EMERGENCE OF THE CHIEF RISK OFFICER (CRO)


Friday, May 11
8 – 9:30 a.m.
Session 60
Session Sponsor: Joint Risk Management
Emergence of the Chief Risk Officer
Moderator: Sim Segal, FSA, MAAA
Presenters: Robert G. Lautensack, Jr., FSA; Henry M. McMillan, FSA, MAAA; Michel Rochette, FSA

A chief risk officer and an industry expert will explain the function of the CRO and skill sets required to serve in this capacity. What is the CRO’s responsibility and how does it fit within the organizational and decision-making structure of the firm? How is CRO performance evaluated? The discussion will include an examination of the value the actuarial skill set provides to those in, or being considered for, this role. You will learn for yourself what skills need to be acquired to sit in the “C” suite. Or, if you are a company executive, understand better how this role can serve the needs of your firm.

Targeted Value Ladder Stage: Market
Coordinators: Anthony Dardis, FSA, FIA, MAAA; David T. Henderson, FSA, MAAA


Role of the CRO
Bob Lautensack, Henry McMillan, Michel Rochette, Sim Segal
May 11 2007

Enterprise Risk Advisory, LLC


(1) Main Roles of a CRO:
• CRO is NOT the Risk Manager of the Risk Managers!
• Leader, facilitator, integrator, coordinator of risk rather than a manager of risk.
• Create a culture of risk awareness within the organization.
• Formally bring consideration of risk into strategic decision making.
• Develop a center of excellence for managing risk using the skill sets of individual risk managers.
• Communicate to all stakeholders – internal and external – about risk.
• Bring the BIG PICTURE PERSPECTIVE!



(1) Main Responsibilities of a CRO:
• Develop, maintain, and update risk governance framework:
  • Risk policies, risk appetite and risk limits.
  • Risk infrastructure, process and reporting.
  • Risk integration and links between risks.
• Coordinate with business line:
  • Risk training
  • Risk assessment and action plans
  • Incorporate risk elements in performance metrics
  • Ensure lines of business have risk capacity both in personnel and risk systems.


(1) Main Responsibilities of a CRO:
• Senior management:
  • Advise on risk issues in strategic decision making
  • Provide aggregated and detailed reports on risk in line with risk appetite and limits
  • Keep management apprised of industry standards
• Committees:
  • ALM, Credit, Operational, IT, Security
• External party liaison
• New regulatory risk initiatives: Ex. NAIC Corporate Governance for Risk Management Act.



(1) Skills Required:
• Some quantitative skills, but need not be a polymath: analytical, understands the models, and bright!
• Excellent understanding of the supply value chains of your organization: See the links between risks that the risk silos don’t see!
• Strategic and tactical thinker.
• Ability to understand business issues.
• Ability to compare risk and reward.
• Leader/educator in terms of promoting a risk culture.
• Project manager of risk initiatives.
• Ability to synthesize a lot of data and see trends and potential impact on company.
• Communication skills are a priority because a CRO is a C-level Executive: written and oral.



(1) Differences between Actuaries and CRO

Actuaries:
• Emphasize high quantitative skills
• Specialize in a field: Valuation, pricing, risk…
• Risk field: focus on measurement of risk
• Communication with peers
• Usually function with other actuaries in actuarial departments.

CROs:
• An analytical background is sufficient
• Overall view of the businesses: Integrative view. Can see the links.
• Some risk can’t be quantified but doesn’t mean that they can be managed.
• Communication to a broad audience, internal/external.
• Build links with business units where risks are managed.


(2) Internal: Interaction with the Board
92% report on risk to their Board of Directors at least annually

Once a month: 12%
Once a quarter: 53%
Twice a year: 15%
Once every year: 11%
Other: 1%
Do not formally report: 8%

Source: TP 2006 ERM Survey


(2) Internal: Interaction with Senior Management
More frequent than with the Board, about 40% monthly

Once a month: 39%
Once a quarter: 35%
Twice a year: 8%
Once every year: 6%
Other: 5%
Do not formally report: 7%

Source: TP 2006 ERM Survey


(2) External: Interaction with Shareholders
The majority (61%) of respondents indicate they report on risk to shareholders at least annually

Once a month: 4%
Once a quarter: 18%
Twice a year: 8%
Once every year: 27%
Other: 4%
Do not formally report: 39%

Source: TP 2006 ERM Survey


(2) External: Interaction with Regulators
62% of the participants formally report on risk to regulators

Once a month: 4%
Once a quarter: 18%
Twice a year: 3%
Once every year: 32%
Other: 5%
Do not formally report: 38%

