Understanding Today’s Enterprise Risk Management Programs



TIAA-CREF - PUBLIC USE

Understanding Today’s Enterprise Risk Management Programs

Joel Tietz, TIAA-CREF

Managing Director, Enterprise Risk Management

March 23, 2015


Agenda

1) Enterprise Risk Management Programs

• ERM Frameworks, Taxonomy & Governance
• Traditional vs. Modern Approach to ORM / ERM

2) ERM Program Elements

• Risk Appetite
• Risk Assessment & Mitigation
• Key Risk Indicators
• Loss Data
• Risk Capital Models

3) How BCM Integrates within ERM Programs

• How the “C Suite” Considers Risk
• Prioritizing BCM within an ERM Program
• BCM Improvements Using Risk Capital Analysis


1) Enterprise Risk Management Frameworks

Commonly Accepted ERM Frameworks Include:

COSO Enterprise Risk Management – Integrated Framework

ISO 31000 Risk Management – Principles and Guidelines on Implementation

BS 31100 Code of Practice for Risk Management

FERMA - A Risk Management Standard

OCEG Red Book 2.0 - GRC Capability Model

• Basel III and Solvency II are regulatory frameworks for ERM

ERM Taxonomy Descriptions

Market Risk

– Interest – Spread – Equity – FX – Volatility – Real Estate – Hedge Funds – Private Equity

Interest reflects the cost of general account guarantees. Spread reflects the Value at Risk (VaR) of widening corporate spreads on General & Separate Account assets.

Credit Risk

– Fixed Income – Mortgages – Reinsurance

Credit VaR reflects the risk that the value of the portfolio changes due to unexpected changes in the credit quality of counterparties.

Considers both default and migration risk for fixed income instruments, mortgages and reinsurance.


ERM Taxonomy Descriptions (cont.)

Operational Risk

Level 1 Operational Risks, each with its Level 2 Operational Risks:

Business Disruption and System Failures
Losses resulting from infrastructure or systems failures, internal or external, not initiated for either personal or firm benefit, that create financial impact, usually without significant general property damage or physical injury.
• Business Disruption
• Infrastructure and Systems Failures

Clients, Products and Business Practices
Losses incurred when an internal person obtains an undue benefit for a firm at the expense of a third party (client or customer, competitor, trade counterparty, etc.), and in so doing violates a law of commercial conduct, a regulation, or a contractual covenant or representation.
• Fiduciary Breaches
• Improper Accounting, Other Regulatory Violations, Regulatory Filings Violations
• Improper or Aggressive Practices

Damage to Physical Assets
Losses incurred when a force of nature or a terrorist causes significant property damage or physical injury, and possibly related financial impacts; or when a person by accident causes property damage or physical injury.
• Natural Disaster and Accident

Employment Practices Violations and Workplace Safety Failures
Losses arising from acts inconsistent with laws or agreements governing employment, employee health or safety, or from diversity or discrimination events involving internal employees.
• Diversity and Discrimination Violations
• Employee Relations Violations
• Unsafe Environment

Execution, Delivery and Process Management
Direct and indirect losses incurred when a person improperly executes an operational process, for no intended benefit (other than to receive a prearranged fee or payment upon completion), usually through failure to apply the required level of care or expertise needed to carry out such duties. May include indirect losses from errors committed by an outside service provider.
• Customer and Client Account Errors
• Data Management
• Transaction Processing Error

Fraud
Losses incurred when a party obtains an undue personal benefit at the expense of the firm (or at the expense of a customer or client whose property or interests the firm is responsible for safeguarding), and in so doing violates a public law governing non-commercial conduct.
• External Fraud
• Internal Fraud

Program/Project Failures
• Program/Project Management Risks
• Project Portfolio Management


Traditional vs. Modern Approaches to Risk Assessment

Traditional ORM / ERM Programs vs. Modern ORM / ERM Programs

“Modern ORM is a top-down approach, which focuses first on the major risks within a comprehensive and mutually exclusive risk architecture and drills down only in those risk areas where more granularity is required.” [1]

[1] A New Approach to Managing Operational Risk, Society of US Actuaries & Canadian Institute of Actuaries, 2008

2) Enterprise Risk Management Program Elements

Program elements (diagram):

• RCSAs: identify and qualitatively assess risks and controls (risk and controls self-assessment)
• Appetite: the amount of risk an organization wants to take to further its business goals
• Risk tolerance: monitored
• Loss history


Risk Appetite

Risk Appetite vs. Risk Tolerance

Risk Appetite
• Risk appetite is the strategy of seeking prudent and agreed-upon risks in order to obtain expected business results. High rates of return on capital exposures can be achieved by taking more risks, so appetite will drive management decisions.
• Operational risk is different from financial risks in that it is the consequence of failure and always generates a loss. Some firms have no appetite for operational risks.

Risk Tolerance
• Risk tolerance is the level of risk beyond which management action will be triggered, and it should be actively monitored and managed.
• Firms with no appetite for operational risk will have a tolerance for these risks.

Risk Appetite Influences Consideration of Controls
• Risk appetite influences management decisions when investing in controls or process improvements to reduce risk losses, or when taking the right amount of risk.
• When a risk/loss event has been identified and assessed to be beyond management’s risk appetite, an appropriate risk treatment will be implemented.

BCM Risk Appetite Statements
• Critical business processes and IT operations will be recovered within X hours

OR

• Risks above $XXm in economic capital must be mitigated within two quarters unless accepted or transferred


Risk Assessment & Mitigation

Risk Assessment is typically conducted as a Risk and Controls Self-Assessment (RCSA), with various 2nd- and 3rd-line review & challenge. The result is a risk register with mitigations for priority risks.

1. Process Identification
• Gathering and analysis of existing process information
• Gathering of information needed for the Risk Identification phase

2. Risk Identification
• Identification of risk events and causal factors by each individual process

3. Inherent Risk Rating
• Finalization and approval of risk register
• Assess impact and likelihood of risk in the absence of controls

4. Control Strength / Residual Risk
• Identification of key controls & assessment of the control strength
• Derive residual risk from inherent risk and control strength

5. Risk Treatment
• Evaluate residual risk rating to determine the appropriate approach to manage the risk (Accept, Mitigate, Transfer, and/or Defer)

6. Monitor & Reassess
• The ongoing managing of risk events according to the organization’s risk appetite and tolerance


Loss Data Assessment

• Identify the full range of risk events (losses) to learn from mistakes, improve processes, and identify emerging risks

• Develop a better understanding of actual exposure to and costs of enterprise risks to inform risk appetite and Key Risk Indicators

• Supports the quantification of risk appetite, Key Risk Indicator limits, and risk capital scenario models

Identification
• Capture initial information on incident description, dates of event and detection, business area, risk taxonomy, causal categories

Analysis and Costs
• Identify & calculate cost impacts from all affected business areas, describe control failures
• Includes mitigation and root cause analysis for significant risk events

Reporting
• Business area, Risk Committee and Management reporting
• Progress of risk treatments, trend analysis and revisited RCSAs where required

Data Modeling
• Utilize internal loss data within risk capital models
• Progress of Risk Treatments where required

Key Risk Indicator Design and Tolerances

Figure (KRI scale, increasing level of risk from left to right): Risk is at acceptable level | Alert Level | Risk receives increased monitoring | Limit Level | De-risking occurs unless risk exception obtained

• Focus on risk drivers of top risks to become predictive or leading indicators of risk
• Focus on trends over time
• Management establishes its risk

Target: target risk level to achieve desired performance
Inner limit: growing risk exposure; need to closely monitor, assess root cause and take remediation action where applicable
Outer limit: significant risk exposure; need to assess root cause and take immediate action to mitigate the underlying risk

Key Risk Indicators – BCM Examples

Table columns on the slide: ERM Risks and KRIs/KCIs | Qtrly / Mthly | Q1-15 / March | Q2-15 / June | Q3-15 / Sept | Q4-15 / Dec | Trend | LTM Issues | MRPs | Commentary (quarterly values are shown as XX% placeholders)

Operational Risks – Business Disruptions (all indicators measured quarterly):
• % Critical Internal Application out of testing compliance
• % Critical Internal Application with RTO/RTC gaps
• % of IT DR test staff inside region
• # of IT Staff required to recover from Site A to Site B
• % of BC plan with past due gaps
• # of Incident Management Process critical gaps
• % of critical business functions with Skill Set Distribution Gaps for which Risk has been accepted
• % of critical business functions with Skill Set Distr. Gaps
• % of occupied workspaces across TC internal portfolio
• % of employees info updates in notification system
• % employees participation in BC annual exercise
• % new BC Coordinator Designees (< 6 months)
• # of Risk Events

Residual Risk Level legend: VH / H / M / L (each indicator is marked with an X in one column on the slide)

Key Risk Indicators provide directional trends to supplement risk assessments. Effective KRIs provide real-time monitoring of the risk profile and drive the proactive management of Operational Risk before risk events occur.


Why do Insurers Require Capital?

Figure (cash flow diagram, three panels):
• Before stress: inflows (premiums, investment income) exceed outflows (claims, expenses), leaving a cash excess
• After stress, without capital: outflows exceed inflows, leaving a cash shortfall
• After stress, with capital: risk-based (RB) capital added to the inflows covers claims and expenses, leaving a cash excess

Risk-based capital provides a buffer against unexpected events and protects clients


Traditional vs. Modern Approaches to Risk Assessment

Either approach provides effective results, and the two are frequently combined.

Traditional / Qualitative Approach to Operational Risk Assessment
• An internal controls-based approach
• All processes, associated controls & risks
• Highest impact risks are not typically highly likely
• Difficult to prioritize assessment results

Modern / Quantitative Approach to Operational Risk Assessment
• A risk-based approach
• Focuses on the most critical risks (highest severity)
• Directly prioritized by amount of capital

Operational Risk Capital Modeling – Scenario Approach

• Risk identification: description of the risk, causes, drivers & impacts
• Risk measurement: frequency & severity distribution for each risk scenario


3) How BCM Integrates within ERM Programs

How the “C Suite” Considers Risk:

1. Executive Management and Boards of Directors consider risk from two perspectives
• Is this risk within our risk appetite?
• Will this risk get us on the cover of the Wall Street Journal?

2. They will listen to the priorities of your Chief Risk Officer
• Does he/she know you, and are you updating them on your program in their terminology?

3. Business Continuity, like all other risks, will need to begin speaking in terms of risk-based capital
• Boards are challenging business leaders to efficiently use available capital; this is the context in which they consider spending expense dollars and ROI


Prioritizing BCM within an ERM Program

There’s good and bad news here:

• With an enterprise risk taxonomy, business disruption risks must be considered along with other risks for a comprehensive view of the risks faced by the business
• Using an objective Risk Assessment methodology, your BC risks may not be among the most significant risks faced by the business

To help your case, consider that unlike most other risks, business disruptions will involve multiple parts of your taxonomy:

• Operational impacts for direct losses and process failures
• Reputational impacts for client service failures
• Regulatory impacts for compliance failures and processing timeliness
• Strategic impacts for loss of sales and market share


BCM Program Improvement using Capital Analysis

Proposal: Spend $1 M for a new program that will reduce the potential (frequency or impacts) from a BC event.

If Risk Based Capital is part of your balance sheet, your CFO will incur this expense for your BC improvement every time!

Step 1 – Calculation of the present value of risk mitigating measures: $1,000,000 using a 5-year accrual with 6% interest
Present value of risk mitigation actions = $0.8 M

Step 2 – Calculation of the capital charge variation before and after mitigation
VaR BC risk scenario = $33.7 M (existing model)
VaR BC risk scenario = $30.0 M (after mitigations)
ΔVaR total = $3.7 M (reduction in total VaR risk capital)

Step 3 – Calculation of the present value of reduced capital costs
CF_i per year = 6% × $3.7 M = $0.2 M
Present value = Σ_{i=1}^{5} CF_i / (1 + r_i)^{t_i} = $0.9 M

Description of the business case: cost/benefit analysis of the risk mitigation actions. The present value of the risk mitigation measures, $0.8 M, is lower than the present value of the reduced capital cost, $0.9 M.
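The three-step business case above, worked through in code as an added example that is not part of the original deck. It assumes the $1 M is accrued as five equal end-of-year payments and that the 6% rate is both the discount rate and the annual cost of holding risk-based capital, which reproduces the slide's rounded $0.8 M and $0.9 M.

```python
# Added example (not from the original deck): the slide's three-step BCM capital
# business case with its own figures. Assumes the $1 M is accrued as five equal
# end-of-year payments and that 6% is both the discount rate and the cost of capital.
from dataclasses import dataclass


def annuity_pv(annual_cash_flow: float, years: int, rate: float) -> float:
    """Present value of a level end-of-year cash flow: sum of CF / (1 + r)^t."""
    return sum(annual_cash_flow / (1 + rate) ** t for t in range(1, years + 1))


@dataclass
class CapitalBusinessCase:
    programme_cost: float   # Step 1: spend on the risk-mitigating measures
    accrual_years: int      # years over which the spend is accrued
    rate: float             # interest rate / annual cost of holding capital
    var_before: float       # Step 2: VaR of the BC scenario, existing model
    var_after: float        # VaR of the BC scenario after mitigation

    def pv_mitigation_cost(self) -> float:
        """Step 1: PV of the programme cost spread evenly over the accrual period."""
        payment = self.programme_cost / self.accrual_years
        return annuity_pv(payment, self.accrual_years, self.rate)

    def capital_released(self) -> float:
        """Step 2: reduction in risk-based capital (delta VaR)."""
        return self.var_before - self.var_after

    def annual_capital_saving(self) -> float:
        """Step 3: yearly cost of the capital no longer held (rate x delta VaR)."""
        return self.rate * self.capital_released()

    def pv_capital_saving(self) -> float:
        """Step 3: PV of those yearly savings over the same horizon."""
        return annuity_pv(self.annual_capital_saving(), self.accrual_years, self.rate)

    def is_justified(self) -> bool:
        """The case passes when the PV of the capital saving exceeds the PV of the cost."""
        return self.pv_capital_saving() > self.pv_mitigation_cost()


# The slide's figures, used as sample input.
SLIDE_CASE = CapitalBusinessCase(1_000_000, 5, 0.06, 33_700_000, 30_000_000)

if __name__ == "__main__":
    c = SLIDE_CASE
    print(f"PV mitigation cost: ${c.pv_mitigation_cost() / 1e6:.2f} M")  # 0.84 M
    print(f"Capital released:   ${c.capital_released() / 1e6:.1f} M")    # 3.7 M
    print(f"PV capital saving:  ${c.pv_capital_saving() / 1e6:.2f} M")   # 0.94 M
```

Changing the VaR figures shows how quickly the case fails: a mitigation that frees only $0.7 M of capital yields a saving worth far less than the $0.8 M spend.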

Questions?

Joel Tietz

Managing Director
