Practical Enterprise Risk Management (ERM) : Casualty Loss Reserve Seminar, Fall 2013

9/5/2013
Practical Enterprise Risk Management (ERM)

Casualty Loss Reserve Seminar, Fall 2013
Agenda
ERM 101 2
Building an effective ERM program 8
Case study 28
Lessons learned 34
Q&A 38
1 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
ERM 101
1
9/5/2013
What is risk?
“The potential for loss –

or the diminished
opportunity for gain –
caused by factors that
can adversely affect the
achievement of a
company’s objectives”
Source: ‘The Risk Intelligent Enterprise –
ERM Done Right’
An effective ERM program mayhelp not only preserve value in the traditional risk
management sense but also help create value for the respective organizations
3 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
What is ERM?
• Enterprise Risk Management is a capability that involves identifying,

assessing, measuring, monitoring, and responding to risks across the
enterprise in a way that is aligned with the enterprise’s objectives and
risk appetite.
• The premise of ERM is that it attempts to present an overall and
integrated view of the risks to which an enterprise is exposed.
• Effective ERM programs may ultimately lead to the Risk Intelligent
Enterprise TM
Traditional Risk Management vs. ERM
2
9/5/2013
What is ERM?
ERM can integrate siloed risk management efforts to focus organization
on key risks
Why ERM?
An effective ERM program may help:

• Identify and manage cross-enterprise risks
• Create a risk-aware culture
• Enable focus on the risks that matter most through integrated
management reporting
• Reduce vulnerability to adverse events
• Align risk appetite and strategy
• Link growth, risk, and return
• Decrease operational surprises and losses
• And more…
How to build an effective

ERM program
3
9/5/2013
Roadmap for building an ERM program

Illustrative deliverable showing a high-level roadmap for the implementation of recommendations
# Recommendations <6 months 6-12 months >12 months

Develop a standard definition of risk and
Governance
G1 a framework to enable proactive

Risk
management of risk
Rationalize and realign risk management

G2
function
Develop talent management model to

I1
optimize staffing levels
Risk Infrastructure &
Develop and implement a formal training

I2
Management
and communication program
Develop a technology strategy to support

I3
the Risk and Compliance group
Improve timeliness and ease of obtaining

I4
data
Strengthen documentation and

P1
promulgation of policies and procedures
Risk Ownership
Institutionalize risk assessment and

P2
measurement
Develop Key Risk Indicators (KRIs) tied

P3
to Key Performance Indicators (KPIs)
P4 Enhance reporting standards
Legend
Areas of Immediate Continuous Extends Beyond 12
Focus Improvement Months
Practical next steps
Activity Illustrative Components

Definition of risk, policies and procedures,
Understanding enterprise risk & value
1
business strategies, organization objectives

Develop risk framework Risk map, rating agency framework
2
Risk rating criteria (impact, vulnerability,

Develop risk appetite
3
speed of onset)
Assess & prioritize risk Risk register, heat map

4
Quantify risk SME working groups led by CFO

5
Develop action plan Risk limit, delegation authority

6
Monitor and reporting Risk dashboard

7
Strategic planning process, internal audit

Integrate risks into strategic decisions
8
plan
1. Understanding enterprise value and risk

Risk Intelligence Map
Identify
where risk is
manifested
in the
organization
4
9/5/2013
1. Understanding enterprise value and risk

ERM Program Accountability / Roles
Board of Directors and CEO
The Board of Directors has ultimateaccountability for all risk
but can delegate responsibility to senior management
ERM Steering Committee

“ERM Oversight”
Clearinghouse for risks,
policy, appetite setting, and governance
Business Areas ERM Champions Internal Audit

