Non-Insurance Risks
Sim Segal, FSA, CERA, MAAA
President, SimErgy Consulting
Author, Corporate Value of Enterprise Risk Management
CIA Annual Meeting
June 29, 2011
Key ERM criteria #2: Include all sources of risk
• Financial – unexpected changes in external markets, prices, rates and liquidity supply and demand
• Insurance – inaccurate pricing, underwriting, or reserving
• Strategic – unexpected changes in elements related to strategy formulation or execution
• Operational – unexpected changes in operations
Copyright © SimErgy. All rights reserved.
Most ERM programs not holistic
• Myth regarding importance of financial risks
• Modeler bias towards financial risks
• Lack of broad focus during risk identification
• Inability to quantify strategic/operational risks
* Financial risks here meant to include insurance risks
Myth regarding importance of financial risks
• Research studies debunk this
– Strategic and operational risks actually represent the majority of key risks for a company and comprise the biggest threats
– See Corporate Value of Enterprise Risk Management (pages 28-31)
o 1-year WSJ study: Strategic: 64% / Operational 35% / Financial 1% (Source: “IMPACT Study,” Watson Wyatt)
o 18-year 50% market cap decline study: Strategic: 65% / Operational 20% / Financial 15% (<15% / most “financial” were mis-categorized operational) (Source: CFO Executive Board, Audit Director Roundtable research)
o 6-year largest 1-month value decline study: Strategic: 61% / Operational 33% / Financial 6% (Source: Mercer Management Consulting)
o Director survey of biggest threats: Strategic outnumbered financial by margin of >3-to-1 overall, and >2-to-1 in financial services sector (Source: The Conference Board, The Role of U.S. Corporate Boards in ERM)
• Partly due to poor risk categorization/definition (monoline example)
Modeler bias
• Education, training and experience are in financial risk, e.g., market risk or credit risk
• Methods work best for financial risk
• Discomfort with lack of precision
– Violation of significant digits rule
Broadening focus during risk identification
• Define risk as deviation from strategic plan
• Include a broad range of individuals in the qualitative risk assessment survey
• Provide risk categorization and definition tool
– Includes categories, sub-categories and divisions of risk at the appropriate level for the organization
– Includes clear definitions of risk, by source, to provide a uniform risk language enterprise-wide
– Serves as a prompt to qualitative risk assessment survey participants
Financial risk
• Market risk – unexpected changes in external markets (e.g., stock markets), prices (e.g., commodities), or rates (e.g., interest rates)
• Credit risk – unexpected changes in credit markets (availability), prices (credit spreads), or credit-worthiness of issuers or counterparties
• Liquidity risk – Unexpected changes in liquidity supply and demand; three levels of impact:
– Untimely asset sales
– Inability to meet contractual demands
– Default
Strategic risk
• Strategy risk – Viability of strategy does not match expectations (varies by organization and must be customized)
• Execution risk – Strategy is not implemented as expected
• Governance risk – Governance is not functioning as expected
• Strategic relationships risk – Unexpected changes in strategic relationships, such as a parent company or joint venture
• Competitor risk – Unexpected changes in competitive landscape, such as new entrants, price wars, etc.
• Supplier risk – Unexpected changes in supplier environment, such as supplier capacity, supplier failure, or changes in costs
Strategic risk (continued)
• Economic risk – Unexpected changes in the economy, often source of other changes, e.g., consumer disposable income, employment markets, inflation, market risk, and credit risk
• External relations risk – Unexpected changes in company’s relationship with external stakeholders with public voices, such as the media, consumer advocates, equity analysts, rating agencies, regulators, and politicians
• Legislative/regulatory risk – Unexpected changes in laws or regulations
• International risk – Unexpected changes in the business environment of foreign countries where company operates, e.g., changes in stability, attitude toward foreign firms, etc.
Operational risk
• Human resources risk – People not performing as expected, such as performance, productivity, and conduct
• Technology risk – Technology not performing as expected, such as data security, data privacy, data integrity, capacity, and reliability
• Litigation risk – Unexpected civil suits or judgments
• Compliance risk – Level of compliance not matching expectations, such as financial reports not as accurate as expected
• External fraud risk – Unexpected changes in amount of external fraud
• Disasters – Unexpected natural or manmade disasters, such as weather-related (e.g., hurricane, flood, tornado, earthquake), health-related (e.g., pandemic), accidental (e.g., fire), general acts of destruction (e.g., war, terrorism, rioting), and specific acts of destruction against the company (e.g., attack on employees, sabotage, etc.)
