ERM Flashcards — Part 1 FINAL

Foundations of ERM

JJ
Aug 25, 2017

Final versions: [Pt.1] [Pt.2] [Pt.3] [Pt.4] [Pt.5] [Pt.6]

  • [01] Risk management process (3): 1. identify risks faced by organisation; 2. assess likelihood and impact of risks; 3. decide how to respond to each risk and take appropriate action
  • [01] Elements of an ERM holistic approach (5): 1. apply risk management consistently across whole enterprise; 2. led by Board, coordinated through a central risk management function led by CRO; 3. incorporated into the day-to-day operations of all personnel; 4. recognize that risks interact (concentration/diversification); 5. recognize that risks are dynamic (ongoing concern)
  • [01] Elements of ERM value creation (2): 1. integrate risk management and measurement into business processes and strategic decision making; 2. consider both upside and downside risks
  • [02] Key arguments for risk management (5): 1. can benefit society (reduce contagion); 2. part of the job of management; 3. reduce earnings volatility; 4. maximize shareholder value; 5. enhance job security and rewards
  • [02] Benefits of reduced earnings volatility (4): 1. increase market value; 2. improve credit rating; 3. reduce cost variability; 4. reduce capital requirements
  • [02] Pressures leading to ERM adoption (5): 1. previous management failures; 2. near miss within own organization; 3. high profile disaster in similar organization; 4. demands from regulatory body or auditor; 5. concerns from other stakeholders
  • [02] Benefits of ERM over traditional RM (3): 1. better risk reporting, transparency, understanding; 2. improved organizational effectiveness; 3. improved business performance
  • [02] Benefits of risk transparency (3): Better alignment of business strategy with risk appetite and a more accurate assessment of the risk/return trade-offs if management can better understand: 1. risk exposure; 2. links between risk and return; 3. impact of changing external factors
  • [02] Ways ERM improves business performance (6): 1. more efficient allocation of capital; 2. minimize losses and unpleasant surprises; 3. better pricing, managing and/or transferring of risks; 4. optimize risk mitigation strategies (allow for natural hedges between business units); 5. react more quickly; 6. derive value from risk management (instead of box-ticking)
  • [02] Ways ERM improves operational effectiveness (4): 1. coordinate risk management activities across all parts of organization; 2. encourage and facilitate sharing of risk information; 3. identify and assess links between risks managed by various teams; 4. improve efficiency (management time and business resources)
  • [02] Empirical evidence for ERM value add (5): 1. many investors avoid entities with poor governance standards; 2. investors willing to pay 12%-30% premium for well-governed companies; 3. companies with strong governance structures outperform those with weaker governance, effect is amplified for larger companies; 4. insurance companies with ERM have lower volatility of returns, improved shareholder value, financial stability and 16% equity premium; 5. stock performance for companies with “excellent” S&P ERM rating was better than those of “weak” ERM ratings during 2008 crash
  • [03] Types of financial risks (4): 1. market; 2. credit; 3. business; 4. liquidity
  • [03] Types of non-financial risks (2): 1. operational; 2. external
  • [03] Elements of market risk (3): 1. trading risk; 2. asset and liability mismatch; 3. liquidity risk
  • [03] Examples of economic risk (5): 1. aggregate supply and demand; 2. government policies; 3. unemployment levels; 4. inflation, interest, exchange rates; 5. accommodation costs
  • [03] Ways to interpret liquidity risk (3): 1. funding liquidity (risk that markets are not able to supply funding to business when required); 2. more broadly, management of short term cashflow requirements; 3. market liquidity (insufficient capacity in market to handle asset transactions when deal is required)
  • [03] Define operational risk: Risk of losses resulting from inadequate or failed internal processes, people and systems, or from external events
  • [03] Advantages of outsourcing (5): 1. increased capacity; 2. reduced costs; 3. reduced time to market; 4. better quality; 5. transfer operational risks to third party
  • [03] Disadvantages of outsourcing (2): 1. legal risks from contract; 2. loss of direct control over risks
  • [03] Situations leading to financial contagion (4): 1. shared financial infrastructure; 2. funding liquidity risk (2008 crash); 3. common market positions; 4. exposure to common counterparty
  • [04] Components of ERM (7): 1. corporate governance (establish organisational processes and controls, create positive risk culture); 2. line management (integrate risk management into business strategy); 3. portfolio management (aggregate risk exposures and identify diversification effects and concentrations of risk); 4. risk transfer (mitigate excessive risk exposures cost-effectively); 5. risk analytics (measure, analyse and report on risk); 6. data and technology (support analytics); 7. stakeholder management (communicate risk information)
  • [04] Risk management responsibilities of the Board (3): 1. risk governance; 2. guide and approve ERM policies; 3. determine risk compensation
  • [04] Aspects of risk governance (3): 1. set vision, strategy, risk culture; 2. establish framework for measuring, managing and monitoring risks; 3. review outcomes and lessons learned from risk management process
