
Life 2008 Spring Meeting

June 16-18, 2008


Session 42, Building and Maintaining Effective Risk Dashboards
Moderator
David T. (Todd) Henderson, FSA, MAAA, CERA
Authors
Karen J. DeToro, FSA, MAAA
Michel Rochette, FSA

Building & Maintaining Effective Risk Dashboards

Session 42
Society of Actuaries Spring Meeting
Quebec City
Tuesday, June 17, 2008
8:30am - 10:00am

Todd Henderson
The Western & Southern Financial Group
Michel Rochette
AON Global Risk Consulting
Karen DeToro
Deloitte Consulting LLP

Risk Dashboards

Tool providing consolidated and timely reporting of risk exposures across an enterprise
All important exposures, at a glance
Drilled down and sliced as necessary
Early warnings of emerging exposures
Allowing preemptive, remedial action

Keys To Success

Algorithmics
Integrate market risk, credit risk and asset liability reports in a single dashboard
Easily created and configured new reports
Rich set of visualization elements
Interactive and responsive

Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf

Keys To Success

ABN Amro/LaSalle Bank
Comprehensive risk assessment
Integrated view of risk, reward and strategy
Forward-looking, actionable, risk escalation tool
Executive sponsorship

Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf

Keys To Success

COGNOS
Data must be trustworthy
The business must be involved in shaping the requirements
Content first, then aesthetics
Technology and architecture

Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf

Comprehensive View of Risk

[Figure: risk categories (Credit, Market, Interest Rate, Insurance, Operational, Business) shown across Corporate and three SBUs]

Drill Downs & Diagnostics

[Figure: risk categories (Credit, Market, Interest Rate, Insurance, Operational, Business) shown across Corporate and three SBUs, with a drill-down callout: Value At Risk = $643 Million]

Forward Looking

Credit
Credit spread widening
Watchlist increases

Market
Value at Risk
Volatility

Insurance
Underwriting errors
Pandemic Alerts

Operational
Capacity measures

Interest Rate
Volatility

Actionable

[Figure: risk categories (Credit, Market, Interest Rate, Insurance, Operational, Business) shown across Corporate and three SBUs, with the callout: Underwriting Limit Breaches = 7]

Chief Underwriter installs system edit prohibiting limit breaches

Executive Ownership

Each measure must be owned by a senior manager
Ongoing monitoring
Remedial action

Business units should be intricately involved in developing requirements
Special knowledge
Buy-in


Risk Dashboards
Society of Actuaries Spring Meeting
Date: June 17th, 2008

What is a Risk Dashboard?


As part of ERM, Decision Makers need an integrated
view of risk across their enterprise.
Provide an approach to see correlation/links within a
risk category and between risks.
Forces the organization to adopt a structured process to
understand risk and opportunities:
Review outstanding risk issues
Prioritize management actions
Be forward looking in risk management.
Monitor compliance to existing risk policies

Audiences: Different Needs


Risk has to be communicated to different groups:
Board level:
To allow them to satisfy their fiduciary duties, making sure that
management is actually managing risk.
To assess the level of risk in light of the company's risk appetite.
To provide them with a consolidated view of major threats and opportunities that
may affect the value of the company to the different stakeholders.

Management level:
To provide them with a consolidated view of their company's risks, a
horizontal view instead of a silo view.
To allow them to assess the cost/benefit of implementing controls to reduce
risk to the company's desired risk tolerance/appetite.

Business level:
To allow them to assess the effectiveness of controls over the risks under their
jurisdiction.

Case Study: Sub prime


Sub prime credits were issued in the mortgage department of the
retail bank.
Treasury department securitized sub prime credits, created SPVs
and sponsored CDOs and the like, in line with the new strategic
models of banks to issue and sell, not hold to maturity as before.
Asset management departments/pension plans of the same banks
invested in CDOs.
Retail banks/mutual funds, some owned by the same banks,
created new short-term guaranteed investment vehicles for retail
customers, investing in asset-backed securities.
Banks provided liquidity enhancements to SPVs.
Pricing/Valuation models were not stress tested.

How a Dashboard Would Have Helped


A Dashboard should have consolidated the credit exposure for a
single FI coming from:
Issuance of the subprime credit
Credit exposure of the SPV. FIs had to consolidate credit exposure back on
their balance sheet after August 08 due to reputational considerations. Ex.
Banque Nationale/Desjardins in Quebec, Citigroup in the US.
Investment by the asset management arm/pension plan.

