risk informed decision making - sedgwick institute...apr 03, 2019 · • can reveal emerging...
Risk Informed Decision Making
Susan Meltzer, VP, Risk, AVIVA
Chris Mandel, RIMS-CRMP, SVP, Strategic Solutions; Director, Sedgwick Institute
Today’s agenda
• Tying risks to objectives and decision-making
• Emerging risk identification and reporting
• Understanding your risk profile
• Knowing your stakeholders
• Developing a strategic reporting plan
• Measuring and monitoring plan performance
• Key take-a-ways & questions
Do some risks matter more than others?
The risk type spectrum
Strategic
• Acquisitions
• Business Model
• Competition
• Demographic
• Brand
• Disruptive innovation
• Market
Operations
• Customer service
• Infrastructure
• Processes
• System capabilities
• Talent
• Technology
Financial
• Capital
• Cash flow
• Credit
• Debt obligations
• Foreign exchange
• Liquidity
• Etc.
External
• Economy
• Environment
• Geopolitical
• Regulatory
• Tax policies
• Weather events
• Etc.
AN ENTERPRISE RISK MANAGEMENT SPECTRUM
The strategic risk dilemma: beyond insurable risks
Source: Corporate Executive Board
Figure: High Performance and the Loss Curve. Axes: frequency/likelihood against severity/impact. Labels: Expected Losses; Typically Insurable; Typically Uninsurable.
Copyright ERM, LLC: All rights reserved; distribution prohibited without permission
The discipline of risk management has evolved from strictly a value preservation-based focus to a balanced focus between protecting assets and creating or enhancing value.
• Strategic Risks
• Regulatory Risks
• Risk Appetite and Culture
• Operational Risks
• Financial Risks
• Risk Tolerances, Ownership and Accountability
Effective Risk Management? A flexible and dynamic risk management discipline is uniquely positioned to quickly adapt to change and identify opportunistic risk to create new streams of revenue and increase value
Value preservation to value creation
Emerging risks: critical to the strategic plan horizon
Traits of emerging risks
Emerging Risks
• High Level of Uncertainty
• Lack of Consensus
• Uncertain relevance
• Difficult to Communicate
• Difficult to Assign Ownership
• Systemic or “business practice” issues
Source: RIMS Executive Report Emerging Risks and Enterprise Risk Management © 2010 RIMS
Providing Clarity & Assurance to Decision Makers
Aligning KPI’s with key risk indicators & the corporate scorecard
When aligned:
• Enables management of its strategic risks by identifying them before incidents occur that can lead to losses.
• Can reveal emerging risks, identify risk exposure levels, and detect changes or trends in existing risk exposures.
• Can measure risk and volatility related to achieving those objectives
• They are always a leading (predictive) indicator
• Provide objective, quantifiable information about emerging risks and trends that can affect an organization's success
• Can reveal trend level changes that could affect the plan
Attributes of “risk intelligence”
Stages: 1. Tribal & Heroic; 2. Specialist Silos; 3. Top-Down; 4. Systematic; 5. Risk Intelligent
• Ad-hoc/chaotic; depends primarily on individual heroics, capabilities and verbal wisdom
• Reaction to adverse events by specialists
• Discrete roles established for small set of risks
• Typically finance, insurance, compliance
• Tone set at the top
• Policies, procedures, risk authorities defined and communicated
• Business function
• Primarily qualitative
• Reactive
• Integrated response to adverse events
• Performance linked metrics
• Rapid escalation
• Cultural transformation underway
• Bottom-up
• Proactive
• Built into decision-making
• Conformance with enterprise risk management processes is incentivized
• Intelligent risk taking
• Sustainable
• “Risk management is everyone’s job”
Un-Rewarded Risk
Rewarded Risk
Source: Deloitte
Steps to a “risk intelligent” enterprise
1. Establish a framework, policy and process for assessing and managing risks
2. Identify key risks and vulnerabilities and the plans to address them.
3. Assess where risks could impact significant value
4. Establish your risk appetite, how much you’ve taken on and whether you need to take more or less risk to achieve plan
5. Decide who, inform and hold accountable those who have the authority to take risk
6. Enable and resource risk-taking capabilities on an integrated and sustainable basis
Based in part on Deloitte’s Risk Intelligent Enterprise Model
Influencing leadership and changing culture towards better decisions
What is a risk profile?
• Key risks vs all risks?
• What matters to whom?
• Alignment with KPIs/corporate scorecards
• Who owns and is accountable?
• Correlation with strategies and objectives
• The status of the control environment
• The status of targeted mitigation
• Trends and relevant changes
What risks and risk info is relevant?
