Understanding The Enterprise Risk Management Process

Understanding The Enterprise Risk Management Process Through The Risk Manager’s Eyes Casualty Actuarial Society Special Interest Seminar San Francisco, April 3, 2001

Presenters • Robert Wolf - Principal • William M. Mercer Inc./MMC Enterprise Risk - Chicago • Laurie Champion - Manager, Corporate Insurance • Ford Motor Company - Treasurer’s Office - Dearborn • Ken Zignorski - Managing Director • MMC Enterprise Risk - New York

Agenda • Introduction • ERM Trends - What’s Going On? • Integrated Risk Management Programs - What Does this Mean? • Risk Manager Response - Industry Examples • Risk Manager Response - Ford Motor • Q&A

Actuarial Perspective • ERM Evolution Actuarial Evolution • Traditional Roles • Evaluating Hazard/Financial Risk in a silo • Insurance Company • Determine what to charge in order to meet profits targets (Ratemaking) • What to set aside to meet future obligations of past events (Reserving) • Insurance Customers • What to budget in order to pay for self-insured obligations and premiums • What to set aside to meet future obligations of retained risk

Actuarial Perspective • Continuing Evolution Actuarial Evolution • Evolving Demands for Risk Integration • Insurance Company • Holistic Evaluation of Assets and Liabilities (Dynamic Financial Analysis (DFA)) • Optimum Capital Structure • Realization of Business Plan • Insurance Customers • Optimum Risk Financing • What risks to retain/insure - captives, retros, large deductibles • ..but still only Hazard and Financial Risk

Actuarial Perspective • ERM Evolution Actuarial Evolution • All sectors of Corporate America • Not merely Insurance Companies and their Customers

Evolution of Risk Management • As the quantification/approach to measuring/handling risk evolves, so too does our job description. • Risk Manager • From Insurance Buyer to Integrated/Consolidated Risk Strategy • Actuary • Traditional: Evaluate Hazard/Financial Risk • Evolution: DFA (Insurance Companies)/ ERM

Why the Evolution of ERM • New/Larger Risk • E-Commerce, Market/Book Values • New Risk Products • Merger of Insurance and Financial Institutions • Realization that Silo-Based Approaches are Flawed • Ignores inherent hedges and correlation • Increased Management Accountability • New Regulations requiring corporate governance

Why the Evolution of ERM • In short, because Society Demands it • Computer and Information Age • We couldn’t do what we are doing today if we needed to use slide-rules or abacus. • Focus Optimize Shareholder Value

Fortune 1000 Group Analysis10% of the Fortune 1000 companies suffered a loss of over 25% of shareholder value within one month % of top 100 Primary Cause of Stock Drop (# of Companies) Law-suits Natural Disasters Competitive Pressure Mis-aligned Products Loss of Key Customer R&D Delays Manage-ment ineffective- ness Foreign Macro-Economic Issues High Input Comm-odity Price Interest Rate Fluct-uation Cost Overruns Customer Demand Shortfall Customer Pricing Pressure Regulatory Problems Supplier Problems M&A Integration Problems Accounting irregularities Supply Chain Issues Strategic Operational Financial Hazard Source: Compustat, Mercer Management Consulting analysis - Period Examined was June 1993 to May 1998 Note: There were also 5 stock drops for which the primary cause could not reliably be determined. These 5 stock drops are not depicted. How Does Risk Manifest Itself?

Two Ways to Interpret Graph • Hazard and Financial Risk is Not Important • Hazard and Financial Risk has been and continues to be managed well • Testimonial for risk managers, actuaries, brokers, and financial analysts. • We need to continue the process • …The opportunity now is to work on the left side of the graph.

Today’s Risk Manager Is Seeing Many Things • Emerging ERM Trends • Enhanced Financial Management & Sophisticated Analysis • Integrated Risk Management Thinking • Changing & Competing Risk Management Roles & Responsibilities • Evolving Risk Management Practices & Needs

Risk Managers and Senior Executives Are Hearing More and More About Risk Management

What is Enterprise Risk Management? - EIU Survey Selected views of ERM by Senior Management: • “ERM assesses and manages all risks while looking for upsides in identifying risks.” • “The goal of Enterprise Risk Management is to understand all of the risks on a quantitative and intuitive level and to manage them through a central risk area - to take advantage of the synergies of managing risk in one area.” • “Enterprise Risk Management is about information and capital management.” • “Good risk management is reflected in share price indirectly, but the market is not giving a premium for ERM yet, it’s still too new.” • “The ultimate goal of Enterprise Risk Management is preservation of shareholder value.” • “Managing risk enterprise wide means two things: bringing all the pieces of the enterprise together to add the exposures, and using the whole enterprise to manage risk - making sure at the corporate level that all the different oversight departments are working together.” • “The job of Enterprise Risk Management is figuring out where the edge of the cliff is, and making sure the risk takers know where it is.”

