Enterprise Risk Management Framework

Making Sense of ERM Framework: An Integrated Guide
Syed Danish Ali
This report serves as a broader ERM framework structure, which would allow any company (especially an insurance company) to set in place an ERM implementation approach. The ERM framework encapsulates, in a single structured document, the company-wide risk management principles and processes.
Enterprise Risk Management Framework
Contents
1. Background and Objective ... 3
2. ERM Framework ... 5
3. Risk Identification Process ... 9
4. Risk Measurement & Management Process ... 13
5. Risk Governance and Reporting Process ... 26
6. ERM Framework – Revisited ... 30
Page 2
1. BACKGROUND AND OBJECTIVE
1.1.1 This report serves as a broader ERM framework structure, which would allow any company to set in place an ERM implementation approach. The ERM framework encapsulates, in a single structured document, the company-wide risk management principles and processes. This report would serve the following objectives in relation to ERM:
• Development of an integrated enterprise-wide risk management framework and policy document for implementation and adherence, in order to instill and encourage risk-oriented decision-making within the organization.
• Promoting a risk identification structure by monitoring risk areas with the aid of a risk register and risk matrix. This would assist in performing risk assessment and would act as a central repository for all risks the company is exposed to.
• Setting risk tolerance limits and the overall risk appetite for the company based on inputs from capital models. This allows the company to measure the appropriate risks, to monitor them and to set in place control measures and actions.
• Creating an appropriate risk monitoring structure to ensure risk exposures are within controllable limits. Where these limits are exceeded, appropriate measures and actions can be taken.
• Periodically reporting the risk exposures to the appropriate risk authorities to ensure that management and the company are well aware of the risks their business is exposed to, and that appropriate decisions are being taken to mitigate them.
1.1.2 In future, enterprise risk management would become a part of regulatory requirements to assess the company's financial strength and stability, either in the form of Solvency II or an economic capital approach. This framework forms the basic groundwork for regulatory endeavours as well. However, this framework may not ideally serve the purpose of regulatory requirements in the future.
1.2 Limitations and Restrictions
1.2.1 This framework provides a broad-level concept of the implementation of enterprise risk management principles and global best practices.
1.2.2 This framework supplements the company's existing enterprise risk management charter, policy and procedures in effect. The framework provides an enterprise risk management structure to adopt with the help of existing ERM documents and the internal capital model.
1.2.3 The ERM Framework has not been developed for regulatory reporting or submission.
1.2.4 The ERM Framework can only be implemented by a company interested in doing so. It cannot be forcefully implemented by third-party external advisors or consultants, as the risk-oriented thinking process has to come from within the individuals undertaking decisions and actions.
2. ERM FRAMEWORK
2.1 Framework
2.1.1 This framework provides a comprehensive approach for the company to adopt in order to identify and manage risks which could be prevented, so as to effectively achieve its business goals and strategies.
2.1.2 This framework has been developed to:
• allow the company to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce its risk profile, thereby maintaining a safer environment for its stakeholders;
• ensure appropriate strategies are in place to mitigate risks and maximize opportunities;
• embed the risk management process and ensure it is an integral part of the company's planning process at a strategic and operational level;
• help create a risk awareness culture from a strategic, operational, individual and fraud perspective; and
• give credibility to the process and engage management's attention to the treatment, monitoring, reporting and review of identified risks, as well as considering new and emerging risks on a continuous basis.
2.2 Enterprise Risk Management Cycle
2.2.1 In a nutshell, the following control cycle best describes the ERM framework:
Figure 2-1 Enterprise Risk Management Cycle (diagram: a cycle of four phases, Risk Identification, Risk Measurement, Risk Management and Risk Reporting, with the following elements placed around it)
• Assign Responsibilities
• Development of Risk Register
• Emerging Risk Analysis
• Each segment directly responsible for Risk
• ERM Committee
• Development of Solid Risk Culture
• Training
• Assess Qualitative and Quantitative Impact
• Evaluate Macro-Risk
• Increase Data Capturing Capacity
• Underwriting and Claim Approval Limits
• Policies and Procedures
• Incorporate results from Capital Model
• Make Risk-based Decision
2.2.2 By the end of the document the company should be able to answer:
• What is the risk appetite and how is it measured?
• What is the board's and senior management's role in the ERM framework?
• How does your organization encourage good risk-based decision making?
• What is your organization's process for identifying and cataloguing key risks across your organization?
• How are emerging risks identified and evaluated?
2.3 Purpose of the ERM Framework
2.3.1 The above documents provide operational structure and guidelines to the company for the adoption of ERM principles. However, the ERM Framework discussed within this report serves as a broader-level framework for the holistic ERM implementation in the company.
2.3.2 This document would serve as the central document in defining the ERM Framework, whereas other documents will support the ERM implementation program. Implementation of the ERM framework is an iterative and continuous exercise and can only be followed and practiced by the very people managing the company and those interested in seeing the successful execution of the underlying concepts.
2.3.3 The figure below provides the building blocks necessary for successful ERM implementation; they are also discussed in detail within this framework.
Figure 2-2 Enterprise Risk Management Building Blocks
Risk Management Framework
• Define risk appetite and measurement techniques
• Defines ERM framework including Risk Charter, Risk Policy and Procedures and Risk Governance Structure
• Reporting of risks
Risk Register - Qualitative Assessment
• An Excel-based file for Identifying and Measuring Risk
• Risk controls, limits and communications
Capital Model - Quantitative Assessment
• An Excel-based internal capital model
• Risk controls, limits and communications
Other Supporting Documents
• Policies and Procedures
• Business Plan and Budgeting
2.3.4 Having incorporated this framework, any company can align its business opportunities in a controlled manner and take on further risks in achieving its mission and core business objectives. The final program would encompass the whole spectrum of risk, ranging from high-level company- and industry-wide strategic business risks to individual section operational risks (including identification of risks at all levels).
2.3.5 The company's objectives in implementing a risk management program would include the following (keeping in view that this framework shall be implemented in the medium to long term, in line with the objectives of the company; the short-term objectives and outcomes would be limited):
• Demonstrating due diligence in planning and day-to-day management and operational activities;
• Promoting proactive management with early identification and treatment of risks, rather than reacting passively;
• Improving the focus on key strategic goals, leading to:
  i. a more sound basis for strategic planning, as key elements of risk have been identified;
  ii. more effective allocation of resources to key services and areas of high risk, improving service delivery;
  iii. an improved level of responsibility and accountability;
  iv. better informed decisions about opportunities and new initiatives/projects;
  v. avoidance of taking unnecessary opportunistic risks; and
  vi. acceptance of changing patterns of risk and opportunity in an increasingly competitive environment.
2.4 Structure of the Report
2.4.1 The structure of the framework has been developed in such a way that this report can be treated as a comprehensive manual of the enterprise risk management cycle and its principles in practice.
2.4.2 The primary phases of the risk management cycle form the remaining sections of this framework; their purpose is to capture the whole ERM framework structurally and provide ease of use.
Section 3: Risk Identification
Section 4: Risk Measurement and Management
Section 5: Risk Appetite & Tolerance Limits
Section 6: Risk Reporting
Section 7: ERM Framework Cycle – Revisited
3. RISK IDENTIFICATION PROCESS
3.1 Risk Description
3.1.1 A risk description describes the risk associated with any activity which the company undertakes as part of its business. Significant activities include any major line of business, risk area and risk category identified from various sources such as the company's organizational chart, strategic business plan, capital allocations, and internal and external financial reports.
3.1.2 Sound judgment is applied in determining the significance or materiality of any activity in which the company engages. So as not to exclude critical risks, it is important to undertake a systematic and comprehensive identification of all risks, including those not directly under the control of the company.
3.2 Risk Identification
3.2.1 The reasons for the risk assessment being carried out need to be established. In particular:
• define the scope and objectives of the assessment
• comply with new legislation, project evaluation, etc.
• specify the nature of the decisions that have to be made
• define the extent of the project, activity or function in terms of time and location
• identify resources and planning requirements
• identify the roles and responsibilities of the various parts of the organization participating in the risk management process
3.2.2 Defining and measuring risks within each area is an on-going task. Identifying new risks in areas and summarizing these into a quantifiable measure of the risks inherent in that area is a self-discovery process and cannot be imposed externally. Therefore, this document needs to be viewed as a starting point for a dynamic process that will evolve as the company grows, matures, enters into new areas and adopts new business methods.
3.2.3 Approaches used to identify risks include the following:
• use risks already identified in the risk registers, strategic plans, operational plans, and other key documents
• checklists, surveys, questionnaires
• team-based brainstorming, structured interviews, focus groups, personal experiences
• facilitated workshops
• experience, local and overseas knowledge
• records, databases
• past organizational experiences
• internal and external audits and reports
3.2.4 The company should identify each risk in the organization and prioritize the top risks for management, viz., by inherent risk, perceived effectiveness of existing risk mitigation measures and thereby the residual risk.
3.2.5 Ideally residual risk should always be very low, and this will be the long-term objective of the company. However, this might not be practical to achieve immediately in all areas, and therefore the company may need to tolerate higher levels of risk in some areas until it is able to improve controls and lower the level of residual risk. In certain areas, however, the company would not be willing to tolerate this higher level.
3.2.6 It is very important that the company identifies its risks on an on-going basis – a practice that needs to be implemented within the company. A legal risk which appears to be small during identification might turn out to be disastrous. The company should make its own internal assessment of risk in this regard.
3.2.7 It is important to reiterate that this exercise would need time to be adopted at the grass-roots level of the company, and considerations should be made in this regard.
3.3 Risk Register
3.3.1 The risk register is a compilation of all the risks the company is exposed to, from day-to-day operational activities to the company's business strategy and objectives. Risk identification will be carried out on the horizontal and vertical structures of the company in order to fully capture existing and potential risks into the risk universe.
3.3.2 The company has a risk register in place which categorises more than 400 potential risks into broader risk categories. The risk register serves as a dashboard of all known and unknown risks the company is exposed to. The risk register is monitored proactively to consider current risks, and potential risks are considered and incorporated for monitoring within the register.
3.3.3 The company's risk management register shall be maintained at two levels: company-wide strategic risks and individual/department-wise operational risks. Each department will be responsible for identifying its risk exposures and reporting them to the company-wide risk register maintained and operated by the relevant risk authority. The company-wide risk register encourages integration of risk exposures from one area to others, allowing the company to see how each exposure affects other areas of the business and the company as a whole.
3.3.4 The risk registers shall be maintained as Excel workbooks. However, it would be more suitable to develop, in time, a database and an online system accessible to all appropriate officers.
3.3.5 The purpose of completing a risk identification exercise is to identify, discuss and document the risks facing the company. The risk register serves three main purposes:
• It is an information source to report the key risks throughout the company, as well as to stakeholders.
• Management can use the risk register to focus their priorities.
• It helps the auditors to focus on the company's top risks.
3.3.6 The following risk registers can be maintained:
• Non motor underwriting
• Life and medical underwriting
• Motor underwriting
• Re-takaful
• Non motor claims
• Life and medical claims
• Motor claims
• Finance
• Investments
• Human resources
• Administration
• Information technology
• Legal
• Shariah
• Business development
• Broker relations
• Marketing
• Public relations
• Company secretary
3.3.7 With the functional risk registers above, the insurance company can monitor the top 20 risks for active review and management.
3.3.8 Risk management registers shall be reviewed and updated by risk managers and the risk management committee on a regular basis throughout the year. In particular, the process will aid performance reviews and the planning procedure.
3.4 Identified Risks Documentation
3.4.1 Key information from the risk registers needs to be incorporated into the policy manual to ensure that it becomes part of the decision-making process for the concerned department. This again is the responsibility of the company and the respective departments.
3.4.2 Documentation of the risk management process should be carried out at each stage for the following reasons:
• It gives integrity to the process and is an important part of good corporate governance;
• It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;
• It provides a record of decisions made which can be used and reviewed in the future;
• It provides a record of risks which can continuously be developed.
4. RISK MEASUREMENT & MANAGEMENT PROCESS
4.1 Risk Analysis and Evaluation
4.1.1 Risk analysis helps in making informed decisions with respect to which risk response to adopt and what method to use. Companies consider risks based on the combination of the consequence of occurrence (severity) and the likelihood of occurrence (frequency). Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established.
4.1.2 There are many tools and techniques available for analysing risks, and the following sources of information may be referred to:
• Past records;
• Practice and relevant experience;
• Market research;
• Experiments and prototypes;
• Economic and system models;
• Specialist and expert judgment;
• Focus groups;
• Structured interviews, questionnaires.
4.1.3 We would recommend evaluating risks at two levels:
• inherent risk rating, i.e. before management controls have been considered, and
• residual risk rating, i.e. the gross risk rating combined with an assessment of management controls.
4.1.4 Management should assess risks on the basis of the likelihood of the risk occurring and the impact of its occurrence, as follows:
Risk = Likelihood x Impact
4.1.5 Likelihood represents the possibility that an event will occur; impact represents its effect on the company. In the process of risk assessment, the company should consider its "risk appetite," broadly defined as the amount of risk that an entity is willing to accept in pursuing its objectives. The higher the risk, the higher the priority of addressing it, in order to keep within the risk appetite of the company.
4.1.6 While conducting a risk assessment is typically considered a "one-time activity," in the context of enterprise risk management it is actually continuous and on-going; it is part of the daily responsibility of managers and employees throughout the company.
4.2 Qualitative Risk Measurement and Management
Inherent Risk Rating Before Management Control
4.2.1 Inherent risk is intrinsic to every business activity and arises from exposure to and uncertainty about potential events. Inherent risks are evaluated by considering the probability of occurrence and the potential size of an adverse impact on the company's capital and earnings. Inherent risk involves considering the likelihood and impact of the risk in the absence of any management control interventions.
4.2.2 This level of assessment provides a perspective of the consequences of the risk to the company in the absence of controls to prevent an event from happening. Inherent risk is categorized as:
• Very high: Unacceptable level of risk. Take urgent action to further mitigate the risk to an acceptable level.
• High: Identify and evaluate additional steps to mitigate the risk to an acceptable level.
• Moderate: Consider actions that may improve the tradeoff between risk (with its associated reward) and cost.
• Low: Keep risk and control under review.
• Very low: No action required.
Likelihood
4.2.3 The probability or likelihood of an event is categorized as:
• Highly probable: The risk is already occurring, or is likely to occur more than once within the specific duration, subject to management decisions.
• Likely: The risk could easily occur, and is likely to occur at least once within the specific duration, subject to management decisions.
• Possible: There is an above-average chance that the risk will occur at least once within the specific duration, subject to management decisions.
• Unlikely: The risk occurs infrequently and is unlikely to occur.
• Rare: The risk is conceivable but is only likely to occur in extreme circumstances.
Impact
4.2.4 The impact of each likelihood event is categorized as:
• Critical: Negative outcomes or missed opportunities that are of critical importance to the achievement of objectives.
• Major: Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives.
• Material: Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives.
• Minor: Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives.
• Insignificant: Negative outcomes or missed opportunities that are likely to have a relatively negligible impact on the ability to meet objectives.
4.2.5 Inherent risks can be found from the probability and severity of the risk using the table below:
Figure 4-1 Inherent Risk Levels Exposure Chart (rows: probability; columns: impact; cells: inherent risk exposure)
Probability      | Insignificant | Minor    | Material | Major     | Critical
Highly Probable  | Medium        | High     | High     | Very High | Very High
Likely           | Low           | Medium   | High     | High      | High
Possible         | Low           | Low      | Medium   | Medium    | Medium
Unlikely         | Very Low      | Low      | Low      | Low       | Low
Rare             | Very Low      | Very Low | Very Low | Very Low  | Very Low
Perceived Control Effectiveness
4.2.6 After identifying the impact and likelihood of each risk, it is the ERMC's responsibility to check whether controlling that particular risk is possible for the company. This will be done by identifying the personnel/officers/staff involved in the activity/operation related to that risk area.
4.2.7 After applying the current controls of management, effectiveness will be assessed as:
• Very Good: Risk exposure is effectively controlled and managed.
• Good: The majority of the risk exposure is effectively controlled and managed.
• Satisfactory: The controls are at a satisfactory level; there is some room for improvement.
• Weak: Some of the risk exposure appears to be controlled, but there are major deficiencies.
• Unsatisfactory: Control measures are ineffective and need urgent attention.
Residual Risk Rating after Management Control
Residual Risk Exposure & Risk Rating
4.2.8 Residual risk is the level of risk remaining after the mitigating influences of the existing control interventions are considered. Normally, management would introduce sufficient controls to reduce the risk to within a pre-determined level, as per the risk appetite of the Company. The residual risk is a critical indicator of whether the existing controls are effective in reducing the risk to an acceptable level.
4.2.9 Residual risk is categorized as:
• Very High: Unacceptable level of residual risk – implies that the controls are either fundamentally inadequate (poor design) or ineffective (poor implementation). Controls require substantial redesigning, or there needs to be greater emphasis on proper implementation.
• High: Slightly better than Very High.
• Medium: Unacceptable level of residual risk – implies that the controls are either inadequate (poor design) or ineffective (poor implementation). Controls require some redesigning, or there needs to be more emphasis on proper implementation.
• Low: Mostly acceptable level of residual risk – requires minimal control improvements.
• Very Low: Slightly better than Low.
The table below shows how the Residual Risk Rating of the company can be calculated from the inherent risk of the business and its perceived control effectiveness:
Figure 4-2 Residual Risks Exposure Levels (as laid out on the page: rows: probability; columns: impact; cells: residual risk exposure)
Probability      | Insignificant | Minor    | Material | Major     | Critical
Highly Probable  | Medium        | High     | High     | Very High | Very High
Likely           | Low           | Medium   | High     | High      | High
Possible         | Low           | Low      | Medium   | Medium    | Medium
Unlikely         | Very Low      | Low      | Low      | Low       | Low
Rare             | Very Low      | Very Low | Very Low | Very Low  | Very Low
Varying Risk Directions
4.2.10 It is important to determine the change in the probability of the risk over time. We have to ascertain whether the likelihood of the risk is changing until the next risk assessment. The risk direction can be characterized as follows:
• Increasing (↑): The risk will increase at the next assessment period. Management actions should be stronger for a risk that is increasing over time.
• Constant: The risk will remain constant until the next assessment period.
• Decreasing (↓): The risk will decrease at the next assessment period.
4.3 Treatment and Management of Risks
Determination of Risk Tolerance Level
4.3.1 Companies can determine risk tolerance based on three common values, solvency, ratings, and earnings volatility, in measuring the risk level. The risk tolerance level depends primarily upon the stakeholders, which include its shareholders, regulators, customers, distributors, management, employees, and/or the business community. Investor concerns could be stated in terms of earnings or stock price, while regulator concerns could be stated in terms of regulatory minimum capital requirements.
4.3.2 There is no one-size-fits-all preference that should drive the company's risk tolerances at all times. What is crucial is that the company should know how it will interpret its priorities among its constituencies in a dynamic framework.
4.3.3 For quantitative risk modules, the company has set in place internal capital models which assist in determining the risk exposures and in setting quantitative risk tolerance limits. The risk appetite can then be represented by a number which can subsequently be used to develop a risk tolerance limit for that situation, most often one that is at an extremely unlikely level such as 99.5% or 99.9%.
4.3.4 For the company, risk preferences can articulate its attitude toward various aspects of risk. We understand that the company has clear preferences towards an efficient risk management process and that management would not be wasting time considering risks that it would never agree to accept.
4.3.5 Aspects of risk that can be addressed through risk preferences include:
• Uncertainty: the degree to which loss distribution aspects such as volatility and ruin are thought to be known.
• Complexity (also called model risk): many insurance contracts and transactions have extremely complex structures that could pay off in varying amounts under a wide range of possible situations.
• Location: the company's concern for micro concentrations of its risks as well as macro concentrations of any type of risk, e.g. in one legal jurisdiction.
• Experience: the degree of experience of the company and the expertise of management to deal with the risk is a key aspect.
• Type: the company will have low or zero tolerance for some risk types or, more commonly, for specific subcategories of risk types.
• Tradability: a risk's tradability can be a major determinant of risk tolerance. For long-term contracts, tradability is a proxy for the ability to exit a position.
• Time frame: the time frame needs to be considered, as transactions can be short, medium or long term and each category has particular characteristics which have to be satisfied for optimum risk management.
• Consistency: some risks will stay in a reliable frequency/severity pattern for a long time. Others will change characteristics periodically. Risks can be mistakenly evaluated while patterns transition from one type of frequency/severity to another.
4.3.6 Qualitative risk limits can be set via delegation of responsibilities, setting limits on acceptable exposures on inherent and residual risks, and the creation of policy manuals and a documented structure within the company.
Management Controls & Actions to Improve
4.3.7 Event identification and assessment involves a cross-section of management. Key steps to achieving event identification and assessment objectives include examining each business objective with the relevant managers to determine interdependencies and interrelationships. Management needs to understand how events interrelate, because they do not occur in isolation. By assessing interrelationships, a determination can be made of where risk management efforts are best directed, and actions can be taken to improve the position within the appropriate time.
4.3.8 Simply put, event identification is a process of systematically recognizing potential events that affect the achievement of business objectives. An event is an incident or occurrence resulting from internal or external sources that affects the implementation of a strategy or the achievement of objectives.
4.3.9 When identifying and assessing risks, it is also important to bear in mind that "risk" also has an opportunity component. This means there must also be deliberate effort expended in identifying potential opportunities that could be exploited to improve institutional performance. It is management's role to assess and develop controls that may reduce the likelihood of occurrence of a potential risk, the impact of such a risk, or both, within the required and appropriate time. Management then needs to assess the control effectiveness based on their understanding of the control environment currently in place. The Risk Register will therefore inform management of the actual level of control effectiveness.
Set Risk Priorities
4.3.10 The company’s management will identify and categorize the risk of each risk groupings and risk
areas outlined above. There are two levels of risk assessment, namely:

Company-wide Strategic Risks: These will be monitored and reported to the RMC and
Audit Committee on biyearly basis by the assigned Accountable and Responsible officers.

Management and Operational Risks: These will be closely monitored and reported to the
Senior Management twice per year and progress against action plans will be signed off by
the Accountable Officer.
Treat and Manage the Risks
4.3.11 It is important that where risks have been assessed as extreme or high, that action plan is put
into place to manage and mitigate the risks. It is unlikely that risks will ever be entirely
eliminated, but by demonstrating that actions are being implemented, the risks may be reduced
to a more acceptable level.
4.3.12 There are a number of options available for treating risks. These should be considered on the
basis of a cost/benefit analysis:

Avoid the Risk: This can be done by deciding not to start or continue with a particular
activity that gives rise to the risk. However, the business objectives must always be kept in
mind and inappropriate risk aversion may increase other risk areas.

Reduce the Likelihood and Impact: This may be achieved by introducing more preventive
and corrective measures by having policies and procedures.

Accept the Risk: Where risks are identified as unavoidable or no suitable treatment plans
are available, company should accept the risk.

Transfer the Risk: This involves other parties bearing or sharing the risk either partially or
in full. This may be through reinsurance arrangements, contracts, partnerships and/or
joint ventures.
4.3.13 Selecting the most appropriate risk treatment option should be made by considering the following issues:
 The cost of managing risks must be balanced against the benefits obtained;
 The extent of risk reduction gained;
 The extent to which there is an ethical or legal duty to implement a risk treatment option, which may override any cost/benefit analysis;
 How sensitive the risk is to the company's image and reputation and its perception by stakeholders and external parties. This may warrant implementing costly actions.
Prepare and implement treatment plans
4.3.14 The risk management treatment plan includes the following:
 Risk identified;
 Proposed actions;
 Cost/benefit analysis (where appropriate);
 Cross-reference to the operational plan;
 Accountable and Responsible Officers;
 Timescales.
4.3.15 For the treatment plans to be successfully implemented, there is a requirement for an on-going
review and reporting of the progress against the actions stated.
4.4 Qualitative Risk Tolerance and Controls
4.4.1 The company uses the qualitative risk indicators described above, sets tolerance limits for the inherent and residual risks it is exposed to, and focuses on the top 20 high risks in order to control them as part of active risk monitoring and management.
4.4.2 Each risk identified and listed in the risk registers has been classified against three measures: inherent risk, the perceived effectiveness of existing risk mitigation measures, and the resulting residual risk. This section defines the residual risk classification that the company is willing to tolerate, since inherent risks are assumed to be managed efficiently and effectively. Inherent risk management has already been discussed above.
4.4.3 Residual risk is based on a matrix which maps inherent risk against control effectiveness. This is set out in the Risk Management Framework document but is reproduced below for ease of reference.
Table 4-1 Residual Risk Exposures (residual risk exposure by inherent risk probability and perceived control effectiveness)

Inherent Risk     | Perceived Control Effectiveness
(Probability)     | Very Good | Good      | Satisfactory | Weak      | Unsatisfactory
------------------+-----------+-----------+--------------+-----------+---------------
Very High         | Medium    | High      | High         | Very High | Very High
High              | Low       | Medium    | High         | High      | High
Moderate          | Low       | Low       | Medium       | Medium    | Medium
Low               | Very Low  | Low       | Low          | Low       | Low
Very Low          | Very Low  | Very Low  | Very Low     | Very Low  | Very Low
4.4.4 Ideally residual risk should always be very low, and this will be the long-term objective of the company. Management recognizes, however, that this is not practical to achieve immediately in all areas, and therefore the company may need to tolerate higher levels of risk in some areas until it is able to improve controls and lower the level of residual risk. In certain areas, however, the company would not be willing to tolerate this higher level.
4.4.5 The table below sets out a sample, for each risk area (defined as a group of functions for which a Risk Register was prepared), of the overall objective of the function and the default tolerance level for its residual risk:
Table 4-2 Qualitative Risk Evaluation - Hypothetical Example
(Columns: Area and its functions; Objective of Risk Management System; Level of Residual Risk tolerated)

Area: Planning/Pricing ( Planning;  Product Design and Pricing)
Objective: To ensure that the company's plans are realistic and that products are designed and priced from a competitive position in line with the company's plans.
Level of Residual Risk: Low

Area: Brand Image/Awareness ( Marketing)
Objective: To ensure that the company's brand image as a takaful operator (as opposed to an Islamic Bank) is projected and that the market is aware that the company offers Shariah compliant takaful products.
Level of Residual Risk: Low

Area: Sales ( Retail Sales;  Corporate Sales)
Objective: To ensure that actual sales for each line of business meet targets and are made on terms within the company's underwriting and pricing policies.
Level of Residual Risk: Low

Area: Underwriting, Operations and Claims ( Non-Life Underwriting;  Motor Claims;  Health Insurance;  Life Insurance)
Objective: To ensure that risks are only accepted in line with the company's underwriting policy and risk acceptance guidelines; that adequate risk mitigation, especially with respect to reinsurance arrangements with reputable and financially sound reinsurers, is in place; and that claims are paid only when due.
Level of Residual Risk: (not given in the source table)

Area: Financial Position ( Balance Sheet;  Investment;  Financial Accounts)
Objective: To ensure that the financial position of the company as set out in its financial statements (balance sheet) reflects assets at values at which these can be realized and makes adequate provision for liabilities, especially liabilities under takaful contracts.
Level of Residual Risk: Very Low

Area: Compliance/Regulatory
Objective: To ensure that the company is fully compliant with regulatory provisions prevalent in the United Arab Emirates relating to takaful operations in particular and corporations in general.
Level of Residual Risk: Very Low

Area: (unlabelled in the source table)
Objective: To ensure a high level of customer service so as to build the company's reputation as an efficient and fair takaful operator.
Level of Residual Risk: Low

Area: Reputation
Objective: To ensure that the company's position as a fully Shariah compliant financial institution and as a fair and equitable takaful operator is maintained at all times.
Level of Residual Risk: Very Low

Area: Corporate Governance ( Internal Audit)
Objective: To ensure that the powers and responsibilities of various levels of management (from the Board of Directors downwards) are clearly defined and that management policies are implemented in letter and spirit.
Level of Residual Risk: Very Low

Area: Financial/HR Management ( Fixed Asset Management;  Cash Mgmt;  Procurement to Pay Cycle;  Human Resource Mgmt)
Objective: To ensure that the company's financial management with respect to fixed assets, cash and purchases and payables is carried out efficiently and correctly; and to ensure that the company's management of HR functions is carried out diligently and efficiently so as to foster a sense of security and trust amongst its employees.
Level of Residual Risk: Low

Area: Country of Business
Objective: To ensure that the company only carries out business in countries after it is fully able to professionally underwrite risks in that country and only in full compliance with the country's regulations.
Level of Residual Risk: Very Low

Area: Outsourcing
Objective: To ensure that functions are only outsourced to reputable and capable organizations and that standards maintained are comparable to those maintained internally within the company.
Level of Residual Risk: Low

Area: Information Technology
Objective: To ensure that IT general controls ensure full security, minimum downtime and a high level of compliance with the functional needs of user departments.
Level of Residual Risk: Low

4.4.6 Once the risks have been quantified, aggregate risk limits should be set by management and allocated to different lines of business and risk categories. This is done by allocating specified risks to their respective departments.
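As an added illustration (not part of the original framework document), the following Python encodes the residual risk matrix of Table 4-1 and the default tolerance levels of Table 4-2, evaluates a constructed risk register against them, flags each risk whose residual rating exceeds the tolerance set for its area (the situation section 4.4.4 says the company would not tolerate), and ranks the register so the top-N high risks of section 4.4.1 can be selected. The register entries, their identifiers and descriptions are constructed assumptions; the matrix and the tolerance values are those of the two tables above.

```python
"""Residual-risk evaluation against qualitative tolerance limits.

Added example, not part of the original framework document. The matrix is
Table 4-1 and the tolerances are Table 4-2; the register entries below are
constructed for illustration and are not the company's data.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Table 4-1: rows = inherent risk, columns = perceived control effectiveness.
CONTROL_COLUMNS = ["Very Good", "Good", "Satisfactory", "Weak", "Unsatisfactory"]
RESIDUAL_MATRIX = {
    "Very High": ["Medium", "High", "High", "Very High", "Very High"],
    "High":      ["Low", "Medium", "High", "High", "High"],
    "Moderate":  ["Low", "Low", "Medium", "Medium", "Medium"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Low"],
    "Very Low":  ["Very Low"] * 5,
}

# Table 4-2: default tolerated residual risk per area (subset of the table).
TOLERANCE = {
    "Planning/Pricing": "Low",
    "Sales": "Low",
    "Financial Position": "Very Low",
    "Compliance/Regulatory": "Very Low",
    "Information Technology": "Low",
}


def residual_risk(inherent, control_effectiveness):
    """Matrix lookup; an unrated input raises instead of defaulting to a low rating."""
    try:
        return RESIDUAL_MATRIX[inherent][CONTROL_COLUMNS.index(control_effectiveness)]
    except (KeyError, ValueError) as exc:
        raise ValueError(f"unrated input: {inherent!r}/{control_effectiveness!r}") from exc


@dataclass
class RegisterEntry:
    risk_id: str
    area: str
    description: str
    inherent: str
    control_effectiveness: str


@dataclass
class Evaluation:
    risk_id: str
    area: str
    residual: str
    tolerance: str
    within_tolerance: bool


def evaluate_register(register):
    """Residual rating and tolerance verdict for every register entry."""
    results = []
    for entry in register:
        residual = residual_risk(entry.inherent, entry.control_effectiveness)
        tolerance = TOLERANCE[entry.area]  # an area with no tolerance set fails loudly
        results.append(Evaluation(entry.risk_id, entry.area, residual, tolerance,
                                  RANK[residual] <= RANK[tolerance]))
    return results


def breaches(evaluations):
    """Risks whose residual rating exceeds the tolerance for their area."""
    return [ev for ev in evaluations if not ev.within_tolerance]


def top_risks(evaluations, n=20):
    """Highest residual first; among equal ratings, tolerance breaches first (4.4.1)."""
    key = lambda ev: (-RANK[ev.residual], ev.within_tolerance, ev.risk_id)
    return sorted(evaluations, key=key)[:n]


# Constructed sample register (illustrative entries, not the company's register).
SAMPLE_REGISTER = [
    RegisterEntry("R-01", "Financial Position", "Investment valuations overstated", "High", "Good"),
    RegisterEntry("R-02", "Compliance/Regulatory", "Regulatory return filed late", "Moderate", "Very Good"),
    RegisterEntry("R-03", "Information Technology", "Policy administration system outage", "Very High", "Satisfactory"),
    RegisterEntry("R-04", "Sales", "Business written outside pricing policy", "High", "Very Good"),
    RegisterEntry("R-05", "Planning/Pricing", "Pricing assumptions not refreshed", "Low", "Weak"),
]

if __name__ == "__main__":
    evaluations = evaluate_register(SAMPLE_REGISTER)
    for ev in top_risks(evaluations, n=3):
        flag = "" if ev.within_tolerance else "  <-- exceeds area tolerance"
        print(f"{ev.risk_id} {ev.area:24s} residual={ev.residual:9s} tolerance={ev.tolerance}{flag}")
```

Unknown inherent or control ratings raise rather than silently defaulting, so a register row that has not been classified cannot pass as within tolerance; an area for which no tolerance has been set likewise fails loudly instead of being skipped.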
4.4.7 The company should evaluate each risk as a proportion of the undiversified total risk exposure and set a maximum exposure to each risk at the 99.5% confidence level. This would allow the company to make risk-oriented decisions.
4.4.8 As the company designates individuals to be responsible for risk-related decisions, it should limit the responsibilities delegated to each risk owner in terms of risk limits. For instance, risk owners should be permitted to manage and mitigate risks arising from their own line of business. Beyond the limit, risks should be communicated to senior management and the recommended steps taken. Where risks are substantial, such as market risk in the current case, the board should be apprised of the risk, and rectifying measures should be put in place to manage it.
4.4.9 To introduce risk-oriented decision making into the company's culture, decision makers should weigh their prospective decisions in light of changing risk exposures.
4.4.10 The greater the risk exposure, the greater the sensitivity of risk capital to it. The responsible risk champion and risk owners must understand the impact of changing risk exposures, as in the case above.
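The following Python is an added example, not part of the original document, of the quantitative limit-setting that sections 4.4.6 to 4.4.10 describe. It assumes each risk category's annual loss is lognormally distributed with constructed parameters, computes each category's 99.5% value at risk in closed form, expresses it as a share of the undiversified total (the plain sum of the category VaRs, with no diversification credit), checks a concentration cap, assigns each exposure to the escalation tier of section 4.4.8 (risk owner, senior management or board) against a delegated limit, and re-runs the assessment when one category's volatility changes. The category names, loss parameters, delegated limits, the 35% cap and the 1.2x board threshold are all assumptions, not the company's figures.

```python
"""Quantitative risk limits at the 99.5% confidence level with delegated escalation.

Added example, not part of the original framework document. Every number
below (loss parameters, delegated limits, the concentration cap and the
board threshold) is a constructed assumption, not the company's data.
"""
import math
from statistics import NormalDist

CONFIDENCE = 0.995
Z = NormalDist().inv_cdf(CONFIDENCE)  # one-sided standard normal quantile, about 2.576

# Constructed loss models: category -> (mu, sigma) of ln(annual loss); amounts in thousands.
LOSS_MODELS = {
    "market":       (math.log(4000), 0.60),
    "underwriting": (math.log(6000), 0.35),
    "credit":       (math.log(1500), 0.50),
    "operational":  (math.log(800),  0.80),
}

# Constructed delegated limits per risk owner (4.4.8), same units as the losses.
DELEGATED_LIMITS = {"market": 15000, "underwriting": 15000, "credit": 6000, "operational": 6000}
MAX_SHARE = 0.35     # assumption: no category may exceed 35% of undiversified exposure (4.4.7)
BOARD_FACTOR = 1.2   # assumption: a breach beyond 120% of the delegated limit goes to the board


def var_995(mu, sigma, confidence=CONFIDENCE):
    """Value at risk of a lognormal loss: the closed-form quantile exp(mu + sigma * z_q)."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(confidence))


def risk_exposures(models=LOSS_MODELS):
    """Per-category 99.5% VaR and its share of the undiversified total (4.4.7).

    The undiversified total is the plain sum of category VaRs, so no
    diversification benefit between categories is assumed.
    """
    vars_ = {cat: var_995(mu, sigma) for cat, (mu, sigma) in models.items()}
    total = sum(vars_.values())
    return {cat: (v, v / total) for cat, v in vars_.items()}


def concentration_breaches(exposures, max_share=MAX_SHARE):
    """Categories whose share of undiversified exposure exceeds the cap."""
    return [cat for cat, (_, share) in exposures.items() if share > max_share]


def escalation_tier(exposure, delegated_limit, board_factor=BOARD_FACTOR):
    """Who must act on this exposure (4.4.8): the risk owner within the delegated
    limit, senior management above it, the board when the breach is material."""
    if exposure <= delegated_limit:
        return "risk owner"
    if exposure <= delegated_limit * board_factor:
        return "senior management"
    return "board"


def escalation_tiers(exposures, limits=DELEGATED_LIMITS):
    """Escalation tier for every category in the exposure table."""
    return {cat: escalation_tier(var, limits[cat]) for cat, (var, _) in exposures.items()}


def reassess_after_change(category, new_sigma, models=LOSS_MODELS):
    """Re-run exposures and escalation when one category's volatility changes
    (4.4.9 and 4.4.10), leaving the base models untouched."""
    changed = dict(models)
    mu, _ = changed[category]
    changed[category] = (mu, new_sigma)
    exposures = risk_exposures(changed)
    return exposures, escalation_tiers(exposures)


if __name__ == "__main__":
    exposures = risk_exposures()
    tiers = escalation_tiers(exposures)
    for cat, (var, share) in exposures.items():
        print(f"{cat:13s} VaR99.5={var:9.0f}  share={share:5.1%}  "
              f"limit={DELEGATED_LIMITS[cat]:6d}  -> {tiers[cat]}")
    print("concentration breaches:", concentration_breaches(exposures))
    _, tiers_after = reassess_after_change("operational", 1.0)
    print("operational after volatility rises to 1.0:", tiers_after["operational"])
```

With the constructed figures, market risk both exceeds the concentration cap and breaches its delegated limit by more than the board threshold, which is the "market risk in the current case" escalation of 4.4.8; raising the operational volatility parameter moves that category from senior management to the board, which is the sensitivity point of 4.4.10.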
4.5 Emerging Risk Management
4.5.1 The risk control process focuses on everyday risk management, including the management of identifiable risks or risks that have a certain predictability. Emerging risk management concerns risks that have not yet materialized or are not yet clearly defined; they usually appear slowly.
4.5.2 For managing emerging risks, it is very important to have some form of early warning system in place, with risks methodically identified through internal or external sources.
4.5.3 For assessing the relevance (i.e. potential losses) of emerging risks, the degree of concentration and the correlation of the risks in an insurer's portfolio are two important parameters to consider.
4.5.4 Responses to emerging risks might be part of the normal risk control process, i.e. risk mitigation or transfer, either through reinsurance (or retrocession) in the case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging.
4.5.5 Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.
4.5.6 For each risk identified in the risk register, the company should plan as if the current control process had been breached, since each existing risk is a potential source of emerging risk.
4.5.7 For existing risks, a change in the level of frequency and severity might affect the total outcome, which needs to be monitored. Frequent updates and peer review will help management in anticipating emerging risks.
4.5.8 Out-of-the-box risks are risks that are not identified in the risk register but might eventually come through. The company should hold frequent brainstorming sessions to identify these types of risks. Any material risk identified needs to go through the defined control process.
5. RISK GOVERNANCE AND REPORTING PROCESS
5.1 Risk Governance Structure
5.1.1 The following hierarchical chart depicts the risk reporting structure of a company, derived from the company's risk governance charter, risk policy and procedures.
Figure 5-1 Risk Reporting Hierarchy (top to bottom):
B.O.D
Board Audit & Risk Committee
Executive Risk Management Committee
Internal Control / Risk Management Department
Head of Functions / Risk Champions
Risk Owners
5.2 Responsibility of Board of Directors
5.2.1 The ultimate responsibility for risk management lies with the board of directors (BOD) of the company. Therefore the board will be responsible for:
 Understanding the risks associated with the company's activities;
 Approval of risks beyond the limits of Senior Management;
 Approval of the risk management policies in writing, in particular risk limits for underwriting and claim processing;
 Evaluating top risks identified and action plans to mitigate those risks.
5.2.2 The BOD will be assisted by the Board Audit and Risk Committee (BARC), which will oversee the responsibilities of the Executive Risk Management Committee (ERMC), appointed from the company's management, and will periodically apprise the BOD about developments in enterprise risk management. BARC will also ensure that committee members are qualified and have enough experience and understanding to do this on an ongoing basis.
5.3 Role of Board Audit & Risk Committee
5.3.1 We understand that the board of the company has an established Board Audit & Risk Committee. This committee should be responsible for providing independent counsel, advice and direction with regard to risk management.
5.3.2 BARC will seek input from internal auditors, external auditors and actuaries, among others, in carrying out its responsibilities. The committee should have an understanding of the risk management policy, risk management strategy and risk management implementation plan followed in the company, and of its oversight responsibilities relating to risk management. This understanding helps it to add value to the risk management process when giving recommendations on the basis of audit.
5.4 Role of Executive Risk Management Committee
5.4.1 The Executive Risk Management Committee (ERMC) will ultimately be responsible for:
 Assisting the board in defining the company's risk profile and appetite, and setting risk tolerance limits (long-term objective);
 Reviewing performance of the company and recommending revised risk management policies to the board for approval in light of new developments;
 Monitoring current functional risk indicators and following up on outstanding matters;
 Ensuring that Senior Management is effectively involved;
 Reporting to the audit committee as mandated.
5.5 Role of Risk Manager and Risk Management Department
5.5.1 The company has in place a risk manager for the development and maintenance of the overall risk management infrastructure. This risk manager is responsible for:
 Serving as secretary to the risk management committee;
 Facilitating other departments to ensure that risk management policies are reflected in the procedures and computer systems adopted and implemented;
 Being the custodian of the risk management registers; and
 Acting as a conscience for the risk owners.
5.6 Role of Risk Champions
5.6.1 Risk registers are maintained by the respective divisional heads, who can be referred to as risk champions since they face the risks themselves. They are assisted by subordinates who manage the risks at a granular level and develop continuous risk monitoring within their usual activities.
5.6.2 Risk champions will jointly be responsible for ensuring that suitable risk management policies and procedures are formulated and implemented, and that each member:
 Clearly understands the company's risk management policies and procedures;
 Ensures that activities of the company are conducted within the framework of approved policies and systems; and
 Apprises the ERMC and Risk Manager of any material breaches of risk management practices, along with recommendations for a rectification response and the most suitable preventive measures for the future.
5.6.3 Departmental heads, the risk champions, shall be responsible for:
 Identifying risks which the company faces with respect to their functional areas in achieving its core business objectives;
 Determining quantitative exposures relating to the company's ability to accept risks within the defined limits of the overall risk tolerance framework, such as underwriting permissions, investment limits, etc.;
 Devising a suitable risk response;
 Developing and reviewing risk management policies, based on all of the above.
5.7 Risk Reporting and Documentation
Risk Reporting
5.7.1 We suggest that progress on the management action plans be reported to the BARC at least quarterly and as needed. It should become an integral part of the annual performance review against objectives.
5.7.2 Under the quarterly reporting, the BOD and BARC are apprised of all the enterprise risk management activities of the ERMC, the risk management department, the Risk Manager and the Risk Champions.
5.7.3 The ERMC should submit a report to the BOD and BARC on an annual basis covering:
 The risk profile of the organization;
 The changes in that risk profile since the last year;
 The performance of the risk management framework.
5.7.4 The BOD should be apprised by the Risk Manager and ERMC of a high-level risk register containing the strategic and consolidated risks from each division. The risk report should be prepared to set out:
 What the most significant risks are and why;
 How these are controlled;
 Any particular reporting gaps and how these are proposed to be filled.
Documentation
5.7.5 Documentation of the risk management process should be carried out at each stage for the following reasons:
 It gives integrity to the process and is an important part of good corporate governance;
 It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;
 It provides a record of decisions made which can be used and reviewed in the future;
 It provides a record of risks which can be continuously developed.
6. ERM FRAMEWORK – REVISITED
6.1 Benefits of ERM
6.1.1 The sole purpose of implementing the ERM Framework within the company's operations and management is to link each and every action to the long-term strategic objectives from a risk perspective. This leads to risk-controlled management of the business and allows the company to steer towards its objectives successfully and cater for any upcoming risks.
6.1.2 Enterprise risk management enables management to operate more effectively in a business environment filled with fluctuating risks. Enterprise risk management provides enhanced capability to:
 Align risk appetite: Risk appetite is the degree of risk, at board level, that a business is willing to accept in pursuit of its objectives. Management considers the business's risk appetite first in evaluating strategic alternatives, then in setting boundaries for downside risk.
 Minimize operational surprises and losses: Businesses have enhanced capability to identify potential risk events, assess risks and establish responses, thereby reducing the occurrence of unpleasant surprises.
 Enhance risk response decisions: ERM provides the rigor to identify and select among alternative risk responses: risk removal, reduction, transfer or acceptance.
 Resources: A clear understanding of the risks facing a business can enhance the effective direction and use of management time and the business's resources to manage risk.
 Identify and manage cross-enterprise risks: Every business faces a myriad of risks affecting different parts of the organization. The benefits of ERM are only optimized when an enterprise-wide approach is adopted, integrating the disparate approaches to risk management within the company. Integration has to be effected in three ways: centralized risk reporting, the integration of risk transfer strategies and the integration of risk management into the processes of the business. Rather than being purely a defensive mechanism, it can be used as a tool to maximize opportunities.
 Link growth, risk and return: Businesses accept risk as part of wealth creation and preservation, and they expect a return commensurate with risk. ERM provides an enhanced ability to identify and assess risk and establish acceptable levels of risk relative to potential growth and achievement of objectives.
 Rationalize capital: More robust information on risk exposure allows management to more effectively assess overall capital needs and improve capital allocation.
 Seize opportunities: The very process of identifying risks can stimulate thinking and generate opportunities as well as threats. Responses need to be developed to seize these opportunities in the same way that responses are required to address identified threats to a business.
6.1.3 ERM adoption leads to improved business performance, increased organisational integration and effectiveness, and better risk reporting.
6.2 ERM Framework Summary
6.2.1 The ERM Framework is summarised in the figure below.
Figure 6-1 ERM Framework Summary
I. Corporate Governance (board oversight)
II. Internal Control (sound system of internal control)
III. Implementation (appointment of external support)
IV. Risk Management Process (incremental phases of an iterative process): Analysis - Risk Identification - Risk Assessment - Risk Evaluation - Risk Planning - Risk Management
V. Sources of Risk (internal to the business and emanating from the environment): Internal Processes - Business Operating Environment
6.2.2 This is summarised in five elements:
I. Corporate governance is required to ensure that the board of directors and management have established the appropriate organisational processes and corporate controls to measure and manage risk across the business.
II. The creation and maintenance of a sound system of internal control is required to safeguard shareholders' investment and the business's assets.
III. A specific resource must be identified to implement the internal controls, with sufficient knowledge and experience to derive the maximum benefit from the process.
IV. A clear risk management process is required which sets out the individual processes, their inputs, outputs, constraints and enablers.
V. The value of the risk management process is reduced without a clear understanding of the sources of risk and how they should be responded to. The framework breaks the sources of risk down into two key elements, labelled internal processes and the business operating environment.