ERM Frameworks

Question 1

Components of Successful ERM Framework (7 + additional)

Answer 1

1. Corporate Governance - Processes and Controls
2. Line Management - Integrate risk management into business strategy (pricing)
3. Portfolio Management - Considering Aggregate Exposures (targets, limits, optimisation in light of conc/div)
4. Risk Transfer - Mitigate Excess Risk
5. Risk Analytics - Measure, Analyse, Monitor, Report
6. Data and Technology Resources - Support Analytics
7. Shareholder Management - Communicate Risk Info

In proportion to size, nature and complexity of company, with positive RISK CULTURE.

Question 2

Good Risk Culture (10)

Answer 2

1. Encourages Consultative Leadership
2. Participation in Decision Making on Risks
3. Openness and knowledge sharing, good internal communication
4. Encourages Accountability, not blame
5. Organisational learning, not box ticking
6. All staff involved in risk identification
7. Risk Management Embedded in Processes of business, becoming way of life for managers
8. Line managers should manage risk in their areas and report important risks to a central point.
9. Board manages short list of most important risks.
10. Framed to achieve success, not avoid criticism.

While avoiding tension between a successful growing company with “can do” culture and risk management.

Question 3

How to Changing Risk Culture (3)

Answer 3

1. Incrementally
2. Top Down
3. With changing new recruit profiles

Question 4

Definition of Corporate Governance

Answer 4

Way board controls organisation and processes and controls to ensure organisation is run by management in the best interests of shareholders/principles.

Question 5

Common Themes in UK Corporate Governance Code and Dey Report in Canada

Answer 5

(Comply/Explain Approach)

1. Composition of Board
2. Independence of Board (1)
3. Frequency of Meetings
4. Terms of Appointments for Directors
5. Skills required and performance assessment of board members (including training for new members, reference to best practice codes, external consultants)
6. Remuneration of Directors (4) (should reflect responsibilities and risk, not overly compensated, and link remunration to RAR e.g. with company stock)
7. Assessment of Board Performance (2)
8. Function of subcommittees: appointments, audit, remuneration, risk
9. Composition of Board Subcommittees
10. Stakeholder Communication and Disclosure (3)

(1-4) are Four Key Principles for Excellence in Corporate Governance. SA also includes fairness and social responsibility.

Question 6

What is Risk Culture

Answer 6

Organisation’s shared attitudes, values, beliefs and behaviours and way of doing things, particularly in relation to risk.

Question 7

Reporting Mechanisms Promoting Risk Culture (5)

Answer 7

1. Mechanisms for reporting new/enhanced threats and opportunities.
2. Suggestions for mitigation of threats
3. Ideas for increasing opportunities.
4. Existence of defective procedures.
5. Failure to operate established procedures properly

Question 8

Key Stake Holders in Corporate Governance (6)

Answer 8

1. Board of Directors
   a. Risk Governance
   i. vision, strategy, culture of organisation
   ii. Establish framework for measuring, managing, monitoring, reporting
   iii. Reviewing outcomes and lessons learned from RM process to achieve goal (annual self-assessment towards ERM)
   b. Setting up ERM Policies
   i. Defining Risk appetite
   ii. Establishing required skills and implementing
   training programs for ERM
   iii. Guiding decisions on approach to ERM and roles and responsibilites
   iv. Approving internal controls and ERM policies and ensuring up to standards (int and ext/regulatory)
   c. Determining Risk Compensation (align management incentives)
2. Chief Risk Officer (implementing board’s strategy)
3. Risk Subcommittee (verify compliance with, and challenge risk policies)
4. Audit Subcommitee (integrity of financial statements, oversight of assurance functions, link with external auditor)
5. Managers (identification/management of risks in area, lead by example, integrating risk information and process into decision making, implementing policies)
6. All Employees (identifying new, altered risks, adhering to codes of conduct, honesty and fair dealing, with clear responsibilities)

Question 9

Aims of Corporate Governance Internal Controls referred to in Corporate Governance Codes of Conduct (5)

Answer 9

1. Ensure Adequate Record Keeping
2. Preventing Fraud and Safe Guarding Company’s assets
3. Guaranteeing accuracy of financial statements.
4. Responding Appropriately to Risk
5. Ensuring compliance with law and supervisory guidance.