A Dashboard should have identified the inherent risks of the
securitization business:
Operational risk exposure of models used should have been identified.
Liquidity reports of the FI should have taken into consideration the liquidity
guarantees offered by banks to SPVs.
Market risk reports should have taken into consideration the market risk of
positions held by the asset management arm/pension plan of FIs.
Potential liabilities/regulatory/compliance issues should have been identified.

Applications of a Dashboard
Presents risk information consistently across the
enterprise.
Consolidate risks across the enterprise including
outsourced operations.
Allow enterprise to compare/analyze impact of
external/emerging events on firm.
Allow firm to monitor adherence to risk appetite using
appropriate risk metrics: VAR, EAR, CashFlow at Risk.
Allow firm to publish consistent information to both
internal and external audiences.

Dashboard: In line with Risk Concerns

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit and Insurance Risk (30)
Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

Information on Risk

Info: Vulnerability to critical processes
Measures:
Physical security breaches
Loss events
Fraud incidents
Environmental risk

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit, FX and Insurance Risk (30)
Operational Risk: Crime, security, political, natural hazard, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

Information on Risk

Info: Assets are impaired/capital at risk
Measures:
Default rates
Liquidity measures
Price risk
ALM risk

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit, FX and Insurance Risk (30)
Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

Information on Risk

Info: Malfunction in systems which impede business
Measures:
System Downtime
Information security breaches
Business continuity readiness
Disaster recovery

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit, FX and Insurance Risk (30)
Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

Information on Risk

Info: Employees unavailable/unwilling to perform functions.
Measures:
Staff Turnover
Key personnel attrition
Compensation Competitiveness
Accident rates

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit, FX and Insurance Risk (30)
Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

Information on Risk

Info: Compliance with external/internal regulations
Measures:
Fines imposed
# of investigations
Status of implementation of internal policies
New regulations discussions

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit, FX and Insurance Risk (30)
Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

Information on Risk

Info: Impact of previous risks on value of the firm including external factors.
Measures:
Chain of events impacts
Impact of new strategic initiatives
Business risks: Price/volume competition

Reputational Risk (52)
Regulatory Risk (40)
Human Capital Risk (40)
IT RISK (35)
Financial, Market, Credit, FX and Insurance Risk (30)
Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)

Source: Economist Intelligence Unit, 2005
Max Scale: 100

External Requirements: Consistency


Regulatory Standards:
Basel II/Solvency II Pillar III: Info on risk exposure and governance
SEC: information on risks in 10-K

Accounting Standards:
IFRS: Provisions as related to risk events
Brief description of the obligation, timing and uncertainty of outflows
and expected reimbursements;

Risk Standards:
COSO ERM II
Standards: ISO 31000/ANZ Australian Standards


Building and Maintaining Effective Risk Dashboards
Implementation Issues
Karen DeToro
Deloitte Consulting LLP
June 17, 2008

Key Challenges in Implementation


The most common challenges in implementing effective risk dashboards
occur in the following key areas:
Data Issues
Integration into Decision Making
Legal Issues

Data Issues
Data issues can be grouped into 3 general areas:

Controls
Non-financial data may not be well controlled
The processes for gathering data (financial and non-financial) may not be well controlled

Reconciliation to Other Reports
Variety of data sources may create challenges in reconciling data to published internal and external sources

Data Availability
Different data is required to be aggregated in a different way than for other reporting
Timeliness of data is critical for supporting key management decisions

Approaches for Addressing Data Issues


Think broadly about universe of needed data at dashboard initiation
Create centralized database to hold all key data to facilitate controls and
timely automated reporting
Build in sufficient flexibility to dashboard processes to be responsive as
key risks change over time
Implement controls similar to those used for SOX 404; leverage existing
controls over data where possible
Leverage commonalities with other data flows in organization
Develop a strong relationship with IT and business units supplying data
to better understand the data and build a reliable pipeline for data

Integration into Decision Making


In order to fully support decision making, the dashboard must be:

Actionable
Data must be relevant to management
There must be the right level and amount of information targeted to the right
audiences

Integrated into a process that drives action
Push v. pull strategies for distributing data

Tied in to incentives
Variable compensation must be partially based on performance against risk
objectives

Legal Implications
Companies are concerned about disclosing too much risk information
that may be subject to legal discovery
Companies' responses to this issue fall somewhere on a spectrum:

Ideal State
Acknowledge the risk
Collect data
Do the right thing

Middle Road
Acknowledge the risk
Collect data
Do the wrong thing

Head in the Sand
Do not acknowledge the risk
Do not collect data

Many companies (and their general counsel) presume that the middle
road is more dangerous than burying one's head in the sand

