A publication of LogicManager
LogicManager's All-in-One ERM Software: Enterprise Risk Management, Vendor Management, Regulatory Compliance, IT Governance and Security, Financial Reporting, Business Continuity, Audit Management, Performance Management, Policy Management.
All the content you need & all connected.
Leadership: More than 2000 organizations use our risk management solution.
Insight: Put your risk picture together.
Cloud Computing: No up-front investment and no long-term commitment required.
Request a Demo
Chapter 1
Risk Culture & Governance
RMORSA Regulation
With the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) by the National Association of Insurance Commissioners (NAIC), insurers are required to take a broader approach to risk management. The new ORSA requirement is one component of the NAIC's initiative to bring the US into regulatory alignment with the International Association of Insurance Supervisors' Core Principle 16, Enterprise Risk Management.
Starting in 2015, insurers will be required to submit an annual ORSA summary report to their state commissioner that details the insurer's risk management, capital management, and strategic planning, along with the relationships between the three. The first section of the ORSA summary report is a detailed description of the insurer's ERM framework.
3 Lines of Defense
For any organization, risk is an essential part of creating business value, and as such it needs to be managed in a way that is beneficial to the organization's bottom line. A risk governance structure needs to be put in place to collect risk information at the activity level, where most operational risks materialize, and to aggregate this information to a level that senior management and the NAIC care about.
A best-practice approach that has been endorsed by the Institute of Internal Auditors (The IIA) is a 3 lines of defense structure. Operational management, or process owners, are expected to take ownership of and accountability for the risks faced by their business area as the primary line of defense. Specifically, the IIA recognizes that this front line has the primary task of identifying, assessing, and mitigating risks on a day-to-day basis.
Process Owners
The second line of defense is the risk management function, which provides oversight and facilitates the implementation of effective risk management. The compliance function is also considered a second line of defense; however, when compared with a risk management function, compliance is responsible for a specific subset of risks related to applicable laws and mandates. Whereas the first line of defense is process-specific, the second line of defense is cross-functional or systemic. It serves the critical role of ensuring that mitigations and risk analysis are taking place as intended, but it cannot independently report on an enterprise picture of risk without input from process owners. The responsibilities of an enterprise risk manager can include providing a risk management framework, identifying emerging risks and issues, setting standards, criteria and tolerance levels, and providing consulting and mentoring to process owners.
Risk Managers
Officer sign-off on each ORSA report. As such, the CRO and risk committee will be largely responsible for their organization's compliance with ORSA. With clearly defined strategic objectives set by senior management, the risk manager's role is then to close the gap between strategic-level risk and all the operational risks faced at the front line of the organization.
[Figure: Positive Risk Culture, showing the roles of Risk Managers and Process Owners]
Roles and responsibilities need to be clearly defined and articulated so that there is accountability at all risk levels in your organization. Setting the right tone for your ERM program starts at the top, with your board of directors and senior executives. Getting their support and approval of your ERM program conveys a positive risk culture to the rest of the organization. This will lead to better engagement in risk management processes at all levels of the organization. The more integrated ERM is in everyone's job description, the easier risk assessments will become and the more valuable they will be.
Chapter 2
Risk Identification & Prioritization
Just discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but with the implementation of ORSA, insurers are now required to detail how they identify and categorize all relevant and material risks. This means that more business value and better decision making are expected from risk assessments. Formalized risk assessments allow risk managers to leverage existing activities in an objective, quantifiable, repeatable manner to show how risks and activities at the process level are impacting strategic objectives.
[Figure: Root-cause concept, relating Strategic Objectives and Risk Assessments to Root Causes 1-3, Outcomes 1-2 and Mitigation Activities 1-3]
However, orienting process owners to root cause is often easier said than done. Typically, management tends to think in terms of the outcomes or events they want to avoid or achieve, and the effects of such events. While there is a limitless set of outcomes, as risk managers we need to operate at the root-cause level in order to design effective mitigation activities.
5 Root-cause categories
External: Risks caused by outside people, entities and environments
People: Risks involving people who work for the organization
Process: Risks arising from the organization's execution of business operations
Relationships: Risks caused by the organization's connection with third parties
Systems: Risks due to data or information assets
Most assessments jump to the "What could go wrong?" aspect of risk identification, which is often just a detailed effect or symptom. Understanding the root cause requires identifying the drivers, the WHY, of the risk. You can begin to implement this root-cause approach in a facilitated session, or you can use a system to prompt assessors on the root causes of their concerns, which helps implement this solution on an enterprise scale.
