Posted: 13-Jan-2017 | Category: Economy & Finance | Uploaded by: kpmg-canada
Navigating today and tomorrow’s risk landscape
25th Annual KPMG National Insurance Conference
© 2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
With you today…
Stephen Smith, Partner – +1 416 777 3194 – [email protected]
Kevvie Fowler, Partner – +1 416 777 3742 – [email protected]
Alexander Shipilov, Partner – +1 416 777 3026 – [email protected]
Colin Hilkowitz, Senior Manager – +1 416 777 8274 – [email protected]
How do insurers protect their business, manage their capital and meet regulatory expectations?
KPMG’s Opportunities and Risks Survey
Opportunity in ERM: 61% of respondents to KPMG’s Canadian Risk and Opportunity Survey noted improved management of risk and use of capital as the biggest opportunity over the next 12 months.
Risk: 50% of respondents to KPMG’s Canadian Risk and Opportunity Survey noted cyber risk as the biggest risk over the next 12 months.
Agenda
• Operational Risk Guideline (E-21) Implementation
• Deep dive on Cyber Risk
• Internal Audit (Line 3)
• Q&A
Operational Risk Guideline E-21
Regulatory Evolution of Operational Risk Framework
Banking:
• Basel Committee on Banking Supervision: Basic Indicator Approach (2003); Standardized Approach (2003); Advanced Measurement Approach (2003); Principles of Sound Management of Operational Risk (2014); Standardized Measurement Approach (proposed 2016)
• OSFI: Capital Adequacy Requirements (2007); E-19: ICAAP (2010)
Insurance:
• Solvency II
• MCT/MCSSR/LICAT (September 2016)
• E-19: ORSA (2013)
• Institute and Faculty of Actuaries: Model Risk Working Party Report (2015)
• Actuarial Standards Board: Modelling (second exposure draft 2014)
• AMF: Governance Guideline (updated September 2016)
• AMF: ORM Guideline (draft October 2016)
Banking and Insurance:
• OSFI E-21 Operational Risk Management (ORM) (June 2016)
OSFI Guideline E-21: Operational Risk Management
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk but excludes strategic and reputation risks. FRFIs are to comply by June 2017.
Principle 1: ORM is integrated within the overall risk management framework and appropriately documented.
Challenges:
• ORM is an integral part of the ERM framework
• Breadth of the risk – many sub-risks
• Scope of impacts – financial ($$) and reputational
• Consistent, complete taxonomy of risks
• Not always quantifiable
Principle 2: ORM supports the overall corporate governance structure and utilizes an operational risk appetite statement.
Challenges:
• Setting appetite and limits for subjective risks and behaviours (quantifiable and non-quantifiable)
• Zero tolerance is not realistic
• Setting up reporting/escalation thresholds
Principle 3: A robust accountability structure (e.g. 3 Lines of Defense) separates the components of ORM and provides for independent overview and challenge.
Challenges:
• Who owns the risks and controls across organizational boundaries
• Subject matter experts becoming risk managers
• Having both 1st and 2nd Line of Defense obligations
• Place of the Corporate Actuarial Function
Principle 4: FRFIs use ORM tools to identify and assess operational risk, along with collecting and reporting Op Risk information.
Challenges:
• Granularity (too detailed vs. too summarized) & thresholds
• Op Risk taxonomy; boundary risks (e.g. underwriting, investments)
• Motivation for reporting issues or losses
• How do you know you’ve covered and captured everything?
• Challenge of aggregating non-quantitative information
• Assessment of Model Risk
Operational Risk Management Framework
Risk Governance:
• ORM structure (centralized vs. decentralized)
• ORM committees
• Op. Risk guidelines & policies
• Roles & responsibilities
Risk Strategy:
• Risk appetite, risk tolerance, risk limits
Risk Management Tools:
• Risk definitions & ORCs
• Measurement & simulation methodologies
• RCSA / ORSA
• Loss data management
• Risk controls
• Org. units & business line mapping
• KRIs / dashboard
• Mitigation approaches
• Economic capital
Supporting Infrastructure:
• People
• IT systems and databases
• Risk-based performance evaluation
• Documentation
High performance in ORM:
• How much: capacity, ability, and willingness
• Who is: responsible, accountable, to be consulted, and informed
• How to: identify, measure, manage, control, and mitigate / transfer
• Can it be executable and sustainable?
Actions for First Half 2017
1. Plan: Gain an understanding and agreement regarding the scope and objectives of the proposed regulatory requirements.
2. Assessment: Perform a gap analysis and develop a roadmap to mitigate gaps around policy, process, people, data, and technology.
3. Policy design: Design an Operational Risk Management Policy and Framework, risk taxonomy, and conduct ORSA (incl. risk appetite).
4. Process: Develop operational risk measurement, management, and mitigation processes commensurate to the risk profile and regulatory requirements.
5. Risk Modelling: Develop a roadmap to move from basic to more advanced measurement approaches.
6. Reporting & Monitoring: Develop, monitor, and report KRIs and communicate effectively with senior and junior management.