Question 10

UK - Cadbury Code of Best Practice (1993) to improve confidence in financial reports

Answer 10

1. Full Board Meetings at Regular Intervals
2. Board aware of significant activities (e.g. aquisitions, capital projects)
3. NED should have key responsibilities for certain control/monitoring functions
4. Shareholders should approve director’s service contracts exceeding 3 years
5. Director’s remuneration should be reviewed by committee of NED (at least majority)
6. Company reports should be balanced and understandable

Question 11

UK Corporate Governance Code (2), 1994 Dey Report Canada

+ Companies Act

Answer 11

1. Applies to all UK listed companies
2. Compliance voluntary, non-compliance disclosed and explained (to market) - depending on size, complexity, industry

Dey Report - also comply or explain approach.

Companies Act
Directors must act in accordance with company’s articles of association and act in long term best interests of company, and avoid/declare conflicts of interest.

Question 12

SEC, Sarbanes Oxley and Dodd-Frank Act Rules

Answer 12

1. SEC - Disclosure of board structure, compensation, and role in risk management.
2. Sarbanes Oxley - Independent board audit committees and financial expert
3. Dodd-Frank Act - Board risk sub committee with risk management expert

Question 13

Walker Review 2009 UK (5)

Answer 13

1. Continue comply or explain
2. More challenge in board discussions with greater NED time commitment
3. Increased risk oversight and engagement from board, particularly in regards to risk appetite decisions (recommends new sub-committee with CRO - enterprise wide authority and independence)
4. Increased engagement between fund managers and their board of investees
5. Board remuneration sub-committee also cover senior management, with public disclosure on banded basis, in line with medium to long term risk appetite/strategy

Question 14

Risk Sub-committee Charter (6)

Answer 14

1. Purpose (overseeing and challenging management’s treatment of key risks, setting policy, gathering required information)
2. Responsibilities (Ensuring suitable ERM, ensuring compliance with supervisory requirements, assessing risk management and ensuring objectives met, reporting risk to the board, understanding developments in RM)
3. Membership (knowledge of organisation and expertise, yet objective, split between independent and non-independent directors)
4. Frequency of Meetings
5. Criteria for Performance Assessment
6. Availability of/Access to Resources (incl departments and external consultants)

Question 15

Audit Sub-committee (1a-c,2)

Answer 15

1. Give Auditors direct access to NED, ensuring remain independent and emphasising importance of audit to rest of business.
   Roles
   a) Monitoring integrity of financial statements
   b) Monitoring and Review: Assurance functions (financial control, RM, internal audit)
   c) Recommending, monitoring and reviewing external auditor
2. NED best practice, or even independence of sub-committee.

Question 16

Risk Frameworks (7)

Answer 16

1. RAMP (Risk Analysis and Management of Projects)
2. COSO ERM Integrated Framework
3. IRM/AIRMIC/Alarm Risk Management Standard
4. Treasurey Board of Canada Risk Management Framework
5. AS/NZS 4360
6. ISO 31000

Question 17

S+P Risk Analysis (3 Groups)

and

How is weighting given to risk component

Answer 17

1. Sovereign Risk (taxation, currency)
2. Business Risk (industry prospects, diversification, economies of scale, competitive strength, operational risk, management qualities)
3. Financial Risk (profit, cashflow, capital structure, flexibility)

Weighting depends on complexity of risks and availability of capital.

