Enterprise Risk Management in Ethiopian Private Banks. An Assessment

Table of content

ABSTRACT

Chapter 1
1.1. Introduction
1.2. Statement of the problem
1.3. Research Questions
1.4. Objectives of the study
1.5. Significance of the study
1.6. Scope/Delimitations of the Study
1.7. Limitations of the study
1.8. Organization of the Study

CHAPTER TWO LITERATURE REVIEW
2.1. Definition of Risk and risk Management
2.2. Historical Development of Risk Management
2.3. Definition of Risk Management
2.4. The Process of Effective Risk Management
2.5. Benefits of effective risk management
2.6. Definition of Enterprise Risk Management
2.7. Development of Enterprise Risk Management
2.8. Benefits of Enterprise Risk Management
2.9. Enterprise Risk Management Process
2.10. Types of risks in banks
2.11. Empirical studies
2.12. Research gap
2.13. Conceptual framework

CHAPTER THREE REASERCH METHODOLOGY
3.1. Research Design and Method
3.2. Sources of Data and Sampling Technique the Source of Data
3.3. Instruments and Procedures of Data Collection
3.4. Validity and reliability
3.5. Ethical consideration

CHAPTER FOUR RESULTS AND DISCUSSIONS

CHAPTER FIVE SUMMERY OF FINDING, CONCLUSION AND RECOMMENDATION
5.1 Introduction
5.2 Summary of findings
5.3 Based on the above fact the researcher draws the following conclusions
5.4 Recommendation

References

ACKNOWLEDGEMENT

I want to thank and express my great gratitude to all those who helped with the completion of the thesis. First, I would like to thank my advisor Dr, who helped me to overcome many difficulties, and always lead me in the right direction.

Additionally, I offer my gratitude to my family that supported me through the writing of this research. All of you have contributed to a successful and rewarding writing process.

ABSTRACT

The aim of this research is to explore the practice of Enterprise Risk Management in Ethiopian Private Banks. Currently, there are 16 private commercial banks working in the country, some of which are celebrating their 20 years anniversaries. To represent all the 16 private banks, the researcher grouped them in to two categories. Wegagen Bank, United Bank and Bank of Abyssinia has been selected from the earliest established commercial banks and Abay Bank, Buna international Bank and Berhan Bank were selected from the lately established banks in simple random sampling method with a total number of 51 employees working risk management area from the selected 6 commercial banks.The data were collected through questionnaire and face to face interview. The questionnaires were distributed to all risk management department staff of each selected commercial banks. The interviews were made with NBE’s bank supervision department and directors as well as managers and directors of commercial banks. 51 questionnaires were distributed, properly filled and fully returned to the researcher. The finding of the research reveals that, the major challenge faced by commercial banks are weak ton at the top, absence qualified staff, absence of advanced risk management technology and lower management attention and the recommendations were, Banks should have enterprise risk management committee at management level, Banks should conduct workshops or panel discussion to identify enterprise level risks in each activity and Banks should have comprehensive risk register and database to run their business with smooth operations and absence of interruption..

Key words: Risk, Risk management, banking sector, national bank of Ethiopia, enterprise risk management.

Chapter 1

1.1. Introduction

In the recent years, Enterprise risk management (ERM) has become increasingly relevant for managing corporate risk. In contrast to the traditional based risk management, enterprise risk management (ERM) considers the company’s entire risks portfolio in an integrated and holistic manner. It further constitutes part of the overall business strategy and is intended to contribute to protecting and enhancing shareholders value (Meulbroek, 2002; Hoyt and Liebenerg, 2011).

The need and demand for ERM as a holistic and company -wide risk management framework is a result of several changing internal and external factors in the corporate environment, which involve a broaden risk scope, a higher risk complexity and increasing interactions and dependencies between risk sources. Relevant external factors include e.g. globalization, industry consolidation and deregulation as well as regulatory pressure (Pagach and war 2011).

Furthermore, rating agencies have started to incorporate companies’ internal risk management systems in their rating processes (Hoyt and liebenberg 2011). In general the internal factors can reduce the objective of risk management which is to enhance the firm’s shareholder value (Meulbroek, 2002). Overall, an ERM system thus enables the board and senior management to better monitor the company’s risk portfolio as a whole (Beasley, Clune, and Hermanson, 2005).

