The document summarizes a session from the Society of Actuaries Spring Meeting on building and maintaining effective risk dashboards. The session discussed what risk dashboards are and their purpose in providing consolidated risk reporting across an enterprise. Keys to success include integrating different risk types into a single dashboard and ensuring executive sponsorship. The session also provided a case study on how risk dashboards could have helped identify risks in the subprime mortgage crisis. Implementation challenges included issues with data availability, integration into decision-making processes, and legal implications of disclosing risk information.
1. Life 2008 Spring Meeting
June 16-18, 2008
Session 42, Building and Maintaining Effective Risk
Dashboards
Moderator
David T. (Todd) Henderson, FSA, MAAA, CERA
Authors
Karen J. DeToro, FSA, MAAA
Michel Rochette, FSA
2. Building & Maintaining Effective
Risk Dashboards
Session 42
Society of Actuaries Spring Meeting
Quebec City
Tuesday, June 17, 2008
8:30am – 10:00am
Todd Henderson
The Western & Southern Financial Group
Michel Rochette
AON Global Risk Consulting
Karen DeToro
Deloitte Consulting LLP
3. Risk Dashboards
Tool providing consolidated and timely
reporting of risk exposures across an
enterprise
– All important exposures, at a glance
– Drilled down and sliced as necessary
– Early warnings of emerging exposures
– Allowing preemptive, remedial action
Keys To Success
Algorithmics
– Integrate market risk, credit risk and asset liability
reports in a single dashboard
– Easily created and configured new reports
– Rich set of visualization elements
– Interactive and responsive
Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf
4. Keys To Success
ABN Amro/LaSalle Bank
– Comprehensive risk assessment
– Integrated view of risk, reward and strategy
– Forward-looking, actionable, risk escalation tool
– Executive sponsorship
Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf
Keys To Success
COGNOS
– Data must be trustworthy
– The business must be involved in shaping the
requirements
– Content first, then aesthetics
– Technology and architecture
Source: www.ermsymposium.org/2007/pdf/handouts/CI/CI5_combo.pdf
5. Comprehensive View of Risk
[Grid with columns Corporate, SBU, SBU, SBU and rows Credit, Market, Interest Rate, Insurance, Operational, Business]
Drill Downs & Diagnostics
[Same grid, annotated: Value At Risk = $643 Million]
7. Executive Ownership
Each measure must be owned by a senior
manager
– Ongoing monitoring
– Remedial action
Business units should be intricately involved
in developing requirements
– Special knowledge
– Buy-in
8. Risk Dashboards
Society of Actuaries Spring
Meeting
Date June 17th, 2008
What is a Risk Dashboard?
As part of ERM, Decision Makers need an integrated
view of risk across their enterprise.
Provide an approach to see correlation/links within a
risk category and between risks.
Forces the organization to adopt a structured process to
understand risk and opportunities:
– Review outstanding risk issues
– Prioritize management actions
– Be forward looking in risk management.
– Monitor compliance to existing risk policies
9. Audiences: Different Needs
Risk has to be communicated to different groups:
– Board level:
• To allow them to satisfy their fiduciary duties, making sure that
management is actually managing risk.
• To assess the level of risk in light of the company’s risk appetite.
• To provide them with a consolidated view of major threats and opportunities that
may affect the value of the company to the different stakeholders.
– Management level:
• To provide them with a consolidated view of their company’s risks, a
horizontal view instead of a silo view.
• To allow them to assess the cost/benefit of implementing controls to reduce
risk to the company’s desired risk tolerance/appetite.
– Business level:
• To allow them to assess the effectiveness of “control” of the risks under their
jurisdiction.
Case Study: Sub prime
Sub prime credits were issued in the mortgage department of the
retail bank.
Treasury department securitized sub prime credits, created SPVs
and sponsored CDOs and the like in line with the new strategic
models of banks to issue and sell not hold to maturity as before.
Asset management departments/pension plans of the same banks
invested in CDOs.
Retail banks/mutual funds, some owned by the same banks,
created new short-term “guaranteed” investment vehicles for retail
customers, investing in asset-backed securities.
Banks provided liquidity enhancements to SPVs.
Pricing/Valuation models were not stress tested.
10. How a Dashboard Would Have Helped
A Dashboard should have consolidated the credit exposure for a
single FI coming from:
– Issuance of the subprime credit
– Credit exposure of the SPV. FIs had to consolidate credit exposure back on
their balance sheet after August 08 due to reputational considerations. Ex.
