Page 1

© Grant Thornton. All rights reserved.

The Institute of Internal Auditors Bermuda Chapter
September 24, 2015

Emerging Risks and The Role of Internal Audit

"It is not the strongest or most intelligent who will survive but those who can best manage change."
– Charles Darwin

Mark Lastner
Managing Director
Business Advisory Services
Insurance Regulator Leader
T (direct) +1 215 814 1750
T (mobile) +1 267 844 2029
E [email protected]

John Swanick
National Insurance Advisory Practice Leader
Business Advisory Services
Insurance Regulator Leader
T (direct) 215 814 4070
T (mobile) +610 246 2156
E [email protected]

Page 2

Emerging Risks

Today's Agenda (with page numbers)

• Understanding the Challenge 3
• The Importance of Managing Emerging Risks 4
• Definition of Emerging Risk 5-6
• Components of an Emerging Risk Process 7-13
• Global Risks 2015 14-20
• Approach to Managing Internal Risks 21
• Examples of Implementing Emerging Risk Processes 22-24
• ERM Considerations/Solutions 25
• Regulatory Guidance 26-27
• Possible Internal Audit Roles 28-33
• Conclusion – Achieving Improved Performance 34-35

Page 3

Understanding the Challenge

Diagram: Internal Company Risks, Emerging Risks, Today's Company Enterprise Risks

Page 4

Business Case: The Importance of Managing Emerging Risks

• Potential to avoid significant negative surprises
• Fundamental component of an effective ERM program
• Potential to identify new business opportunities/strategic directions
• Align points of view from the Board level to the management team through regular communication.
• Fulfill regulatory requirements.

Page 5

What is an Emerging Risk?

Per the North American Chief Risk Officer Council:

• New or Evolving Risk
• Extent and Nature of Potential Losses are Uncertain
• Insufficient Information or Time to Have Been Fully Analyzed

Page 6

What is an Emerging Risk?

Lloyd's defines an emerging risk as an issue that is perceived to be potentially significant but which may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting.

Swiss Re defines emerging risks as newly developing or changing risks which are difficult to quantify and which may have a major impact on an organization.

Page 7

Emerging Risk Management

• Part of an overall risk management process
• Initial qualitative assessment that includes four basic dimensions:
  ― Potential likelihood of occurrence
  ― Potential magnitude of losses
  ― Potential direction of change
  ― Potential speed of change
• Process for more comprehensive immediate evaluation of risks distilled from above.

Page 8

Creation of a Risk Sensing Process

• Look to leverage existing in-house activities where possible
• Adopt clear and simple definitions for terms such as:
  ― evolving risk
  ― emerging risk
  ― enterprise risk
• Communicate the business case for a new formalized process
• Keep it simple by leveraging agreed-upon external data sources.

Page 9

Specific Components of an ER Process

• Understand and assess potential impacts of mega-risk trends (global risks)
• Determine how and when an emerging risk becomes an enterprise risk.
• Understand and assess potential impacts of internal risks that are not currently considered enterprise level but are receiving attention.

Page 10

Deeper Dives into Most Likely ERs

• Consider adding an ERM process step that analyses and tracks, if needed, each one
• Analysis is initially qualitative and consensus driven
• Move to quantitative steps if you determine it is beneficial
• Keep it understandable and easy to communicate

Page 11

Deeper Dive

• Identify potential impacts, positive and negative, to current strategic plans and business models
• Identify the path forward to manage changes/disruptions
• Emphasize leadership, urgency and change management abilities

Page 12

Selecting Emerging Risks for Future Monitoring

• Based upon assessments, which risks are…
  – Potentially disruptive to company plans
  – Potentially disastrous to earnings expectations
  – Potentially ruinous to company continuation
• If you monitor these risks
  – Will that give you an advantage over your competitors?
• If you do not monitor these risks
  – Will your competitors have an advantage over you?

Page 13

Identifying Emerging Risks

• Consider experts' predictions but remember they are only predictions
• Review the potential domino effect of risks
• Obtain multiple inputs and be open to the possibilities
• Be aware of changing trends, very infrequent events, cascading impacts, slow mega trends and tipping points.

