© Grant Thornton. All rights reserved.
The Institute of Internal Auditors Bermuda Chapter
September 24, 2015
Emerging Risks and The Role of Internal Audit
"It is not the strongest or most intelligent who will survive but those who can
best manage change."
– Charles Darwin
Mark Lastner
Managing Director
Business Advisory Services
Insurance Regulator Leader
T (direct) +1 215 814 1750
T (mobile) +1 267 844 2029

John Swanick
National Insurance Advisory Practice Leader
Business Advisory Services
Insurance Regulator Leader
T (direct) 215 814 4070
T (mobile) +610 246 2156
E [email protected]
Emerging Risks
Today's Agenda (page)
• Understanding the Challenge 3
• The Importance of Managing Emerging Risks 4
• Definition of Emerging Risk 5-6
• Components of an Emerging Risk Process 7-13
• Global Risks 2015 14-20
• Approach to Managing Internal Risks 21
• Examples of Implementing Emerging Risk Processes 22-24
• ERM Considerations/Solutions 25
• Regulatory Guidance 26-27
• Possible Internal Audit Roles 28-33
• Conclusion – Achieving Improved Performance 34-35
Understanding the Challenge
[Diagram labels: Internal Company Risks; Emerging Risks; Today's Company Enterprise Risks]
© Grant Thornton. All rights reserved.
Business Case: The Importance of Managing Emerging Risks
• Potential to avoid significant negative surprises
• Fundamental component of an effective ERM program
• Potential to identify new business opportunities/strategic directions
• Align points of view from the Board level to the management team
through regular communication.
• Fulfill regulatory requirements.
What is an Emerging Risk?
Per the North American Chief Risk Officer Council:
• New or Evolving Risk
• Extent and Nature of Potential Losses are Uncertain
• Insufficient Information or Time to Have Been Fully Analyzed
What is an Emerging Risk?
Lloyd's defines an emerging risk as an issue that is perceived to be potentially significant but which may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting.
Swiss Re defines emerging risks as newly developing or changing risks which are difficult to quantify and which may have a major impact on an organization.
Emerging Risk Management
• Part of an overall risk management process
• Initial qualitative assessment that includes four basic dimensions:
― Potential likelihood of occurrence
― Potential magnitude of losses
― Potential direction of change
― Potential speed of change
• Process for more comprehensive immediate evaluation of risks
distilled from above.
Creation of a Risk Sensing Process
• Look to leverage existing in-house activities where possible
• Adopt clear and simple definitions for terms such as:
― evolving risk
― emerging risk
― enterprise risk
• Communicate the business case for a new formalized process
• Keep it simple by leveraging agreed-upon external data sources.
Specific Components of an ER Process
• Understand and assess potential impacts of mega-risk trends (global
risks)
• Determine how and when an emerging risk becomes an enterprise
risk.
• Understand and assess potential impacts of internal risks that are not
currently considered enterprise level but are receiving attention.
Deeper Dives into most likely ERs
• Consider adding an ERM process step that analyses and tracks, if
needed, each one
• Analysis is initially qualitative and consensus driven
• Move to quantitative steps if you determine it is beneficial
• Keep it understandable and easy to communicate
Deeper Dive
• Identify potential impacts, positive and negative, to current strategic
plans and business models
• Identify the path forward to manage changes/disruptions
• Emphasize leadership, urgency and change management abilities
Selecting Emerging Risks for Future Monitoring
• Based upon assessments, which risks are…
– Potentially disruptive to company plans
– Potentially disastrous to earnings expectations
– Potentially ruinous to company continuation
• If you monitor these risks
– Will that give you an advantage over your competitors?
• If you do not monitor these risks
– Will your competitors have an advantage over you?
Identifying Emerging Risks
• Consider experts' predictions but remember they are only predictions
• Review the potential domino effect of risks
• Obtain multiple inputs and be open to the possibilities
• Be aware of changing trends, very infrequent events, cascading
impacts, slow mega trends and tipping points.
