enterprise risk management...enterprise risk management maturity assessment tool framework elements...

The Changing Risk Landscape Delfin Viloria Willis Towers Watson Risk & Analytics, Strategic Risk Consulting

Enterprise Risk Management

© [2018] Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.

The Risk Environment is Changing

2 © 2018 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.

Source: The State of Risk Oversight: An Overview of Enterprise Risk Management Processes. AICPA_ERM_INITIATIVE_Research_Study_2017 theres-no-reward-without-risk-EYs-global-governance-risk-and-compliance-survey-2015

About 70%of large organizations, public companies, and financial services entities perceive the volume and complexities of risks have increased "mostly" or "extensively" in past 5 years

85% of respondents indicated opportunity exists to further improve the linkage between risk and business performance.

25% of full sample describes their risk management processes as "mature" or "robust", with large organizations, public

companies, and financial services entities having more mature processes (but less than 50% are "mature" or "robust")

The Risk Environment is Changing

3

Macro trends: Increasing business complexity leading to increasing risk complexity

Lower tolerance for business failures & increasing blame culture

Risk mitigation is struggling to keep up with the pace of business change

Global and systemic risks appear to be increasingly interconnected and worsening, e.g. terrorism, mortgage lending, climate change, pandemics, natural perils …

Leading to: Increased focus on detailed understanding of risk exposures

More attention paid to risk management from rating agencies, capital providers, regulators and governments

Greater need for transparency, articulation and execution of risk management strategy

© 2018 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.

Risk Management Framework


WTW Risk Maturity Assessment WTW RAPIDSM Risk Assessment Process

© 2018 Willis Towers Watson. All rights reserved.

Case Study – WTW Risk Maturity Assessment

6

Advanced framework to assess clients’ risk maturity against recognised industry standards (ISO31000 and COSO II)


…Overall WTW has provided us with a structured and operational process for

ongoing risk management implementation that is also

easily integrated into existing management processes. The whole process was efficiently and unobtrusively run for us

by WTW, and the deliverables were well

received by the Executive Committee, who endorsed our new Risk Policy and

other documents with their full support for continued

implementation...

Soo Hak Chung, Oil & Gas Division, Daewoo International

Enterprise Risk Management Maturity Assessment Tool

Framework Elements Basic Average Advanced World Class Priority Timeframe

(Months)Resources Basic Average Advanced World Class

1 Stakeholder Management Low 0 to 3 Low

2 Risk Culture Medium 12 + Low

3 Risk Appetite Low 6 to 12 Low

4 Group Strategy Low 12 + Medium

5 Risk Governance and Policies High 6 to 12 Medium

6 Risk Identification and Quantification Low 12 + Medium

7 Risk Articulation, Treatment and Improvement High 12 + Medium

8 People and risk based reward Medium 6 to 12 Medium

9 Monitoring Low 12 + Low

10 Infrastructure and Technology Medium 6 to 12 High

Targeted StatusImprovement PlanningCurrent Status

Priority Sort Timeframe SortCurrent Status

Reset Order

Resource

Case Study – WTW RAPIDSM Risk Assessment Process

7

WTW Risk Profile Diagnostic Tool - Example Risk Articulation


“We engaged Willis to help us understand and improve the

strategic, financial and operational enterprise risks of

some of our key energy facilities. The Willis SRC team

provided valuable new risk insights and their structured

consulting processes enabled our local and international functional leaders to work

together efficiently and effectively.”

Miguel Luque, Director of Insurance, Repsol

willistowerswatson.com

WTW RAPIDSM Risk Assessment Process


Risk No.

Before

2 4

Risk Number1

1 : Unable to Attract Qualified Personnel Risk Scores Impact Likelihood GRSBefore Improvement 4 4 16

After Improvement 3 3 9

Triggers

Unable to attract qualified, specialized personnel in multiple critical positions for 12+ months 5

Underlyng Vulnerabilities

Local area and pay scale; Specialized nature of work; High standards of excellence; Aging workforce; Lack of budgetary agility; HR department understaffed & resources diverted

Like

lihoo

d

4

After

2

3 5

1

Consequences

Lack of leadership and direction; Increased work burden; Decreased employee morale; Further difficulty in recruiting; Higher turnover; Reputational impact; Unable to accomplish goals and objectives of Strategic Plan

Current Controls

HR programs to retain talent; Monitoring of key metrics by HR; Attractive recruitment packages compared to competitors; Outside professional services

1

3

ImpactRisk Name Category

Unable to Attract Qualified Personnel Human CapitalAction Measure of Success Allocated to Delivery

Beth 31-Dec-2015

Evaluate vendors for Talent Management System consolidation

Talent Management System consolidated under a single vendor Beth 31-Dec-2015

Demonstrate additional staffing needs Perform time study on utilization of resources and present conclusions on staffing needs to Senior Execs.

