Risk Management For Small to Mid-Sized Companies

Michael A. Cohen, Principal Cohen Strategic Consulting September 16, 2010

Today’s Presentation

• Philosophy • Process • Focus of a Small-to-Midsized Company’s ERM Program • Internal/External Identification, Review of Risks • Financial Analysis/Capital Analysis/Metrics • Risk Tolerances, Thresholds 2

Today’s Presentation (continued)

• Investment Strategy, Management • Governance Structure/Process, Responsibilities, Communications • Stakeholders, Discussions • Case Study • Business Psychology • Rating Agency Expectations • Conclusion 3

ERM Philosophy

• Leadership/involvement from the ‘top’ -

has to drive ERM in a meaningful way,

enhancing the company’s risk culture

the CEO

• Supports attainment of (and ideally exceeding) corporate goals, objectives, interests of stakeholders • Concentrate on the company’s major/material risks (prioritization) at the core of the ERM process, but be perceptive about other risks; don’t let the process get bogged down with theoretical concepts 4

ERM Philosophy (cont’d)

• Risk thresholds and tolerances quantified/ qualified; events that can cause their ‘breaching’ need to be highlighted and mitigated • Integrate ERM with and into strategic, operational and financial planning, decision making – not a silo!

• Use ERM as a problem solving, or better yet, a problem avoidance effort 5

ERM Process

• Actionable, hands-on process – company

pragmatic!

• Communication/integration processes up and down, and across the organization; this is easier to accomplish in a small to mid-sized • Everyone is a risk manager, and a company’s communications process needs to be an effective, non- threatening enabler whereby staff can alert executives/ managers with a need to know about risk issues • All associates should be ‘students of the business’, ideally beyond their own areas of expertise and responsibility • Modeling must be done insightfully, and deliver reliable decision making data and analyses • Decision making processes need to be effective (more on this later) 6

Focus of a Small-to-Midsized Company’s ERM Program

A small-to-midsized company does not have the resources to ‘do everything’ (as a large company does), but it can develop and implement a very effective ERM process: • Tailor program to fit the organization, its resources, and decision making processes • Risk identification, quantification/qualification, prioritization, coordination, mitigation; problem solving • Focusing on the most impactful areas in the launch phase • Integration of ERM into strategic and operational planning • Utilize existing committee structures and decision-making protocols • Determine risk tolerance, thresholds, tail risks • Implement risk mitigation processes • We’re going to talk about rating agencies’ expectations a little bit later in the presentation 7

Internal/External Identification, Review of Risks

• Designate an experienced, knowledgeable executive to coordinate risk committee and the identification and review of risks; it may be a dedicated Chief Risk Officer (CRO), but doesn’t have to be • Committee with key executives: - Finance - Actuarial - Investments - Businesses - Legal - Audit - Others with relevant expertise 8

Risk Tolerance (adverse impact), Thresholds (behavioral triggers)

How much adverse risk impact can your company ’tolerate’?

• Capital • Earnings • Business volume – type and amount • Ratings •

Miscalculations are common!

If your company is exposed to more risk (impact) than can be comfortably absorbed (your ‘thresholds’ are breached), you may well need to make some changes.

9

Financial Analysis/Capital Analysis/Metrics

• Growing earnings, while preventing earnings ‘eroders’ • Growing capital, while preventing capital ‘eroders’ • Economic capital (modeling) • Cost of capital, capital allocation, returns on capital (risk adjusted returns) • Metrics (of performance) 10

Investment Strategy, Management

• Asset classes invested in • Net yield performance • Realized capital losses/defaults/ impairments • Liquidity • Concentration • Higher yield/higher risk investment options • Counterparty issues • Investment risk issues and magnitudes are growing and becoming (much) more uncertain 11

Governance Structure/Process, Responsibilities, Communications

• Senior management • Board of Directors • Key managers • The organization 12

Key Constituencies: Stakeholders

• Customers • Producers • Board of directors • Investors/shareholders • Rating agencies • Regulators • Counterparties • Financial and business partners, supply chain • Executives, management and critical staff • How might they react to risk and uncertainty, and their adverse impacts in your company? 13

Discussions For Key Constituencies

• ERM Charter, Goals/Objectives • Risk thresholds, tolerances • Process in place, including governance; committees overseeing the most important corporate functions integrate ERM into their activities, ‘missions’; communications • Integration into strategic and operational planning • Financial, actuarial analysis /capital allocation/risk tolerances, thresholds/metrics/modeling • Improvements in decision making, problems headed off, lessons learned 14

Actions Dissatisfied Stakeholders Might Take

• Cease doing business with you, or diminish the volume of business they do with you (Customers, Producers, Counterparties - financial/business partners, supply chain, Executives/ Management/Critical staff • Sell stock, lowering the price in the process (Investors) • Replace management, lower compensation (Board of Directors, Investors) • Charge you a higher price (interest rate) for capital (Lenders) • Downgrade your company (Rating Agencies) • Mandate that you cannot participate in your business (Regulators, Institutional Customers - if ratings are not high enough) 15

Case Study

• Visualize a hypothetical company, with the following attributes: - $10 billion in assets - $700 million in capital (7% C&S/Assets) - $60 million in annual net income - $100 million in new life insurance annualized premium - $200 million in annual fixed annuity sales - ‘A’ rating, stable outlook from A. M. Best - ‘A+’ rating, stable outlook from Standard and Poors 16

Case Study (continued)

• Risk (impact) tolerance: How much capital could this company lose, and what level of reduced earnings could it accept …

comfortably

, without feeling that significant changes needed to be made?