1. Risk management is a systematic, critical-risk focused activity 2. Risk is quantified to make informed business decisions 3. Risk management is an integral part of strategic planning and budgeting 4. Pricing, capital allocation, performance measures consider potential risk as well as returns 5. Risk is not automatically avoided, but weighed against opportunity to optimize risk versus return 6. Risk mitigation/financing focuses on events and volatilities that could compromise financial and strategic objectives Enterprise Risk Management Enterprise Risk Management is a process for identifying and prioritizing critical risks facing an organization, quantifying their impact on financial and strategic objectives, and implementing financial and organizational solutions to address them.

Economist Intelligence Unit ERM Study

Plan To Plan To Economist Intelligence Unit ERM Study

Some Candidate Models - Random Walk & Mean Reverting

Comparison of Sample Price Paths Random Walk vs. Mean Reverting Process 250 200 150 Price 100 50 0 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 Week Random Walk Mean Reverting Process Comparison of Price PathsRandom Walk vs. Mean Reverting Process RW: lnSt - lnSt-1 = et MR: lnSt - lnSt-1 = .10 [ln100 - lnSt-1] + et

All Risks Integrated Risks (1 to 8) Currency Separate Treatment Individual Risks Effect of Integrating $1.6B $764M $700m D E V I A T I O N F R O M M E A N 99% $500m 90% $100m $10m Mean - $10m $4B $2.4B $434M $4B $4B $(43)M $115M $433M $332M $1M $173M $132M - $100m Mean values 10% 1% -$500m -$700m Combined Risks (1 to8) Summed Total Combined Total Currency Risk 1 Risk 2 Risk 3 Risk 4 Risk 7 Risk 8 Risk 5 Risk 6 Volatility Around Annual Expected Cost • Diversification / covariance effect captured through integration of financial risks • Reduces capital required to manage volatility

Many New Analytical Models • Value at Risk • Dynamic Financial Analysis • Monte Carlo Simulation • Time Series Analysis • Data Segregation and Analysis • GARCH Analysis

Enterprise Total Risk . . . Risk Risk Risk Risk N 1 2 3 DECISION Retained Risk “unknown” RETAIN + Premium “unknown” PREMIUM Often leads to a sub-optimal enterprise result: • Over insurance/hedging of non-correlated and negatively correlated risks • Under insurance/hedging of positively correlated risks • Higher than understood exposure to event risk • Missed opportunities to place risks in different markets Financing Risks Via Silo Management

Enterprise Total Risk . . . Risk Risk Risk Risk N 1 2 3 DECISION Retained Risk “known” RETAIN + Premium “known” PREMIUM Some risks should stay in silos Some risks should be split out from silos in which they currently reside Some risks should be combined in larger portfolios And, “Overlay” decisions may be necessary to produce the desired result. Silo Risk Management as a Portfolio of Interrelated Decisions

Enterprise Total Risk . . . Risk Risk Risk Risk N 1 2 3 DECISION Retained Risk “known” RETAIN + Premium “known” PREMIUM Managing Risk Financing Strategies on a Portfolio of Risk Basis

Who manages what risk and how do they relate? How are decisions made? Understanding Current Risk Management Systems Strategic/Tactical • Take Risk • Shed Risk • Avoid Risk What information and performance measures are used to make decisions? Operating Decisions & Responses • Prevention • Mitigation • Recovery Results Financial • Capital Structure • Capital Budgeting • Pricing • Ins./Hedge/Retain

So What is The Result? • Evolving Risk Management Positions • Chief Risk Officer, ERM Councils, Global Director of Risk Management • Rise of, and Partnership with, Internal Audit • Corporate governance issues and perspectives • Rise of, and Partnership with, Treasury • Financial Management perspectives and insights • Rise of Board Audit Committees • Evolving Skill Base for Risk Managers

