presentation slides

Report
An Overview of Risk Management
based on a Disclosure from an
Annual Report
Jon Wu, [email protected]
November 19, 2014
Contents
 Organizational Structure
 Risk Management
 Risk Assessment (Quantitative/Qualitative)
 Risk Reporting and Communication
Proprietary
2
Organizational Structure
BoD
CEO
CIO
COO
HR
Audit
SALES
CFO & Chief
Actuary
CRO
LEGAL &
COMPLIANCE
• We will focus on CRO organization structure, its job responsibility, and its
relationship with other department (management and collaboration)
• Keep in mind, no matter where you are in the organizational chart, the
bottom line is to create value of the organization under a certain limits
(e.g., risk limits – maintain appropriate risk capital level) and let define
the value of the company is:
V = EV + PV of FVNB + Intangible
Proprietary
3
Organizational Structure
• The concept of “three lines of defense”1&2 is important to implement the
basic foundation of risk management:
• First line: Front line functions such as sales, CFO, CIO, pricing
actuaries, etc.
• Second line: Risk and compliance department
• Third line: Internal auditor and external auditor
• In Europe, the Pillar II of Solvency II describes Own Risk Solvency
Assessment (ORSA). But, it is a principle basis. Insurers have to figure it
out themselves.
• In US, NAIC just updated its ORSA manual. Insurance company
(depending on its size) may need to adopt the requirements in 2015.
Don’t forget SOX already required some kinds of risk management from
COSO – ERM.
1.
2.
3.
http://www.ey.com/Publication/vwLUAssets/EY-Maximizing-value-from-your-lines-of-defense/$File/EY-Maximizing-value-from-your-lines-of-defense.pdf
https://na.theiia.org/standardsguidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
http://www.naic.org/store/free/ORSA_manual.pdf
Proprietary
4
Risk Management - Summary
 In general, risk management structure
consists of
 Risk Management Framework: Include
governance, standard of Practice (SoP),
organizational structure, risk identification, risk
appetite, risk tolerance/limit, risk
monitoring/control, and reporting, etc.
 Risk Assessment (quantitative and qualitative)
 Risk Disclosure
Proprietary
5
Risk Management - Governance
 In the governance, company disclose how risk
management is organized. It includes description of
various committees and how those committees are
functioned and related to each other. Those
committees include:







Risk Committee
ALM Committee
Model Validation Committee
Models and Assumptions Changes Committee
ORM Committee
Compliance Committee
Finance Committee
Proprietary
6
Risk Management - SoPs
 SoPs are used to enforce the standards throughout a
big organization in addition to the SoPs and other
guidelines specified by various industry group.
Examples of SoPs include:








EC SoP
EC Reporting SoP
EV/MCEV SoP
EV/MECV Reporting SoP
Assumption Setting SoP
Product Approval and Review Process SoP
New Investment Class Approval and Review SoP
Etc.
Proprietary
7
Risk Management – Org. Chart
CRO
Market Risk
Business Risk
Credit Risk
Insurance Risk
Model
Validation
ORM
COMPLIANCE
Risk Committee
ALM Committee
Model Validation Committee
ORM & Compliance Committee
Models and Assumptions Changes Committee


Risk organizational structure is normally structured by risk type. CRO reports to CEO
directly.
CRO in general works with CFO, CIO, and actuaries to organize those committee
meetings. In general, CRO is the chair. Any changes affecting financial statements have
to be worked out with CFO. CIO normally get authority from Risk Committee or ALM
Committee to invest per mandated requirements and pricing actuaries have to use
models and assumptions agreed-upon based on the decision per Models and
Assumptions Changes Committees.
Proprietary
8
Risk Management – Risk Appetite,
Risk Tolerance, and Risk Limits
 Risk Appetite: It is a qualitative term in general. It
reflects company’s business strategy, financial
objective, and capital resource.
 Risk Tolerance: It can be in qualitative or quantitative
term. It should be consistent with risk appetite
statement.
 Risk Limits: It is quantitative statement in more
detailed manners. It describes the limits the company
will take and should be consistent with risk tolerance.
 Considerations include confidence level, Earnings at
Risk, Value at Risk, Capital at Risk, etc.
Proprietary
9
Risk Management – Risk Appetite,
Risk Tolerance, and Risk Limits
Risk Tolerance Statement - ABC Company
Description
New Business:
No new business if market risk can't be hedged
.
.
Inforce Business
Convert guaranteed Life to xxx Policy
.
.
Others
Maintain optimal operational risk score card
.
.
Limit
No no-lapse guarantee
At least 30% in 2014
Stay in the top tier of the organization
Proprietary
10
Risk Management – Risk Monitoring
and Mitigation
 Describe tools and methods used to monitor
the risks.
 Mitigation can be described in aggregate
manner or separately by risk type.
Proprietary
11
Risk Assessment – Risk Factors
(Example per Solvency II)
Proprietary
12
Risk Assessment – Market Risk





Interest Rate Risk
Interest Rate Spread Risk
Equity Risk
Real Estate Risk
Implied Volatility Risk (for guarantees, e.g., no
lapse guarantee, ratchet, reset, etc.)
 FX Risk
 Illiquidity Risk
 Concentration Risk
Proprietary
13
Risk Assessment – Credit Risk
 Credit Spread Risk
 Default Risk (based on in rating of investment
class)
 Counter-party Risk (e.g., reinsurers)
Proprietary
14
Risk Assessment – Business Risk
 Lapse Risk (e.g., policyholders’ behavior)
 Premium Renewal Risk (e.g., annual
renewable health)
 Expense Risk (e.g., how fast expense can be
reduced in a stressed situation)
Proprietary
15
Risk Assessment – Insurance Risk





Life Mortality/Morbidity Risk
Annuity Mortality and Morbidity Risk
Health/Auto/P&C Claim Risk
Concentration Risk
Catastrophe Risk
Proprietary
16
Risk Assessment – Operational Risk
 Mostly qualitative (data security, BCP, failure
of adhering to internal policy and procedure)
 Reputation risk
 Nevertheless, consider number of occurrence
and severity (amount per occurrence) and if
you have the data you can fit the distribution
 Usually, score card approach is used and a
factor approach is used.
Proprietary
17
Risk Assessment – Compliance Risk
 Mostly qualitative - failure of adhering to law
and regulation, internal policy and procedure
 Sometimes, it is confusing who is responsible
for what – ORM, compliance, and internal
audit
 Can be quantified like operational risk
Proprietary
18
Risk Reporting and Communication
 Disclosure of risk management structure
 Disclosure of the risk identification and
exposure
 Disclosure of the assessment
 Disclosure of the mitigation process
 List of the reporting and how they are used
to manage company’s business (use test)
Proprietary
19
Questions and Comments
Proprietary
20

similar documents