• Defining “key risks”
• The “emerging risk” dilemma
• Understanding or managing risks
• Categories and types vs risks
• The impact of digitization of the risk profile
• Prioritizing for limited treatment resources
• Risk process best practices
• Risk talent strategy/status
• Risk communication strategy/status
• Risk training strategy/status
• Risk process maturity and improvement
Helping the board succeed
• The board’s risk oversight role
• Knowing the “key risks”
• Confirming risk management effectiveness
• What else might be relevant?
• Threats & opportunities to long term strategy
• Validating:
  • Risk strategy
  • Risk appetite
  • Risk leadership skills
• Tell them what they don’t know (but don’t know they need to)
Consider these key questions….
• What are the key risks based on our strategy and business model?
• Do we understand the root cause, impact, likelihood and potential velocity?
• Are we providing regular updates on changes to key risks to the leadership team?
• Does the leadership team exhibit a healthy level of challenge and skepticism?
Business unit management reporting
• Key Priorities:
  • Implement strategies to reach targets
  • Report to C-Suite
• Need to Know:
  • Understand & support the risks they have taken or intentionally avoided
C-suite reporting
• Key Priorities:
  • Accountable to the board
• Need to Know:
  • Understand the relationship between risk management and strategy and how they influence each other
  • Understand how current and emerging risks impact strategy execution
Board reporting
• Key Priorities:
  • Discharge their duties of governance/risk oversight
• Need to Know:
  • Critical risks to the organization – tied to strategies & objectives
  • Risk profile
  • Mitigation plans
  • Risk ownership & accountability
Alignments with Stakeholders
Narrow, Specific Risk Interests
All Risk Stakeholders Enable Risk Identification, Assessment and Management
ERM
Determine the Goals Needed to Achieve the Plan
Strategic Planning
Collaborate on Risks to Objectives
Achieve Objectives
Control Risks to Success
Risk reporting example
• Provide management with actionable risk reporting
• Link risks & opportunities to strategic objectives
• What’s significant to the business
Strengthen quality & compliance, become world class
Successfully launch new products
Be #1 in key overseas markets
Risk 1 – Impact of outsourcing
Risk 2 – Failure to stay abreast of regulations
Risk 1 – Inadequate staffing
Risk 2 – Delay in speed to market
Risk 1 – Failure to anticipate competition
Risk 2 – Misjudged demand
Opp 1 – Ability to re-map authority & accountability
Risk-based decisions that support the strategy and mission
Key questions addressing risk appetite strategy
• How much risk are we taking?
• How much risk can we take?
• How much risk do we prefer to take?
• How much risk do we need to take to reach our strategic goals?
• Which risks do we want to take and which risks are unacceptable to take and why?
• What is the gap between capacity and need?
• If the gap is large between need and capacity, how and which strategies need to be modified?
• What is the cost/benefit of key gap closing activities?
Expressions of risk appetite
• Quantitative:
  • Our Target Regulatory Capital should not fall below X
  • Our Economic Capital surplus should be Y
  • We are targeting to maintain a Financial Strength rating of A++
  • We intend to earn a return on Equity of Z%
  • We intend to pay a dividend of YY
  • We wish to limit our concentration to a single customer to X%
• Qualitative:
  • We strive to ensure that we have the best reputation in the market
  • Human Capital is our strength. We wish to hire the best people in the business to execute our objectives
  • We will limit our markets to Canada and only in the widgets market
Developing a strategic reporting plan
Key questions to address:
• What are your key goals for risk reporting?
• Who are the targets of information?
• What information do each of them need, when and in what form?
• What are the sources of inputs for your reporting?
• Are your inputs reliable and can they be secured timely?
• What frequency of reporting is sufficient for your goals?
• Do you have sufficient tools to achieve your reporting goals?
• What resources do you need to achieve your reporting goals?
• From whom do you need to get support and approval for your plan?
• Will your plan tell your story adequately? How will you know?
Risk management framework
Identify
Measure
Monitor
Manage
Report
Risk Aware Culture
Risk Management Principles:
Responsible risk taking contributes to value creation and improves ability to offer products and services to customers. Board approved Risk Appetite governs the level of risk we are willing to accept. Any risks outside appetite will be proactively managed in a timely manner. Accept risks where we have the required organizational capability, expertise and infrastructure to manage the risks in addition to sufficient capital to withstand risk materializing even under extreme stressed conditions.
Being prepared for the new normal: Practicality is the key
• Risk management is not a project or an initiative
  • It is an enhancement to a business model and to management’s processes
• Risk management informs the business in its decision-making:
  • It doesn’t make decisions for the business
• Risk management strikes a balance of quantification, controls and a variety of risk mitigation techniques
• Risk management clearly supports risk-taking by the business
  • While providing clearly articulated risk appetite and tolerance statements to promote risk-taking in a structured manner
• Risk management is talking about, considering, discussing and embedding risk techniques into the activities of the organization
The challenge: How do we improve our awareness and capabilities surrounding the risks that matter most?
