Risk Management Case Study: Aioi Presented by Peter Dyer | 12 November 2014 Aioi Nissay Dowa
© 2014 Finity Consulting Pty Limited
Risk Management Case Study Implementation of Promapp at Aioi Australia
Peter Dyer
Aioi Risk Management Process The risk management process at Aioi, prior to their implementation of Promapp, relied on basic systems, not dissimilar to other small to medium general insurers. Risks are managed in accordance with a Risk Management Framework (RMF) that includes: 1. Risk Appetite Statement (RAS) 2. Risk Management Strategy (RMS), that: a. Establishes the Risk Management Principles b. Identifies the high level classifications of the types of risk that Aioi Australia is exposed c. Documents the responsibilities of key positions with regard to their role in the Risk Management Framework, including the Board of Directors, Risk Committee, CEO, CFO, Approved Actuary, Approved Auditor, Internal Auditor, Compliance Manager & Risk Manager 3. Business Systems & Business Processes a. Now includes Promapp 4. Policies & plans that support the RMS including the Business Plan, Capital Management Plan, Business Continuity Plan, Disaster Recovery Plan, Outsourcing Policy & the Reinsurance Management Strategy
3
Risk Management Framework - GI • APRA Prudential Standard CPS 220 – Risk Management (for general insurers) Risk Appetite Statement (RAS)
Business Plan, Capital Management Plan & ICAAP
Risk Management Strategy (RMS)
PROMAPP Processes & Procedures Includes risk mitigation activities, controls & reviews
Risk Register
Risk Log, Inherent Risk Assessment, Risk Treatment & Controls, Residual Risk
Risks that require treatment/control to reduce the inherent risk ratings should have a process which outlines how the treatments are conducted. Within Promapp these processes can be linked to the risk register, for future tests. 4
THE RISK & PROCESSES RELATIONSHIP RAS
Need to know what the risk appetite is before you generate a business plan. The RAS will impact the level of RI. Need to know the operational risk appetite to determine the expense ratio required to deliver this. Also impacts premium growth & loss ratios the business is prepared to accept
Business Plan, Capital Management Plan & ICAAP
RAS
Need to know what you are trying to achieve to be able to assess the risks associated with achieving or not achieving the business objective (BP & CMP)
Insurance Risk Etc
Operational Risk
≈8
High Level risks
Asset Risk
BUSINESS & CAPITAL MANAGEMENT PLAN Specific Risks in the Risk Register
RISKS: ≈80 Risk: A, B, C etc etc…….
BUSINESS PROCESSES: 600-1000??
P R O M A P P
463 currently in Promapp
The business process usually contain the controls and mitigating activities that manage the inherent risks and ensure any residual risk complies with the RAS
BUSINESS UNITS: UW CLAIMS FINANCE IT CUSTOMER SERVICE HR COMPLIANCE LEGAL ETC
5
Risk identification The risk identification process includes: 1.
Staff Training on Risk Management a. b. c. d. e.
2. 3. 4. 5.
Staff identify risks (Risk Manager & Managers) Risks are raised with the Risk Manager throughout the year Risk Manager reviews risks with Managers at least once per annum Business process alterations require a risk assessment during the planning and implementation phases of the change Industry experience, industry forums and external advice on emerging risks that may impact Aioi Australia - The risk manager communicates these risks to risk owners & managers for assessment
Risk registration (Risk register – Excel & Promapp) Risk assessment & rating to determine the Inherent Risk Identify & evaluate controls & mitigating activities Re-evaluate the risk assessment & rating to determine the Residual Risk
6
Risk Management process 1. 2. 3.
4. 5.
6.
Material risks are logged on the Risk Register based on the inherent risk assessment The assessment processes involves a scale of 1-5 for both likelihood and consequence
a.
The assessment scale is relative
a. b. c.
Managers identify risk & assess inherent risk Develop processes that control and mitigate the risk Assess residual risk
a.
Where collective residual risk exceeds the risk appetite, the risk manager works with Managers to enhance the risk mitigation procedures Senior Management and the Risk Committee are advised of the situation
Managers are responsible for the management of risk
Risk manager reviews identified controls to ensure they are sufficient to mitigate the risk Risk manager accesses whether risks collectively (for each high level category) are being managed in accordance the Risk Appetite statement
b.
