Enterprise Risk Management

Question 1

Features of ERM that distinguish it from traditional risk management (47)

Answer 1

1. Instead of focusing on risk mitigation or avoidance, ERM creates organizational resilience in achieving corporate goals
2. ERM views the organization holistically, rather than in silos
3. ERM is embedded within the management framework, rather than being the responsibility of a single risk manager
4. ERM provides a common language to discuss risks and opportunities
5. ERM provides a framework for identification and evaluation of potentially harmful conditions and events
6. ERM ensures the organization assumes no more risk than necessary in order to achieve its goals

Question 2

The process of the typical risk management approach (47)

Answer 2

1. Identifying risk - identifying circumstances and events that may cause harm to the organization. This is where most risk management programs fall short because they are focused only on known risks.
2. Evaluating risk - determining the likelihood and severity of those events
3. Mitigating risk - applying methods that reduce the possibility these events will occur or reduce the financial impact when they occur

Question 3

Reasons why organizations fail to detect emerging risks (risk blindness) (47)

Answer 3

1. An uncertain future - it is likely to be different than what is expected
2. Poor info about the current conditions in the organization and the environment lead to flawed expectations for the future
3. Poor understanding of organizational complexity makes it difficult to understand the meaning of the info available
4. Poor judgment in deciding how to respond to organizational challenges
5. Financial incentives given to management do not align with other stakeholders

Question 4

The ERM process for managing enterprise-wide risk (48)

Answer 4

The traditional process (see separate list) is still used, but is approached differently

1. ERM expands the risk profile by searching for unknown risk. This consists of:
   a. Developing a detailed description of the business system (consider questions related to reasons it is difficult to detect emerging risks), and
   b. Constructing the risk hypothesis, which is a structured understanding of the organization’s risk profile and its ability to achieve corporate goals under both normal and stressed conditions
2. Then traditional risk management is used to evaluate and mitigate known risks, with ERM ensuring that an integrated approach is used
   a. Risk evaluation includes developing ranges of the likelihood and severity of potential harmful events (creating risk register)
   b. Risk mitigation involves deciding what to do about the various potentially harmful conditions
3. Then an appropriate risk capital is determined - regulators have mandated minimum capital requirements, but insurers should also hold additional surplus to reduce the likelihood of regulatory intervention
4. ERM follows up with monitoring and oversight by the board of directors and senior management

Question 5

Possible indicators of emerging risk (50)

Answer 5

1. High employee turnover
2. Frequent reassignment or replacement of project managers for major initiatives
3. Frequent downtime of computer systems
4. Frequent manual overrides or intervention required
5. Numerous manual processes
6. Frequent complaints from internal or external customers
7. Significant variance of key indicators from normal or best practice
8. Reactive, rather than proactive, approach to problem solving
9. The frequency of surprises

Question 6

Typical information contained in the risk register (50)

Answer 6

This register is created to record scenarios and events that have been considered in the risk evaluation
1. Description of the risk scenario
2. Details of how and when the scenario was identified
3. Which corporate goals the scenario affects
4. Description of the method used to quantify risk exposure and the time horizon for modeling
5. The range of outcomes considered
6. The outcome of a reverse stress test, which identifies the conditions that would cause risk capital to be exceeded
7. Assessment of likelihood and impact prior to mitigation under both normal and stressed environments
8. Description of mitigation strategies and assessment of their effectiveness and cost
9. Assessment of the likelihood and impact after mitigation
10. Assignment of responsibility for monitoring the risk scenario
11. Details regarding action plans
(Also see risk register list in Sweeting Ch. 8)

Question 7

Types of risk mitigation strategies (51)

Answer 7

1. Risk avoidance - for example, choosing not to expand into new areas. This method will not work on most business risks because they are simply too unavoidable
2. Risk transfer - the most common method is through insurance. For example, ceding large claim risk to a reinsurer
3. Risk control - done through performance improvement. For example, actuarial and U/W risk is controlled through internal policies and using best practice methodologies

Question 8

Characteristics to enter into the risk dashboard for each identified risk (51)

Answer 8

The dashboard provides a high-level overview of the organization’s exposure to risk - summary of risk hypothesis and risk register

1. Brief description of the risk
2. Line of business affected
3. Gross likelihood - expected frequency of occurrence prior to mitigation
4. Gross impact or severity - potential loss prior to mitigation
5. Gross risk rating - the combination of likelihood and severity
6. Control effectiveness - ability of mitigation strategies to reduce likelihood or severity
7. Net likelihood after mitigation
8. Net impact or severity after mitigation
9. Net risk rating - combining likelihood and severity after mitigation, and including the effect on capital
10. Tolerance - willingness to accept the risk remaining after mitigation
11. Net risk rating vs. tolerance
12. Action plan status - implementation status of mitigation strategies

