Making Sense of ERM Framework: An Integrated Guide
Syed Danish Ali
This report serves as a broader ERM framework structure, which would allow any company (especially an insurance company) to set in place an ERM implementation approach. The ERM framework encapsulates, in a single structured document, the company-wide risk management principles and processes.
Enterprise Risk Management Framework
Page 2
Contents
1. Background and Objective ............ 3
2. ERM Framework ............ 5
3. Risk Identification Process ............ 9
4. Risk Measurement & Management Process ............ 13
5. Risk Governance and Reporting Process ............ 26
6. ERM Framework – Revisited ............ 30
1. BACKGROUND AND OBJECTIVE
1.1.1 This report serves as a broader ERM framework structure, which would allow any company to
set in place an ERM implementation approach. The ERM framework encapsulates, in a single
structured document, the company-wide risk management principles and processes. This report
would serve the following objectives in relation to ERM:
➢ Development of an integrated enterprise-wide risk management framework and policy document for implementation and adherence, in order to instill and encourage risk-oriented decision-making within the organization.
➢ Promoting a risk identification structure by monitoring risk areas with the aid of a risk register and risk matrix. This would assist in performing risk assessments and would act as a central repository for all risks the company is exposed to.
➢ Setting risk tolerance limits and overall risk appetite for the company based on inputs from capital models. This allows the company to measure the appropriate risks, to monitor them and to set in place control measures and actions.
➢ Creating an appropriate risk monitoring structure to ensure risk exposures are within controllable limits. Where these limits are exceeded, appropriate measures and actions could be taken.
➢ Periodically reporting the risk exposures to the appropriate risk authorities to ensure that management and the company are well aware of the risks their business is exposed to, and that appropriate decisions are being taken to mitigate them.
1.1.2 In the future, enterprise risk management would become part of regulatory requirements to
assess the company’s financial strength and stability, either in the form of Solvency II or an
economic capital approach. This framework forms the basic groundwork for such regulatory
endeavours as well. However, this framework may not ideally serve the purpose of future
regulatory requirements.
1.2 Limitations and Restrictions
1.2.1 This framework provides a broad level concept of the implementation of enterprise risk
management principles and global best practices.
1.2.2 This framework supplements the company’s existing enterprise risk management charter, policy
and procedures in effect. The framework provides an enterprise risk management structure to
adopt with the help of existing ERM documents and internal capital model.
1.2.3 ERM Framework has not been developed for regulatory reporting or submission.
1.2.4 The ERM Framework can only be implemented by a company interested in doing so. It cannot be
forcibly implemented by third-party external advisors or consultants, as a risk-oriented thinking
process has to come from within the individuals undertaking decisions and actions.
2. ERM FRAMEWORK
2.1 Framework
2.1.1 This framework provides a comprehensive approach for the company to adopt in order to
identify and manage risks which could be prevented, to effectively achieve its business goals and
strategies.
2.1.2 This framework has been developed to:
➢ allow the company to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce its risk profile, thereby maintaining a safer environment for its stakeholders;
➢ ensure appropriate strategies are in place to mitigate risks and maximize opportunities;
➢ embed the Risk Management process and ensure it is an integral part of the company’s planning process at a strategic and operational level;
➢ help create a risk awareness culture from a strategic, operational, individual and fraud perspective; and
➢ give credibility to the process and engage management’s attention to the treatment, monitoring, reporting and review of identified risks as well as considering new and emerging risks on a continuous basis.
2.2 Enterprise Risk Management Cycle
2.2.1 In a nutshell, the following control cycle best describes ERM framework:
Figure 2-1 Enterprise Risk Management Cycle
2.2.2 By the end of this document the company should be able to answer:
➢ What is the risk appetite and how is it measured?
➢ What are the board’s and senior management’s roles in the ERM framework?
➢ How does your organization encourage good risk-based decision making?
➢ What is your organization’s process for identifying and cataloguing key risks across your organization?
➢ How are emerging risks identified and evaluated?
2.3 Purpose of the ERM Framework
2.3.1 The documents above provide operational structure and guidelines to the company for the
adoption of ERM principles. However, the ERM Framework discussed within this report serves as a
broader-level framework for the holistic ERM implementation in the company.
2.3.2 This document would serve as a central document in defining the ERM Framework whereas
other documents will support ERM implementation program. Implementation of ERM
framework is an iterative and continuous exercise and can only be followed and practiced by the
very people managing the company and those interested in seeing the successful execution of
the underlying concepts.
Figure 2-1 (diagram elements, extracted from the image): the cycle runs through Risk Identification, Risk Measurement, Risk Management and Risk Reporting, and lists the following elements:
• Underwriting and Claim Approval Limits
• Policies and Procedures
• Incorporate results from Capital Model
• Make Risk-based Decision
• Each segment directly responsible for Risk
• ERM Committee
• Development of Solid Risk Culture
• Training
• Assess Qualitative and Quantitative Impact
• Evaluate Macro-Risk
• Increase Data Capturing Capacity
• Assign Responsibilities
• Development of Risk Register
• Emerging Risk Analysis
2.3.3 The figure below provides building blocks necessary for successful ERM implementation; they
are also discussed in detail within this framework.
