Effective Risk Reporting Sunder Krishnan Chief Risk Officer

Effective Risk Reporting Sunder Krishnan Chief Risk Officer Reliance Life Insurance Company

2007 Global crisis • One of the most significant lessons learned from the global financial crisis that began in 2007. • Information technology (IT) and data architectures were inadequate to support the broad management of financial risks. • Weak risk data aggregation capabilities and risk reporting practices. • Severe consequences on the stability of the financial system as a whole. • As a result, the Basel Committee has issued supplemental Pillar 2 (supervisory review process) to enhance ability to identify and manage risks Confidential Slide

The Anthem case – Hackers stole massive data q q q q q Tens of Millions of Anthem Inc. Customers in a massive data breach Largest in Corporate History Personal Information compromised - Name, Birthdays, Medical IDs, Social Security Numbers, Street Addresses, e-mail addresses, employment information, Income data Damage is being assessed – not yet known whether credit card data is compromised – FBI is investigating Very Sophisticated external cyber attack Largest in the series of companies to suffer severe data breaches Very swiftly informed the authorities Personal Apology by CEO to all the customers / members Everyone urged to change their passwords – all customers would receive some Identity Fraud Protection ? ? ? Last year hackers obtained credit card data of 40 Million Target Shoppers as well as personal information of 70 Million Customers Confidential Slide 3

Risks - Traditional q q q q Insurance – Morbidity & Mortality Risks for Life & claims & pricing for Non-life Lower Persistency than expected Expenses / costs – underestimated Customers / agents / advisors not adequately identified Inadequate distribution or product roll out Inappropriate selling practices Morbidity & Mortality estimations deviate from actual Financial / Reporting reliability New Businesses lower than expected Risk Inferior return on investment Solvency / fund crunch issues Compliance issues with Agents exams & training Infrastructure not geared up for new businesses Inadequate investigation of death / accident claims Inadequate underwriting guidelines – lack of tie ups with adequate number of quality medical centers, inadequate documentation & information obtained from policy holders Reputation Risk Confidential Investments Risk Legal / Regulatory / Ethics / fraud Risk Operational – People, Technology & Process Risk Slide 4

Emerging Risks q q q q q Unforeseen risks from technology – hacking, malfunction, not meeting requirements International terrorism New diseases Untested areas of insurance High competition and thin margins – leading to inferior risk basket of proposals (wrong end of the cycle) Need for scale – expectations of high volumes and market versus reality Need for Intermediation – banks, MF, Distributors…. . support infrastructure § Not adequately geared yet Infrastructure issues – not adequately supporting micro Insurance Thinning talent pool of updated insurance professionals compared with the demand § High attrition rates Changing technology – necessitating constant upgrading – funds guzzler Increasing customer awareness and expectations Risks on processes, technology and people – leverage required to grab opportunities and meet severe competition Outsourcing risks Innovations – face regulatory risks Alliance risks Corporate Governance Risks Marketing – Hype risks Confidential Slide 5

Need for Effective Risk Reporting • Enhance the infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks • Improve the decision-making process throughout the organisation; • Enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level; • Reduce the probability and severity of losses resulting from risk management weaknesses; • Improve the speed at which information is available and hence decisions can be made; • Improve the organisation’s quality of strategic planning and the ability to manage the risk of new products and services. Confidential Slide

Principles of Effective Risk Reporting 1. Governance 2. Data architecture and IT infrastructure 3. Accuracy and Integrity 4. Completeness 5. Timeliness 6. Adaptability 7. Accuracy 8. Comprehensiveness 9. Clarity and usefulness 10. Frequency 11. Distribution 12. Review 13. Remedial actions and supervisory measures 14. Home/host cooperation Confidential Slide

Internal Financial Framework Overview Clause 49, listing agreement Listed • CEO/ CFO Certification • Establish and maintain internal Control • Evaluate effectiveness of the internal control systems • Deficiencies in design or operations of internal controls • Steps taken to rectify the deficiencies Listed / Unlisted Companies Act 2013, Sec 134: As per section 134 (5) (e) of the Companies Act 2013, directors need to make an assertion in Directors Responsibility Statement that they have laid down internal financial controls to be followed and that such IFCs are adequate and operating effectively. Section 177: Under section 177 (4) (vii), the duties of the Audit Committee include evaluation of internal financial controls. Section 143: Under section 143 (3) (i), Statutory Auditors are required to make a statement in their Auditors Report, whether the company has adequate IFC system in place and the operating effectiveness of such controls. Schedule IV: The roles and functions codified in Schedule IV of The Companies Act 2013 clearly state that independent directors shall satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible. Framework Confidential Adequate Operating Effectively Slide