Corporate Governance Establishing a Chief Risk Officer Crisis Management Integrating Hazard and Financial Risks into a Single Contract “Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof.” E.J. Smith Captain, H.M.S. Titanic Enterprise Risk Management Can Mean All These Things

CRO functions as advisor regarding business risks, with decision responsibility falling solely on business units. Market and credit risks are isolated in specific areas of the business, whereas operational risks are inherent in all business processes. All categories of risk are managed by senior line executives, supported by control specialists. Market and credit risk specialists are traditional risk managers Metrics used include VaR, cash flow volatility, claims exposures with analytical expertise and industry expertise. and notional exposure amounts; earnings-at-risk is not used due to Operational control team includes auditors, high day-to-day volatility of amounts of exposure and earnings. contingency planners, security specialists, compliance experts and traditional risk managers. CRO views risks broadly but is weary of trying to reduce them to too few metrics because “you lose track of the numbers.” Strategy is to make ERM even more nimble – company has formed a horizontal, cross functional, rapid-response team to quickly evaluate risks of e- business initiatives across the units. CRO does not believe that risks should be “run high up in the company.” Also, past experience with one CFO resulted in too much focus on controller type risks. CRO has spent a lot of energy trying to defuse issues of clout, turf, etc. while trying to make risk management an automatic, not too complicated part of ongoing business practices. Financial Services Institution Company / Title ERM Perspectives, Roles & Responsibilities Reporting Structure CRO reports to CFO. Mutual Fund Company CRO only responsible for financial and operational risks. Risk Group, consisting of risk, audit, compliance, & security, meets regularly. Chief Risk Officer Ensures that Company’s financial risks are well integrated. Source: EIU Study , 2000

Company / Title ERM Perspectives, Roles & Responsibilities Reporting Structure CFO has enterprise risk management responsibility, and the Risk Manager reports to him. The firm takes a portfolio approach via “profit at risk” and they do analyze correlations across commodities, but they haven’t found correlations in other areas such as cash-flow volatility vs. other kinds of risks. They do much to offset or manage risks across business units (e.g., determining how to handle being long power and short gas without artificially limiting what the power and gas sides can do). The risks they manage include commodity, foreign exchange, interest rate and credit risk, and they believe that most of their risks are quantifiable They are also focused on bringing top management to a fundamental agreement on “profit at risk.” Then they will consider plans to take positions at holding company level to balance the risks in the business units. Risk Manager faces cultural hurdles, spending lots of time teaching managers who grew up in a regulated environment about risk. CFO is creating a broad conceptual framework to help traders think about risk, to evolve the company away from micro-management. CFO is ERM champion with support from Risk Manager, who reports directly. Large company that markets energy services and products throughout North America. Business also includes a Gas and Electric Company that delivers natural gas and electricity service to one in every 20 Americans. Chief Financial Officer Risk Manager Source: EIU Study, 2000 Power & Energy Industry

ERM Manager thinks good risk management is indirectly reflected in share price, but thinks it’s too early for the market to give premiums for ERM. To determine company risks, ERM group meets – twice a year for major units and once a year for smaller units -- with the line manager of each unit, along with direct reports, and identifies the processes having a major effect on shareholder value (major is defined as accounting for 10% or more of capital earnings for the unit). Then they examine how sound the decision-making tools are behind each process. They do scenario-based planning: identify four events that could affect each unit’s value; quantify the likely impact on cash flows; and, develop action plans to manage the risk(s). Senior managers are evaluated on action plan implementation. They would like to begin compensating senior management on risk-adjusted returns. They tie compensation to EVA for now. They hope ERM will help reduce volatility in earnings. Other metrics include cash flow volatility, VAR with their debt profiles due, and interest rate volatility. ERM group considers whether various risks need to be managed in coordination among various units or among different levels of the corporation. They have an intranet application that lets everyone see the various risks throughout the company and explains how they’re being managed. One major challenge in implementing ERM is the lack of other companies that are doing it well – few examples for comparison. Chemical/Agricultural Industry Company / Title ERM Perspectives, Roles & Responsibilities Reporting Structure ERM Manager reports to the CEO Company’s ERM goal is to maximize shareholder value while minimizing capital outlays. Large global producer & and is viewed as the equivalent of a marketer of agricultural CRO. products, operating in nearly 70 countries worldwide ERM Manager They’re not at the point of measuring correlations, domino effects etc. Source: EIU Study , 2000