• Proactive: Take better steps to anticipate prospective risks rather than reacting to issues as they materialize.
• Material: Raise the bar in the way that we identify, assess, manage and report on risks by focusing on material risks to the business.
• Integrated: Eliminate silo view of risks by focusing on the integration of financial and operational risks across the organization.
• Action: Directly incite action to help us to monitor and prepare for potential emerging risks.
• Top Down: Avoid reliance on bottom up risk identification process and find new ways to identify important risks.
Risk is what happens to you in the tail
Figure: probability plotted against the key risk indicator/risk measure. Labels: Target; Tolerance; VAR/EC; Management; Risk Management Governance; a, b, c.
How do we identify scenarios?
• What are the events that keep you up at night?
• Which events could trigger a $1 billion loss to the franchise?
• How could your company’s name get into the news in an unflattering way?
• What events is the organization underprepared for?
• What events will fundamentally change the way the business operates?
My Take on Emerging risks
© Aviva Canada Private and confidential
1st line, 2nd line, 3rd line
• Inflation
• Global recession
• European financial crisis
• Changes in the regulatory environment at the federal and provincial levels
• Employees engagement, morale and behaviour
• Change in the shape of the yield curves in the USA and Canada
• Local impact of a Pandemic
• Sudden increases on credit spreads
• Cyber attacks and Data Theft
• Macroeconomic Threats
• Potential disruptors (Google etc.)
• Federal Election
• Loss of key resources
A Risk Spectrum summarizes the emerging risks, with clear indication of the proximity and expected impact.
Considerations for more effective risk management
• Appetite, tolerances and materiality understood
  Identify the risks the board and senior management need to take, know and manage most effectively
• Risk strategy and profile defined
  Drive a consensus around risk strategy, the risk profile and ensuring risk is a key consideration in planning/decision making
• Capable, informed & aligned risk stakeholders
  Involve the right stakeholders in an effective and coordinated risk strategy that adds value in executing corporate strategy
• Clear, understandable risk process
  Enable board members, managers, and employees to understand and be appropriately engaged in the risk process
• Embedding risk intelligence into culture – build resilience
  Integrate risk management into all key business processes, including planning, operating, and financing activities
Key Take-a-ways
• The way you measure and communicate risk should reinforce the tie between risks and strategies
• Effective emerging risk reporting is critical to long term success
• You must be able to clearly communicate the status of your risk profile
• You must know your stakeholders, their priorities and their in a successful risk program and strategy
• Your risk management strategy must include a measurement and reporting strategy and plan
• You must be able to reliably measure and monitor both risk plan performance and its impact on enterprise performance
Thank you. Questions?
RIMS Report (2017): Five steps for communicating with executives
• Prepare for the meeting
• Listen carefully
• Speak their language
• Propose solutions
• Challenge yourself
What is risk management effectiveness?
• Accomplishing stated goals
• Influencing planning and strategy
• Improving the chances of success
• Reducing performance volatility
• Being prepared for the unexpected
• Getting ahead of emerging risks
• Evidence that risk management is reflected in core processes
• Enabling the board’s risk oversight role
• Reducing the frequency of near misses
• Reducing cost of capital & improving shareholder value
• Increased risk sensitivity and awareness in the culture
Source: Board Perspectives: Risk Oversight, Protiviti
Strategic objective: Example - Expand presence in emerging markets (Asia, Africa, LatAm)
• Countries not able to pay in a timely fashion
• Fragile production process – inability to obtain product
• Political instability – assets seized
• PLAN
• Weakening intellectual property laws
• Country regulations
• Government-controlled pricing
• Competition
• ACT
• Supplier, distributor, customer liquidity
• Slows sales expansion
• Inability to retain qualified personnel
• AWARE
• Competitor landscape
• Weak economic and financial environment
• Lower ethics & compliance standards
• MONITOR
Figure: grid of IMPACT (Significant, Major, Minor) against LIKELIHOOD (Unlikely, Possible, Likely).
How does strategic risk management shape decisions?
Source: RIMS Integrating ERM and Strategy workshop, 2011-2016. All rights reserved.
Figure labels: Mission Accomplishment; Corporate Business Strategy; Collaboration Among Leaders; Risks Matched to Objectives; Measurement Alignment; Risk Management Strategy.
Components of risk-strategy alignment
Risk stakeholders?
• Who are your risk stakeholders?
• What do they need to know?
• Giving them what they need to succeed
• Engaging them:
  • First for their success; and
  • Second for yours
• Developing them into your:
  • Sensing mechanisms
  • Source of emerging exposure
  • Partners in risk innovation and improvement
Do you know your stakeholders?
Business Unit Management
C-Suite
Board
Know your stakeholders
• Map your stakeholders to prioritize your efforts
• Know your high touch, low touch customer
• How much do you need to socialize your information
• If they don’t know what they need, you get to tell them!
