Risk Management For

Small to Mid-Sized
Companies
Michael A. Cohen, Principal
Cohen Strategic Consulting
September 16, 2010
 Todays Presentation
Philosophy
Process
Focus of a Small-to-Midsized Companys
ERM Program
Internal/External Identification, Review of
Risks
Financial Analysis/Capital Analysis/Metrics
Risk Tolerances, Thresholds

2
 Todays Presentation
(continued)
Investment Strategy, Management
Governance Structure/Process,
Responsibilities, Communications
Stakeholders, Discussions
Case Study
Business Psychology
Rating Agency Expectations
Conclusion

3
 ERM Philosophy
Leadership/involvement from the top - the CEO
has to drive ERM in a meaningful way,
enhancing the companys risk culture
Supports attainment of (and ideally exceeding)
corporate goals, objectives, interests of
stakeholders
Concentrate on the companys major/material risks
(prioritization) at the core of the ERM process, but
be perceptive about other risks; dont let the
process get bogged down with theoretical concepts

4
 ERM Philosophy
(contd)
Risk thresholds and tolerances quantified/
qualified; events that can cause their breaching
need to be highlighted and mitigated
Integrate ERM with and into strategic, operational
and financial planning, decision making not a
silo!
Use ERM as a problem solving, or better yet, a
problem avoidance effort

5
 ERM Process
Actionable, hands-on process pragmatic!
Communication/integration processes up and down, and across the
organization; this is easier to accomplish in a small to mid-sized
company
Everyone is a risk manager, and a companys communications process
needs to be an effective, non- threatening enabler whereby staff can
alert executives/ managers with a need to know about risk issues
All associates should be students of the business, ideally beyond their
own areas of expertise and responsibility
Modeling must be done insightfully, and deliver reliable decision-
making data and analyses
Decision making processes need to be effective (more on this later)

6
 Focus of a Small-to-Midsized
Companys ERM Program
A small-to-midsized company does not have the resources to do
everything (as a large company does), but it can develop and
implement a very effective ERM process:
Tailor program to fit the organization, its resources, and decision-
making processes
Risk identification, quantification/qualification, prioritization,
coordination, mitigation; problem solving
Focusing on the most impactful areas in the launch phase
Integration of ERM into strategic and operational planning
Utilize existing committee structures and decision-making protocols
Determine risk tolerance, thresholds, tail risks
Implement risk mitigation processes
Were going to talk about rating agencies expectations a little bit later
in the presentation

7
 Internal/External Identification,
Review of Risks
Designate an experienced, knowledgeable
executive to coordinate risk committee and the
identification and review of risks; it may be a
dedicated Chief Risk Officer (CRO), but doesnt
have to be
Committee with key executives:
- Finance
- Actuarial
- Investments
- Businesses
- Legal
- Audit
- Others with relevant expertise

8
 Risk Tolerance (adverse impact),
Thresholds (behavioral triggers)
How much adverse risk impact can your company
tolerate?
Capital
Earnings
Business volume type and amount
Ratings

Miscalculations are common!

If your company is exposed to more risk (impact) than can be
comfortably absorbed (your thresholds are breached), you
may well need to make some changes.

9
 Financial Analysis/Capital
Analysis/Metrics
Growing earnings, while preventing earnings
eroders
Growing capital, while preventing capital
eroders
Economic capital (modeling)
Cost of capital, capital allocation, returns on
capital (risk adjusted returns)
Metrics (of performance)

10
 Investment Strategy, Management
Asset classes invested in
Net yield performance
Realized capital losses/defaults/ impairments
Liquidity
Concentration
Higher yield/higher risk investment options
Counterparty issues

Investment risk issues and magnitudes are growing and

becoming (much) more uncertain

11
 Governance Structure/Process,
Responsibilities, Communications
Senior management
Board of Directors
Key managers
The organization

12
 Key Constituencies:
Stakeholders
Customers
Producers
Board of directors
Investors/shareholders
Rating agencies
Regulators
Counterparties
Financial and business partners, supply chain
Executives, management and critical staff

How might they react to risk and uncertainty, and their adverse
impacts in your company?

13
 Discussions For Key Constituencies
ERM Charter, Goals/Objectives
Risk thresholds, tolerances
Process in place, including governance; committees
overseeing the most important corporate functions integrate
ERM into their activities, missions; communications
Integration into strategic and operational planning
Financial, actuarial analysis /capital allocation/risk
tolerances, thresholds/metrics/modeling
Improvements in decision making, problems headed off,
lessons learned

14
 Actions Dissatisfied
Stakeholders Might Take
Cease doing business with you, or diminish the volume of
business they do with you (Customers, Producers,
Counterparties - financial/business partners, supply chain,
Executives/ Management/Critical staff
Sell stock, lowering the price in the process (Investors)
Replace management, lower compensation (Board of Directors,
Investors)
Charge you a higher price (interest rate) for capital (Lenders)
Downgrade your company (Rating Agencies)
Mandate that you cannot participate in your business
(Regulators, Institutional Customers - if ratings are not high
enough)

15
 Case Study
Visualize a hypothetical company, with the
following attributes:
- $10 billion in assets
- $700 million in capital (7% C&S/Assets)
- $60 million in annual net income
- $100 million in new life insurance annualized
premium
- $200 million in annual fixed annuity sales
- A rating, stable outlook from A. M. Best
- A+ rating, stable outlook from Standard and
Poors
16
 Case Study (continued)
Risk (impact) tolerance: How much capital
could this company lose, and what level of
reduced earnings could it accept
comfortably, without feeling that significant
changes needed to be made?

