ENTERPRISE RISK MANAGEMENT – PERSPECTIVS AND SUCCESS STORIES

TODAY’S DISCUSSION 1. Perspectives on ERM and Introduction – Gunnar Pritsch, McKinsey & Company 2. ERM – PNC’s Journey – Tom Whitford, CRO PNC Bank 3. Enterprise Risk Management at The Hartford, Craig Raymond, CRO The Hartford 4. Enterprise Risk Management at AEGON, Ron Harasym, VP Risk Mgmt., AEGON 5. ERM Success Stories – Optimizing Risk and Capital in Property Insurance Portfolio, Stephen Lowe, Tillinghast 6. Panel discussion

PERSPECTIVES ON ENTERPRISE RISK MANAGEMENT Gunnar Pritsch Principal, McKinsey & Company [email protected] (212) 446 84 27 ERM Symposium - May 2, 2005

TODAY’S DISCUSSION

• Relevance of ERM • Four building blocks of best practice ERM

PERSPECTIVES ON ENTERPRISE RISK MANAGEMENT 1. Regulators and rating agencies worldwide are intensifying focus on enterprise risk management standards; less room for negotiation 2. Recognition across financial service industry that risks are increasingly correlated across businesses and sometimes across different risk types, requiring a much more integrated, enterprise approach to managing them 3. Heightened market sensitivity to risk surprises following major debacles; fiscal surprises of any kind now leading to greater capital (equity and debt) market penalties, often a multiple of actual loss in shareholder value 4. Boards and CEOs have responded by becoming more involved and overhauling their companies’ risk management practices

THE KEY ELEMENTS OF BEST PRACTICE RISK MANAGEMENT ARE ABOUT MANAGEMENT, NOT MODELS

Core elements to best practice risk management

1. Creating full risk transparency 2. Defining the risk strategy / risk appetite 3. Establishing a robust risk organization 4. Instilling effective risk processes and build a shared risk culture

1. BEST-PRACTICE PRINCIPLES FOR RISK TRANSPARENCY Integrated view on risk Management understanding

• “One company view on risk” – e.g., “Heat Map”

• Highlight and explain “hot spots” • Detect new risks, discuss early warning indicators • Review risk-return performance • Shared understanding of nature of key risks, e.g. –Impact of stress scenarios –Impact of cross-cutting risks and key drivers

Robust risk reporting

• Reporting action/decision-oriented (vs. data-driven) • Information consistent as it aggregates from transaction all the way to the Board

• Readers trained Adequate risk measurement methodologies

• Sophistication of measurement approach follows complexity and level of risk exposure

High risk concentration Medium risk concentration

RISK “HEAT MAP” One-year earnings-at-risk (EaR) U.S. $ Millions Business unit 1 Market risk • US$ IR • Local currency IR • Equity market & other Credit risk • Counterparty risk • Lending risk • Investment risk Operational risk Total EaR

Detailed business unit reports

Business unit 2

Business unit 3

2. DEFINING THE RISK APPETITE – HOW MUCH VOLATILITY IS ACCEPTABLE? Quarterly cash flows – 1991-2002 $ Millions 1,000

Trend line Quarterly cash flows

800

Deviation from trend line Percent 110% 80% 50% 20%

600

-10% -40%

400

-70% -100%

200

-130%

0 Q2 Q1 Q4 Q3 Q2 Q1 Q4 Q3 Q2 Q1 Q4 Q3 Q2 Q1 Q4 Q3 Q2 Q1

-190%

01 00 98 97 96 95 93 92 91 90 88 87 86 85 83 82 81 80

-200

-160% -220%

Losses are infrequent, but severe

-250%

-400

-280% -310%

-600

-340% -370%

-800

0%

5%

10%

15%

20%

A RISK APPETITE ‘DASHBOARD’ TO MONITOR RISK PROFILE Current assessment

Green: Desired risk profile

Yellow: Caution! Management focus is necessary to monitor risk profile and improve if appropriate

Red: Danger! Board attention and management action needed to monitor and improve risk profile

Risk adjusted performance

Top quartile of peers in risk adjusted performance and stable/improving risk/return profile

2nd quartile of peers in risk adjusted performance and stable risk/return profile

3rd or 4th quartile of peers in risk adjusted performance and/or deteriorating risk/ return profile

Capital adequacy

Well capitalized with an appropriate cushion

Well capitalized

Undercapitalized or significant excess capital

Risk mix

Risk mix reflects stated strategy

...

