The Role of Auditing in the ERM Process SOA Annual Meeting Chicago – October 2006 Rick Gorvett, FCAS, MAAA, ARM, FRM, PhD Director, Actuarial Science Program State Farm Companies Foundation Scholar in Actuarial Science University of Illinois at Urbana- Champaign

Upload: jamari-philpot

Post on 29-Mar-2015

Page 1

The Role of Auditing in the ERM Process

SOA Annual Meeting

Chicago – October 2006

Rick Gorvett, FCAS, MAAA, ARM, FRM, PhD

Director, Actuarial Science Program

State Farm Companies Foundation Scholar in Actuarial Science

University of Illinois at Urbana-Champaign

Page 2

Agenda

• Background

• Enterprise risk management

• Internal audit and ERM

• NAIC risk-focused surveillance framework

• Conclusion

Page 3

“Who am I? Why am I here?” – Admiral Stockdale, 1992

• Currently
– Director, Actuarial Science Program
– State Farm Companies Foundation Scholar in Actuarial Science
– Professor, Depts. of Mathematics, Statistics & Finance
– University of Illinois at Urbana-Champaign

• Prior
– Senior Vice President
– Director of Internal Audit & Risk Management
  • Internal Audit
  • Corporate Investigations
  • Risk Management
  • Enterprise Risk Management
  • Business Continuity

Page 4

An Initial ERM Comment

• You don’t become a famous writer by…
– Reading a book
– Reading about other authors
– Watching someone else write

• Similarly, you don’t become an “Enterprise Risk Manager” by…
– Reading a book
– Taking a course
– Listening to a presentation

Page 5

Rather, ERM is…

A complex process…

… involving broad-based and in-depth knowledge and understanding,…

… requiring an appropriate corporate culture,…

… and creativity…

… born of a variety of experiences…

… and insatiable curiosity.

Page 6

ERM Definition from IIA

From Position Statement, The Institute of Internal Auditors:

ERM “is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievements of its objectives.”

Page 7

Steps in the Risk Management Process

• Determine the corporation’s objectives

• Identify the risk exposures

• Quantify the exposures

• Assess the impact

• Examine alternative risk management tools

• Select appropriate risk management approach

• Implement and monitor program

Page 8

Enterprise Risk Management

• Or “Enterprise Risk and Assurance Management”

• What is ERM?
– Concerned with a broad financial and operating perspective
– Recognizes interdependencies among corporate, financial, and environmental factors
– Strives to determine and implement an optimal strategy to achieve the primary objectives: e.g., maximize the value of the firm

Page 9

Evolution of ERM

• Historically: “risk silo” mentality

• Mid-1990s:
– First “Chief Risk Officer”
– First use of ERM terminology

• Late 1990s:
– Risk-related regulatory requirements (e.g., Turnbull)
– Earnings protection insurance debuts

• 2001:
– September 11
– Corporate scandals
– Beginning of efforts to improve corporate governance (e.g., Sarbanes-Oxley)

Page 10

A Paradigm Shift

Traditional
• Risks managed in silos
• Concentrates on physical hazards and financial risks
• Insurance orientation
• Ad hoc / one-off projects

Emerging
• Centralized mgt., with exec-level coordination
• Integrated consideration of all risks, firm-wide
• Opportunities for hedging, diversification
• Continuous and embedded

Page 11

Current State

• Findings from various surveys
– An acknowledged need to improve risk management
– A recognition that a holistic approach is appropriate and preferable
– ERM can improve overall capital management and thus enhance corporate value and competitiveness
– A variety of approaches to improving risk management
– There are still problems to overcome

Page 12

Types of Risks

• Operational
– Hazard
– Physical

• Strategic
– Capital / resource allocation
– Industry / competitors

• Technological
– Databases
– Security
– Confidential information

• Stakeholder

• Legal
– Compliance
– Regulatory

• Financial
– Capital markets
– Credit risks
– Taxes

• Human capital
– Retention
– Training

• Reputational

Page 13

Issues in ERM Implementation

• Different corporate cultures require different ERM approaches

• Who is going to be the ERM champion within the company?
– Among senior executives
– Among departments / functions

• How to embed a risk management culture and responsibilities throughout the firm

Page 14

Components of the ERM Process

• Determine corporate objectives

• Risk identification
– Goal: comprehensiveness
– E.g., self-assessment

• Risk measurement
– Volatility measures
– Value at Risk (VaR)

[Figure: likelihood/impact risk matrix, with Likelihood on one axis and Impact (size of loss) on the other]

Page 15

Components of ERM (cont.)

• Assessing the impact
– Stress or scenario testing
– Stochastic simulation

• Examine and select alternative risk management tools and techniques
– Traditional risk transfer
– Natural hedging / diversification
– Integration of risks (e.g., “dynamic financial analysis”)
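The risk-measurement and impact-assessment steps named on slides 14 and 15 (likelihood/impact rating, volatility measures, Value at Risk, stochastic simulation) are listed without a worked illustration. The following Python is an added example, not part of the presentation, showing one way to compute each of them on constructed data: a 5x5 likelihood/impact rating with assumed bucket thresholds, sample volatility, empirical VaR and tail VaR over a set of loss outcomes, and a Monte Carlo simulation of aggregate annual losses (Poisson claim count, lognormal severity). The thresholds, register entries and loss parameters are all assumptions made for the example.

```python
"""Risk-measurement helpers for the ERM steps on slides 14 and 15:
likelihood/impact rating, volatility, Value at Risk (VaR) and a stochastic
(Monte Carlo) simulation of aggregate annual losses.
All thresholds and parameters below are assumptions for this example.
"""
import math
import random
import statistics
from typing import List, Sequence, Tuple

# Assumed 5x5 risk-matrix bucket thresholds (constructed, not from the slides).
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 6


def rate_risk(likelihood: int, impact: int) -> Tuple[int, str]:
    """Score a risk on a 1-5 likelihood x 1-5 impact matrix and bucket it."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    score = likelihood * impact
    if score >= HIGH_THRESHOLD:
        return score, "High"
    if score >= MEDIUM_THRESHOLD:
        return score, "Medium"
    return score, "Low"


def volatility(losses: Sequence[float]) -> float:
    """Sample standard deviation of the loss outcomes (a volatility measure)."""
    return statistics.stdev(losses)


def value_at_risk(losses: Sequence[float], confidence: float) -> float:
    """Empirical VaR: the loss level not exceeded with probability `confidence`."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(index, 0)]


def tail_value_at_risk(losses: Sequence[float], confidence: float) -> float:
    """Average of the losses at or beyond VaR (expected shortfall): it says how
    bad the tail is once VaR is breached, which VaR alone does not."""
    var = value_at_risk(losses, confidence)
    return statistics.fmean([x for x in losses if x >= var])


def _poisson(rng: random.Random, mean: float) -> int:
    """Poisson draw (Knuth's multiplication method) for the annual claim count."""
    limit = math.exp(-mean)
    count = 0
    product = 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_aggregate_losses(years: int, claim_frequency: float,
                              severity_mu: float, severity_sigma: float,
                              seed: int = 0) -> List[float]:
    """Monte Carlo: each simulated year draws a Poisson number of claims and a
    lognormal severity per claim; their sum is that year's aggregate loss.
    Parameters are constructed for illustration, not calibrated to any book."""
    rng = random.Random(seed)
    results = []
    for _ in range(years):
        claims = _poisson(rng, claim_frequency)
        results.append(sum(rng.lognormvariate(severity_mu, severity_sigma)
                           for _ in range(claims)))
    return results


if __name__ == "__main__":
    # Constructed risk-register entries: (name, likelihood, impact).
    register = [("Data-centre outage", 2, 5), ("Key-person loss", 3, 2),
                ("Reserve deficiency", 4, 4)]
    for name, lik, imp in register:
        score, bucket = rate_risk(lik, imp)
        print(f"{name:22s} score={score:2d} {bucket}")
    sims = simulate_aggregate_losses(10_000, claim_frequency=2.0,
                                     severity_mu=10.0, severity_sigma=1.0, seed=42)
    print(f"mean={statistics.fmean(sims):,.0f} vol={volatility(sims):,.0f} "
          f"VaR99={value_at_risk(sims, 0.99):,.0f} "
          f"TVaR99={tail_value_at_risk(sims, 0.99):,.0f}")
```

Run as a script it prints the rated register and the simulated loss statistics; the functions are separable so the same VaR and volatility routines can be applied to scenario outputs from a stress test rather than to simulated years.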

Page 16

Keys to Success in ERM

• Senior management commitment and sponsorship

• Embed a “risk management culture” in the corporation at the operational level

• Provide for accountability, both specific and widespread

• Clearly defined responsibilities for coordination and maintenance

• Adequate communication

Page 17

Internal Audit and ERM

Overview

• Provide independent and objective assurance for the Board on the effectiveness of ERM
– Identify / assess / manage key risks
– Internal controls

• IA has assurance and consulting roles
– Function of other resources
– Relative time/effort between roles may vary among firms and over time

Page 18

Internal Audit and ERM

“The Role of Internal Auditing in Enterprise-wide Risk Management” - The Institute of Internal Auditors

Core Roles
• Assurance regarding, and evaluation of, the risk management process
– Risk reporting, evaluation, management
• Assurance regarding handling of key risks

Page 19

Internal Audit and ERM (cont.)

“The Role of Internal Auditing in Enterprise-wide Risk Management” - The Institute of Internal Auditors

NOT Roles
• Establishment of “risk appetite”
• Imposing / implementing risk responses / management

Page 20

Internal Audit and ERM (cont.)

“The Role of Internal Auditing in Enterprise-wide Risk Management” - The Institute of Internal Auditors

Possible Roles
• Facilitating risk management
– Identification, evaluation, championing
• Coordinating ERM
• “Developing risk management strategy for board approval”

Page 21

NAIC

“Risk-Focused Surveillance Framework”

Main Objectives

• Focus on areas posing greatest risk to solvency
• Focus on “the assessment of governance structure, corporate culture, and management processes in insurance companies to identify, assess and manage (where manage is defined as measurement, mitigation and monitoring) risk”

Page 22

NAIC (cont.)

Risk Classifications

• Credit

• Market

• Pricing and underwriting

• Reserving

• Liquidity

• Operational

• Legal

• Strategic

• Reputation

Page 23

NAIC (cont.)

Page 24

Conclusion

“The revolutionary idea that defines the

boundary between modern times and the past

is the mastery of risk”

- Peter Bernstein, Against the Gods