Source: TP 2006 ERM Survey


(2) External: Interaction with Rating Agencies
63% report on risk to the rating agencies at least annually

Once a month: 0%
Once a quarter: 6%
Twice a year: 6%
Once every year: 48%
Other: 3%
Do not formally report: 37%

Source: TP 2006 ERM Survey


(2) Internal Communication of Risk
75% provide reports on key risk exposures and risk management activities to the executive committee or Board of Directors

Regular reports to executive committee/board of directors: 75%
On an ad hoc, as-needed basis: 45%
Regular reports to CRO: 32%
Risk “dashboards” at the risk category, business or corporate level: 29%
Regulatory reporting formats: 25%
Other: 4%

Source: TP 2006 ERM Survey


(2) External Communication
• More common with European insurers (68%)
• North America (26%)

Provide separate information to rating agencies: 59%
Separate section devoted to risk management in annual report: 45%
Provide supplementary information to regulators: 32%
Use regulatory reporting formats: 31%
Provide separate information to financial analysts: 18%
Do not externally communicate with stakeholders: 14%
Hold focus groups with key customers/suppliers/community: 3%
Other: 4%

Source: TP 2006 ERM Survey


(3) Decision Making by CROs: Risk/Control
• High level position => High level involvement
• Oversight role, not a cop!
• Must exist at the same level as CFO.
• Areas of focus:
  • Risk identification, particularly emerging risks
  • Risk approval process of new initiatives, making sure that all risks are taken into account
  • Risk exception authorization
  • Risk prioritization and escalation.
  • Risk mitigation strategies and alternatives
  • Risk compliance and business continuity.
  • Risk communication



(4) Risks under CRO’s Purview Now
• Financial risks:
  • Interest rate (97%)
  • Equity (81%)
  • Credit (asset default/migration) (80%)
  • Liquidity (41%)
• Demographic risks:
  • Mortality (92%)
  • Lapse (84%)
  • Longevity (73%)
  • Policyholder behavior (58%)
• Operational risks (70%)

Source: TP 2006 ERM Survey


(4) Risks under CRO’s Purview: Emerging
• Reputational Risk (52)
• Regulatory Risk (40)
• Human Capital Risk (40)
• IT Risk (35)
• Financial, Market, Credit and Insurance Risk (30)
• Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005. Max Scale: 100


(5) TOP RISKS
• Economic risks:
  • Credit losses are at historical lows: Risk of downturn is increasing. No spillover yet from SubPrime meltdown.
  • Political risks are increasing everywhere.
  • Liquidity risk: private equity, structured deals.
  • Thus: Scenarios and Stress tests still RELEVANT.
• Compliance with the new regulatory environment:
  • NAIC Corporate Governance For Risk Management Act
  • Solvency II.
  • Principles-based
  • Others: AML
• Monitoring and identifying emerging risks:
  • Longevity risk. Impact of new lifestyles, drugs on health.
  • Extreme events: Avian Flu, terrorism and business continuity
  • Concentration of risks and links between risks.



(6) Reporting relation of the CRO
• The person responsible for risk management most often reports to the CEO (45%)

[Figure: two bar charts, “Responsible for Risk Management” and “To Whom Primarily Reports”. Categories shown: Chief Risk Officer, Chief Fin. Officer, CFO or Financial Director, Chief Actuary, Risk Management Committee, Head of Internal Audit, CEO, Board of Directors, COO, Risk Committee, Other.]

Source: TP 2006 ERM Survey


(7) ERM Culture
• Evolutionary process: Must see a trend in a company from:
  • Existing risk identification in silos.
  • Start establishing links between risks: Ex. Natural Hedge between life and annuity operations.
  • Start being proactive in risk assessment: Forward looking, not just reporting on existing situation.
  • Embed risk analysis in new initiatives – new product, new IT system, M&A.
  • Communicate internally and externally about your risk situation.



(7) ERM Culture: Enshrined in organizations when:
• Business lines take the initiative on risk issues: Behaviors have changed.
• Prevention: Scanning for risks, consciously choosing the risks we want to retain, then managing them proactively.
• Detection: Early identification of risks from internal or external sources.
• CRO focuses only on emerging risk.
• Recovery after risk occurrence and learn quickly: continuous improvement.
• Risk analysis becomes as important as revenue generation: activities are evaluated on a risk-adjusted basis.
• Compensation becomes tied to risk.



(8) Risk Appetite:
• Definition: Risk appetite is defined as the organization’s willingness to accept risk in pursuit of its strategic objectives.
• Risk appetite is assessed against the organization’s key drivers of success: financial and non financial.
• The establishment of the statement on risk appetite is intended to guide employees in their actions and ability to accept and manage risks.
• Preferable if determined from top down rather than bottom up.
• Define metric: Debt rating, earnings volatility.


