Archive for the ‘Chief Risk Officer’ category

ERM: Who is Responsible?

November 7, 2014


The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities.  Those new roles are most often called:

  • Risk Owners
  • Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers &

Hierarchy Principle of Risk Management

September 8, 2014

The purpose of ERM is NOT to try to elevate all risk decisions to the highest possible level, but to master discerning the best level for making each risk decision and for getting the right information to the right person in time to make a good risk decision.

This is the Hierarchy Principle as it applies to ERM.  It is one of the two or three most important principles of ERM.  Why then, you might ask, haven’t we ever heard about it before, even from RISKVIEWS?

But most insurers follow the hierarchy principle for managing their Underwriting process for risk acceptance of their most important risks.  

You could argue that many of the most spectacular losses made by banks have been in situations where they did not follow the hierarchy principle.  

  • Nick Leeson at Barings Bank was taking risks at a size that should have been decided (and rejected) by the board.
  • Jerome Kerviel at Soc Gen was doing the same.
  • The London Whale at JP Morgan is also said to have done that.  

On the other hand, Jon Corzine was taking outsized risks that eventually sank MF Global with the full knowledge and approval of the board.  Many people suggest that the CRO should have stopped that.  But RISKVIEWS believes that the Hierarchy Principle was satisfied.  

ERM is not and cannot be held responsible for bad decisions that are made at the very top of the firm, unless the risk function was providing flawed information that supported those decisions.  If, as happened at MF Global, the board and top management were making risk decisions with their eyes fully open and informed by the risk function, then ERM worked as it should.  

ERM does not prevent mistakes or bad judgment.

What ERM does that is new is that

  1. it works to systematically determine the significance of all risk decisions, 
  2. it ranks the significance and uses that information, along with other information such as risk velocity and uncertainty, to determine a recommendation of the best level to make decisions about each risk,
  3. it assesses the ability of the firm to absorb losses and the potential for losses within the risks that are being held by the firm at any point in time,
  4. it works with management and the board to craft a risk appetite statement that links the loss absorbing capacity of the firm with the preferences of management and the board for absorbing losses.

ERM does not manage the firm.  ERM helps management to manage the risks of the firm mainly by providing information about the risks.  

So why have we not heard about this Hierarchy Principle before?  

For many years, ERM has been fighting to get any traction, to have a voice.  The Hierarchy Principle complicates the message, so was left out by many early CROs and other pioneers.  A few were pushing for the risk function to be itself elevated as high as possible and they did not want to limit the risk message, deeming everything about risk to be of highest importance. But RISKVIEWS believes that it was mostly because the Hierarchy Principle is pretty fundamental to business management and is usually not explicitly stated anywhere else, even though it is applied almost always.

ERM now receives a major push from regulators, to a large extent from the ORSA.  In writing, the regulators do not require that ERM elevate all risk decisions.  But in practice, they are seeing some insurers who have been elevating everything and the regulators are adopting those examples as their standard for best in class.  

Just one more way that the regulatory support for ERM will speed its demise.  If regulators advocate for consistent violation of the Hierarchy principle, then ERM will be seen mainly as a wasteful burden.  

 

Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness”.  Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counterparties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM.  The CRO should not be an independent advocate for risk management; the CRO should be the agent of the power structure of the firm.

In fact Hierarchy Failure is the other most common reason for ERM to fail.

Supporting Success with Risk Management

May 12, 2014

Risk Management is often seen as the Business Prevention Department and the Chief Risk Officer as the Wizard of NO.

But in some ways that can be seen as a glass half full, half empty sort of thing.

A major and sometimes neglected aspect of risk management relates to dealing with the planning for and execution of major changes.  We call this CHANGE RISK MANAGEMENT.

If we think of the Control Cycle as the major manifestation of risk management, Change Risk Management is the special process that is followed to make sure that important new things get on to the Control Cycle without stumbling.

Many times, these changes are the future of the company.  They are the new products, new distribution systems, new territories and acquisitions that will change the course of the company’s path forward.

The Change Risk management process can be performed as Business Prevention or it can be a support to the success of the company.  A good Change Risk Management process will help to identify the ways that the new activity might fail or might harm the firm.  If the Change Risk Management process is designed properly, the Risk Management inputs of that sort can be brought into the process in plenty of time to correct the problems that cause the concerns.  In that sense, fixing those problems adds to the potential success of the company.

But if Risk Management is brought very late to the process, many people have become invested in the change as it is currently planned and any input from risk management that something might go wrong is seen as an attempt to scuttle the project.


So timing and attitude are the two things that make the Change Risk Management process something that supports the success of the company.

 

 

Whose Job is it to do ERM?