• Process risk – Company processes not functioning as expected
Inability to quantify strategic/operational risks
Traditional Approach
Method 1: Qualitative
  Cannot support decision-making
Method 2: Industry data
  Often unavailable or inappropriate
Method 3: Risk capital
  Understates risk
  Arbitrary / often directionally incorrect
Value-Based ERM Framework
[Figure: Value-Based ERM Framework diagram. Phases: Identification, Quantification, Decision-Making. Labeled elements: Qualitative Assessment (all risks plotted by likelihood and severity; key risks); Scenario Development (key risk scenarios, likelihood, correlation); ERM Model (baseline value, ΔValue; FINANCIAL: market, credit, …; STRATEGIC: strategy, execution, …; OPERATIONAL: HR, process, …); Individual Risk Exposures (company value impact by risk); Enterprise Risk Exposure (“pain point” likelihood: ΔValue ≤ -10%: 15%; ΔValue ≤ -20%: 3%); Risk Appetite; Strategy; Risk Mgmt Tactics; ERM Committee. Annotations: mostly objective / mostly subjective; 1+ events / sim, 1 event / sim.]
Modified Case Study
Quantifying exposures by company value
[Bar chart: Individual Risk Quantification, Company Value Impact (axis from 0.0% to -25.0%) for IT Risk 1, Legislation Risk, Loss of Critical EEs, M&A Risk, Execution Risk, International Risk 1, Loss of Key Supplier, Loss of Key Distributor, IT Risk 2, International Risk 2, Union Negotiations, Competitor Risk 1, Consumer Relations Risk.]
Modified Case Study
Quantifying exposures on multiple bases

 #   Risk                      Δ Enterprise Value   Δ Revenue Growth   Δ EPS Growth
 1   IT Risk 1                 -23.0%               -5.3%              -7.4%
 2   Legislation Risk          -19.0%               -17.0%             5.9%
 3   Loss of Critical EEs      -14.5%               -8.9%              -9.5%
 4   M&A Risk                  -8.7%                0.0%               -3.7%
 5   Execution Risk            -7.9%                -1.1%              -4.1%
 6   International Risk 1      -5.8%                -1.8%              -4.0%
 7   Loss of Key Supplier      -5.5%                -0.9%              -3.3%
 8   Loss of Key Distributor   -4.4%                -2.7%              -2.2%
 9   IT Risk 2                 -3.0%                0.0%               -1.4%
10   International Risk 2      -2.8%                -2.0%              -1.7%
11   Union Negotiations        -2.0%                -1.3%              -1.0%
12   Competitor Risk 1         -2.0%                -1.8%              -0.8%
13   Consumer Relations Risk   -1.5%                -1.2%              -0.5%
ILLUSTRATIVE EXAMPLE
Developing company/situation-specific risk scenarios: FMEA technique
1) Identify interviewees
- Those closest to the risk
- Usually 1 or 2 risk experts
2) Develop risk scenario
- Begin with credible worst case
- Select specific scenario and think it through
3) Assign likelihood
4) Quantify
- Determine impacts on free cash flow

Risk: Legislation Risk
Attendees: xxx, xxx, xxx
Scenario 1: Legislation passes reducing business opportunity in certain markets
Likelihood: 5%
Financial impact:
• Revenue impact
  o 50% loss of planned revenues in market A
    • 1st year: -$2.5M
    • 2nd year: -$2.6M
    • etc.
  o 100% loss of planned revenues in market B
    • 1st year: -$1.0M
    • 2nd year: -$1.1M
    • etc.
• Expense impact
  o Reduction in workforce
    • -10% of salary and related benefits
    • +$100K severance costs
FMEA guide
• Advance communication, but may need to give overview at start
• Make them comfortable re (a) lack of precision, (b) chance to modify
• Take copious notes
• Common challenges/solutions
Challenge: They are resistant to coming up with a specific scenario
→ Solution: Prompt them with one of your own
Challenge: They list several possible scenarios and won’t focus on one
→ Solution: Pick one for them
Challenge: They start discussing key risks other than the one intended
→ Solution: Pay attention. They may be identifying a new key risk to consider.
Challenge: They provide a risk scenario not properly identified by a source of risk
→ Solution: Tell them that, and suggest a way to state it as a source of risk
FMEA guide (continued)
• Common challenges/solutions (continued)
Challenge: The risk event may not be fully fleshed out
→ Solution: Prompt: “what happens next?” “will other segments be impacted?” etc.
