
Making Sense of ERM Framework: An Integrated Guide

Syed Danish Ali

This report serves as a broader ERM framework structure, which would allow any company (especially an insurance company) to set in place an ERM implementation approach. The ERM framework encapsulates, in a single structured document, the company-wide risk management principles and processes.

Enterprise Risk Management Framework

Page 2

Contents

1. Background and Objective ..... 3

2. ERM Framework ..... 5

3. Risk Identification Process ..... 9

4. Risk Measurement & Management Process ..... 13

5. Risk Governance and Reporting Process ..... 26

6. ERM Framework – Revisited ..... 30


1. BACKGROUND AND OBJECTIVE

1.1.1 This report serves as a broader ERM framework structure, which would allow any company to set in place an ERM implementation approach. The ERM framework encapsulates, in a single structured document, the company-wide risk management principles and processes. This report would serve the following objectives in relation to ERM:

➢ Development of an integrated enterprise-wide risk management framework and policy document for implementation and adherence, in order to instill and encourage risk-oriented decision-making within the organization.

➢ Promoting a risk identification structure, by monitoring risk areas with the aid of a risk register and risk matrix. This would assist in performing risk assessment and would act as a central repository for all risks the company is exposed to.

➢ Setting risk tolerance limits and overall risk appetite for the company based on inputs from capital models. This allows the company to measure the appropriate risks, to monitor them and to set in place control measures and actions.

➢ Create an appropriate risk monitoring structure to ensure risk exposures are within the controllable limits. Where these limits are exceeded, appropriate measures and actions could be taken.

➢ Periodically report the risk exposures to appropriate risk authorities to ensure that the management and the company are well aware of the risk their business is exposed to, and that appropriate decisions are being taken to mitigate them.

1.1.2 In future, enterprise risk management would become a part of regulatory requirements to assess the company’s financial strength and stability, either in the form of Solvency II or an economic capital approach. This framework forms the basic groundwork for regulatory endeavours as well. However, this framework may not ideally serve the purpose of regulatory requirements in the future.

1.2 Limitations and Restrictions

1.2.1 This framework provides a broad-level concept of the implementation of enterprise risk management principles and global best practices.

1.2.2 This framework supplements the company’s existing enterprise risk management charter, policy and procedures in effect. The framework provides an enterprise risk management structure to adopt with the help of existing ERM documents and the internal capital model.

1.2.3 ERM Framework has not been developed for regulatory reporting or submission.


1.2.4 The ERM Framework can only be implemented by a company interested in doing so. It cannot be forcefully implemented by third-party external advisors or consultants, as a risk-oriented thinking process has to come from within the individuals undertaking decisions and actions.


2. ERM FRAMEWORK

2.1 Framework

2.1.1 This framework provides a comprehensive approach for the company to adopt in order to identify and manage risks which could be prevented, so as to effectively achieve its business goals and strategies.

2.1.2 This framework has been developed to:

➢ allow the company to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce its risk profile, thereby maintaining a safer environment for its stakeholders;

➢ ensure appropriate strategies are in place to mitigate risks and maximize opportunities;

➢ embed the Risk Management process and ensure it is an integral part of company’s planning process at a strategic and operational level;

➢ help create a risk awareness culture from a strategic, operational, individual and fraud perspective; and

➢ give credibility to the process and engage management’s attention to the treatment, monitoring, reporting and review of identified risks as well as considering new and emerging risks on a continuous basis.

2.2 Enterprise Risk Management Cycle

2.2.1 In a nutshell, the following control cycle best describes the ERM framework:


Figure 2-1 Enterprise Risk Management Cycle

2.2.2 By the end of this document the company should be able to answer:

➢ What is the risk appetite and how is it measured?

➢ What is the board’s and senior management’s role in ERM framework?

➢ How does your organization encourage good risk-based decision making?

➢ What is your organization’s process for identifying and cataloguing key risks across your organization?

➢ How are emerging risks identified and evaluated?

2.3 Purpose of the ERM Framework

2.3.1 The documents referred to above provide operational structure and guidelines to the company for the adoption of ERM principles. However, the ERM Framework discussed within this report serves as a broader-level framework for the holistic ERM implementation in the company.

2.3.2 This document would serve as a central document in defining the ERM Framework, whereas other documents will support the ERM implementation program. Implementation of the ERM framework is an iterative and continuous exercise and can only be followed and practiced by the very people managing the company and those interested in seeing the successful execution of the underlying concepts.

[Figure 2-1 (Enterprise Risk Management Cycle) shows four stages, Risk Identification, Risk Measurement, Risk Management and Risk Reporting, with the following elements placed around the cycle:]

• Underwriting and Claim Approval Limits

• Policies and Procedures

• Incorporate results from Capital Model

• Make Risk-based Decision

• Each segment directly responsible for Risk

• ERM Committee

• Development of Solid Risk Culture

• Training

• Assess Qualitative and Quantitative Impact

• Evaluate Macro-Risk

• Increase Data Capturing Capacity

• Assign Responsibilities

• Development of Risk Register

• Emerging Risk Analysis


2.3.3 The figure below provides the building blocks necessary for successful ERM implementation; they are also discussed in detail within this framework.

Figure 2-2 Enterprise Risk Management Building Blocks

2.3.4 Having incorporated this framework, any company can align its business opportunities in a controlled manner and take on further risks in achieving its mission and core business objectives. The final program would encompass the whole spectrum of risk, ranging from high-level company- and industry-wide strategic business risks to individual-section operational risks (including identification of risks at all levels).

2.3.5 The company’s objectives in implementing a risk management program would include the following (keeping in view that this framework shall be implemented in the medium- to long-term, in line with the objectives of the company; the short-term objectives and outcomes would be limited):

➢ Demonstrating due diligence in planning and day-to-day management and operational activities;

➢ Promoting proactive management with early identification and treatment of risks, rather than reacting passively;

➢ Improving the focus on key strategic goals leading to:

i. a more sound basis for strategic planning as key elements of risk have been identified;

ii. more effective allocation of resources to key services and areas of high risk, improving service delivery;

iii. an improved level of responsibility and accountability;

iv. better informed decisions about opportunities and new initiatives/projects;

v. avoidance of taking unnecessary opportunistic risks; and

vi. acceptance of changing patterns of risk and opportunity in an increasingly competitive environment.

[Figure 2-2 (Enterprise Risk Management Building Blocks) shows four blocks with the following contents:]

Risk Management Framework

• Define risk appetite and measurement techniques

• Defines ERM framework including Risk Charter, Risk Policy and Procedures and Risk Governance Structure

• Reporting of risks

Risk Register - Qualitative Assessment

• An Excel-based file for Identifying and Measuring Risk

• Risk controls, limits and communications

Capital Model - Quantitative Assessment

• An Excel-based internal capital model

• Risk controls, limits and communications

Other Supporting Documents

• Policies and Procedures

• Business Plan and Budgeting

2.4 Structure of the Report

2.4.1 The structure of the framework has been developed in such a way that this report can be treated as a comprehensive manual of the enterprise risk management cycle and its principles in practice.

2.4.2 The primary phases of the risk management cycle form the remaining sections of this framework; their purpose is to capture the whole ERM framework structurally and provide ease of use.

Section 3: Risk Identification

Section 4: Risk Measurement and Management

Section 5: Risk Appetite & Tolerance Limits

Section 6: Risk Reporting

Section 7: ERM Framework Cycle – Revisited


3. RISK IDENTIFICATION PROCESS

3.1 Risk Description

3.1.1 The risk description describes the risk associated with any activity which the company undertakes as part of its business. Significant activities include any major line of business, risk area and risk category identified from various sources such as the company’s organizational chart, strategic business plan, capital allocations, and internal and external financial reports.

3.1.2 Sound judgment is applied in determining the significance or materiality of any activity in which the company engages. So as not to exclude critical risks, it is important to undertake a systematic and comprehensive identification of all risks, including those not directly under the control of the company.

3.2 Risk Identification

3.2.1 The reasons for the risk assessment being carried out need to be established. In particular:

➢ define the scope and objectives of the assessment

➢ comply with new legislation, project evaluation, etc.

➢ specify the nature of the decisions that have to be made

➢ define the extent of the project activity or function in terms of time and location

➢ identify resources and planning requirements

➢ identify the roles and responsibilities of the various parts of the organization participating in the risk management process

3.2.2 Defining and measuring risks within each area is an on-going task. Identifying new risks in areas and summarizing these into a quantifiable measure of the risks inherent in that area is a self-discovery process and cannot be imposed externally. Therefore, this document needs to be viewed as a starting point for a dynamic process that will evolve as the company grows, matures, enters into new areas and adopts new business methods.

3.2.3 Approaches used to identify risks include the following:

➢ use risks already identified in the risk registers, strategic plans, operational plans, and other key documents

➢ checklists, surveys, questionnaires

➢ team-based brainstorming, structured interviews, focus groups, personal experiences

➢ facilitated workshops

➢ experience, local and overseas knowledge

➢ records, databases

➢ past organizational experiences

➢ internal and external audits and reports


3.2.4 The company should identify each risk in the organization and prioritize the top risks for management, viz., by inherent risk, perceived effectiveness of existing risk mitigation measures and thereby the residual risk.

3.2.5 Ideally, residual risk should always be very low, and this will be the long-term objective of the company. However, this might not be practical to achieve immediately in all areas, and therefore the company may need to tolerate higher levels of risk in some areas until it is able to improve controls and lower the level of residual risk. In certain areas, however, the company would not be willing to tolerate this higher level.

3.2.6 It is very important that the company identifies its risks on an on-going basis – a practice that needs to be implemented within the company. A legal risk which appears to be small during identification might prove disastrous. The company should make its own internal assessment of risk in this regard.

3.2.7 It is important to reiterate that this exercise would need time to be adopted at the grassroots level of the company, and considerations should be made in this regard.

3.3 Risk Register

3.3.1 The risk register is a compilation of all the risks the company is exposed to, from day-to-day operational activities to the company’s business strategy and objectives. Risk identification will be carried out on the horizontal and vertical structures of the company in order to fully capture existing and potential risks into the risk universe.

3.3.2 The company has a risk register in place which categorises more than 400 potential risks into broader risk categories. The risk register serves as a dashboard of all known and unknown risks the company is exposed to. It is monitored proactively: current risks are reviewed, and potential risks are considered and incorporated for monitoring within the register.

3.3.3 The company’s risk management register shall be maintained at two levels: company-wide strategic risks and individual/department-wise operational risks. Each department will be responsible for identifying its risk exposures and reporting them to the company-wide risk register maintained and operated by the relevant risk authority. The company-wide risk register encourages integration of risk exposures from one area to others, allowing the company to see how each exposure affects other areas of the business and the company as a whole.

3.3.4 The risk registers shall be maintained as Excel workbooks. However, it would be more suitable to develop, in time, a database and an online system accessible to all appropriate officers.

3.3.5 The purpose of completing a risk identification exercise is to identify, discuss and document the risks facing the company. The risk register serves three main purposes:


• It is an information source to report the key risks throughout the company, as well as to stakeholders.

• Management can use the risk register to focus their priorities.

• It helps the auditors to focus on the company’s top risks.

3.3.6 The following risk registers can be maintained:

➢ Non motor underwriting

➢ Life and medical underwriting

➢ Motor underwriting

➢ Re-takaful

➢ Non motor claims

➢ Life and medical claims

➢ Motor claims

➢ Finance

➢ Investments

➢ Human resources

➢ Administration

➢ Information technology

➢ Legal

➢ Shariah

➢ Business development

➢ Broker relations

➢ Marketing

➢ Public relations

➢ Company secretary

3.3.7 With the functional risk registers above, the insurance company can monitor the top 20 risks for active review and management.

3.3.8 Risk management registers shall be reviewed and updated by risk managers and the risk management committee on a regular basis throughout the year. In particular, the process will aid performance reviews and planning procedures.

3.4 Identified Risks Documentation

3.4.1 Key information from the risk registers needs to be incorporated into the policy manual to ensure that it becomes part of the decision-making process for the concerned department. This again is the responsibility of the company and the respective departments.

3.4.2 Documentation of the risk management process should be carried out at each stage for the following reasons:

• It gives integrity to the process and is an important part of good corporate governance;


• It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;

• It provides a record of decisions made which can be used and reviewed in the future;

• It provides a record of risks which can continuously be developed.


4. RISK MEASUREMENT & MANAGEMENT PROCESS

4.1 Risk Analysis and Evaluation

4.1.1 Risk analysis helps in making informed decisions with respect to which risk response to adopt and what method to use. Companies consider risks based on the combination of the consequence of occurrence (severity) and the likelihood of occurrence (frequency). Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established.

4.1.2 There are many tools and techniques available for analysing risks, and the following sources of information may be referred to:

• Past records;

• Practice and relevant experience;

• Market research;

• Experiments and prototypes;

• Economic and system models;

• Specialist and expert judgment;

• Focus groups;

• Structured interviews, questionnaires.

4.1.3 We would recommend evaluating risks at two levels:

• inherent risk rating, i.e. before management controls have been considered, and

• residual risk rating, i.e. the gross risk rating combined with an assessment of management controls.

4.1.4 Management should assess risks on the basis of the likelihood of the risk occurring and the impact of its occurrence, as follows:

Risk = Likelihood x Impact

4.1.5 Likelihood represents the possibility that an event will occur; impact represents its effect on the company. In the process of risk assessment, the company should consider its “risk appetite,” broadly defined as the amount of risk that an entity is willing to accept in pursuing its objectives. The higher the risk, the higher the priority of addressing it, in order to keep within the risk appetite of the company.

4.1.6 While conducting a risk assessment is typically considered a “one-time activity,” in the context of enterprise risk management it is actually continuous and on-going; it is part of the daily responsibility of managers and employees throughout the company.


4.2 Qualitative Risk Measurement and Management

Inherent Risk Rating Before Management Control

4.2.1 Inherent risk is intrinsic to every business activity and arises from exposure and uncertainty from potential events. Inherent risks are evaluated by considering the probability of occurrence and the potential size of an adverse impact on the company’s capital and earnings. Inherent risk involves considering the likelihood and impact of the risk in the absence of any management control interventions.

4.2.2 This level of assessment provides a perspective of the consequences of the risk to the company in the absence of controls to prevent an event from happening. Inherent risk is categorized as:

• Very high: Unacceptable level of risk. Take urgent action to further mitigate the risk to an acceptable level

• High: Identify and evaluate additional steps to mitigate the risk to an acceptable level

• Moderate: Consider actions that may improve the tradeoff between risk (with its associated reward) and cost

• Low: Keep risk and control under review

• Very low: No action required

Likelihood

4.2.3 The probability or likelihood of an event is categorized as:

• Highly probable: The risk is already occurring, or is likely to occur more than once within the specific duration, subject to management decisions.

• Likely: The risk could easily occur, and is likely to occur at least once within the specific duration, subject to management decisions.

• Possible: There is an above average chance that the risk will occur at least once within the specific duration, subject to management decisions.

• Unlikely: The risk occurs infrequently and is unlikely to occur.

• Rare: The risk is conceivable but is only likely to occur in extreme circumstances.

Impact

4.2.4 The impact of each event is categorized as:


• Critical: Negative outcomes or missed opportunities that are of critical importance to the achievement of objectives

• Major: Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives

• Material: Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives

• Minor: Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives.

• Insignificant: Negative outcomes or missed opportunities that are likely to have a relatively negligible impact on the ability to meet objectives

4.2.5 Inherent risks can be found by the probability and severity of the risk from the table below:

Figure 4-1 Inherent Risk Levels Exposure Chart

Inherent Risk Exposure  |              Perceived Control Effectiveness
Probability             | Insignificant  Minor     Material  Major      Critical
Highly Probable         | Medium         High      High      Very High  Very High
Likely                  | Low            Medium    High      High       High
Possible                | Low            Low       Medium    Medium     Medium
Unlikely                | Very Low       Low       Low       Low        Low
Rare                    | Very Low       Very Low  Very Low  Very Low   Very Low
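As an added example (not part of the original report), the following Python encodes the Figure 4-1 grid, reading its columns as the impact categories of 4.2.4 as paragraph 4.2.5 describes, and applies it to a constructed CSV export of a functional risk register to produce the ranked top-N list of 3.3.7 and the over-tolerance list implied by 4.3.6, with the risk direction of 4.2.10 as a tie-break. The register rows, identifiers and the tie-break order within a rating are assumptions made for the example.

```python
"""Inherent-risk rating and prioritisation for a functional risk register.

Encodes the 5x5 grid of Figure 4-1 (rows: probability categories of 4.2.3,
columns: impact categories of 4.2.4) and the risk-direction flag of 4.2.10.
Example code written for this page; the register rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass

LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Highly Probable"]
IMPACTS = ["Insignificant", "Minor", "Material", "Major", "Critical"]
RATINGS = ["Very Low", "Low", "Medium", "High", "Very High"]
DIRECTIONS = ["Increasing", "Constant", "Decreasing"]  # 4.2.10

# Figure 4-1, row by row; the column order matches IMPACTS.
INHERENT_GRID = {
    "Highly Probable": ["Medium", "High", "High", "Very High", "Very High"],
    "Likely":          ["Low", "Medium", "High", "High", "High"],
    "Possible":        ["Low", "Low", "Medium", "Medium", "Medium"],
    "Unlikely":        ["Very Low", "Low", "Low", "Low", "Low"],
    "Rare":            ["Very Low"] * 5,
}


@dataclass
class RiskEntry:
    register: str      # functional register from 3.3.6, e.g. "Finance"
    risk_id: str
    description: str
    likelihood: str
    impact: str
    direction: str = "Constant"

    @property
    def inherent(self) -> str:
        return inherent_rating(self.likelihood, self.impact)


def inherent_rating(likelihood: str, impact: str) -> str:
    """Look up the inherent rating; reject categories outside the framework."""
    if likelihood not in INHERENT_GRID:
        raise ValueError(f"unknown likelihood category: {likelihood!r}")
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact category: {impact!r}")
    return INHERENT_GRID[likelihood][IMPACTS.index(impact)]


def load_register(csv_text: str) -> list[RiskEntry]:
    """Parse a register exported as CSV (the framework keeps them in Excel)."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["direction"] not in DIRECTIONS:
            raise ValueError(f"{row['risk_id']}: bad direction {row['direction']!r}")
        entries.append(RiskEntry(**row))
    return entries


def prioritise(entries: list[RiskEntry], top_n: int = 20) -> list[RiskEntry]:
    """Rank risks for management review (3.3.7 and 4.4.1 speak of a top-20 list).

    Order (assumed for this example): higher inherent rating first; within a
    rating, Increasing risks before Constant and Decreasing ones (4.2.10); then
    the more likely and the more severe first, so ties break deterministically.
    """
    def key(e: RiskEntry):
        return (-RATINGS.index(e.inherent),
                DIRECTIONS.index(e.direction),
                -LIKELIHOODS.index(e.likelihood),
                -IMPACTS.index(e.impact))
    return sorted(entries, key=key)[:top_n]


def exceeding_tolerance(entries: list[RiskEntry], tolerance: str) -> list[RiskEntry]:
    """Risks rated strictly above the tolerated inherent level (4.3.6), ranked."""
    limit = RATINGS.index(tolerance)
    return [e for e in prioritise(entries, top_n=len(entries))
            if RATINGS.index(e.inherent) > limit]


# Constructed sample register; identifiers and descriptions are illustrative.
SAMPLE_REGISTER_CSV = """\
register,risk_id,description,likelihood,impact,direction
Information technology,IT-01,Unplanned outage of policy administration system,Likely,Major,Increasing
Information technology,IT-02,Loss of off-site backup media,Possible,Critical,Constant
Finance,FIN-01,Late month-end close due to manual reconciliations,Highly Probable,Minor,Decreasing
Human resources,HR-01,Key-person dependency in reserving team,Unlikely,Critical,Constant
Non motor underwriting,UW-01,Aggregate exposure above treaty limits,Highly Probable,Critical,Constant
Motor claims,CLM-01,Court fee refund not recovered,Rare,Major,Constant
"""

if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER_CSV)
    for e in prioritise(register, top_n=5):
        print(f"{e.inherent:9} {e.direction:10} {e.risk_id:7} {e.description}")
    print("Above tolerance (Medium):",
          [e.risk_id for e in exceeding_tolerance(register, "Medium")])
```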

Perceived Controls Effectiveness

4.2.6 After identifying the impact and likelihood of each risk, it is the ERMC’s responsibility to check whether controlling that particular risk is possible for the company. This will be done by identifying the personnel/officers/staff involved in the activity/operation related to that risk area.

4.2.7 After applying the current controls of management, effectiveness will be assessed as:

• Very Good: Risk exposure is effectively controlled and managed.

• Good: Majority of risk exposure is effectively controlled and managed.

• Satisfactory: The controls are at satisfactory level, there is some room for improvement.

• Weak: Some of the risk exposure appears to be controlled, but there are major deficiencies.

• Unsatisfactory: Control measures are ineffective and need urgent attention.


Residual Risk Rating after Management Control

Residual Risk Exposure & Risk Rating

4.2.8 Residual risk is the level of risk remaining after the mitigating influences of the existing control interventions are considered. Normally, management would introduce sufficient controls to reduce the risk to within a pre-determined level, as per the risk appetite of the Company. The residual risk is a critical indicator of whether the existing controls are effective in reducing the risk to an acceptable level.

• Very High: Unacceptable level of residual risk – Implies that the controls are either fundamentally inadequate (poor design) or ineffective (poor implementation). Controls require substantial redesigning, or there needs to be greater emphasis on proper implementation.

• High: Slightly better than Very High.

• Medium: Unacceptable level of residual risk – Implies that the controls are either inadequate (poor design) or ineffective (poor implementation). Controls require some redesigning, or there needs to be more emphasis on proper implementation.

• Low: Mostly acceptable level of residual risk – Requires minimal control improvements.

• Very Low: Slightly better than Low.

4.2.9 The table below shows how the Residual Risk Rating of the company can be calculated from the inherent risk of the business and its perceived control effectiveness:

Figure 4-2 Residual Risks Exposure Levels

Residual Risk Exposure  |              Perceived Control Effectiveness
Probability             | Insignificant  Minor     Material  Major      Critical
Highly Probable         | Medium         High      High      Very High  Very High
Likely                  | Low            Medium    High      High       High
Possible                | Low            Low       Medium    Medium     Medium
Unlikely                | Very Low       Low       Low       Low        Low
Rare                    | Very Low       Very Low  Very Low  Very Low   Very Low

Varying Risk Directions

4.2.10 It is important to determine the change in the probability of the risk over time. We have to ascertain whether the likelihood of the risk is changing until the next risk assessment. The risk direction can be characterized as one of the following:

• Increasing: The Risk will increase at the next assessment period. The management actions should be stronger for increasing risk over time.


• Constant: The Risk will remain constant till the next assessment period.

• Decreasing: The Risk will decrease at the next assessment period.

4.3 Treatment and Management of Risks

Determination of Risk Tolerance Level

4.3.1 Companies can determine risk tolerance based on three common values in measuring the risk level: solvency, ratings, and earnings volatility. The risk tolerance level depends primarily upon stakeholders, which include its shareholders, regulators, customers, distributors, management, employees, and/or the business community. Investor concerns could be stated in terms of earnings or stock price, while regulator concerns could be stated in terms of regulatory minimum capital requirements.

4.3.2 There is no one-size-fits-all preference that should drive the company’s risk tolerances at all times. What is crucial is that the company should know how it will interpret its priorities among its constituencies in a dynamic framework.

4.3.3 For quantitative risk modules, the company has set in place internal capital models which assist in determining the risk exposures and in setting quantitative risk tolerance limits. The risk appetite can then be represented by a number which can subsequently be used to develop a risk tolerance limit for that situation—most often one that is at an extremely unlikely level such as 99.5% or 99.9%.

4.3.4 For the company, risk preferences can articulate its attitude toward various aspects of risk. We understand that the company has clear preferences towards an efficient risk management process and that management would not be wasting time considering risks that it would never agree to accept.

4.3.5 Aspects of risk that can be addressed through Risk Preferences include:

• Uncertainty: the degree to which loss distribution aspects such as Volatility and Ruin are thought to be known.

• Complexity (also called model risk): many insurance contract transactions have extremely complex structures that could pay off in varying amounts under a wide range of possible situations.

• Location: the company’s concern for micro concentrations of its risks as well as macro concentrations of any type of risk, such as in one legal jurisdiction.

• Experience: the degree of experience of the company and expertise of the management to deal with the risk is a key aspect.


• Type: the company will have low or zero tolerance for some risk types or, more commonly, for specific subcategories of risk types.

• Tradability: A risk’s tradability can be a major determinant of risk tolerance. For long-term contracts, tradability is a proxy for the ability to exit a position.

• Time Frame: the time frame needs to be considered, as transactions can be short, medium or long term and each category has particular characteristics which have to be satisfied for optimum risk management.

• Consistency: some risks will stay in a reliable frequency/severity pattern for a long time. Others will change characteristics periodically. Risks can be mistakenly evaluated while patterns transition from one type of frequency/severity to another.

4.3.6 Qualitative risk limits can be set via delegation of responsibilities, setting limits on acceptable exposures on inherent and residual risks, and creation of policy manuals and a documented structure within the company.

Management Controls & Actions to improve

4.3.7 Event identification and assessment involves a cross-section of management. Key steps to achieving event identification and assessment objectives include examining each business objective with the relevant managers to determine interdependencies and interrelationships. Management needs to understand how events interrelate, because they do not occur in isolation. By assessing interrelationships, a determination can be made of where risk management efforts are best directed, and actions can be taken to improve the position within the appropriate time.

4.3.8 Simply put, event identification is a process of systematically recognizing potential events that affect the achievement of business objectives. An event is an incident or occurrence resulting from internal or external sources that affects the implementation of a strategy or the achievement of objectives.

4.3.9 When identifying and assessing risks, it is also important to bear in mind that “risk” also has an opportunity component. This means there must also be deliberate effort expended in identifying potential opportunities that could be exploited to improve institutional performance. It is management’s role to assess and develop controls that may reduce the likelihood of occurrence of a potential risk, the impact of such a risk, or both, within the required and appropriate time. Management then needs to assess the control effectiveness based on their understanding of the control environment currently in place. The Risk Register will therefore inform management of the actual level of control effectiveness.


Set Risk Priorities

4.3.10 The company’s management will identify and categorize the risk of each risk grouping and risk area outlined above. There are two levels of risk assessment, namely:

• Company-wide Strategic Risks: These will be monitored and reported to the RMC and Audit Committee on biyearly basis by the assigned Accountable and Responsible officers.

• Management and Operational Risks: These will be closely monitored and reported to the Senior Management twice per year and progress against action plans will be signed off by the Accountable Officer.

Treat and Manage the Risks

4.3.11 It is important that, where risks have been assessed as extreme or high, an action plan is put in place to manage and mitigate the risks. It is unlikely that risks will ever be entirely eliminated, but by demonstrating that actions are being implemented, the risks may be reduced to a more acceptable level.

4.3.12 There are a number of options available for treating risks. These should be considered on the basis of a cost/benefit analysis:

• Avoid the Risk: This can be done by deciding not to start or continue with a particular activity that gives rise to the risk. However, the business objectives must always be kept in mind and inappropriate risk aversion may increase other risk areas.

• Reduce the Likelihood and Impact: This may be achieved by introducing more preventive and corrective measures by having policies and procedures.

• Accept the Risk: Where risks are identified as unavoidable or no suitable treatment plans are available, the company should accept the risk.

• Transfer the Risk: This involves other parties bearing or sharing the risk either partially or in full. This may be through reinsurance arrangements, contracts, partnerships and/or joint ventures.

4.3.13 The most appropriate risk treatment option should be selected by considering the following issues:

• The cost of managing risks must be balanced against the benefits obtained;

• The extent of risk reduction gained;

• The extent to which there is an ethical or legal duty to implement a risk treatment option which may override any cost/benefit analysis;

• How sensitive is the risk to the company’s image and reputation and its perception by stakeholders and external parties? This may warrant implementing costly actions.


Prepare and implement treatment plans

4.3.14 The risk management treatment plan includes the following:

• Risk identified;

• Proposed actions;

• Cost/benefit analysis (where appropriate);

• Cross reference to the operational plan;

• Accountable and Responsible Officers;

• Timescales.

4.3.15 For the treatment plans to be successfully implemented, there is a requirement for an on-going review and reporting of the progress against the actions stated.

4.4 Qualitative Risk Tolerance and Controls

4.4.1 The company uses the qualitative risk indicators described above, sets risk tolerance limits for the inherent and residual risks it is exposed to, and focuses on the top 20 high risks in order to control them as part of active risk monitoring and management.

4.4.2 Each risk identified and listed in the risk registers has been classified with respect to three measures, viz., inherent risk, perceived effectiveness of existing risk mitigation measures and thereby the residual risk. This section seeks to define the residual risk classification that the company is willing to tolerate, as inherent risks have been assumed to be managed efficiently and effectively. Inherent risk management has already been discussed above.

4.4.3 Residual risk is based on a matrix which maps inherent risk against control effectiveness. This is set out in the Risk Management Framework document but is reproduced below for ease of reference.


Table 4-1 Residual Risk Exposures

Rows give the inherent risk (probability); columns give the perceived control effectiveness; each cell is the resulting residual risk exposure.

Inherent Risk | Very Good | Good      | Satisfactory | Weak      | Unsatisfactory
Very High     | Medium    | High      | High         | Very High | Very High
High          | Low       | Medium    | High         | High      | High
Moderate      | Low       | Low       | Medium       | Medium    | Medium
Low           | Very Low  | Low       | Low          | Low       | Low
Very Low      | Very Low  | Very Low  | Very Low     | Very Low  | Very Low

4.4.4 Ideally, residual risk should always be very low, and this will be the long-term objective of the company. The management recognizes, however, that this is not practical to achieve immediately in all areas and therefore the company may need to tolerate higher levels of risk in some areas until it is able to improve controls and lower the level of residual risk. In certain areas, however, the company would not be willing to tolerate this higher level.

4.4.5 The table below sets out a sample, for each risk area (defined as a group of functions for which a Risk Register was prepared), of the overall objective of the function and the default tolerance level for the residual risk:


Table 4-2 Qualitative Risk Evaluation - Hypothetical Example

Columns: Area (with its functions) | Objective of Risk Management System | Level of Residual Risk

Area: Planning/Pricing (Planning; Product Design and Pricing)
Objective: To ensure that the company’s plans are realistic and that products are designed and priced from a competitive position in line with the company’s plans.
Level of Residual Risk: Low

Area: Brand Image/Awareness (Marketing)
Objective: To ensure that the company’s brand image as a takaful operator (as opposed to an Islamic Bank) is projected and that the market is aware that the company offers Shariah compliant takaful products.
Level of Residual Risk: Low

Area: Sales (Retail Sales; Corporate Sales)
Objective: To ensure that actual sales for each line of business meet targets and are made on terms within the company’s underwriting and pricing policies.
Level of Residual Risk: Low

Area: Underwriting, Operations and Claims (Non-Life Underwriting; Motor Claims; Health Insurance; Life Insurance)
Objective: To ensure that risks are only accepted in line with the company’s underwriting policy and risk acceptance guidelines; that adequate risk mitigation, especially with respect to reinsurance arrangements with reputable and financially sound reinsurers, is in place; and that claims are paid only when due. To ensure a high level of customer service so as to build the company’s reputation as an efficient and fair takaful operator.
Level of Residual Risk: Low

Area: Financial Position (Balance Sheet; Investment; Financial Accounts)
Objective: To ensure that the financial position of the company as set out in its financial statements (balance sheet) reflects assets at values at which these can be realized and makes adequate provision for liabilities, especially liabilities under takaful contracts.
Level of Residual Risk: Very Low

Area: Compliance/Regulatory
Objective: To ensure that the company is fully compliant with regulatory provisions prevalent in the United Arab Emirates relating to takaful operations in particular and corporations in general.
Level of Residual Risk: Very Low

Area: Reputation
Objective: To ensure that the company’s position as a fully Shariah compliant financial institution and as a fair and equitable takaful operator is maintained at all times.
Level of Residual Risk: Very Low

Area: Corporate Governance; Internal Audit
Objective: To ensure that the powers and responsibilities of various levels of management (from the Board of Directors downwards) are clearly defined and that management policies are implemented in letter and spirit.
Level of Residual Risk: Very Low

Area: Financial/HR Management (Fixed Asset Management; Cash Mgmt; Procurement to Pay Cycle; Human Resource Mgmt)
Objective: To ensure that the company’s financial management with respect to fixed assets, cash and purchases and payables is carried out efficiently and correctly. To ensure that the company’s management of HR functions is carried out diligently and efficiently so as to foster a sense of security and trust amongst its employees.
Level of Residual Risk: Low

Area: Country of Business
Objective: To ensure that the company only carries out business in countries after it is fully able to professionally underwrite risks in that country and only in full compliance with the country’s regulations.
Level of Residual Risk: Very Low

Area: Outsourcing
Objective: To ensure that functions are only outsourced to reputable and capable organizations and that standards maintained are comparable to those maintained internally within the company.
Level of Residual Risk: Low

Area: Information Technology
Objective: To ensure that IT general controls ensure full security, minimum down time and a high level of compliance with the functional needs of user departments.
Level of Residual Risk: Low
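As an added example (not code from the framework document), the following Python encodes the Table 4-1 residual risk matrix and a subset of the Table 4-2 default tolerances, then evaluates a constructed risk register and returns the entries whose residual risk exceeds their area's tolerance, most severe first. The register entries, the choice of areas, and the ordering of "Medium" between "Low" and "High" on the residual scale are assumptions.

```python
"""Residual-risk evaluation over a sample risk register.

Added example, not part of the original framework document: it encodes
the residual-risk matrix of Table 4-1 and the default tolerance levels of
Table 4-2, then flags every register entry whose residual risk exceeds its
area's tolerance, ordered so the most severe breaches come first.
Register entries and the area subset are constructed for illustration.
"""

# Ordinal scale shared by residual risk and tolerance levels (assumed order).
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Column order of Table 4-1 (perceived control effectiveness).
CONTROL = ["Very Good", "Good", "Satisfactory", "Weak", "Unsatisfactory"]

# Table 4-1: inherent risk (rows) x perceived control effectiveness (columns).
RESIDUAL_MATRIX = {
    "Very High": ["Medium", "High", "High", "Very High", "Very High"],
    "High":      ["Low", "Medium", "High", "High", "High"],
    "Moderate":  ["Low", "Low", "Medium", "Medium", "Medium"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Low"],
    "Very Low":  ["Very Low"] * 5,
}

# Table 4-2 default residual-risk tolerance per risk area (subset of the table).
TOLERANCE = {
    "Sales": "Low",
    "Financial Position": "Very Low",
    "Compliance/Regulatory": "Very Low",
    "Information Technology": "Low",
}


def residual_risk(inherent: str, control: str) -> str:
    """Look up residual risk in Table 4-1; unknown ratings raise ValueError."""
    if inherent not in RESIDUAL_MATRIX or control not in CONTROL:
        raise ValueError(f"unknown rating: {inherent!r}/{control!r}")
    return RESIDUAL_MATRIX[inherent][CONTROL.index(control)]


def evaluate_register(register):
    """Return tolerance breaches as (excess, residual, risk_id, area) tuples,
    most severe first; `excess` is the number of levels above tolerance."""
    breaches = []
    for entry in register:
        tol = TOLERANCE.get(entry["area"])
        if tol is None:
            raise ValueError(f"no tolerance defined for area {entry['area']!r}")
        res = residual_risk(entry["inherent"], entry["control"])
        excess = RANK[res] - RANK[tol]
        if excess > 0:
            breaches.append((excess, res, entry["id"], entry["area"]))
    breaches.sort(key=lambda b: (-b[0], b[2]))
    return breaches


# Constructed sample register (not taken from the document).
SAMPLE_REGISTER = [
    {"id": "R1", "area": "Information Technology", "inherent": "Very High", "control": "Weak"},
    {"id": "R2", "area": "Financial Position", "inherent": "High", "control": "Very Good"},
    {"id": "R3", "area": "Sales", "inherent": "Moderate", "control": "Good"},
    {"id": "R4", "area": "Compliance/Regulatory", "inherent": "Low", "control": "Very Good"},
    {"id": "R5", "area": "Financial Position", "inherent": "Moderate", "control": "Satisfactory"},
]

if __name__ == "__main__":
    for excess, res, rid, area in evaluate_register(SAMPLE_REGISTER):
        print(f"{rid:4} {area:24} residual={res:9} ({excess} level(s) above tolerance)")
```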

4.4.6 Once the risks have been quantified, aggregate risk limits should be set by the management and allocated to different lines of business and risk categories. This is done by allocating specified risks to their respective departments.


4.4.7 The company should evaluate each risk as a proportion of the undiversified total risk exposure and plan to set a maximum exposure to each risk at the 99.5% level of confidence. This would allow the company to make risk-oriented decisions.

4.4.8 As the company shall designate individuals to be responsible for undertaking risk-related decisions, it should limit the responsibilities delegated to each risk owner in terms of risk limits. For instance, permission should be granted to risk owners to manage and mitigate risks arising from their line of business. Beyond the limit, risks should be communicated to senior management and the recommended steps should be taken. Where risks are substantial, such as market risk in the current case, the board should be apprised of such risk, and rectifying measures should be set in place to manage that risk.

4.4.9 To introduce risk-oriented decision making into the company’s culture, the decision makers should weigh their prospective decisions in light of changing risk exposures.

4.4.10 The greater the capital risk exposures, the greater the sensitivity of risk capital. The responsible risk champion and risk owners must understand the impact of changing risk exposures, as in the case above.


4.5 Emerging Risk Management

4.5.1 The risk control process focuses on everyday risk management, including the management of identifiable risks or risks that have a certain predictability. Emerging risk management concerns risks that have not yet materialized or are not yet clearly defined; they usually appear slowly.

4.5.2 For managing emerging risks, having some sort of early warning system in place, methodically identified either through internal or external sources, is very important.

4.5.3 For assessing the relevance (i.e. potential losses) of emerging risks, the degree of concentration and correlation of the risks in an insurer's portfolio are two important parameters to be considered.

4.5.4 Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation or transfer, either through reinsurance (or retrocession) in the case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging.

4.5.5 Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.

4.5.6 For each risk identified in the risk register, the company should start risk planning as if the current control process were breached, since such a breach is a potential emerging risk.

4.5.7 For the existing risks in place, a change in the level of frequency and severity might affect the total outcome, which needs to be monitored. Frequent updates and peer review will help the management in anticipating emerging risks.

4.5.8 Out-of-the-box risk comprises risk that is not identified in the risk register but might eventually come through. The company should hold frequent brainstorming sessions to identify these types of risks. Any material risk identified needs to go through a defined control process.


5. RISK GOVERNANCE AND REPORTING PROCESS

5.1 Risk Governance Structure

5.1.1 The following hierarchical chart depicts the risk reporting structure of a company, derived from the company’s risk governance charter, risk policy and procedures.

Figure 5-1 Risk Reporting Hierarchy

5.2 Responsibility of Board of Directors

5.2.1 The ultimate responsibility for risk management lies with the board of directors (BOD) of the company. Therefore the board will be responsible for:

• Understanding the risks associated with the company’s activities

• Approval of Risk Beyond the limits of Senior Management

• Approval of the risk management policies in writing – in particular Risk Limits for Underwriting and Claim Processing

• Evaluating top risks identified and action plans to mitigate that risk

5.2.2 The BOD will be assisted by the Board Audit and Risk Committee (BARC), which will oversee the responsibilities of the Executive Risk Management Committee (ERMC), appointed from the company’s management, and will periodically apprise the BOD about developments in enterprise risk management. BARC will also ensure committee members are qualified and have enough experience and understanding to do this on an ongoing basis.

Figure 5-1 reporting hierarchy, top to bottom: B.O.D > Board Audit & Risk Committee > Executive Risk Management Committee > Internal Control / Risk Management Department > Head of Functions / Risk Champions > Risk Owners


5.3 Role of Board Audit & Risk Committee

5.3.1 We understand that the board of the company has an established Board Audit & Risk Committee. This committee should be responsible for providing independent counsel, advice and direction with regard to risk management.

5.3.2 BARC will seek input from internal auditors, external auditors, actuaries and others in carrying out its responsibilities. The committee should have an understanding of the risk management policy, risk management strategy and risk management implementation plan followed in the company, and of its oversight responsibilities relating to risk management. This understanding helps it to add value to the risk management process when giving recommendations on the basis of audit.

5.4 Role of Executive Risk Management Committee

5.4.1 The Executive Risk Management Committee (ERMC) will ultimately be responsible for:

➢ Assisting the board in defining company’s risk profile and appetite, and setting risk tolerance limits (long term objective);

➢ Reviewing performance of the company and recommending revised risk management policies to the board for approval in light of new developments;

➢ Monitoring current functional risk indicators and following up on outstanding matters;

➢ Ensuring that Senior Management is effectively involved;

➢ Reporting to the audit committee as mandated.

5.5 Role of Risk Manager and Risk Management Department

5.5.1 The company has in place a risk manager for the development and maintenance of the overall risk management infrastructure. This risk manager is responsible for:

➢ Serving as a secretary to the risk management committee;

➢ Facilitating other departments to ensure that risk management policies are reflected in the procedures and computer systems adopted and implemented;

➢ Being the custodian of the risk management registers; and

➢ Acting as a conscience for the risk owners.

5.6 Role of Risk Champions

5.6.1 Risk registers are maintained by the respective divisional heads, who can be referred to as risk champions since they face the risks themselves. They are assisted by subordinates who manage the risks at a granular level and develop continuous risk monitoring within their usual activities.

5.6.2 Risk champions will jointly be responsible for ensuring that suitable risk management policies and procedures are formulated and implemented, and that each member:

➢ Clearly understands the company’s risk management policies and procedures;


➢ Ensures that activities of the company are conducted within the framework of approved policies and systems; and

➢ Apprises the ERMC and Risk Manager of any material breaches of risk management practices, along with recommendations for a rectification response and the most suitable preventive measures for the future.

5.6.3 Departmental heads, the risk champions, shall be responsible for:

➢ Identifying risks which the company faces with respect to their functional areas in achieving its core business objectives;

➢ Determining quantitative exposures relating to company’s ability to accept risks within defined limits of overall risk tolerance framework such as underwriting permissions, investment limits, etc.;

➢ Devising a suitable risk response;

➢ Developing and reviewing risk management policies, based on all of the above.

5.7 Risk Reporting and Documentation

Risk Reporting

5.7.1 We suggest that the progress of the management action plans be reported to the BARC at least quarterly and as needed. It should become an integral part of the annual performance review against objectives.

5.7.2 Under the quarterly reporting, the BOD and BARC are apprised of all the enterprise risk management activities of the ERMC, the risk management department, the Risk Manager and the Risk Champions.

5.7.3 The ERMC should submit a report to the BOD and BARC on an annual basis covering:

• The risk profile of the organization

• The changes in that risk profile since the last year

• The performance of risk management framework

5.7.4 The BOD should be apprised by the Risk Manager and ERMC of the high-level risk register containing strategic and consolidated risks from each division. The risk report should be prepared around:

• What the most significant risks are and why;

• How these are controlled;

• Any particular reporting gaps and how these are proposed to be filled.


Documentation

5.7.5 Documentation of the risk management process should be carried out at each stage for the following reasons:

• It gives integrity to the process and is an important part of good corporate governance;

• It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;

• It provides a record of decisions made which can be used and reviewed in the future;

• It provides a record of risks which can be continuously developed.


6. ERM FRAMEWORK – REVISITED

6.1 Benefits of ERM

6.1.1 The sole purpose of implementing the ERM Framework within the company’s operations and management is to link each and every action to the long-term strategic objectives from a risk perspective. This shall lead to risk-controlled management of the business and allow the company to sail towards its objectives successfully and cater for any upcoming risks.

6.1.2 Enterprise risk management enables management to operate more effectively in a business environment filled with fluctuating risks. Enterprise risk management provides enhanced capability to:

• Align risk appetite: Risk appetite is the degree of risk, on a board level, that a business is willing to accept in pursuit of its objectives. Management considers the business’s risk appetite first in evaluating strategic alternatives, then in setting boundaries for downside risk.

• Minimize operational surprises and losses: Businesses have enhanced capability to identify potential risk events, assess risks and establish responses, thereby reducing the occurrence of unpleasant surprises.

• Enhance risk response decisions: ERM provides the rigor to identify and select among alternate risk responses – risk removal, reduction, transfer or acceptance.

• Resources: A clear understanding of the risks facing a business can enhance the effective direction and use of management time and the business’s resources to manage risk.

• Identify and manage cross-enterprise risks: Every business faces a myriad of risks affecting different parts of the organization. The benefits of ERM are only optimized when an enterprise-wide approach is adopted, integrating the disparate approaches to risk management within the company. Integration has to be effected in three ways: centralized risk reporting, the integration of risk transfer strategies and the integration of risk management into the processes of a business. Rather than being purely a defensive mechanism, it can be used as a tool to maximize opportunities.

• Link growth, risk and return: Businesses accept risk as part of wealth creation and preservation and they expect return commensurate with risk. ERM provides an enhanced ability to identify and assess risk and establish acceptable levels of risk relative to potential growth and achievement of objectives.

• Rationalize capital: More robust information on risk exposure allows management to more effectively assess overall capital needs and improve capital allocation.

• Seize opportunities: The very process of identifying risks can stimulate thinking and generate opportunities as well as threats. Responses need to be developed to seize these opportunities in the same way that responses are required to address identified threats to a business.

6.1.3 ERM adoption leads to improved business performance, increased organisational integration and effectiveness, and better risk reporting.

6.2 ERM Framework Summary

6.2.1 ERM Framework is summarised in the figure below.

Figure 6-1 ERM Framework Summary

I. Corporate Governance (board oversight)

II. Internal Control (sound system of internal control)

III. Implementation (appointment of external support)

IV. Risk Management Process (incremental phases of an iterative process): Analysis - Risk Identification - Risk Assessment - Risk Evaluation - Risk Planning - Risk Management

V. Sources of Risk (internal to the business and emanating from the environment): Internal Processes - Business Operating Environment


6.2.2 This is summarised in five elements:

I. Corporate governance is required to ensure that the board of directors and management have established the appropriate organisational processes and corporate controls to measure and manage risk across the business.

II. The creation and maintenance of a sound system of internal control is required to safeguard shareholders’ investment and a business’s assets.

III. A specific resource must be identified to implement the internal controls, with sufficient knowledge and experience to derive the maximum benefit from the process.

IV. A clear risk management process is required which sets out the individual processes, their inputs, outputs, constraints and enablers.

V. The value of the risk management process is reduced without a clear understanding of the sources of risk and how they should be responded to. The framework breaks the sources of risk down into two key elements, labelled internal processes and the business operating environment.