Figure 2-2 Enterprise Risk Management Building Blocks
2.3.4 Having incorporated this framework, any company can align its business opportunities in a
controlled manner and take on further risks in achieving its mission and core business
objectives. The final program would encompass the whole spectrum of risk, ranging from
high-level company- and industry-wide strategic business risks to individual section operational
risks (including identification of risks at all levels).
2.3.5 The company’s objectives in implementing a risk management program would include the
following (keeping in view that this framework shall be implemented in the medium- to long-
term, in line with the objectives of the company; the short term objective and outcomes would
be limited):
➢ Demonstrating due diligence in planning and day-to-day management and operational activities;
➢ Promoting proactive management with early identification and treatment of risks, rather than reacting passively;
➢ Improving the focus on key strategic goals leading to:
i. a more sound basis for strategic planning as key elements of risk have been identified;
ii. more effective allocation of resources to key services and areas of high risk, improving service delivery;
iii. an improved level of responsibility and accountability;
iv. better informed decisions about opportunities and new initiatives/projects;
v. avoidance of taking unnecessary opportunistic risks; and
vi. acceptance of changing patterns of risk and opportunity in an increasingly competitive environment.
Figure 2-2 (building blocks, extracted from the diagram):
• Risk Management Framework: define risk appetite and measurement techniques; defines the ERM framework including Risk Charter, Risk Policy and Procedures and Risk Governance Structure; reporting of risks.
• Risk Register - Qualitative Assessment: an Excel-based file for identifying and measuring risk; risk controls, limits and communications.
• Capital Model - Quantitative Assessment: an Excel-based internal capital model; risk controls, limits and communications.
• Other Supporting Documents: policies and procedures; business plan and budgeting.
2.4 Structure of the Report
2.4.1 The structure of the framework has been developed in such a way that this report can be
treated as a comprehensive manual of enterprise risk management cycle and its principles in
practice.
2.4.2 Primary phases of the risk management cycle are the remaining sections of this framework; their
purpose is to capture the whole ERM framework structurally and provide ease of use.
Section 3: Risk Identification
Section 4: Risk Measurement and Management
Section 5: Risk Appetite & Tolerance Limits
Section 6: Risk Reporting
Section 7: ERM Framework Cycle – Revisited
3. RISK IDENTIFICATION PROCESS
3.1 Risk Description
3.1.1 A risk description describes the risk associated with any activity which the company undertakes as
part of its business. Significant activities include any major line of business, risk area and risk
category identified from sources such as the company’s organizational chart, strategic business
plan, capital allocations, and internal and external financial reports.
3.1.2 Sound judgment is applied in determining the significance or materiality of any activity in which
the company engages. So as not to exclude critical risks, it is important to undertake a
systematic and comprehensive identification of all risks, including those not directly under the
control of the company.
3.2 Risk Identification
3.2.1 The reasons for the risk assessment being carried out need to be established. In particular:
➢ define the scope and objectives of the assessment
➢ comply with new legislation, project evaluation, etc.
➢ specify the nature of the decisions that have to be made
➢ define the extent of the project activity or function in terms of time and location
➢ identify resources and planning requirements
➢ identify the roles and responsibilities of the various parts of the organization participating in the risk management process
3.2.2 Defining and measuring risks within each area is an on-going task. Identifying new risks in areas
and summarizing these into a quantifiable measure of risks, inherent in that area is a self-
discovery process and cannot be imposed externally. Therefore, this document needs to be
viewed as a starting point for a dynamic process that will evolve as the company grows,
matures, enters into new areas and adopts new business methods.
3.2.3 Approaches used to identify risks include the following:
➢ use risks already identified in the risk registers, strategic plans, operational plans, and other key documents
➢ checklists, surveys, questionnaires
➢ team-based brainstorming, structured interviews, focus groups, personal experiences
➢ facilitated workshops
➢ experience, local and overseas knowledge
➢ records, databases
➢ past organizational experiences
➢ internal and external audits and reports
3.2.4 The company should identify each risk in the organization and prioritize the top risks for
management using three measures, viz., inherent risk, perceived effectiveness of existing risk
mitigation measures and thereby the residual risk.
3.2.5 Ideally residual risk should always be very low and this will be the long term objective of the
company. However this might not be practical to achieve immediately in all areas and therefore
the company may need to tolerate higher levels of risks in some areas until it is able to improve
controls and lower the level of residual risk. In certain areas, however, the company would not
be willing to tolerate this higher level.
3.2.6 It is very important that the company identifies its risks on an on-going basis – a practice that
needs to be implemented within the company. A legal risk which appears to be small during
identification might be disastrous. The company should make its own internal assessment of
risk in this regard.
3.2.7 It is important to reiterate that this exercise would need time to be adopted at the grassroots
level of the company, and consideration should be given to this.
3.3 Risk Register
3.3.1 The risk register is a compilation of all the risks the company is exposed to, from day-to-day
operational activities to the company’s business strategy and objectives. Risk identification will be
carried out across the horizontal and vertical structures of the company in order to fully capture
existing and potential risks in the risk universe.