“Manage Risks” “Supports ERM Steering “Provides Independent
Committee, Management, and the Assurance”
§ Risk identification Board” § Monitor, advise, coordinate
§ Risk self-assessments and facilitate ERM process
§ ERM Program Management
§ Strategy and actions to § Objective review of risk
address risk within policy § Governance, policy, and
management process
appetite implementation and
§ Ensure compliance with ERM § Independent assuranceto
coordination
policies and procedures management and Board on
§ Risk assessment methods
§ Provide assertions on risk assertions of risk exposure
exposure § Measurement, aggregation,
reporting rules and tools
§ Monitor risk exposure status
and report to Board
2. Develop risk framework
• Framework allows for organization Level 1: Risk Classes
of risks and determines Level 2: Risk Categories

comprehensive review across:
Level 3: Risk Sub-categories
• Governance
Level 4: Individual Risks
• Strategy and Planning
• Operations/ Infrastructure
• Compliance
• Reporting
• Boil it down to only the most

significant existing and emerging
risks and opportunities
• Consider objective sources, e.g.,

rating agency framework, etc.
3. Develop risk appetite

New strategies / initiatives should be evaluated against the company’s
risk appetite / tolerance – and vice versa.
Inherent Risk Risk Appetite &
Risk Management
Tolerance
Risk Appetite Too Much Risk-Taking

Maximum amount of risk
management is willing to
accept to achieve strategic
goals / objectives
Acceptable Risk Taking:
The intrinsic risk a • Key Risk Indicators
Risk Tolerance
company takes in
• Trend Analysis
operating its business in
the absence of actions
+ The range / variability
of risk management
= • Business Decisions
management might take to
control risk is willing to accept to
achieve strategic goals
/ objectives Insufficient Risk-Taking
5
9/5/2013
q Risk appetite is the criteria used to assess and prioritize the identified potential
risks
q Risk appetite contains the following dimensions:

– Impact: The impact of the risk without considering any controls /strategies/
mitigation factors.
– Vulnerability: The remaining impact of the risk (residual) which takes into
account any controls/ strategies/ mitigation factors.
– Speed of onset: The speed in which this event can occur.

Sample impact rating criteria
Impact Criteria Financial Reputation Customers Operations Em ployees Legal/ Regulatory
HIGH 5 rating: International/national Wide-spread impact Significant Unplanned loss of Major federal or state
(4-5 Rating) Greater than $XX media attention on customer interruptions of several key and senior scrutiny
million impact on satisfaction business operations of employees
earnings before taxes Significant negative 2 or more divisions or Investigations subject
impact on reputation Serious threat to future countries Serious injury to to substantial fines and
4 rating: and brand, likely to grow th. employees and/or penalties including
Greater than $XX have long-lasting Potential losses may dangerous near miss criminal charges
million and less than impact Inability to sell be considered and/or cease-and-
$XX million impact on irrecoverable Significant impact on desist orders
earnings before taxes employee relations,
retention rates, and Possible regulatory
morale action
MEDIUM 3 rating: Regional media Decline in customer Moderate interruptions Unplanned loss of Moderate or routine
(3 Rating) Greater than $XX attention satisfaction of business operations several employees federal and state
million and less than of 1 or more divisions litigation subject to
$XX million impact on Some negative impact Impact on sales or countries Some impact on substantial fines or
earnings before taxes on reputation and employee relations, penalties, subject to
brand, not likely to Potential losses are retention rates, and regulatory proceedings
have long-lasting likely recoverable in morale and/or hearings
impact the short term (12 - 24
months)
LOW 2 rating: Minimal local media Minimal or isolated Moderate interruptions Unplanned loss of a Unlikely or remote
(1-2 Rating) Greater than $XX attention impact on customer of business operations single employee chance of criminal
million and less than satisfaction w ithin 1 division or enforcement, civil
$XX million impact on Minimal or no negative country No impact on enforcement, and/or
earnings before taxes impact on reputation Minimal complaints employee relations, litigation
and brand w ith and recovery costs Potential losses are retention rates, and
1 rating: primarily short-term considered to be morale
Less than $XX million impact temporary (less than
impact on earnings 12 months)
before taxes