Internal Financial Framework Overview Definition of Internal Financial Controls as per Companies Act, 2013 Internal Financial Controls (IFC) “policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information” Confidential Financial Reporting Controls Operational Controls Technical Controls to address Financial Assertions (includes Fraud and IT risk) Fraud Implications Efficiency / Service Implications Quality / Maintenance / etc Slide

Enterprise wide Risk Management – The Building Blocks Effective Risk Reporting is an important part of ERM governance Confidential Slide

RISK MANAGEMENT WORKING STRUCTURE Operational Risk Market & Credit Risk IT Risk & BCP Insurance Risk 1. Risk Investigation • 1. 2. Risk Projects 3. KRI Dashboard 4. Risk Mate / Automation 5. MIS and reporting 1. 2. 3. 4. Risk Review Continuous Monitoring Risk Assessments Risk & Control Self Assessment Risk based internal audit Co-ordination BCM audit monitoring 5. 6. Confidential • • • Mid office Investments Market Risk MIS Limit Monitoring Voice Call Tracking Personal Trading Credit Review Investments concurrent audit co-ordination 2. 3. 4. 5. BCP monitoring & co-ordination DR follow-ups IT risk review & co -ordination IT Risk Assessments CAATs 2. 3. 4. 5. ALM Monitoring & co-ordination Insurance risk measures Strategic risk Underwriting Risk Actuarial Risk Both Reputation and Financial impact of each risk is managed Slide

How an Organization could gear up for best practices in Risk Management Strategy Enterprise Risk Management Environment Strategy Risk Appetite Analysts Economic Capital Regulator Risk Diversification Rating Agencies Finance Portfolio Optimization Compliance Process Infrastructure Disclosure Confidential Investors Risk Modeling Risk Mitigation Risk Financing ORSA Data Reporting Modeling Stakeholder Mgmt Risk Mgmt Accounts RM Framework Operations Mgmt Information Solvency & Financial Condition reporting Projects Business Units Slide 12

Effective Reporting at Reliance life Reliance Capital Internal audit Nippon Reliance Life Insurance Company Limited – Reporting to Board & Executive Management Confidential Regulators Slide

Creating a Heat Map and Mitigation Plan of action for Red Risks ü Responsibility for action ü Follow up and update ü Confidential Slide

Risk Management Framework & Committee Broad objective of the Risk Management Committee is to ensure that risk management processes are followed as per COSO guidelines. Confidential Slide

Export – Web Send researches to an Intranet server and give users navigation and graphic tools Trends and Reports' Forecasting Expense Mgt. generator - Follow up in time of profit centers (Agents, Products…) - Expenses Reporting - Trends and Budget -Business simulations - Taylor made Reporting -Taylor made follow up of entities - Define specific indicators Import files Clean data Create variables Customers' profile -Portfolio segmentation - Cross-selling New policies' profiles - Lapses' profiles Products management - Profit and Loss areas - - Review pricings - Scoring - Simulations on new pricings Make insurance calculations Create Pricing Claims - Build - Claims' explorer - Reporting new pricings. in Pure Premium. in % of value - Frequency and Cost modeling Analyze the Risk Premium and stratify values Real Time processing - Reserving Triangulations Stochastic models - Claims segmentation Portfolio explorer System 1 System 2 System N-1 System N (example: Auto Company A) (example: Auto Company B) (example: Fire) (example: product p) Periodic Confidential update (copy) of the information – Policies, Expenses and Claims Slide

Evaluating Risk Appetite • Define vision • Design/Review target portfolio by – Industry – Geography 1. Strategic – Product type Planning • Distinguish between – Corporate – Retail (personal, SME) – Treasury • Risk return expectation of the bank • Risk grade of the portfolio 2. Evaluate Risk Assessment 3. Set Target Returns Ongoing Planning and Performance Measurement Process 6. Monitoring And Performance Reporting • Risk position • Comparison of actual v/s target portfolio • Risk adjusted performance measures • Financial performance Confidential • Competitive positioning • Strategic aspirations • Risk/return profile of SBU’s 4. Allocate Capital 5. Business Unit Transactions • Capital allocation • Risk weighted return measurement • Risk incurring transactions • Risk mitigation tactics Slide

Reporting requirements Monthly Risk meeting on Risk practices and implementation Reliance Capital (Group Company) Quarterly CRO meeting on review o f Status Quarterly Group Conglomerate meeting on aggregation of risk practices Monthly reporting on Risk trending, indicators, market risk and operation risk Annually reporting of all policies procedure and practices Nippon Life Risk Reporting Inspection of risk management and audit practices annually Conducting various audits and submitting reports to stakeholders and Audit Confidential regulators Internal audit, IFC review, Statutory audits and concurrent audits Slide

