2. “There is no security on this earth — there is only opportunity.”
Douglas MacArthur
3. Agenda
• Why this matters
• Increasing level of uncertainty
• Changing business fundamentals
– Increased need for integrated strategy and risk discipline
• ERM discipline to: reduce uncertainty & risk, understand opportunity
– Capabilities maturity journey
– Risk governance model
– Risk Appetite Statement, supported by Risk Tolerance Guardrails (KRIs)
– ERM model for risk assessment, treatment, reporting and monitoring
• ORSA: Links ERM to Capital planning, decision support, transparency
– The ultimate risk management value proposition
• Use Test
– “You were serious about that?”
– “By their fruits ye shall know them”
4. “ERM Valuation Premium of 25%”
“Firms that have successfully integrated the ERM process into both their strategic activities and everyday practices display superior ability in uncovering risk dependencies and relationships across the entire enterprise and as a consequence enhanced [firm] value when undertaking the ERM maturity journey.” The Journal of Risk and Insurance
Source: “The Valuation Implications of Enterprise Risk Management Maturity,” a wholly independent and peer-reviewed research project conducted by Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of University of Edinburgh Business School, published in The Journal of Risk and Insurance, using data from the RIMS Risk Maturity Model.
Other findings cited:
• Hoyt and Liebenberg study: “insurers with ERM had a 20% higher firm value than those insurers without ERM” – reported in Journal of Applied Corporate Finance
• “Risk Management leader companies showed 10% greater increases in profit margins than other firms…” – CGMA Magazine
• Reduced volatility, more resistant to change – Milliman; the Journal of Risk & Insurance
• Improved cash flow / reduced discount rate – KPMG
• Outperform their peers financially – E&Y
• Growth in firm value (up to 25%) – S&P
5. CEB Study:
Looking for Risk in All the Wrong Places
Risk management has historically focused more than half its time on legal,
compliance and financial reporting functions. That’s starting to change as
companies realize that most big hits to shareholder value come from
strategic and operating risks.
6. Increasing Level of Uncertainty: Health Insurance Industry Example
Top Risks/Opportunities
• Unsustainable medical cost trend
• Disruptive, uncertain regulatory environment
– Impact of the Affordable Care Act (ACA)
• Implementation of insurance exchanges
– Migration from employer-based model to retail model (individual consumers)
• Increased reliance on web presence
• Overhaul of reimbursement code model (ICD-10)
• Fundamental changes in basic business model
– Care delivery integration
• Aging population (increased utilization of medical care)
• Alternate reimbursement methods – alignment of incentives for member, provider, employer, broker
• Increased cost transparency
• Critical resource constraints
– Access vs. supply, especially primary care
• Consolidation/M&A activity
7. Need Strong Risk Management to
Support Strategy
• Effective ERM discipline enables organization to:
– Take the right risks needed for survival and value growth
– Manage risk; reduce uncertainty of success
– Transform the organization, focus on issues underlying healthcare reform effort
• Access, Affordability, Quality (Health Insurance example)
• Requires making bets, understanding and managing risks
– Strong link to strategic planning discipline; increased confidence in strategy
• Requires confidence in risk management capabilities
– Risk identification
– Resiliency, adaptability, rapid response capabilities
– Contingency and scenario planning capabilities
– Ability to absorb shock
– Understanding of opportunity (Risk Awareness)
– Enables risk taking to create value
• Strategy focused risk assessment aligns organizational direction
– Identifies risks to future course, develops mitigations to reduce uncertainty
– Increases relevance of ERM in daily strategic and business discussions
8. ERM Framework
COSO ERM Components
• Internal Environment: Risk Management Philosophy – Risk Appetite – Board of Directors – Integrity and Ethical Values – Commitment to Competence – Organizational Structure – Assignment of Authority and Responsibility – HR Standards
• Objective Setting: Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerances
• Event Identification: Events – Influencing Factors – Methodologies and Techniques – Event Interdependencies – Event Categories – Risks and Opportunities
• Risk Assessment: Inherent and Residual Risk – Likelihood and Impact – Methodologies and Techniques – Correlation
• Risk Response: Identify Risk Responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View
• Control Activities: Integration with Risk Response – Types of Control Activities – General Controls – Application Controls – Entity Specific
• Information and Communication: Information – Strategic and Integrated Systems – Communication
• Monitoring: Separate Evaluations – Ongoing Evaluations
ISO 31000 Components
• 1.0 ERM Mandate & Commitment (management commitment, strategic alignment, accountabilities and responsibilities)
• 2.0 Design of framework for managing risk (context, policy, accountability, integration into organizational processes, resources)
• 3.0 Risk Assessment: 3.1 Risk Identification; 3.2 Risk Analysis; 3.3 Risk Evaluation
• 4.0 Risk Treatment
• 5.0 Monitoring & Review
• 6.0 Continual Improvement of the Risk Management Framework
• 7.0 Communication & Consultation
The ERM Framework is designed to integrate with organizational processes (e.g. strategic planning, performance measurement, operations management, budgeting/capital expenditures, stakeholder communication) and with strategic and operational decision-making initiatives, to support “risk-aware” decision making across the organization.
9. ERM Capability Development: It’s a Journey
“He that will not apply new remedies must expect new evils; for time is the greatest innovator.” Francis Bacon, British author and statesman
Part-time cross-functional team
– Cross-functional team, no dedicated resources
– Individual issue risk assessments, prioritized by team
– Strong Internal Control Framework
Dedicated CRO & Board committee
– Consolidated operational 2nd line of defense risk areas into “Risk Office”
– Dedicated ERM function
– Risk Governance Model
– Enterprise risk assessment (ERA) process established (typically not strategy focused)
Dedicated Strategy Office
– Opportunity for alignment of risk and strategy
ERA revised to focus on strategy & reducing uncertainty of success
– Increased relevance in daily strategic and business decision process
– Enable risk taking by offering some control over uncertainty
– Consistently engaged by the business in key decisions
Linked ERM to Business Planning, Capital Modeling
– Capital modeling, stress testing matured to complex model
– Incorporate risk-adjusted planning results into strategic decision process
Risk Appetite Statement
– Risk Appetite Statement
– Risk Tolerance Guardrails
– Risk Governance Ground Rules
– Risk Culture Communications
– Risk Appetite integration into business operations
ERM capabilities matured past compliance, to strategic advantage
– Risk-aware decision making
– Drives resource allocation toward top risk treatment plans
– Increased integration with planning/strategic objectives
– Focus on Risk Appetite and risk culture
– Developed stress testing, capital impact modeling capability
– Realized achievement of ORSA objectives; ERM link to Capital Planning, Strategy, decision support tool
10. Risk Governance Model: 3 Lines of Defense; “Risk Office” Concept
• 1st Line of Defense – Business Unit Leaders: Business Unit Leaders are the “Risk Owners” who are accountable for taking risk and responsible for implementing related controls.
11. Risk Appetite
• Identify organizational goals and strategic objectives
• Obtain data from key stakeholders on willingness to take risk in pursuit of organizational objectives
– Current level of risk taking vs. required level
• Identify degree of alignment on risk appetite from stakeholders
• Resolve gaps between objectives and risk appetite
• Develop and refine Risk Appetite Statement
• Develop Risk Tolerance Guardrails
– Trend vs. performance/time
• Establish Risk Appetite Governance Ground Rules, defining actions when a breach occurs
• Develop communication and BU implementation process
12. Strategy Focused ERA Process
• Identify risks to the strategic drivers of organizational value
• Prioritize top risks to strategic value – what could cause failure
• Analyze, develop risk management strategy, measure, report on top risks list
• Top Risk Dashboard – for risk governance dialog & alignment
Top Risk Dashboard columns: Key Enterprise Risk | Risk Owner(s) | Risk Status Q4 2011 (Prior Period) | Risk Status Q2 2012 (Current Period) | Risk Status Rationale | Key Risk Management Activities
Enterprise Risk Inventory: key enterprise risks for prioritization, identified through the strategic planning process (legend distinguishes new risks identified from existing Key Enterprise Risks)
Key Enterprise Risks for Prioritization (plotted on a Strategic vs. Operational grid):
• Competitive positioning
• Constituent engagement
• Organizational capacity/capability (People)
• Organizational capability (Process)
• Reform/PPACA
• Financial compliance
• Data management/informatics
• Product development and delivery/optimization
• Technology
• Medical care management
• Product underwriting/pricing
• Execution capability
• Resource optimization
• Decision accountability
• Star rating (Medicare)
• Medicare margin optimization
• Vendor management
Other Enterprise Risks – key enterprise risks “de-prioritized” through the Risk Validation Session by ET:
• Economies of scale
• Membership mix
• Revenue diversification
• Business model
• Provider network
• Reimbursement
• Resiliency & protection
• Data center strategy
• Facility planning
• Marketing
• Service/quality/value
• Social media
• Administrative costs
• Reserve & investment management
• Legal requirements
• Ethical compliance
• Tax compliance
13. Example Top Risk Treatment Tool
Q4 2012 Top Enterprise Risk Current Status
Risk: XXX
Risk Definition: Inability to effectively yyy
Risk Owner(s): ZZZ
Key Stakeholder(s): ET, OT, SLT
Risk Rating:
Rating Rationale:
• 111
• 222
• 333
• 444
Key Risk Drivers:
• Lack of aaa
• bbb
Risk Management Actions In Progress or Needed (columns: In Progress? (Y/N) | Target Completion Date | Expected/Actual Completion Date | Status Observations/Comments)
14. KRI Dashboard
• Improved risk governance view, tied to real economic drivers of risk and business results
• Complement, not duplicate, existing KPIs, balanced scorecard
• Incorporate risk tolerance guardrails
• Map to existing Top Risk Status reporting
• Improved risk dialog, and understanding at all levels of risk governance
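Slides 11, 13 and 14 describe risk tolerance guardrails (KRIs), governance ground rules that define the action taken when a guardrail is breached, and a dashboard that shows prior-period versus current-period status. The Python below is an added example, not part of the deck and not Infinitive’s or Independent Health’s tooling; it shows how one dashboard row can be computed: direction-aware amber/red thresholds, prior vs. current status, a straight-line trend projection that surfaces a KRI heading toward its tolerance before it gets there, and the ground-rule action for the resulting status. Every KRI name, threshold, observation and ground-rule action is a constructed placeholder.

```python
"""Added example: evaluate KRI observations against risk tolerance guardrails.

All KRI names, thresholds, series and ground-rule actions below are
constructed placeholders, not data from the presentation.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Guardrail:
    """Risk tolerance guardrail for one Key Risk Indicator (KRI).

    amber: tolerance level that triggers risk-owner action
    red:   appetite limit whose breach triggers escalation
    """
    kri: str
    unit: str
    higher_is_worse: bool
    amber: float
    red: float

    def breaches(self, value: float, limit: float) -> bool:
        # Direction-aware: a "lower is worse" KRI (e.g. availability) breaches
        # when it falls to or below the limit, not when it rises above it.
        return value >= limit if self.higher_is_worse else value <= limit


def status_for(g: Guardrail, value: float) -> str:
    """RAG status of a single observation against its guardrail."""
    if g.breaches(value, g.red):
        return "RED"
    if g.breaches(value, g.amber):
        return "AMBER"
    return "GREEN"


def slope(series: List[float], window: int = 3) -> float:
    """Average change per period over the last `window` observations."""
    pts = series[-window:]
    if len(pts) < 2:
        return 0.0
    return (pts[-1] - pts[0]) / (len(pts) - 1)


def periods_to_limit(g: Guardrail, series: List[float], limit: float,
                     window: int = 3) -> Optional[int]:
    """Periods until a straight-line projection of the recent trend reaches
    `limit`; 0 if already breached; None if the KRI is flat or improving."""
    current = series[-1]
    if g.breaches(current, limit):
        return 0
    s = slope(series, window)
    moving_worse = s > 0 if g.higher_is_worse else s < 0
    if not moving_worse:
        return None
    return math.ceil(abs(limit - current) / abs(s))


# Risk Appetite Governance Ground Rules: the action each status requires.
# Constructed placeholders for whatever the organization actually adopts.
GROUND_RULES: Dict[str, str] = {
    "RED": "Escalate to Board risk committee; risk owner presents treatment plan",
    "AMBER": "Risk owner submits remediation plan before next reporting period",
    "WATCH": "Within tolerance but trending toward amber; flag on Top Risk dashboard",
    "GREEN": "Monitor",
}


def evaluate(g: Guardrail, series: List[float], horizon: int = 2) -> Dict[str, object]:
    """One dashboard row: prior vs. current status, trend and required action."""
    current = series[-1]
    status = status_for(g, current)
    prior_status = status_for(g, series[-2]) if len(series) > 1 else None
    eta = periods_to_limit(g, series, g.amber)
    # Guardrails exist to act before the appetite limit is hit, so a GREEN KRI
    # projected to reach amber within `horizon` periods is surfaced as WATCH.
    if status == "GREEN" and eta is not None and eta <= horizon:
        status = "WATCH"
    return {
        "kri": g.kri,
        "current": f"{current} {g.unit}",
        "prior_status": prior_status,
        "status": status,
        "trend_per_period": round(slope(series), 2),
        "periods_to_amber": eta,
        "action": GROUND_RULES[status],
    }


# Constructed sample: quarterly KRI observations, oldest first.
SAMPLE = [
    (Guardrail("Medical cost trend", "% YoY", True, amber=7.0, red=9.0),
     [5.8, 6.1, 6.6, 7.4]),
    (Guardrail("Primary-care network adequacy", "% members meeting access standard",
               False, amber=92.0, red=88.0),
     [95.0, 94.0, 93.5, 92.8]),
    (Guardrail("Member portal availability", "% uptime", False, amber=99.5, red=99.0),
     [99.9, 99.8, 99.9, 99.9]),
]


def dashboard(sample=SAMPLE) -> List[Dict[str, object]]:
    """Build the KRI dashboard rows for a list of (guardrail, series) pairs."""
    return [evaluate(g, series) for g, series in sample]


if __name__ == "__main__":
    for row in dashboard():
        print(f"{row['kri']:<32} {row['prior_status'] or '-':<6} -> {row['status']:<6} "
              f"trend {row['trend_per_period']:+} | {row['action']}")
```

On the constructed sample the medical cost KRI moves from GREEN to AMBER, the network adequacy KRI is still inside tolerance but its three-period trend reaches amber in two periods and is flagged WATCH, and portal availability stays GREEN. The design point is the `higher_is_worse` flag: a dashboard that compares every KRI with a single `>=` silently reports a falling availability or adequacy metric as healthy.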
15. ORSA Background
• Integration of a robust risk management function is a basic regulatory expectation
• Responsibility to determine capital standing and adequacy; stress testing capability for decision support
Leverage for value:
• Meaningful capital behind risks to offset downside
• Stress test, scenario analysis
• Track loss events
ORSA supports strong ERM capability and decision support capability.
“Confidential internal assessment … of material and relevant risks … associated with… current business plan, and the sufficiency of capital resources to support those risks”
“Goal to foster effective level of ERM, through which insurer identifies, assesses, monitors, prioritizes and reports on its material and relevant risks… appropriate to the nature, scale and complexity of the insurer’s risk, in a manner that is adequate to support risk and capital decisions.”
16. ORSA Example: Table of Contents – Steering Team
Table of Contents:
• Executive Summary
• Legal Entity Structure
• ORSA Strategy
• Risk Appetite
• Risk Governance Model
• Risk Dashboard
• Capital Solvency Model & Forward Looking Results
• Stress Testing Results
• Capital Liquidity Plan
• Evidence of “Use Test”
• ORSA Position During Period
• Risk Process & Framework
• Top Risks Independent Review
Steering Team: Chief Financial Officer; Chief Risk Officer; Chief Audit Executive; Chief Actuarial Officer; General Counsel; EVP Strategy; Controller; Chief Information / Data Officer
17. “Use Test”
• “You were serious about that?”
• “By their fruits ye shall know them”
• “Own” Risk and Solvency Assessment
• How did you use it?
• ERM, Capital modeling, Stress testing, Scenario analysis
• What key decisions were made based on risk-adjusted data analysis?
• What evidence do you have that an understanding of risk was effectively considered in key strategic decisions?
Evidence of “Use Test”:
• Model, stress test results
• Risk governance meeting(s) presentations, actions, minutes
• Strategic changes, alignment subsequent to decision
• Budget funding changes supporting risk-informed decisions
• Description of how risk and capital modeling capability is integrated into business operations
18. ORSA: Links Risk Management
with Strategy and Capital Planning
• Links ERM (i.e. Risk Appetite, Identification, Assessment, Prioritization,
Measurement, Treatment, Monitoring & Communication) to both Capital
and Strategic planning
• Regulator is looking for a non-prescriptive “Own” assessment
• Need to staff and train assessors
– Lay out the report plainly
– Must meet differing interpretations: Strategy, Capital modeling, Insurance, BC/DR, Information Security… It’s all of these +
• Many components may already be in place for ORSA Report
• Don’t underestimate “the lift”
– Capital model complexity,
– More prep than expected
• Value for the effort
– Move to more complex capital models, better Financial Planning, Financial Statement
modeling
– Improve operations
– Improve risk vs. reward decision support
19. Key Takeaways:
• Move past compliance to decision support, for
strategic advantage
– “Use Test” Evidence
• Top down appreciation, of ERM-ORSA value
proposition for strategic advantage, needed
– Investment in capabilities, tools development
• ORSA completes the value proposition
– Rigor for Risk & Opportunity information assurance
• Look for effective level of ERM in place
• Culture change the hardest part
– Transparency
– Process discipline
• CRO - People skills important
20. THE CONSULTANCY FOR THE DIGITAL WORLD
Driving improved capabilities and breakthrough business value from digital marketing & advertising, customer & audience intelligence, and enterprise risk management
Washington DC • New York • London • Chicago • Boston • Philadelphia • Denver
Digital Media • Data Analytics • Risk Management
21. Lou DiSerafino
Lou leads risk programs in various risk disciplines for Infinitive. He counsels
clients on how to leverage risk management to reduce uncertainty, enhance the
organizational brand and achieve strategic objectives.
Prior to joining Infinitive, Lou was the Chief Risk Officer at Independent Health,
where he provided strategic insight into risks threatening organizational value
and supported risk-informed decision-making at strategic and operational levels.
He created and led the Risk Office, which included ERM/ORSA, as well as Business
Continuity and Crisis Management, Information Risk (Security and Privacy), Fraud
Control, Vendor Management, and Internal Audit.
Lou’s business continuity and crisis management skills were developed while
building and leading the Business Continuity Office at Nextel Communications. His
work in leading Nextel’s recovery efforts through a period of several high profile
disasters was recognized with a nomination for best recovery of the year by the
Business Continuity Institute. Lou also led Information Risk, Fraud Management,
and New Product Risk Management while at AT&T, where he developed his
understanding of risk, cost, and opportunity trade-offs, opportunity risk, and risk
appetite.
Lou holds an MBA and BS in Accounting from Rider University and also attended
the Harvard Business School Executive Education course on Achieving
Breakthrough Customer Service.
Lou DiSerafino, Executive, Infinitive Insight
703.872.9001
lou.diserafino@infinitiveinsight.com