7. Review: Review all components and improve them, if necessary, in the next run.
Manage change throughout. The band represents the replay of the whole ORM process (Plan – Assessment – Policy design – Process – Risk Modelling – Reporting & Monitoring – Review).
Cyber security
The vulnerability of health data
Risk #1 – A data breach
[Chart] Top data breaches December 2013 – April 30, 2016: data breaches of recognized organizations involving at least 1M records, by size and type, plotted across 2014, 2015 and 2016.
Legend (type of data):
• Financial data: payment card records, account numbers
• Personal & Health data: health & medical insurance claims, PII, SIN, usernames & passwords
• Other: pics., vids., docs., email
Breaches shown (records): US Voter Database 191M; eBay 145M; Target 110M; Home Depot 109M; Mexican Voters 93.4M; JP Morgan Chase 83M; Anthem 78.8M; Securus 70M; Philippine Voters 55M; Turkish Citizenship 50M; Ashley Madison 32M; OPM 25M; AOL 20M; Alibaba TaoBao 20M; T-Mobile/Experian 15M; “Panama Papers” Mossack Fonseca 11.5M; Premera 11M; Excellus 10M; Lifeboat Minecraft 7M; VTech 5M; Snapchat 4.6M; Adult Friend Finder 4M; Rate My Professor 4M; Hello Kitty 3.3M; Michaels 3M; CarPhoneWarehouse 2.4M; CareFirst 2.4M; Sony 11TB.
• 145 days between breach occurrence and detection (M-Trends, 2016)
• 58% of breaches were by outsiders (Breach Level Index, 2015)
• 47% of breaches involved an unknown number of compromised records (Breach Level Index, 2015)
Risk #2 – Cyber extortion-driven attacks
• Ransomware (reactive)
• Cyber extortion (proactive)
Source: http://sensorstechforum.com/remove-jigsaw-ransomware-and-restore-fun-kkk-btc-encrypted-files/
Source: Data Breach Preparation & Response, Kevvie Fowler (ISBN: 0128034513)
Risk #3 – Security researchers
• Risk of reputational and financial loss due to a negative media profile about defects within products
• Risk without defect
• Changing EULA standards
Managing cyber risk
OSFI Cyber Self Assessment Guidelines: assist federally regulated financial institutions in ensuring their cyber risk management policies and practices remain appropriate and effective.
1. Organization and Resources
2. Cyber Risk and Control Assessment
3. Situational Awareness
4. Threat and Vulnerability Risk Management
5. Cyber Security Incident Management
6. Cyber Security Governance
http://www.osfi-bsif.gc.ca/eng/wn-qn/Pages/cbrsk.aspx
Senior Management & Board Oversight:
• Establishment of a Senior Management committee
• Senior Management provides adequate funding and sufficient resources to support the implementation of a cyber security framework.
• Processes are in place to escalate breaches of limits and thresholds to Senior Management for significant or critical cyber security incidents.
• The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the Bank’s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.
http://www.osfi-bsif.gc.ca/eng/fi-if/rg-ro/gdn-ort/gl-ld/pages/cg_guideline.aspx
Stress testing: a risk management technique used to evaluate the potential effects on an institution’s financial condition in response to exceptional but plausible events. It supports:
• Risk identification and control
• Providing a complementary risk perspective to other risk management tools
• Supporting capital management
• Improving liquidity management
http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/e18.aspx
Managing cyber risk (continued)
You can establish effective cyber security by answering 3 questions:
1. Where are we?
▪ Perform a whole-business security maturity assessment
▪ Conduct an in-depth technological security assessment
2. Where do we want to be?
▪ Determine your Cyber Defensible Position
3. How do we get there?
▪ Develop a prioritized roadmap to get to your Cyber Defensible Position
▪ Ensure proper cyber security oversight
Integrated Assurance–Internal Audit’s Role In Operational Risk Management
Risk in the Boardroom – Discussion Framework
Board responsibilities with respect to Risk Management & Internal Controls include:
1) Exercising Responsibilities
2) Establishing Systems
3) Monitoring and Review
Traditional – Three lines of defense
The role of internal audit in ERM
Internal Audit – The art of possible
QUALITY ASSESSMENT: Reviews of strategic or significant projects and initiatives at the organization in order to provide assurance over the quality of the program.
REGULATORY COMPLIANCE: Compliance reviews related to product development, marketing, distribution, pricing and claim practices, and sustainability reviews.
DIGITAL MEDIA: Digital media strategy and governance assessments, social media monitoring reviews (SnapChat), third party alliances and customer sentiment analysis.
INFORMATION TECHNOLOGY: Information protection, cyber security, system implementation pre/post reviews and production system reviews.
SOX COMPLIANCE: SOX risk assessment, documentation and testing, guidance and training for new locations/acquisitions.
DATA AND ANALYTICS: Data analytics enabled Internal Audit plan to deliver better scope coverage and insights through quantitative trend analysis, leveraging data & analytics and integrating Continuous Auditing/Continuous Monitoring (CA/CM).
THIRD PARTY REVIEWS: Contract compliance reviews for significant third party relationships.