17

Case Study (continued)

• Event: The company suffers a $100 million, investment related capital loss (that had been funded with excess capital …

of course

) 18

Case Study (continued)

• After the event, the hypothetical company now has the following attributes: - $9.9 billion in assets - $600 million in capital (6.1% C&S/Assets) - $55 million in annual net income - Less than $100 million in new life insurance annualized premium - Less than $200 million in annual fixed annuity sales - ‘A’ rating, negative outlook or possibly a downgrade to an ‘A-’ rating from A. M. Best - ‘A+’ rating, negative outlook or possibly a downgrade to an ‘A’ rating from Standard and Poors 19

Reflecting on the Actions Dissatisfied Stakeholders Might Take

• What stakeholder reactions are most onerous? • Avoiding those (most onerous) reactions are clearly your greatest imperative, and define your ultimate tolerance for risk and what your risk thresholds need to be • Hypothesis: A rating downgrade is the most serious stakeholder reaction a company can experience, as it has the most impact on triggering other undesirable stakeholder reactions 20

Business Psychology:

How People Analyze Situations and Make Decisions Has a Big Impact on How They Manage Risk • People work on problems they think they can solve, and they avoid those they don't think they can solve. Therefore, if the elements of risk are in the latter category, they won't be addressed. • They are slow and cautious in reacting to new information. Solutions to risk reduction may exist, but they might not be implemented without an inordinate amount of study, or possibly not at all. 21

Business Psychology (cont’d)

• They are reluctant to admit ignorance or mistaken assumptions and tend to forget misassumptions that have been made. An ill conceived initiative can be expected to have additional risk, and if learning doesn't follow, further mistakes may be made. • They are inclined to be risk averse when they have made gains and can be risk seeking when they have incurred losses. This leads to a strategy basically opposite of what should be pursued, which is to invest more when gaining and less when losing. • They look at fewer as opposed to more perspectives, possibly missing a better solution. 22

Business Psychology

(cont’d)

• They do not realize when they are at an information disadvantage. • They are inclined to blame others for poor results, as opposed to studying the causes for their own mistakes and fixing them. • They frequently place greater value on what they have created than on what others have done, either individually or collectively, and may well miss out on higher-order thinking generated by a group and on critical perspectives of others. 23

Black Swans: Unforeseeable Events with Huge Consequences

• These events aren’t in our mind-sets; when you develop risk scenarios, many times these events won’t be foreseen • Q: How can we protect our company’s assets (broadly defined) from risks we can’t anticipate? - Increased capital, liquidity (or access to it) - Diversification: into sound options, not just diversifying for the sake of it - Conservatism - Understanding thoroughly the elements (and risks) of our businesses (from internal and external views) 24

Rating Agency Expectations

• S&P: * Has the most intense ERM analysis/expectations of any rating agency * Few small-to-midsized life insurance companies are followed on an interactive basis by S&P • Others • Large companies • Small-to-midsize companies 25

What S&P is Looking For in Insurers’ ERM Programs:

Large Companies • Risk management culture, process • Top management commitment • Governance • Risk tolerance, thresholds; note that the word ‘appetite’ was not used! • Risk mitigation, controls 26

What S&P is Looking For in Insurers’ ERM Programs:

Large Companies • Preparedness for emerging and unpredictable risks • Risk models, assumptions • Strategic risk management: controlled risk taking in the pursuit of strategic initiatives • Effective communications • “What’s behind the Power Point?” 27

What S&P is Looking For in Insurers’ ERM Programs:

Small to Mid-sized Companies (they follow only a few of them) Q: Why can’t small to mid-sized companies do many of the ERM-related activities that large companies do?

A: They can. They have to perform the most important elements of ERM … with fewer resources but can benefit from closer coordination.

28

Conclusion

• ERM is an integral part of sound management and decision making, not a fad nor an isolated activity • Knowing how much risk impact you can comfortably absorb, and making the necessary changes if you are beyond your tolerance(s), can literally save your company • Risk mitigation/problem solving critical • Guard against the unpredictable, while not be paralyzed by fear • You can do this!

29

Contact Information

Michael A. Cohen, Principal Cohen Strategic Consulting (215) 595-7259 mcohen@cohenstrategicconsulting www.cohenstrategicconsulting.com

30