The benefits implementing ERM are comprehensively discussed in the literature. The consideration of the company’s entire risk Portfolio in a holistic process is said to contribute to reduce the company volatility, stock price volatility and external capital costs as well as a higher capital efficiency, where the consideration of risk dependencies further allow companies to exploit synergy effects in the others the risk management process (Liebenerg and Hort, 2003). However, the necessary financial and human recourse, as well as the required IT systems, constitute an obstacle for ERM (Mcshane, Nair and Rustambekov, 2011).

Banking industry in Ethiopia has a history of more than 100 years. In 1905 the National Bank of Egypt, which was owned by British nationals, established the first Ethiopian bank as Bank of Abyssinia. This bank, though it was private, had a 50 years contractual agreement with Ethiopian government to issue currencies in addition to its commercial banking services. (Mihiretab et al, 2010), Since the establishment of the first bank, the banking industry in Ethiopia has passed through different ups and downs being affected by the regimes of the Monarchy, the Italian invasion, the Derg Juntas and EPRDF, details of which were stated here and there by different scholars. Today, along with the three government owned banks, 16 locally owned Private Commercial Banks are working in Ethiopia.

Thus, the main purpose of this study is to assess the banks enterprise level risk management practices.

1.2. Statement of the problem

Doing a business in general, involves full of uncertainty that negatively or positively affects the objectives of the organization. In the case of banking business specially, certain events may not only affect the respective individual bank involved, but also other banks working in the system, be it national or international, that can call-up-on governments’ interest in controlling the risks that commercial banks faces. (Enterprise Risk Management Committee (ERMC), 2003).

According to Nacco and Stulz (2006) although the key principles of risk management are well established the evaluation on risk management is still on demand. In addition further study is needed to understand the distribution of firm’s value.

However, from different reports which were revealed by the NBE and the commercial bank’s annual report in relation to enterprise level risk management practices, it is recognized that almost all of commercial banks do not have adequate awareness about enterprise level risk management practices (National bank of Ethiopia report).

Furthermore, there are various external and internal risks that affect insurance firms. The management of these external and internal risks is interdependent and the question of how these risks are linked and managed should be central to scholarly attention for further research (Huber, 2002).

Since enterprise risk management is a new concept in the world’s business environment in general and in Ethiopia particular, most of research works are on risk management practice of commercial banks other than enterprise risk management practice but only one study was conducted on the area by Samuel Ademe in 2015, assessment of enterprise risk management practice case of three selected commercial bank , hence this study will seek to fill in the knowledge gap by examining the enterprise risk management practice of six selected commercial bank.

Therefore, the purpose of this study is to qualitatively examine the current practice of private commercial banks in undertaking an Enterprise Risk Management.

1.3. Research Questions

This study tries to address the following research questions in the process of adapting structured risk management practices in the private commercial banks.

1. What are the major problems facing banks to manage their enterprise level risks?
2. How is the enterprise risk management process of Ethiopian commercial banks carried out?
3. What are the major steps to be taken by banks to strengthen their effort on their enterprise risk management functions?

1.4. Objectives of the study

1.1.1 General Objective

The general objective of this study is to assess the level of commitment of Ethiopian private commercial banks towards using ERM Program.

1.1.2 Specific Objectives

- To identify the major problems facing banks to manage their enterprise level risks.
- To evaluate the process of enterprise risk management used in conducting the risk management practices Ethiopian commercial banks.
- To identify the measures taken by banks to strengthen their effort on their enterprise risk management functions.

1.5. Significance of the study

The findings and conclusion of this study would give a picture of the risk management process used in practice by commercial banks in Ethiopia. This would be highly informative to the banking industry, government regulatory bodies (Mainly the National Bank of Ethiopia). It can be also be additional resource material for academic and professional society regarding risk management practices. Additionally the study will have the following significances:

- It provides the regulatory bodies (Mainly the National Bank of Ethiopia) on the status of Ethiopian commercial banks risk management and finding would be used in risk management policy formulation.
- It would provide banking firms essential information in evaluating their operations and in identification and rectification of possible risk exposures.
- It can serve as a base for further studies on the subject of risk management for national or international study undertaking

1.6. Scope/Delimitations of the Study

The scope of the study is limited in terms of content, space and time. It assesses the level of risk management practice by focusing on the responses all managements and operational staffs working under risk management departments of commercial banks.

Moreover, the study covers the risk management practice of commercial banks within Ethiopian banking industry. So the study achievements and implications are only the reflection of the property and behaviour of the Ethiopian banking business environment.

