operational risk management - institute of actuaries of india 2010/s4_kieth_walter.pdf ·...
Post on 06-Jun-2020
3 Views
Preview:
TRANSCRIPT
© 2010 Towers Watson. All rights reserved.
Operational Risk Management2010 Seminar on Current Issues in Life Assurance
by Keith Walter22 November 2010
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 2Presentation1
We live in a risky world!
In the month of September 2008— Two USA Government-sponsored
enterprises (Fannie Mae and Freddie Mac) were put into conservatorship
— Lehman Brothers filed for bankruptcy
— Merrill Lynch was sold to Bank of America
— AIG struggled under a severe liquidity crunch
On 28 September 2008, the US stock markets crashed, wiping out more than $1.2 trillion of value – the first single day loss to ever to exceed $1 trillion!
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 3Presentation1
Enterprise Risk Management- Context for Operational Risk
towerswatson.com 3
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 4Presentation1
Some definitions
Wikipedia ERM provides a framework for risk management which typically involves
identifying…risks and objectives…assessing them…determining a response strategy and monitoring progress. [Allows businesses to] protect and create value for their stakeholders…
COSO ERM framework …process affected by an entity’s BoD, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Basel Operational risk is “the risk of loss resulting from inadequate or failed
internal processes, people, and systems or from external events”.
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 5Presentation1
Risk Management Capability Maturity Model
Risk management is reactive, not consideredcore to business, highlydelegated
Ad hoc
Risk managementconducted by independent functionsby risk type withinbusiness units
Fragmented
Risk management is enterprise-wide and encompasses all risk types; viewed as necessary function
Comprehensive
Risks are treated as a portfolio at the enterpriselevel and aggregated across risk types and business units with dependencies
Integrated
Risk management is built into culture and decision making, and the organization selectively seizes opportunity because of its special ability to exploit risks
Strategic
RiskAdvantage
Adapted from the Capability Maturity Model framework developed by Carnegie Mellon University, 1993
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 6Presentation1
Towers Watson Global Survey on ERM
towerswatson.com 6
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 7Presentation1
Towers Watson has conducted its sixth biennial surveyon Enterprise Risk Management in the insurance sector
During the second quarter of 2010, Towers Watson conducted a web-based survey among senior executives in major insurance companies around the world
Chief risk officers, chief financial officers and chief actuaries were asked to document the approaches to, and current status of, ERM activity within their companies
This is the largest survey of the insurance industry on its topic; over two-thirds of the total 465 insurance executive respondents were C-suite
Respondents include a wide range of insurance organizations from North America (31%), Europe (21%), Asia Pacific (19%) and multiple regions (28%)
Respondents come from all lines of business, including life insurance (37%), property & casualty (P&C) insurance (29%), multiline insurers (18%) and reinsurance (13%)
Geographical termsNorth America: U.S., Canada and BermudaEurope: U.K. and continental EuropeAsia/Pacific: Asia and AustraliaLatin America: Mexico and South AmericaMiddle East/Africa: Middle East and Africa
Company size termsLarge: Annual revenue in excess of U.S. $10 billionMedium: Annual revenue between U.S. $1 billion and $10 billionSmall: Annual revenue less than U.S. $1 billion
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 8Presentation1
The proportion of respondents who have a documented risk appetite has increased from 47% in 2008 to 59% in 2010
2010 Base: Total respondents n = 459 for Q.12 Do you have a documented risk appetite/tolerance statement? Please select one response.
Yes, and further developments are planned within the next 12 months46%
13%Yes, and no further developments are planned over the next 12 months
No, and no plans to develop within the next 12 months
9%
No, but planned to be in place
within the next 12 months
32%
0%9%29%33%71%58%Large
9%11%32%33%59%56%Medium
12%22%35%44%53%34%Small
201020082010200820102008
No PlansNot in Place, but PlannedIn Place
RISK APPETITE
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 9Presentation1
The risk appetite statement significantly impacts decisions about asset strategy and capital management
Base: Those having a documented risk appetite//tolerance statement giving a valid answer (percentages exclude not applicable) n = 247 for Q.22 Within which business processes is risk appetite explicitly referenced or monitored? Please select all that apply.
2%
13%
25%
28%
47%
56%
57%
64%
68%
68%
Strategic planning
Incentive compensation
Other
Risk transfer (e.g., reinsurance, securitization, hedging)
Mergers and acquisitions
Capital management
Business planning
ALM/asset strategy
Performance management
Product or business unit risk management
RISK APPETITE, LIMITS AND REPORTING
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 10Presentation1
While the vast majority of European respondents still expect to use internal models, planned utilization is significantly down since 2008
4%
53%
57%
79%
90%
4%
51%
65%
80%
86%
9%
2%
37%
55%
71%
81%
Market risks
Credit risks
Insurance risks
Operational risks
Other N/A
2010 Base: European insurers only (percentages exclude “don’t know”) n = 180 for S.4 For which type of risks are you likely to take advantage of the ability to use internal models? Please select all that apply.
