1 © 2014 CSAA Insurance Group. Confidential and proprietary. Day 5 Strategic Risk Management Grace...
© 2014 CSAA Insurance Group. Confidential and proprietary.
Day 5 Strategic Risk Management
Grace Crickette
Jeff Huebner
Nicole Murray
Risky Business Week
Grace Crickette, SVP, Chief Risk and Compliance Officer
AAA Northern California, Nevada and Utah (AAA NCNU)
Operational
MEMBER Experience
Strategy
Financial
Human Capital
Legal/Regulatory
Technology
Hazard
Strategy & ERM
Strategic Planning and Risk
Strategy or Strategic Planning manifests as processes and programs in a variety of ways in an operation:
Human Capital: Recruitment, onboarding, training and retention
Technology: IT architecture, security planning, vendor management
Legal/Regulatory: Compliance Programs, Quality Review, Internal & External Audit
Operational: Procurement, Supply Chain, Facilities Planning, Long Range Development Plans
Financial: Budgeting Process
Hazard: Emergency Management and Business Continuity Planning
Risk is Necessary
Overriding Belief – Risk is Necessary
To begin, we believe it is critical to affirm the concept that risk is necessary to create value for AAA NCNU Club Members.
Risk has historically been viewed as something to be avoided or eliminated, with only a negative outcome on an organization
However, there is increasing awareness that successful risk taking leads to a competitive advantage and can maximize stakeholder value
Rather than taking an ad-hoc approach to how the AAA NCNU Club addresses risk, we want to take a strategic approach to identifying, managing, and monitoring risks that can impact our ability to deliver on our Membership Promise
AAA NCNU’s ERM Program
The AAA NCNU Club began implementing some of the key components of an Enterprise Risk Management (ERM) program in the 3rd Quarter of 2013
ERM is a coordinated and strategic approach to assessing and responding to all risks that affect the achievement of delivering our Member Promise
Key Components of AAA NCNU’s ERM Program
2014 Implementation
Principal Risks Identified
Risk Appetite & Tolerance under Development
Department Risk Reports part of F&P Process
Emerging Risk
Insurable Risk Events
Compliance & Accreditation
2013 Implementation
Foundation (Archer/Governance Risk and Control (GRC)) implementation initiated
Risk Registry Completed
Branch Enterprise Scorecard
Branch Self-Assessment Program
Management Risk Report
Jeff Huebner, VP of Treasury
CSAA Insurance Group (CSAA IG)
We make explicit risk decisions, we are in the business of risk
• We aspire to be the #1 insurer in AAA member households across the markets we serve. As an insurer, our job is to assume and manage our member policyholders' personal lines insurance risk. We need to make risk choices and take risk in order to achieve this vision.
• In order to be the #1 insurer across the markets we serve, we need to take an appropriate level of risk for the financial, catastrophic, operational, and execution risk associated with growing books of personal lines business. We need to have a willingness to accept the higher level risk that is associated with growing our business.
• We believe that our strategy needs to be a consistent, aligning, guiding, and driving force for the enterprise. We believe that frequently changing our strategy represents a very large risk. When it comes to enterprise strategy, we have a moderate appetite for the risk that we don't have the perfect strategy, as the greater risk comes with changing strategy too frequently. To support this, we need consistent communication to all employees to ensure alignment on the strategy.
Risk Category Low Appetite Moderate Appetite High Appetite
Catastrophe Risk n
Competition Risk n
Investment Risk n
Regulatory Risk n
Strategic Risk n
History of our Enterprise Risk Management program
2014
• Pre-separation, we used a high level ERM structure to identify, assess, prioritize, manage, monitor, and report risk.
• Included ERM into Audit Committee Charter
• Developed ERM guiding principles, risk management framework and ERM governance roles and responsibilities
• Identified top enterprise risks through interviews with management and ELT
• Identified risk owners for top enterprise risks and created ERM frameworks for each risk
• Conducted first ERM Leadership Team meetings
• A.M. Best identified our ERM capabilities as strong to superior
• Completed draft ORSA* report and participated in ORSA pilot program with CA DOI
• Created first Risk Appetite Statement
• Internal Audit provided independent assurance of our Business Continuity Planning and IT Disaster Recovery risks
2013, 2012, 2011, 2005 - 2010
*Own Risk and Solvency Assessment (ORSA) – a component of an insurer’s enterprise risk management framework, is a confidential internal assessment, appropriate to the nature, scale and complexity of an insurer, conducted by the insurer of the material and relevant risks identified by the insurer associated with the insurer’s current business plan and the sufficiency of capital resources to support those risks.