1.7. Limitations of the study

It is to be recalled that primary objective of this study would be to assess the enterprise level risk management practices of commercial bank within Ethiopian banking industry. But the study will focuses on the views of managements and staffs that have a direct responsibility and accountability for the day to day risk management activity of every commercial bank. Therefore the study is limited to the opinion, attitude and perception of management and operational staff of selected banks risk management department. Thus there would be exists a limitation over the opinions, attitudes and perceptions of other management members and staffs other than risk management department under this research which might limit the comprehensiveness of the assessment of risk management practice with regards to involving all stakeholders or participants in the sector.

1.8. Organization of the Study

The study was organized into five chapters. Chapter one was made up of background to the study, problem statement, aims of the study, research questions, and significance of the study as well as scope and limitation of the study.

Chapter two was constitute the literature review by providing theories related to the construct under study. And reviews of related studies to the topic under study were also made available here.

Chapter three was deliberate on the methodology by providing the research design, population, sample size, sampling technique, materials for data collections, procedure involved in data collection.

Chapter four of the study constituted the presentation of data gathered, analysis and discussion. Data will analyse and interpret with respect to the aims and objectives of the study.

Chapter five was constitute the summary of the findings, conclusion and recommendations for the study as well as recommendations for further studies.

Operational definitions

- Strategic Risks: - Strategic risk is the risk of loss or damage to reputation as a result of strategic or policy decisions.
- Operational Risks: - Operational risks are those risks resulting from inadequate or failed internal processes, people, system, or from external events leading to financial losses, reputational damage or inability to achieve business objective.
- Financial Risks: - Financial risk as the term suggests is the risk that involves financial and reputational loss to the Bank. Financial risks can be generally classified into liquidity risk, credit risk and market risk for risk management purpose.
- Employee:- means employee of the six selected commercial banks working on risk management area.
- Enterprise Risk Management (ERM) is also defined by the Committee of Sponsoring Organizations (COSO) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

CHAPTER TWO LITERATURE REVIEW

2.1. Definition of Risk and risk Management

2.1.1. Definition of risk

In the older time the term ‘Risk’ refers to the situation where there is the possibility of something bad happenings (Kate Woodford, et al, 2003). Oxford English Dictionary also defines risk as “a chance or possibility of danger, loss, injury or other adverse consequences”.

The above definitions show that the former understanding of risk more emphasizes the negative part only. Now days, however, taking risk can also result in a positive outcome (Paul Hopkin, 2010). Hence risk is an event where both positive and negative outcomes might happen.

Different institutions and organs had defined Risk in different ways among them the most popular according to Poul Hopkin, (2010) are:

- The definition given by the Institute of Risk Management (IRM) states that “Risk is the combination of the probability of an event and its consequence, where, consequence can range from positive to negative”.
- The other definition is that of ISO 31000 or ISO Guide 73. It defines risk as “Effect of uncertainty on objectives”. This definition is somehow very brief which requires clarification as for example ‘effect in this case may be positive, negative or a deviation from the expected (Poul Hopkin, 2010) which denote opportunity, Hazard and uncertainty respectively.
- Institute of Internal Auditors also defines risk as “the uncertainty of an event occurring that could have an impact on the achievement of the objectives”. It also state that risk is measured in terms of consequences and likelihood (Poul Hopkin, 2010).

2.2. Historical Development of Risk Management

Risk Management is originated in the United States out of the insurance management (Poul Hopkin, 2010). In 1950, due to measures taken by the insurance companies, the cost of insurance increased tremendously while the coverage of perils decreased. This called organizations to realize that, they should not only be relied on transferring risks to insurance companies, as the coverage was not only insufficient to handle all their risks specially related to health and safety, product liability issues and other risk control concerns but also it was not economical (Poul Hopkin, 2010). Furthermore, as stated before, insurance can only be used for the portion of hazard risks. Therefore, risks related to finance, commercial, marketplace and reputational issues are recognized as being hugely important but outside the historical scope of insurance (Poul Hopkin 2010) and hence risk management has become a must.

2.3. Definition of Risk Management

Similar to that of risk, different institutions and standards define risk management in their context. The following are some of these definitions sited by Giancarlo Nota, (2010):

IRM:

“Risk Management is a process which aims to help organization understand, evaluate, and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.”

Business Continuity Institute (BCI):

“Risk Management is a culture, processes and structures that are put in place to effectively manage potential opportunities and adverse effects”.