  • [04] Aspects of setting ERM policies (4): 1. define risk appetite; 2. establish necessary skills for successful implementation and training program to obtain skills; 3. guide decisions on ERM approach, including roles and responsibilities; 4. approve suitable internal controls and ERM policies
  • [04] Goals of internal controls (5): 1. ensure accurate and adequate record-keeping; 2. prevent fraud and safeguard company assets; 3. guarantee accuracy of financial statements; 4. respond appropriately to risk; 5. ensure compliance with laws
  • [04] Key content of a risk subcommittee charter (6): 1. purpose; 2. responsibilities; 3. membership; 4. frequency of meetings; 5. performance assessment; 6. resources available
  • [04] Role of the audit subcommittee (3): 1. monitor integrity of financial statements; 2. monitor and review internal assurance functions (financial control, RM, internal audit); 3. recommend, monitor and review external auditor
  • [04] Cadbury Code-UK-1993 recommendations (6): 1. there should be a full Board meeting at regular intervals; 2. Board should be made aware of significant activities; 3. non-executive directors should have key responsibility for certain control and monitoring functions; 4. shareholders should approve director contracts in excess of three years; 5. director remuneration should be subject to review by a majority NED committee; 6. company reports should be balanced and understandable
  • [04] Walker Review recommendations (5): 1. “comply or explain” is still the best route to better corporate governance; 2. need more challenge in Board discussions; 3. Board involvement in risk oversight should be materially increased; 4. need better engagement between fund managers and Boards of investee companies; 5. remuneration committees should also cover influential employees, remuneration should be aligned with medium- and long-term goals and be publicly available on a banded basis
  • [04] Characteristics encouraged by good risk culture (4): 1. consultation / participation; 2. communication / openness / sharing; 3. accountability; 4. organisational learning
  • [04] Ways to change company culture (3): 1. from the top; 2. on an incremental basis; 3. as the profile of new recruits changes the views of the staff
  • [05] Categories of supervisors (4): 1. professional bodies; 2. professional regulators; 3. industry bodies; 4. industry regulators
  • [05] Role of professional bodies (2): 1. ensure members are adequately trained (exams); 2. ensure members maintain competence (professional development)
  • [05] Role of professional regulators (3): 1. set standards (to maintain public confidence); 2. monitor standards; 3. discipline in cases of non-adherence
  • [05] Purpose of industry bodies: Promote member interests through lobbying, shared research projects, etc.
  • [05] Purpose of industry regulators: Protect the public on behalf of government
  • [05] Advantages of unified regulation (6): 1. easier to regulate conglomerates; 2. consistent across various financial service activities; 3. limits incentives for regulatory arbitrage; 4. economies of scale; 5. ideas shared among regulatory staff; 6. improved accountability for regulators
  • [05] Benefits of proactive engagement with regulators (2): 1. may reduce level of risk regulators place on a company and thus reduce the supervisory burden on the company; 2. best practice advice from regulators based on seeing a wide range of risk management practices
  • [05] Aims of each Basel accord: Basel I (1998) set minimum capital requirements for banks; Basel II (2004) intended to supersede Basel I; Basel III was developed in response to 2008 crisis and focuses on liquidity, systemic and counterparty risks
  • [05] Three pillars of Basel II: Pillar 1 — minimum regulatory capital for credit, market and operational risks; Pillar 2 — supervisory review of internal processes; Pillar 3 — disclosure requirements
  • [05] Criticisms of Basel II (10): 1. too much emphasis placed on a single number that aggregates a wide variety of risk; 2. some risks are difficult to quantify; 3. some risks (e.g. liquidity) are only given cursory consideration; 4. complex calculations do not imply reliability; 5. costly to implement, especially if using internal credit and market models; 6. banks all measure risks and protect themselves in the same way at times of crisis; 7. market may undervalue certain assets; 8. implied levels of confidence could be spurious for new securities; 9. assets need to be sold when market value falls (pro-cyclicality); 10. complexity of risk model may lead to overconfidence in risk control
  • [05] Changes in Basel III that address prior criticism (4): 1. strengthen capital requirements (limit cross holding in other financial firms); 2. introduce conservation buffer to provide breathing space in times of financial stress; 3. change minimum ratios of Tier 1 and Tier 2 capital; 4. allow flexibility in capital requirements in times of financial crisis to limit pro-cyclicality
  • [05] Three pillars of Solvency II: Pillar 1 — quantitative requirements (SCR, MCR); Pillar 2 — qualitative requirements; Pillar 3 — supervisory reporting and disclosure
  • [05] Requirements of ORSA (3): 1. identify risk exposure; 2. identify risk management processes and controls; 3. quantify ongoing ability to meet solvency capital requirements (MCR, SCR)
