Understanding Today's Enterprise Risk Management Programs
Joel Tietz, TIAA-CREF Managing Director, Enterprise Risk Management
March 23, 2015
TIAA-CREF - PUBLIC USE

Agenda

1) Enterprise Risk Management Programs
   - ERM Frameworks, Taxonomy & Governance
   - Traditional vs. Modern Approach to ORM / ERM
2) ERM Program Elements
   - Risk Appetite
   - Risk Assessment & Mitigation
   - Key Risk Indicators
   - Loss Data
   - Risk Capital Models
3) How BCM Integrates within ERM Programs
   - How the C Suite Considers Risk
   - Prioritizing BCM within an ERM Program
   - BCM Improvements Using Risk Capital Analysis
1) Enterprise Risk Management Frameworks

Commonly Accepted ERM Frameworks Include:
- COSO Enterprise Risk Management Integrated Framework
- ISO 31000 Risk Management Principles and Guidelines on Implementation
- BS 31100 Code of Practice for Risk Management
- FERMA - A Risk Management Standard
- OCEG Red Book 2.0 - GRC Capability Model
- Basel III and Solvency II are regulatory frameworks for ERM

ERM Taxonomy Descriptions

Credit Risk (Fixed Income, Mortgages, Reinsurance)
- Credit VaR reflects the risk that the value of the portfolio changes due to unexpected changes in the credit quality of counterparties
- Considers both default and migration risk for fixed income instruments, mortgages and reinsurance
- Credit STEC of each category (Fixed Income, Mortgage and Reinsurance) is obtained by summing the respective default and migration risks

Life Risk (Cat, Lapses, Mortality, Underwriting, Longevity, Withdrawals)
- Catastrophe VaR is from a pandemic event
- Mortality represents increased mortality
- Longevity represents decreased mortality
- Lapses represents the VaR due to changes in lapse experience

Market Risk (Interest, Spread, Equity, FX, Volatility, Real Estate, Hedge Funds, Private Equity)
- Interest reflects the cost of general account guarantees
- Spread reflects the Value at Risk (VaR) of widening corporate spreads on General & Separate Account assets
- Equity reflects the VaR of lower separate account fees from lower AUM
- F/X risk primarily reflects the VaR that F/X changes will reduce the value of Separate Account fees
- Volatility reflects the VaR of increased implied equity and hedging / Futures / Swaption etc. volatility

Strategic & Reputational Risk
- Strategic risk arises from the pursuit of an unsuccessful business plan, poor business decisions, inadequate resource allocation, or from a failure to respond well to changes in the business environment.
- Reputational risk is the VaR of impacts to the brand, market perception or firm reputation
ERM Taxonomy Descriptions (cont.)

Operational Risk (each Level 1 Operational Risk is listed with its Level 2 Operational Risks and its description)

Business Disruption and System Failures
- Level 2: Business Disruption; Infrastructure and Systems Failures
- Losses resulting from infrastructure or systems failures, internal or external, not initiated for either personal or firm benefit, that create financial impact, usually without significant general property damage or physical injury.

Clients, Products and Business Practices
- Level 2: Fiduciary Breaches; Improper Accounting, Other Regulatory Violations, Regulatory Filings Violations; Improper or Aggressive Practices
- Losses incurred when an internal person obtains an undue benefit for a firm at the expense of a third party (client or customer, competitor, trade counterparty, etc.), and in so doing violates a law of commercial conduct, a regulation, or a contractual covenant or representation.

Damage to Physical Assets
- Level 2: Natural Disaster and Accident
- Losses incurred when a force of nature or a terrorist causes significant property damage or physical injury, and possibly related financial impacts; or when a person by accident causes property damage or physical injury.

Employment Practices Violations and Workplace Safety Failures
- Level 2: Diversity and Discrimination Violations; Employee Relations Violations; Unsafe Environment
- Losses arising from acts inconsistent with laws or agreements governing employment, employee health or safety, or from diversity or discrimination events involving internal employees.

Execution, Delivery and Process Management
- Level 2: Customer and Client Account Errors; Data Management; Transaction Processing Error
- Direct and indirect losses incurred when a person improperly executes an operational process, for no intended benefit (other than to receive a prearranged fee or payment upon completion), usually through failure to apply the required level of care or expertise needed to carry out such duties. May include indirect losses from errors committed by an outside service provider.

Fraud
- Level 2: External Fraud; Internal Fraud
- Losses incurred when a party obtains an undue personal benefit at the expense of the firm (or at the expense of a customer or client whose property or interests the firm is responsible for safeguarding), and in so doing violates a public law governing non-commercial conduct.

Program/Project Failures
- Level 2: Program/Project Management Risks; Project Portfolio Management

ERM Risk Governance (the slide carries a diagram only)
Traditional vs. Modern Approaches to Risk Assessment

Modern ORM is a top-down approach, which focuses first on the major risks within a comprehensive and mutually exclusive risk architecture and drills down only in those risk areas where more granularity is required. [1]

Traditional ORM / ERM Programs vs. Modern ORM / ERM Programs (comparison diagram on the slide)

[1] A New Approach to Managing Operational Risk, Society of US Actuaries & Canadian Institute of Actuaries, 2008

2) Enterprise Risk Management Program Elements

- Appetite: The amount of risk an organization wants to take to further its business goals
- RCSAs: Identification of risks and qualitative self-assessment of risks and controls
- Losses: Quantitative identification of risk events and loss amounts
- KRIs: Quantitative measure of risk drivers against established thresholds
- Models: Quantitative analysis of risks, expressed as capital, within a confidence timeframe

How the elements relate (labels from the slide's diagram):
- Top risks require risk models
- Loss history confirms RCSAs
- KRIs confirm RCSAs
- Risk tolerance is monitored with KRIs
- Allowable risk capital is limited by risk appetite
- Loss data provides model inputs
Risk Appetite

Risk Appetite vs. Risk Tolerance

Risk Appetite
- Risk appetite is the strategy of seeking prudent and agreed-upon risks in order to obtain expected business results.
- High rates of return on capital exposures can be achieved by taking more risks, so appetite will drive management decisions
- Operational risk is different from financial risks in that it is the consequence of failure and always generates a loss. Some firms have no appetite for operational risks

Risk Tolerance
- Risk tolerance is the level of risk beyond which management action will be triggered; it should be actively monitored and managed.
- Firms with no appetite for operational risk will still have a tolerance for these risks

Risk Appetite Influences Consideration of Controls
- Risk appetite influences management decisions when investing in controls or process improvements to reduce risk losses, or when taking the right amount of risk
- When a risk/loss event has been identified and assessed to be beyond management's risk appetite, an appropriate risk treatment will be implemented

BCM Risk Appetite Statements
- Critical business processes and IT operations will be recovered within X hours
  -OR-
- Risks above $XXm in economic capital must be mitigated within two quarters unless accepted or transferred

Risk Assessment & Mitigation

Risk Assessment is typically conducted as a Risk and Controls Self-Assessment (RCSA), with various 2nd and 3rd line review & challenge. The result is a risk register with mitigations for priority risks.

1. Process Identification
   - Gathering and analysis of existing process information
   - Gathering of information needed for the Risk Identification phase
2. Risk Identification
   - Identification of risk events and causal factors by each individual process
   - Finalization and approval of the risk register
3. Inherent Risk Rating
   - Assess impact and likelihood of the risk in the absence of controls
4. Control Strength / Residual Risk
   - Identification of key controls & assessment of the control strength
   - Derive residual risk from inherent risk and control strength
5. Risk Treatment
   - Evaluate the residual risk rating to determine the appropriate approach to manage the risk (Accept, Mitigate, Transfer, and/or Defer)
6. Monitor & Reassess
   - The ongoing management of risk events according to the organization's risk appetite and tolerance
Loss Data Assessment

- Identify the full range of risk events (losses) to learn from mistakes, improve processes, and identify emerging risks
- Develop a better understanding of actual exposure to and costs of enterprise risks to inform risk appetite and Key Risk Indicators
- Supports the quantification of risk appetite, Key Risk Indicator limits, and risk capital scenario models

Loss data lifecycle:
- Identification: Capture initial information on incident description, dates of event and detection, business area, risk taxonomy, causal categories
- Analysis and Costs: Identify & calculate cost impacts from all affected business areas; describe control failures. Includes mitigation and root cause analysis for significant risk events
- Reporting: Business area, Risk Committee and Management reporting. Progress of risk treatments, trend analysis and revisited RCSAs where required
- Data Modeling: Utilize internal loss data within risk capital models. Progress of risk treatments where required

Key Risk Indicator Design and Tolerances

- Focus on risk drivers of top risks to become predictive or leading indicators of risk
- Focus on trends over time
- Management establishes its risk tolerances as KRI levels

KRI levels, in increasing level of risk:
- Below the alert level: Risk is at an acceptable level
- Alert level: Risk receives increased monitoring
- Limit level: De-risking occurs unless a risk exception is obtained

Required actions by KRI tolerance level:
- Limit level: Management will cease any activities that are increasing the risk (if possible) and take immediate steps to bring the risk into tolerance -OR- obtain a risk acceptance and re-obtain it every X months. Management will be informed of the KRI limit level breach as soon as possible. Weekly KRI reporting until the KRI is within its acceptable level.
- Alert level (targeted at a set percentage of the limit level): Initiate weekly KRI reporting to management. Business area managers will pre-identify required actions to bring the risk into tolerance should it continue to degrade.
Key Risk Indicators BCM Examples

ERM Risks and KRIs/KCIs report layout: one row per KRI, with columns for reporting frequency (Qtrly / Mthly), Q1 15 / March, Q2 15 / June, Q3 15 / Sept, Q4 15 / Dec, Trend, LTM # of Risk Events, Residual Risk Level (VH / H / M / L), Issues, MRs, and Commentary. The slide shows the layout without quarterly values.

Operational Risks - Business Disruptions (all reported quarterly):
- % Critical Internal Application out of testing compliance
- % Critical Internal Application with RTO/RTC gaps
- % of IT DR test staff inside region
- # of IT Staff required to recover from Site A to Site B
- % of BC plan with past due gaps
- # of Incident Management Process Critical gaps
- % of critical business functions with Skill Set Distribution Gaps for which Risk has been accepted
- % of critical business functions with Skill Set Distr. Gaps
- % of occupied workspaces across TC internal portfolio
- % of employees info updates in notification system
- % employees participation in BC annual exercise
- % new BC Coordinator Designees (< 6 months)

Legend:
- Target: Target risk level to achieve desired performance
- Inner limit: Growing risk exposure. Need to closely monitor, assess root cause and take remediation action where applicable
- Outer limit: Significant risk exposure. Need to assess root cause and take immediate action to mitigate the underlying risk

Key Risk Indicators provide directional trends to supplement risk assessments. Effective KRIs provide real-time monitoring of the risk profile and drive the proactive management of Operational Risk before risk events occur.

Why do Insurers Require Capital?

- Before Stress: Inflows (Investment income, Premiums) exceed Outflows (Expenses, Claims), leaving a Cash Excess
- After Stress, Without capital: Inflows (Investment income, Premiums) fall short of Outflows (Expenses, Claims), leaving a Cash Shortfall
- After Stress, With capital: Inflows (Investment income, Premiums, RB Capital) cover Outflows (Expenses, Claims), leaving a Cash Excess

Risk-based capital provides a buffer against unexpected events and protects clients
Traditional vs. Modern Approaches to Risk Assessment

Either provides effective results, and the two are frequently combined.

Traditional / Qualitative Approach to Operational Risk Assessment
- An internal controls-based approach
- Covers all processes, associated controls & risks
- Highest impact risks are not typically highly likely
- Difficult to prioritize assessment results

Modern / Quantitative Approach to Operational Risk Assessment
- A risk-based approach
- Focuses on the most critical risks (highest severity)
- Directly prioritized by amount of capital

Operational Risk Capital Modeling - Scenario Approach

- Risk identification: Description of the risk, causes, drivers & impacts
- Risk measurement: Frequency & severity distribution for each risk scenario
- Risk quantification: Monte Carlo simulation of Value at Risk (VaR) over one year for a specific confidence interval (i.e. once every XXX years) to determine the stand-alone risk capital charge; the slide's loss distribution is marked at the Median and the 99.5th percentile
- Aggregation: Risk correlation and aggregation factors to calculate the diversified risk capital charge (risks are not simply added, since they do not all occur at once)
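As an added example, not from the deck: a Monte Carlo implementation in Python of the scenario approach above, from frequency/severity sampling through stand-alone VaR to correlated aggregation. The scenario parameters, the 0.25 correlation factor and the reading of the capital charge as the 99.5th percentile minus the median are assumptions made here, not figures from the deck.

```python
import math
import random

def poisson(lam, rng):
    """Annual event count ~ Poisson(lam) via Knuth's method (fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(freq_lambda, sev_mu, sev_sigma, n_years, rng):
    """One scenario: events/year ~ Poisson, severity per event ~ lognormal.
    Returns every simulated year's total loss (the frequency x severity compound)."""
    totals = []
    for _ in range(n_years):
        n_events = poisson(freq_lambda, rng)
        totals.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n_events)))
    return totals

def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) of the simulated annual losses."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]

def standalone_capital(annual_losses, confidence=0.995):
    """Stand-alone charge read as VaR(confidence) minus the median, matching the
    'Median' and '99.5th' markers on the slide (99.5% over a year = 1-in-200 years)."""
    return percentile(annual_losses, confidence) - percentile(annual_losses, 0.5)

def diversified_capital(charges, corr):
    """Aggregate stand-alone charges c with correlation matrix R: sqrt(c^T R c).
    With correlations below 1 the result is less than the plain sum of charges."""
    total = 0.0
    for i, ci in enumerate(charges):
        for j, cj in enumerate(charges):
            total += corr[i][j] * ci * cj
    return math.sqrt(total)

def run_example(n_years=20_000, seed=7):
    """Two constructed scenarios (illustrative parameters, not the deck's figures)."""
    rng = random.Random(seed)
    # Disruption scenario: rare (0.5/yr) but heavy-tailed, median event ~$1M
    bc = simulate_annual_losses(0.5, math.log(1_000_000), 1.2, n_years, rng)
    # Processing-error scenario: frequent (4/yr), smaller events, median ~$100k
    proc = simulate_annual_losses(4.0, math.log(100_000), 0.9, n_years, rng)
    charges = [standalone_capital(bc), standalone_capital(proc)]
    corr = [[1.0, 0.25], [0.25, 1.0]]  # assumed aggregation factor between them
    return charges, sum(charges), diversified_capital(charges, corr)
```

Because the disruption scenario has fewer than one event in a typical year, its median annual loss is zero and the whole 99.5th percentile becomes capital, which is why such scenarios dominate a capital-driven prioritization.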
3) How BCM Integrates within ERM Programs

How the C Suite Considers Risk:
1. Executive Management and Boards of Directors consider risk from two perspectives:
   - Is this risk within our risk appetite?
   - Will this risk get us on the cover of the Wall Street Journal?
2. They will listen to the priorities of your Chief Risk Officer
   - Does he/she know you, and are you updating them on your program in their terminology?
3. Business Continuity, like all other risks, will need to begin speaking in terms of risk-based capital
   - Boards are challenging business leaders to efficiently use available capital; this is the context in which they consider spending expense dollars and ROI

Prioritizing BCM within an ERM Program

There's good and bad news here:
- With an enterprise risk taxonomy, business disruption risks must be considered along with other risks for a comprehensive view of the risks faced by the business
- Using an objective Risk Assessment methodology, your BC risks may not be among the most significant risks faced by the business

To help your case, consider that unlike most other risks, business disruptions will involve multiple parts of your taxonomy:
- Operational impacts for direct losses and process failures
- Reputational impacts for client service failures
- Regulatory impacts for compliance failures and processing timeliness
- Strategic impacts for loss of sales and market share
BCM Program Improvement using Capital Analysis

Proposal: Spend $1 M for a new program that will reduce the potential (frequency or impacts) from a BC event

Description of the business case: cost/benefit analysis of the risk mitigation actions

Step 1 - Calculation of the Present Value of risk mitigating measures
- $1,000,000 using 5 year accrual with 6% interest
- Present value of risk mitigation actions = $0.8 M

Step 2 - Calculation of the capital charge variation before and after mitigation
- VaR BC risk scenario = $33.7 M (existing model)
- VaR BC risk scenario = $30.0 M (after mitigations)
- Reduction in VaR = $3.7 M (total of VaR risk capital)

Step 3 - Calculation of the present value of reduced capital costs
- CFi/year = 6% x $3.7 M = $0.2 M
- Present value = Σ over 5 years of CFi / (1 + ri)^ti = $0.9 M

The present value of risk mitigation measures at $0.8 M is lower than the present value of reduced capital cost at $0.9 M.

If Risk Based Capital is part of your balance sheet, your CFO will incur this expense for your BC improvement every time!

Questions?

Joel Tietz
Managing Director, Enterprise Risk Management
8500 Andrew Carnegie Boulevard, Charlotte, NC 28262
T 704 988 4665
joel.tietz@tiaa-cref.org
www.tiaa-cref.org
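The three steps above worked through in Python, as an added example that is not part of the deck. It assumes the $1 M spend accrues in five equal annual installments (the slide does not say how the accrual is spread), which reproduces the slide's $0.8 M and $0.9 M, and it goes one step beyond the slide by computing the break-even program spend.

```python
def annuity_pv(cash_flow, rate, years):
    """Present value of a level cash flow paid at the end of each year:
    sum of CF / (1 + r)^t for t = 1..years (the slide's Σ CFi / (1 + ri)^ti)."""
    return sum(cash_flow / (1 + rate) ** t for t in range(1, years + 1))

def mitigation_business_case(spend, var_before, var_after, rate=0.06, years=5):
    """The deck's three steps. Assumption (not stated on the slide): the spend
    accrues in equal annual installments over `years`, so its PV is an annuity."""
    pv_cost = annuity_pv(spend / years, rate, years)            # Step 1
    var_reduction = var_before - var_after                       # Step 2
    annual_capital_saving = rate * var_reduction                 # Step 3: CFi/year
    pv_benefit = annuity_pv(annual_capital_saving, rate, years)  # Step 3: PV
    return {
        "pv_cost": pv_cost,
        "var_reduction": var_reduction,
        "pv_benefit": pv_benefit,
        "worthwhile": pv_benefit > pv_cost,
    }

def break_even_spend(var_before, var_after, rate=0.06, years=5):
    """Largest program spend the capital saving still pays for (beyond the slide):
    (spend / years) * annuity_factor == pv_benefit, which under the equal-accrual
    assumption reduces to rate * var_reduction * years."""
    annuity_factor = annuity_pv(1.0, rate, years)
    pv_benefit = annuity_pv(rate * (var_before - var_after), rate, years)
    return pv_benefit * years / annuity_factor

if __name__ == "__main__":
    case = mitigation_business_case(1_000_000, 33_700_000, 30_000_000)
    print(f"PV of mitigation cost:      ${case['pv_cost'] / 1e6:.2f} M")
    print(f"PV of reduced capital cost: ${case['pv_benefit'] / 1e6:.2f} M")
    print(f"Worthwhile: {case['worthwhile']}; break-even spend "
          f"${break_even_spend(33_700_000, 30_000_000) / 1e6:.2f} M")
```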