will allow us to provide insights and identify potential improvements related to the organization’s critical risk areas and increase audit process efficiency

• Throughout our audit process we will maintain a risk catalog and evaluate alignment to management’s overall risk appetite and risk mitigation activities

Focus on continuous monitoring and follow-up

• Assess the process for identifying potential future events that create uncertainty, as well as evaluating their ongoing risk mitigation process (i.e., response) to reduce the likelihood of downside outcomes.


Tailored Audit Approach

Interviews

• Enterprise Risk Committee

• Internal Audit

• Audit Committee

Review of company prepared risk assessment documents

• Inventory of risks

• Internal strategy documents

• Meeting minutes

Evaluate how changes to the environment are factored

• Rapid growth

• Change in business mix

• New products

• Changes in technology

ERM Evaluation

Financial Risks (Competition, Credit, Capital needs)

Operational Risks (Profitability, U/W, control Structure, key indicators, related party transactions, business continuity, business mix)

Prospective Risks (Regulatory, Liquidity, Reputational)

Benefit: An Audit that addresses your key risks, a more efficient audit process, value added recommendations


Three Lines of Defense Drives Governance Structure

Senior Management

Board of Directors / Audit Committee

1st Line of Defense: Administration Controls; Internal Control Measures

2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Compliance; Legal

3rd Line of Defense: Assurance & Validation

External Auditor / Regulator


Emerging Technology

Technology Trends

Data Analytics

Social Media

Collaborative Applications

In Memory Computing

Mobile Devices

Cloud Computing


ERM Framework

ERM Framework

Predictive Analytics

Streaming Social Media

ERM Software

Risk Dashboards


Leveraging Data Analytics

Data analytics can be used to…

• Identify the risks that have resulted from the exponential growth of technology and the internet, and our increasing reliance on both.

• Provide a comprehensive view of internal and external risks by alerting decision makers about potential fraud, unusual network traffic patterns, hardware failures, and security breaches.

• Convert data into actionable information, helping businesses move their cybersecurity measures from a reactive state to a proactive state.


ERM Solutions and Dashboard Reporting

Several ERM solutions currently exist and most integrate well into an existing platform.

When combined with a data and social media analytics program, an effective ERM program can be realized.

Risk Dashboards can provide “top-down” risk reporting and details that can help detect and prevent control failures.

Source: Gartner


Detecting Fraud with Data Analytics

Millions of transactions can be analyzed to detect certain anomalies that may be indicative of fraud

Fraud Analytics software can analyze 75 million insurance claims in just 1.5 seconds

[Figure: Fraud Monitoring & Performance Optimization, From Claim Notification to Claim Closure. Labels: Investigation; Detection; Prevention; Monitoring; Alert Notification; Fraud Pattern Analysis; Claim Handling & Settlement; Inquire & Analyze; Investigation; Evaluation & Decision; Rules & Predictive Analysis; Fraud Detection Strategy; Calibration & Simulation; Online Detection; Mass Detection; Integration; Configuration; Platform]

Source: SAP


Common Pitfalls

Area: Focus of ERM Program

Issues:

• ERM process is solely focused on output to the Board, not utilized as a tool for management.

• ERM is focused solely on WCGW or hazards.

• Risk assessment is not embedded in strategic planning and business process.

Impact:

• Management is disengaged from the process because they don’t feel that a value is added.

Area: Risk Analysis

Issues:

• Risk appetite is not adequately defined and communicated.

• Risk levels are not measured against risk tolerance levels.

• Risk does not define inherent vs. residual risk.

• Risk impact is not quantified.

Impact:

• Board/management lacks transparency to determine if risk levels are appropriate, if risks require further mitigation action or possible exploitation and whether certain activities should be continued, given risk levels and current mitigation steps.

Area: ERM Reporting

Issues:

• Reporting is limited to enterprise level and/or only a subset of risks or business areas are considered and/or reported.

• Risks reported to the board are reported out of context.

Impact:

• Board lacks transparency into overall risk profile/specific business unit risk.

Area: Managing Risks

Issues:

• Action/mitigation plans and owners are not effectively assigned to mitigate key risks.

Impact:

• Lack of clear accountability and proactive action plans may lead to risks going unattended.


Thank You!!!

Greg Fritsky, Director

Redwood Software

10 Denise Drive

Allentown, NJ 08501

[email protected]

(609) 468-6994

www.redwood.com

Jerry Ravi, Partner

Eisner Amper LLP

111 Wood Avenue South

Iselin, NJ 08830

[email protected]

(732) 243-7590

www.eisneramper.com

Rita Linterno, Senior Manager

Eisner Amper LLP

750 Third Avenue

New York, New York 10017

[email protected]

(347) 735.4679

www.eisneramper.com


Please Complete the Session Evaluation Form on the Conference App