Page 14

Global Risks 2015

• As defined by the World Economic Forum, "A global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years".

• "Faster communication systems, closer trade and investment links, increasing physical mobility and enhanced access to information have combined to bind countries, economies and businesses more tightly together"
  Klaus Schwab, Executive Chairman, World Economic Forum

Page 15

Global Risks Categories

#   Category        Includes
1   Economic        Asset bubbles, Inflation, Energy price shock
2   Environmental   Natural catastrophes, Man-made catastrophes
3   Geopolitical    Interstate conflicts, Large scale terrorism
4   Societal        Large scale migration, Food/water crises
5   Technological   Large scale cyber attacks, IT infrastructure breakdown

Page 16

Top Ten Global Risks – 2015

Most Likely
• Interstate Conflict
• Extreme Weather Events
• Failure of National Governance
• State Collapse or Crisis
• Unemployment/Underemployment
• Natural Catastrophes
• Failure of Climate Change Adaptation
• Water Crisis
• Data Fraud or Theft
• Cyber Attacks

Most Impactful
• Water Crisis
• Spread of Infectious Diseases
• Weapons of Mass Destruction
• Interstate Conflict
• Failure of Climate Change Adaptation
• Energy Price Shock
• Critical Information Infrastructure Breakdown
• Fiscal Crisis
• Unemployment/Underemployment
• Biodiversity Loss/Ecosystem Collapse

(Each risk on the slide carries a category icon, 1-5 per the categories on Page 15; the icons did not survive extraction.)

Page 17

Global Risk Interconnections Map 2015 (figure)

Page 18

The Evolving Risks Landscape (2007-2015) (figure)

Page 19

The Evolving Risks Landscape (2007-2015), continued (figure)

Page 20

Example of Emerging Risk Analysis (flowchart)

1. Global Risk Considered: Large scale cyber attacks; I.T. infrastructure
2. Identify Links to existing Risks in the Company: Data Security; Centralized controls; Limited Sensitive Data; Cyber Insurance
3. Evaluate Potential Impacts
4. Outcome: either Elevate to an Enterprise Risk with management, or Maintain on an Emerging Risk watch List (Add to Emerging Risk List for Annual Reassessment)

Page 21

Approach to Managing Internal Risks

• Risk profiles shift with organizational changes
• ERM process needs to include a risk focus refresh
• Build an emerging risk monitoring process around correlations to broad categories and existing enterprise risks.
• Focus on organizational topics including: strategy, org. structure, product portfolios
• Know your competitor's views on risk

Page 22

Examples of Implementing Emerging Risk Processes

Focusing on global (external) risks:

• Investment fund-research firm Morningstar is adding environmental, social and governance factors to ratings
• Swiss asset-management firm RobecoSam includes a "water-risk filter" on all investment analysis
• J.P. Morgan recently hired the retired chief of staff of the Army to advise on geopolitical risk
• Lloyd's has been evaluating "Realistic Disaster Scenarios" since 1995
• AM Best stress tests look to assess outlier scenarios.

Page 23

Examples of Emerging Risk Evaluations: Lloyd's Realistic Disaster Scenarios

• Florida Windstorm
• Gulf of Mexico Windstorm
• European Windstorm
• Japanese Windstorm
• California Earthquake
• New Madrid Earthquake
• Japanese Earthquake
• UK Flood
• Terrorism
• Marine
• Loss of Major Complex
• Aviation Collision
• Satellite Risks
• Liability Risks
• Political Risks

Page 24

Examples of Stress Tests: AM Best SRQ

• Market Risk:
  – Stocks: Losses equal to peak to trough of 2008 crash
  – Interest rates shift by 2.0%, which has happened once every 8 years over the past 50 years.
• Underwriting Risk
  – Catastrophe: Experience a catastrophic loss at 1/100 level per cat model
  – Reserves: Experience excess loss development equal to worst one year loss development in past __ years
  – Pricing: Experience underwriting loss equal to worst combined ratio for past __ years for two largest lines of business at the same time.
• Credit Risks: A reinsurer fails and it was the largest unsecured reinsurer.
• Operational Risk
  – Fraud by investment manager resulting in loss of 10% of funds under management.
  – IT data security breach which results in release of sensitive customer data for all personal lines clients and costs from fines and remedies for individuals
  – Employee class action lawsuit
  – Misplace the largest claims resulting in unexpected jump in claims as well as penalties for late payments
• Liquidity Risk: Experience Underwriting and Operational losses described above and must pay out while interest rates move by 2% and must raise any funds needed by selling bonds that have dropped in value
• Strategic Risk: New competitor takes away 50% of sales with new and innovative product and/or sales strategy. Company is unable to cut fixed expenses immediately.

