Enterprise Risk Management Update Executive Summary December 2010

Transcription

1 Enterprise Risk Management Update Executive Summary December 2010 Risk is integral in the pursuit of improvement. Risk, in general, is seldom avoidable and cannot always be mitigated. Accordingly, risk is an inherent element of management and managing risk is an inseparable component of corporate governance. A formal risk management program at Citizens has been developed and implementation is currently under way. The risk management program has support from the Board of Governors and Citizens President and provides reports to Citizens Audit Committee and other stakeholders. Senior management recognizes the importance of the risk management program and certain aspects of the program have been coordinated with the Office of Internal Audit. The Enterprise Risk Management ( ERM ) Unit has hired staff, obtained risk management software, begun training, and drafted a risk management program. Documenting and memorializing the Company s risk management structure and plans is important to clearly communicate the Corporation s commitment and approach to ERM. The majority of efforts since the last update have focused on the development of the specific elements and components of the risk management program at Citizens. Staff has reviewed various risk management program structures at many different organizations. The proposed specific risk management program is reflected in the following governing documents: To the Board of Governors and Audit Committee: ERM Framework Risk Profile Statement with accompanying Exhibits To the Audit Committee: ERM Strategic Implementation Plan ERM Tactical Implementation Plan ERM Frequently-Asked Questions (FAQs) The successful implementation of the risk management program at Citizens requires four essential elements: 1. Endorsement and commitment of executive leadership; 2. Involvement of front-line personnel; 3. Education and training; and 4. Responsibility and accountability. Page 1 of 5

2 The remainder of this summary provides the Audit Committee, Board of Governors, and other stakeholders an overview of the documents governing the company s risk management activities and the significant elements thereof. Staff is currently procuring the approval of these documents in accordance with the respective roles and responsibilities outlined in the ERM Framework, including ratification by the Audit Committee and Board of Governors, as deemed appropriate. Enterprise Risk Management Framework Provides an overview of the structure designed to support ongoing risk management efforts and activities and describes significant roles and responsibilities in risk management processes. Adoption of ERM Framework (AS/NZS 4360) and process components thereof this selection was presented, discussed and made at the Audit Committee meeting on December 10, Describes roles and responsibilities of various bodies involved in the risk management process Business Units (Risk Owners), ERM Business Unit (Risk Administration), Senior Management Team (Tactical Implementation), Executive Leadership Team (Risk Strategy and Strategic Implementation), Board of Governors (Approve overall Risk Management Strategies), Office of Internal Auditor (Independent Verification and Validation). Staff requests ratification of the ERM Framework by the Audit Committee and Board of Governors. Risk Profile Statement and accompanying Exhibits Provides the context for active risk management and is the epicenter of risk management activities it expresses what types of, and how much, risk the Company is willing to take in pursuit of its objectives. The goal of the Risk Profile Statement is twofold: to convey the Company s Risk Profile, Appetite and Tolerance levels and to provide the foundation for a risk-limit/control structure consistent with the Company s initiatives and goals outlined in the Strategic Plan. Risk Profile Progress seldom comes without risk. An organization s risk profile establishes broad parameters in executing its business strategy typically expressed in terms of product lines or classes of business in which it participates. Also included in an organization s risk profile is the market space in which it does not participate. Citizens Risk Profile: Citizens provides insurance protection to individuals and businesses on property located in the state of Florida and superior customer service. Citizens does not engage in overly aggressive strategies (e.g. highlyspeculative investment regimens) or participate in capricious or arbitrary business ventures. Page 2 of 5