COSO (Committee of Sponsoring Organizations of the Tread way commission):

“Risk Management is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and accrues the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regard in the achievement of entity objectives”.

2.4. The Process of Effective Risk Management

Hopkin, (2010) indicates that historically, the term risk management has been used to describe an approach that was applied only to hazard risks. Hence, IRM develops the following model, which is called 7Rs & 4Ts of Hazard risk Management (Poul Hopkin, 2010). Gradually, however, it is developed to cover the improved management of control Risks and opportunity risks.

Abbildung in dieser Leseprobe nicht enthalten

Figure 1. 7 Rs and 4 Ts Hazard Risk Management Model

The first step, according to this model is Recognizing the risk or identification of risks along with its nature and the circumstances in which it could materialize. After recognizing the risk that has impact in our objective the second step is Ranking or evaluation of risks in terms of magnitude and likelihood to produce the ‘risk profile’ that is recorded in a risk register.

As resources are limited, it is not possible to handle all identified risk; therefore Responding to significant risks is the third steps that include the decisions on the appropriate action regarding the following options:

Abbildung in dieser Leseprobe nicht enthalten

Resourcing controls to ensure that adequate arrangements are made to introduce and sustain necessary control activities which will then follow as the fourth step. Then after, Reaction, which means planning and/or event management; Reporting and monitoring of risk performance, and Reviewing the risk management system, including internal audit procedures and arrangements for the review and updating of the risk architecture, strategy and protocols are the fifth, sixth and seventh steps respectively.

When we come to Ranking, different scholars use different approaches to denote the degree of severity of identified risks. Some group classify risks into five while others into four but, the most common one is to categorize all risk issues in to three groups that use the traffic light system Red, Yellow and Green. The Red means ‘stop’ it is either bad threat or great opportunity; therefore, priority should be given to these risks. Yellow indicates ‘be careful’ ‘think twice before you act’ that indicates management should monitor these risks as situation may convert them to red or green. And the Green one indicates to hurry up as there is none or minimal danger or opportunity – management can seldom review them for their status. (Taken from the lecture of Dr. David Hillson at Munich in June 2006)

As we have discussed earlier, risk can be positive or negative, which means we have to prepare two Probability Impact Matrix, one for the Threat that results negative impact and one for the Opportunity that results positive impact. By putting these two matrices in a mirror wise as Hillson, (2006) puts it, we will get to the following figure that puts our focus in between.

2.5. Benefits of effective risk management

Effective risk management helps a company to reduce the negative and enhance the positive impacts of risks and company to sustainably stay in business. A company that has effective risk management thereby assist the can make informed decisions; exploiting can increase the likelihood of successful risk taking, i. e. opportunity risks; can protect its reputation/ goodwill; can improve the quality and reliability of its products and services; can increase the likelihood of achieving strategic goals or objectives; can reduce costs and/or increase profits; can reduce failure or downtime; and above all can properly utilize competitive Osborne, 2012).

2.6. Definition of Enterprise Risk Management

The word enterprise for Enterprise Risk Management (ERM) itself shows a different meaning than Traditional Risk Management (TRM). Enterprise means to integrate or aggregate all types of risks; using integrated tools and techniques to mitigate the risks and to communicate across business lines or level compared to Traditional Risk Management. Integration refers to both combination of modifying the firm’s operations, adjusting its capital structure and employing targeted financial instruments (Meulbroek, 2002).

It was argued that the term ERM has quite similar meaning with Enterprise-Wide Risk Management (EWRM), Holistic Risk Management (HRM), Corporate Risk Management (CRM), Business Risk Management (BRM), Integrated Risk Management (IRM) and Strategic Risk Management (SRM) (D’Arcy, 2001; Liebenberg and Hoyt, 2003; Kleffner et al., 2003; Hoyt and Liebenberg, 2006; Manab et al., 2007; and Yazid et al., 2009). There are various definitions of ERM. For example, in the middle of 2004, the Committee of Sponsoring Organization of the Tread way Commission (COSO) released the Enterprise Risk Management Integrated Framework.

COSO defines Enterprise Risk Management as a process, affected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. CAS or Casualty Actuarial Society (2003) defines Enterprise Risk Management as disciplines by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purposes of increasing the organization’s short and long term value to its stakeholders. Lam (2000) on the other hand, defines Enterprise Risk Management as an integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value. Makomaski (2008) defines Enterprise Risk Management as a decision making discipline that addresses variation in company goals.