3.3.2 The company has a risk register in place which categorises more than 400 potential risks into
broader risk categories. The risk register serves as a dashboard of all known and unknown risks the
company is exposed to. It is monitored proactively: current risks are reviewed, and potential
risks are considered and incorporated for monitoring within the register.
3.3.3 The company’s risk management register shall be maintained at two levels: company-wide
strategic risks and individual/department-wise operational risks. Each department will be
responsible for identifying its risk exposures and reporting them to the company-wide risk register
maintained and operated by the relevant risk authority. The company-wide risk register encourages
integration of risk exposures from one area to others, allowing the company to see how each
exposure affects other areas of the business and the company as a whole.
3.3.4 The risk registers shall be maintained as Excel workbooks. However, it would be more suitable to
develop, in time, a database and an online system accessible to all appropriate officers.
3.3.5 The purpose of completing a risk identification exercise is to identify, discuss and document the
risks facing the company. The risk register serves three main purposes:
• It is an information source to report the key risks throughout the company, as well as to stakeholders.
• Management can use the risk register to focus their priorities.
• It helps the auditors to focus on the company’s top risks.
3.3.6 The following risk registers can be maintained:
➢ Non motor underwriting
➢ Life and medical underwriting
➢ Motor underwriting
➢ Re-takaful
➢ Non motor claims
➢ Life and medical claims
➢ Motor claims
➢ Finance
➢ Investments
➢ Human resources
➢ Administration
➢ Information technology
➢ Legal
➢ Shariah
➢ Business development
➢ Broker relations
➢ Marketing
➢ Public relations
➢ Company secretary
3.3.7 With the functional risk registers above, the insurance company can monitor the top 20 risks for
active review and management.
3.3.8 Risk management registers shall be reviewed and updated by risk managers and the risk
management committee on a regular basis throughout the year. In particular, the process will aid
performance reviews and planning procedures.
3.4 Identified Risks Documentation
3.4.1 Key information from risk registers needs to be incorporated into the policy manual to ensure
that it becomes part of the decision-making process for the concerned department. This again is
the responsibility of the company and the respective departments.
3.4.2 Documentation of the risk management process should be carried out at each stage for the
following reasons:
• It gives integrity to the process and is an important part of good corporate governance;
• It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;
• It provides a record of decisions made which can be used and reviewed in the future;
• It provides a record of risks which can continuously be developed.
4. RISK MEASUREMENT & MANAGEMENT PROCESS
4.1 Risk Analysis and Evaluation
4.1.1 Risk analysis helps in making informed decisions with respect to which risk response to adopt
and what method to use. Companies assess risks as the combination of the consequence of
occurrence (severity) and the likelihood of occurrence (frequency). Risk evaluation involves
comparing the level of risk found during the analysis process with the risk criteria
established.
4.1.2 There are many tools and techniques available for analysing risks and the following sources of
information may be referred to:
• Past records;
• Practice and relevant experience;
• Market research;
• Experiments and prototypes;
• Economic and system models;
• Specialist and expert judgment;
• Focus groups;
• Structured interviews, questionnaires.
4.1.3 We would recommend evaluating risks at two levels:
• inherent risk rating, i.e. before management controls have been considered, and
• residual risk rating, i.e. the gross risk rating combined with an assessment of management controls.
4.1.4 The management should assess risks on the basis of the likelihood of the risk occurring and the
impact of its occurrence as follows:
Risk = Likelihood x Impact
4.1.5 Likelihood represents the possibility that an event will occur; impact represents its effect on the
company. In the process of risk assessment, the company should consider its “risk appetite,”
broadly defined as the amount of risk that an entity is willing to accept in pursuing its objectives.
The higher the risk, the higher the priority of addressing it, in order to stay within the risk
appetite of the company.
4.1.6 While conducting a risk assessment is typically considered a “one time activity,” in the context of
enterprise risk management it is actually continuous and on-going; it is part of the daily
responsibility of managers and employees throughout the company.
4.2 Qualitative Risk Measurement and Management
Inherent Risk Rating Before Management Control
4.2.1 Inherent risk is intrinsic to every business activity and arises from exposure and uncertainty from
potential events. Inherent risks are evaluated by considering the probability of occurrence and
the potential size of an adverse impact on the company’s capital and earnings. Inherent risk
involves considering the likelihood and impact of the risk in the absence of any management
control interventions.
4.2.2 This level of assessment provides a perspective of the consequences of the risk to the company
in the absence of controls to prevent an event from happening. Inherent risk is categorized as:
• Very high: Unacceptable level of risk. Take urgent action to further mitigate the risk to an acceptable level
• High: Identify and evaluate additional steps to mitigate the risk to an acceptable level
• Moderate: Consider actions that may improve the tradeoff between risk (with its associated reward) and cost
• Low: Keep risk and control under review
• Very low: No action required
Likelihood
4.2.3 The probability or likelihood of an event is categorized as:
• Highly probable: The risk is already occurring, or is likely to occur more than once within the specific duration, subject to management decisions.
