1 © 2014 CSAA Insurance Group. Confidential and proprietary. Day 5 Strategic Risk Management Grace...


Day 5 Strategic Risk Management

Grace Crickette

Jeff Huebner

Nicole Murray

Risky Business Week


Grace Crickette, SVP, Chief Risk and Compliance Officer

AAA Northern California, Nevada and Utah (AAA NCNU)


Operational

MEMBER Experience

Strategy

Financial

Human Capital

Legal/Regulatory

Technology

Hazard

Strategy & ERM


Strategic Planning and Risk

Strategy or Strategic Planning manifests as processes and programs in a variety of ways in an operation:

Human Capital: Recruitment, onboarding, training and retention

Technology: IT architecture, security planning, vendor management

Legal/Regulatory: Compliance Programs, Quality Review, Internal & External Audit

Operational: Procurement, Supply Chain, Facilities Planning, Long Range Development Plans

Financial: Budgeting Process

Hazard: Emergency Management and Business Continuity Planning


Risk is Necessary

Overriding Belief – Risk is Necessary

To begin, we believe it is critical to affirm the concept that risk is necessary to create value for AAA NCNU Club Members.

Risk has historically been viewed as something to be avoided or eliminated, with only a negative outcome on an organization

However, there is increasing awareness that successful risk taking leads to a competitive advantage and can maximize stakeholder value

Rather than taking an ad-hoc approach to how the AAA NCNU Club addresses risk, we want to take a strategic approach to identifying, managing, and monitoring risks that can impact our ability to deliver on our Membership Promise


AAA NCNU’s ERM Program

The AAA NCNU Club began implementing some of the key components of an Enterprise Risk Management (ERM) program in the 3rd Quarter of 2013

ERM is a coordinated and strategic approach to assessing and responding to all risks that affect the achievement of delivering our Member Promise


Key Components of AAA NCNU’s ERM Program

2014 Implementation

Principal Risks Identified

Risk Appetite & Tolerance under Development

Department Risk Reports part of F&P Process

Emerging Risk

Insurable Risk Events

Compliance & Accreditation

2013 Implementation

Foundation (Archer/Governance Risk and Control (GRC)) implementation initiated

Risk Registry Completed

Branch Enterprise Scorecard

Branch Self-Assessment Program

Management Risk Report


Jeff Huebner, VP of Treasury

CSAA Insurance Group (CSAA IG)


We make explicit risk decisions, we are in the business of risk

• We aspire to be the #1 insurer in AAA member households across the markets we serve. As an insurer, our job is to assume and manage our member policyholders' personal lines insurance risk. We need to make risk choices and take risk in order to achieve this vision.

• In order to be the #1 insurer across the markets we serve, we need to take an appropriate level of risk for the financial, catastrophic, operational, and execution risk associated with growing books of personal lines business. We need to have a willingness to accept the higher level risk that is associated with growing our business.

• We believe that our strategy needs to be a consistent, aligning, guiding, and driving force for the enterprise. We believe that frequently changing our strategy represents a very large risk. When it comes to enterprise strategy, we have a moderate appetite for the risk that we don't have the perfect strategy, as the greater risk comes with too frequent changing of strategy. To support this, we need consistent communication to all employees to ensure alignment on the strategy.

Risk Category Low Appetite Moderate Appetite High Appetite

Catastrophe Risk n

Competition Risk n

Investment Risk n

Regulatory Risk n

Strategic Risk n


History of our Enterprise Risk Management program

2014

• Pre-separation, we used a high level ERM structure to identify, assess, prioritize, manage, monitor, and report risk.

• Included ERM into Audit Committee Charter

• Developed ERM guiding principles, risk management framework and ERM governance roles and responsibilities

• Identified top enterprise risks through interviews with management and ELT

• Identified risk owners for top enterprise risks and created ERM frameworks for each risk

• Conducted first ERM Leadership Team meetings

• A.M. Best identified our ERM capabilities as strong to superior

• Completed draft ORSA* report and participated in ORSA pilot program with CA DOI

• Created first Risk Appetite Statement

• Internal Audit provided independent assurance of our Business Continuity Planning and IT Disaster Recovery risks

2013

2012

2011

2005 - 2010

*Own Risk and Solvency Assessment (ORSA) – component of an insurer’s enterprise risk management framework, is a confidential internal assessment appropriate to the nature, scale and complexity of an insurer conducted by the insurer of the material and relevant risks identified by the insurer associated with an insurer’s current business plan and the sufficiency of capital resources to support those risks.