Sample vulnerability rating criteria
Risk Management Capability
Vulnerability
Mitigation/ Monitoring Complexity Technology (if technology
Criteria People Process
enabled process)
HIGH 5 rating: Risk affects a high Limited level of internal 5 rating: Major system performance,
(4-5 Rating) No mitigation/monitoring # of transactions staff capable of managing No effective process in place to manage reliability and validity issues
plans exist or a high # of risk potential the risk
processes Significant security exposures
4 rating: Limited access to 4 rating:
Mitigation/monitoring Transactions are resources Process in place but not consistently Outdated and ineffective
plans exist but are not highly subject to follow ed and/or no monitoring, testing or technology
consistently applied judgment and Significant level of change reporting of process
estimation experienced by resources Significant changes required
as a result of risk event Significant level of change required to to systems as a result of risk
business process as a result of risk event event
MEDIUM Mitigation/monitoring Risk affects a Moderate level of internal Process is in place but is in need of Moderate data & system
(3 Rating) plans need to be medium # of staff capable of managing improvement (e.g., may be overly performance, reliability, and
updated and/or improved transactions or a risk potential complex or manually driven) validity issues
medium # of
processes Moderate access to Monitoring, testing and/or reporting of Moderate level of change
resources process needs improvement required to systems as a
Moderate result of risk event
subjectivity to Moderate level of change Moderate level of change required to
judgment and experienced by resources business process as a result of risk event
estimation as a result of risk event
LOW 2 rating: Risk affects a low Sustainable level of Clear, effective and consistently follow ed Minimal data & system
(1-2 Rating) Mitigation/monitoring # of transactions employees capable of process to manage the risk is in place performance, reliability and
plans are in place, or a low # of managing risk potential validity issues
consistently applied and processes and low Any necessary monitoring, testing and/or
routinely tested; subjectivity to Readily available reporting of process has been effectively Minimum level of changes
judgment and resources implemented required to system as a result
1 rating: estimation of risk event
Mitigation/monitoring Minimal level of change Minimal level of change required to
plans are an integral part experienced by resources business process as a result of risk event
of standard operations as a result of risk event
6
9/5/2013

Sample speed of onset rating criteria
SPEED OF ONSET – How quickly could this risk event occur, i.e., how much time would
GLDD have to react?
Criteria Definition
HIGH Very rapid onset;little or no warning, instantaneous.
(4-5 Rating)
MEDIUM Moderate onset; several days or weeks to occur

.
(3 Rating)
LOW Very slow onset; several months or years to occur.

(1-2 Rating)
4. Assess & prioritize risk
Risk : Impact + Vulnerability + Speed of Onset
What can How prepared How quickly could it happen?

happen? are we to react? • How much time would we have to react?
• Financial • Mitigation Plans
• People
•
•
Reputation
Legal • Process
H
Assurance of Enhance Risk
• Customer • Technology Preparedness Mitigation
• Coworker
• Partners A M
Impact
R CI
Risk appetite/tolerance discussions with executives Assess/ Redeploy Measure for
Resources Cumulative
and board will help define “High”, “Medium” Impact
and “Low” for each of these components
L Vulnerability H
*MARCI chart used with permission of Deloitte Development LLC. All Rights Reserved.
4. Assess & prioritize risk

High
B ID Risks
A
D A Foreign Exchange Rate
E B Competition
F I C Transfer Pricing
K H
D Debt Management
G
L E Contracts
Assure Risk Mitigation Enhance Risk
is Effective Mitigation F Financial Accounting
Medium
Impact
M J G Information Security
N H Cash Management/Liquidity
C I Regulatory Compliance
J Quality
K Succession Planning
L Reputation
M Intellectual Property
Redeploy Measure for N Insurance Coverage
resources Cumulative Impact
Low
Low Medium High
Vulnerability
Dot size reflects Speed of Onset: Low Medium High
7
9/5/2013
5. Quantify risk
Perform risk quantification on key risks identified from risk prioritization
6. Develop action plan
Risk Response Model

