Enterprise Risk Management - Lecture 3 - Mathematics

The Role of Auditing in the ERM Process
SOA Annual Meeting
Chicago – October 2006
Rick Gorvett, FCAS, MAAA, ARM, FRM, PhD
Director, Actuarial Science Program
State Farm Companies Foundation Scholar in
Actuarial Science
University of Illinois at Urbana-Champaign
Agenda
• Background
• Enterprise risk management
• Internal audit and ERM
• NAIC risk-focused surveillance framework
• Conclusion
“Who am I? Why am I here?”
- Admiral Stockdale, 1992
• Currently
– Director, Actuarial Science Program
– State Farm Companies Foundation Scholar in Actuarial Science
– Professor, Depts. of Mathematics, Statistics & Finance
– University of Illinois at Urbana-Champaign
• Prior
– Senior Vice President
– Director of Internal Audit & Risk Management
• Internal Audit
• Corporate Investigations
• Risk Management
• Enterprise Risk Management
• Business Continuity
An Initial ERM Comment
• You don’t become a famous writer by…
– Reading a book
– Reading about other authors
– Watching someone else write
• Similarly, you don’t become an “Enterprise Risk Manager” by…
– Reading a book
– Taking a course
– Listening to a presentation
Rather, ERM is…
A complex process…
… involving broad-based and in-depth
knowledge and understanding,…
… requiring an appropriate corporate culture,…
… and creativity…
… born of a variety of experiences…
… and insatiable curiosity.
ERM Definition from IIA
From Position Statement, The Institute of
Internal Auditors:
ERM “is a structured, consistent and continuous
process across the whole organization for
identifying, assessing, deciding on responses
to and reporting on opportunities and threats
that affect the achievements of its objectives.”
Steps in the Risk Management Process
• Determine the corporation’s objectives
• Identify the risk exposures
• Quantify the exposures
• Assess the impact
• Examine alternative risk management tools
• Select appropriate risk management approach
• Implement and monitor program
Enterprise Risk Management
• Or “Enterprise Risk and Assurance
Management”
• What is ERM?
– Concerned with a broad financial and operating
perspective
– Recognizes interdependencies among corporate,
financial, and environmental factors
– Strives to determine and implement an optimal
strategy to achieve the primary objectives: e.g.,
maximize the value of the firm
Evolution of ERM
• Historically: “risk silo” mentality
• Mid-1990s:
– First “Chief Risk Officer”
– First use of ERM terminology
• Late-1990s:
– Risk-related regulatory requirements (e.g., Turnbull)
– Earnings protection insurance debuts
• 2001:
– September 11
– Corporate scandals
– Beginning of efforts to improve corporate governance (e.g.,
Sarbanes-Oxley)
A Paradigm Shift
Traditional
• Risks managed in silos
• Concentrates on physical hazards and financial risks
• Insurance orientation
• Ad hoc / one-off projects
Emerging
• Centralized mgt., with exec-level coordination
• Integrated consideration of all risks, firm-wide
• Opportunities for hedging, diversification
• Continuous and embedded
Current State
• Findings from various surveys
– An acknowledged need to improve risk
management
– A recognition that a holistic approach is
appropriate and preferable
– ERM can improve overall capital management and
thus enhance corporate value and competitiveness
– A variety of approaches to improving risk
management
– There are still problems to overcome
Types of Risks
• Operational
– Hazard
– Physical
• Strategic
– Capital / resource allocation
– Industry / competitors
• Technological
– Databases
– Security
– Confidential information
• Stakeholder
• Legal
– Compliance
– Regulatory
• Financial
– Capital markets
– Credit risks
– Taxes
• Human capital
– Retention
– Training
• Reputational
Issues in ERM Implementation
• Different corporate cultures require different
ERM approaches
• Who is going to be the ERM champion within
the company
– Among senior executives
– Among departments / functions
• How to embed a risk management culture and
responsibilities throughout the firm
Components of the ERM Process
• Determine corporate objectives
• Risk identification
– Goal: comprehensiveness
– E.g., self-assessment
• Risk measurement
– Volatility measures
– Value at Risk (VaR)
[Figures: risk maps plotting Likelihood against Impact, and Likelihood against Size of loss]
Components of ERM (cont.)
• Assessing the impact
– Stress or scenario testing
– Stochastic simulation
• Examine and select alternative risk
management tools and techniques
– Traditional risk transfer
– Natural hedging / diversification
– Integration of risks
E.g., “dynamic financial analysis”
Keys to Success in ERM
• Senior management commitment and
sponsorship
• Embed a “risk management culture” in the
corporation at the operational level
• Provide for accountability, both specific and
widespread
• Clearly defined responsibilities for
coordination and maintenance
• Adequate communication
Internal Audit and ERM
Overview
• Provide independent and objective assurance
for Board on effectiveness of ERM
– Identify/assess/manage key risks
– Internal controls
• IA has assurance and consulting roles
– Function of other resources
– Relative time/effort between roles may vary
among firms and over time
Internal Audit and ERM
“The Role of Internal Auditing in Enterprise-wide Risk
Management” - The Institute of Internal Auditors
Core Roles
• Assurance regarding, and evaluation of, the risk
management process
– Risk reporting, evaluation, management
• Assurance regarding handling of key risks
Internal Audit and ERM (cont.)
“The Role of Internal Auditing in Enterprise-wide Risk
Management” - The Institute of Internal Auditors
NOT Roles
• Establishment of “risk appetite”
• Imposing / implementing risk responses /
management
Internal Audit and ERM (cont.)
“The Role of Internal Auditing in Enterprise-wide Risk
Management” - The Institute of Internal Auditors
Possible Roles
• Facilitating risk management
– Identification, evaluation, championing
• Coordinating ERM
• “Developing risk management strategy for board
approval”
NAIC
“Risk-Focused Surveillance Framework”
Main Objectives
• Focus on areas posing greatest risk to solvency
• Focus on “the assessment of governance structure,
corporate culture, and management processes in
insurance companies to identify, assess and manage
(where manage is defined as measurement, mitigation
and monitoring) risk”
NAIC (cont.)
Risk Classifications
• Credit
• Market
• Pricing and underwriting
• Reserving
• Liquidity
• Operational
• Legal
• Strategic
• Reputation
Conclusion
“The revolutionary idea that defines the
boundary between modern times and the past
is the mastery of risk”
- Peter Bernstein, Against the Gods