Banque Nationale/Desjardins in Quebec, Citigroup in the US.
– Investment by the asset management arm/pension plan.
A Dashboard should have identified the inherent risks of the
securitization business:
– Operational risk exposure of models used should have been identified.
– Liquidity reports of the FI should have taken into consideration the liquidity
guarantees offered by banks to SPV.
– Market risk reports should have taken into consideration the market risk of
position held by the asset management arm/pension plan of FIs.
– Potential liabilities/regulatory/compliance issues should have been identified.
Applications of a Dashboard
Presents risk information consistently across the
enterprise.
Consolidate risks across the enterprise including
outsourced operations.
Allow enterprise to compare/analyze impact of
external/emerging events on firm.
Allow firm to monitor adherence to risk appetite using
appropriate risk metrics: VAR, EAR, CashFlow at Risk.
Allow firm to publish consistent information to both
internal and external audiences.
11. Dashboard: In line with Risk Concerns
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit and Insurance Risk (30)
– Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
Information on Risk
Info: Vulnerability to critical processes
Measures:
– Physical security breaches
– Loss events
– Fraud incidents
– Environmental risk
Chart:
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit, FX and Insurance Risk (30)
– Operational Risk: Crime, security, political, natural hazard, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
12. Information on Risk
Info: Assets are impaired/capital at risk
Measures:
– Default rates
– Liquidity measures
– Price risk
– ALM risk
Chart:
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit, FX and Insurance Risk (30)
– Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
Information on Risk
Info: Malfunction in systems which impede business
Measures:
– System Downtime
– Information security breaches
– Business continuity readiness
– Disaster recovery
Chart:
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit, FX and Insurance Risk (30)
– Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
13. Information on Risk
Info: Employees unavailable/unwilling to perform functions.
Measures:
– Staff Turnover
– Key personnel attrition
– Compensation competitiveness
– Accident rates
Chart:
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit, FX and Insurance Risk (30)
– Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
Information on Risk
Info: Compliance with external/internal regulations
Measures:
– Fines imposed
– # of investigations
– Status of implementation of internal policies
– New regulations discussions
Chart:
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit, FX and Insurance Risk (30)
– Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
14. Information on Risk
Info: Impact of previous risks on value of the firm including external factors.
Measures:
– Chain of events impacts
– Impact of new strategic initiatives
– Business risks: Price/volume competition
Chart:
– Reputational Risk (52)
– Regulatory Risk (40)
– Human Capital Risk (40)
– IT RISK (35)
– Financial, Market, Credit, FX and Insurance Risk (30)
– Operational Risk: Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20)
Source: Economist Intelligence Unit, 2005
Max Scale: 100
External Requirements: Consistency
Regulatory Standards:
– Basel II/Solvency II Pillar III: Info on risk exposure and governance
– SEC: information on risks in 10-K
Accounting Standards:
– IFRS: Provisions as related to risk events
– Brief description of the obligation, timing and uncertainty of outflows
and expected reimbursements;
Risk Standards:
– COSO ERM II
– Standards: ISO 31000/ANZ Australian Standards
15. Building and Maintaining Effective
Risk Dashboards
Implementation Issues
Karen DeToro
Deloitte Consulting LLP
June 17, 2008
Key Challenges in Implementation
The most common challenges in implementing effective risk dashboards
occur in the following key areas:
Data Issues
Integration into Decision Making
Legal Issues
042DeToro.ppt
16. Data Issues
Data issues can be grouped into 3 general areas:
Data Availability
– Different data is required to be aggregated in a different way than for other reporting
– Timeliness of data is critical for supporting key management decisions
Controls
– Non-financial data may not be well controlled
– The processes for gathering data (financial and non-financial) may not be well controlled
Reconciliation to Other Reports
– Variety of data sources may create challenges in reconciling data to published internal and external sources
Approaches for Addressing Data Issues
Think broadly about universe of needed data at dashboard initiation
Create centralized database to hold all key data to facilitate controls and
timely automated reporting
Build in sufficient flexibility to dashboard processes to be responsive as
key risks change over time
Implement controls similar to those used for SOX 404; leverage existing
controls over data where possible
Leverage commonalities with other data flows in organization