RM claims not to believe in enterprise risk management or in CRO roles. RM’s opinion is that company is happy managing risks in boxes—they have 12 different groups having something to do with risk management. But, in practice company is working to integrate too. RM has, for instance, started something called Riskweb, where every department having anything to do with risk can post information, contacts, etc; they are even putting some outside consultants on the site. RM emphasizes that company’s Board, with delegated responsibility to the CFO, has always looked at risk across its activities. RM states that under the new CEO company is getting much less conservative and much more interested in taking more risk. Part of this shift involves stopping attempts to mitigate risk down to a zero tolerance. Company plans to micro-manage less, particularly as they move more to third party suppliers (micro-managing them loses the savings of moving to them in the first place). Company is very concerned about e-commerce risks. Two main facets: - They are concerned about security risks as they use e-commerce increasingly in their supply chain. - They are setting up and investing in new dotcoms. Information Technology Industry Company / Title ERM Perspectives, Roles & Responsibilities Reporting Structure Board responsible for looking at Large Computer risks across activities, with CFO Manufacturer ultimately responsible for risk management. Risk Management function reports to CFO Risk Manager A key challenge in risk management is getting accurate data.

Risk management is implicit in firm’s strategic planning process, financial planning and budgeting process, and pre- and post-investment appraisal process. - They bring together senior management from each branch of the business with the senior risk manager identifying risk. - Company officers are interviewed and asked what other areas they can identify as being vulnerable to risk. - The expense of a given risk is ranked on a scale of one to five and multiplied by a similar measure of probability, also ranked on a scale of one through five. - Risk is then examined on a gross basis and on a net basis (current exposure). - Twice a year, a summary of significant risks is presented to the audit committee. - This is extended into an action plan, the progress of which is monitored throughout the year. Crisis management skills, continuity planning and business continuity skills are all managed centrally by the risk management group. Future risk management, within firm, must evolve towards providing management with greater analysis of how to treat risk on an integrated basis. Director of risk management is anxious to see risk insurance policies that cover a broad range of possibilities. He believes that risk management will “manage down” impact and probability operationally. Consumer Brands Company Company / Title ERM Perspectives, Roles & Responsibilities Reporting Structure The Director of Risk Management UK based international reports to the Corporate Secretary, hospitality and leisure who is a member of the executive group focusing on Board. Company believes that explicitly identifying risk is Enterprise Risk Management. hotels, leisure retail and Twice a year, a summary of branded drinks. significant risks is presented to the Firm has a major risk identification process that is similar to ERM. audit committee. Director of Risk Management The primary variable monitored is impact on earnings.

Ford Motor Company • Risk Management At Ford • External Service Providers • What Risk Management Services is Ford Expecting in the Future

Risk Management at Ford • Ford’s approach to risk management in general • Ford’s Approach to Hazard Risk Management • Ford’s use of external service providers • What external service providers does Ford see now? • What does Ford value? • Ford’s requirements for the future • Skill sets • Infrastructure

Ford Risk Management - Purpose, Statement and Vision • To improve the business’ ability to understand manage and mitigate global corporate risk in real time, • In such a way that we make better risk/return decisions and manage capital more efficiently, • So that shareholder value materializes and unforeseen risks do not.

Hazard Risk Management at Ford • Centralized, global, “consistent” • Treasury function • Matrix approach (Legal, Safety, Facilities, HR, Business Ops, Finance) • Risk retention vs. transfer • Risk management practices • Culture

External Service Providers • What external service providers does Ford see now? • Actuarial Firms • Insurance and Reinsurance Companies • Risk Management Consulting Firms • Big 5 Accountants • Brokers • Integrated Risk Management

Understanding The Enterprise Risk Management Process

Understanding The Enterprise Risk Management Process

Presentation Transcript

Enterprise Risk Management

Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management

Enterprise Risk Management

Enterprise Risk Management

Enterprise Risk Management

Enterprise risk management

Enterprise Risk Management

Enterprise Risk Management

Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management

Enterprise Risk Management

Enterprise Risk Management

Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management