Global Risks 2015
• As defined by the World Economic Forum, "A global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years".
• "Faster communication systems, closer trade and investment links, increasing physical mobility and enhanced access to information have combined to bind countries, economies and businesses more tightly together"
Klaus Schwab
Executive Chairman
World Economic Forum
Global Risks Categories
1. Economic ― includes Asset bubbles, Inflation, Energy price shock
2. Environmental ― includes Natural catastrophes, Man-made catastrophes
3. Geopolitical ― includes Interstate conflicts, Large scale terrorism
4. Societal ― includes Large scale migration, Food/water crises
5. Technological ― includes Large scale cyber attacks, IT infrastructure breakdown
Top Ten Global Risks – 2015
Most Likely
• Interstate Conflict
• Extreme Weather Events
• Failure of National Governance
• State Collapse or Crisis
• Unemployment/Underemployment
• Natural Catastrophes
• Failure of Climate Change Adaptation
• Water Crisis
• Data Fraud or Theft
• Cyber Attacks
Most Impactful
• Water Crisis
• Spread of Infectious Diseases
• Weapons of Mass Destruction
• Interstate Conflict
• Failure of Climate Change Adaptation
• Energy Price Shock
• Critical Information Infrastructure Breakdown
• Fiscal Crisis
• Unemployment/Underemployment
• Biodiversity Loss/Ecosystem Collapse
Global Risk Interconnections Map 2015
The Evolving Risks Landscape (2007-2015)
Example of Emerging Risk Analysis
• Global Risk Considered: Large scale cyber attacks; I.T. infrastructure
• Identify Links to existing Risks in the Company: Data Security; Centralized controls; Limited Sensitive Data; Cyber Insurance
• Evaluate Potential Impacts
• Outcome: Elevate to an Enterprise Risk with management, or Maintain on an Emerging Risk watch List
• Add to Emerging Risk List for Annual Reassessment
Approach to Managing Internal Risks
• Risk profiles shift with organizational changes
• ERM process needs to include a risk focus refresh
• Build an emerging risk monitoring process around
correlations to broad categories and existing enterprise
risks.
• Focus on organizational topics including: strategy, org.
structure, product portfolios
• Know your competitor's views on risk
Examples of Implementing Emerging Risk Processes
Focusing on global (external) risks:
• Investment fund-research firm Morningstar is adding environmental, social and governance factors to ratings
• Swiss asset-management firm RobecoSAM includes a "water-risk filter" on all investment analysis
• J.P. Morgan recently hired retired chief of staff of the Army to advise on
geopolitical risk
• Lloyd's has been evaluating "Realistic Disaster Scenarios" since 1995
• AM Best stress tests look to assess outlier scenarios.
Examples of Emerging Risk Evaluations
Lloyd's Realistic Disaster Scenarios
• Florida Windstorm
• Gulf of Mexico Windstorm
• European Windstorm
• Japanese Windstorm
• California Earthquake
• New Madrid Earthquake
• Japanese Earthquake
• UK Flood
• Terrorism
• Marine
• Loss of Major Complex
• Aviation Collision
• Satellite Risks
• Liability Risks
• Political Risks
Examples of Stress Tests
AM Best SRQ
• Market Risk:
– Stocks: Losses equal to peak to trough of 2008 crash
– Interest rates shift by 2.0%, which has happened once every 8 years over the past 50 years.
• Underwriting Risk:
– Catastrophe: Experience a catastrophic loss at 1/100 level per cat model
– Reserves: Experience excess loss development equal to worst one-year loss development in past __ years
– Pricing: Experience underwriting loss equal to worst combined ratio for past __ years for two largest lines of business at the same time.
• Credit Risk: A reinsurer fails and it was the largest unsecured reinsurer.
• Operational Risk:
– Fraud by investment manager resulting in loss of 10% of funds under management.
