ERM: Enterprise Risk Management. David N. Ingram, CERA, FRM, PRM Senior Vice President, Willis Re. The agenda. Goal: a better understanding of the following: The objectives and benefits of ERM Some fundamental issues in measuring risk Choosing ERM Objectives
ERM: Enterprise Risk Management David N. Ingram, CERA, FRM, PRM Senior Vice President, Willis Re
The agenda • Goal: a better understanding of the following: • The objectives and benefits of ERM • Some fundamental issues in measuring risk • Choosing ERM Objectives • How to get started on implementing Enterprise Loss Controlling • Building a Full ERM Program • Best practices in ERM • Status of ERM Implementation
ERM: new name, old stuff? • “ERM is just a fancy name for what my colleagues and I here at ABC Insurance do and have been doing every day for thirty years.” • “We know all about ERM. Our trained professionals check every policy we write and every asset we buy.” • “Actuaries don’t need training in ERM. Risk is what our profession is all about. We are already the experts on risk.”
Advice from my first boss • Clients pay insurers to assume some of their risk • The key to an insurer’s success is making sure it is adequately paid for doing so • Be sure to maintain the right balance between risk and return. • Don’t take on risk if you are not adequately paid to do so. Gladly take on risk if the price is right. • It’s all about risk and return (profit) • (Agree?)
Key questions about profit • How much profit did our firm make last year? • We ask similar questions about the components of profit: premiums, losses, expenses, and the like • We calculate and report by month and quarter also • Was that more or less than a year/quarter/month ago? • Were our profits in a specific line of business (or state or county) more or less than our profits in another line of business (or state or county)?
Questions about profit • At the very least, we expect a firm to know the following: • Its overall profits • Its change in profit over time • Its difference in profit across different lines of business, territories, or functions (e.g., underwriting and investment) • If it doesn’t know these things, we would seriously doubt whether the firm is well-managed. (Agree? Firms know?)
It’s hard to manage profit without numbers • Numbers focus management attention (a scarce resource) on problems and opportunities • Numbers provide feedback on actions taken. • Are we making or losing money? Why? • Are we more or less profitable than last year? Why? • Where are we especially profitable and especially unprofitable? • What actions can/should we take to improve our overall profitability?
My question to my boss • So where are the risk numbers? • I’ve seen numerous reports, spreadsheets, meetings, etc. that analyze our profits • Where are the reports, spreadsheets, meetings, etc. that analyze our risks? • How can you manage risk without risk numbers!
Questions about risk • Shouldn’t we expect a firm to know the following: • Its overall risk • Its change in risk over time • Its difference in risk across different lines of business, territories, or functions (e.g., underwriting and investment) • If it doesn’t know these things, shouldn’t we seriously doubt whether the firm is well-managed? (Agree?)
It’s hard to manage risk without numbers • Numbers focus management attention (a scarce resource) on problems and opportunities • Numbers provide feedback on actions taken. • Are we taking too much or too little risk? Why? • Are we taking more or less risk than last year? Why? • Where are we taking little risk and where excessive risk? • What actions can/should we take to improve our overall risk?
Results of managing risk without numbers • We focus far more on return than on risk • We can’t compare different risks • And we can’t compare the same risk over time • Therefore we can’t really manage risk, since we lack feedback • And we don’t know the risks on which we should focus scarce managerial attention
Managing without numbers • Lack of measurement also means that we become very susceptible to potentially distorted perceptions of risk • We also become complacent, and readily attribute high profits (from low losses) to skill rather than luck • Do we need to revisit the earlier quotes? • “We already do ERM” • “We know our risks (especially overall)” • “We are already the experts on risk” • So where are the reports etc. on risk? • Agree? Does your firm have them?
What is ERM? • It is an evolving body of knowledge – concepts, methods, and techniques –. . . • . . . that enables a firm to understand, measure, and manage its overall risk . . . (objectives) • . . . so as to maximize the firm’s value to shareholders and policyholders. (benefits)
Measuring risk: How much risk are we taking? • To answer this question we need to specify and implement a way of describing and comparing probability distributions of outcomes; we need a risk measure • Conceptually, there has been more emphasis on inventing new risk measures than in comparing or using existing ones in a practical way.
Measuring risk: How much risk are we taking? • Practically, the need is for a common risk vocabulary across varied groups: • Underwriters: focus on pricing risk • Actuaries: focus on reserve risk • Portfolio Managers: focus on investment risk • Various: focus on credit risk
How to measure risk: quiz • The table at right shows four alternatives, A through D, and the payoffs for each, with their associated probabilities. • All four alternatives have the same Expected Value (EV): 100 • A positive number means that you receive this amount. • A negative number means that you pay or lose this amount. • Which alternative is the most risky? (Vote) • Which is the least risky? (Vote)
How to measure risk • Alternative A has the highest standard deviation • But this is due to the high upside potential of this alternative. Is that really relevant? • Does giving you a lottery ticket increase your risk? • Isn’t risk better defined as a potential for loss?
How to measure risk • Alternative B has the highest probability of loss. • But the loss isn’t very big. • Shouldn’t the magnitude of the loss also be taken into account?
How to measure risk • Alternative C has the highest expected loss, given that a loss occurs: -50 times 0.49 = -24.5 • That is the breakeven cost of buying insurance against loss. • That is also the cost of a put option with a strike price of zero.
How to measure risk • Alternative D has the highest loss. • It has the worst case loss among the outcomes shown • This is the same as the highest 1% Value at Risk (VaR)
A key concept in the evolution of ERM: VaR • 1989: Dennis Weatherstone, CEO of J. P. Morgan, asks for a report, to be delivered to him daily at 4:15 pm, that answers the following question: • How much could we lose if tomorrow turns out to be a relatively bad day? • Why 4:15? Because if the number was larger than he was comfortable with, there was still time to change it.
Why this was a great question • It is short and clear. Everyone can understand it. • It provides an alternative to standard deviation as a risk measure • It defines risk as the potential for loss • It focuses on a specific time horizon • It focuses on the firm as a whole (the “enterprise”) and not on numerous individual trading desks • other reports focused on trading desks (where is our risk?) • Its objective was managing risk, not just measuring it (4:15)
What is a “relatively bad day”? • Analogy to weather: how cold could it get on a relatively cold day? • We could answer by specifying a percentile: “95% of the time (days) the temperature stays above zero” • Value at Risk (VaR): “95% of the time our losses will be less than $125 million” • $125 million is therefore the 95% VaR
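The quiz above and the percentile definition of VaR can be worked through in code. This is an added example, not part of the original slides: the four payoff tables are constructed for illustration (the slide's own table is not reproduced on this page), chosen so that each has an expected value of 100 and each of the four risk measures singles out a different alternative.

```python
import math

# Constructed payoff tables as (payoff, probability) pairs. These are NOT the
# slide's own numbers; they are assumptions built so that every EV is 100.
ALTERNATIVES = {
    "A": [(0, 0.90), (1000, 0.10)],
    "B": [(-1, 0.60), (251.5, 0.40)],
    "C": [(-50, 0.49), (240, 0.50), (450, 0.01)],
    "D": [(-500, 0.02), (100, 0.96), (700, 0.02)],
}

def expected_value(dist):
    return sum(x * p for x, p in dist)

def std_dev(dist):
    ev = expected_value(dist)
    return math.sqrt(sum(p * (x - ev) ** 2 for x, p in dist))

def prob_loss(dist):
    return sum(p for x, p in dist if x < 0)

def expected_loss(dist):
    # Probability-weighted loss, returned as a positive magnitude
    # (the slide writes the same quantity with a minus sign: -50 * 0.49).
    return sum(-x * p for x, p in dist if x < 0)

def value_at_risk(dist, confidence=0.99):
    # Smallest loss L such that losses are <= L at least `confidence` of the time.
    cumulative = 0.0
    for loss, p in sorted((-x, p) for x, p in dist):
        cumulative += p
        if cumulative >= confidence - 1e-12:  # tolerance for float rounding
            return loss
    return max(-x for x, _ in dist)

MEASURES = {
    "std_dev": std_dev,
    "prob_loss": prob_loss,
    "expected_loss": expected_loss,
    "var_99": value_at_risk,
}

def riskiest_by_measure():
    # For each measure, the alternative it ranks as most risky.
    return {name: max(ALTERNATIVES, key=lambda k: fn(ALTERNATIVES[k]))
            for name, fn in MEASURES.items()}

if __name__ == "__main__":
    for name, dist in ALTERNATIVES.items():
        row = "  ".join(f"{m}={fn(dist):8.2f}" for m, fn in MEASURES.items())
        print(f"{name}: EV={expected_value(dist):6.1f}  {row}")
    print(riskiest_by_measure())
```

With these constructed numbers, lowering the confidence level to 95% makes alternative D's VaR negative (a gain), because its 2% tail loss falls outside the percentile being measured.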
Benefits of VaR • We can track risk over time: has it changed? Why? • We can compare different risks to one another • We can determine a reward to risk ratio for different risks • Value of measuring risk in dollars, as in VaR
Other risk measures • Numerous alternatives to VaR have been created • Academics have designed criteria that an ideal risk measure should satisfy • VaR doesn’t meet one of these requirements • But VaR is nonetheless widely used because it is readily understandable and transparent
Risk measurement issues • Risk measurement is necessarily imprecise • But so is profit measurement • Risk measures often focus on rare events, about which relevant data is scarce -- by definition! • Example: firms often purchase reinsurance to protect against events expected to occur once in every 100 to 250 years. But we don’t have that many years of relevant data!
Risk measurement issues • Not all risks need to be quantified • Financial risks are those whose potential damage can be reduced by having additional capital or reinsurance. • They can typically be quantified. • Non-financial risks pose potential damages that are best addressed by the use of appropriate controls. They are typically difficult to quantify. • Reputational risk • Criminal activity
Risk measurement issues • The rarity of events can change • climate change affects extreme hurricanes • legal changes affect Workers Comp or D&O losses
Risk measurement issues • ERM is not a contest to identify the largest number of risks • The need is to focus on the most important risks • The most important quantifiable financial risks at many property-casualty firms: • Underwriting risk • Adverse development in loss reserves • Equity (stock market) risk • Reinsurance recoverable default risk • Fixed income default risk
Risk measurement issues • Aggregation – combining different risks to obtain overall risk – is complex if risks are interdependent (correlated) • A common example: underwriting risk and reserve risk • Interdependence can increase in times of financial stress • Example: bond defaults and stock returns
Effective Risk Measurement • Relevance • Relationship to financial results reporting • Comprehensiveness • All types of risks • All significant aspects of those risks • Responsiveness • Reflecting changes in levels of risks over reporting period • Practicality • Schedule comparable to financial results reports • Reasonable cost to produce • Ability to project alternatives over planning period
ERM Objectives • [Figure, adapted from Standard & Poor’s: axes “Link with strategy” (Low, Medium, High) and “Objective of ERM”. Labels: Loss Controlling, Risk Trading, Risk Steering; Compliance, Loss minimization, Balance sheet protection, Risk/return optimization, Value optimization, Strategic integration, Risk measurement, Risk management, Risk control, Value creation]
ERM Objectives • Loss controlling • limit exposures and therefore losses • ERM adds aggregate approach to risk tolerance • Risk trading • getting paid for risks taken • ERM adds consistent approach to risk margins • Risk steering • strategic choices to improve value • ERM adds risk vs. reward point of view
Key Risks & Controls Process Self Assessment • Five Steps • Risk Identification • Risk Assessment • Risk Control Assessment • Heat Map Development • Risk Plan
Risk Identification • [Diagram labels: ERM; Insurance Risk, Credit Risk, Market Risk, Liquidity Risk, Operational Risk, Group Risk] • Which are your Risks? • Too Narrow • Too Broad
Risk Assessment • How Significant are your risks? • Subjective Assessment • Consensus view • Frequency / Severity • Rank largest
Risk Prioritization • Level 1 – For Board & Top Management • Level 2 – For Middle Management • Level 3 – For Supervisors
Risk Prioritization • Level 1 Risks • Actionable • Top Management Focus • Take to Board • Take to AM Best
Risk Control Assessment • For Most Significant Risks • How effective are your existing control processes? • For the best controlled risks, how much risk is left after the control process? Are they still significant? • Subjective Assessment • Not as easy to reach consensus
Risk Control Plan • Choose High Priority Risks (In the Red) to address this year • Plan will be to: • Prepare detailed documentation of existing control processes • Research and identify best practice control processes • Compare existing to best practice • Choose improvements to make • Implement improvements
Key “First Step” Issues • Your audience • Key risks • Aspects of risk • Risk Appetite • Developing best practices • Communicating ERM
Your Audience • CEO • Board of Directors • Public disclosures • Analyst calls • Rating agencies • General management • Customers • Vendors, partners, counterparties
Know your Audience • For each audience identify: • risk appetite • types of risks • quantum of risk (compared to capacity) • needs and expectations • their perspective of what is inside vs. outside of ERM • to what extent do they expect management to be • Desirability of minimal/maximal satisfaction • goals? • what is considered success?
Key Risks • Change – not on most lists, but most important • Insurance – the most obvious • Investment – the most recent • Operational – “people” risks