Verification and testing of controls is completed periodically by both internal & external audit
7
Risk Management benefits to be realised from the Promapp implementation 1. Promapp raises awareness of risk across all levels of staff and improves transparency of links between risks and processes 2. Risks have direct links to the processes that mitigate risk 3. Promapp enhances document version control to ensure staff are referring to appropriate & current documents 4. Managers will have an increased visibility of the risk register and make the risk management process more transparent Potential impacts from risks that managers do not own will become more visible
5. Provides a clear audit trail 6. Enhances the MIS systems used in the Aioi business to measure, assess & report on material risks
8
Why a Business Process Management tool? Australia Aioi: 1. 2. 3.
transferred the underwriting operations to a locally incorporated subsidiary placed the existing branch operations into “run off” is generating business growth of 20% p.a.
These changes contributed to Aioi’s decision to implement a Business Process Management (BPM) tool. Aioi Australia & New Zealand had identified Promapp as a tool that would enhance the risk management environment and the local incorporation project provided the justification required to approve the acquisition & implementation 9
Why Promapp? 1. The key selling points were: a. b. c. d.
Simplicity and ease of use Addressed the business needs Linked processes to risk management Upfront and ongoing cost were…… appropriate!!
2. Being a Cloud based software made it very easy to implement a.
b.
A few spreadsheets of data and we were away user names, roles etc company logo etc Access is available from anywhere with internet
3. Obtaining Promapp via “software as a service” (SaaS) has delivered upgraded functionality several times since implementation 4. Training requirements were not significant a.
A free demo site was available to determine this
5. New functionality being delivered by Promapp has been applied and is proving useful 10
What is Promapp? Promapp is process management software that helps to document, improve and share process knowledge from a central online repository. Promapp drives process improvement by simplifying process mapping and assist the business to improve their processes. Promapp is an integrated risk management software solution that integrates risk and compliance requirements directly into processes, resulting in risk and compliance awareness becoming an everyday activity. • Refer Promapp.com for more info.
11
Existing Aioi Process Documentation MS Word
Screens shots If screen is updated in system developments then updating the process documents was a significant task. Made significantly easier with Promapp!!
12
Aioi Process Maps in Promapp Process: - “Cancel policy” Sub processes
Process Map tab Sub process - “Generate a document”
13
Procedure tab
PDF Process document
Weblink to the PX system Note on username etc
Hyperlink & email
https://au.promapp.com/andia/vie w/Process/Minimode/Permalink/Cn nh5gVA2vdBpBwt5bNcuf
14
A process with a common sub process…. Process - “Endorse an MVI policy” Sub process - “Generate a document”
15
Aioi’s process maps are for: Assisting staff to execute processes effectively & consistently Facilitation of process improvement
via “Feedback – Suggest an Improvement” functionality in Promapp
Training of new staff Management of risk Ensure process compliance Regulatory compliance (APRA, ASIC, FOS etc) Depository for business documents, policies, forms & manuals etc To ensure current documents are used
16
Implementation areas so far? 1. 2. 3. 4. 5. 6. 7.
Finance Policy Administration Customer Service IT Internal Audit Compliance Risk
Business units still to implement Promapp: 1. Human Resources 2. Underwriting & Distribution 3. Claims 4. Aioi New Zealand 17
Implementation approach Promapp trial site was used in assessment in May & June 2013 Test processes created to demonstrate the product to key stakeholders
Signed up to implement Promapp in late July 2013 Implementation workshop held in mid September 2013 – Site visit by a Promapp consultant for 3 days • Training – about 8 staff were trained to document processes with 2-3 doing Promapp Administrator training • Initial process mapping commenced as part of this site visit/training • Risk module training and set up was completed – all existing risks on the risk register were entered to the Promapp risk module
– Follow up site visit from consultant in March 2014 • Review process mapping for each area and suggest improvements • Further staff training & train the trainer completed – We can now train our own new users
18
Other benefits from Promapp Document library Aioi is transitioning to using Promapp as their master document library A single source for staff to access the most current documents for each process • Includes policies, procedures, training materials, screen shots or forms
System Inventory Which systems are used in each process
19
Document Categories: Policy documents
Document Library
Promapp will be the Aioi Australia master document library. This is currently being implemented.
Processes that refer to this document
Previous versions of the document
20
Systems – Linking processes & systems
System
Processes that Processes use this system
21
Risk Management Module
Risk Assessment Inherent
Risk Assessment Residual
Risk Treatment – (Can be linked to a process)
22
22
Risk Management Module Risk heat map – Inherent risk
Risk heat map – Residual Risk
Risk by portfolio
23
Questions?
24
