1. ERM Theory and Practice Stephen P. D’Arcy University of Illinois Concurrent Session ERM 2 CAS Spring Meeting May 2006

2. Current Situation ERM TheoryERM Practice

3. ERM Theory ERM considers all risks an organization can or does face holistically Organizations have a well defined risk appetite All participants have a common language for, and understanding of, risk Risk is fully quantified Risk management is applied consistently within the organization ERM adds value to the organization

4. ERM Theory – Risk Aggregation Aggregate Risk Management Hazard Risk - Hurricanes - Lawsuits - Injuries Financial Risk - Credit Risk - Market Risk - Interest Rates Operational Risk - Internal Fraud - Recalls Strategic Risk - Regulation - Reputation - Competition

5. ERM Theory – Risk Appetite Limits for adverse event –Severity –Frequency Same values used for all risks Examples –99.97% chance of remaining solvent –95% chance of retaining AA rating or higher –0.1% chance of losses exceeding $1 billion –Need 25% return (or $250 million) to increase 0.1% loss probability from $1 billion to $1.1 billion

6. ERM Theory – Common Language

7. ERM Theory – Quantification Firm has a set aggregate risk tolerance Entire distribution of outcomes is known Correlations between risk factors specified –Constant –Tail Need for a CAPM approach to risk –250 risk factors → 31,125 correlations –Covariance with market risk → 250 correlations

8. Effect of Correlation

9. ERM Theory – Consistent Application Concentration of homeowners policies accepted up to point the overall risk to firm reaches risk tolerance level Reinsurance retention selected based on risk tolerance level Investment portfolio asset allocation determined based on risk tolerance level Chance of IT system failure in line with risk tolerance level

10. ERM Theory – Value Added Policyholders pay risk premium on auto insurance Aggregate loss variation of auto insurer –Directly related to loss frequency Oil prices impact driving patterns –Inversely related to auto loss frequency Auto insurer can reduce aggregate risk by assuming oil price risk Insurer will be paid to accept oil price risk Combining risk adds value to insurer

11. ERM Practice ERM coordinates hazard and financial risk Organizations can verbalize risk appetite (remote chance of insolvency) but not quantify it Participants have different languages for risk, but might understand some of the other participants’ terminology Only hazard and financial risk is quantified ERM is used primarily to monitor risk exposure

12. ERM Practice – Coordination Asset-Liability Management (ALM) –Duration matching Combining hazard and financial risk –WC and foreign exchange risk –Longevity risk and interest rate risk

13. ERM Practice – Risk Appetite Common level of risk of insolvency: 0.03% –Based on old study of AA bond defaults –One year happened to be this level –Does not reflect chance of downgrade, then defaulting

14. ERM Practice – Risk Languages “amministrazione di rischio ” “ リスク管理 ” “ 위험 관리 ” “διαχείριση Κινδύνου” “управления при допущении риска” “gerencia de riesgo ” “ 风险管理 ” “Risikomanagement” “ gestion des risques” “risk management”

15. ERM Practice – Risk Languages Hazard risk language has developed over last four centuries –Frequency, severity, retentions –Probable Maximum Loss (PML) –Maximum Possible Loss (MPL) Financial risk language developed over last four decades –Duration and convexity –Derivatives – forwards, futures, options, swaps –Value-at-Risk (VaR), Tail VaR New ERM language being created now

16. ERM Practice – Quantification Hazard risk can be quantified well –Loss distributions – empirical and theoretical –Cat risk modeling Financial risk is also quantified –VaR – historical or analytical –Term structure models –Option pricing models –Delta hedging –Volatility smiles Operational risk measurement minimal –“Still in its infancy” or “Pre-infancy stage”

17. ERM Practice – Risk Monitoring Sarbanes-Oxley Act of 2002 COSO – checklist of risks Basil II – risk treatment Rating agencies –Organizational structure –Use of models

18. What’s Needed for ERM to Grow Quantify Operational Risk Integrate Risk Effectively Develop Reliable Risk Metrics Communicate Risk to Decision Makers Weed out Ineffective Risk Managers –Positive impact of disasters –Survival of the fittest