• Likely: The risk could easily occur, and is likely to occur at least once within the specific duration, subject to management decisions.
• Possible: There is an above average chance that the risk will occur at least once within the specific duration, subject to management decisions.
• Unlikely: The risk occurs infrequently and is unlikely to occur.
• Rare: The risk is conceivable but is only likely to occur in extreme circumstances.
Impact
4.2.4 The impact of each event is categorized as:
• Critical: Negative outcomes or missed opportunities that are of critical importance to the achievement of objectives
• Major: Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives
• Material: Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives
• Minor: Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives.
• Insignificant: Negative outcomes or missed opportunities that are likely to have a relatively negligible impact on the ability to meet objectives
4.2.5 The inherent risk rating is read off the probability and severity (impact) of the risk from the table below:
Figure 4-1 Inherent Risk Levels Exposure Chart

| Probability \ Impact | Insignificant | Minor | Material | Major | Critical |
|---|---|---|---|---|---|
| Highly Probable | Medium | High | High | Very High | Very High |
| Likely | Low | Medium | High | High | High |
| Possible | Low | Low | Medium | Medium | Medium |
| Unlikely | Very Low | Low | Low | Low | Low |
| Rare | Very Low | Very Low | Very Low | Very Low | Very Low |
Perceived Controls Effectiveness
4.2.6 After identifying the impact and likelihood of each risk it is ERMC’s responsibility to check
whether controlling that particular risk is possible for the company. This will be done by
identifying the personnel/officers/staff involved in the activity/operation related to that risk
area.
4.2.7 After applying the current controls of management, effectiveness will be assessed as:
• Very Good: Risk exposure is effectively controlled and managed.
• Good: Majority of risk exposure is effectively controlled and managed.
• Satisfactory: The controls are at satisfactory level, there is some room for improvement.
• Weak: Some of the risk exposure appears to be controlled, but there are major deficiencies.
• Unsatisfactory: Control measures are ineffective and need urgent attention.
Residual Risk Rating after Management Control
Residual Risk Exposure & Risk Rating
4.2.8 Residual risk is the level of risk remaining after the mitigating influences of the existing control
interventions are considered. Normally, management would introduce sufficient controls to
reduce the risk to within a pre-determined level, as per the risk appetite of the Company. The
residual risk is a critical indicator of whether the existing controls are effective in reducing the
risk to an acceptable level.
• Very High: Unacceptable level of residual risk – Implies that the controls are either fundamentally inadequate (poor design) or ineffective (poor implementation). Controls require substantial redesigning, or there needs to be greater emphasis on proper implementation.
• High: Slightly better than Very High.
• Medium: Unacceptable level of residual risk – Implies that the controls are either inadequate (poor design) or ineffective (poor implementation).Controls require some redesigning, or there needs to be more emphasis on proper implementation.
• Low: Mostly acceptable level of residual risk – Requires minimal control improvements.
• Very Low: Slightly better than Low.
4.2.9 The table below shows how Residual Risk Rating of the company can be calculated from the
inherent risk of the business and its perceived control effectiveness:
Figure 4-2 Residual Risks Exposure Levels

| Residual Risk Exposure: Probability \ Perceived Control Effectiveness | Insignificant | Minor | Material | Major | Critical |
|---|---|---|---|---|---|
| Highly Probable | Medium | High | High | Very High | Very High |
| Likely | Low | Medium | High | High | High |
| Possible | Low | Low | Medium | Medium | Medium |
| Unlikely | Very Low | Low | Low | Low | Low |
| Rare | Very Low | Very Low | Very Low | Very Low | Very Low |
Varying Risk Directions
4.2.10 It is important to determine the change in probability of the risk, over time. We have to
ascertain whether the likelihood of the risk is changing till the next risk assessment. The risk
direction can be characterized into the following:
• Increasing: The Risk will increase at the next assessment period. The management actions should be stronger for increasing risk over time.
• Constant: The Risk will remain constant till the next assessment period.
• Decreasing: The Risk will decrease at the next assessment period.
4.3 Treatment and Management of Risks
Determination of Risk Tolerance Level
4.3.1 Companies can determine risk tolerance based on three common values in measuring the risk level:
solvency, ratings, and earnings’ volatility. The risk tolerance level depends primarily upon
stakeholders, which include its shareholders, regulators, customers, distributors, management,
employees, and/or the business community. Investor concerns could be stated in terms of earnings
or stock price, while regulator concerns could be stated in terms of regulatory minimum capital
requirements.
4.3.2 There is no one-size-fits-all preference that should drive a company’s risk tolerances at all times.
What is crucial is that the company should know how it will interpret its priorities among its
constituencies in a dynamic framework.
4.3.3 For quantitative risk modules, the company has set in place internal capital models which assist
in determining the risk exposures and in setting quantitative risk tolerance limits. The risk
appetite can then be represented by a number which can be subsequently used to develop a risk
tolerance limit for that situation—most often one that is at an extremely unlikely level such as
99.5% or 99.9%.