January 28, 2014

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job, is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assign responsibility for the identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Measurement

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Sean Ringsted, ACE Group, Named CRO of the Year

December 2, 2013

Insurance Risk Awards 2013: Chief risk officer of the year: Sean Ringsted, Ace

Sean Ringsted has been Chief Risk Officer and Chief Actuary for ACE Limited since 2008.  Ringsted is responsible for the continued development and implementation of ACE’s risk management strategy and processes, and for ensuring a consistent risk management framework across the company. Ringsted also oversees all major actuarial functions, including reserving, pricing, and capital performance measurement. Ringsted’s previous roles at ACE include Chief Actuary for ACE Group from 2004 to 2008, Executive Vice President and Chief Risk Officer for ACE Tempest Re from 2002 to 2004, and Senior Vice President and Chief Actuary for ACE Tempest Re from 1998 to 2002. Mr. Ringsted holds a Bachelor of Science in biochemistry from Bristol University and a doctorate in biochemistry from Oxford University. He also is a Fellow of the Institute of Actuaries (FIA).  Ringsted is also chairman of the North American CRO Council, which has been increasingly active in promoting best practice in risk management and is gaining respect from regulators and standard-setting bodies at a domestic and international level.

The Enterprise Risk Management program at ACE from their annual report.
As an insurer, ACE is in the business of profitably managing risk for its customers. Since risk management must permeate an organization conducting a global insurance business, we have an established Enterprise Risk Management (ERM) framework that is integrated into management of our businesses and is led by ACE’s senior management. As a result, ERM is a part of the day-to-day management of ACE and its operations.

Our global ERM framework is broadly multi-disciplinary and its objectives include:

  • support core risk management responsibilities at division and corporate levels through the identification and management of risks that aggregate and/or correlate across divisions;
  • identify, analyze, and mitigate significant external risks that could impair the financial condition of ACE and/or hinder its business objectives;
  • coordinate accumulation guidelines and actual exposure relative to guidelines, risk codes, and other risk processes;
  • provide analysis and maintain accumulation and economic capital and information systems that enable business leaders to make appropriate and consistent risk/return decisions;
  • identify and assess emerging risk issues; and
  • develop and communicate to our business lines consistent risk management processes

ACE’s Enterprise Risk Management Board (ERMB) reports to and assists the Chief Executive Officer in the oversight and review of the ERM framework which covers the processes and guidelines used to manage insurance risk, financial risk, strategic risk, and operational risk. The ERMB is chaired by ACE’s Chief Risk Officer and Chief Actuary. The ERMB meets at least monthly, and is comprised of ACE’s most senior executives, in addition to the Chair: the Chief Executive Officer, Chief Financial Officer, Chief Investment Officer, Chief Claims Officer, General Counsel, Chief Executive Officer for Insurance – North America, Chief Executive Officer for ACE Overseas General, and our Chief Executive Officer for Global Reinsurance.
The ERMB is provided support from various sources, including the Enterprise Risk Unit (ERU) and Product Boards. The ERU is responsible for the collation and analysis of two types of information. First, external information that provides insight to the ERMB on risks that might significantly impact ACE’s key objectives and second, internal risk aggregations from its business writings and other activities such as investments. The ERU is independent of the operating units and reports to our Chief Risk Officer and Chief Actuary. The Product Boards exist to provide oversight for products that we offer globally. A Product Board currently exists for each of the following products; property/energy, marine, casualty, professional lines, aviation, and political risk. Each Product Board is responsible for ensuring consistency in underwriting and pricing standards, identification of emerging issues, and guidelines for relevant accumulations.
ACE’s Chief Risk Officer and Chief Actuary also reports to the Board’s Risk & Finance Committee, which helps execute the Board’s supervisory responsibilities pertaining to ERM. The role of the Risk & Finance Committee includes evaluation of the integrity and effectiveness of our ERM procedures and systems and information; governance on major policy decisions pertaining to risk aggregation and minimization, and assessment of our major decisions and preparedness levels pertaining to perceived material risks. The Audit Committee, which regularly meets with the Risk & Finance Committee, provides oversight of the financial reporting process and safeguarding of assets.
Others within the ERM structure contribute toward accomplishing ACE’s ERM objectives, including regional management, Internal Audit, Compliance, external consultants, and managers of our internal control processes and procedures.

Reinsurance Protection
As part of our risk management strategy, we purchase reinsurance protection to mitigate our exposure to losses, including catastrophes, to an acceptable level. Although reinsurance agreements contractually obligate our reinsurers to reimburse us for an agreed-upon portion of our gross paid losses, this reinsurance does not discharge our primary liability to our insureds and, thus, we ultimately remain liable for the gross direct losses. In certain countries, reinsurer selection is limited by local laws or regulations. In most countries there is more freedom of choice, and the counterparty is selected based upon its financial strength, claims settlement record, management, line of business expertise, and its price for assuming the risk transferred. In support of this process, we maintain an ACE authorized reinsurer list that stratifies these authorized reinsurers by classes of business and acceptable limits. This list is maintained by our Reinsurance Security Committee (RSC), a committee comprising senior management personnel and a dedicated reinsurer security team. Changes to the list are authorized by the RSC and recommended to the Chair of the Enterprise Risk Management Board. The reinsurers on the authorized list and potential new markets are regularly reviewed and the list may be modified following these reviews. In addition to the authorized list, there is a formal exception process that allows authorized reinsurance buyers to use reinsurers already on the authorized list for higher limits or different lines of business, for example, or other reinsurers not on the authorized list if their use is supported by compelling business reasons for a particular reinsurance program.
A separate policy and process exists for captive reinsurance companies. Generally, these reinsurance companies are established by our clients or our clients have an interest in them. It is generally our policy to obtain collateral equal to the expected losses that may be ceded to the captive. Where appropriate, exceptions to the collateral requirement are granted but only after senior management review. Specific collateral guidelines and an exception process are in place for ACE USA and Insurance – Overseas General, both of which have credit management units evaluating the captive’s credit quality and that of their parent company. The credit management units, working with actuaries, determine reasonable exposure estimates (collateral calculations), ensure receipt of collateral in an acceptable form, and coordinate collateral adjustments as and when needed. Currently, financial reviews and expected loss evaluations are performed annually for active captive accounts and as needed for run-off exposures. In addition to collateral, parental guarantees are often used to enhance the credit quality of the captive.
In general, we seek to place our reinsurance with highly rated companies with which we have a strong trading relationship.

