ERM Chapter 12

Question 1

Discuss the degree to which the Board might delegate some of its responsibilities for RM and outline how that may be best achieved.

Answer 1

It is particularly important that the relationship between the CRO and other officers are unambiguous. A CFO reporting to the CEO or CFO may mean conflicts of interest inhibit communication to the Board - adding a dotted reporting line can help address this issue.
It is common for Boards to delegate RM to a risk subcommittee. The subcommittee will take responsibility for setting RM strategy and policies and monitoring. It should be independent from the day-to-day business and those appointed should be suitably qualified.
The accountabilities, responsibilities and relationship between the Board, subcommittee, CRO and line management should be clearly defined and distinct. While the board may delegate some responsibilities to a subcommittee, they retain overall accountability for RM.

Question 2

Outline the key responsibilities of the CRO.

Answer 2

• Manage the various risk functions
• Provide leadership and direction
• Design and implement an ERM framework across the company
• Ongoing risk policy development
• Risk reporting (internally and externally)
• Allocation of capital across the firm
• Communicating with stakeholders about the organisation’s risk profile
• Developing systems to analyse, monitor and manage risk.

Question 3

List five skills required of a CRO.

Answer 3

1. Leadership - to develop the ERM vision and recruit/retain a RM team
2. Communication skills - to influence and persuade the business about ERM
3. Stewardship - the ability to act as a guardian of the organisation’s assets
4. Technical competence - needed to assess and manage financial and operational risks
5. Consulting skills - needed to influence and educate the Board and implement policy

Question 4

Outline what a CRO will need to establish upon or soon after their appointment to the role.

Answer 4

The CRO will need to establish whether:

• there is a clear understanding of the company’s risk tolerance
• management’s compensation is aligned with prudent RM
• there are good risk reporting channels, so that risks are assessed and information about them is shared in a timely manner
• there are gaps in the skills, capability and experience of the team
• each part of the insurer’s business increases its overall value
• RM is linked into capital management, pricing and reserving processes
• the quality and extent of the information given to stakeholders enables them to assess the financial condition of the insurer
• the governance structures are robust
• the RM operating model is appropriate

The CRO will need:

• to establish a close working relationship with the CFO - since they each have a role in making earnings more predictable and less likely to reduce in the future
• authority within the organisation i.e. on or close to the executive board
• to understand the insurer’s key stakeholders and drivers of performance

Question 5

Outline what the Centralised Risk Function (CRF) is and what its roles include.

Answer 5

The CRF could be a team of specialist risk managers or just one person, and reports to the Board via the CRO. Its roles include:

• giving advice to the Board on risk
• assessing the overall risks being run by the business (taking account of hidden risks and correlations, as well as general uncertainty)
• making comparisons of the overall risks being run by the business with its risk appetite
• acting as a central focus point for staff to report new and enhanced risks
• giving guidance to line managers about the identification and management of risks, making suggestions for risk responses
• monitoring progress on RM; and
• pulling the whole picture together

Question 6

Outline the nature of the relationships between the three lines of defence, and state any disadvantages.

Answer 6

Offence vs defence - the first two lines are setup in opposition to each other. BU’s focus on maximising income and RM focuses on minimising losses. Potentially destructive and damaging to the organisation as BU’s and RM function have opposing objectives (and incentives).

Policy and policing - BU’s operate within rules set by the RM function and policed by the RM, audit and compliance functions.
Potential problems include:
- policies may be out of date as RMF is not in touch with day-to-day operations
- audit and compliance reviews do not occur continuously, so may fail to identify problems
- there may be friction between line management and risk management as each fails to understand each other’s viewpoint
- line management have little incentive to report problems, policy violations and issues where it is uncertain whether a violation has occurred. The issue is mitigated somewhat by arguments about the ‘greater good’ or if incentives are linked to policy compliance and reporting violations.