– IT data security breach which results in release of sensitive customer data for all personal lines clients and costs from fines and remedies for individuals
– Employee class action lawsuit
– Misplace the largest claims resulting in unexpected jump in claims as well as penalties for late payments
• Liquidity Risk: Experience Underwriting and Operational losses described above and must pay out while interest rates move by 2% and must raise any funds needed by selling bonds that have dropped in value
• Strategic Risk: New competitor takes away 50% of sales with new and innovative product and/or sales strategy. Company is unable to cut fixed expenses immediately.
ERM Considerations/Solutions
Company Action
• Assess vulnerabilities and cascading impacts
• Develop scenarios
• Inform sensible exercises in crisis situations
• Prepare crisis exercises
• Train leadership to inform decisions
• Model risks external to the direct company environment
• Insurance/Reinsurance program updated
Marketplace Action
• Amend regulatory requirements
• Align global practices
• Organize Industry-wide crisis exercise
• Research specific risk topics
• Product innovations to address emerging needs.
Regulatory Guidance – Global Progress
Insurance Industry
Region/Country    Risk Management Requirement    Regulator
Bermuda           CISSA + Equivalence            BMA
Canada            ORSA                           OSFI
Europe            Solvency II ORSA               EU
U.K.              Solvency II                    PRA
U.S.              ORSA, SOX                      NAIC, NYSE, SEC
Regulatory Guidance – Global Progress
Bank Industry
Region/Country    Risk Management Requirement    Regulator
Bermuda           Basel                          BMA
Canada            Basel                          OSFI
Europe            Basel                          EBA (EU)
U.K.              Basel                          PRA (Bank of England)
U.S.              Various (CCAR) etc., SOX       FDIC, OCC, Federal Reserve, SEC, NYSE
Possible Roles for Internal Audit
• Ensure role clarity upfront using the IIA's "three lines of defense" best practice model. Communicate regularly.
• Make sure audit plans (and audit resources) are focused on major risks
• Provide assurance that the risk management function is addressing
current and future risks
• Contribute to the discussion of emerging risks in an insightful manner
• Identify risk management "operations" improvement opportunities (e.g. use of technology)
• Be aware of available risk/control frameworks/approaches
• All of the above in a real time fashion/"think urgent"
• Consider evaluating aspects of the insurance/reinsurance program in
place
Possible Roles for Internal Audit
Popular Risk Frameworks to Understand
• COSO
• ISO 31000
• Debt Rating Agencies
• RIMS
• Actuarial Societies (CERA)
• NIST
COSO Framework for Emerging Risk
Components             Example Action Plan
Objective Setting      Add Emerging Risk to ERM expectations
Event Identification   Decide on the approach to inventorying
Risk Assessment        Conduct initial assessment to identify most significant Emerging Risks
Control Activities     Develop new reporting formats that highlight the nature of risk.
Monitoring             Evaluate the effectiveness of the new process on an organization-wide basis
Possible Roles for Internal Audit
• Align very closely with the ERM function
• Thoroughly understand the ERM processes and best practices
• Consider more frequent audit plan amendments
• Challenge risk indicator data
• Understand point of interconnection of risks
• Change communication frequency on major risks
• Evaluate the current reporting of identified emerging risks.
• Determine compliance with applicable risk-focus regulations.
Possible Roles for Internal Audit in Risk Management
Conclusion
Achieving Improved Performance
• By improving the ERM process, negative surprises are avoided.
• Awareness and communication of potential issues is enhanced.
• An organization's ability and openness to change is improved.
• Actual shareholder value is added over time.
• For Internal Audit, being part of change is a great opportunity to add
value.
Conclusion
"I… make a claim, against many of our habits of thought, that our world is
dominated by the extreme, the unknown, and the very improbable
(improbable according to our current knowledge)… This implies the need to
use the extreme event as a starting point and not treat it as exception to be
pushed under the rug".
– Nassim Nicholas Taleb
from The Black Swan