Improving risk-return and resilience through Enterprise Risk Management — Jul...
DRIDeckFinalMar3
1. Risk and Business Continuity Management: A Growing Partnership Opportunity
Chris Mandel, RF, ARM-E, CCSA
SVP, Strategic Solutions
Sedgwick, Inc.
2. Today’s Agenda
• Risk Management Explained
• Risk Management Priorities
• Key Risk Stakeholders
• Risk & Resilience
• A Strategic Risk Perspective
– Managing Along the Loss Curve
• The Risk Management and Business Continuity Opportunity
• Key Takeaways
3. A Fuzzy Paradigm of Uncertainty
WHILE THE RISKS LESS UNDERSTOOD ARE DIFFICULT TO ADDRESS,
THEY ARE OFTEN SO SUBSTANTIAL IN IMPACT, THEY CAN’T BE IGNORED
“There are known knowns. These are things
that we know that we know. There are known
unknowns. That is to say, there are things we
know we don’t know, but there are also
unknown unknowns. These are things we
don’t know we don’t know.”
Donald Rumsfeld, U.S. Secretary of Defense (2002)
4. Defining Risk & Risk Management
Traditional
Risk: Possibility of loss or injury (e.g., perils or hazards).
Risk Management: The process of analyzing exposure to risk and determining how best to handle such exposure.
RIMS
Risk: Uncertain future outcome(s) that can either improve or worsen one’s position.
Risk Management: Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
5. COSO
Risk: Events with a negative impact represent risks, which can prevent value creation or erode existing value.
Risk Management: A process, effected by an entity’s board of directors, management and other personnel, applied to strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
ISO 31000
Risk: Effect of uncertainty on objectives.
Risk Management: Coordinated activities to direct and control an organization with regard to risk.
6. Evolution in Approach
Traditional/Defensive
• Silo, ad hoc approach
• Focus on transferring risks
• Protect balance sheet through
– Insurance
– Hedging
– Indemnifications
• Hazard based
• Pure risk – only loss, no gain
• Not linked to corporate strategy
Integrated/Advanced
• Business risk approach
• Mitigate controllable risks
– Prevent
– Reduce frequency
– Reduce severity
• Focus on lowering insurance costs and retained losses
• Collaborative cross-silo interactions
• Linked to corporate strategy through event risks and financial objectives
ERM
• Portfolio approach
• Risk-based business decisions across the organization
• Address potentially devastating threats and weaknesses
• Exploit opportunities and strengths
• Manage unwanted variations from expected outcomes
• Integrated into strategic planning, operational planning, and day-to-day activities
Copyright Sedgwick CMS. All Rights Reserved
7. A Strong Migration Toward Strategic Influence
[Figure: value plotted against time, rising through Financial, Operations, Management and Strategy stages as the approach moves from Defensive to Advanced to Enterprise Risk Management.]
Defensive Risk Management
• Focus: Hazard and Casualty Risks
• Scope: Risk Transfer/Insurance/Loss Prevention or Mitigation of Insurable Risks
Advanced Risk Management
• Focus: Individual Business Risks
• Scope: Mitigation of Controllable Risks/Manage Risk as an Expense
Enterprise Risk Management
• Focus: All Significant Risks
• Scope: Support Business Objectives/Consistent, Systematic Risk Management Practices/Risk as a Differentiator
8. Risk Types: A Starting Point for a Framework
Strategic
• Acquisitions
• Business Model
• Competition
• Demographic Changes
• Disruptive innovation
• Market
• Etc.
Operational
• Customer service
• Infrastructure
• Processes
• System capabilities
• Talent
• Etc.
Financial
• Capital
• Cash flow
• Credit
• Debt obligations
• Foreign exchange
• Liquidity
• Etc.
External
• Economy
• Environment
• Geopolitical
• Regulatory
• Tax policies
• Weather events
• Etc.
9. Business Insurance’s Top 10 Risks of 2014
• Product recalls - This was especially true in the automotive sector as industry heavyweights
• Cyber risk - Cyber risk rose rapidly. According to a study by PricewaterhouseCoopers L.L.P., the number of global cyber security incidents in 2014 increased 48% over 2013. The Target breach alone was last estimated at $1B+ in losses.
• Ebola fear - The Ebola outbreak that hit several West African nations
• Aviation disasters - High-profile mishaps and attacks also affected the aviation and space sector.
10. More of the 2014 Top 10
• Catastrophe losses - 2014 was notable for a relative lack of losses due to hurricanes and convective storms in North America; Napa Valley quake losses ranged from $250 million to $1 billion.
• Competition - Abundant capacity throughout much of the commercial insurance sector in 2014
• Acquisitions - Market conditions prompted strategic recalculations as mergers and acquisitions continued to reshape the insurance landscape.
Most “emerging” risks are not truly emerging
11. Top “Emerging” Risks for 2015
• Political: Oil Volatility
• Cyber: Risk of the Cloud
• Aviation: Drones
• Terrorism: Islamic Extremism
• FIs: Technology Partners
• ERM: Outsourcing
• Analytics: Balance Sheet Overconfidence
• Environment: Extreme Weather
• D&O: Certification Requirements
• Executive Risk: Derivatives
• Asset Mgmt: Demand for Transparency
• Real Estate: Cyber Risk of Tenant Data
• Benefits: The Changing Face of Human Capital
• Brazil: Corruption
• Personal Risk: Device Ubiquity
• Global: A Risk is a Risk
12. Top 5 “Uninsurable” Risks: Nuances and Complexities
• Regulation
• Reputation
• Trade Secrets
• Political Risk
• Pandemic Risk
Source: Risk and Insurance magazine, 9/1/14
Falling oil prices, political violence and separatist movements will influence the 2015 global risk landscape.
13. What is an Emerging Risk?
• Those issues that have not manifested themselves sufficiently to be managed using the tools commonly applied to more developed exposures. They are “those risks an organization has not yet recognized or those which are known to exist, but are not well understood.” – RIMS, “Emerging Risks and ERM”; Swiss Re
• A condition, situation or trend that could significantly impact the Company’s financial strength, competitive position or reputation within the next 5 years. Emerging risks involve a high degree of uncertainty: it is unclear where an emerging risk will land on the loss curve. – anonymous actuary
14. Other Definitions
• Lloyd’s: An issue that is perceived to be potentially significant but which may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting.
• PwC: Those large-scale events or circumstances beyond one’s direct capacity to control, that impact in ways difficult to imagine today.
• S&P: Risks that do not currently exist.
What about black or grey swans?
17. Healthcare
• Aging workforce
• Rising medical costs
– Pharmaceuticals
• Affordable Care Act (ACA) aka ObamaCare
• Wellness programs
– Discounted health care costs/employee contribution
• Changing employee demographics
– Ethnic
– Age/Sex/Skills
– Priorities
– Cultural shift
18. Workforce issues: Talent attraction and retention
• Baby boomers retiring
– 10,000 baby boomers a day have been turning 65 since 1/1/11 and will continue until 2030
– Smaller future workforce
• Future workforce will be very technology savvy
• Future workforce will be more demanding
– Telecommuting
– Flexible hours, etc.
• Work/life integration vs. balance
• M&A Integration
19. Risk Management and BCP Cause and Effect
Risk Management:
• Identifies and Assesses Risk
• Measurement: Impact and Likelihood
• Recommends and Implements Mitigation Strategies
• Monitoring and Reporting
20. Risk Management Process (ISO 31000:2009)
Framework for managing risk (Clause 4)
Process for managing risk (Clause 5):
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4)
– Risk identification (5.4.2)
– Risk analysis (5.4.3)
– Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)
21. In Search of a Champion
Key Common Focus of Risk & BCP: SIGNIFICANT EVENTS & RESILIENCE
• Board of Directors – Governance; Risk Oversight
• Chief Executive Officer – Manage Risk Profile; Increase Value
• Chief Financial Officer – Protect Against Earnings Volatility; Competitive Advantage; Rating Agencies
• Chief Risk Officer – Ensure all Risks are Managed
• Treasurer – Reduce Cost of Capital; Increase Cash Flow
• General Counsel – Compliance / Contracts & Litigation
22. Standards in BCP
• FFIEC – Gold standard
• BS 25999 – British standard, first to be “auditable”
• ASIS 2010
• NFPA 1600 – First U.S. National Preparedness Standard
• HIPAA – seven specific items
• NIST – Technology focus
• CSA Z1600 (Canada)
• ISO/TS 16949 – 6.3.2 in the quality standard
• SEC/NASD standards (NASD 3500)
• DRI best practices
• SPRING (Singapore)
• HB 221 – Australia/NZ
• Many more…
23. Standards in Risk Management
[Figure: a map of standards by type (Tools, Guidelines, Requirements, Terminology, Framework), by domain (Risk, Quality, Technology, Environmental, Safety), all resting on the ISO 31000 Principles.]
Standards shown: ISO Guide 73, ISO/IEC 31010, HB 436, AS/NZS 4360, CSA Q850, SAQ ONR 49001, AFNOR FD X50-252, ISO 9001, ISO 10005, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 15408, NFPA 75, NFPA 101, ANSI/ASHRAE 62, ISO 14001, ISO 14050, OHSAS 18001, ISO 31000 Principles.
24. Most Widely Used Risk Frameworks
ISO 31000:2009
• Risk Management – Principles and Guidelines
COSO:2004
• Enterprise Risk Management – Integrated Framework
OCEG “Red Book” 2.0:2009
• GRC Capability Model™
27. Risk Management Stakeholders
Stakeholder – Key Focus – Targeted Outcome (all feeding the Enterprise Risk Management Process)
• Enterprise Risk Management – Risk Process Effectiveness – Identification and Management of Significant Risks
• BCP – Resilience – Recovery & Normalcy
• Internal Audit – Control Testing – Effective Controls
• Compliance – Compliance Risks – Regulatory Compliance
• Controller – Financial Reporting – SOX 404 Compliance
• Business Units – Business Performance – Controlling Risks to as well as Meeting Objectives
Combined outcome: Unified Strategy
31. Two Key Perspectives on Risk
Proactive
• Objectives Focused
• Predictive Indicators
• Foresight
• Strategic
• Creates and captures value
Reactive
• Event Focused
• Post Action Response
• After-thought
• Transactional
• Protects Value
DRIVING CONSISTENCY BETWEEN DISCIPLINES IS ONE KEY
32. Strategic View in Risk
[Diagram: five components feeding an Integrated Enterprise Risk Profile, with the information each exchanges with it.]
• Strategic Planning – risks to objectives; risks arising from plans to meet objectives
• Risk Appetite Framework – risk appetite and tolerance statements for key risk categories; confirmation of risk appetite and tolerance
• Emerging and Dynamic Risks – identification, assessment and ownership effectiveness of risks
• Control Framework – evidence of control environment/effectiveness; actions to close gaps
• Scenario and Stress Testing – calculation of investment and resource needs
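The measurement step on slide 19 (impact and likelihood), the risk appetite and tolerance statements and scenario/stress testing on this slide, and the deck’s references to “the loss curve” all meet in one quantitative technique: a loss exceedance curve built by Monte Carlo simulation of a small scenario set, checked against a stated tolerance. The following is an added example, not material from the deck or from Sedgwick; the three scenarios, their frequencies and severity distributions, and the tolerance threshold are constructed assumptions chosen only to show the method.

```python
"""Loss exceedance curve for a small risk register (added illustration).

Each scenario is modelled as a Poisson event frequency per year with a
lognormal loss per event. Annual loss = sum over scenarios of the losses
of all events that year. The exceedance curve answers "how likely is an
annual loss of at least X?", which is what a risk tolerance statement
("no more than a 5% chance of losing more than $5M in a year") constrains.
All figures below are constructed assumptions, not data from the deck.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float   # expected events per year (Poisson rate), assumed
    severity_median: float    # median loss per event in USD, assumed
    severity_sigma: float     # lognormal sigma (spread in log space), assumed


# Constructed scenarios: hypothetical values, not from any real register.
SCENARIOS = [
    Scenario("ransomware outage", 0.3, 400_000.0, 1.0),
    Scenario("customer data breach", 0.1, 2_000_000.0, 0.8),
    Scenario("key supplier failure", 0.5, 150_000.0, 0.6),
]


def analytic_expected_annual_loss(scenarios):
    """Closed-form expected annual loss: sum(frequency * mean severity).
    For a lognormal with median m and sigma s, the mean is m * exp(s^2 / 2)."""
    return sum(s.annual_frequency * s.severity_median * math.exp(s.severity_sigma ** 2 / 2)
               for s in scenarios)


def sample_poisson(rng, rate):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, trials=20000, seed=1):
    """Monte Carlo: one simulated year per trial, returning total loss per year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(sample_poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.severity_median), s.severity_sigma)
        losses.append(total)
    return losses


def exceedance_probability(losses, threshold):
    """P(annual loss >= threshold): the y-value of the loss exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """(threshold, exceedance probability) pairs; non-increasing in threshold."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def breaches_tolerance(losses, tolerance_loss, max_probability):
    """Tolerance check: does P(loss >= tolerance_loss) exceed the stated maximum?
    A True result is the trigger for treatment (mitigate, transfer, or accept
    with explicit sign-off) rather than a number to file away."""
    return exceedance_probability(losses, tolerance_loss) > max_probability


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"analytic EAL : {analytic_expected_annual_loss(SCENARIOS):,.0f}")
    print(f"simulated EAL: {sum(losses) / len(losses):,.0f}")
    for t, p in loss_exceedance_curve(losses, [100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"P(loss >= {t:>9,}) = {p:.3f}")
    # Hypothetical tolerance statement: at most 5% chance of losing $5M+ in a year.
    print("tolerance breached:", breaches_tolerance(losses, 5_000_000, 0.05))
```

Reading the output the way a risk committee would: the expected annual loss is what a budget line captures, but the exceedance probabilities are what a tolerance statement actually governs, and the two can point in different directions when a single low-frequency, high-severity scenario dominates the tail. Comparing the simulated mean against the closed-form value is a cheap sanity check that the sampler and the parameters agree before anyone argues about the tail.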
37. Risk Issues Critical to Strategic Success
• Identifying emerging risks to the plan
• Rating emerging risks on:
– Relevance
– Importance
– Uncertainty
• Ensuring key risks are addressed/treated
• Ensuring an ability to respond for rapid recovery
• Monitoring the impact of, and reporting on, emerging risks and plan impacts
38. RIMS Risk Maturity Model
Root Cause Discipline
Degree of discipline applied to measuring root cause by: 1) determining sources, 2) understanding impacts, 3) identifying trends, and 4) measuring effectiveness of controls.
Risk Appetite Management
Degree of accountability for 1) defining acceptable boundaries, 2) calculating and articulating risk tolerance, 3) developing a risk portfolio, 4) considering scenarios, and 5) attacking gaps between perceived and actual risks.
ERM Process Management
Degree that a repeatable and scalable risk management process is integrated into business and
resource/support units, using a sequential series of steps that support uncertainty reduction and
promote opportunity exploitation.
Adopt ERM Approach
Denotes the degree of executive support for an ERM-based approach within the corporate culture.
Activities cut across all processes, functions, business lines, roles and geographies.
39. RIMS Risk Maturity Model (continued)
Business Resiliency and Sustainability
Extent to which an organization integrates business resiliency and sustainability aspects for its operational planning into its ERM process.
Performance Management
Degree to which organizations are able to execute on vision and strategy in tandem with risk management activities.
Uncovering Risks
Degree of quality and coverage (penetration) throughout the organization for uncovering uncertainties related to organizational goals achievement.
40. Risk & BC Pyramid
Working Collaboratively Between Risk and BC will support a Culture of Risk Awareness and Resilience
[Figure: pyramid, apex to base]
• $ (value)
• Planning
• Robust Communications
• Collaborative Knowledge
• Shared Accountability for a Resilient Enterprise
• Standard-based Risk & BC Framework & Process
41. Takeaways
• Resilience is an emerging priority for risk managers
• Risk and BC have many common interests, including:
– Understanding the unknown or poorly understood threats to businesses
– Leveraging scenario analysis to drive consensus among stakeholders about relevant scenarios
– Leveraging stakeholders and resources to embed a resilience strategy into the culture
• Developing and leveraging emerging risk processes to get ahead of black and grey swans
• Building competitive advantage and ensuring efficiencies through the optimization of risk and BC
43. Contact Information
Chris Mandel, RF, CPCU, ARM
SVP, Strategic Solutions
Sedgwick, Inc.
Chris.Mandel@sedgwick.com
www.sedgwickcms.com
210-845-5804
44. Christopher E. Mandel, CPCU, ARM
SVP, Strategic Solutions, Sedgwick, Inc.
Christopher E. Mandel is the SVP for Strategic Solutions at Sedgwick, Inc. He is engaged in helping Sedgwick chart its
future through the long term planning for products, services and strategic solutions for this claims and productivity
management firm. He is also co-founder and EVP, Professional Services for rPM3 Solutions, LLC, as well as
founder and president of Excellence in Risk Management, LLC, both independent consulting firms specializing in
governance, risk and compliance, with a special emphasis on enterprise risk management. rPM3 Solutions holds a
patent for a unique risk measurement process known as ARQ™. Prior to electing early retirement and for ten
years from 2001-2010, Mr. Mandel was head of enterprise risk management for USAA Group, a $165 billion
diversified financial services organization. At USAA, he designed, developed and led the enterprise-wide risk
management and corporate insurance centers of excellence. He also served as President and Vice Chairman,
Enterprise Indemnity CIC, Inc., an Arizona based alternative risk financing facility.
Mr. Mandel has more than 25 years of experience in risk management and insurance in large, global corporates. He
has pioneered the development of cross-enterprise risk management capabilities resulting in S&P rating USAA as
“excellent and a leader in ERM” from 2006 through 2010. In 2007, Treasury and Risk Magazine bestowed the
Alexander Hamilton Award for “Excellence in ERM” on USAA. Mr. Mandel has been a long term senior leader in
the Risk and Insurance Management Society including being elected President and Chief Risk Officer and was
named Risk Manager of the Year in 2004.
Mr. Mandel’s deep, wide and diverse experience in all facets of risk management and insurance allows him to offer
those interested in managing risk with excellence to engage him to provide everything from a comprehensive
strategy and complete ERM framework to targeted guidance, tools, techniques and/or training. Mr. Mandel’s
innovative approach to making risk a key strategically placed and results oriented function results from solidly
connecting risk management outputs to a company’s key performance metrics and ultimately, mission
accomplishment.
Mr. Mandel received his B.S. in Business Management from Virginia Polytechnic Institute and State University and an
MBA in finance from George Mason University. He holds the CCSA, CPCU, ARM and AIC designations and is a
frequent industry speaker, teacher and writer. He writes the “Risk Innovation” column for Risk and Insurance
magazine and in 2008 was elected a member of Risk Who’s Who (RWW). He also wrote the Ask a Risk Manager
column for Business Insurance from 1996 through 2008.
CONTACT: Chris.Mandel@sedgwick.com 210-698-8056 o 210-845-5804 m
https://www.sedgwick.com
47. Characteristics of Emerging Risks
Uncertainty
• Low frequency / high impact
• Potential to grow rapidly
Consensus
• Lack of recognition internally and externally
• Drivers, impacts, probability not clear
Relevance
• Uncertainty over effect on objectives
• Perception of being too futuristic to matter
Communicate
• Perception as “unlikely”
• Little perceived bearing on existing circumstances
Ownership
• No one champion / accountable individual
• Potential consequences impact multiple resources and objectives
Issues
• Embedded in existing practices
• Complexity not clearly understood
48. Risk Management and BCP Cause & Effect
BCP – Building Resilience
What are the implications of failing to mitigate or prevent losses?
Preparation: structure, planning, resources, testing
Execution: relocation, operating under duress