Management owns risk and its management

The ERM team owns the risk process and focuses on key risks. The ERM team does not provide assurance

Strong and visible commitment from all members of the ERM leadership team, C-suite executives and Board of Directors

Clearly defined ownership for all key risks

Leverage ERM to ensure explicit risk choices rather than implicit or default decisions

Employ a single, consistent framework to achieve clarity and common understanding on disparate risks

Enterprise Risk Management Guiding Principles


Enterprise Risk Management Five Lines of Defense

Each enterprise risk is reviewed by five lines of defense, with a four-step process at each line of defense:

Identify and preliminarily assess

Assess and prioritize likelihood and severity

Assign accountability and risk response

Monitor and report

Risk Owner

ERM Core Team

ERM Leadership Team

Executive Leadership Team

Board or Committee


Each top enterprise risk is evaluated through a consistent and extensive risk review process

Our risk identification process includes emerging risk discussions with the ERM Leadership Team and Executive Leadership Team, annual Board survey and review of risks within the industry and our peers

Once a risk is identified as a top enterprise risk, we use the following ERM process for each risk:

• Identify a risk owner

• Identify C-suite owner

• Identify Board or Committee ownership

• Define the risk

• Set risk tolerance

• Identify risk drivers and action items

• Identify and publish key risk and performance indicators

• Evaluate risk’s potential impact on strategic initiatives and key company goals

• Quantify gross risk score

• Identify mitigating controls

• Evaluate mitigating control status

• Quantify residual risk score

• Determine current risk status

• Identify target risk status

• Determine current status of mitigation efforts

• Identify target status of mitigation efforts

• Speed of onset spectrum

• Top risks correlations mapped

The risk owner then presents the completed ERM framework to the following groups:

• ERM Leadership Team – a body of 7 cross functional executives

• Executive Leadership Team (C suite)

• The Board or Board Committee that oversees the risk


ERM risks classified by speed of onset

Speed of Onset Spectrum

Near Term

Long Term

Business Resiliency Risk

CAT Risk

Competition Risk

Reinsurance Risk

Concentration Risk

Cyber-Security

Digital Effectiveness

Enterprise Portfolio

Project Risk

Investment Risk

Auto Insurance Relevance

Reputational Risk


For each top enterprise risk, we have articulated risk tolerances, with the following as representative examples

Overall risk tolerance

We want to manage risk to ensure we can do all of the following:

• Pay 100% of all claims to support our policyholders’ needs (including major catastrophe)

• Have the financial position to be able, if we choose, to renew all of our existing policies and continue to support AAA members with their existing insurance needs

• Have the additional capital to support growth, both in support of the strategy we have outlined, and in a post-catastrophe, dislocated market where AAA members reach to us to support them

• Maintain a minimum BCAR score of 250 and a capital position above required economic capital

Catastrophe and Reinsurer credit risk

We have a risk tolerance of up to 15% of surplus lost in a 1-in-250 year event

We will not tolerate excessive exposure to individual reinsurer credit risk and use allocation caps based on AM Best ratings as follows:

• $55 million cap for A++, $50 million cap for A+, $30 million cap for A, and $10 million cap for A-

Loss Reserves

We have little tolerance for the risk of adverse loss development and we set the loss reserve margin at a 95% confidence level that carried personal lines reserves will not be exceeded, given anticipated inflation


CSAA IG’s ERM Framework Template

Appendix


Risk Name

Enterprise Risk Management


Risk Name

Risk Definition:

Business Owner: ELT Owner: Board/Committee:

Risk Tolerance:

Current Target Commentary

Risk Status

Status of mitigation efforts

Action Owner Date

Risk status legend: • Unacceptable Risk • Elevated Risk/Area of Focus • Acceptable Risk • Well Within Tolerance

Mitigation Status: • Unsatisfactory • Needs Improvement • Satisfactory • Exemplary


Risk Name

Risk Drivers Owner

Risk status legend: • Unacceptable Risk • Elevated Risk/Area of Focus • Acceptable Risk • Well Within Tolerance

Mitigation Status: • Unsatisfactory • Needs Improvement • Satisfactory • Exemplary


Risk Name

Impact on Strategic Initiatives Impact on Enterprise OGSM

High Perf Culture

World-Class Agency Partnership

Exceptional Marketing & Direct Sales

Member-Centric Product Dev & Mgt

Top-Tier Claims Experience

Easy Selling & Servicing

Strong Financial Health

Top-tier Customer Experience

Significant PIF Growth

Competitive Expense & Combined Ratios

High Level Of Employee Engagement

Key performance indicator/Key risk indicator

Owner | Target | Year end 2011 | Year end 2012 | Q1/Q2 2013 | Q3/Q4 2013 | Year end 2013


Commentary:

Gross Risk Score =

Assurance

Description of Control Likelihood Severity Owner Status

Residual Risk Score =

Risk Assurance Matrix – Risk Name

Mitigation Status: • Unsatisfactory • Needs Improvement • Satisfactory • Exemplary


Risk Name

Status Update: Organizational Response:

Conclusion:


Enterprise Risk Management & Our Risk Road Map

We want to deliver on our Member Promises. Sometimes we can be so focused on serving our member that we don’t notice “what could go wrong” until it has happened, and that means that our Member’s experience has been interrupted. Not everyone can know everything all of the time – we need guidance, a Road Map.

Enterprise Risk Management is a forward-thinking approach for looking at risk. The ERM programs we have put in place allow us to easily find best practices so that we are not re-inventing the wheel, and help us know where there might be hazards that we want to avoid.