Investments
Our objective is to maximize investment income and total return while ensuring an appropriate level of liquidity, investment quality and diversification. As such, ACE’s investment portfolio is invested primarily in investment-grade fixed-income securities as measured by the major rating agencies. We do not allow leverage or complex credit structures in our investment portfolio.
The critical aspects of the investment process are controlled by ACE Asset Management, an indirect wholly-owned subsidiary of ACE. These aspects include asset allocation, portfolio and guideline design, risk management and oversight of external asset managers. In this regard, ACE Asset Management:

  • conducts formal asset allocation modeling for each of the ACE subsidiaries, providing formal recommendations for the portfolio’s structure;
  • establishes recommended investment guidelines that are appropriate to the prescribed asset allocation targets;
  • provides the analysis, evaluation, and selection of our external investment advisors;
  • establishes and develops investment-related analytics to enhance portfolio engineering and risk control;
  • monitors and aggregates the correlated risk of the overall investment portfolio; and
  • provides governance over the investment process for each of our operating companies to ensure consistency of approach and adherence to investment guidelines.

Under our guidance and direction, external asset managers conduct security and sector selection and transaction execution. This use of multiple managers benefits ACE in several ways – it provides us with operational and cost efficiencies, diversity of styles and approaches, innovations in investment research and credit and risk management, all of which enhance the risk adjusted returns of our portfolios.
ACE Asset Management determines the investment portfolio’s allowable, targeted asset allocation and ranges for each of the operating segments. These asset allocation targets are derived from sophisticated asset and liability modeling that measures correlated histories of returns and volatility of returns. Allowable investment classes are further refined through analysis of our operating environment, including expected volatility of cash flows, potential impact on our capital position, as well as regulatory and rating agency considerations.

Under the overall supervision of the Risk & Finance Committee of the Board, ACE’s governance over investment management is rigorous and ongoing. Among its responsibilities, the Risk & Finance Committee of the Board:

  • reviews and approves asset allocation targets and investment policy to ensure that it is consistent with our overall goals, strategies, and objectives;
  • reviews and approves investment guidelines to ensure that appropriate levels of portfolio liquidity, credit quality, diversification, and volatility are maintained; and
  • systematically reviews the portfolio’s exposures including any potential violations of investment guidelines.

We have long-standing global credit limits for our entire portfolio across the organization and for individual obligors. Exposures are aggregated, monitored, and actively managed by our Global Credit Committee, comprised of senior executives, including our Chief Financial Officer, our Chief Risk Officer, our Chief Investment Officer, and our Treasurer. Additionally, the Board has established a Risk & Finance Committee which helps execute the Board’s supervisory responsibilities pertaining to enterprise risk management including investment risk.
Within the guidelines and asset allocation parameters established by the Risk & Finance Committee, individual investment committees of the operating segments determine tactical asset allocation. Additionally, these committees review all investment-related activity that affects their operating company, including the selection of outside investment advisors, proposed asset allocations changes, and the systematic review of investment guidelines.

Tug of War Between Intertwined Roles

December 3, 2012


A question posed to RISKVIEWS:

Do you have a clear distinction between “What’s Risk vs What’s Actuarial?”  It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.

Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.

I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.

In fact, it really does depend upon the company.  That is because actuarial roles are extremely broad in some companies and very narrow in others.

The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition.  In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation.  In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.

But Risk can be defined differently in different companies as well.  In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies.  Or to satisfy other requirements of the same audiences.

In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.

  • The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and/or broad risk oversight.  In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
  • A broadly defined Risk function in these firms will overlap most clearly with those last two roles.  With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered.  But there are Risk aspects of all five of the other functions listed.
    • Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
    • Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
    • Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
    • Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm.  This information is also used in Pricing.  And should be a main part of the information needed to evaluate the risks of the firm.  Which makes this area of high importance to Risk.
    • Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago.  But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.

Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function.  The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function.  The development of a new Risk function in these firms can be interpreted as Actuarial losing influence.  This perception would add to the conflict and to the confusion.  Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial.  Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.

At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer.  The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities.  In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.