N/A
Not applicable — unlikely to use internal model
Risk Quantification
Expected use varies by size of company, with 100% of large companies, 94% of midsize companies and 83% of small companies expecting to use internal models for one or more risks
201020082006
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 11Presentation1
Operational Risk Management- External Point of View
towerswatson.com 11
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 12Presentation1
Basel II introduced a standard industry approach for operationalrisk in financial services companies
Direct (cash) losses:
Fraud
Systems failures
Legal claims
Indirect (cash) losses: Loss of recourse
Compensation
Fines
Preventative (cash) costs: Control enhancements
Quality assurance
New systems
Value destruction: Strategic risk
Political risk
Reputational risk
Definition of operational risk
“The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.”
Risks
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 13Presentation1
Best’s five major categories of risk
Default Disputes Sovereign Downgrade Settlement lag Concentration
Credit
Equities Concentration Liquidity Other assets Basis ALM Currencies Reinvestment Interest rate
sensitivity
Market
Underwriting process
Basis Mortality and
morbidity Pricing Frequency and
severity Policyholder
optionality Reserve
development Lapse Concentration Product design Longevity Economic
environment
Underwriting
Monetary controls
Distribution Training Financial
reporting IT systems Turnover Legal controls Regulatory Data capture
Operational
Competition Rating
downgrade Availability Demographic/
social change Customer
demands Technological Negative publicity Regulatory/
political capital
Strategic
Source: A.M. Best.
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 14Presentation1
Insufficient training
Causes Events Consequences
Lack of managementsupervision
Inadequateauditing procedures
Insufficient riskmonitoring
Poor HRpolicies
Poor systemsdesign
Inadequate segregation of duties
Regulatory, Compliance and Taxation Penalties
Restitution
Loss of Recourse
Reputation
Business Interruption
EffectsMonetary Losses
OtherImpactsForgoneIncome
•
•
•
Write-down
Loss or Damageto Assets
Legal Liability
A robust taxonomy provides the foundation for a common language, but the universe of operational risk has three overlapping dimensions: causes, events and consequences
Legal is an impact
Reputation is an Impact
External Fraud
Employment Practices and Workplace Safety
Execution, Delivery andProcess Management
Damage to Physical Assets
Business Disruption and System Failures
Clients, Products and Business Practices
Internal Fraud
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 15Presentation1
Risk identification and management
Source: A.M. Best’s Rating Methodology, January 25, 2008 and Towers Watson
Traditional risk management (from annual rating meeting)
Exception reporting — performance vs. key risk metrics (by functional area and/or risk type)
Action plans for exception items
Operational risk and strategic risk
Emerging risk issues
An objective framework that identifies, monitors and manages emerging risks, risk accumulation and correlations within and across the entire organization
Ongoing process for identifying and managing significant operational risks
Corporate risk profile and ERM process reflect both historical experience and future expectations
Rigorous process for evaluating the impact of emerging risks
A.M. Best’s checklist
Best practices observed by Towers Watson
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 16Presentation1
Guidance from Consultation Paper no. 33
c) the need for an early warning system
b) operational risk events that currently, or may be exposed to, and the mitigation approach
a) All activities and processes including IT systems
Should have an operational risk strategy that takes into account:
c) The arrangements, processes and mechanisms detailed above should be comprehensive and proportionate to the nature, scale and complexity of the undertaking’s activities
b) Effective processes to identify, assess, mitigate , manage, monitor, report operational risks that are, or may be, exposed to and adequate internal control mechanisms
a) Undertaking wide definition of operational risk - for the purpose of internal policies and procedures
Operational risk framework should include:
Companies should have a well-documented assessment and management system for operational risk with clear responsibilities
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 17Presentation1
Guidance from Consultation Paper 33
An effective process to regularly identify, document and monitor exposure to operational risk and track relevant operational risk data - including near misses
Fire Drills!
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 18Presentation1
Reputational Risk
It is important to have an understanding and recognition of the key values affecting the reputation of the firm, considering expectations of stakeholders and sensitivity of the marketplace
Reputational risk is defined as the risk of potential loss through deterioration of a firm's reputation or standing due to a negative perception of the undertaking’s image among customers, counterparties, shareholders and/or supervisory authorities.
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 19Presentation1
Reputational Risk
It is important to have an understanding and recognition of the key values affecting the reputation of the firm, considering expectations of stakeholders and sensitivity of the marketplace
Reputational risk is defined as the risk of potential loss through deterioration of a firm's reputation or standing due to a negative perception of the undertaking’s image among customers, counterparties, shareholders and/or supervisory authorities.
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 20Presentation1
Summary
towerswatson.com 20
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 21Presentation1
1. What risks are you prepared to take?
What is your risk appetite?
How does your risk appetite relate to your business goals
and objectives?
Can you name your most
significant risks?
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 22Presentation1
2. How will you manage those risks?
What sort of risk culture exists in your company?
Who is responsible for managing risks?
What governance structure do you have in place?
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 23Presentation1
3. How will you address hard-to-quantify risks?
Do you include all important risks in your analysis, even
when they’re hard to quantify?
What information do you capture to describe your risk
exposure?
Do you have one measure to
quantify all risks?
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 24Presentation1
4. How will you demonstrate that risk management is working?
Have you defined what you expect to
achieve through your risk
management strategy? How will you measure
“success”?
What time frame have you put on this?
© 2010 Towers Watson. All rights reserved. Proprietary and Confidential. For Towers Watson and Towers Watson client use only.towerswatson.com 25Presentation1
Contact Details
Keith E. WalterDirector, Risk Consulting and SoftwareTel: +65 6880-5655Email: keith.walter@towerswatson.com
top related