Ford Motor Company: The Middle Road Done Wrong


The situation: 1970s Ford Pinto
The risk: Gas tanks would rupture easily in the
event of a rear-end collision
The data: The risk became apparent during the
design and crash studies of the Ford Pinto
Cost of repairing the flaw: $11 per car ($137 million cost)[1]
Value of the benefit: $200,000 saved per life lost ($49.5 million
benefit)[2]
Internal documents indicated that a cost-benefit analysis did not
support fixing the flaw
Outcome: Estimates put the impact at over 500 deaths[3], and
significant financial and reputational damage to Ford

Major Conglomerate: The Middle Road Done Right


The situation: Income tax return for a major US conglomerate
The risk: The company pursued a tax accounting policy, despite some
concern that it might not be deemed acceptable by the IRS
The data: The company documented their rationale for interpreting the
tax law as they did, and quantified the impact of their interpretation
versus another interpretation commonly in use. This information was
clearly documented
Outcome: The company was taken to court by the IRS. Although the
company's interpretation was ruled to be invalid, fines and penalties
were substantially reduced because of the company's ability to
document its rationale

Taking the Middle Road - Other Lessons

Lessons can be learned from the approaches hospitals have taken in
dealing with medical errors
1999 Institute of Medicine report: medical errors cost $17B to $29B per
year and are the 8th leading cause of death in the US[4]
Pressure on hospitals to disclose errors so patients can make informed
choices about where to obtain care
Hospitals have mechanisms in place to disclose adverse medical
events as learning opportunities for doctors
Weekly Mortality & Morbidity (M&M) conferences
Hospital risk managers

Taking the Middle Road - Hospitals' Responses

Hospitals have responded to pressures for full disclosure in several ways:
Traditional approach was "defend and deny" - No admission of wrongdoing
Cases cited of risk managers and doctors denying knowledge of
medical errors to protect colleagues
Proposed legislation - IOM proposed mandatory reporting of errors to
make health care safer; simultaneously proposed legislation to extend
peer-review protections to reports of errors (currently extend to M&M)
Improve processes to reduce errors - Medical community adopting
similar checks and protocols to the airline industry
Apologize and disclose - Discussed in next case study

"With malpractice premiums soaring and a national patients'
rights movement pushing for full disclosure of medical errors,
the industry is rethinking the traditional approach known as
'defend and deny.'"[5]

Lexington VA: The Middle Road Refined

The situation: Hospitals use weekly Mortality & Morbidity (M&M)
conferences and other disclosures of adverse events as learning
opportunities to teach doctors how to address complications
The risk: Admissions of mistakes may be used against doctors in
malpractice suits.
The data: Lexington VA implemented a mandatory disclosure policy,
requiring all doctors to report errors to a committee which then informed
the family and offered compensation.
Outcome: Instead, after implementation, the average cost of error-related
payouts was only $15,632, which was in the lowest quarter of
the 35 VA hospitals in the country, and Lexington VA is deemed one of
the safest VA hospitals in the country.[6]

"Being honest defused situations that would otherwise lead to
litigation."[7]

Legal Issues - Summary

Companies can live more comfortably with the middle road by:
Acting responsibly, prudently and reasonably with the data they gather
Disclosing and apologizing when things go wrong
Utilizing lessons learned from risk events to move closer to the ideal
state by improving processes to limit future adverse events

Ideal State
Acknowledge the risk
Collect data
Do the right thing

Middle Road
Acknowledge the risk
Collect data
Do the wrong thing

Head in the Sand
Do not acknowledge the risk
Do not collect data

Bibliography

End Notes

[1] Mark Dowie. Pinto Madness. Mother Jones. Sept / Oct 1977.
[2] Ibid.
[3] Ibid.
[4] Stephanie Mencimer. Casualties of Medicine. Legal Affairs. May / June 2003.
[5] Rachel Zimmerman. Doctors' New Tool to Fight Lawsuits: Saying 'I'm Sorry'. Wall Street Journal. May 18, 2004, page A1.
[6] Ibid.
[7] Stephanie Mencimer. Casualties of Medicine. Legal Affairs. May / June 2003.

Other Sources

Sara Nathan and Guillermo X. Garcia. Ford visit led to settlement. USA Today. Jan. 9, 2000.
Jane Garbutt et al. Lost Opportunities: How Physicians Communicate About Medical Errors. Health Affairs. Vol. 27, No. 1, 2008.
Karen Lundegaard. Study Raises Roof-Safety Questions. Safety Issues. Vol. 4, Issue 41, April 2005.

Copyright 2008 Deloitte Development LLC. All rights reserved.