No Further Action
Three General Categories of Act
Response
Learn More
Response Variations by Quadrant:
Alternative Responses:
1. NFA – Appropriate assurance activities
H Alternative Responses:
1. NFA – Appropriate response currently
Assurance of Enhance Risk
exist, confirm accountability/metrics Preparedness Mitigation underw ay – Confirm accountability/metrics
and monitor and monitor
2. ACT – Conduct additional assurance 2. ACT – Do something now to mitigate risk
activities now or otherw ise add to audit A M and/or exploit opportunity
plan 3. LEARN MORE – Further inquiry
3. LEARN MORE – Further inquiry necessary/deep dive
Impact
necessary/deep dive
R CI
No immediate action planned Measure for Confirm accountability/metrics and monitor
Assess Cumulative
Resources Impact
L Vulnerability
H
7. Monitoring and reporting

Develop a dashboard for ongoing risk monitoring
Key Risk Summary
Progress Against Action Plan
8
9/5/2013
7. Monitoring and reporting

Risk Name Owner:
Risk Description Advisor:
Key Risk Drivers:

Owner / Advisor BRAT Trend
Assessment: Assessment:
• Factor 1
• Factor 2
Key Response Activities/ Initiatives:
• Factor 3
• Factor 4
• Activity 1
• Activity 2
• Activity 3
• Activity 4
Key Metrics:
• Metric 1
• Metric 2
• Metric 3
• Metric 4
• Metric 5
Owner / Advisor Assessment Key BRAT Trend Assessment Key

Risk/Lost Risk /Lost
Opportunity Opportunity Stable Change from
Stay the Course Modify/ Change Course Change from last report
last report Increasing Decreasing
8. Integrate risks into strategic decisions

Build risk considerations into strategic planning process
• What are potential risks (both internally and externally driven) to the
success of this strategic initiative?
– How will each potential risk be monitored?
– What contingency plans and/or mitigation mechanisms are in place to manage
these potential risks?
• What new potential risks does this strategic initiative create?
– What are their potential impacts?
– How will the Company manage its vulnerability to those risks?
• What opportunities does this strategic initiative pursue?
– What are their potential impacts?
– How will the Company manage successful achievement of those objectives?
• Conduct scenario analysis focused on top priority risks
ERM and Internal Audit

Internal Audit’s Role in ERM
9
9/5/2013
ERM and Internal Audit

Inputs to Internal Audit Plan
Case study
Case – risk self assessment manual

Client
A large Financial Services firm (Firm B)
Background
Firm B was seeking to develop a Risk Self-Assessment (RSA) Manual to be used
within the business units (BU) to enable specific and consistent methodology for
the assessment of risk.
Project Sponsor
Chief Risk Officer (CRO)
10
9/5/2013
Case two – risk self assessment manual
• Enhanced existing enterprise risk map
• Developed a risk rating criteria to be appplied by BUs in assessing risks
• Leveraged existing Firm B and Deloitte tools, developed and documented

a process and supporting templates for the risk assessment, including:
• Overall procedures and protocols
• Facilitation (survey) questions to be used in the BU RSA process
• Templates to support risk identification, assessment and reporting processes, e.g., risk
register, risk/opportunity heat map, reporting & analysis dashboards, etc.
• Developed a change management plan toincrease the probability of

successful adoption of the RSA manual and lay the groundwork for
adoption of future ERM enhancements
• Designed and assisted with pilot BU RSA workshop