Examples of using big data
• Rapidly contacting customers to verify suspicious transactions based on real-time analysis
• Using predictive models to distinguish between legitimate and fraudulent transactions
• Tracking customer spending patterns across 100% of transactions
• Analyzing employee traits and behaviors to uncover regulatory violations before they become findings and fines
• Assessing employee safety vulnerabilities across entire industries
A VUCA world
• Volatile: nature, dynamics and speed of change
• Uncertain: Lack of predictability, subject to surprises
• Complex: Multiplex of forces, confounding issues, chaos and confusion
• Ambiguous: Haziness of reality, mixed meanings, potential for misreads
What is an emerging risk?
• Those issues that have not manifested themselves sufficiently to be managed using the tools commonly applied to more developed exposures. They are “those risks an organization has not yet recognized or those which are known to exist, but are not well understood”
RIMS’ “Emerging Risks and ERM”
• A condition, situation or trend that could significantly impact the Company’s financial strength, competitive position or reputation within the next 5 years. Emerging risks involve a high degree of uncertainty. It is unclear where an emerging risk will land on the loss curve.
Anonymous actuary
Risk capability as a feeder to strategy
Four areas of improvement necessary for risk-strategy success:
1. Aligning, if not integrating business strategy with risks
2. Adopting and applying dynamic risk appetite strategies/frameworks
3. Managing the diversity of stakeholder expectations
4. Improving risk sensing, monitoring and reporting
Source: PwC’s Re-evaluating how your company addresses risk
Vision
Mission
Goal 1 Goal 2 Goal 3
Strategy 1.2
Strategy 1.1
What we want to be?
What we will do to get there?
What approach should we take?
What is the desired outcome?
Objectives 1.1
Objectives 1.2
What measurable steps should we take?
What are the key uncertainties?
Getting beyond Excel spreadsheets
“Despite decades of evolving RMIS, ERMIS, GRC and ERM system platforms, the number of risk leaders still using only spreadsheets is astounding.” anonymous
• Nevertheless, risk leaders should do what their organizations hired/need them to do. Fundamentally, that should be:
  • To clearly define the problems you need to solve
  • Analyzing the right data
  • Providing concise, timely and reliable reporting to the right recipients
• Challenges:
  • Sourcing the skills/expertise needed for the right, most insightful analysis
  • Driving as much reporting as possible into actionable elements
  • Deciding what tools you should and CAN use
  • Aligning risk reporting to business priorities
  • Avoiding overkill in both tools and output
Big or actionable data?
• Big data - what is it?
  • Vast in scope
  • Varied in form
  • Instantaneous in velocity
  • Manipulated by mainframes to hand-helds
  • Extracted from internal and external sources
• How can risk managers exploit it?
  • Using tools to integrate, manipulate and access structured and unstructured data
  • Using advanced tools to enable predictive and prescriptive analytics and visualization
  • Apply big data to the biggest, most complex risks
  • Being able to integrate, manipulate and query BD to create/update risk profiles
  • Feed simulation analysis
  • Inform scenario analysis
Source: Big data as the key to better risk management, The Economist
The spectrum of analytical methods
Descriptive analytics is a preliminary stage of data processing that creates a summary of historical data to yield useful information and possibly prepare the data for further analysis. It is sometimes said to provide information about what happened.
Predictive analytics is the branch of advanced analytics used to make predictions about unknown future events. It uses many techniques from data mining, statistics, modeling, machine learning, and artificial intelligence to analyze current data to make predictions about future events.
Prescriptive analytics is the area of business analytics dedicated to finding the best course of action for a given situation. It is the higher order evolution of both descriptive and predictive analytics.
Measuring and monitoring plan performance
• Know and understand the organization’s KPIs
• Use KRIs that are aligned with the KPIs
• Ensure risk ownership is assigned and accepted/accountable
• Develop process for risk information flow from risk owners/BUs (ROs) to the risk reporting function/team
• Develop collaborative alignment with key risk information stakeholders like audit, legal and compliance
• Develop process for gap identification and closure with ROs
• Develop channel for risk info flow and feedback to/from planning, BU risk leadership and the board
8 steps to integrating risk and strategy
1. Build meaningful relationships with planning leaders
2. Demonstrate to planners the direct relationship between specific key risks and the strategic goals of the firm
3. Demonstrate to planners the ability to treat these risks including the clear understanding of the cost benefit of mitigation
4. Articulate examples of how new or greater risks taken can create value
5. Identify and challenge fundamental assumptions
6. Identify and look for signals regarding unexpected events
7. Clarify whether these events are risks or opportunities or both
8. Develop a plan with options that allow for resiliency in adversity through agility
Source: Deloitte’s Shaping a Risk Intelligent Strategy