  • [05] Similarities between Basel II and Solvency II (4): 1. both have three pillars, each dealing with similar aspects of company risks; 2. both are largely risk-based and allocate capital to areas running the highest risk; 3. suitable for multi-national firms; 4. similar regulation for banking and insurance arms
  • [05] Differences between Basel II and Solvency II (2): 1. Basel II assumes significant contagion risk and Solvency II considers contagion unlikely for insurance companies; 2. Basel II is more prescriptive and Solvency II is more principles based
  • [05] Key features of SOX (5): 1. formation of a Public Accounting Oversight Board (PAOB) to inspect published accounts and prosecute accounting firms in breach of regulations; 2. increased accountability of CEO and CFO of public companies; 3. each published report must contain an internal control report (ICR); 4. external auditors are required to report on management assessment; 5. illegal for management to interfere with audit; 6. illegal to destroy records with intent to influence investigation
  • [05] Principles of COSO (5): 1. risk represents opportunity and potential downside; 2. ERM is a parallel and iterative process; 3. everyone has a role in RM; 4. any RM process is imperfect; 5. implementation of RM must balance costs with benefits
  • [05] Three dimensions of the COSO cube: 1. ERM components and processes; 2. in each business objective covered by the framework; 3. at each business level of application
  • [06] Key principles in The Orange Book-UK (6): 1. importance of linking risks to objectives; 2. distinction between risk and impact; 3. need to distinguish inherent and residual risk; 4. prioritization of risk is more important than quantification; 5. risk appetite should be subdivided into corporate, delegated and project; 6. dedicated risk committee is recommended
  • [06] Elements of the Canadian Integrated Risk Management Framework (4): 1. develop corporate risk profile; 2. establish an integrated risk management function (RMF); 3. practice integrated risk management; 4. ensure continuous RM learning
  • [06] Elements of the AS/NZS 4360 process (7): 1. establish context (SWOT); 2. identify risks; 3. analyze risks; 4. evaluate risks; 5. treat risks; 6. monitor and review; 7. communicate and consult
  • [06] Differences between AS/NZS 4360 and RAMP (2): 1. RAMP process includes a project launch and a project close analysis; 2. RAMP process has a go/no-go decision step
  • [06] Principles of the IRM/AIRMIC/Alarm standard (4): 1. methodical and structured approach, similar to COSO; 2. in-house risk management is preferable (need internal risk champion); 3. internal audit is an important control; 4. clarity over stakeholder roles is important
  • [07] Risk elements of S&P’s rating framework (3): 1. sovereign risk — taxation, currency; 2. business risk — industry prospects, competitive strength, management quality, operational risks; 3. financial risk — profit level, cashflow, capital structure and flexibility
  • [07] Features affecting the significance of ERM in an insurance company’s overall rating (2): 1. complexity of risk; 2. amount of available capital and ease of access
  • [07] Practices assessed in S&P’s ERM rating (5): 1. capabilities to consistently identify, measure and manage risk exposures; 2. optimization of risk-adjusted returns; 3. unexpected losses; 4. consideration of risk and risk management in insurer’s corporate decision making; 5. risk tolerance guidelines
  • [07] Main areas of S&P’s ERM assessment (5): 1. risk management culture; 2. risk control; 3. extreme event management; 4. risk models and capital models; 5. strategic risk management
  • [07] S&P’s review of risk management culture (2): 1. look for indicators of positive risk culture; 2. evaluate governance structure, risk tolerance statements and individual risk manager capabilities
  • [07] S&P’s review of risk control (4): 1. risk identification process; 2. risk monitoring on an ongoing basis; 3. limits set for retained risk, adherence to limits, consequences when limits are not met; 4. execution of risk management process
  • [07] S&P’s review of extreme event management (3): 1. various possible events are considered; 2. potential impacts are measured (stress testing, scenario analysis); 3. events are prepared for (early warning indicators, cat insurance)
  • [07] S&P’s review of risk and capital models (4): 1. model usage / formula; 2. inputs / assumptions; 3. consistency across business units; 4. appropriate modifications to standard formula
  • [07] S&P’s review of strategic risk management (7): 1. clear decision making on retained risks; 2. clear strategy for investing assets; 3. product pricing reflects risks and returns; 4. clear standards set for what is acceptable based on risk appetite; 5. appropriate capital allocation; 6. appropriate dividend policy, influenced by risk-adjusted return on retained capital; 7. incentives for good risk-adjusted returns
  • [07] Key strength of S&P ERM framework: Encourages good ERM practices (analyse risks holistically, link strategic decisions to risk management, transparency)
  • [07] Key weakness of S&P ERM framework: Limited application (only to insurance and reinsurance companies and represents only the opinion of S&P)
  • [07] Categories of the S&P ERM rating (6): 1. excellent; 2. strong; 3. adequate; 4. weak; (5. adequate with strong risk controls; 6. adequate with positive trend.)