4.3.4 For the company, risk preferences can articulate its attitude toward various aspects of risk. We
understand that the company has clear preferences towards efficient risk management process
and that the management would not be wasting time considering risks that it would never agree
to accept.
4.3.5 Aspects of risk that can be addressed through Risk Preferences include:
• Uncertainty: the degree to which loss distribution aspects such as Volatility and Ruin are thought to be known.
• Complexity (also called model risk): many insurance contracts transactions have extremely complex structures that could pay off in varying amounts under a wide range of possible situations.
• Location: company’s concern for micro concentration of their risks as well as macro concentrations of any type of risk like in one legal jurisdiction etc.
• Experience: the degree of experience of the company and expertise of the management to deal with the risk is a key aspect.
• Type: the company will have low or zero tolerance for some risk types or more commonly for specific subcategories of risk types.
• Tradability: Risk's tradability can be a major determinant of risk tolerance. For long term contract, tradability is a proxy for ability to exit a position.
• Time Frame: the time frame needs to be considered as transactions can be short, medium or long term and each category has particular characteristics which have to be satisfied for optimum risk management.
• Consistency: some risks will stay in a reliable frequency/severity pattern for a long time. Others will change characteristics periodically. Risks can be mistakenly evaluated while patterns transition from one type of frequency/severity to another.
4.3.6 Qualitative risk limits can be set via delegation of responsibilities, setting limits on acceptable
exposures on inherent and residual risks, creation of policy manuals and documented structure
within the company.
Management Controls & Actions to improve
4.3.7 Event identification and assessment involves a cross-section of management. Key steps to
achieving event identification & assessment objectives include examining each business
objective with relevant managers to determine interdependencies and interrelationships.
Management needs to understand how events interrelate, because they do not occur in
isolation. By assessing interrelationships, a determination of where risk management efforts are
best directed can be made and actions can be taken to improve the position within the
appropriate time.
4.3.8 Simply put, event identification is a process of systematically recognizing potential events that
affect the achievement of business objectives. An event is an incident or occurrence resulting
from internal or external sources that affects the implementation of a strategy or achievement
of objectives.
4.3.9 When identifying and assessing risks, it is also important to bear in mind that “risk” also has an
opportunity component. This means there must also be deliberate effort expended in
identifying potential opportunities that could be exploited to improve institutional performance.
It is management’s role to assess and develop controls that may reduce the likelihood of
occurrence of a potential risk, the impact of such a risk, or both, within the required and
appropriate time. Management then needs to assess control effectiveness based on its
understanding of the control environment currently in place. The risk register will therefore inform
management of the actual level of control effectiveness.
Set Risk Priorities
4.3.10 The company’s management will identify and categorize the risk of each risk grouping and risk
area outlined above. There are two levels of risk assessment, namely:
• Company-wide Strategic Risks: These will be monitored and reported to the RMC and Audit Committee on a biyearly basis by the assigned Accountable and Responsible officers.
• Management and Operational Risks: These will be closely monitored and reported to Senior Management twice per year, and progress against action plans will be signed off by the Accountable Officer.
Treat and Manage the Risks
4.3.11 It is important that, where risks have been assessed as extreme or high, an action plan is put
in place to manage and mitigate the risks. It is unlikely that risks will ever be entirely
eliminated, but by demonstrating that actions are being implemented, the risks may be reduced
to a more acceptable level.
4.3.12 There are a number of options available for treating risks. These should be considered on the
basis of a cost/benefit analysis:
• Avoid the Risk: This can be done by deciding not to start or continue with a particular activity that gives rise to the risk. However, the business objectives must always be kept in mind and inappropriate risk aversion may increase other risk areas.
• Reduce the Likelihood and Impact: This may be achieved by introducing more preventive and corrective measures by having policies and procedures.
• Accept the Risk: Where risks are identified as unavoidable or no suitable treatment plans are available, the company should accept the risk.
• Transfer the Risk: This involves other parties bearing or sharing the risk either partially or in full. This may be through reinsurance arrangements, contracts, partnerships and/or joint ventures.
4.3.13 Selecting the most appropriate risk treatment option should be made by considering the
following issues:
• The cost of managing risks must be balanced against the benefits obtained;
• The extent of risk reduction gained;
• The extent to which there is an ethical or legal duty to implement a risk treatment option which may override any cost/benefit analysis;
• How sensitive is the risk to company’s image and reputation and its perception by stakeholders and external parties? This may warrant implementing costly actions.
Prepare and implement treatment plans
4.3.14 The risk management treatment plan includes the following:
• Risk identified;
• Proposed actions;
• Cost/benefit analysis (where appropriate);
• Cross reference to the operational plan;
• Accountable and Responsible Officers;
• Timescales.
4.3.15 For the treatment plans to be successfully implemented, there is a requirement for an on-going
review and reporting of the progress against the actions stated.
4.4 Qualitative Risk Tolerance and Controls
4.4.1 The company uses the qualitative risk indicators described above, sets up risk tolerance limits
for the inherent and residual risks it is exposed to, and places its focus on the top 20 high risks in
order to control them as an active part of risk monitoring and management.