...

Risk mix does not reflect stated strategy, but credit risk is continually decreasing as a proportion of total risk

...

Risk mix does not reflect stated strategy, and credit risk is stable or rising as a proportion of total risk

...

3. DESIGNING A BEST-PRACTICE RISK-MANAGEMENT ORGANIZATION 1. Strong and visible commitment from top management 2. Central oversight of risk management across the enterprise (including subsidiaries, corporate functions) 3. Separation of duties 4. Clearly defined responsibility and accountability

Blueprint for best-practice riskmanagement organization

5. Full ownership of risk and risk management at BU level 6. Business units formally involve and view risk management as a thought partner 7. Cost-effectiveness

4. STRENGTHENING THE RISK CULTURE Putting in place robust risk management processes

“Getting the soft side right”

1. Capital allocation

1. Senior management visibly involved in Risk issues

2. Risk adjusted performance measurement

3. Limit structure & policy setting

2. Building a true partnership between Risk and the Businesses

4. Model validation

3. Aligning incentives

5. …

4. Talent

DRAFT

ERM: PNC’s Journey

EE

Tom Whitford Chief Risk Officer May 2005

DRAFT The ERM Journey 2002 Events

Responses

January

Earnings Restatement

2002

February

Earnings Restatement SEC Investigation

2003

& March

July

Customer Fraud

2004

Regulatory Agreements

2005

Create corporate RM organization

Elevate both corporate and business RM practices towards best practices

Continue to enhance ERM framework

DRAFT Core Risk Management Goals ƒ Linkage of Strategy and Risk Profile ƒ Integration of Credit, Operational and Market Risk Management ƒ Effective Management of Risk Based Capital ƒ Culture with Strong Discipline and Accountability

DRAFT Strategic Plan Consistent With Risk Principles Risk Principles

ƒ

Strategic activities build on key competencies and competitive advantage, reducing execution risk

Only take risks that increase shareholder value

ƒ

Mix of businesses are diversified across major risk types

ƒ

Economic capital allocation model ensures risks are appropriately sized, diversified and capitalized

ƒ

Metrics support risk adjusted performance measurement

ƒ

Regulatory goals of “well-capitalized” and “safe and sound” are core priorities

ƒ

Regular communication to board and executive management on risk levels ensures transparency

Limit business decisions by a set of “boundaries”

Balance risk caution with need to grow

DRAFT Governance Process Board Committees ƒ Approve risk appetite limits and set strategic direction for the Corporation ƒ Provide oversight for Risk Management activities

Management Committees ƒ Develop strategic vision for key enterprise-level activities ƒ Approve policies governing enterprise level activities

Working Committees ƒ Develop framework for implementing key enterprise-level activities ƒ Develop and adopt policies governing key enterprise-level activities

DRAFT Enterprise Risk Policy Hierarchy 1

Enterprise Risk Policy • PNC’s risk principles and management framework. • Incorporates high level strategy and risk appetite set by Board

2

Corporate Risk Management Policies • Establish standards for managing risk across businesses.

3

Business Level Policy Guidelines • Provide further guidance for business-specific risk management processes.

4

Risk Management Procedures • Procedures outline steps to take in a given process, often in support of complying with a related policy.

5

Internal Control Structure • Key and supporting controls for risk management processes that have been identified and tested.

DRAFT Enterprise Risk Policy Hierarchy: Example Strategic Plan

Approval and Exception Reporting:

Board Level

Performance Objectives

Current Examples:

Risk Philosophy/Appetite

• Enterprise Risk Tolerance Limits • Risk Rating Philosophy

Enterprise Risk Policy •Target Risk Profile • Governance

Corporate Risk Management Policies Management Committee Level

Business/Management Committee Level

Business/Credit Administration Level

• Portfolio Management Policy • Credit Approval Policy

• Risk limits/tolerances by risk pool • Absolute standards in line with risk appetite

Business Level Policy Guidelines • Business specific underwriting guidelines • Aligned with CRM Policy standards

• Risk-specific policies: – Healthcare – Leasing

• Credit Administration Procedures

Credit Administration Procedures • Consistent measurement/monitoring of risk • Specific underwriting processes

DRAFT Risk Aggregation & Transparency ƒ Board Risk Reporting − Every Board Meeting − Led by CRO and CReO

Enterprise Risk Profile Risk

Residual Risk

Risk Trend

Risk Management Assessment $

Credit

$

Market

$

Operating

− Enterprise Risk Profile

Economic Capital

Overall

Liquidity

• Profile Changes • Key Developments/Emerging Risks

$ Stable

− Major Risk Issues by Type Residual Risk Alignment: No gap between Current and Desired Residual Risk. One level gap between Current and Desired Residual Risk. Two level gap between Current and Desired Residual Risk.