Enterprise Risk Management Guiding Principles
• Management owns risk and its management
• The ERM team owns the risk process and focuses on key risks. The ERM team does not provide assurance
• Strong and visible commitment from all members of the ERM leadership team, C-suite executives and Board of Directors
• Clearly defined ownership for all key risks
• Leverage ERM to ensure explicit risk choices rather than implicit or default decisions
• Employ a single, consistent framework to achieve clarity and common understanding on disparate risks
Enterprise Risk Management Five Lines of Defense
Each enterprise risk is reviewed by five lines of defense, with a four-step process at each line of defense:
• Identify and preliminarily assess
• Assess and prioritize likelihood and severity
• Assign accountability and risk response
• Monitor and report
Risk Owner
ERM Core Team
ERM Leadership Team
Executive Leadership Team
Board or Committee
Each top enterprise risk is evaluated through a consistent and extensive risk review process
Our risk identification process includes emerging risk discussions with the ERM Leadership Team and Executive Leadership Team, annual Board survey and review of risks within the industry and our peers
Once a risk is identified as a top enterprise risk, we use the following ERM process for each risk:
• Identify a risk owner
• Identify C-suite owner
• Identify Board or Committee ownership
• Define the risk
• Set risk tolerance
• Identify risk drivers and action items
• Identify and publish key risk and performance indicators
• Evaluate risk’s potential impact on strategic initiatives and key company goals
• Quantify gross risk score
• Identify mitigating controls
• Evaluate mitigating control status
• Quantify residual risk score
• Determine current risk status
• Identify target risk status
• Determine current status of mitigation efforts
• Identify target status of mitigation efforts
• Speed of onset spectrum
• Top risks correlations mapped
The risk owner then presents the completed ERM framework to the following groups:
• ERM Leadership Team – a body of 7 cross-functional executives
• Executive Leadership Team (C suite)
• The Board or Board Committee that oversees the risk
ERM risks classified by speed of onset
Speed of Onset Spectrum
Near Term to Long Term
Business Resiliency Risk
CAT Risk
Competition Risk
Reinsurance Risk
Concentration Risk
Cyber-Security
Digital Effectiveness
Enterprise Portfolio
Project Risk
Investment Risk
Auto Insurance Relevance
Reputational Risk
For each top enterprise risk, we have articulated risk tolerances, with the following as representative examples
Overall risk tolerance
We want to manage risk to ensure we can do all of the following:
• Pay 100% of all claims to support our policyholders’ needs (including major catastrophe)
• Have the financial position to be able, if we choose, to renew all of our existing policies and continue to support AAA members with their existing insurance needs
• Have the additional capital to support growth, both in support of the strategy we have outlined, and in a post-catastrophe, dislocated market where AAA members reach to us to support them
• Maintain a minimum BCAR score of 250 and a capital position above required economic capital
Catastrophe and Reinsurer credit risk
We have a risk tolerance of up to 15% of surplus lost in a 1-in-250 year event
We will not tolerate excessive exposure to individual reinsurer credit risk and use allocation caps based on AM Best ratings as follows:
• $55 million cap for A++, $50 million cap for A+, $30 million cap for A, and $10 million cap for A-
Loss Reserves
We have little tolerance for the risk of adverse loss development and we set the loss reserve margin at a 95% confidence level that carried personal lines reserves will not be exceeded, given anticipated inflation
CSAA IG’s ERM Framework Template
Appendix
Risk Name
Enterprise Risk Management
Risk Name
Risk Definition:
Business Owner: ELT Owner: Board/Committee:
Risk Tolerance:
Current Target Commentary
Risk Status
Status of mitigation efforts
Action Owner Date
Risk status legend: ● Unacceptable Risk ● Elevated Risk/Area of Focus ● Acceptable Risk ● Well Within Tolerance
Mitigation Status: ● Unsatisfactory ● Needs Improvement ● Satisfactory ● Exemplary
Risk Name
Risk Drivers Owner
Risk Name
Impact on Strategic Initiatives Impact on Enterprise OGSM
High Perf Culture
World-Class Agency Partnership
Exceptional Marketing & Direct Sales
Member-Centric Product Dev & Mgt
Top-Tier Claims Experience
Easy Selling & Servicing
Strong Financial Health
Top-tier Customer Experience
Significant PIF Growth
Competitive Expense & Combined Ratios
High Level Of Employee Engagement
Key performance indicator/Key risk indicator | Owner | Target | Year end 2011 | Year end 2012 | Q1/Q2 2013 | Q3/Q4 2013 | Year end 2013
Commentary:
Gross Risk Score =
Assurance
Description of Control Likelihood Severity Owner Status
Residual Risk Score =
Risk Assurance Matrix – Risk Name
Risk Name
Status Update: Organizational Response:
Conclusion:
Enterprise Risk Management & Our Risk Road Map
We want to deliver on our Member Promises. Sometimes we can be so focused on serving our members that we don’t notice “what could go wrong” until it has happened, and that means that our Member’s experience has been interrupted. Not everyone can know everything all of the time – we need guidance, a Road Map.
Enterprise Risk Management is a forward-thinking approach for looking at risk. The ERM programs we have put in place allow us to easily find best practices so that we are not re-inventing the wheel, and help us know where there might be hazards that we want to avoid.