As a first step, consider prompting process owners and business areas to select the root-cause category of their concern. Beginning with a root-cause risk library enables organizations to track the selection of root-cause risks across multiple business areas, which helps identify systemic risks throughout the organization and areas of upstream and downstream dependencies.
Risk Assessments
Best practice favors a 1-10 scale, with 10 having the most unfavorable consequences for the organization, split into 5 buckets to provide a high and a low for each bucket. Using a 1-10 scale makes the math easy, and having the 5 buckets gives the process owners doing the assessments the flexibility to select the high or the low of a bucket.
Giving people more flexibility in their assessments will give you better accuracy and more ability to determine what your top risks really are.
Impact scale. Each impact level has criteria defined for five impact types: Financial, Legal, Operational, Regulatory and Strategic.
3-4   Minor
5-6   Moderate
7-8   Serious
9-10  Major
For example, if we are looking at the Impact criteria for 9-10 Major: only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that level. This way, any qualitative criterion can
Chapter 3
Risk Appetite & Tolerance
[Figure: Risk Environment]
In the chart shown, the organization's projected path of performance is plotted in green. This line and the immediate area around it represent the risk appetite, or goal, of the organization. If the organization were to pursue or retain all risks in its environment, its performance could fall anywhere between the grey lines. Most organizations are uncomfortable taking on all available risk, and new laws and regulations require companies to implement narrower tolerances (purple area).
Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which in
turn, provides a higher degree of comfort that the company will achieve its objectives.
Risk Tolerance
In other words, while risk appetite is a higher-level statement that broadly considers the levels of risk that management deems acceptable, risk tolerance sets acceptable levels of variation around risk and can be more readily measured. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing tolerance.
Because all risk assessments are conducted on standardized criteria, you can work with your board or senior management to determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help you prioritize resources toward the risks that need stronger coverage.
Every day, process owners are making operational decisions about risk far from the organization's risk appetite statement. Process owners must look at their assessments and, if a risk exceeds or is below the range of set tolerance,
When risk tolerances are aligned with both overall risk appetite and
risk appetite and strategic goals can be challenging, but by trending risks over time, you can get a more accurate picture of where you are and where you need to be to reach your goals.
Chapter 4
Risk Monitoring, Controls & Action Plans
on risks that have decreasing indexes. This allows you to allocate resources to the issues and areas that will yield the greatest benefits to the organization.
[Figure: Actual vs. Tolerance; cycle of Conduct Risk Assessments, Link Risks to Activities, Prioritize Activities to be Monitored, Collect Business Measures]
business measures that they rely on daily are tied to their risks. If a risk or activity changes, organizations have no way of knowing how, or even if, these changes will affect their metrics. By conducting risk assessments and linking risks to activities, organizations can start prioritizing which activities need to be monitored.
Boards and CEOs, public and private, are depending on risk managers to monitor key risk indicators (KRIs) at
the business process level and have the proven capability to escalate up to the board as appropriate.
What They Found: The necessary expertise is not available during downtime to work on the issues.
Typical Solution: Provide a cross-training program to more individuals, giving the appearance that a preventative measure has been put in place.
In this situation, if the bank had been tracking system uptime, they would have seen that there was no improvement from the control activity put in place, and reinvestigated to realize that the system was going down during peak usage times, like lunch, when the subject matter expert was away from their desk! They could then institute effective activities, like adding more memory to the system.
Testing: Testing provides a high-level view of whether a control is effective, usually in the form of pass or fail. Testing does not necessarily provide you with
organizations lose sight of why the activity was implemented in the first place,
Business Metrics: Collecting business metrics enables you to track the progress of your mitigation
the control, such as: Has every new IT hire completed the training within the first 6 months?
Chapter 5
Risk Reporting & Communication
[Figure: 5 Key Principles, including Strategic Goals, Transparency and Assurance of Risk Coverage]
DASHBOARD #3: ERM PROGRESS
Percentage of risks mitigated
The next critical value measure is Transparency. Risk management doesn't stop at risk identification and assessment. It's also critical to show the state of ERM in terms of how many of the risks identified and evaluated are covered by mitigation activities. Notice the gap between the red bar measuring the number of risks identified and assessed and the green bar measuring the number covered by mitigation activities. Notice that each quarter the gap between the 2 bars is getting smaller. This shows how the state of ERM has evolved over the past several quarters.