The partnership model - risk management staff are integrated into BU’s and the two functions share some measures of performance.
Under this approach:
- BU’s and RM staff work together in a client-consultant type relationship to manage risk
- BU’s must recognise the benefit to long-term performance of a risk management function
- RM staff must recognise the importance of their role as consultants i.e. meeting the needs of the BU’s
- independence may suffer in this structure. It is hard for RM staff who are integrated into BU’s to have a corporate oversight role

An appropriate governance structure will depend on factors such as:

• the structure of existing committees and decision-making bodies
• the size and nature of the business
• the risks faced by the business
• the autonomy and accountability of the elements of the current corporate structure. If BU’s are run autonomously, the RMF needs to support each individual BU, rather than only operating at the whole organisation level.

Question 7

What are the four key challenges in managing the relationship between BU’s and RM staff? Outline their nature.

Answer 7

1. Conflict and conflict resolution - conflict arises as a result of parties perceiving risks differently (opportunity for profit or loss?). BU’s often want to increase volumes and may argue pricing based on marginal costs, but finance departments want to grow revenue ad control risk and argue for full-cost pricing.
2. Management of RM staff within BU’s - RM staff embedded within BU’s may not be trusted by BU staff and may feel stuck between two opposing sides. It may be best if RM staff report to BU head and have a dotted line to the CRO.
3. Aligning incentives - aligning incentives for BU and RM staff can reduce conflict between them, although in practice the design of suitable performance measurement and incentive systems can be difficult.
4. Measuring operational risks - operational risks can be difficult to assess and take into account performance measurement systems. It is particularly important to ensure a common taxonomy around operational risk to help minimise the risk of confusion.

Question 8

Outline six (risk-focused) questions management should ask themselves when developing their unit(s) plans and strategies.

Answer 8

1. What risks may prevent us from achieving our objectives
2. How do we assess and monitor these risks
3. How can we mitigate or transfer these risks
4. What level of risk-adjusted performance can we expect
5. What risk limits/tolerances should be adopted
6. Who will measure and monitor the risks involved

Benefits of addressing such questions include:

• BU’s will focus on their key risks and ways to mitigate them
• Management receives advanced warnings of changes in the risks to which the company is exposed
• They encourage RM and line management staff to work together at any early stage in a project to address risks and business issues
• They promote effective RM by linking high-level business objectives and risk appetite to risk reporting

Question 9

Decisions about a new product or business rely on many assumptions about the business e.g. likely sales. Outline how management might address the risk that these assumptions are not borne out in practice.

Answer 9

• set trigger points for each assumption - levels above or below which will trigger a specific action or plan. e.g. a strategic review might be triggered automatically if actual sales in a quarter are more than 20% below the assumed level
• set up a specific risk committee for a new product and business development, particularly when expanding into new/foreign markets

Question 10

Pricing products should take into account all the costs of risk including expected losses, the cost of capital and the cost of risk transfer.
State a key risk for an insurance company arising from not pricing adequately?

Answer 10

They will likely be subject to selection risk.

Question 11

Outline a financial reporting method that should include risk assessment.

Answer 11

The balanced scorecard approach integrates business and financial reporting. A scorecard usually assesses four main areas: finance, key stakeholders, growth and learning and internal business processes. Risk assessment should be incorporated into the scorecard.

Question 12

Outline the compliance process.

Answer 12

Compliance requires a good understanding of regulations and other rules with which an organisation must comply. Penalties for failing to observe these standard can be severe, including loss of reputation.
It is good practice to ensure that line managers have identified the provisions within which they must comply in exercising their own responsibilities, and have documented their compliance with each specific provision.
In cases where there is not yet full compliance, risks of non-compliance must be identified, and a plan should be drawn up for achieving full compliance within a timeframe. In the case of regulatory non compliance, a decision needs to be made on whether regulators should be told.

Question 13

Outline the internal audit function.

Answer 13

Risks are an important concern of the internal audit function. It should ensure, for example, that the organisation’s systems are as secure as possible to prevent fraud.
Other responsibilities may include:
- monitoring compliance with laws and regulations
- checking for system errors
- looking for non-observance of internal governance codes
- examination of key spreadsheets in use at the company, to ensure they do not contain errors which might only occur occasionally but with devastating effect
- examination of procedures for paying insurance premiums on time, and observing insurance conditions, to ensure that there is no risk of an organisation being left uncovered when a claim arises.

Question 14

Why may external auditing be performed?

Answer 14

• it may be a requirement by the regulator (e.g. under Basel II and Solvency II)
• potentially provides as an additional source of learning.