Question 18

Areas of ERM assessment S+P

Answer 18

1. Risk Management Culture
   a) communicaiton, documentation and of past errors, consistency accross business, incentives, governance structure, risk tolerance statements, capabilities of individual risk managers.
2. Risk Control
   a) risk identification process, monitoring process, limits for retained risks, adherence and consequences, execution of RM process
3. Extreme Event Management
   a) Consideration of rare events, adopts appropriate course to measure potential impact and prepare. Stress/Scenario testing and early warning indicators.
4. Risk Models and Capital Models
   a) inputs, assumptions, formulae, consistency across business, modifications for appropriateness.
5. Strategic Risk Management
   a) clear decision making with regards to retained risks (and if should avoid/diversify), b) clear strategy for investing assets owned with broad allocation, ,c) pricing products reflects risk/return payoff, d) appropriate allocation of capital, e) appropriate dividend policy, discuss how it was determined with risk-adjusted return on retained capital, f) good risk adjusted returns rewarded

Question 19

Strengths of S+P

Answer 19

1. Encourages Good ERM practicies
2. Focus on RAROC
3. Consider performance in light of risk
4. Useful breakdown into components of ERM analysis, which can be helpful for own organisations’ process implementation
5. Encourage greater transparancy of ERM practices
6. Intro of classification system should make outcomes of rating agency analysis easier to communicate.
7. Same criteria applied to all insurance companies, but also tailored to each one
8. High rating may help organisations attract and retain sophisticated customers.

Question 20

Independent vs NED

Answer 20

Independent - No ties (e.g. not former executive, not significant shareholder etc.)

Question 21

Companies with Supportive Risk Culture (11)

Answer 21

1. Develop employee behaviour w.r.t. risk and support with training (e.g. on upside and downside)
2. Proactive Risk Response Requirements in Job descriptions
3. Risk management objectives in employee performance assessment process
4. Incentives to risk management objectives with clear targets/measures
5. Risk management responsibilities clearly defined and made known
6. Risk escalation process
7. Environment of openness, where issues can be raised and heard.
8. Avoid blame culture
9. Set tone from top
10. Praise good behaviours reporting successes
11. Evaluate Risk Culture (e.g. surveys)

Question 22

Prudential Supervision Steps (5)

Answer 22

1. Oversight
2. Licensing
3. Requirement to maintain minimum standards
4. Procedures for monitoring compliance
5. Procedures to take action against failure to comply

Question 23

Examples of Multiple Regulatory Regimes for an Enterprise

Answer 23

1. International business
2. Subsidiaries in different sectors
3. Subsidiaries same sector different areas (banking/insurance)
4. Same sector, different regulatory requirements
5. Different lifecycle stage

Question 24

Features of COSO (5)

Answer 24

1. Risk represents opportunity as well as potential downside
2. ERM is parallel and iterative process
3. Everyone has role in risk management at all levels
4. Any risk management process is imperfect
5. Implementation of risk management must balance cost with potential benefits

Question 25

Describe COSO Cube

Answer 25

1. ERM components/processes 1) Internal Environment 2) Objective Setting 3) Risk Assessment 4) Risk Responses 5) Control Activities 6) Information and Communication 7) Monitoring 2. Business Objective 1) Strategic 2) Operational 3) Reporting 4) Compliance 3. Business level of application 1) Entity 2) Division 2) Business Unit 3) Subsidiary

Question 26

Swiss Solvency Test

Answer 26

2011 Risk based regulatory capital regime in Switzerland. Market consistent approach, similar to Solvency II Pillar 1 Requirements, but with 99% TVaR requirement rather than 99.5 VaR.

Question 27

Sarbanes-Oxley Features 5

Answer 27

Resulted from collapse of Enron and WorldCom, issues in accounting reports were uncovered. To improve reliability of corporate disclosure. 1. Formation of PAOB (public accounting oversight board) to inspect published accounts of quoted firms and prosecute those in breach of regulation. 2. Increased accountability of CEOs and CFOs - required to certify financial statements do not contain untrue facts, personally responsible for disclosures in financial reports. 3. Each published report must contain ICR (internal control report), commits management to maintain proper internal controls and review their effectiveness 4. Requirement for external auditors to report on assessments by management. 5. Illegal for management to interfere with audit process 6. Illegal to destroy records or documents with intent to influence investigation.