Makomaski (2008) defines Enterprise Risk Management as a decision-making discipline that addresses variation in company goals. Alviunessen and Jankensgård (2009) point out that Enterprise Risk Management is concerned about a holistic, company-wide approach in managing risks, and centralized the information according to the risk exposures. They use the term Risk Universe, which is the risk that might impact on the future cash flow, profitability and continued existence of a company.

In other words, risk universe is risk that could affect the entity of the company. If risk universe can be identified, the next step is to take an appropriate action such as risk mapping process, accessing the likelihood and impact and curb the risk based on the organizations’ objective. Therefore, Enterprise Risk Management can be defined as a systematically integrated and discipline approach in managing risks within organizations to ensure firms achieves their objective which is to maximize and create value for their stakeholders. There are two key points that must be highlighted according to the definitions given above. The first key point is the main role of ERM itself it integrates and coordinates all types of risks across the entire organization. It means that risks cannot be managed in silo approach.

All risks occurred in the entity must be combined and managed in enterprise approach. The second key point is by using ERM, users are able to identify any potential incidents that may affect the organization and know their risk appetite. If the risk appetite is specifically known, any decision made by the organization to curb risks may be parallel with the firm’s objective (Walker et al., 2003).

2.7. Development of Enterprise Risk Management

This section will discuss briefly the development of ERM especially on the emerging factors that influence companies to shift from risk management practices (Traditional Risk Management) to Enterprise Risk Management. The discussions will focus from the theoretical perspectives; academic and professional bodies. D’Arcy (2001) has postulated that the origin of risk management was developed by group of innovative insurance professors i.e. Robert I. Mehr and Bob Hedges in 1950s.

In the 1963s, the first risk management text entitled ―Risk Management and the Business Enterprise‖ were published. The objective of risk management at that time was to maximize the productive efficiency of the enterprise. At that time, risk management was specifically focused on pure risks and speculative risks. In the 1970s, when Organization of Petroleum Exporting Countries (OPEC) decided to reduce production in order to increase the price, financial risk management became an interesting issue highlighted by firms because the increment in oil price has affected the instability in exchange rates and inflation rate (D’Arcy, 2001; Skipper and Kwon, 2007).

Later in 1980s, political risks attracted more attention from multinational corporations as a result of different political regimes in different countries. For example, when the government announced a new policy, investors and corporations must make decision to reduce risk (Skipper and Kwon, 2007). According to D’Arcy (2001), during this era, organizations did not properly apply risk management because they did not apply the risk management tools and technique such as options.

Therefore, it had increased the cost of operations of the organizations. During this era, the silo mentality still remains (Skipper and Kwon, 2007). In the 1990s, the use of financial tools such as forwards and futures are widely practiced in the United States. In addition, pressure from shareholders and stakeholders to take more action rather than buying insurance to fight against uncertain loss or financial crisis, influenced managers to mitigate risks more proactively. It demanded managers to retrieve better risk information and risk management techniques. During this time, risk management was closely related to financial, operational and strategic risks, not only hazard risks (Skipper and Kwon, 2007).

Li and Liu (2002) define strategic risk as the uncertainty of loss of a whole organization and the loss may be profit or non-profit, while Mango (2007) points out that there is no specific definition of strategic risk due to the inability to well-define and understand it. Strategic risk may arise from regulatory, political impediments or technological innovation. For example a specific guide entitled the Basel Committee (2001) define operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

Operational risk is more related to internal problems, such as employee fraud, corporate leadership, segregation of duties, information risk and product flaws. For example, Marc Dreier was found guilty and charged for 20 years of imprisonment due to fraud of fictitious promissory notes, which is valued at approximately USD700 million (Weiser, 2009). As the results that risks might occur in multiple perspectives, it can be concluded that risk management (Traditional Risk Management) could not be managed separately. It has to be integrated in a holistic manner. These factors are among the main cause of the emergence of Enterprise Risk Management in late 1990s. Organizations face risks and the risks depend on many factors. For example operational risk, strategic risk, political risk, technology risk, legal risk, financial risk, reputational risk and human capital risk. Most of the literature mainly concern on four types of risk i.e. financial risk, hazard risk, Operational risk and strategic risk (D’ Arcy, 2001; CAS, 2003; Cassidy, 2005). Cassidy (2005) found that Enterprise Risk Management existed in planning, organizing, and leading and controlling organizations activities in order to minimize firms’ major risks such as financial, strategic and operational risks.