Develop a strong relationship with IT and business units supplying data
to better understand the data and build a reliable pipeline for data
17. Integration into Decision Making
In order to fully support decision making, the dashboard must be:
Actionable
– Data must be relevant to management
– There must be the right level and amount of information targeted to the right
audiences
Integrated into a process that drives action
– Push v. pull strategies for distributing data
Tied in to incentives
– Variable compensation must be partially based on performance against risk
objectives
Legal Implications
Companies are concerned about disclosing too much risk information
that may be subject to legal discovery
Companies’ responses to this issue fall somewhere on a spectrum:
Ideal State
– Acknowledge the risk
– Collect data
– Do the right thing
Middle Road
– Acknowledge the risk
– Collect data
– Do the “wrong” thing
Head in the Sand
– Do not acknowledge the risk
– Do not collect data
Many companies (and their general counsel) presume that the middle
road is more dangerous than burying one’s head in the sand
18. Ford Motor Company: The Middle Road Done Wrong
The situation: 1970’s Ford Pinto
The risk: Gas tanks would rupture easily in the
event of a rear-end collision
The data: The risk became apparent during the
design and crash studies of the Ford Pinto
Cost of repairing the flaw: $11 per car ($137 million cost)1
Value of the benefit: $200,000 saved per life lost ($49.5 million
benefit)2
Internal documents indicated that a cost-benefit analysis did not
support fixing the flaw
Outcome: Estimates put the impact at over 500 deaths3, and
significant financial and reputational damage to Ford
Major Conglomerate: The Middle Road Done Right
The situation: Income tax return for a major US conglomerate
The risk: The company pursued a tax accounting policy, despite some
concern that it might not be deemed acceptable by the IRS
The data: The company documented their rationale for interpreting the
tax law as they did, and quantified the impact of their interpretation
versus another interpretation commonly in use. This information was
clearly documented
Outcome: The company was taken to court by the IRS. Although the
company’s interpretation was ruled to be invalid, fines and penalties
were substantially reduced because of the company’s ability to
document its rationale
19. Taking the Middle Road – Other Lessons
Lessons can be learned from the approaches hospitals have taken in
dealing with medical errors
1999 Institute of Medicine report: medical errors cost $17B to $29B per
year and are the 8th leading cause of death in the US4
Pressure on hospitals to disclose errors so patients can make informed
choices about where to obtain care
Hospitals have mechanisms in place to disclose adverse medical
events as learning opportunities for doctors
– Weekly Mortality & Morbidity (“M&M”) conferences
– Hospital risk managers
Taking the Middle Road – Hospitals’ Responses
Hospitals have responded to pressures for full disclosure in several ways:
Traditional approach was “defend and deny” – No admission of wrongdoing
– Cases cited of risk managers and doctors denying knowledge of
medical errors to protect colleagues
Proposed legislation – IOM proposed mandatory reporting of errors to
make health care safer; simultaneously proposed legislation to extend
peer-review protections to reports of errors (currently extend to M&M)
Improve processes to reduce errors – Medical community adopting
similar checks and protocols to the airline industry
Apologize and disclose – Discussed in next case study
“With malpractice premiums soaring and a national patients’
rights movement pushing for full disclosure of medical errors,
the industry is rethinking the traditional approach known as
‘defend and deny’.”5
20. Lexington VA: The Middle Road Refined
The situation: Hospitals use weekly Mortality & Morbidity (“M&M”)
conferences and other disclosures of adverse events as learning
opportunities to teach doctors how to address complications
The risk: Admissions of mistakes may be used against doctors in
malpractice suits.
The data: Lexington VA implemented a mandatory disclosure policy,
requiring all doctors to report errors to a committee which then informed
the family and offered compensation.
Outcome: Instead, after implementation, the average cost of error-
related payouts was only $15,632, which was in the lowest quarter of
the 35 VA hospitals in the country, and Lexington VA is deemed one of
the safest VA hospitals in the country.6
“Being honest defused situations that would otherwise lead to
litigation.”7
Legal Issues - Summary
Companies can live more comfortably with the middle road by:
Acting responsibly, prudently and reasonably with the data they gather
Disclosing and apologizing when things go wrong
Utilizing lessons learned from risk events to move closer to the ideal
state by improving processes to limit future adverse events
Ideal State
– Acknowledge the risk
– Collect data
– Do the right thing
Middle Road
– Acknowledge the risk
– Collect data
– Do the “wrong” thing
Head in the Sand
– Do not acknowledge the risk
– Do not collect data