Question 28

Key Themes RM and GRC after SOX (5)

Answer 28

1. Are controls identified and documented 2. Consistent across business? 3. Address critical factors 4. Include Risk Management 5. Testing procedures required before signing ICR

Question 29

Similarities and Differences Basal and Solvency II

Answer 29

+ Both three pillars + Risk based frameworks (Solvency I volume) including embeded options, guarantees + Suitable for multinational firms + Consistent for enterprises with banking and insurance arms But Basal assumes market participants are dependent on one another, significant contagion risk in banking sector. Basal more prescriptive, Solvency - principles.

Question 30

Aims of Solvency II

Answer 30

1. Introduce economic risk based solvency requirements accross all EU member states 2. More comprehensive requirements than in past, taking into account asset and liability side 3. Hold capital against market, credit, operational and underwriting risk 4. Emphasis capital is not the only way to militate risk 5. More prospective focus 6. Streamlined approach aims to recognise economic reality of how groups operate.

Question 31

Pillars of Solvency II

Answer 31

1. Quantitative (SCR (regulatory action) and MCR (authorisation) for underwriting, credit, market, operational, liquidity and event risk. 2. Qualitative - including ORSA, and ability to meet SCR and MCR in future ORSA (Own Risk and Solvency Assessment) Purpose: - Adequacy of risk management - Current, and likely future, solvency position. Requires: - Identifying risks - Identify risk management processes and controls in place - Quantify ongoing ability to continue to meet MCR and SCR - Analyse quantitative and qualitative elements of bus strategy - Identify relationship between RM and level and quality of financial resources available and needed. (Included in International Association of Insurance Supervisors standards, as a tool for both improving business and enhanced regulatory assessment and stress testing) 3. Disclosure and Reporting

Question 32

Describe Basel and Three Pillars

Answer 32

By Basel Committee on Banking Supervision under auspices of BIS. 1. MCR (credit, market, operational) 2. Supervisory Review of Internal risk management processes (internal systems, processes, limits, capital, liqudity and concentration risks) 3. Disclosure (facilitate market discipline)

Question 33

Aim of Basel I, II and III

Answer 33

I - Credit, later Market Risk II - Superceed I (Operational) Criticisms: a) Too much emphasis on single aggregate number b) Operational risk hard to quantify c) Liquidity hardly considered d) More complex, but not more reliable e) Cost of implementation of internal model f) Risk-herding g) Undervalue mark-to market h) Spurious confidence in CDOs i) Mark to market Pro-cyclicality j) Overconfident III - After GFC, liquidity risk, systematic and counterparty a) Strengthens capital requirements, limiting cross-holding in other financial institutions and associated assets (limiting systemic risk) b) Conservation buffer c) Changes in min Tier 1/2 ratios d) Flexibility during financial crisis

Question 34

RAMP vs AS/NZS 4360 (2)