(8) Risk Appetite:
• Link with overall strategic goal.
  • Ex. Insurance financial strength rating or desired debt rating, which implies a desired capital to keep that rating over a given time horizon.
• Translate into day-to-day management:
  • Allocate risk appetite to each type of risk by setting up appropriate limits, including the zero tolerance risk. Ex. Fraud.
  • Allocate risk appetite even for the non quantifiable risk: Ex. Reputation risk. Firm not willing to compromise its reputation.
  • Define risk tolerances around that risk appetite.
• Communicate internally and externally: Build expectations about risk. When risk materializes within limits, markets will not react as they have already built it into their pricing.



(9) Challenges of the CROs
• Ensuring that the organization is in compliance with the ever changing regulatory environment.
• Informing the Board about significant risk issues.
• Assuring business continuity and preparing for crisis: crisis management and fighting inertia to do so.
• Monitor emerging risks: Operational, reputation, environmental.
• Get an integrated picture of risk: Establish links.
• Embed risk management in day-to-day operations.
• Linking risk management with capital management.


(9) Challenges of the CROs

Improving the risk measurement and quantification processes: 77%
Acting to manage the risk profile of your organization: 64%
Improving internal risk reporting processes: 63%
Ensuring that risk management considerations are explicitly factored into decision making: 59%
Improving the risk identification and prioritization processes: 54%
Establishing a risk framework and/or risk policy: 53%
Improving education and internal communication of risk management principles and approach: 46%
Establishing a risk management organization and governance structure: 42%
Improving external communications: 14%
Incorporating risk management considerations into incentive compensation: 8%
Other: 1%

Source: TP 2006 ERM Survey


Thanks
• Ellen Bull, Librarian at the SOA, for useful references and help for my two presentations


SOCIETY OF ACTUARIES
Life Spring Meeting (May 2007)
Session Topic: Emergence of the Chief Risk Officer
Session: 60
Value Ladder: Market

Overall Rating                                          All Sessions   This Session
Expected Attendance                                     2,690          32
Actual Attendance                                       2,238          17
Number of responses                                     998            11
Return rate (# of resp./actual att.)                    45%            65%
Overall rating of this session                          3.78           4.30

Learning Experience (2)
Indicate your level of agreement with the following. This session:
                                                        All Sessions   This Session
Provided you with practical technical information       3.97           3.60
Will enable you to make better business decisions       3.83           4.10
Prepared you to impact industry-wide changes            3.64           4.00

Presenter Effectiveness (1)
                                                        All Sessions   This Session
Robert Lautensack
  Knowledge of Subject                                  4.28           4.36
  Effectiveness of Delivery                             3.79           4.50
  Number of participants indicating presenter included commercial promotion in presentation: 0
Henry McMillan
  Knowledge of Subject                                  4.28           4.27
  Effectiveness of Delivery                             3.79           3.90
  Number of participants indicating presenter included commercial promotion in presentation: 0
Michel Rochette
  Knowledge of Subject                                  4.28           4.55
  Effectiveness of Delivery                             3.79           4.30
  Number of participants indicating presenter included commercial promotion in presentation: 0

Moderator Effectiveness (1): Rate the moderator's skills in managing this session
                                                        All Sessions   This Session
Sim Segal                                               3.80           4.64

(1) The rating scale used: Excellent (5), Very Good (4), Good (3), Fair (2), Poor (1), and N/A (no value).
(2) The rating scale used: Strongly Agree (5), Agree (4), Neither Agree nor Disagree (3), Disagree (2), Strongly Disagree (1), and N/A (no value).

Evaluation Tips to keep in mind when reviewing the responses: Numerical evaluations tend to give you a pretty good feeling for how well the attendees responded to the session as a whole. Scores in the range of 3 to 5 are considered successful programs. Written comments come from people who may have a strong opinion, therefore they tend to be very good or very bad. Repetitive comments that point to the same theme could be an indication of an area you may want to capitalize on in the future or work on for future presentations.

Perception Solutions, Inc.

www.perceptionsolutions.com

7/17/2007


SOCIETY OF ACTUARIES
Life Spring Meeting (May 2007)
Session Evaluation (Participants' Comments)

Session 60 (Value Ladder: Market)
Overall Comments Regarding This Session:
• Good discussion - should be repeated so more attend.
• Great format!

Perception Solutions, Inc.
www.perceptionsolutions.com
7/18/2007