Steve 30-Jun-2015

Evaluate Compensation Program Provide recommendations on improvements Jim 31-Jul-2015

Develop and deploy a marketing and PR strategy for Local area

Develop and deploy a marketing and PR strategy for Local area

1

2 3 2

2 1

5 3

0

1

2

3

4

5

6

0 1 2 3 4 5 6

Like

lihoo

d

Impact

Risk Distribution With Current Controls

Risk Register

Risk Distribution (before and after)

Risk Matrix and Improvement

plans

Risk Appetite and Risk Tolerance


Case Study – Risk Appetite and Risk Tolerance


Group

Compliance Strategic Reporting Operational Risk Type Risk Registers or subjective allocation

Domestic Operation

Overseas Operation OpCo C OpCo A OpCo B Business

Unit Management account

reports KPI choices

Risk Event

Deep-dive analysis

Risk 1 Risk 2 Risk 3 Risk …

Uninsured

Insured

Uninsured

Insured

Uninsured

Insured

Uninsured

Insured

Insurable & Uninsurable

Events

Risk registers, Actuarial modelling or

Scenarios

Actuarial modelling, or other input to develop

assumptions

…The Risk Tolerance analysis gave us input for the senior

management discussion on how much risk we can and how much risk we will take as a company.

This was then cascaded into: low, medium, high and catastrophic

impact criteria used for our annual risk profile workshops on Group

and BU level. In this case we linked the impact criteria to our key performance indicators –

Equity, Ecology and Economy - as well…

Risk and Insurance Manager

Corporate Crisis Events

11

Drop in share price greater than 20% in 20 working day period


20%

30%

40%

50%

60%

70%

80%

90%

100%

95 97 99 01 03 05 07 09 11 13 15 17

Und

erpe

rfor

man

ce in

Cor

pora

te V

alue

(%)

S&P 500 LatAm Natural Resource Companies

Corporate Crisis Events

12

On average, major corporations face crises every eight years


2,400 events suffered by 1,100 of the worlds largest companies in the last 20 years

Member companies of the S&P 500, FTSE100 and Stoxx 600 Data from Bloomberg Finance L.P. enriched with analysis by Willis Towers Watson

20%

30%

40%

50%

60%

70%

80%

90%

100%

95 97 99 01 03 05 07 09 11 13 15 17

Und

erpe

rfor

man

ce in

Cor

pora

te V

alue

(%)


20%

30%

40%

50%

60%

70%

80%

90%

100%

95 97 99 01 03 05 07 09 11 13 15 17

Und

erpe

rfor

man

ce in

Cor

pora

te V

alue

(%)


Events Suffered by Large Energy and Natural Resources Companies in Latam

13

114 events since 1995


Hochschild – Sept 2013 Likely related to inclusion on list of new additions to a NYSE gold miners index, which investors bought and later sold off after exclusion from the final list

Petrobras – Jan 2016 Likely related to corruption scandals and company selling of assets to reduce its debt level

Ocean Rig – Feb 2016 Likely due to breach of obligations from Premier Oil under the drilling contract for the Eirik Raude

YPF – Mar 2009 Likely related to limited flexibility to react during Economic Crisis

Publicly listed Latam Energy or Metal and Mining companies with a market cap >USD1bn Data from Bloomberg Finance L.P. enriched with analysis by Willis Towers Watson

Case Study – Defining and Allocating Risk Appetite and Tolerance

14

WTW Risk Tolerance Clarified – What would be a Crisis for your Organisation?


Banking covenants

Liquidity / debt

Credit rating

Analysts

Auditors

Risk types can be used to allocate the group’s risk appetite, allowing for the effects of diversification

$37,050,000

$12,350,000

$6,175,000

$6,175,000

Allocation of Risk Appetite across Risk Types Operational Strategic Reporting Compliance


15

Allocation to Risk Type


Diversification allows us to assign a total of $61.75m

Group risk appetite is

$40m

$6,840,000

$27,360,000

Risk Split Between Insurable and Uninsurable

Insurable Uninsurable

$28,200,000

$8,146,667

$5,640,000

$21,933,333

Allocation of Operational Risk across Divisions

BU 1 BU 2 BU 3 BU 4


16

Allocation to Uninsurable and Insurable Risks

Risk tolerances can then be split between into uninsured and insured


Diversification allows an allocation of $34.2m

BU’s operational

risk tolerance, $28.2m


17

Allocation to Insurable Class of Risk

This can be split again into the classes of insurance that are relevant for the business unit and type of risk


$6,520,000

$1,862,857

$931,429

Allocation of Insurable Risk across Risk Lines

PDBI Liability Other

$6,840,000

$27,360,000

Risk Split Between Insurable and Uninsurable

Insurable Uninsurable

Diversification allows for allocation of $9.3m

BU’s insurable

operational risk, $6.8m

Risk Retention and Transfer Optimisation


Case Study – Quantification and Optimization of an Insurable Risk


Captive

$4m EEL & $8m AAD

Reinsurers

$500m Limit

Business Unit

Retention $100k per loss

Current Captive Premium: $5.2m

All monetary amounts in USD

millions

Estimated Captive Transfer Premium

Estimated actuarial pricing is calculated as the cost to captive (expected annual claims $4.34m) plus a volatility loading Current Captive premium of $5.2m is

slightly higher than $4.58m suggested by the actuarial model

Extreme Losses “1 in 200”