Answer 34

RAMP also has: 1. Project launch and close down analysis 2. Go/No Decision Step

Question 35

7 Elements of AS/NZS 4360 4 Uniques

Answer 35

``` 1. Establish context (SWOT) 2-4. Identify, analyse, evaluate risk 5. Treat Risk 6. Monitor and Review 7. Communicate and Consult ``` 1. Detail on risk analysis for non-financial organisations (operational risk for financial) 2. RM process to be formulated into RM plan 3. Importance of senior management buy-in 4. Need for adequate resources to RM

Question 36

IRM/AIRMIC/Alarm Standard

Answer 36

Similar to COSO providng methodological approach to RM, structured approach to reporting, and focus on risk management champion. 1. In-house approach to RM preferred. 2. Internal Audit importance for control 3. Clarity over roles of stakeholders 4. Highly structured approach to risk reporting

Question 37

ISO 31000

Answer 37

1. Emphasis on possibility of an effect rather than event 2. Focus on effects on objectives 3. Dynamic RM - continuous cycle

Question 38

Elements Treasury Board of Canada (Integrated RMF 2001) 4

Answer 38

1. Developing Corporate Risk Profile (environmental scanning to review int and ext risk factors, assessed current status of RM, and profile) 2. Establishing Integrated Risk Management Function (Management direction understood and applied, implemented through existing decision making and reporting structures) 3. Practising Integrated Risk Management (all levels, integrated into decision making, consultation and communication stakeholders) 4. Ensuring Continuous risk Management Learning (lessons, shared, analysis for continual improvement, experience and best practices shared internally and across government)

Question 39

UK Government Management of Risk Principles and Concepts

Answer 39

1. Importance of horizon scanning 2. Importance of RM activities relating to wider environment. 3. Importance of linking risks to objectives 4. Distinction between risk and its impact 5. Inherent vs Residual distinction 6. Prioritisation of Risks more important than Quantification 7. Risk appetite divided into corporate, delegated and project 8. Dedicated Risk Committee Recommended.

Question 40

List Four Categories of Supervisors excluding Govt, examples and function

Answer 40

1. Professional Bodies (IFOA) a) Training/Qualification b) CPD c) Discipline 2. Professional Regulators (Chartered Financial Analyst Institute, Financial Reporting Council) a) Standards b) Monitoring Adherence c) Disciplining 3. Industry Bodies (BBA, ICA) a) Lobbying b) Promotion 4. Industry Regulators (APRA, PRA, FCA, LSE) a) Public Interest

Question 41

Functional Vs Unified Regulation. Advantage of Unified 6

Answer 41

Functional: Separate authorities for activities Unified: Single regulator covers broad range. 1. Easier to Regulate 2. Consistent across activity 3. Decreased regulatory arbitrage incentive 4. Economies of Scale 5. Sharing ideas between staff 6. Improved accountability (less buck passing)

Question 42

Regulators Look at...

Answer 42

1. Nature of Business 2. Governance Arrangements 3. Financial Reports 4. Risk Management STrategies and Processes

Question 43

Why Proactive Regulator Engagement

Answer 43

1. Key component of ERM 2. Reduce level of risk placed on insurer, reducing supervisory burden through risk-based reg 3. Greater opp to benefit

Question 44

Engage with Regulator

Answer 44

1. Link insurer's regulatory strat with corporate 2. Implement transparant and comprehensive regulatory strategy and communicate to regulator 3. Ensure principles of regulatory strategy are understood, accepted and adopted 4. Ensure feedback focuses on important issues and is unbiased and practical 5. Adopt best practice early 6. Proactive 7. Communicate openly and regularly

Question 45

FCA/PRA/LSE

Answer 45

FCA - Financial Conduct Authority (financial services industry) - Stable industry and promote competition - Includes UK listing Authority (UKLA) a) Ensures listed companies comply with certain standards in listing rules b) Requires listed companies comply with disclosure rules c) Comply with Corporate Governance code or explain d) Power to suspend trading/delist PRA - Prudential Regulation Authority (part of bank of England, prudential regulation and supervision of banks, builidng societies, credit unions, insurers, investment firms) - Standards and supervises financial institutions at individual firm level LSE (London Stock Exchange) - Main Market and ALternative Investment Market - Regulated by Office of Fair Trading, EU market standards set out in Investment Services Directive.

Question 46

Senior Insurance Managers Regime

Answer 46

SIMR 2016 - Individuals who run insurance companies have clearly defined responsibilities, and behave with integrity, honesty and skill. 1. Development of Governance map giving details of: a) Company and Corporate Governance Structures b) Identified key functions (including RM functin), key function holders (accountablity), key function performers c) All individuals included within regime, responsibilities and reporting line d) Rationale applied in identifying individuals and allocating responsibilities 2. Requirement to carry out assessment of fitness and propriety of senior insurance managers and directors based on their responsibilities as allocated through the governance map. (CRO, Chair Rcommittee)

Question 47

Weaknesses of S+P Document

Answer 47

1. Limited to insurance and reinsurance companies 2. Document overly optimistic (marketing literature) 3. Limited description of actual procedures, or details of how investigations carried out, or what is measured. 4. No explicit agency risk mention 5. Reference to "complicated and powerful simulation models" is highly subjective and can cause problems itself. 6. RM was already covered by SP when rating companies. Unclear formalised approach had significant impact on views of insurance/reinsurance companies. 7. Reliance should not be placed solely on opinion of rating agencies. Company may have better understanding.