Risk Trend: Provides a current assessment of how the risk is expected to move over the next quarter, but does not necessarily indicate that the risk level will change.

Risk Management Assessment: Indicates how well the current risk management infrastructure manages inherent risk. • Strong – Effectively identifies and controls all major inherent risks posed by the relevant activity or function. • Satisfactory – Overall, risk management activities are equivalent to inherent risks posed by the relevant activity or function, but may be lacking to some modest degree. • Marginal – Risk management weaknesses exist that need to be addressed in the near term. • Weak – The control environment is not adequately structured to identify, measure, and monitor inherent risks posed by the relevant activity or function.

DRAFT Enterprise Risk Management Roadmap Success Factors

Objective

ƒ

Enterprise-wide View

ƒ

“Best-in-class” Risk Management Organization

Effective Governance

ƒ

Separation of Duties

ƒ

Aggregation of Risks

ƒ

Transparency of Risks

ƒ

Consistency of Practices

ƒ

ACCOUNTABILITY

Drivers of Success ƒ

Board Involvement

ƒ

Management Leadership

ƒ

Corporate-wide Initiative

ƒ

Values Based Process

ƒ

Regulatory Partnership

ERM

Enterprise Risk Management

Craig Raymond SVP & Chief Risk Officer May 1, 2005

ERM

ERM at The Hartford Hartford Financial Services Group

Hartford Property & Casualty

Hartford Life

„ Strong Ingrained Risk Management Discipline „ Decentralized „ Entrepreneurial

Hartford Investment Management Co

ERM

ERM Key Design Principles „ „ „ „ „ „

Full ownership of risks and risk management at business unit level Clear accountability and responsibilities Central oversight Cost-efficiency Involvement of risk management with businesses as “thought partner” Complement Hartford’s two-company structure, build on existing risk culture and utilize existing resources whenever possible „ Achieve visible risk management excellence both internally and externally „ Add value (not just bureaucracy) both defensively and offensively

ERM

ERM Objectives “No Surprises”

“Maximize Shareholder Value”

• Create common understanding of risk appetite and tolerances • Understand and report on significant risk exposures across enterprise • Develop and share risk mitigation/transfer methods • Build framework that: … enables business leaders to make appropriate and consistent risk/return decisions … facilitates management of overall enterprise risk profile and capital

ERM

ERM Structure HIG CFO HIG CRO

Corporate

Life CRO

P&C CRO

HIMCO CRO

„ Hartford CRO position established … Dedicated position … Reports to Hartford CFO with regular Board reporting responsibility

„ Each operating company established CRO position … Senior leaders in companies with scope of responsibilities greater than just risk management … CROs report to HIG CRO for risk management responsibilities and to line management for all other matters

„ CROs act as virtual risk management team, pooling resources to staff ERM activities „ Enterprise risk committee (OOC plus Actuaries, CFOs and CROs) sets risk policy and limits based on CRO recommendations

ERM

Lesson Learned „ Commitment from the top is critical „ Process can be good „ Communication is key … Value in sharing across enterprise … Behavior changes occur when you get understanding and buy-in

Enterprise Risk Management Ron Harasym Vice-President Risk Management

Agenda ƒ Overview of AEGON Canada Inc ƒ Overview of Tools & Metrics ƒ Integration into the Decision Making Process ƒ ERM in Practice

Overview of AEGON Canada Inc AEGON International N.V.

Transamerica International Holdings Inc. 100%

27%

AEGON Canada Inc. 73% 100%

Transamerica Life Canada

100%

AEGON Capital Management Inc.

AEGON Fund Management Inc.

100% National Financial Corporation

100%

100%

AEGON Dealer Services Canada Inc. 50%

Money Concepts (Canada) Limited 50%

National Financial Insurance Agency Inc.