4.4.2 Each risk identified and listed in risk registers has been classified with respect to these three
measures, viz., inherent risk, perceived effectiveness of existing risk mitigation measures and
thereby the residual risk. This section seeks to define the residual risk classification that the
company is willing to tolerate as inherent risks have been assumed to be managed efficiently
and effectively. Inherent risk management has already been discussed above.
4.4.3 Residual risk is based on a matrix which maps inherent risk against control effectiveness. This is
set out in the Risk Management Framework document but is being reproduced below for ease
of reference.
Table 4-1 Residual Risk Exposures
(rows: Probability; columns: Perceived Control Effectiveness; cells: Residual Risk Exposure)
Probability | Very Good | Good     | Satisfactory | Weak      | Unsatisfactory
Very High   | Medium    | High     | High         | Very High | Very High
High        | Low       | Medium   | High         | High      | High
Moderate    | Low       | Low      | Medium       | Medium    | Medium
Low         | Very Low  | Low      | Low          | Low       | Low
Very Low    | Very Low  | Very Low | Very Low     | Very Low  | Very Low
4.4.4 Ideally residual risk should always be very low and this will be the long term objective of the
company. The management recognizes, however, that this is not practical to achieve
immediately in all areas and therefore the company may need to tolerate higher levels of risks in
some areas until it is able to improve controls and lower the level of residual risk. In certain
areas, however, the company would not be willing to tolerate this higher level.
4.4.5 The table below sets out a sample, for each risk area (this being defined as a group of functions
for which a Risk Register was prepared), of the overall objective of the function and the
default tolerance level for the residual risk:
Table 4-2 Qualitative Risk Evaluation - Hypothetical Example
Area (functions) | Objective of Risk Management System | Level of Residual Risk
Planning/Pricing (Planning; Product Design and Pricing) | To ensure that the company’s plans are realistic and that products are designed and priced from a competitive position in line with the company’s plans. | Low
Brand Image/Awareness (Marketing) | To ensure that the company’s brand image as a takaful operator (as opposed to an Islamic Bank) is projected and that the market is aware that the company offers Shariah compliant takaful products. | Low
Sales (Retail Sales; Corporate Sales) | To ensure that actual sales for each line of business meet targets and are made on terms within the company’s underwriting and pricing policies. | Low
Underwriting, Operations and Claims (Non-Life Underwriting; Motor Claims; Health Insurance; Life Insurance) | To ensure that risks are only accepted in line with the company’s underwriting policy and risk acceptance guidelines; that adequate risk mitigation, especially with respect to reinsurance arrangements with reputable and financially sound reinsurers, is in place; and that claims are paid only when due. To ensure a high level of customer service so as to build the company’s reputation as an efficient and fair takaful operator. | Low
Financial Position (Balance Sheet; Investment; Financial Accounts) | To ensure that the financial position of the company as set out in its financial statements (balance sheet) reflects assets at values at which these can be realized and makes adequate provision for liabilities, especially liabilities under takaful contracts. | Very Low
Compliance/Regulatory | To ensure that the company is fully compliant with regulatory provisions prevalent in the United Arab Emirates relating to takaful operations in particular and corporations in general. | Very Low
Reputation | To ensure that the company’s position as a fully Shariah compliant financial institution and as a fair and equitable takaful operator is maintained at all times. | Very Low
Corporate Governance; Internal Audit | To ensure that the powers and responsibilities of various levels of management (from the Board of Directors downwards) are clearly defined and that management policies are implemented in letter and spirit. | Very Low
Financial/HR Management (Fixed Asset Management; Cash Mgmt; Procurement to Pay Cycle; Human Resource Mgmt) | To ensure that the company’s financial management with respect to fixed assets, cash and purchases and payables is carried out efficiently and correctly. To ensure that the company’s management of HR functions is carried out diligently and efficiently so as to foster a sense of security and trust amongst its employees. | Low
Country of Business | To ensure that the company only carries out business in countries after it is fully able to professionally underwrite risks in that country and only in full compliance with the country’s regulations. | Very Low
Outsourcing | To ensure that functions are only outsourced to reputable and capable organizations and that standards maintained are comparable to those maintained internally within the company. | Low
Information Technology | To ensure that IT general controls ensure full security, minimum down time and a high level of compliance with the functional needs of user departments. | Low
4.4.6 Once the risks have been quantified, aggregate risk limits should be set by the management and
allocated to different lines of business and risk categories. This is done via allocating specified
risks to their respective departments.
4.4.7 The company should evaluate each risk as proportion of undiversified total risk exposure and
plan to set a maximum exposure to each risk at 99.5% level of confidence. This would allow the
company to make risk-oriented decisions.
4.4.8 As the company shall designate individuals to be responsible for undertaking risk-related
decisions it should limit responsibilities delegated in terms of risk limits to each risk owner. For
instance, permission should be granted to risk owners to manage and mitigate risks arising from
their line of business. Beyond the limit, risks should be communicated to senior management
and recommended steps should be taken. Where risks are substantial, such as market risk in the
current case, the board should be apprised of such risk, and rectifying measures should be set in
place to manage that risk.
