Why Do ERM? Denny Groner, Groner & Associates. President’s Mid-Year Meeting, Savannah, GA, April 27 – 29, 2014.
“Good corporate governance is a system in which those who manage a company — that is, officers and directors — are effectively held accountable for their decisions and performance.” Mary L. Schapiro, SEC
“Managing risk is an ongoing enterprise risk management activity, operating at many levels within the organization.” NAIC ORSA Guidance Manual
What is ORSA? The Own Risk and Solvency Assessment, which is a component of an insurer’s enterprise risk management (ERM) framework, is a confidential internal assessment appropriate to the nature, scale and complexity of an insurer conducted by that insurer of the material and relevant risks identified by the insurer associated with an insurer’s current business plan and the sufficiency of capital resources to support those risks.
An insurer subject to ORSA is expected to:
(1) Regularly, no less than annually, conduct an ORSA to assess the adequacy of its risk management framework, and current and estimated projected future solvency position;
(2) Internally document the process and results of the assessment; and
(3) Provide a confidential high-level ORSA Summary Report annually to the lead state commissioner if the insurer is a member of an insurance group and, upon request, by the domiciliary state regulator. (p. 2)
Exemption
a. The individual insurer’s annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, is less than $500 million; and,
b. If the insurer is a member of an insurance group and the insurance group’s (all insurance legal entities within the group) annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, is less than $1 billion. (p. 3)
However, some states already require every insurer regardless of size to submit their high level summary of their ERM plans and to assess the adequacy of their risk management framework (e.g., NY), while others (e.g., MN) have their own ERM summary
What is the NAIC’s goal for ORSA?
1. To foster an effective level of ERM at all insurers, through which each insurer identifies, assesses, monitors, prioritizes and reports on its material and relevant risks identified by the insurer, using techniques that are appropriate to the nature, scale and complexity of the insurer’s risks, in a manner that is adequate to support risk and capital decisions; and
2. To provide a group-level perspective on risk and capital, as a supplement to the existing legal entity view.
Don’t do ERM just for the regulators, do it because it helps better manage your business. Just don’t forget that sooner or later the regulators will ask for it.
ERM Can Help You…
• Align and integrate risk mitigation strategies across different risk areas
• Reduce performance variability – by quantifying and qualifying uncertainty and by increasing responsiveness and speed when faced with a crisis
• Build regulator confidence in the company and reduce regulatory actions, sanctions and penalties
• Improve governance by helping the board focus on high priority issues
• More successfully respond to a changing business environment
• Improve the efficiency of strategic planning
• Facilitate cost control – provide a sound basis for streamlining controls and procedures which no longer apply, thus saving time and money
• Enhance member value by minimizing losses
• Increase preparedness for outside review
• Strengthen your culture for continuous improvement
• Reinforce best practice culture
• Provide a systematic and thorough basis for decision making
Out-of-Date Fraud Plan A company was defrauded by a clerk who used electronic funds transfers (EFTs) in small amounts to circumvent controls. Had she not been greedy, the company would never have known, because the company’s fraud plan was written before the company allowed EFTs and there were no controls in it for EFTs.
“You’ve got to be very careful if you don’t know where you are going, because you might not get there.” Yogi Berra. Had the company done a thorough risk assessment, it would have identified this as a potential risk.
Disaster Recovery Plan That Was a Disaster A company did not consider its disaster recovery plan a high priority, because it had never suffered a significant disaster. It obtained a boilerplate plan from a technology consultant and submitted that to the board of directors and regulators. One summer, there was a tornado in the local area and the company experienced a major power surge followed by a two-day power outage. The plan did not take that scenario into account sufficiently; e.g., there was no plan in place to replace damaged equipment, telephones would not work, and back-up power lasted only 4 hours. The company lost data, and once power was restored it needed an additional week to get everything back online.
“If past history was all there was to the game, the richest people would be librarians.” Warren Buffett. They did not understand the full extent of the risks they faced, so their disaster recovery plan was totally inadequate.
Swiss Cheese Controls When conducting its ERM, a company identified a risk that independent agents might churn annuities as the company sought to implement new products with bonus features. It felt additional controls were needed. In developing those controls, it discovered that its current replacement screening procedures neglected to include replacements for three current annuities due to a programming error. This also meant that it had been reporting replacement rates to the board of directors and regulators that dramatically underestimated its real replacement rates.
“I was paying so much attention to the game, so I didn’t see it coming.” Comment of a spectator who was knocked out by a foul ball. If the company had not done an ERM plan, it would never have identified a risk that needed additional controls, or that its current controls were full of holes.
Why ERM?
• Sooner or later the regulators will want it, but don’t do it because of that.
• Do it because it can help your company avoid, better manage and reduce risk, which is your job.