Overview of Tools & Metrics ƒ Business Plan ƒ Dynamic Capital Adequacy Testing ƒ Embedded Value ƒ Shock Testing ƒ Economic Capital

Integration into the Decision Making Process

ƒ Accountabilities ƒ Risk Categorization ƒ Risk Triggers ƒ Exposure & Consequences ƒ Potential Risk Mitigation

ERM in Practice

ƒ Pre-Emptive Strikes ƒ Fire-Fighting

ERM Success Stories: Optimizing Risk and Capital in a Property Insurance Portfolio 2005 ERM Symposium – Chicago Stephen Lowe, FCAS, MAAA Managing Director 2 May 2005

© 2005 Towers Perrin

The Client „ Major property & casualty insurer „ Writes personal and commercial property insurance

nationally „ Concentrations of exposure are an obvious issue „ Extensive knowledge of property insurance risks „ Detailed database of insured exposure „ Licenses variety of catastrophe models „ While analytical tools are in place to measure risk, the

client wanted to more actively manage risk

© 2005 Towers Perrin

2

Key issues and obstacles 1. ERM too high level and intangible

— Not actionable — Value creation not apparent 2. Inconsistent metrics and analytics 3. Resistance to changes in traditional decision

processes — Staff versus line — Black box models

3

© 2005 Towers Perrin

ERM Value Framework Maximize value by using economic capital to relate a firm’s decisions on the risks it takes to the decisions on the capital it uses to finance its business

Value Creation

Capital Costs

Return on Risk Value Management Portfolio of Enterprise Risks

Capital Adequacy

Portfolio of Capital Resources

Risk and Capital Management

Risk Structure How much capital do I need?

Capital Structure What type of capital do I need?

Economic Capital

© 2005 Towers Perrin

4

Phase 1: Decisions about the portfolio of risks

Is this a good risk?

Is this risk a good addition to our existing portfolio?

Concentrations of exposure create the need for additional economic capital

5

© 2005 Towers Perrin

1: Decisions about the portfolio of risks Because property risk pricing is imperfect, one can create value by improving the geographic diversification of the portfolio

Value Creation

Capital Costs

Return on Risk Value Management Portfolio of Enterprise Risks

Capital Adequacy

Portfolio of Capital Resources

Risk and Capital Management

Risk Structure How much capital do I need?

Capital Structure What type of capital do I need?

Economic Capital

© 2005 Towers Perrin

6

1: New analysis facilitated better risk decisions, leading to higher value creation

Constrained optimization to determine best possible portfolio ƒ 10% targeted growth in portfolio ƒ 8% reduction in required economic capital

Underwriting Status Closed (266) Manager Approval (391) Open (210)

Optimization results were translated into zip code growth priorities for local underwriting decisions

7

© 2005 Towers Perrin

Phase 2: Decisions about portfolio of capital resources Debt Conventional approach Debt

Net Risks Equity Reinsurance

Gross Risks Debt

Equity Framework approach

Gross Risks

Equity Reinsurance

Strategic: Should I change the mix between paid up capital and contingent capital? © 2005 Towers Perrin

Tactical: Given the amount of paid up capital, how much contingent should I buy? 8

2: Decisions about the portfolio of capital One can also create value by altering the mix of capital, for example by shifting from expensive contingent capital to less expensive debt

Value Creation

Capital Costs

Return on Risk Value Management Portfolio of Enterprise Risks

Capital Adequacy

Portfolio of Capital Resources

Risk and Capital Management

Risk Structure How much capital do I need?

Capital Structure What type of capital do I need?

Economic Capital

© 2005 Towers Perrin

9

2: New analysis facilitated better risk decisions, leading to higher value creation

© 2005 Towers Perrin

10

Success 1. Reconciling different internal points of view

— Actuarial versus corporate finance 2. Communicating successfully

— Translating approaches / results into traditional measures 3. Focusing on actionable areas 4. Clearly demonstrating value creation

© 2005 Towers Perrin

11

1. What keeps you awake at night? What are the top 3 risks your businesses faces? How do you think these will change?

0

2. Where do you see the benefit of ERM? Given it’s a cost center, how do you show the value?

1

3. What do you see as the main catalyst (e.g., Board, Rating Agency, felt need, regulator) for a successful ERM initiative?

2

4. How do you enable the board of directors to have an effective dialogue on risk?

3

5. What should be the mandate of ERM and the role of the CRO?

4

6. What should be the relationship between corporate ERM and the businesses?

5

7. How do you build the “E” into risk management? How should ERM influence decision making and what change effort is required?

6