ERM: Enterprise Risk Management

© Stanhope by Hufton + Crow ERM: Enterprise Risk Management David N. Ingram, CERA, FRM, PRM Senior Vice President, Willis Re


Transcript of ERM: Enterprise Risk Management

Page 1: ERM: Enterprise Risk Management

© Stanhope by Hufton + Crow

ERM: Enterprise Risk Management

David N. Ingram, CERA, FRM, PRM

Senior Vice President, Willis Re

Page 2: ERM: Enterprise Risk Management

The agenda

Goal: a better understanding of the following:

The objectives and benefits of ERM

Some fundamental issues in measuring risk

Choosing ERM Objectives

How to get started on implementing Enterprise Loss Controlling

Building a Full ERM Program

Best practices in ERM

Status of ERM Implementation

Page 3: ERM: Enterprise Risk Management

1. ERM: goals & benefits

Page 4: ERM: Enterprise Risk Management

ERM: new name, old stuff?

“ERM is just a fancy name for what my colleagues and I here at ABC Insurance do and have been doing every day for thirty years.”

“We know all about ERM. Our trained professionals check every policy we write and every asset we buy.”

“Actuaries don’t need training in ERM. Risk is what our profession is all about. We are already the experts on risk.”

Page 5: ERM: Enterprise Risk Management

Advice from my first boss

Clients pay insurers to assume some of their risk

The key to an insurer’s success is making sure it is adequately paid for doing so

Be sure to maintain the right balance between risk and return.

Don’t take on risk if you are not adequately paid to do so. Gladly take on risk if the price is right.

It’s all about risk and return (profit)

(Agree?)

Page 6: ERM: Enterprise Risk Management

Key questions about profit

How much profit did our firm make last year?

We ask similar questions about the components of profit: premiums, losses, expenses, and the like

We calculate and report by month and quarter also

Was that more or less than a year/quarter/month ago?

Were our profits in a specific line of business (or state or county) more or less than our profits in another line of business (or state or county)?

Page 7: ERM: Enterprise Risk Management

Questions about profit

At the very least, we expect a firm to know the following:

Its overall profits

Its change in profit over time

Its difference in profit across different lines of business, territories, or functions (e.g., underwriting and investment)

If it doesn’t know these things, we would seriously doubt whether the firm is well-managed. (Agree? Firms know?)

Page 8: ERM: Enterprise Risk Management

It’s hard to manage profit without numbers

Numbers focus management attention (a scarce resource) on problems and opportunities

Numbers provide feedback on actions taken.

Are we making or losing money? Why?

Are we more or less profitable than last year? Why?

Where are we especially profitable and especially unprofitable?

What actions can/should we take to improve our overall profitability?

Page 9: ERM: Enterprise Risk Management

My question to my boss

So where are the risk numbers?

I’ve seen numerous reports, spreadsheets, meetings, etc. that analyze our profits

Where are the reports, spreadsheets, meetings, etc. that analyze our risks?

How can you manage risk without risk numbers!

Page 10: ERM: Enterprise Risk Management

Questions about risk

Shouldn’t we expect a firm to know the following:

Its overall risk

Its change in risk over time

Its difference in risk across different lines of business, territories, or functions (e.g., underwriting and investment)

If it doesn’t know these things, shouldn’t we seriously doubt whether the firm is well-managed? (Agree?)

Page 11: ERM: Enterprise Risk Management

It’s hard to manage risk without numbers

Numbers focus management attention (a scarce resource) on problems and opportunities

Numbers provide feedback on actions taken.

Are we taking too much or too little risk? Why?

Are we taking more or less risk than last year? Why?

Where are we taking little risk and where excessive risk?

What actions can/should we take to improve our overall risk?

Page 12: ERM: Enterprise Risk Management

Results of managing risk without numbers

We focus far more on return than on risk

We can’t compare different risks

And we can’t compare the same risk over time

Therefore we can’t really manage risk, since we lack feedback

And we don’t know the risks on which we should focus scarce managerial attention

Page 13: ERM: Enterprise Risk Management

Managing without numbers

Lack of measurement also means that we become very susceptible to potentially distorted perceptions of risk

We also become complacent, and readily attribute high profits (from low losses) to skill rather than luck

Do we need to revisit the earlier quotes? “We already do ERM” “We know our risks (especially overall)” “We are already the experts on risk”

So where are the reports etc. on risk? Agree? Does your firm have them?

Page 14: ERM: Enterprise Risk Management

What is ERM?

It is an evolving body of knowledge – concepts, methods, and techniques – . . .

. . . that enables a firm to understand, measure, and manage its overall risk . . . (objectives)

. . . so as to maximize the firm’s value to shareholders and policyholders. (benefits)

Page 15: ERM: Enterprise Risk Management

2. Measuring risk

Page 16: ERM: Enterprise Risk Management

Measuring risk: How much risk are we taking?

To answer this question we need to specify and implement a way of describing and comparing probability distributions of outcomes; we need a risk measure

Conceptually, there has been more emphasis on inventing new risk measures than on comparing or using existing ones in a practical way.

Page 17: ERM: Enterprise Risk Management

Measuring risk: How much risk are we taking?

Practically, the need is for a common risk vocabulary across varied groups:

Underwriters: focus on pricing risk

Actuaries: focus on reserve risk

Portfolio Managers: focus on investment risk

Various: focus on credit risk

Page 18: ERM: Enterprise Risk Management

How to measure risk: quiz

The table at right shows four alternatives, A through D, and the payoffs for each, with their associated probabilities.

All four alternatives have the same Expected Value (EV): 100

A positive number means that you receive this amount.

A negative number means that you pay or lose this amount.

Which alternative is the most risky? (Vote)

Which is the least risky? (Vote)

Probability    50%    49%     1%     EV

A               75     75   2575    100

B              -20    220    220    100

C              249    -50      0    100

D              104    100   -100    100

Page 19: ERM: Enterprise Risk Management

How to measure risk

Alternative A has the highest standard deviation

But this is due to the high upside potential of this alternative. Is that really relevant?

Does giving you a lottery ticket increase your risk?

Isn’t risk better defined as a potential for loss?


Page 20: ERM: Enterprise Risk Management

How to measure risk

Alternative B has the highest probability of loss.

But the loss isn’t very big.

Shouldn’t the magnitude of the loss also be taken into account?

Page 21: ERM: Enterprise Risk Management

How to measure risk

Alternative C has the highest expected loss, given that a loss occurs: -50 times 0.49 = -24.5

That is the breakeven cost of buying insurance against loss.

That is also the cost of a put option with a strike price of zero.

Page 22: ERM: Enterprise Risk Management

How to measure risk

Alternative D has the highest loss.

It has the worst case loss among the outcomes shown

This is the same as the highest 1% Value at Risk (VaR)
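
The four "most risky" answers from the quiz slides, computed side by side. This is an added example, not part of the original presentation: the payoffs and probabilities come from the quiz table, the function names are illustrative, and expected loss is taken as the probability-weighted loss, matching the slide's "-50 times 0.49".

```python
from math import sqrt

# Probabilities and payoffs copied from the quiz table on the slides.
PROBS = (0.50, 0.49, 0.01)
ALTERNATIVES = {
    "A": (75, 75, 2575),
    "B": (-20, 220, 220),
    "C": (249, -50, 0),
    "D": (104, 100, -100),
}


def expected_value(payoffs, probs=PROBS):
    return sum(p * x for p, x in zip(probs, payoffs))


def std_dev(payoffs, probs=PROBS):
    """Standard deviation: penalises upside and downside alike."""
    ev = expected_value(payoffs, probs)
    return sqrt(sum(p * (x - ev) ** 2 for p, x in zip(probs, payoffs)))


def prob_of_loss(payoffs, probs=PROBS):
    """Chance of any negative payoff, ignoring its size."""
    return sum(p for p, x in zip(probs, payoffs) if x < 0)


def expected_loss(payoffs, probs=PROBS):
    """Probability-weighted loss E[min(X, 0)] (the slide's -50 * 0.49)."""
    return sum(p * min(x, 0) for p, x in zip(probs, payoffs))


def worst_case(payoffs):
    return min(payoffs)


def value_at_risk(payoffs, tail=0.01, probs=PROBS):
    """Loss at the `tail` quantile of the payoffs (positive number = loss)."""
    cumulative = 0.0
    for payoff, prob in sorted(zip(payoffs, probs)):
        cumulative += prob
        if cumulative >= tail - 1e-12:  # tolerance for float accumulation
            return -payoff
    return -max(payoffs)


def riskiest_by_measure():
    """Which alternative each risk measure ranks as the most risky."""
    alts = ALTERNATIVES
    return {
        "std_dev": max(alts, key=lambda k: std_dev(alts[k])),
        "prob_of_loss": max(alts, key=lambda k: prob_of_loss(alts[k])),
        "expected_loss": min(alts, key=lambda k: expected_loss(alts[k])),
        "worst_case": min(alts, key=lambda k: worst_case(alts[k])),
        "var_1pct": max(alts, key=lambda k: value_at_risk(alts[k], 0.01)),
    }


if __name__ == "__main__":
    print("alt     EV      SD  P(loss)  E[loss]  worst  VaR1%  VaR5%")
    for name, pay in ALTERNATIVES.items():
        print(f"{name:>3} {expected_value(pay):6.1f} {std_dev(pay):7.1f} "
              f"{prob_of_loss(pay):8.2f} {expected_loss(pay):8.1f} "
              f"{worst_case(pay):6d} {value_at_risk(pay, 0.01):6d} "
              f"{value_at_risk(pay, 0.05):6d}")
    print(riskiest_by_measure())
```

Each measure picks a different alternative, and the VaR answer depends on the level chosen: at a 5% tail, D's VaR is a gain of 100, so D ranks as the least risky alternative rather than the most.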

Page 23: ERM: Enterprise Risk Management

A key concept in the evolution of ERM: VaR

1989: Dennis Weatherstone, CEO of J. P. Morgan, asks for a report, to be delivered to him daily at 4:15 pm, that answers the following question:

How much could we lose if tomorrow turns out to be a relatively bad day?

Why 4:15? Because if the number was larger than he was comfortable with, there was still time to change it.

Page 24: ERM: Enterprise Risk Management

Why this was a great question

It is short and clear. Everyone can understand it.

It provides an alternative to standard deviation as a risk measure

It defines risk as the potential for loss

It focuses on a specific time horizon

It focuses on the firm as a whole (the “enterprise”) and not on numerous individual trading desks

other reports focused on trading desks (where is our risk?)

Its objective was managing risk, not just measuring it (4:15)

Page 25: ERM: Enterprise Risk Management

What is a “relatively bad day”?

Analogy to weather: how cold could it get on a relatively cold day?

We could answer by specifying a percentile: “95% of the time (days) the temperature stays above zero”

Value at Risk (VaR): “95% of the time our losses will be less than $125 million”

$125 million is therefore the 95% VaR

Page 26: ERM: Enterprise Risk Management

Benefits of VaR

We can track risk over time: has it changed? Why?

We can compare different risks to one another

We can determine a reward to risk ratio for different risks

Value of measuring risk in dollars, as in VaR

Page 27: ERM: Enterprise Risk Management

Other risk measures

Numerous alternatives to VaR have been created

Academics have designed criteria that an ideal risk measure should satisfy

VaR doesn’t meet one of these requirements

But VaR is nonetheless widely used because it is readily understandable and transparent

Page 28: ERM: Enterprise Risk Management

Risk measurement issues

Risk measurement is necessarily imprecise

But so is profit measurement

Risk measures often focus on rare events, about which relevant data is scarce -- by definition!

Example: firms often purchase reinsurance to protect against events expected to occur once in every 100 to 250 years. But we don’t have that many years of relevant data!

Page 29: ERM: Enterprise Risk Management

Risk measurement issues

Not all risks need to be quantified

Financial risks are those whose potential damage can be reduced by having additional capital or reinsurance.

They can typically be quantified.

Non-financial risks pose potential damages that are best addressed by the use of appropriate controls. They are typically difficult to quantify.

Reputational risk

Criminal activity

Page 30: ERM: Enterprise Risk Management


Risk measurement issues

The rarity of events can change

climate change affects extreme hurricanes

legal changes affect Workers Comp or D&O losses

Page 31: ERM: Enterprise Risk Management

Risk measurement issues

ERM is not a contest to identify the largest number of risks

The need is to focus on the most important risks

The most important quantifiable financial risks at many property-casualty firms:

Underwriting risk

Adverse development in loss reserves

Equity (stock market) risk

Reinsurance recoverable default risk

Fixed income default risk

Page 32: ERM: Enterprise Risk Management

Risk measurement issues

Aggregation – combining different risks to obtain overall risk – is complex if risks are interdependent (correlated)

A common example: underwriting risk and reserve risk

Interdependence can increase in times of financial stress

Example: bond defaults and stock returns

Page 33: ERM: Enterprise Risk Management

Effective Risk Measurement

Relevance

• Relationship to financial results reporting

Comprehensiveness

• All types of risks

• All significant aspects of those risks

Responsiveness

• Reflecting changes in levels of risks over reporting period

Practicality

• Schedule comparable to financial results reports

• Reasonable cost to produce

• Ability to project alternatives over planning period

Page 34: ERM: Enterprise Risk Management


3. Choosing ERM Objectives

Page 35: ERM: Enterprise Risk Management

ERM Objectives

[Figure, adapted from Standard & Poor’s. Axes: Objective of ERM (Loss Controlling, Risk Trading, Risk Steering) and Link with strategy (Low, Medium, High). Labels in the figure: Risk control; Balance sheet protection; Risk/return optimization; Value creation; Compliance; Loss minimization; Risk management; Risk measurement; Strategic integration; Value optimization.]

Page 36: ERM: Enterprise Risk Management

ERM Objectives

Loss controlling

limit exposures and therefore losses

ERM adds aggregate approach to risk tolerance

Risk trading

getting paid for risks taken

ERM adds consistent approach to risk margins

Risk steering

strategic choices to improve value

ERM adds risk vs. reward point of view

Page 37: ERM: Enterprise Risk Management

4. Getting started on Enterprise Loss Controlling

Page 38: ERM: Enterprise Risk Management


Key Risks & Controls Process Self Assessment

Five Steps

Risk Identification

Risk Assessment

Risk Control Assessment

Heat Map Development

Risk Plan

Page 39: ERM: Enterprise Risk Management


Risk Identification

Which are your Risks?

A List of Risks Facing Insurers (compiled by Dave Babbel, Wharton School)

CORPORATE LIABILITY SIDE Capital Utilization Pricing Expense Control, Overhead Burden Pricing Adequacy Regulatory Compliance Expense Margin Ethics & Employee Behavior Unrealistic Competition Accountability Policy Lapses Meritocracy Long Tail of Liabilities Quality of Management Inflation Risk Quality of Training Actuarial Quality of Workforce, Service Mortality Management Succession Morbidity Recruitment/Retention Longevity Industry Reputation Subsidized Early Retirement Industry Concentration Disintermediation Company Reputation Secular Trend Teamwork Over Turf Utilization of Covenants Coping With Change Antiselection Technological Breakdown Natural Catastrophe Nontraditional Ventures Moral Hazard Guaranty Fund Assessments Fraudulent Information Tax Law Changes Fraudulent Claims Uninsured Pure Firm Losses Morale Hazard Information Systems Problems Product Development Legal Risk Product Design Financial Disclosure Risk Product Appeal Consumer Misunderstandings

ASSET SIDE Distribution Credit Cost of Distribution Public Bonds Agent Recruitment Private Placements Agent Productivity Mortgages Agent Retention Collateral Risk Policy Churning Counterparty Risk Regulatory Environment Reinsurer Insolvency Compliance Systematic Risks: Interest Rate Risk Loss of Tax Benefits Call Risk - Callable Bonds Health Care Reform Prepayment Risk - MBS & CMO Other Regulatory Changes Duration, Convexity, Drift Financial Reporting Change in Interest Volatility Surplus Strain Yield Curve Shape, Twist GAAP for Mutuals Systematic Risks: Other FAS 115 Equity Market Risk Unsound Reporting Basis Risk Mark-to-Market Risk Inflation Risk Reputation Liquidity Ethics & Compliance Cash Mismatch Quality of Service Disintermediation Corporate Image Run on the "Bank" Market Maturity Extension Uncontrolled Growth Mortgage Refinancing Untested Markets Loss of Equity Value Market Saturation Real Estate Bank Competition Stocks Globalization Subsidiaries Liability Insurance Derivatives Political & Currency Diversification Foreign Exchange Risk of Claims Asset Allocation Profits Repatriation Industry and Geographical Risk Political Risk Unstable Covariances Risk Terrorism

Political & Currency SURPLUS International Investments Capital Adequacy Foreign Exchange Risk Funding Risk Terrorism

[Figure labels: ERM; Credit Risk; Insurance Risk; Market Risk; Liquidity Risk; Group Risk; Operational Risk; Too Broad; Too Narrow.]

Page 40: ERM: Enterprise Risk Management


Risk Assessment

How Significant are your risks?

Subjective Assessment

Consensus view

Frequency / Severity

Rank largest

Page 41: ERM: Enterprise Risk Management


Risk Prioritization

Level 1 – For Board & Top Management

Level 2 – For Middle Management

Level 3 – For Supervisors

Page 42: ERM: Enterprise Risk Management


Risk Prioritization Level 1 Risks

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

Actionable

Top Management Focus

Take to Board

Take to AM Best

Page 43: ERM: Enterprise Risk Management

Risk Control Assessment

For Most Significant Risks

How effective are your existing control processes?

For the best controlled risks, how much risk is left after the control process? Are they still significant?

Subjective Assessment

Not as easy to reach consensus

Page 44: ERM: Enterprise Risk Management

Heat Map Development

Risk Control Self Assessment

[Figure: Risk & Control Heat Map. Axes: Risk Significance (Large, Medium, Small) and control effectiveness (More Effective Control, Less Effective Control). Cell labels: Low Priority, Moderate Priority, High Priority.]

Page 45: ERM: Enterprise Risk Management

Risk Control Plan

Choose High Priority Risks (In the Red) to address this year

Plan will be to:

Prepare detailed documentation of existing control processes

Research and identify best practice control processes

Compare existing to best practice

Choose improvements to make

Implement improvements

Page 46: ERM: Enterprise Risk Management


5. Building a Full ERM Program

Page 47: ERM: Enterprise Risk Management

Key “First Step” Issues

Your audience

Key risks

Aspects of risk

Risk Appetite

Developing best practices

Communicating ERM

Page 48: ERM: Enterprise Risk Management

Your Audience

CEO

Board of Directors

Public disclosures

Analyst calls

Rating agencies

General management

Customers

Vendors, partners, counterparties

Page 49: ERM: Enterprise Risk Management

Know your Audience

For each audience identify:

risk appetite

types of risks

quantum of risk (compared to capacity)

needs and expectations

their perspective of what is inside vs. outside of ERM

to what extent do they expect management to be

Desirability of minimal/maximal satisfaction goals?

what is considered success?

Page 50: ERM: Enterprise Risk Management

Key Risks

Change – not on most lists, but most important

Insurance – the most obvious

Investment – the most recent

Operational – “people” risks

Page 51: ERM: Enterprise Risk Management

Changes

People

Business Environment

M&A

New Activity

Page 52: ERM: Enterprise Risk Management

Managing Risk From Changes

1. How does risk profile change?

Does the change make the firm more risky or less?

What are your options for dealing with that?

What are you going to do?

2. Is your Risk Management still adequate after the change?

Can you manage any new risks?

Do you have the right people, structure, accountability & reporting?

What are you going to do?

3. Are you executing your change process & change risk management plan effectively?

Monitoring, feedback and adjusting the plan.

Page 53: ERM: Enterprise Risk Management

Aspects of Risk

Type A - Short term volatility of cash flows in 1 year

Type B - Short term tail risk of cash flows in 1 year

Type C - Uncertainty risk (also known as parameter risk)

Type D - Inexperience risk relative to full multiple market cycles

Type E - Correlation to a top 10 risk

Type F - Market value volatility in 1 year

Type G - Execution risk regarding difficulty of controlling operational losses

Page 54: ERM: Enterprise Risk Management

Aspects of Risk

Type H - Long term volatility of cash flows over 5 or more years

Type J - Long term tail risk of cash flows over 5 years or more

Type K - Pricing risk (cycle risk)

Type L - Market liquidity risk

Type M - Instability risk regarding the degree that the risk parameters are stable

Page 55: ERM: Enterprise Risk Management

Impact of Multiple Risk Aspects

There is a danger that any aspect of Risk that you ignore will accumulate in your portfolio.

e.g. CDS risk management ignored liquidity risk

Page 56: ERM: Enterprise Risk Management

Risk Appetite

Understanding Risk Capacity (Tolerance) and Risk Appetite (How much of Capacity will be used)

Discussions of:

Peer Comparisons, RBC, Rating Agency Views, Historical Loss Scenarios, Future Loss Scenarios, Economic Capital, Franchise Value, Effective Risk Appetite, Risk Preferences, earnings volatility, ruin

Page 57: ERM: Enterprise Risk Management

Risk Appetite Key Questions:

1. What have been the most successful decisions over the past 5 – 10 years?

2. What adverse experience was avoided due to management/board actions and decisions over the past 5 – 10 years?

3. What is the worst experience over the past 20 years?

4. What is the worst experience that a peer company has had in the past 20 years?

5. What are the most significant risks at the current time?

6. Where does the company expect to be in relation to peers 5 or 10 years in the future?

7. What are the financial measures that are the most important to management and board?

8. Based upon those financial measures, how would management and board define a great year, a good year, a fair year, a poor year, a terrible year and a disastrous year?

9. What are the sorts of business opportunities that company would never consider doing? would like to be doing more of? might do if the returns look to be very good?

10. How would the company see itself performing in a year when experience for the risks taken by the company is at a worst-in-20-year level?

Page 58: ERM: Enterprise Risk Management


Types of Risk Appetite Statements

Ratings Based – Insurer will not take risks that will endanger their rating from AM Best.

Risk Based Capital Based – Insurer will maintain an RBC Ratio of at least xxx%

Event Based – Insurer will maintain capital to support a loss at least as large as experienced from Hurricane Katrina along with an investment loss like 2001.

Probability Based – Insurer will maintain capital so that the probability of a loss exceeding capital is no more than 3 in 10,000 (AA S&P level)

Value Based – Insurer will maintain a level of capital that produces the best franchise value for the firm with the risks taken

Earnings Based – Insurer will not take any risks that could result in the loss of earnings of more than one quarter’s average earnings over the past 5 years.

Capital Based – Insurer will not take risks that will produce a loss of more than 25% of capital at the 1/250 probability level.

Page 59: ERM: Enterprise Risk Management

20 ERM Best Practices

Risk identification

Risk language

Risk Measurement

ERM policies and standards

Risk organization

Risk limits

Risk management culture

Risk learning

Measurement validation

Risk diagnosis

Stress testing

Risk capital

Risk reporting

Risk disclosure

Risk management governance

Risk optimization

Risk-adjusted performance measurement

Risk-adjusted compensation

Action orientation

Change risk

Page 60: ERM: Enterprise Risk Management

ERM Fundamentals

1. Risk Identification: Systematic identification of principal risks

Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

2. Risk Language: Explicit firm-wide words for risk

A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

3. Risk Measurement: What gets measured gets managed

Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

Page 61: ERM: Enterprise Risk Management

ERM Fundamentals

4. Policies and Standards: Clear and comprehensive documentation

Clearly document the firm's policies and standards regarding how risks will be taken and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

5. Risk Organization: Roles & responsibilities

Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

6. Risk Limits: Set, track, enforce

Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

Page 62: ERM: Enterprise Risk Management

ERM Fundamentals

7. Risk Management Culture: ERM & the staff

ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

8. Risk Learning: Commitment to constant improvement

A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Page 63: ERM: Enterprise Risk Management


Self Assessment Exercise

Page 64: ERM: Enterprise Risk Management

Self Assessment Exercise

List of existing good ERM practices – In ERM language

List of practices that may need improvement or development

Page 65: ERM: Enterprise Risk Management


Page 66: ERM: Enterprise Risk Management

Creating an ERM Plan

[Figure labels: Objectives; Needs; Improvement; Resources; ERM Plan.]

Page 67: ERM: Enterprise Risk Management

Communicating ERM

ERM Plan

CEO

Board of Directors

Public Disclosures

Analyst Calls

Rating Agencies

General Management

Customers

Vendors, Partners, Counterparties

Page 68: ERM: Enterprise Risk Management

Communicating ERM Results

Risk dashboard

Reports

Tables, charts, graphs

Stories

Loss diagnostics

Limit breaches

Model improvements

Risk profile

CEO

Board of Directors

Public disclosures

Analyst calls

Rating agencies

General management

Customers

Vendors, partners, counterparties

Page 69: ERM: Enterprise Risk Management


6. Status of ERM Implementation

Page 70: ERM: Enterprise Risk Management

Benefits of Risk Management (James Lam)

1. Market Value Improvement

– Due to decreased volatility

2. Early Warning of Risks

– Risk management replaces Crisis Management

3. Reduction of Losses

4. Rating Agency Capital Relief

5. Risk Transfer Rationalization

– Reinsurance cost/benefit

6. Corporate Insurance Savings

Page 71: ERM: Enterprise Risk Management

Potential Benefits of Effective Risk Management

Potential Benefits (ICA)

Reduction in management time spent “fire-fighting”

Increased likelihood of change initiatives being achieved.

More focus internally on doing the right things properly.

Lower cost of capital.

Better basis for strategy setting.

Competitive advantage.

Fewer sudden shocks and unwelcome surprises.

Better able to take advantage of new business opportunities.

Higher share price

Page 72: ERM: Enterprise Risk Management

Moody’s View of Risk Management

Environment More Risky

More complex products

Higher regulatory scrutiny

Reinsurers leaving markets

Insurers Response

Stress Testing

Risk Management Committee/CRO

Page 73: ERM: Enterprise Risk Management


What is the difference between Risk Management and ERM?

An ERM Program comprehensively applies Risk Management…

across ALL of the significant risks of the Enterprise

Consistently across the risks

Consistently with the fundamental objectives of the enterprise

Standard & Poor's

Page 74: ERM: Enterprise Risk Management


Full Benefits of an ERM Program

Once a firm’s enterprise wide risks are identified and objectives are set, an ERM Program should…

Develop and maintain systems to periodically measure the capital needed to support the retained risks of the company

Reflect the risk capital in:

• strategic decision making,

• product design and pricing,

• strategic and tactical investment selection

• financial performance evaluation

The product of a fully-realized ERM Program is the optimization of enterprise risk adjusted return

Standard & Poor's

Page 75: ERM: Enterprise Risk Management

Benefits of Integrated Risk Management Strategy

Avoid “land mines” and other surprises

Improve Stability & Quality of Earnings

Enhance growth and shareholder return

By more knowledgeably exploiting risk opportunities

Identify specific opportunities such as natural synergies & risk arbitrage

Reassure stakeholders that the business is well managed

Life Office Management Association (USA)

Page 76: ERM: Enterprise Risk Management

Management – Level 1 Planning

Planning Projection

Page 77: ERM: Enterprise Risk Management

Management – Level 2 Scenario Testing

Page 78: ERM: Enterprise Risk Management

Management – Level 3 Scenario Analysis

Planning Projection

Average Scenario

Confidence Interval

Page 79: ERM: Enterprise Risk Management

Management – Level 4 Risk Management

Planning Projection

Average Scenario

Confidence Interval

Page 80: ERM: Enterprise Risk Management

ERM Benefits & Uses

Insurance = Risk Taking

Risk Management = Management for Insurance Companies

Risk Management => systematic risk selection

as more insurance companies adopt risk management they will select the better risks

companies without RM will not know

Page 81: ERM: Enterprise Risk Management

ERM Benefits & Uses

Communicating with Regulators & Rating Agencies

Risk Management can provide language for dialogue with RA

Communicating with Board

Markets become more volatile

as more financial institutions use Risk Management

Page 82: ERM: Enterprise Risk Management
Page 83: ERM: Enterprise Risk Management

Solvency 2 & ERM

Pillar 2

Article 43 requires firms to have an effective risk management system.

Requires firms to consider all risks

Risk management system to be fully integrated into the organisation

Page 84: ERM: Enterprise Risk Management

GFC & ERM

“Progress has been made in strengthening . . . Risk Management”

Leaders' Statement from G20 Summit, 2009

Page 85: ERM: Enterprise Risk Management

© Stanhope by Hufton + Crow

Risk Management & the Board of Directors

Nine Themes For Interaction with Management

Page 86: ERM: Enterprise Risk Management

Risk Management & The Board

1. An advance agreement with management regarding:

• the quantity and quality of risks that the firm is expected to take in the coming year and

• how much variability management expects there to be in what actually happens.

This will naturally lead to a discussion of how far away from plan things can get before another discussion between management and the board is in order.

Page 87: ERM: Enterprise Risk Management

Risk Management & the Board

2. Regular updates in the quantity and quality of risks that are actually being taken by the firm as well as the quantity and quality of risks retained.

One of the major issues that banks have faced in the current crisis is that some of their risk offset programs were not as effective as management had expected and very large gross risk positions that were thought to be transferred or offset did become the responsibility of the bank when the losses started to occur.

Board reporting had focused only on net retained risks which put the board outside the discussions of how much gross risk was acceptable.

Page 88: ERM: Enterprise Risk Management

Risk Management & The Board

3. Information about the changes in the environment that might indicate that certain risks might be increasing.

This information would be in the form of trending of key risk indicators

Page 89: ERM: Enterprise Risk Management

Risk Management & The Board

4. Information about the continuous changes that management is making to the plans in response to the changing environment as they relate to the quantity and quality of risk.

Too often management appropriately changes course and defers mentioning that to the board. The lack of mention of “course corrections” should be seen as a sign of potential trouble by the board.

Management and the board should agree how far things can drift from plan before management is expected to both do something different and mention that to the board.

Page 90: ERM: Enterprise Risk Management

Risk Management & The Board

5. An advance discussion of losses.

Management and the board must recognize that the word “risk” is short for “risk of loss”.

It is uncommon to have these advance discussions.

When firms experience losses, there is often a period of uncertainty during which no one knows whether this loss exceeds the tolerance of the board and how the board might react.

While it does not make sense to expect there to be an exact list of expected reactions, there is much to be gained by having this discussion before a real loss occurs.

Page 91: ERM: Enterprise Risk Management

Risk Management & The Board

6. Appointing members of top management to be individually assigned personal responsibility for each of the major risks and risk/loss aversion practices of the firm, a risk management best practice that is internationally recognized.

A regular update by the top management individuals that have been given these responsibilities, confirming that they have sufficient resources, both in quantity and quality, to achieve the objectives for loss limitation and reporting on the status of projects to improve capabilities.

Page 92: ERM: Enterprise Risk Management

Risk Management & The Board

7. A periodic discussion of the unusual and adverse events that might unpredictably impact on the firm and the ways in which management expects to prepare for such events.

Page 93: ERM: Enterprise Risk Management

Risk Management & The Board

8. When a major corporate strategic initiative comes to the board for notice or approval, discussion of the ways that this action changes the risk of the firm.

The board should know whether a headline action further concentrates the risks of a firm or whether it broadens the risk exposures.

If there are additional concentrations of risks, then it would be important to hear more about the additional diligence to the existing loss aversion actions.

If it is a diversifying risk, then the board should be hearing about the new risk/loss aversion actions that are contemplated.

Too often, management diversifies into a new risk and thinks that loss aversion is unnecessary because of diversification. The term for that type of risk management decision is de_WORSE_ification. For new risks, risk/loss aversion plans are particularly needed because of management’s lower experience with the new risk.

Page 94: ERM: Enterprise Risk Management

Risk Management & The Board

9. When management discusses the major strategies of the firm with the board, discussions should include recognition of the implications of the strategic plans on the firm's risks and the risk/loss aversion plans.

The board should be sure that the plans for growth of the firm reach for faster growth of expected profits than the rate of growth of risks.

Page 95: ERM: Enterprise Risk Management

Thank You

David N Ingram, CERA, FRM, PRM

Willis Re, New York, USA

+1 212 915 8039

Page 96: ERM: Enterprise Risk Management

Page 97: ERM: Enterprise Risk Management

ERM Learnings from the School of Very Hard Knocks

David Ingram, CERA, FRM, PRM

Page 98: ERM: Enterprise Risk Management

Who Got the Knocks?

Knocked Down

HSBC

IKB

NIBC

UBS

Goldman Sachs

JP Morgan

Rating Agencies

Investors

Taxpayers

Knocked Out

Bear Stearns

Countrywide, New Century

SachsenLB

Lehman Brothers

Merrill Lynch

Northern Rock

Wachovia

Freddie Mac

Fannie Mae

AIG

Washington Mutual

Page 99: ERM: Enterprise Risk Management

PRELUDE - Where to Start?

June 2003: Federal Reserve Chair Alan Greenspan lowers the Federal Reserve’s key interest rate to 1%, the lowest in 45 years.

2004-2005: Arizona, California, Florida, Hawaii, and Nevada record housing price increases in excess of 25% per year.

2005: Booming housing market halts abruptly in many parts of the U.S. in late summer.

2006: Prices are flat, home sales fall, resulting in inventory buildup. U.S. Home Construction Index is down over 40% as of mid-August 2006 compared to a year earlier.

May 5: In possibly the first casualty of the looming subprime crisis, Washington based Merit Financial Inc. files for bankruptcy and closes its doors, firing all but 80 of its 410 employees, kept to wind down the business. Chief financial officer, Ryan Kidd, said that Merit’s marketplace had declined about 40% and sales were not bringing in enough revenue to support the overhead of running the company.

2007: Home sales continue to fall. The plunge in existing-home sales is the steepest since 1989. In Q1/2007, S&P/Case-Shiller house price index records first year-over-year decline in nationwide house prices since 1991. The subprime mortgage industry collapses, and a surge of foreclosure activity (twice as bad as 2006) and rising interest rates threaten to depress prices further as problems in the subprime markets spread to the near-prime and prime mortgage markets. The U.S. Treasury secretary calls the bursting housing bubble "the most significant risk to our economy."

Page 100: ERM: Enterprise Risk Management

2007

February 8 – HSBC: Europe's biggest bank, HSBC Holdings, blames soured US subprime loans for its first-ever profit warning in February. On September 21, it announces the closure of its US subprime unit, Decision One Mortgage, and records an impairment charge of about $880 million.

April 2 – New Century: The US subprime lender files for Chapter 11 bankruptcy protection in the biggest collapse of a mortgage lender in this crisis.

July – IKB & SachsenLB: Two banks in Germany, IKB and state bank SachsenLB, suffer exposure by investing in the US subprime market. The German banking industry bails out IKB, but SachsenLB almost goes under and is quickly sold to state-backed Landesbank Baden-Wuerttemberg (LBBW).

August 9 – BNP Paribas: The French bank bars investors from redeeming cash in $2.2 billion worth of funds, telling the markets it is unable to calculate the value of the three funds due to turmoil in the subprime market.

Page 101: ERM: Enterprise Risk Management

2007

August 9 – NIBC: The Dutch merchant bank discloses 137 million Euros ($189 million) of losses on US asset-backed securities in the first half, and shelves plans for an initial public offering indefinitely.

September 13 – Northern Rock: The British mortgage lender experiences a bank run following a credit crunch sparked by the subprime crisis. The Bank of England steps in to rescue it.

September 17: Former Fed Chairman Alan Greenspan said "we had a bubble in housing" and warns of "large double digit declines" in home values "larger than most people expect."

September 18: The Fed lowers interest rates by half a point (0.5%) in an attempt to limit damage to the economy from the housing and credit crises.

October 1 – Credit Suisse: The bank says its results will be "adversely impacted" by the market turmoil, but it will remain profitable in the third quarter of 2007.

October 15 – Citigroup: The largest US bank by market value says third-quarter profit fell 57 percent due to losses, with net income down to $2.38 billion from $5.51 billion a year earlier.

Page 102: ERM: Enterprise Risk Management

2007

October 15–17: A consortium of U.S. banks backed by the U.S. government announced a "super fund" of $100 billion to purchase mortgage-backed securities whose mark-to-market value plummeted in the subprime collapse. Both Fed chairman Ben Bernanke and Treasury Secretary Hank Paulson said "the housing decline is still unfolding and I view it as the most significant risk to our economy. … The longer housing prices remain stagnant or fall, the greater the penalty to our future economic growth."

October 19 – Wachovia: The fourth-largest US bank posts a 10 percent decline in third-quarter profit, to $1.69 billion from $1.88 billion a year earlier, having suffered $1.3 billion of writedowns resulting from credit market turmoil.

October 24 – Merrill Lynch: The financial services giant stuns Wall Street by reporting the biggest quarterly loss in its history after writing down $8.4 billion, mostly from bad investments related to risky subprime mortgages.

October 26 – Countrywide: US mortgage lender Countrywide Financial Corp. posts a $1.2 billion third-quarter loss after writing down $1 billion in subprime-lending losses.

October 29 – Mitsubishi UFJ Financial Group Inc.: Japan's largest bank says it will write down the value of subprime related investments by as much as 30 billion yen ($260 million) – six times more than previously announced.

Page 103: ERM: Enterprise Risk Management

2007

October 30 – UBS: Swiss bank UBS reports a third-quarter pretax loss of 726 million Swiss francs ($624.8 million) after it took a charge of 4.2 billion francs on subprime-related losses in its fixed income investments.

November 1: Federal Reserve injects $41B into the money supply for banks to borrow at a low rate. The largest single expansion by the Fed since $50.35B on September 19, 2001.

November 4 – Citigroup: May write off $8 to $11 billion of subprime mortgage losses, on top of a $6.5 billion write-down in its third quarter.

November 8 – Merrill Lynch: Its exposure to CDOs is now $15.82 billion or about $600 million more than what the company revealed in its third-quarter earnings release on October 24. The figure is larger because a hedge against potential loss was terminated recently after a dispute with a counterparty, which Merrill declined to name.

November 13 – Bank of America: Writes off $3 billion in subprime losses.

November 14 – HSBC: Raised its subprime bad debt provision by $1.4 billion (£670 million) to $3.4 billion.

Page 104: ERM: Enterprise Risk Management

2007

November 15 – Barclays: Subprime write-downs at Barclays’ capital investment bank arm now total £1.3 billion, taking into account a £500 million write-down in the third quarter.

November 15: FASB Statement no. 157 becomes effective for annual statements for fiscal years beginning after Nov. 15, 2007, and for interim reports prepared in that initial fiscal year.

16 November - Goldman Sachs forecasts sub-prime losses for entire financial sector at $400bn (£200bn). Northern Rock's boss resigns. Nationwide warns of no UK house price growth in 2008.

19 November - Northern Rock says bids to buy bank are "below current market value." Swiss Re expects to lose $1bn on insurance a client took out against any fall in the value of its mortgage debt.

20 November - US mortgage guarantor Freddie Mac sets aside $1.2bn to cover bad loans and reports a $2bn loss. The US Federal Reserve cuts its 2008 growth forecast citing credit and housing market woes. UK buy-to-let mortgage lender Paragon sees its shares fall nearly 40% after revealing funding difficulties. Construction of new US homes in October remains sharply lower than a year earlier, figures show.

22 November - UK lender Kensington Mortgages withdraws its entire range of sub-prime mortgages because of market conditions. The Nationwide, the UK's largest building society, benefits from being seen as a haven from troubled banks.

Page 105: ERM: Enterprise Risk Management

2007

December 6: President Bush announced a plan to voluntarily and temporarily freeze the mortgages of a limited number of mortgage debtors holding adjustable rate mortgages (ARM). He also asked Members of Congress to:

1. pass legislation to modernize the FHA.

2. temporarily reform the tax code to help homeowners refinance during this time of housing market stress.

3. pass funding to support mortgage counseling.

4. pass legislation to reform Government Sponsored Enterprises (GSEs) like Freddie Mac and Fannie Mae.

Page 106: ERM: Enterprise Risk Management

2008

March 14, 2008: Bear Stearns gets Fed funding as shares plummet.

March 16, 2008: Bear Stearns gets acquired for $2 a share by JPMorgan Chase in a fire sale avoiding bankruptcy. The deal is backed by the Federal Reserve providing up to $30B to cover possible Bear Stearns losses.

May 6, 2008: UBS AG Swiss bank announced plans to cut 5,500 jobs by the middle of 2009.

Page 107: ERM: Enterprise Risk Management

2008

September 7, 2008: Federal takeover of Fannie Mae and Freddie Mac

September 14, 2008: Merrill Lynch sold to Bank of America amidst fears of a liquidity crisis and Lehman Brothers collapse

September 15, 2008: Lehman Brothers files for bankruptcy protection

September 16, 2008: Moody's and Standard and Poor's downgrade ratings on AIG's credit on concerns over continuing losses to mortgage-backed securities, sending the company into fears of insolvency.

September 17, 2008: The US Federal Reserve loans $85 billion to American International Group (AIG) to avoid bankruptcy.

Page 108: ERM: Enterprise Risk Management

2008

September 19, 2008: Paulson financial rescue plan unveiled after a volatile week in stock and debt markets.

September 25, 2008: Washington Mutual was seized by the Federal Deposit Insurance Corporation, and its banking assets were sold to JPMorgan Chase for $1.9bn.

September 29, 2008: Emergency Economic Stabilization Act defeated 228-205 in the United States House of Representatives.

September 29, 2008: Federal Deposit Insurance Corporation announces that Citigroup Inc. would acquire banking operations of Wachovia.

October 1, 2008: The U.S. Senate passes HR1424, their version of the bailout bill.

Page 109: ERM: Enterprise Risk Management

US GDP

1996: $7.82 trillion

2007: $13.84 trillion

Page 110: ERM: Enterprise Risk Management

Some things to think about

1. Short Term Compensation for long tailed risks

2. It must be ok if everyone else is doing it

3. Gone is not always gone

4. “The market knows”

5. Marginality

6. Leverage

7. Counterparty

8. Observed Volatility models

9. Growth & Risk

10. Inflexible risk model

Page 111: ERM: Enterprise Risk Management

Things to Think About

11. Diversification vs. Correlation

12. Liquidity

13. The end of the cycle

14. Disclosures

15. Greater fool theory

16. Valuation model procyclical

17. Recognition of Uncertainty

18. Risk limit for new risks

19. Law of One Price and replication

20. Underwriting

21. Giving away the pen

22. Excess complexity

Page 112: ERM: Enterprise Risk Management

Think About

23. Compliance Culture

24. Adversarial Risk Management functions

25. Regulation Dismantled

26. Keeping potential losses within the family

27. Empowering the Business units

28. Reliance on third party risk evaluations

29. Risk falls into the cracks

30. Ignoring second order consequences

31. Keeping it Simple

32. Stress Tests were not credible

33. Directors and Management Responsibility

34. Structural inability to participate in workout

Page 113: ERM: Enterprise Risk Management

An Old Question . . .

Do you want to Eat Well

Or Sleep Well