Risk Rating Criteria

RSA Process
11
9/5/2013

Risk Quantification
Lessons learned
Leading practices
• Risk management should be integrated into corporate culture, starting at the
Board level and with the governance capability.
• Ensure the ERM fundamentals, i.e., the framework, methodology, and tools are
established before developing more advanced risk management practices
• Buy in from CEO and executive team is imperative to the program’s success
• Elevated CRO visibility and responsibility: direct reporting to the board and/or
CEO, and increasing frequency of CRO executive sessions with the board
• The integration of ERM with other management practices (performance
management, process management, compliance management, quality
management, etc.)
• Leaders actively shape their risk culture into something purposeful that is
aligned with business strategy — and where each employee takes personal
responsibility for managing risk in their work every day understands how to
make the right risk-based decisions
• Integration of risk discussions and ERM monitoring into everyday business is
essential – not a documentation exercise
• Build common language and common metrics
12
9/5/2013
Potential challenges
• ERM training is still limited to risk specialists and people directly involved in the
Risk Management activities
• Just in this past decade, many companies’ failures were the result of bad
decisions on the part of a handful of people – in these cases, the human factor
is the root cause
• In the midst of the recent economic challenges, many companies with well-
established ERM functions, processes, and controls still failed
• Missing the cultural and organizational components that may help guard against
ineffective or just plain poor decision-making on the part of individuals
• ERM processes are implemented but organizations may still face challenges
with respect to effective monitoring and reporting
• Lack of awareness is a common barrier to effectiveness
Current trends
• There is increasing link between risk and performance management
• More emphasis has been put on risk related to strategy and its execution
• The focus is shifting from the unrewarded risks to the rewarded risks
• The role of HR in managing risk is expanding
• Social media risk rivals financial risk as an area of concern
• Continuous risk monitoring is rare today, but on the rise
• The Changing Role of Internal Auditors is not just focused on risk mitigation but
also value creation
• Data integrity and data analysis become increasingly important as systems are
integrated and reporting needs increase
• Boards have been increasingly proactive in risk management and this will likely
continue
• The CRO is increasingly a more senior executive position
Q&A
13
9/5/2013
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is
not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action
that may affect your business. Before making any decision or taking any action that may affect your business, you
should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on
this presentation.
Copyright © 2012 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited
14

Practical Enterprise Risk Management (ERM) : Casualty Loss Reserve Seminar, Fall 2013

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Practical Enterprise Risk Management (ERM) : Casualty Loss Reserve Seminar, Fall 2013

Uploaded by

Copyright:

Available Formats

9/5/2013

Practical Enterprise Risk Management (ERM)

Building an effective ERM program 8

“The potential for loss –

• Enterprise Risk Management is a capability that involves identifying,

Traditional Risk Management vs. ERM

An effective ERM program may help:

How to build an effective

Roadmap for building an ERM program

# Recommendations <6 months 6-12 months >12 months

G1 a framework to enable proactive

Rationalize and realign risk management

Develop talent management model to

Develop and implement a formal training

and communication program

Develop a technology strategy to support

Improve timeliness and ease of obtaining

Strengthen documentation and

Institutionalize risk assessment and

Develop Key Risk Indicators (KRIs) tied

P4 Enhance reporting standards

Practical next steps

Activity Illustrative Components

business strategies, organization objectives

Risk rating criteria (impact, vulnerability,

Assess & prioritize risk Risk register, heat map

Quantify risk SME working groups led by CFO

Develop action plan Risk limit, delegation authority

Monitor and reporting Risk dashboard

Strategic planning process, internal audit

1. Understanding enterprise value and risk

1. Understanding enterprise value and risk

ERM Steering Committee

Business Areas ERM Champions Internal Audit

2. Develop risk framework

• Framework allows for organization Level 1: Risk Classes

of risks and determines Level 2: Risk Categories

• Boil it down to only the most

• Consider objective sources, e.g.,

3. Develop risk appetite

Risk Appetite Too Much Risk-Taking

achieve strategic goals

/ objectives Insufficient Risk-Taking

3. Develop risk appetite

q Risk appetite contains the following dimensions:

– Speed of onset: The speed in which this event can occur.

3. Develop risk appetite

3. Develop risk appetite

3. Develop risk appetite

MEDIUM Moderate onset; several days or weeks to occur

LOW Very slow onset; several months or years to occur.

4. Assess & prioritize risk

Risk : Impact + Vulnerability + Speed of Onset

What can How prepared How quickly could it happen?

4. Assess & prioritize risk

Low Medium High

Dot size reflects Speed of Onset: Low Medium High

6. Develop action plan

Risk Response Model

Response Variations by Quadrant:

7. Monitoring and reporting

Key Risk Summary

Progress Against Action Plan