ERM Flashcards
Features of ERM that distinguish it from traditional risk management (6)
- Instead of focusing on risk mitigation or avoidance, ERM creates organizational resilience in achieving corporate goals
- ERM views the organization holistically, rather than in silos
- ERM is embedded within the management framework, rather than being the responsibility of a single risk manager
- ERM provides a common language to discuss risks and opportunities
- ERM provides a framework for identification and evaluation of potentially harmful conditions and events
- ERM ensures the organization assumes no more risk than necessary in order to achieve its goals
The process of the typical risk management approach (3)
- Identifying risk - identifying circumstances and events that may cause harm to the organization. This is where most risk management programs fall short because they are focused only on known risks.
- Evaluating risk - determining the likelihood and severity of those events
- Mitigating risk - applying methods that reduce the possibility these events will occur or reduce the financial impact when they occur
Reasons why organizations fail to detect emerging risks (risk blindness) (5)
- An uncertain future - it is likely to be different than what is expected
- Poor info about the current conditions in the organization and the environment lead to flawed expectations for the future
- Poor understanding of organizational complexity makes it difficult to understand the meaning of the info available
- Poor judgment in deciding how to respond to organizational challenges
- Financial incentives given to management do not align with other stakeholders
The ERM process for managing enterprise-wide risk (4)
The traditional process (see separate list) is still used, but is approached differently
- ERM expands the risk profile by searching for unknown risk. This consists of:
a. Developing a detailed description of the business system (consider questions related to reasons it is difficult to detect emerging risks), and
b. Constructing the risk hypothesis, which is a structured understanding of the organization’s risk profile and its ability to achieve corporate goals under both normal and stressed conditions - Then traditional risk management is used to evaluate and mitigate known risks, with ERM ensuring that an integrated approach is used
a. Risk evaluation includes developing ranges of the likelihood and severity of potential harmful events (creating risk register)
b. Risk mitigation involves deciding what to do about the various potentially harmful conditions - Then an appropriate risk capital is determined - regulators have mandated minimum capital requirements, but insurers should also hold additional surplus to reduce the likelihood of regulatory intervention
- ERM follows up with monitoring and oversight by the board of directors and senior management
Possible indicators of emerging risk (9)
- High employee turnover
- Frequent reassignment or replacement of project managers for major initiatives
- Frequent downtime of computer systems
- Frequent manual overrides or intervention required
- Numerous manual processes
- Frequent complaints from internal or external customers
- Significant variance of key indicators from normal or best practice
- Reactive, rather than proactive, approach to problem solving
- The frequency of surprises
Typical information contained in the risk register (11)
This register is created to record scenarios and events that have been considered in the risk evaluation
1. Description of the risk scenario
2. Details of how and when the scenario was identified
3. Which corporate goals the scenario affects
4. Description of the method used to quantify risk exposure and the time horizon for modeling
5. The range of outcomes considered
6. The outcome of a reverse stress test, which identifies the conditions that would cause risk capital to be exceeded
7. Assessment of likelihood and impact prior to mitigation under both normal and stressed environments
8. Description of mitigation strategies and assessment of their effectiveness and cost
9. Assessment of the likelihood and impact after mitigation
10. Assignment of responsibility for monitoring the risk scenario
11. Details regarding action plans
(Also see risk register list in Sweeting Ch. 8)
Types of risk mitigation strategies (3)
- Risk avoidance - for example, choosing not to expand into new areas. This method will not work on most business risks because they are simply too unavoidable
- Risk transfer - the most common method is through insurance. For example, ceding large claim risk to a reinsurer
- Risk control - done through performance improvement. For example, actuarial and U/W risk is controlled through internal policies and using best practice methodologies
Characteristics to enter into the risk dashboard for each identified risk (10)
The dashboard provides a high-level overview of the organization’s exposure to risk - summary of risk hypothesis and risk register
- Brief description of the risk
- Line of business affected
- Gross likelihood - expected frequency of occurrence prior to mitigation
- Gross impact or severity - potential loss prior to mitigation
- Gross risk rating - the combination of likelihood and severity
- Control effectiveness - ability of mitigation strategies to reduce likelihood or severity
- Net likelihood after mitigation
- Net impact or severity after mitigation
- Net risk rating - combining likelihood and severity after mitigation, and including the effect on capital
- Tolerance - willingness to accept the risk remaining after mitigation
Senior management responsibilities for implementing ERM (7)
- Communicating support of the ERM process to the rest of the company
- Maintaining a culture of performance improvement and learning from successes and failures
- Allowing for open discussion of risk
- Encouraging decision making based on an awareness of risks
- Providing direction to the risk management committee and chief risk officer
- Determining risk appetites and limits
- Establishing limits of authority for risk assumption
Responsibilities of the chief risk officer (CRO) (8)
- Being the primary champion of the ERM process
- Leading the risk management committee
- Directing the ERM process by guiding business units as they prioritize, evaluate, and mitigate risk
- Guiding info collection and performance monitoring
- Directing the evaluation of required risk capial and prospective solvency
- Testing the perceived risk profile
- Modifying the risk profile and risk models using emerging experience and knowledge
- Ensuring the organization continues to learn from emerging experience and that the risk profile is continuously update
Benefits of ERM (5)
- Credit agencies may be willing to offer lower borrowing costs
- Regulators and the board of directors may allow management more flexibility in managing the company
- Management will better understand the business system
- The organization will know how much corporate risk capital should be held
- There will be fewer unknown risks
Common features of ERM frameworks (7)
- An assessment of the context in which the framework is operating. This includes understanding the internal and external environments and the interests of stakeholders
- A consistent risk classification must be established
- The risks to which the organization is exposed must be identified
- The risks must be assessed and compared to target levels of risk
- A decision must be taken on how to deal with risks that exceed targets
- Measures to manage risk are implemented
- The process needs to be monitored, documented, and communicated
Models of risk management (4)
- “Three lines of defense” - consists of the following tiers of risk management:
a. Day-to-day management by first-line business units
b. Ongoing monitoring by the central risk function (CRF)
c. Occasional audits of first-line business units and the CRF - “Offense and defense” - says the first-line business units should take as much risk as they can to maximize returns while the CRF should reduce risk as much as possible to minimize losses. Should be avoided because it sets up the first two lines of defense to be in opposition.
- Policy and policing - says the CRF should set risk management policies and then monitor compliance with those policies. But often results in the CRF being too “hands-off”.
- Partnership - says the first-line business level units and the CRF should work together closely to maximize returns subject to an acceptable level of risk. This may leave the CRF too involved to give and independent assessment of first-line units.
Major steps in the ERM process (3)
- Risk identification and classification - classify risks into categories, such as market risk, credit risk, and operational risk
- Risk measurement and prioritization - includes identifying unfavorable outcomes and the likelihood they will occur
- Risk management and aggregation - involves establishing risk tolerance levels and developing action plans relative to the risks that have been identified
Total economic capital required formula
Credit risk + market risk + operation risk - diversification
