
ERM Overview

September 2011

Yin Lawn, Taipei

www.pwc.com

PwC

Agenda

• The definition of ERM.

• Important Information

• The classification of Risk

• The Risk Management Process

• The Technology of ERM

• The Organization Structure of ERM Implementation

• Some Experience Learned

• Recommendation for Actuaries in ERM

• Recommended Reading


The Definition of ERM

• What is ERM? Difficult to say because there are so many different definitions:
  - […] approach to addressing risks from all sources that threaten strategic objectives or opportunities to exploit competitive advantage.
  - […] process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives
  - […] approach that fully integrates risk management into how a company conducts its business and communicates with stakeholders.
  - […] disciplined approach aligning strategy, processes, people, technology, and knowledge to manage uncertainties as the enterprise creates value.
  - […] find an integrated, optimal way of managing risk by balancing financial techniques with organizational practices and processes.

The Definition of ERM (2)

  - […] assessment of collective risks that affect value and the implementation of a company-wide strategy.
  - […] assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.
  - […] process of coordinated risk management that places a greater emphasis on cooperation among departments to manage the organization’s full range of risks as a whole. ERM offers a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise.
  - […] a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The Definition of ERM (3)

• So, what is ERM?
- Depends on who you ask, and they are probably all correct.
- However, a scientific discovery without practical use or benefit to society is just a trivial fact.
- So, a better definition is perhaps the one that includes the “ultimate objective.”
- An enterprise’s ultimate objective is to increase its value to its shareholders; so a preferred summary of ERM is probably:
- Everything you do with risks that increases the value of the stakeholders.

Important Information

• COSO
  - Committee of Sponsoring Organizations of the Treadway Commission
  - Sponsored by
    - American Accounting Association
    - American Institute of Certified Public Accountants
    - Financial Executives International
    - The Association for Accountants and Financial Professionals in Business
    - The Institute of Internal Auditors
  - Formed in 1985 to deal with issues on fraudulent financial reporting:
    - Over the years, it has developed its research and guidance to internal control, ERM and fraud deterrence.
  - First guidance on ERM was issued in 2004.
  - Its guidance has been adopted by companies all over the world.
  - Their guidance has become the international best practice.

Important Information

• Definition of a risk
  - Risk is not losses.
  - Uncertainty (of loss, of profit, of anything that has monetary impact)
  - Upside of risk
    - The uncertainty of achieving a goal, or making a profit.
  - Potential for a loss.
    - The uncertainty of negative impact, loss, and injury
• Characteristic of risk
  - Uncertainty in amount
  - Uncertainty in time
• Risk Measures
  - Value at Risk
    - Values at different probability
    - Use model to measure value at different probability
  - Tail value at Risk
    - Conditional expected value
  - Standard deviation, CV
  - Risk and reward composite index (2006)
  - Capital level and liquidity risk composite index (2008)

Important Information

• Black Swan

• Theory developed from the book “The Black Swan” (Random House, 2007) by Nassim Taleb.
• An outlier event outside our expectation with huge impact.
• It cannot be predicted and can only be explained after it has happened.
• The concept refers to the problems in how we deal with risks. We only see what we can predict and do analysis on things we feel comfortable with.
• The book examines our logic and the risk associated with the way we think.
• How often do we say “this will not happen” and then it happened?
• The moral of the theory: We cannot just look at the past and predict the future. Need to think the unimaginable!

Important Information

• Key Risk Indicators

• Published by COSO in December 2010.
• Recommends that companies set up Key Risk Indicators and monitor them
• COSO believes that just as KPI will allow senior management to identify underperforming areas of a company, KRI will allow senior management and the board to set up company strategies better.
• The idea is to identify risk events that may prevent the company from achieving its objectives and design quantitative measures for these risks:
• Objective -> Strategic Initiative -> Risks -> KRI

Important Information

• Risk Appetite

  - Refers to the amount of risk an enterprise is willing to accept given a corresponding amount of reward.
  - For example: 15% of ROE with volatility consistent with the equity market

• Risk Tolerance
  - A stated amount of risk a company is willing to take in executing its business strategy: risk capacity.
  - For example: USD 1M maximum retention on any one risk.

The Classification of Risks

• Unlike the definition of ERM, risk classification is more consistent.
• CAS
  - Hazard Risks
  - Financial Risks
  - Operational Risks
  - Strategic Risks
• Marsh, Aon, CFO Magazine, and Economist Intelligence Unit
  - Hazard
  - Operational
  - Financial
  - Strategic
• KPMG
  - Strategic
  - Operational
  - Reputation
  - Regulatory/contractual
  - New risks
• SOA
  - Interest rate risk
  - Pricing risk
  - Credit risk
  - Equity market risk
  - Liquidity risk
  - Operational risk
• PwC
  - Credit Risk
  - Market Risk
  - Insurance Risk
  - Operational Risk
• So, how should risk be classified?
  - Depends on who you ask, but the following categories align the business functions of an insurance company with the above risk classifications:
    - Production Risk
    - Technology Risk
    - Solvency Risk
    - Marketing Risk
    - Administration Risk

The Risk Management Process

• Establish Context
• Identify Risks
• Analyze/Quantify Risks
• Integrate Risks
• Treat/Exploit Risks
• Monitor & Review

The Technology of ERM

• The technology used for ERM:
  - Spreadsheet and Database
  - Visual Cluster
    - Idea: Some companies develop applications that allow users to easily record details of each risk and link them together. Users can expand, collapse, filter, and tag these risks.

[Figure: visual cluster of linked risks with nodes: Declined profitability, Increase Expenses, Inefficient process, More competition, Declined revenue]

The Organization Structure of ERM Implementation

• The following is a list of common characteristics in major insurance companies’ ERM practice:
  - Centralized policy making and monitoring
  - Execution at local level.
  - Board is always involved as the final approval of risk management policy.
  - Each risk has a centralized committee to oversee and monitor it.
    - There is more than one committee; the committees are separated by risk (market risk, insurance risk, etc.).
    - The committee makes recommendations to the board and monitors how the company complies with the RM policy.
  - Different companies have different risk committees and professionals

Some Experience Learned

• The key of ERM is execution and implementation
  - Fancy models and processes without any execution and implementation are just a scientific exercise
  - Need “Use test” on models
• Communication is the Key
  - This is not a job of a particular profession or department
  - The entire organization needs to communicate thoroughly.
• Be practical
  - Not everyone has the same view of risk appetite and risk tolerance.
  - Objective is not to eliminate risk but to manage risk.
  - Do not try to change your company’s existing culture; work with what you have.
  - Need to implement ERM at a pace that does not disrupt the company’s normal operation.
• Need a process to resolve a dispute
  - Not everyone will agree to the same level of risk tolerance when it comes down to accepting a business or investment
  - An endless dispute can put the organization in great uncertainty and drag on resources.
  - Thus, a process that can help the company make a decision and move on is very important.

Summary

• There are 3 problems with ERM today:
  - Definition is not clear
  - Risk categories are not clear
  - Too much theory and talk, no actions
• The key to ERM is execution and implementation
• There are many perspectives to look at ERM:
  - The organization structure needed to implement
  - The technology used to analyze
  - The risk measure used to quantify
  - The models used to calculate such risk measure
  - The process taken to analyze and manage a risk

Recommendation for Actuaries in ERM

• Need to redefine your “norm”
  - Risk is no longer just pure risk
    - It includes upside of risk, speculative risk
  - Risk analysis is no longer building and running a model
    - Certainly more than running a dynamic model
  - Need to measure more than just insurance or investment losses
    - Operational risk
• Need to innovate (able to imagine the impossible)
  - Cannot just look at the past to project the future
  - Cannot just follow a set of rules to derive a result
• Need to work on soft skill
• Need to be risk-aware
• Need to be solution driven, not process driven
• Need to expand knowledge beyond insurance industry
  - Expose yourself beyond traditional actuarial science.
  - Need to expand expertise beyond insurance losses.

Recommended Reading

• This Presentation
• “The Black Swan” (Random House, 2007) by Nassim Taleb.
• COSO guidance, in particular:
  - “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”
  - “Effective Enterprise Risk Oversight: The Role of the Board of Directors”
  - “Strengthening Enterprise Risk Management for Strategic Advantage”
• CAS, “Overview of Enterprise Risk Management”
• SOA, “Enterprise Risk Management Specialty Guide”
• “Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity” (American Management Association, 2009) by John J. Hampton

No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organized in such a way as to be able to get along under a leadership composed of average human beings

Peter Ferdinand Drucker

Yin Lawn Curriculum Vitae

Telephone: (02) 2729 6666 (22406) / (+886 2) 2729 6666 Ext 22406

E-mail:[email protected]@tw.pwc.com

Yin Lawn is a senior manager of PwC’s actuarial service practice in Asia.

Yin is a Fellow of the Casualty Actuarial Society and Singapore Actuarial Society. He worked in the U.S. insurance industry for six years, where he held pricing and reserving roles for large U.S. multi-line insurers including Travelers, Aetna and CNA.

Over the last 10 years, Yin has project managed the appraisal valuations for the set up of the four financial holding companies in Taiwan, an appraisal valuation for a general insurer in Taiwan and an appraisal valuation of a general insurance company in China.

In addition, Yin has also given risk management, solvency, reserving and pricing advice to more than 100 insurers in Asia over the last 10 years.

He graduated with a Bachelor of Science degree in actuarial science from the University of Connecticut in 1993. Originally from Taiwan, he is also fluent in both Mandarin and English.

Property Insurance Risk Management : Based on ERM Process

September 2011

www.pwc.com

PwC

Agenda

1. Limitation

2. Background

3. Risk Management Process

4. Actual Examples

5. Some Experience Learned From This Process

6. Success factors for this project

7. Before and After

8. Others

9. Recommended Actions for ERM

Appendix A : Actual Model Structure

Appendix B :

1. Introduction

• The contents in this document are for discussion only

• The contents are based on actual projects we did in several companies.

• Contents have been modified for illustrative purposes only.


2. Background

• The fire in the China Central Television building, the flood in Singapore, and the earthquake with tsunami in Japan have caused many insurance companies to reconsider risks.
• Insurance risks are apparently higher than expected.
• Thus, it appears necessary to re-assess companies’ risk.
• Either reconfirm its expectation or reconsider risk mitigation if risks are more than expected.

3. Risk Management Process

• Our process for managing property insurance risk is as follows:

• Establish Context

• Identify risks

• Quantify Risks

• Prioritize Risks

• Setup Scenarios and Assess Losses

• Analyze Results

• Treat Risks

• Monitor and Review

• This is similar to a standard risk management process

4. Actual Example – Establish Context

• A company writes quite a number of large commercial fire policies.
• Company has substantial commercial fire exposure.
• Management believes it should be well protected.
  - Company has a good reinsurance arrangement
  - Underwriters are extremely careful in underwriting such risks. Thus, risks are well spread.
• Thus, does the reality meet the company’s expectations?

4. Actual Example – Identify Risks

• We first plotted its commercial fire exposures geographically.

• According to the above graph, the company seems to have a certain concentration-of-risk issue

4. Actual Example : Quantify Risks

• We then classify properties by zones. A zone is defined as a city block separated by a major street. This is to assume that a fire from one zone will not cross a major street to damage another zone.

For example, one concentrated area will have at least three zones :

4. Actual Example : Prioritize Risks

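• Based on the sum insured in each zone, we rank the zones by the amount of exposure within each zone.

| Zone | SI (Property, USD millions) | SI (BI, USD millions) |
|------|-----------------------------|-----------------------|
| A    | 1000                        | 250                   |
| B    | 800                         | 100                   |
| C    | 500                         | 250                   |
| D    | 400                         | 100                   |
| E    | 100                         | 90                    |
| F    | 75                          | 50                    |
| G    | 60                          | 40                    |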

4. Actual Example : Setup Scenarios and Assess Losses

For zones with significant exposures, we set up several types of loss scenarios.
• For example, the following result is based on a large fire loss in each zone.
• We calculated the amount of losses and its impact on the company’s financials.

| Zone | Total Losses (US millions) | Ceded Losses (Facultative) | Ceded Losses (Treaty) | Net Losses | Solvency Ratio |
|------|----------------------------|----------------------------|-----------------------|------------|----------------|
| A    | 750                        | 650                        | 50                    | 50         | 150%           |
| B    | 600                        | 500                        | 50                    | 50         | 150%           |
| C    | 500                        | 400                        | 50                    | 50         | 150%           |
| D    | 280                        | 180                        | 50                    | 50         | 150%           |
| E    | 300                        | 200                        | 50                    | 50         | 150%           |
| F    | 250                        | 150                        | 50                    | 50         | 150%           |
| G    | 200                        | 100                        | 50                    | 50         | 150%           |

4. Actual Example : Analyze results

Based on the results from different types of scenarios, we have found the following:
• Company is well protected against large size of losses or exposure
  - However, the company is particularly vulnerable against a particular size of losses.
  - This is because the company’s reinsurance arrangement is extremely conservative for large exposures and aggressive against medium-size exposure.
• Company is not well protected against a large number of losses.
  - This is because the company is worried about a large loss event, say once every 150 years, but did not consider several (smaller) events happening at the same time.

4. Actual Example : Treat Risks

Based on the results and our industry information, we also researched several options the company can choose to deal with the risk:
• Reinsurance options:
• Underwriting options: for certain zones where exposure is significant, the company needs a special approval process.

Company’s risk appetite and risk tolerance level will determine management’s action.

5. Some experience learned from this process

• Too Optimistic
  - Companies are usually vulnerable in areas where they are most confident.
  - In these areas, things are usually worse than expected.
  - For example, smaller catastrophe.
• Too Pessimistic
  - Companies are usually well protected in areas they worried about the most
  - In these areas, things are usually better than expected.
  - For example, extremely large exposure and catastrophe
• Need to be very careful when using an ERM model to decide a management action
  - The best action is neither the one that minimizes risk nor the one that maximizes profit.
  - Management needs to consider the balance between profitability and risk.
  - When the company is in an extremely vulnerable situation, it needs to consider more on reducing risk rather than increasing profit.
  - Since most models are designed with high risk/high return assumptions, they may not be able to suggest the right management action in a stressed situation.
  - This is often an ignored item in ERM models: the change in risk appetite.

6. Success factors for this project

• Expertise:
  - Model designing capability
    - Design financial models (Balance Sheet, Profit & Loss, and Solvency)
    - Design Scenario Models
  - Underwriting knowledge
    - Need to understand specific information behind key policy coverage and insureds.
  - Reinsurance Expertise
    - Need to know exactly how losses are to be ceded, to whom, for every policy, under different sizes of losses.
• Model Testing
  - Calibration Test: to ensure the impact of the assumptions is consistent with past experience.
  - Use Test: to ensure the model user can use it appropriately and run it appropriately.
  - Structure Test: to ensure relationships for items in Balance Sheet and P&L are consistent with past experience.
  - Consistency Test: to ensure a smooth transition between actual and projected future.
  - Technical Test: to ensure the formulas in the model are correct.
  - Reasonableness Test: to ensure results are reasonable.

7. Before and After

• The following table shows the difference this exercise makes:

| Item | Before | After |
|------|--------|-------|
| Risk Control | Did not have good control of its risk concentration | Has a much better control of its risk concentration |
| Transparency of Risk | Did not fully understand its risk exposure | Has a much better understanding of its risk exposure |
| Reinsurance Arrangement | Vulnerable to high claim frequency | Will adjust reinsurance so it will provide better protection against high claim frequency. |
| Value of Company* | Did not realize it can increase its value. | Able to reduce risks without changing expected return: increases company’s value. |

• * One of the clients’ ratings was actually upgraded. Although the rating increase is attributed to many factors, it appears that the rating bureau approves of the company’s improvement in risk management.

8. Others

• This is just a small part of ERM.
• Company should know its risk tolerance and risk appetite.
  - If not, suggest not to be too extreme
• Same process can be applied to other risks
  - Market Risk
  - Operational risk
  - IT Risks
  - Risks in other lines of business
• ERM is very broad; there is a lot of work involved
  - We suggest starting from something small, such as what we have shown you in this presentation.

9. Recommended actions for ERM

• Identify and manage risk in the following areas:
  - Underwriting process
  - Claim handling process
  - Fraud prevention process
  - Claim recovery process
  - Product development process
• Identify and propose measurements of concentration risk.
• Identify and measure the counter-party risk
  - Reinsurance receivables and recovery
  - Premium receivables
• Review risk management function’s structure
• Review reserving process
• Produce a monthly risk monitor report or business report for management to control the risk of the company.

Appendix A : Actual Model Structure (Before and after management actions)

Company Assumptions Projection Output

- Premium - Accounts Projection - Balance sheet

- Reinsurance - Cashflow - Profit & loss

- Expenses - Underwriting

- Loss ratios - Solvency

- Investment return

Investment Risk Model
• Property Risk Modules
  - Commercial
  - Residential
• Equity Market Risk Modules
  - Developing Market
  - Emerging market
• Debt Market Risk Modules
  - Government
  - Corporate
• Currency Risk Modules
  - USD
  - RMB

Large Loss Model
• Property Risk Module
• Motor Risk Module
• Credit Insurance Module
• WC Insurance Module
• Multiple Events Module

Stress-to-Failure Model

Appendix B : PwC (ERM)
