Enterprise Risk & Assurance Management in Zurich North America



Enterprise Risk & Assurance Management in Zurich North America. Brian Selby MA (Audit), FIIA, QiCA, MBCS, CISA. Zurich North America.


Enterprise Risk & Assurance Management in Zurich North America

Brian Selby
MA (Audit), FIIA, QiCA, MBCS, CISA


Zurich North America

Zurich North America, a leader in business insurance, provides property, casualty and specialty insurance and risk management solutions to businesses throughout the United States. Zurich North America also offers customers a range of financial services in more than 60 countries worldwide through the affiliated companies of the Zurich Financial Services Group.


Management focus

- Significant risk and control issues
- Risk management and control aspects of the operations
- Risk identification, quantification and mitigation procedures
- Reliable assurance

In short (and in the news!) …..

CORPORATE GOVERNANCE


What is Corporate Governance?

- The system by which companies are directed and controlled
- The accountability of a board of directors and the chief executive to their stakeholders and the risk management architecture underpinning the actual and perceived fulfillment of this accountability


Corporate Governance components

© ICAEW, 2000 ISSN 1367-2517


Corporate Governance best practice

- Enterprise Risk Management (ERM):
  – A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic, operational and financial objectives (a ‘portfolio’ approach)
- Chief Risk Officer (CRO)
  – Assures continuity and consistency in risk management within an organization, bears direct responsibility for directing the organization’s entire risk management process.


The Zurich governance solution

- Enterprise level: Group Level Governance
- Chief Risk Officer: in Group Head Office
- ‘Local’ Risk Managers & Networks
- Risk Policy Manual & Procedures (ZRP)
- Risk Based Capital
- Total Risk Profiling (TRP)
- Internal Control Assessments (ICA)


Strategy components

- Control Environment and Control Activities
  – Oversight structure and committees
  – Delegated Authorities and Powers Reserved
  – Compliance
  – Security
  – Risk management policy
  – Leadership commitment (to risk management)


Strategy components (continued)

- Information and Communication
  – Communicate business objectives
  – Communication of risk management policy & goals
  – Internal risk reporting systems
  – Effective management information


Strategy components (continued)

- Risk Assessment
  – Common risk language and approach
  – Identify emerging and existing risks
  – Source emerging and existing risks
  – Estimate, evaluate and prioritize risks identified
  – Establish accountability and actions at levels commensurate with risk


Strategy components (continued)

- Monitoring
  – Internal monitoring (of risk management and internal control effectiveness)
  – Risk Key Performance Indicators
  – Internal Audit role
  – Internal Control Reporting


So it’s that easy? No!!

- This is a management cultural shift
- A change in the “Tone at the Top” is required
- The strategy is prioritized:
  – Initial actions - get momentum; early ‘wins’
  – Transform (crawl, walk, run …)
  – Target end state - level 3 of the Zurich ICA maturity model
- Management Board endorsement and active support for the strategy is essential


Assurance?

- A positive declaration intended to give confidence
- Driver – the level of assurance of the effectiveness of risk management and control required
  – Low - self-assessment reports within operation
  – Medium – separate quality assurance activity within, or commissioned by, the operation
  – High – independent assurance from Internal Audit or other advisors independent of the operation
- The higher the assurance level, the higher the cost


Assurance in Zurich North America

- Coordinate the results of review activity within the ERM framework:
  – self-assessments on risk & control issues
  – underwriting audits
  – claims technical audits
  – premium audits
  – profitability reviews
  – Internal Audit
  – External Audit


Finally ….

- Any questions?
- Any ideas you would like to share?

Brian

Thank you for your attention, questions & ideas