3 Risk Appetite An organization s risk appetite is the overall level of uncertainty it is willing to accept in pursuit of its goals and objectives, considering the corresponding reward associated with the risks. An organization with a high risk appetite accepts more uncertainty for potential higher reward. Likewise, an organization with a low risk appetite seeks less uncertainty for which it accepts a lower return. Citizens Risk Appetite: Citizens vision is to be an important insurance safety net for Floridians. Therefore, Citizens seeks a relatively minor level of overall uncertainty from potential risk-events. Accordingly, Citizens Risk Appetite is low to moderate and it typically accepts an overall lower return from potential risk-events. Risk Tolerance An organization s risk tolerance is the more specific measures of willingness to accept risk in executing its business strategy. Risk can either be avoided, accepted as is, accepted with treatment, or transferred to a third-party. Acceptable risk, as determined in accordance with the Risk Profile Statement, is usually expressed in quantitative terms (or scores) of frequency and severity. Risk Scores are assigned both before (inherent risk) and after (residual risk) treatment Residual Risk Scores consider treatment currently in place and can help identify opportunities for further mitigation/treatment. The major Risk Dimensions for Citizens are Financial, Reputational, Compliance, Operational, and Workplace Safety & Environment. See Page 3 of the Risk Profile Statement for overall Maximum Residual Impact Ratings for each Risk Dimension as well as a company-wide Maximum Residual Impact Rating. In addition, see Risk Profile Statement Exhibits 1 and 2 for specific measures for Risk Tolerance (Audit Committee). Each potential Risk-Event s Risk Score (inherent and residual) is plotted using the Risk Tolerance Heatmap on Page 5 of the Risk Profile Statement. Citizens preference for low to moderate overall risk corresponds to an overall maximum Residual Risk Score (i.e. after the application of all control mitigation/treatment) of 9 or less on the Risk Tolerance Heatmap. However, certain business units and functional or operational areas or groups may operate at and accept a higher risk-level to achieve potential associated benefits, provided appropriate management approval is obtained (see next bullet). Risk exposures must be appropriately assigned and efficiently managed and controlled to prevent or limit damage to the Company. The larger the Risk Score the greater the exposure to the potential Risk-Event and the higher up on the management chain the risk should be managed and appropriate mitigation measures determined. Risk-Events with Inherent Risk Scores within the green area of the heatmap are assigned an overall low level of risk exposure and should be managed by and within the Business Unit that owns the risk. Risk-Events with Inherent Risk Scores within the yellow area of the heatmap are assigned an overall moderate level of risk exposure and should be managed by the Director of the Page 3 of 5

4 respective Business Unit that owns the risk. Risk-Events with Inherent Risk Scores within the red area of the heatmap are assigned an overall high level of risk exposure and should be managed by the member of Executive Management with primary and direct responsibility for the respective Business Unit that owns the risk. If at any point, the Risk Score, Inherent or Residual, of a Risk-Event changes, either as a result of a change in the Impact Rating or the Likelihood Rating, consideration should be given to 1) moving the risk up or down the management chain based on the Risk-Event s Risk Level (i.e. low, moderate, or high), and 2) the appropriateness of mitigation/treatment measures. Various reporting mechanisms ensure appropriate monitoring by executive leadership of the Company s risk position in relation to the risk profile as described in the Risk Profile Statement. These reports include heatmaps, riskmaps, Risk Response Plans, and a Risk Dashboard. These reports will be prepared or assembled and reviewed and distributed by the ERM Business Unit. Staff requests ratification of the Risk Profile Statement by the Audit Committee and Board of Governors. Important Note the use of quantitative techniques is only a risk management tool. Professional judgment should be exercised at all times to validate the output of quantitative tools. The techniques and tools used to manage risk will evolve as the Company s risk management efforts and programs mature. Enterprise Risk Management Strategic Implementation Plan Describes the broad and overarching long-term plan for implementing a company-wide intelligent risk management function. Four essential elements required for successful implementation of the ERM program Steps required to embed the risk framework into Company operations Important Note The ERM Business Unit will assist and collaborate with each Business Unit in developing and/or modifying a Risk Response Plan. Each Business Unit will conduct selfassessments on an annual basis initially, and eventually on a semi-annual basis once the Company s risk management activities mature. The ERM Business Unit will complete an overall annual assessment of all risk management efforts company-wide. Enterprise Risk Management Tactical Implementation Plan Describes the intended procedures necessary to carry out the Strategic Plan. Phase I (Estimated completion April 2011) Introduction and Preliminary Education Initial Self-Assessment Phase II (Estimated completion December 2011) Page 4 of 5

5 Detailed Self-Assessment Phase III (Ongoing) Business Continuity Team to be included as needed and appropriate Consider Risk Opportunities to help the Corporation meet its goals and objectives Enterprise Risk Management Frequently-Asked Questions presents potential questions and answers that may be posed during the implementation of risk management programs and activities. ***** Two proof of concepts are nearing completion on the accounts payable function in accounting and on the records management function in the ERM Business Unit. These proofs will help authenticate the risk management approach, some of the tools and techniques and their implementation. The Tactical Implementation Plan provides specific steps and a timeline for initially integrating the risk management framework into company operations. The ERM Business Unit will fulfill the risk assessment role in the planning and implementation of significant projects, programs and initiatives and advising project sponsors accordingly. The ERM Business Unit has completed such an assessment on the CORE project, with the assistance of an outside vendor, and is currently performing a risk assessment on the inspection program. The ERM Business Unit will assist and collaborate with each Business Unit in developing a Risk Response Plan and will continuously monitor, evaluate and advise Business Units as the Company s risk management program matures. The benefits and rewards of implementing ERM could be significant, providing executive leadership, the Board of Governors and other stakeholders the ability to construe the Company s risk position into action at operational levels. In addition, the risk management program allows executive leadership to delineate their vision to other stakeholders and demonstrate how this vision is guiding the Company s daily operations and activities. Page 5 of 5