1. Page 1
Recording of this session via any media type is strictly prohibited.
ERM Definition
RIMS
A strategic business discipline that supports the achievement
of an organization’s objectives by addressing the full spectrum
of its risks and managing the combined impact of those risks
as an interrelated risk portfolio.
2. Page 2
Traditional Risk Management Department
3. Page 3
ERM Governance Model
4. Page 4
Classifications of Risk
5. Page 5
Risk Quadrants
6. Page 6
RIMS Risk Maturity Model
Uses 5 maturity levels based on CMM applied
to 7 attributes:
• Adoption of ERM-based approach
• ERM process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Business resiliency and sustainability
7. Page 7
Enterprise Risk Management
Framework and Process
8. Page 8
Framework and Process
9. Page 9
ISO 31000 Framework and Process
Source: ISO 31000:2009
10. Page 10
COSO ERM
Source: COSO – Enterprise Risk Management – Integrated Framework
11. Page 11
SWOT Analysis Table
12. Page 12
Key Performance Indicators
A key performance indicator (KPI) measures progress
toward an organization’s goals, provides an
attainable standard for a specific activity, and gives
the focus or direction the activity is to take.
13. Page 13
Purpose of Key Risk Indicators (KRIs)
Effective KRIs provide objective, quantifiable
information about emerging risks and trends in existing
risks that can affect an organization’s success. A KRI can
reveal an upward trend in the level of a risk that, if it
continues, will exceed the designated risk threshold for
that risk.
14. Page 14
Internal Control and Risk Management
Internal control – a system or process that an
organization uses to achieve its operational goals,
internal and external financial reporting goals, or
legal and regulatory compliance goals.
15. Page 15
COSO Internal Control Framework
Source: COSO Internal Control – Integrated Framework
16. Page 16
Three Lines of Defense Model
Source: FERMA/ECIIA
17. Page 17
Risk Treatment Techniques
18. Page 18
Risk Modeling
19. Page 19
Influence Diagrams and Probabilities
GEV Industries hires inexperienced and experienced
workers to operate simple and complex machines.
Accident rates vary by worker experience and
complexity of machine.
GEV would like to estimate accident rates if it (a)
assigns workers randomly to machines or (b) assigns
workers to machines based on experience.
20. Page 20
Influence Diagram
[Influence diagram: nodes Worker Experience, Machine Complexity, Accident Rate and Cost of Risk; the decision node is Worker assignment to machines; a "?" marks the link between Worker Experience and Machine Complexity]
21. Page 21
Machine and Worker Data
[Figure: Simple machines 40, Complex machines 160, Inexperienced workers 60, Experienced workers 140]

Random Worker Assignment Probabilities
                        Inexp. worker (30%)   Exp. worker (70%)
Simple machine (20%)    6%                    14%
Complex machine (80%)   24%                   56%

Accident Conditional Probability
                        Inexperienced   Experienced
Simple machine          5%              0%
Complex machine         40%             10%
22. Page 22
Random Worker Assignment Probabilities
                        Inexp. worker (30%)   Exp. worker (70%)
Simple machine (20%)    6%                    14%
Complex machine (80%)   24%                   56%

Accident Conditional Probability
                        Inexperienced   Experienced
Simple machine          5%              0%
Complex machine         40%             10%

Accident Probability
                        Inexp. worker   Exp. worker
Simple machine          0.3%            0.0%
Complex machine         9.6%            5.6%

Total accident probability = 15.5%
23. Page 23
Worker Assignments by Experience
                        Inexp. worker (30%)   Exp. worker (70%)
Simple machine (20%)    20%                   0%
Complex machine (80%)   10%                   70%

Accident Conditional Probability
                        Inexperienced   Experienced
Simple machine          5%              0%
Complex machine         40%             10%

Accident Probability
                        Inexp. worker   Exp. worker
Simple machine          1%              0%
Complex machine         4%              7%

Total accident probability = 12%
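The two assignment schemes above, worked through in Python as an added example (not code from the original slides). The worker shares, machine shares and conditional accident probabilities are the figures on the slides; the experience-based scheme is modelled as "inexperienced workers fill the simple machines first", which reproduces the slide's 20/10/0/70 split.

```python
# Accident probability under two worker-to-machine assignment schemes.
# Shares and conditional accident probabilities are the figures from the slides.
WORKER_SHARE = {"inexperienced": 0.30, "experienced": 0.70}
MACHINE_SHARE = {"simple": 0.20, "complex": 0.80}
# P(accident | worker type, machine type)
ACCIDENT_GIVEN = {
    ("inexperienced", "simple"): 0.05,
    ("inexperienced", "complex"): 0.40,
    ("experienced", "simple"): 0.00,
    ("experienced", "complex"): 0.10,
}


def random_assignment():
    """Random assignment: worker type and machine type are independent,
    so P(worker, machine) = P(worker) * P(machine)."""
    return {(w, m): pw * pm
            for w, pw in WORKER_SHARE.items()
            for m, pm in MACHINE_SHARE.items()}


def assignment_by_experience():
    """Experience-based assignment (assumed rule): inexperienced workers fill
    the simple machines first; everyone left over goes to complex machines."""
    inexp_simple = min(WORKER_SHARE["inexperienced"], MACHINE_SHARE["simple"])
    inexp_complex = WORKER_SHARE["inexperienced"] - inexp_simple
    return {
        ("inexperienced", "simple"): inexp_simple,
        ("inexperienced", "complex"): inexp_complex,
        ("experienced", "simple"): MACHINE_SHARE["simple"] - inexp_simple,
        ("experienced", "complex"): MACHINE_SHARE["complex"] - inexp_complex,
    }


def accident_probabilities(joint):
    """Joint probability of each (worker, machine) cell times its conditional
    accident probability, i.e. P(accident and worker and machine)."""
    return {cell: p * ACCIDENT_GIVEN[cell] for cell, p in joint.items()}


def total_accident_probability(joint):
    """Sum over all cells gives the overall accident probability for the scheme."""
    return sum(accident_probabilities(joint).values())


if __name__ == "__main__":
    for name, joint in (("random", random_assignment()),
                        ("by experience", assignment_by_experience())):
        for cell, p in accident_probabilities(joint).items():
            print(f"{name:14s} {cell[0]:13s} {cell[1]:8s} {p:6.1%}")
        print(f"{name}: total accident probability = "
              f"{total_accident_probability(joint):.1%}")
```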
24. Page 24
Twenty percent of PDQ Transport’s trucks have advanced
safety equipment and 80% do not. Thirty of PDQ’s drivers are
inexperienced and 90 are experienced. Assuming drivers are
assigned randomly to trucks, what is the probability that an
inexperienced driver is assigned to a truck without advanced
safety equipment?
A: 18%
B: 20%
C: 24%
D: 60%
25. Page 25
Value at Risk (VaR)
26. Page 26
A $500,000, 2 percent VaR means losses are
expected to be
A: $10,000.
B: less than $500,000 2 percent of the time.
C: $490,000.
D: greater than $500,000 2 percent of the time.
27. Page 27
Market Value Surplus (MVS)
28. Page 28
Economic Capital
29. Page 29
Market Value Surplus Example
Autumn Assurance Group has assets at fair value of $100
million. The present value of Autumn’s liabilities is $85
million. The market value margin is $5 million. Using
probability models, Autumn determines that its VaR is $8
million because it expects to incur an $8 million or greater
loss of capital at a .5 percent probability over a one-year
period.
1. What is Autumn’s MVS?
2. What is Autumn’s economic capital?
3. Does Autumn have excess capital or a deficiency in
capital?
30. Page 30
Questions?
31. Page 31
Evolution of Risk Management
Insurance Management → Risk Management → Enterprise Risk Management
32. Page 32
ERM Value Proposition
• Identify key risks
• Employ risk-based decision making
• Improve internal control
• Improve risk governance
• Comply with legal and regulatory
requirements
33. Page 33
Solvency I and II (Insurance Cos)
Solvency I
• Early 1970s
• Focused on capital
adequacy
Solvency II
• 3 pillars
• 1 – Risk-based capital
• 2 – Risk management and
governance
• 3 – Transparent reporting
• Includes an own risk and
solvency assessment (ORSA)
34. Page 34
Basel II and III (Banks)
Basel II
• Issued in 2004
• Minimum capital
requirements using weights
for different types of credit
risk
Basel III
• Response to the Great
Recession
• Operational risk added
• Risk management
framework
• Board of directors role
(approve framework, risk
appetite, governance)
35. Page 35
ERM Process Model
36. Page 36
Risk Identification Tools – Risk Register
Event ID | Risk Scenario             | Likelihood | Impact | Risk Level (color-coded on the slide) | Risk Treatment (present) | Proposed improvement action                | Next Review Date
1        | Loss of personal computer | 3          | 1      |                                       | None                     | None                                       | Remove from list
2        | Damage to reputation      | 2          | 4      |                                       | Review policy            | Implement …                                | 2 months
3        | Loss of state funding     | 3          | 5      |                                       | None                     | Increase lobbying; Step up giving campaign | 1 month
….
Public University
37. Page 37
Risk Identification Tools – Risk Map
[Risk map plotting the register events by likelihood and impact: 1 Loss of a personal computer, 2 Damage to reputation, 3 Loss of state funding]
Public University
38. Page 38
Inherent and Residual Risk
Inherent → Treat → Residual → Treat → Optimum
39. Page 39
A risk map showing a large difference between
inherent and residual risk indicates that the
A: current risk treatment is ineffective.
B: risk does not need to be treated.
C: current risk treatment is effective.
D: risk exceeds the organization’s risk tolerance.
40. Page 40
Decision Tree
41. Page 41
Earnings at Risk
42. Page 42
Earnings at risk of $200,000 with 90 percent
confidence are projected to be
A: $180,000.
B: less than $200,000 10 percent of the time.
C: $200,000 90 percent of the time.
D: greater than $200,000 10 percent of the
time.
43. Page 43
Risk Management Environment and Culture
44. Page 44
Risk Centers and Owners
Risk center – unit within an organization at
which level a risk (or risks) is most effectively
managed
Risk owner – individual accountable for
identification, assessment, treatment, and
monitoring of risks in a specific environment
45. Page 45
Advantages of Risk Centers
Reduces the scope of risk analysis
Allows for the involvement of operational
managers
Helps focus on the organization’s strategic goals
and operational objectives
Ensures that risks are managed at the most
appropriate level in the organization
46. Page 46
Risk Attitude
[Spectrum: Risk Avoiding … Risk Optimizing … Risk Seeking]
Editor's Notes
p. 1.4
Strategic business discipline/process
Support business objectives
Full spectrum of risks
p. 1.5
Explain each of the parts
pp. 1.6
Risk committee could be the entire board, subset of the board, or the audit committee
CRO relating to other members of the organization.
May or may not have insurance responsibility
Might have executive risk committee reporting to the board
Page 1.9.
Understand definitions; and be able to differentiate between the different types of classifications.
Pure – A chance of loss or no loss, but no chance of gain
Speculative – A chance of loss, no loss, or gain
Subjective - The perceived amount of risk based on an individual’s or organization’s opinion
Objective – The measurable variation in uncertain outcomes based on facts or data.
Diversifiable – A risk that affects only some individuals, businesses, or small groups – not highly correlated
Nondiversifiable – A risk that affects a large segment of society at the same time, i.e., inflation, unemployment, catastrophes – correlated risks.
p. 1.14
See elements of these in the risk management standards and guidelines.
Note how the framework and process interrelate
Establish context – (internal and external environments) articulates objectives; defines internal and external parameters that impact risk; sets risk criteria
Risk Assessment – identify, analyze, and evaluate risks
Treat risks – treat the residual risk
Grew out of internal control
Has elements of both a framework and a process
Defines risk as negatively affecting objectives, but says an event can have either positive or negative results
p. 7.3
p. 7.10
COSO internal control (1992) defined internal control as a process for providing reasonable assurances that an organization is meeting its objectives.
It named risk assessment as an essential element in designing controls, thus aligning internal control with risk management.
Also – control environment – degree of importance a board of directors and management place on the organization’s internal control system and their related actions.
Explain each of the sides of the cube.
p. 7.8
This is an internal control system that involves risk assessment, control, and mitigation
1st - operational management responsible for assessing, controlling, and mitigating risks and for maintaining effective internal controls
2nd – risk management supports operational management’s implementation of risk management practices. Compliance function monitors compliance risk. Others include health and safety, supply chain, and quality.
3rd – internal audit provides assurance to the board and senior management on organizational effectiveness of risk management and assessment efforts.
External auditors – may be considered the fourth line of defense as they provide independent assurance that the financial statements provide an accurate assessment of the financial position of the organization.
p. 26
Explain each of the ways to treat critical risks
Avoid – example – not undertake an activity
Remove – continue activity, but change input
Change likelihood and/or consequences – draw a risk map
Finance – hedging; insurance
Mitigate the risks – assess the gap between current mitigation and potential mitigation
p. 10.18
p. 10.21
Explain influence diagram. High level. Shows decisions, accident rate, cost.
Are worker experience and machine complexity independent in terms of their influence on the accident rate, or is there interaction between them?
Apply probabilities.
Go over data.
Explain how random worker assignment developed.
Explain conditional probability.
Explain how accident probability developed.
Total accident probability = 15.5%
Assign based on experience
Total accident probability = 12% – a reduction
Training option could change experience level of the workers.
p. 10.40
Explain probability
p. 11.13
Fair value of assets and liabilities
Difficult to determine fair value of insurance liabilities
Explain market value margin
Explain economic capital
Explain excess capital
Otherwise called economic capital modeling
p. 11.15
Based on the VaR concept.
Questions
MVS = Fair value of assets – (Present value of liabilities + Market value margin)
Autumn’s MVS = $100 million – ($85 million + $5 million) = $10 million
Autumn’s economic capital is $8 million. The VaR is $8 million at the threshold determined by Autumn.
Autumn’s MVS of $10 million is larger than its economic capital of $8 million. Therefore, Autumn has excess capital of $2 million.
These are only some of the possible goals
See p. 1.22 for a more complete list
Risk adjusted return on capital
Internal controls – risk-based audits; when risk is present and how current controls are working
Strategic risk management
Risk committees – Dodd Frank
pp. 8.16-8.17
Pillar 1 – can use internal models – risk-based capital - economic capital (we will cover later)
Pillar 2 – standards of risk management and governance; ORSA – forward-looking self-assessment of risks
Pillar 3 - reporting requirements for more transparency – public solvency and financial condition report
pp. 8.17-8.18
p. 9.3
ISO 31000 uses identification, analysis and evaluation for risk assessment
p. 9.15
Try to think of a better example
RIMS adds immediacy and impact on reputation
Used to record risks - can be later placed on a risk map
List the key risks – usually the top ten – remove loss of personal computer from list
Prioritize – so the red one should be on top
p. 9.19
Best for showing the downside of risk
Best for independent, uncorrelated risks
Also called a heat map – does a good job of capturing uncorrelated risks
Explain green, yellow, red in terms of retention, transfer
Explain in terms of risk appetite.
For a public university
Loss of personal computer – moderate, negligible – unless a large number; retain
Damage to reputation – unlikely, very high – control in some way
Loss of state funding – moderate, extreme – control, modify
p. 9.20
Can show these on a risk map
Inherent – current risk (no treatment)
Residual - after current treatment
Optimum – risk treatment opportunity to further reduce the risk
p. 10.10
Know differences between decision trees and event trees – see chart on p. 10.13
Monte Carlo simulation on factors such as prices, sale, expenses – things that influence earnings.
Similar to VaR
For example, if earnings at risk are $100,000 with 95 percent confidence, then earnings at risk are projected to be $100,000 or greater 95 percent of the time and less than $100,000 5 percent of the time.
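The earnings-at-risk reading above, and the VaR reading from the slide 26 question, demonstrated on a small Monte Carlo simulation in Python. This is an added example, not material from the original deck: the price, sales and expense distributions and the lognormal loss distribution are constructed for illustration, and the quantile cut is the empirical one (sorted samples), not a fitted model.

```python
import random


def simulate_earnings(n=10_000, seed=7):
    """Monte Carlo draw of earnings = price * units sold - expenses.
    The three factor distributions are assumed (constructed for this example)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        price = rng.gauss(50.0, 4.0)              # unit price, $
        units = rng.gauss(20_000.0, 2_500.0)      # units sold
        expenses = rng.gauss(800_000.0, 60_000.0)  # total expenses, $
        samples.append(price * units - expenses)
    return samples


def simulate_losses(n=10_000, seed=11):
    """Constructed loss distribution (lognormal, heavy right tail) for the VaR case."""
    rng = random.Random(seed)
    return [rng.lognormvariate(12.0, 0.8) for _ in range(n)]


def earnings_at_risk(earnings, confidence=0.90):
    """EaR at `confidence`: the earnings level met or exceeded that share of the
    time, i.e. the (1 - confidence) lower quantile of the earnings distribution."""
    s = sorted(earnings)
    return s[int((1.0 - confidence) * len(s))]


def value_at_risk(losses, tail=0.02):
    """VaR at `tail`: the loss level exceeded `tail` of the time (upper quantile)."""
    s = sorted(losses)
    return s[int((1.0 - tail) * len(s))]


def share_below(samples, level):
    """Fraction of outcomes strictly below `level` (the EaR downside reading)."""
    return sum(1 for x in samples if x < level) / len(samples)


def share_above(samples, level):
    """Fraction of outcomes strictly above `level` (the VaR tail reading)."""
    return sum(1 for x in samples if x > level) / len(samples)


if __name__ == "__main__":
    e = simulate_earnings()
    ear = earnings_at_risk(e, 0.90)
    print(f"EaR (90%): ${ear:,.0f}; earnings fall below it "
          f"{share_below(e, ear):.1%} of the time")
    losses = simulate_losses()
    var = value_at_risk(losses, 0.02)
    print(f"VaR (2%): ${var:,.0f}; losses exceed it "
          f"{share_above(losses, var):.2%} of the time")
```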
EO is
Explain how an organization’s attitude toward risk is influenced by organizational culture.
Types of culture:
Adaptive
Inert
Fragmented
Must take risk to survive
Can have too little or too much risk