Challenge: They are uncomfortable providing a likelihood
→ Solution: Prompt: “is this a 1-in-20 year event? A 1-in-50 year event?”
Challenge: They hesitate to give you any estimate of financial impact
→ Solution: Prompt: “Is it a 5% impact? A 20% impact?”
Challenge: They will only provide a range estimate of financial impact
→ Solution: Use midpoint for quantification and ranges for sensitivity testing
Challenge: Answers are clearly biased, or off-base in light of your experience
→ Solution: Offer input to correct this / corporate has a right/responsibility to do this
Answering “But aren’t these just all guesses?”
• Decisions happen anyway
• Expert guesses
• Ranges
– Case study of “cross-over” point leading to decisions
• Documentation/distribution reduces bias
• A crowd of experts
– (“The Wisdom of Crowds,” James Surowiecki)
• Relative comparisons
Value-based approach properly quantifies operational and strategic risks
Method 1: Qualitative
  Traditional Approach: Cannot support decision-making
  Value-based Approach: Quantifies impact to value / supports decision-making
Method 2: Industry data
  Traditional Approach: Often unavailable or inappropriate
  Value-based Approach: Company/situation-specific
Method 3: Risk capital
  Traditional Approach: Understates risk
  Value-based Approach: Fully quantifies risk impacts
  Traditional Approach: Arbitrary / often directionally incorrect
  Value-based Approach: Risk-based
Case Studies
Case studies: Quantifying impact to value supports decision-making
A) Technology – External attack
B) Human resources – Critical employees
C) Fraud – Money Laundering
D) Supplier – Disruption
E) Technology – Data Privacy
F) Strategy – Strategic Planning Process
Case study A: Technology – External attack
Sector: Financial services
Event: External attack through unprotected wireless device leading to numerous impacts on systems, data and customers
Quantification:
• Ranked as #3 risk by value impact
• Primary driver found to be customer privacy data violation
Management action(s): Made two immediate decisions:
1) Identified and secured PCs with customer data
2) Purged ex-customer data, cutting exposure in half
Lessons:
• Value metric leads to decision-making
• Attribution focuses mitigation opportunities
Case study B: Human Resources – Critical employees
Sector: Insurance
Event: Plane crash results in death of some top salespeople, sales managers and executives
Quantification: Attribution identified sales managers as primary driver
Management action(s): Decision to strengthen adherence to company policy limiting concentration of key employees on flights, particularly for sales managers
Lessons:
• Value metric superior to traditional capital metric, which does not rank this risk properly
• Attribution focuses mitigation opportunities
Case study C: Fraud – Money Laundering
Sector: Insurance
Situation: Decision needed on whether to resume AML spending
Event: Money laundering violation with fines and criminal prosecutions
Quantification: Destroys approximately half the company’s value
Management action(s): Immediate decision to continue AML spending
Lessons:
• Quantification exercise adds value, despite approximate nature of inputs
• Value metric leads to decision-making
Case study D: Supplier – Disruption
Sector: Chemical manufacturer
Event: Sole source supplier facility destroyed by fire
Quantification:
• Ranked as #1 risk by value impact
• 100% destruction of minor product line
• Market share loss in major product line, some permanent
Management action(s): Immediate decision to qualify backup supplier
Lessons:
• Value metric fully quantifies impact, including future years
• FMEA process translates and shares experts’ knowledge
Case study E: Technology – Data Privacy
Sector: Telecommunications
Situation: Rapid decision needed on response to customer request to guarantee data privacy
Event: Multiple scenarios under each of three decision options
Quantification: Produced within required short time frame
Management action(s): ERM information helped management arrive at their decision
Lessons:
• Value-based ERM model can be modified and run rapidly, making it practical to include in decision-making process
• Value metric is the language of business decision-makers
Case study F: Strategy – Strategic Planning Process
Sector: Technology
Event: Strategic plan process is unrealistic, and 4 elements of the plan are not achieved
Quantification:
• 20% drop in enterprise value from baseline valuation
• Attribution identified which of the 4 elements most impactful
Management action(s):
• Realized source of bias, vis-à-vis stock options
• Focused attention on achieving most impactful elements
Lessons:
• Value metric is relatable to existing business metrics
• Attribution focuses mitigation opportunities
Contact information
Sim Segal, FSA, CERA, MAAA
President
SimErgy Consulting LLC
Chrysler Building
405 Lexington Ave., 26th Flr
New York, NY 10174
(917) 699-3373 Mobile
(646) 862-6134 Office
(347) 342-0346 Fax
sim@simergy.com
www.simergy.com