4.4.9 To introduce risk-oriented decision making into the company’s culture, the decision makers
should weigh their prospective decisions in light of changing risk exposures.
4.4.10 The greater the capital risk exposures, the greater the sensitivity of risk capital. Responsible risk
champion and risk owners must understand the impact of changing risk exposures as in the case
above.
4.5 Emerging Risk Management
4.5.1 The risk control process focuses on everyday risk management, including the management of
identifiable risks or risks that have a certain predictability. Emerging risk management concerns
risks that have not yet materialized or are not yet clearly defined; they usually appear slowly.
4.5.2 For managing emerging risks, having some sort of early warning system in place, with risks
methodically identified through either internal or external sources, is very important.
4.5.3 For assessing the relevance (i.e. potential losses) of the emerging risks the degree of
concentration and correlation of the risks in an insurer's portfolio are two important parameters
to be considered.
4.5.4 Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation
or transfer, either through reinsurance (or retrocession) in case of insurance risks, through the
financial markets for financial risks, or through general limit reduction or hedging.
4.5.5 Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities,
credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.
4.5.6 For each of the risks identified in the risk register, the company should start risk planning as if
there were a breach in the current control process, since each one is a potential emerging risk.
4.5.7 For the existing risk in place, a change in the level of frequency and severity might affect the
total outcome which needs to be monitored. Frequent updates and peer review will help the
management in anticipating emerging risks.
4.5.8 Out-of-the-box risk comprises risks that are not identified in the risk register but might eventually
materialize. The company should hold frequent brainstorming sessions to identify these types
of risks. Any material risk identified needs to go through a defined control process.
5. RISK GOVERNANCE AND REPORTING PROCESS
5.1 Risk Governance Structure
5.1.1 The following hierarchical chart depicts the risk reporting structure of the company, which has been
derived from the company’s risk governance charter, risk policy and procedures.
Figure 5-1 Risk Reporting Hierarchy
5.2 Responsibility of Board of Directors
5.2.1 The ultimate responsibility for risk management lies with the board of directors (BOD) of the
company. Therefore the board will be responsible for:
• Understanding the risks associated with the company’s activities
• Approval of Risk Beyond the limits of Senior Management
• Approval of the risk management policies in writing – in particular Risk Limits for Underwriting and Claim Processing
• Evaluating top risks identified and action plans to mitigate that risk
5.2.2 The BOD will be assisted by Board Audit and Risk Committee (BARC) which will overview the
responsibilities of Executive Risk Management Committee (ERMC), appointed from the
company’s management, and will periodically apprise BOD about the developments of
enterprise risk management. BARC will also ensure committee members are qualified and have
enough experience and understanding to do this on an ongoing basis.
[Figure 5-1 Risk Reporting Hierarchy, top to bottom: B.O.D; Board Audit & Risk Committee; Executive Risk Management Committee; Internal Control / Risk Management Department; Head of Functions / Risk Champions; Risk Owners]
5.3 Role of Board Audit & Risk Committee
5.3.1 We understand that the board of the company has an established Board Audit & Risk
Committee. This committee should be responsible for providing independent counsel, advice
and direction with regards to risk management.
5.3.2 BARC will seek input from internal auditors, external auditors and actuaries including others in
carrying out its responsibilities. The committee should have an understanding of the risk
management policy, risk management strategy and risk management implementation plan
followed in the company and oversight responsibilities relating to risk management. This
understanding helps them to add value to the risk management process when giving
recommendations on the basis of audit.
5.4 Role of Executive Risk Management Committee
5.4.1 The Executive Risk Management Committee (ERMC) will ultimately be responsible for:
➢ Assisting the board in defining company’s risk profile and appetite, and setting risk tolerance limits (long term objective);
➢ Reviewing performance of the company and recommending revised risk management policies to the board for approval in light of new developments;
➢ Monitoring current functional risk indicators and following up on outstanding matters;
➢ Ensuring that Senior Management is effectively involved;
➢ Reporting to the audit committee as mandated.
5.5 Role of Risk Manager and Risk Management Department
5.5.1 The company has in place a risk manager for the development and maintenance of the overall risk
management infrastructure. This risk manager is responsible for:
➢ Serving as a secretary to the risk management committee;
➢ Facilitating other departments to ensure that risk management policies are reflected in procedures and computer systems adopted and implemented;
➢ Being the custodian of risk management registers; and
➢ Acting as a conscience for the risk owners.
5.6 Role of Risk Champions
5.6.1 Risk registers are maintained by the respective divisional heads, who can be referred to as risk
champions since they face the risk themselves. They are assisted by subordinates who manage the
risks at a granular level and develop continuous risk monitoring within their usual activities.
5.6.2 Risk champions will jointly be responsible for ensuring that suitable risk management policies
and procedures are formulated and implemented, and that each member:
➢ Clearly understands the company’s risk management policies and procedures;
➢ Ensures that activities of the company are conducted within the framework of approved policies and systems; and
➢ Apprises the ERMC and Risk Manager of any material breaches of risk management practices, along with recommendations for a rectification response and the most suitable preventive measures for the future.