2.8. Benefits of Enterprise Risk Management

ERM is important in many perspectives which have four main reasons (KPMG International, 2006)

- Organization desire to reduce potential financial losses;
- Organization desire to improve business performance;
- Due to the regulatory compliance requirements; and
- Organization desire to increase risk accountability.

On the other hand, (PricewaterhouseCoopers, 2008) found that firms in are motivated to implement ERM because of the following reasons:

- To adopt good business practice;
- To corporate governance pressure;
- It gives firms a competitive advantage; and
- It comes from regulatory pressure and also investment community pressure.

2.9. Enterprise Risk Management Process

Enterprise risk management (ERM) process is described as the risk based approach to managing enterprises. ERM is evolving to address the need of various stakeholders and broad spectrum of risk complex organizations (Enterprise Risk Management Committee, 2003).

In 2003, the Causality Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assessed, controls, exploits, finances and monitors risk from all sources for the main objective of maximizing organizational value.

ERM is now essential process for insurance for planning, organizing, leading and controlling the activities of an organization in order to minimize the effect of risk on an organization capital and earnings enterprise risk management extends to integrate financial, operational and other risks with a company functions. ERM provides a good frame work for risk management that involves identifying particular risks relevant to an organizations objective, determining a response strategy and monitoring process (Enterprise Risk Management Committee, 2003).

In a more comprehensive manner ERM aims to create value to an organization through the management of risks areas identified in relation to the organizations strategy and performance (COSO, 2016). Risk management on an enterprise level requires the recognition of the organizational culture, capabilities and practices as a fundamental step in order to fully integrate and implement a successful ERM framework that is well integrated with the strategic setting of an organization and able to create, preserve and realize value (COSO, 2016).

The ERM process effectiveness require full attention and participation of an organization’s board of directors, management staffs and other personnel involved in setting and implementing the organization strategy. In addition the ERM process should stretch across an organization business unit in order to integrate and fit the risk management process with the business operation an organizational culture. This is important in identifying where and when potential events that may negatively affect the organization (Protiviti, 2006). Thus, in this manner an organization will be able to manage risks within its risk appetite with reasonable assurance regarding the achievement of entity objectives.

The establishment of a sound ERM frame work shall be established and based within the overall governance structure of an organization. This is essential for the effective implementation of ERM process. It is therefore recommended for insurers to integrate their ERM framework with the insurer business operation in order to reflect the desired business culture and behavioural expectation and address the potential risks faced by the insurer. Hence, the establishment and operation of the ERM framework should be led and controlled by the insurer’s board of directors and senior management (IAA, 2009).

ERM framework differ form organization to organization depending on the nature of their business operation and culture of insurer. The ERM framework for a small motor insurer operating in one country will differ from the ERM framework established by a global insurer. Thus the major objectives when setting ERM framework is to proportionally integrate the ERM process with the nature, scale and complexity of the insurer (IAA, 2009).

In addition it is often essential to consider the combination of work behaviours of people in the organization when setting ERM strategy, function and framework. This directly refers to the risk culture of the insurer, which affects the effective implementation of ERM frame work. Employees of an insurer should be willing and able to use the appropriate behaviours to support risk related activities so that over time these behaviours will create the desired risk management culture (IAA, 2009).

2.9.1. Establishing context

It is necessary to have a contextual reference to a firm status in order to understand the nature and character of the internal and external risk faced by an organization. Hence, it will be the first step to assess the internal and external environment. The internal environment is the context in which other components of ERM are applied because the internal environment of the bank possesses a significant impact over how ERM is implemented and executed. Particularly an entity is expected to develop a risk philosophy at this primary stage of the ERM process that expresses the sets of shared beliefs and attitudes characterizing how the entity considers risks in each business operation of an entity that is highly integrated with the entity risk culture (COSO, 2004).

In addition, establishing a context regarding integrity and ethical values of the people who create, administer and monitor entity functions essential for the development of a transparent ERM frame work that ensure the accountability on each risk management activity. Individual experiences such as value judgments, attitudes should be addressed in a code of conduct that expresses an entities statement of position on integrity and ethical value (COSO, 2004).

At this stage of the ERM process it is essential to set the risk appetite and tolerance limit that will be applicable to entities strategic objectives (COSO, 2004). Similarly insurers develop risk management policy that contains a well-defined risk preference, risk appetite, risk tolerance limits along with the escalation procedures then the limits are approached or breached. Risk management policy should also include portfolio risk assessment of assets and liabilities, performance measurement based on risk adjusted returns and communication by management of the risk responses and metrics for the organizations (AAA, 2013).