ENTERPRISE RISK MANAGEMENT: ERM coordination, planning, monitoring and working with the business to coordinate risk management efforts; proactive insights into signals of change affecting the overall risk profile.
OPERATIONS: Revenue Growth – customer acquisition, compensation and incentives, pricing, and product management. Operating Expenses – vendor/contract management, budgeting and forecasting, claims and distribution. Invested Capital – corporate strategy and management, IT management.
STRATEGIC PROJECTS/INITIATIVES: Moving beyond a focus on compliance-driven activities towards value delivery across the enterprise, enhancing assurance capabilities and providing valuable business insights.
Example outcome – Three lines of defense
Lines of defense:
• 1st Line: BUs
• 2nd Line: Divisions ERM, Compliance, SOX/ICFR, Actuarial, Information security, Legal
• 3rd Line: Internal audit
Stakeholders
Activity stages: Risk & control identification → Risk & control assessment → Quantification & measurement → Monitoring, testing & verification → Reporting
Converged activities (across lines):
• Provide integrated guidance on risk assessment, quantification, and measurement
• Review and challenge current risk assessments performed within the business
• Coordinate calendars to perform additional procedures, as needed
• Identify controls to be tested
• Test controls periodically or continuously throughout the year
• Share test results with respective risk and control groups using common risk language and a Governance, Risk & Compliance (GRC) platform
Discrete activities (by function):
• BUs (1st Line): Identify KRIs; capture risk loss data; perform scenario analyses; perform trend analyses; consider ORSA; flowchart processes; identify risks and controls; link to SOX oversight; perform risk and control self assessments (RCSA)
• Internal audit: Develop IA Plan; independent testing; provide assurance
• Compliance: Develop Compliance Program; report on compliance with regulations
• SOX/ICFR: Develop SOX / ICFR Testing Plan; report on financial reporting controls
• ERM: Develop Enterprise Risk Management Program and Risk Taxonomy; report on enterprise risk exposure
• Actuarial: Develop Actuarial Program; report on Actuarial Program
• Information security: Develop IS Program; report on status of IS program and compliance
• Legal: Develop Legal Program; report on servicer compliance
Integrated assurance – What is it?
Integrated Assurance is the alignment of governance, risk and assurance activities – linking them with company strategy and business model – to better co-ordinate efforts and reporting with the aim of improving business performance and resilience.
Integrated assurance – What it is…
— Starts with understanding strategic objectives, mission and business model
— Involves co-ordination of assurance efforts and reporting across various oversight functions (e.g., Internal Audit, Compliance, ERM)
— Encompasses people, processes and technology considerations
— Promotes better leveraging of the “Three Lines of Defense” model
— Converges risk, control and compliance data
— Requires effective change management
Integrated assurance – What it is NOT…
— Just a new reporting approach
— Just a technology solution
— An elimination of the need for existing assurance functions (e.g., Compliance, Internal Audit, ERM)
— An additional bureaucratic layer that adds additional paperwork/administrative input
— Just a conceptual framework – it must be practical
— Achievable without buy-in from all key risk, control and compliance functions
Benefits of integrated assurance
Stakeholder – Objective:
• CEO/Board – Clear reporting linking strategy, risk, performance and controls
• CFO/COO – Lower cost of business without increasing risk
• Chief Risk Officer – Enhanced oversight over cross-functional risk management activities and assurance
• Chief Compliance Officer – Integrated compliance at lower cost
• Chief Audit Executive – Reduced costs and more “value add”
Business case for integrated assurance:
• Reduced cost
• Increased stakeholder confidence
• Enhanced insights
• Improved risk management
Where we need to be
Integrated assurance: streamlined, transparent and focused management reporting, built on:
• Multi-purpose risk assessment
• Joint activity planning and sequencing
• Coordinated control testing
• Shared access to data and results
• Joint risk and control monitoring
Drivers
A number of key enterprise challenges (some examples provided below) are compelling businesses to transform their various assurance functions – acting as key drivers to move towards integrated assurance that is leaner, safer and better.
Key enterprise challenges:
• Growth pressures: Pressure to sustain growth & profitability increases risks related to product innovation, operating model transformations (i.e., shared services, use of technology, outsourcing etc.), and new markets
• Regulatory compliance: Risk that regulations and their compliance implications may not have been considered in new countries, new verticals or while developing new service offerings (innovation-related)
• Risk content: Board/Leadership is focusing on emerging risks and questioning completeness/quality of risk content
• Talent management: Increased risk of inadequate talent management due to pace of change, market conditions and organizational change
• Right sizing: Redundancy and/or overlap in risk management and assurance given lack of clarity in roles and responsibilities (convergence, single view of risk, assurance mapping)
Need for integrated assurance (Performance, Strategy, Governance):
— Enhanced regulatory compliance
— Reduction of costs
— Improved risk intelligence
— Improved linkage to strategy
— Better alignment to business
— Competitive advantage
— Greater transparency
— Alignment through GRC tools
Goal:
• Leaner – insights into the cost of assurance
• Safer – re-balance the Lines of Defence
• Better – increased quality of information and efficiency of assurance activities
Questions?
kpmg.ca
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.