5.6.3 Departmental heads, the risk champions, shall be responsible for:
➢ Identifying risks which the company faces with respect to their functional areas in achieving its core business objectives;
➢ Determining quantitative exposures relating to company’s ability to accept risks within defined limits of overall risk tolerance framework such as underwriting permissions, investment limits, etc.;
➢ Devising a suitable risk response;
➢ Developing and reviewing risk management policies, based on all of the above.
5.7 Risk Reporting and Documentation
Risk Reporting
5.7.1 We suggest the progress of the management action plans be reported to the BARC at least
quarterly and as needed. It should become an integral part of the annual performance review
against objectives.
5.7.2 Under the quarterly reporting, the BOD and BARC are apprised of all the enterprise risk
management activities of the ERMC, risk management department, Risk Manager, and the Risk
Champion.
5.7.3 The ERMC should submit a report to the BOD and BARC on an annual basis covering:
• The risk profile of the organization
• The changes in that risk profile since the last year
• The performance of risk management framework
5.7.4 The BOD should be apprised by the Risk Manager and ERMC of the high-level risk register containing
strategic and consolidated risks from each division. The risk report should be prepared based on:
• What the most significant risks are and why;
• How these are controlled;
• Any particular reporting gaps and how these are proposed to be filled.
Documentation
5.7.5 Documentation of the risk management process should be carried out at each stage for the
following reasons:
• It gives integrity to the process and is an important part of good corporate governance;
• It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;
• It provides a record of decisions made which can be used and reviewed in the future;
• It provides a record of risks which can be continuously developed.
6. ERM FRAMEWORK – REVISITED
6.1 Benefits of ERM
6.1.1 The sole purpose of implementing ERM Framework within the company’s operations and
management is to link each and every action to the long-term strategic objectives from risk
perspective. This shall lead to risk-controlled management of the business and allows the
company to sail towards its objectives successfully and cater for any upcoming risks.
6.1.2 Enterprise risk management enables management to operate more effectively in a business
environment filled with fluctuating risks. Enterprise risk management provides enhanced
capability to:
• Align risk appetite: Risk appetite is the degree of risk, on a board level, that a business is willing to accept in pursuit of its objectives. Management considers the business’s risk appetite first in evaluating strategic alternatives, then in setting boundaries for downside risk.
• Minimize operational surprises and losses: Businesses have an enhanced capability to identify potential risk events, assess risks and establish responses, thereby reducing the occurrence of unpleasant surprises.
• Enhance risk response decisions: ERM provides the rigor to identify and select among alternative risk responses – risk removal, reduction, transfer or acceptance.
• Resources: A clear understanding of the risks facing a business can enhance the effective direction and use of management time and the business’s resources to manage risk.
• Identify and manage cross-enterprise risks: Every business faces a myriad of risks affecting different parts of the organization. The benefits of ERM are only optimized when an enterprise-wide approach is adopted, integrating the disparate approaches to risk management within the company. Integration has to be effected in three ways: centralized risk reporting, the integration of risk transfer strategies and the integration of risk management into the processes of a business. Rather than being purely a defensive mechanism, it can be used as a tool to maximize opportunities.
• Link growth, risk and return: Businesses accept risk as part of wealth creation and preservation and they expect return commensurate with risk. ERM provides an enhanced ability to identify and assess risk and establish acceptable levels of risk relative to potential growth and achievement of objectives.
• Rationalize capital: More robust information on risk exposure allows management to more effectively assess overall capital needs and improve capital allocation.
• Seize opportunities: The very process of identifying risks can stimulate thinking and generate opportunities as well as threats. Responses need to be developed to seize these opportunities in the same way that responses are required to address identified threats to a business.
6.1.3 ERM adoption leads to improved business performance, increased organisational integration &
effectiveness and better risk reporting.
6.2 ERM Framework Summary
6.2.1 ERM Framework is summarised in the figure below.
Figure 6-1 ERM Framework Summary
I. Corporate Governance (board oversight)
II. Internal Control (sound system of internal control)
III. Implementation (appointment of external support)
IV. Risk Management Process (incremental phases of an iterative process): Analysis - Risk Identification - Risk Assessment - Risk Evaluation - Risk Planning - Risk Management
V. Sources of Risk (internal to the business and emanating from the environment): Internal Processes - Business Operating Environment
6.2.2 This is summarised in five elements:
I. Corporate governance is required to ensure that the board of directors and
management have established the appropriate organisational processes and corporate
controls to measure and manage risk across the business.
II. The creation and maintenance of a sound system of internal control is required to
safeguard shareholders’ investment and the business’s assets.
III. A specific resource must be identified to implement the internal controls, with sufficient
knowledge and experience to derive the maximum benefit from the process.
IV. A clear risk management process is required which sets out the individual processes,
their inputs, outputs, constraints and enablers.
V. The value of risk management process is reduced without a clear understanding of the
sources of risk and how they should be responded to. The framework breaks the source
of risks down into two key elements labelled internal processes and the business
operating environment.