2.9.2. Risk identification and assessment

According to Enterprise Risk Management Committee (2003) insurers may use different kind of mechanism, for documenting the material threats faced by an organization that pose risk on organizations objectives, such as surveys, internal workshops, brainstorming sessions and internal auditing. Moreover it a mechanism by which in identifying the competitive advantages that can be exploited to achieve organizational value.. In order to ensure the effectiveness of the risk management process it is important to primarily define and understand the risk an insurer is exposed to. Particularly the range of risks faced by insurers that emanate from the assets of the organization; the liabilities generated underwriting the insurance risks and the strategies and operations of the organization itself (AAA, 2013).

Internationally many insurance organizations consider adopting and conducting periodic senior management workshops that serve as a qualitative assessment of risk, with the support from information on risk registers, surveys or interview and established common risk language (ERMC, 2003).

Similarly, as discussed in the previous section of the literature review the NBE, ISD has identified eight minimum standards for inherent and significant risks. Base on these minimum national standards insurers are expected to develop a comprehensive list of all the significant material risks that is unique to the insurer in terms of size, complexity of business operation and risk characteristics (COSO, 2016).

2.9.3. Risk analysis and quantification

Analysis and quantification of risk follows the risk identification phase of the ERM cycle and may involve wide range of methods and approaches. Analysis and quantification is measuring of risks, if possible using a probabilistic distribution outcome for each risk to materialize. Analysis may differ on the company’s nature of operation, type of investment involved in and sophistication of operations. Usually analysis might be performed on qualitative and/or quantitative measures, with sensitivity analysis, scenario analysis, and/or simulation analysis applied. Insurers based on their claim data over a period of time and the cost exposure data they might be able to determine reasonable forecast of costs and variability in cost (ERMC, 2003).

Assessment of risk that compares the impact and likelihood of risk occurrences is valuable for management for decision making. In order to make a clear distinction on the level of impact of each risk it is necessary to primarily measure and quantify each type of risk an insurer is exposed to. Different types of risks may require different types of modelling techniques. For instance, the range of techniques used or considered appropriate for most insurance business are listed below with a more general and broad standard categorization (IAIS, 2007).

Most measures used in ERM practice are either related to solvency measures or measurements of volatility of the organizations performance. Solvency related measures concentrate on the adverse “tail” of risk probability distribution relevant for economic capital requirement (ERMC, 2003).

2.9.4. Risk integration and prioritization

The Causality Actuarial Society (CAS) describe the process of integrating risk as the expression of aggregate risk distribution and portfolio effect in terms of impact on enterprise key performance indicators which is called the aggregate risk profile (Enterprise Risk Management Committee, 2003).

Several risk exposure of an organization especially in the financial sector, are highly correlated. It is one of the major effects of ERM to capture these correlations. For instance interest rates and inflation rate often are said to generate a cause and effect relationship to a common higher level inputs (ERMC, 2003).

It is necessary to develop a separate impact and likelihood of occurrence of each risk exposure in order to form an aggregate risk profile that serve as a „risk map‟ to give management the state of condition and future expectations for heir organization regarding wide range of risks across all functional units of an organization (ERMC, 2003).

Risk profiling is necessary to provide insurers a systematic way of recording to provide insurers a systematic way of recording and reporting that facilitates common understanding and articulation of risk (IAA, 2009). According to the International Association of Insurance Supervision (2007) Risk profiling is not a stale or one time activity but requires frequent maintenance to be mindful about the potential risks and their related impact and likelihood effect on the aggregate risk profile. Risk profile serves as a snap shot of management information about the top 10 risk exposures (IAIS, 2007).

Risk profiling also known as risk map is necessary for management at this stage of ERM process to make the decision of which risk to prioritize for treatment phase of ERM process because a risk map depicts each risk exposure in a way that highlights which risks are more significant (much higher likelihood and/or impact) and vice versa (COSO, 2004).

After the so called aggregate risk profile is determined prioritizing accordingly in order of the level of impact on performance and objective of an organization becomes the next step i.e. prioritization of risks. This is important for making the appropriate treatment for each risk. In prioritizing risk an organization might use different technique in order to develop a “risk map” of an organization that can be supportive for decision making (ERMC, 2003).

[...]