
Introduction to ERM

Enterprise Risk Management


PGDM 22-24
N K V Roop Kumar

Disclaimer:

The views expressed by the trainer(s) are not those of the trainer(s)' employer, firm, clients, or any other organization.

The opinions expressed do not constitute legal or risk management advice.

The notes/slides provided and the views discussed are for educational purposes only and are provided only for use during this session.
Profile:
N.K.V. Roop Kumar RF, RIMS CRMP, FLMI, FRMAI, ARM™

▪ Trainer and Consultant; also Chairman, RIMS India Chapter, for RIMS (The Risk Management Society, USA). Last assignment was EVP, Chief of Risk, Info & Cyber Sec. Mgmt. at SBI Life Insurance India.
▪ Over 34 years of experience (20 years in LIC of India & 14 years in SBI Life Insurance) handling critical portfolios in Enterprise Risk Management, Cyber Security, Data Protection, Business Continuity, Fraud Monitoring, Operations, Insurance & Marketing etc.
▪ Fellow of RIMS, USA (RF), Fellow of Life Management Office Association (FLMI, LOMA-USA), Fellow of Risk Management Association of India (FRMAI) & International Council Member of RIMS, USA.
▪ Visiting faculty in various National Institutes & B Schools like National Insurance Academy (NIA, Pune), Insurance Institute of India (III), BIMtech, IIRM, ASCII.

LinkedIn Profile- linkedin.com/in/roop-kumar-nagumantry-17492043
Personal Cell- +91 7506639798
eMail- roopkumarn@gmail.com
ERM Tools

ERM Tools

Indicative List of Tools to manage Risk:

• Loss data collation and (incident) Reporting
• Risk Registers
• Business Continuity Management
• Risk Awareness creation
• Risk Control Self Assessment (RCSA)
• Monitoring Key Risk Indicators
• Scenario Analysis
ERM Tools

Loss data collation and (incident) Reporting

An Incident is an actual event resulting from failed internal processes/process gaps, people, systems or external events which has or could have led to a loss, a gain or an opportunity cost.

❑ Some examples of Incidents
✓ Instances of Data Leakage/Theft
✓ All types of fraud
✓ Information Security Breaches
✓ Business Disruption, damage/theft to assets
✓ Violation of rules & regulations
ERM Tools

Risk Register

✓ A Risk Register is a tool for documenting risks and the actions to manage each risk. The Risk Register is essential to the successful management of risk.
✓ As risks are identified they are logged on the register and actions are taken to respond to the risk.
✓ The responses are documented on the Risk Register, and the register should be regularly reviewed to monitor progress.
ERM Tools

Risk & Control Self Assessment (RCSA)

✓ Risk and control self assessment (RCSA) is a process through which operational risks and the effectiveness of controls are assessed and examined.
✓ The objective of RCSA is to provide reasonable assurance that the Controls are executing efficiently.
✓ RCSA testing can be done on a sampling basis and, based on the results of the Control Testing, Control Effectiveness is to be decided.
Risk Mgmt. Process
Risk Register

What is the Risk? (Description if any): Information Security Risk - 1) Leakage of sensitive information / data, 2) Hacking / Defacing of Internet facing websites & 3) Virus Attack
Risk Owner: Chief Information Security Officer, CIO, Departmental Heads, RDs
Risk Category: Operational Risk
Risk Impact: Financial loss, Loss of reputation, Legal non-compliance e.g. IT Act, Regulatory scrutiny / intervention
Likelihood/Frequency: Possible (3)
Impact/Severity: Moderate (3)
Inherent risk: Medium
Controls/Mitigations:
1) Adherence to Information Security policy
2) Mitigation of identified vulnerabilities in specified timeframe
3) Implementation of MDM / DRM / DLP solutions
4) Purchase of Cyber Insurance
5) User Awareness Creation
Residual Risk: Low
Risk Mgmt. Process
Risk Register

What is the Risk? (Description if any): COVID 19 Pandemic, Business Disruption, Spread of virus amongst employees/employees' family members
Risk Owner: Chief of Risk, Info & Cyb. Sec. Mgmt., Chief of HR & Administration, Business Continuity Coordinator
Risk Category: Operational Risk
Risk Impact: Impact on Continuity of Business, Impact on employee morale, Loss of reputation, Impact on Customer Service
Likelihood/Frequency: Almost Certain (5)
Impact/Severity: Catastrophic (5)
Inherent risk: High
Controls/Mitigations:
1) Invoking BCP by Crisis Management Team & review of readiness/safety measures at regular intervals
2) Work From Home Enablement with the help of tools like VPN, VDI, Webmails etc.
3) Hygiene & Safety Measures at all offices
4) Promoting Virtual meetings & discontinuing Physical meetings
5) Promoting Digital Servicing for Customer Service
Residual Risk: Low
ERM Tools

Business Continuity Management

✓ Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.
✓ In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery.
✓ BCM focuses on People, Process, & Technology
ERM Tools

Creating a Risk Aware Culture

✓ Risk awareness may also be defined as a capability of the organization to recognize risks before they threaten, mitigate them when they arise, and recover from the damages they may cause.
✓ Creating a risk aware culture suggests that the capability is present throughout the organization and is woven into the normal routines, rituals, and behaviors of all those involved.
ERM Tools

Monitoring Key Risk Indicators (KRIs)

✓ A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.

Some qualities of a good key risk indicator include:
✓ Ability to measure the right thing (e.g., supports the decisions that need to be made)
✓ Quantifiable (e.g., damages in dollars of profit loss)
✓ Capability to be measured precisely and accurately
ERM Tools

Scenario Analysis

• Scenario analysis is a challenging element in the operational risk framework. Scenario analysis provides the operational risk framework with a tool to explore the rare but plausible losses that could arise as a result of operational risk.

Role of Scenario Analysis
✓ Firms use scenario analysis to evaluate their exposure to high-severity events.
✓ Scenario Analysis uses both Historical Data & hypothetical scenarios
✓ Useful in Operational Risk Modeling
Let’s Start with some Stories

Let’s Discuss – Designing Organizational Risk Strategy
Integrating Risk Governance into Organization Structure (figure)
Source: COSO ERM 2017 Executive Summary

How Risk Management contributes at four levels of Decision Making within an organization (figure)
Source: www.rims.org
Integrating Risk Governance into Organization Structure

Board of Directors
• Ultimate Risk Oversight Responsibility

Management (Risk) Committee
• Overall Execution of Risk Management
• Establishes Risk Policies, reviews & reports top risks affecting the company

Business Manager/Risk Owners/Risk Champions
• Engaging in Risk Assessment at defined frequency
• Identify & report risk exposures in their day to day activities/business area

Risk Mgmt. function as a Facilitator enables Executive Mgmt. & Risk Owners to carry out their respective responsibilities
Risk oversight by the Board
Risk oversight by the Board

1. Oversight responsibility: Corporate Risk taking and monitoring of Corporate Risk
2. Review whether the Risk management Policies and procedures are consistent with the Risk Appetite and Risk Tolerance and with the company's Strategies.
3. Discuss the types and Magnitude of the company’s Principal Risks
4. Verify whether Risk management is an integral component of Strategy, Culture and Business operations
Risk oversight by the Board

5. Review primary elements comprising Risk Culture, i.e. “Tone at the Top”.
6. Review corporate communication both within and external to the organization.
7. Review the Company’s ability to manage ESG Risks (Environmental, Social, Governance)
8. Analyse and assess the most likely areas of future risks and strategies for the same.
Assessing Organisational Risk Competency

Approach:

▪ Top risks facing the Company are identified annually
▪ Top Risk identification exercise aligned with the requirements of the ISO 31000:2018 standard and the COSO 2017 framework.
▪ List of 74 risks collated based on Internal & External context and Probability of Occurrence & Impact

Internal Context
• Loss events
• Risk / Audit observations
• RCSAs & Risk Registers
• Key Risk Indicators (KRIs)
• Customer complaints
• Infosec assessments

External Context
• Regulatory environment
• Economic, Industry & Political Outlook
• Market performance
• Cyber / Terror threats
• Manmade / Natural Disasters
Assessing Organisational Risk Competency

Method:

▪ Perception of the Management obtained on a 4 point rating (Likert) scale
▪ The responses were converted into a numeric scale* of 1 to 4 and analysed.
  *Note - Very High – 4, High – 3, Medium – 2, Low – 1
▪ Weighted average / standard deviation of each sub risk was aggregated to arrive at the average value / standard deviation for the risk
▪ Risks presented to Risk Management Committee (RMC) for shortlisting Top Risks for the year.
▪ RMC identified Top Risks out of the risks post discussions / deliberations
Assessing Organisational Risk Competency
Top Risks: Current Year vs Previous Year

Top Risk                    Current Year   Previous Year
Claims Risk                 1              1
Information Security Risk   2              4
Product Risk                3              8
Low Persistency Risk        4              NA
Market Risk                 5              3
IT Systems Risk             6              5
Mis-selling Risk            7              2
Regulatory Risk             8              6
Reputation Risk             9              7
Fraud Risk                  10             9
People Risk                 11             10
Catastrophic Risk           12             NA
Assessing Organisational Risk Competency
Way Forward:

▪ Each Top Risk to be assigned to a risk owner responsible for its mitigation.
▪ Detailed mitigation strategies for every Top Risk to be obtained from the relevant risk owner.
▪ Risk Metrics to monitor each Top Risk to be finalised with the risk owner.
▪ Status update of the mitigation strategies to be obtained every quarter
▪ Risk metrics for each Top Risk to be obtained & presented to RMC on a quarterly basis.
▪ Justification / action plan for Top Risks whose risk metrics are out of acceptable range
Assessing Organisational Risk Competency
Metrics to Monitor Top Risks (1/2)

Each entry: Rank. Top Risk – Metric. Green / Amber / Red thresholds. Q2 and Q3 actuals.

1. Death Claims – Actual vs Expected death claims for the year. Green: <= 100%; Amber: 101% - 125%; Red: > 125%. Q2: 99%, Q3: 101%
2. Information Security Risk – Instances of information security breaches. Green: 0; Red: >= 1 (no Amber band). Q2: 0, Q3: 0
3. Product Risk – Contribution of Top 2 Products to Total Business. Green: < 40%; Amber: 40% - 50%; Red: > 50%. Q2: 39%, Q3: 42%
4. Low Persistency – Persistency Ratio. Green: > 95%; Amber: 90% - 95%; Red: < 90%. Q2: 95%, Q3: 89%
5. Market Risk – %age of funds in top quartile. Green: > 80%; Amber: 60% - 80%; Red: < 60%. Q2: 82%, Q3: 65%
6. IT Systems Risk – Downtime of critical systems. Green: < 2%; Amber: 2% - 5%; Red: > 5%. Q2: 0.5%, Q3: 1%
7. Misselling Risk – Misselling complaints Ratio. Green: < 0.1%; Amber: 0.1% - 0.2%; Red: > 0.2%. Q2: 0.09%, Q3: 0.08%
Assessing Organisational Risk Competency
Metrics to Monitor Top Risks (2/2)

Each entry: Rank. Top Risk – Metric. Green / Amber / Red thresholds. Q2 and Q3 actuals.

8. Regulatory Risk – No of non compliances observed. Green: 0; Red: >= 1 (no Amber band). Q2: 0, Q3: 0
9. Reputation Risk – No of adverse media coverage having national impact. Green: 0; Red: >= 1 (no Amber band). Q2: 0, Q3: 0
10. Fraud Risk – Fraud loss vis-à-vis Net Profit. Green: < 1%; Amber: 1% - 3%; Red: > 3%. Q2: 0.9%, Q3: 0.7%
11. People Risk – Attrition Ratio. Green: < 15%; Amber: 15% - 20%; Red: > 20%. Q2: 15%, Q3: 12%
12. Catastrophic Risk – No of business continuity tests exceeding RTO. Green: 0; Red: >= 1 (no Amber band). Q2: 0, Q3: 0
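As an added example (not part of the slide deck), the Green / Amber / Red thresholds and Q2/Q3 readings from the two "Metrics to Monitor Top Risks" tables above, turned into a small Python evaluator: it parses the slides' own threshold strings, rates each quarter's reading, and lists the Top Risks whose latest reading is outside Green, which are the ones the "Way Forward" slide says need a justification / action plan. The threshold parsing and the function names (parse_threshold, rag_status, dashboard, needs_justification) are my own.

```python
# Added example, not from the slide deck: rate KRI readings against the Green / Amber /
# Red thresholds of the "Metrics to Monitor Top Risks" slides (values copied from them).
import operator
import re

_OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt, ">": operator.gt, "=": operator.eq}
_THRESHOLD = re.compile(r"\s*(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)?)\s*%?\s*")

def parse_threshold(text):
    """Turn a slide threshold ('<= 100%', '>= 1', '0') into a predicate; bare number = equal."""
    m = _THRESHOLD.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised threshold: {text!r}")
    op, limit = _OPS[m.group(1) or "="], float(m.group(2))
    return lambda value: op(value, limit)

def rag_status(value, green, red):
    """Green if the Green threshold holds, Red if the Red one holds, else Amber (the band
    between them on the slides; KRIs with Green 0 / Red >= 1 have no Amber band)."""
    if parse_threshold(green)(value):
        return "Green"
    if parse_threshold(red)(value):
        return "Red"
    return "Amber"

# name: (Green threshold, Red threshold, [Q2, Q3] readings); percentages as plain numbers
KRIS = {
    "Death Claims": ("<= 100%", "> 125%", [99, 101]),
    "Information Security Risk": ("0", ">= 1", [0, 0]),
    "Product Risk": ("< 40%", "> 50%", [39, 42]),
    "Low Persistency": ("> 95%", "< 90%", [95, 89]),
    "Market Risk": ("> 80%", "< 60%", [82, 65]),
    "IT Systems Risk": ("< 2%", "> 5%", [0.5, 1]),
    "Misselling Risk": ("< 0.1%", "> 0.2%", [0.09, 0.08]),
    "Regulatory Risk": ("0", ">= 1", [0, 0]),
    "Reputation Risk": ("0", ">= 1", [0, 0]),
    "Fraud Risk": ("< 1%", "> 3%", [0.9, 0.7]),
    "People Risk": ("< 15%", "> 20%", [15, 12]),
    "Catastrophic Risk": ("0", ">= 1", [0, 0]),
}

def dashboard(kris=KRIS):
    """Per-quarter RAG status per Top Risk, e.g. 'Death Claims': ['Green', 'Amber']."""
    return {name: [rag_status(v, green, red) for v in readings]
            for name, (green, red, readings) in kris.items()}

def needs_justification(kris=KRIS):
    """Top Risks whose latest reading is not Green ('Way Forward': justification / action plan)."""
    return sorted(n for n, statuses in dashboard(kris).items() if statuses[-1] != "Green")
```

Note that a reading sitting exactly on a boundary (Persistency 95%, Attrition 15%) lands in Amber under these thresholds, matching how the slides draw the bands.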