Page 25

ERM Considerations/Solutions

Company Action
• Assess vulnerabilities and cascading impacts
• Develop scenarios
• Inform sensible exercises in crisis situations
• Prepare crisis exercises
• Train leadership to inform decisions
• Model risks external to the direct company environment
• Insurance/Reinsurance program updated

Marketplace Action
• Amend regulatory requirements
• Align global practices
• Organize industry-wide crisis exercise
• Research specific risk topics
• Product innovations to address emerging needs.

Page 26

Regulatory Guidance – Global Progress: Insurance Industry

Region/Country   Risk Management Requirement   Regulator
Bermuda          CISSA + Equivalence           BMA
Canada           ORSA                          OSFI
Europe           Solvency II ORSA              EU
U.K.             Solvency II                   PRA
U.S.             ORSA, SOX                     NAIC, NYSE, SEC

Page 27

Regulatory Guidance – Global Progress: Bank Industry

Region/Country   Risk Management Requirement   Regulator
Bermuda          Basel                         BMA
Canada           Basel                         OSFI
Europe           Basel                         EBA (EU)
U.K.             Basel                         PRA (Bank of England)
U.S.             Various (CCAR) etc., SOX      FDIC, OCC, Federal Reserve, SEC, NYSE

Page 28

Possible Roles for Internal Audit

• Ensure role clarity upfront using the IIA's "three lines of defense" best practice model. Communicate regularly.
• Make sure audit plans (and audit resources) are focused on major risks
• Provide assurance that the risk management function is addressing current and future risks
• Contribute to the discussion of emerging risks in an insightful manner
• Identify risk management "operations" improvement opportunities (e.g. use of technology)
• Be aware of available risk/control frameworks/approaches
• All of the above in a real time fashion/"think urgent"
• Consider evaluating aspects of the insurance/reinsurance program in place

Page 29

Possible Roles for Internal Audit (figure)

Page 30

Popular Risk Frameworks to Understand

• COSO
• ISO 31000
• Debt Rating Agencies
• RIMS
• Actuarial Societies (CERA)
• NIST

Page 31

COSO Framework for Emerging Risk

Component              Example Action Plan
Objective Setting      Add Emerging Risk to ERM expectations
Event Identification   Decide on the approach to inventorying
Risk Assessment        Conduct initial assessment to identify most significant Emerging Risks
Control Activities     Develop new reporting formats that highlight the nature of risk.
Monitoring             Evaluate the effectiveness of the new process on an organization-wide basis

Page 32

Possible Roles for Internal Audit

• Align very closely with the ERM function
• Thoroughly understand the ERM processes and best practices
• Consider more frequent audit plan amendments
• Challenge risk indicator data
• Understand points of interconnection of risks
• Change communication frequency on major risks
• Evaluate the current reporting of identified emerging risks.
• Determine compliance with applicable risk-focus regulations.

Page 33

Possible Roles for Internal Audit in Risk Management (figure)

Page 34

Conclusion: Achieving Improved Performance

• By improving the ERM process, negative surprises are avoided.
• Awareness and communication of potential issues is enhanced.
• An organization's ability and openness to change is improved.
• Actual shareholder value is added over time.
• For Internal Audit, being part of change is a great opportunity to add value.

Page 35

Conclusion

"I… make a claim, against many of our habits of thought, that our world is dominated by the extreme, the unknown, and the very improbable (improbable according to our current knowledge)… This implies the need to use the extreme event as a starting point and not treat it as exception to be pushed under the rug".

– Nassim Nicholas Taleb, from The Black Swan