Question 9

Senior management responsibilities for implementing ERM (53)

Answer 9

1. Communicating support of the ERM process to the rest of the company
2. Maintaining a culture of performance improvement and learning from successes and failures
3. Allowing for open discussion of risk
4. Encouraging decision making based on an awareness of risks
5. Providing direction to the risk management committee and chief risk officer
6. Determining risk appetites and limits
7. Establishing limits of authority for risk assumption

Question 10

Responsibilities of the chief risk officer (CRO) (53)

Answer 10

1. Being the primary champion of the ERM process
2. Leading the risk management committee
3. Directing the ERM process by guiding business units as they prioritize, evaluate, and mitigate risk
4. Guiding info collection and performance monitoring
5. Directing the evaluation of required risk capial and prospective solvency
6. Testing the perceived risk profile
7. Modifying the risk profile and risk models using emerging experience and knowledge
8. Ensuring the organization continues to learn from emerging experience and that the risk profile is continuously update

Question 11

Benefits of ERM (54)

Answer 11

1. Credit agencies may be willing to offer lower borrowing costs
2. Regulators and the board of directors may allow management more flexibility in managing the company
3. Management will better understand the business system
4. The organization will know how much corporate risk capital should be held
5. There will be fewer unknown risks

Question 12

Common features of ERM frameworks (56)

Answer 12

1. An assessment of the context in which the framework is operating. This includes understanding the internal and external environments and the interests of stakeholders
2. A consistent risk classification must be established
3. The risks to which the organization is exposed must be identified
4. The risks must be assessed and compared to target levels of risk
5. A decision must be taken on how to deal with risks that exceed targets
6. Measures to manage risk are implemented
7. The process needs to be monitored, documented, and communicated

Question 13

Models of risk management (56)

Answer 13

1. “Three lines of defense” - consists of the following tiers of risk management:
   a. Day-to-day management by first-line business units
   b. Ongoing monitoring by the central risk function (CRF)
   c. Occasional audits of first-line business units and the CRF
2. “Offense and defense” - says the first-line business units should take as much risk as they can to maximize returns while the CRF should reduce risk as much as possible to minimize losses. Should be avoided because it sets up the first two lines of defense to be in opposition.
3. Policy and policing - says the CRF should set risk management policies and then monitor compliance with those policies. But often results in the CRF being too “hands-off”.
4. Partnership - says the first-line business level units and the CRF should work together closely to maximize returns subject to an acceptable level of risk. This may leave the CRF too involved to give and independent assessment of first-line units.

Question 14

Major steps in the ERM process (99)

Answer 14

1. Risk identification and classification - classify risks into categories, such as market risk, credit risk, and operational risk
2. Risk measurement and prioritization - includes identifying unfavorable outcomes and the likelihood they will occur
3. Risk management and aggregation - involves establishing risk tolerance levels and developing action plans relative to the risks that have been identified

Question 15

ASOP #46 - Definition of ERM (101)

Answer 15

The discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders

Question 16

ASOP #46 - Processes included in the ERM control cycle (101)

Answer 16

1. Risks are identified
2. Risks are evaluated
3. Risk appetites are chosen
4. Risk limits are set
5. Risks are accepted or avoided
6. Risk mitigation activities are performed
7. Actions are taken when risk limits are breached

Question 17

ASOP #46 - Considerations when performing services related to risk evaluation (101)

Answer 17

1. Info about the financial strength, risk profile, and risk environment of the organization. For example, the nature and complexity of the risks faced by the organization, and the degree to which the organization’s different risks interact with one another.
2. Info about the organization’s risk management system, including:
   a. The risk tolerance of the organization
   b. The risk appetite of the organization
   c. The components of the organization’s ERM control cycle
   d. The knowledge and experience of management and the board of directors regarding risk assessment and risk management
   e. The actual execution of the organization’s ERM control cycle
3. The relationship between the organization’s financial strength, risk profile, and risk environment and the organization’s risk management system
4. The intended purpose and uses of the actuarial work product

Question 18

Required disclosures for communications subject to ASOP #46 on risk evaluation in ERM (104)

Answer 18

1. The results of the economic capital model, their intended use, and any known limitations of the model
2. The results of the stress and scenario tests, their intended use, and any known limitations of these tests
3. The methodologies and sources of info for identifying and evaluating emerging risks
4. Any material changes in the system, process, methodology, or assumptions from those previously used
5. Significant assumptions used in the risk evaluation and interdependencies among risks and statistical distributions
6. The risks included in the risk evaluation and their relative significance, as well as known material risks not included and the rationale for not including them
7. Whether and how the modeled future economic conditions have been reviewed and tested for reasonableness