0.5% probability that total losses could exceed $43.90m

Insurance Limit

Probability of the limit being breached is less than 1 in 1,000 years

Value for money of insurance

insurer’s expected annual claims forecast as $1.2m

Deductibles and Aggregates

$8m stop loss aggregate activated 1 year in 10

Return Period (Years)

Percentile Total Loss

Total Number

Retained within BU

Retained within

Captive

Ceded to Reinsurers

Exceeding Limit

1 in 2 50% 6.68 80 2.50 4.04 - - 1 in 4 75% 10.17 113 3.55 6.43 - -

1 in 10 90% 14.35 152 4.74 8.00 2.06 - 1 in 20 95% 17.91 178 5.60 8.00 5.03 - 1 in 100 99% 29.07 237 7.47 8.00 15.73 - 1 in 200 99.5% 43.90 259 8.18 8.00 33.38 - 1 in 1000 99.9% 164.19 313 9.82 8.00 153.08 -

Mean 8.41 88 2.74 4.34 1.20 0.13 Std Dev 20.78 47.9 1.51 2.40 10.74 12.73

Actuarial Premium Estimate 4.58 1.88

Gross Losses Losses Modelled under Current Programme “Willis’ Strategic Risk Consulting team worked with our finance, risk

and insurance functions to help PEMEX optimize the risks of our

upstream and downstream exposures, with due regard to the

wider business environment in which we operate and facing the Energy Reform in Mexico. Their

team provided important new insights, demonstrating the value of an analytical approach to risk

assessment and risk finance strategy. The agreed deliverables for this complex consultancy were all provided with high quality and

according to our required timescales.”

David Ruelas Rodríguez, Managing Director Risk Management & Insurance, Corporate Finance Office, PEMEX

Case Study – Quantification and Optimization of a NON Insurable Risk

20

LossPIQSM


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

$1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 $1,000,000,000

CO

NFI

DE

NC

E L

EV

EL

TOTAL EXPECTED AGGREGATE LOSSES (UNDISCOUNTED) - Logarithmic Scale

CYBER RISKS BY TYPE AND IN TOTALLOSS DISTRIBUTION CURVE AT VARIOUS CONFIDENCE LEVELS

Abuse of authorized network access Targeted attacks Crimeware Cyber espionage Other Total

Model Output - Total Gross

Return Period (Years)

Percentile Expected Loss (€m)

1 in 2 50% 5.8 1 in 4 75% 13.7 1 in 5 80% 17.2 1 in 10 90% 30.7 1 in 20 95% 44.4 1 in 50 98% 59.5

1 in 100 99% 72.4 1 in 200 99.5% 82.8 1 in 500 99.8% 94.9 1 in 1000 99.9% 103.6

Mean 11.3 Std Dev 15.2

Reasonably likely: 1 in 10 years

Remote scenario: 0.5% probability that

losses are of this magnitude

Long-term weighted average:

Starting point for Transfer/mitigation

costs

“Like many others, our organization has identified the need to develop a

deeper understanding of our vulnerability to cyber risks, and how we can manage and insure them. Using their unique Cyber LossPIQ process, Willis Towers Watson not only brought us the latest available industry research (as long as we have our knowledge), but also

helped us to harness the combined knowledge of our IT, financial,

operational and risk resources...”

Tommaso Masarucci E., Jefe del departamento de Financiación de Riesgos (PFR), ECOPETROL

Case Study – WTW “Risk Optimizer”

21

The Efficiency Frontier reveals the options that optimize the Retention / Cost equation


"Willis conducted a Risk Optimization for CBRE to

determine whether efficiency in the insurance programs could be

achieved. CBRE implemented strategies recommended to get to the efficient frontier, such as

buying more limit on some classes and removing primary

covers on others. The optimizer also demonstrated the value on

the existing insurance arrangements…"

Tim Bunt | Senior Vice President & Chief Risk Officer CBRE | Global Risk Management

Auto

Worker’s Comp

GL

EPLI

Cyber

8.435

21.012

29.447

28.837

8.825

22.067

30.892

20.096

8.698

20.256

28.954

25.367

1 45 0.975

10 50 0.856

0.500 20 1.257

0.250 5 3.135

0.100 20 2.212

0.500 45 1.157

5 50 0.978

0.500 15 1.167

0.500 10 2.955

0.100 25 2.568

0.250 45 1.231

5 50 0.978

0.500 10 1.125

1 10 2.575

0.100 30 2.789

Move your company’s risk program ontoThe Efficient Frontier

We model thousands of marketable strategies to provide an easy comparison to the current program

Why Should You Care?

22

The cost of poor Governance, Risk Management & Compliance Investors, Regulatory and Boards scrutiny

CEOs looking for a structured approach to managing

risk CFOs looking for reduced financial volatility


Reputation is critical

Gracias


Delfin Viloria Partner | Latin America Risk & Analytics | Strategic Risk Consulting Willis Towers Watson 1450 Brickell Ave, Miami 33131, USA [email protected]

mailto:delfin.viloria@WillisTowersWatson

enterprise risk management...enterprise risk management maturity assessment tool framework elements...

Documents