17
 Case Study (continued)
Event: The company suffers a $100 million,
investment related capital loss (that had
been funded with excess capital of
course)

18
 Case Study (continued)
After the event, the hypothetical company now has the
following attributes:
- $9.9 billion in assets
- $600 million in capital (6.1% C&S/Assets)
- $55 million in annual net income
- Less than $100 million in new life insurance annualized
premium
- Less than $200 million in annual fixed annuity sales
- A rating, negative outlook or possibly a downgrade to
an A- rating from A. M. Best
- A+ rating, negative outlook or possibly a downgrade to
an A rating from Standard and Poors

19
 Reflecting on the Actions Dissatisfied
Stakeholders Might Take
What stakeholder reactions are most onerous?
Avoiding those (most onerous) reactions are clearly
your greatest imperative, and define your ultimate
tolerance for risk and what your risk thresholds need
to be

Hypothesis: A rating downgrade is the most serious

stakeholder reaction a company can experience, as it
has the most impact on triggering other undesirable
stakeholder reactions

20
 Business Psychology:
How People Analyze Situations and
Make Decisions Has a Big Impact on
How They Manage Risk

People work on problems they think they can solve, and they
avoid those they don't think they can solve. Therefore, if the
elements of risk are in the latter category, they won't be
addressed.

They are slow and cautious in reacting to new information.

Solutions to risk reduction may exist, but they might not be
implemented without an inordinate amount of study, or
possibly not at all.

21
 Business Psychology (contd)
They are reluctant to admit ignorance or mistaken assumptions and
tend to forget misassumptions that have been made. An ill-
conceived initiative can be expected to have additional risk, and if
learning doesn't follow, further mistakes may be made.

They are inclined to be risk averse when they have made gains and
can be risk seeking when they have incurred losses. This leads to a
strategy basically opposite of what should be pursued, which is to
invest more when gaining and less when losing.

They look at fewer as opposed to more perspectives, possibly

missing a better solution.

22
 Business Psychology (contd)
They do not realize when they are at an information disadvantage.

They are inclined to blame others for poor results, as opposed to

studying the causes for their own mistakes and fixing them.

They frequently place greater value on what they have created than on
what others have done, either individually or collectively, and may well
miss out on higher-order thinking generated by a group and on critical
perspectives of others.

23
 Black Swans:
Unforeseeable Events
with Huge Consequences
These events arent in our mind-sets; when you develop
risk scenarios, many times these events wont be foreseen
Q: How can we protect our companys assets (broadly
defined) from risks we cant anticipate?
- Increased capital, liquidity (or access to it)
- Diversification: into sound options, not just diversifying
for the sake of it
- Conservatism
- Understanding thoroughly the elements (and risks) of our
businesses (from internal and external views)

24
 Rating Agency Expectations
S&P:
* Has the most intense ERM analysis/expectations
of any rating agency
* Few small-to-midsized life insurance companies
are followed on an interactive basis by S&P
Others

Large companies
Small-to-midsize companies

25
 What S&P is Looking For
in Insurers ERM Programs:
Large Companies
Risk management culture, process
Top management commitment
Governance
Risk tolerance, thresholds; note that the
word appetite was not used!
Risk mitigation, controls

26
 What S&P is Looking For
in Insurers ERM Programs:
Large Companies
Preparedness for emerging and unpredictable risks
Risk models, assumptions
Strategic risk management: controlled risk taking
in the pursuit of strategic initiatives
Effective communications

Whats behind the Power Point?

27
 What S&P is Looking For
in Insurers ERM Programs:
Small to Mid-sized Companies
(they follow only a few of them)
Q: Why cant small to mid-sized companies do many
of the ERM-related activities that large companies
do?

A: They can. They have to perform the most

important elements of ERM with fewer
resources but can benefit from closer coordination.

28
 Conclusion
ERM is an integral part of sound management and
decision making, not a fad nor an isolated activity
Knowing how much risk impact you can
comfortably absorb, and making the necessary
changes if you are beyond your tolerance(s), can
literally save your company
Risk mitigation/problem solving critical
Guard against the unpredictable, while not be
paralyzed by fear
You can do this!

29
 Contact Information

Michael A. Cohen, Principal

Cohen Strategic Consulting
(215) 595-7259
mcohen@cohenstrategicconsulting
www.cohenstrategicconsulting.com

30