Reporting requirements IRDA reporting and other regulatory reporting Monthly Risk meeting on Risk practices and implementation Quarterly CRO meeting on review o f Status Quarterly Group Conglomerate meeting on aggregation of risk practices Monthly reporting on Risk trending, indicators, market risk and operation risk Collation of various reports of risks, frauds, investments and market risk Quarterly reporting to Board for the following activities Board and Executive Management Confidential Financials Risk Dashboard Key risk indicators Quarterly audit report of financials and key regulations by auditors Internal audit report Investments ALM Report (Asset Liability Management) Compliance update – circulars and reporting deadlines Monthly reporting to Executive Management Risk Dashboard to Risk Committee Key ratios and key risk issues Compliance Update Dashboard of various service TATs Investment committee ALM committee Slide

Expectations from Actuarial for Effective Risk Reporting Adequate Statutory reserving Effective disclosure on Business /Product Assumptions Expectations Monitoring of Assumptions vs actual of insurance risks such as from Actuarial for claims, mortality, persistency, expenses and new business Effective Risk Business parameters Reporting Channel wise monitoring Product wise monitoring Confidential Slide

Risk Management Framework q Risk Management framework with independent reporting line to CEO / CRO / Group – matrix reporting to Audit committee and Board § § § q q q Governance – Policies and processes Identification – Risk Assessment, Stipulation of risks along processes and projects Measurement – Quantification and Qualification of risks and losses / impact – Financial and Reputation – risks not measurable are qualified Monitoring – Identification, tracking and control of risk events and resolution thereof Mitigation – Proactive management of risks Quarterly review of the framework – efficiency and effectiveness Appointed Actuary a part of the Risk Committee / Framework Risk Management operational framework – few key areas: q § § § § Operational risks, Product / Pricing risks, Risk Transfer to Reinsurance, Underwriting policies…. Fraud prevention framework, Mis-selling, Investigations, Risk Control and monitoring ALM risk or a separate ALM / ALCO with AA as a member Insider Trading Policy Information Systems Risk Management processes – key processes: Control Self Assessments, Root Cause Analysis, Risk Assessments and Risk Reviews q Awareness q Vulnerability q Assessment q Responsibilitie q Policy q Controls q Measurement q Detection s Whistle blowing q Confidential Slide

Solvency II Architecture Three Pillars 1. Quantitative Requirements • Market Consistent Valuation • MCR & SCR • Formula to calculate SCR is likely to be based on Tail Value at Risk Va. R 99. 5% 1 -Year • MCR-relation to SCR to set up • Internal models for SCR • Recognition of Credit Risk mitigation • Recognition of Credit for diversification 2. Qualitative Requirements • Emphasis on good governance • Own Risk & Solvency Ass. 3. Disclosure & Reporting • New requirements for disclosure to harness market discipline in support of achieving regulatory objectives • Supervisory Review Process • More developed than in Basel • New requirements for transparency Third pillar of Solvency II Architecture requires Effective Disclosure and reporting Confidential Slide

Integration of ORSA with Internal Solvency II Model Fit & Proper Risk Management Systems Pillar I – Quantative Pillar II - Qualitative General Governance Own Risk and Solvency Assessment Internal Audit Operational Risk Actuarial Function Market Risk Underwriting Risk Default Risk Good Repute Confidential Outsourcing Internal Control Slide

Integrating Risks to Solvency II Model q Counter Party Default Risk q Using Exposure, Probability of Default and Loss Given Default q Type I Exposures: Reinsurance arrangements, Derivatives, Securitizations, Deposits with ceding institutions, letters of credit and cash at bank. =>99. 5 th percentile of the variance of the combined exposure q q Type 2 Exposures (More diversified but unrated): Receivables from intermediaries, policyholder debtors and deposits with ceding institutions (if numbers of counterparties are below a certain threshold) => Sum of the [Exposure multiplied by a (generic) Risk Factor] Credit derivatives: credit risk transferred goes to (market) credit spread risk Confidential Slide

Integrating Risks to Solvency II Model – Continued… q Market Risk q Interest Rate Risk: Increase in the volatility of Interest Rates q Currency Risk: Most Onerous result for each individual foreign currency and the aggregate q Stress Risk: Credit Stress vary by duration q Property Risk: Consider differential shocks to commercial, retail and other types of property q Concentration Risk: Thresholds 1 -2% (from 3 -5%) Confidential Slide

Integrating Risks to Solvency II Model – Contd… q q q Life & Health Underwriting Risk: Mortality Stress: 15% permanent increase in Rates (from 10%) Morbidity/disability Stress: 20% permanent decrease in recovery rates Inception rates 50% increase (from 35%) in inception rates in year one followed by 25% increase for all subsequent years Lapse Stress: The greater of 50% increase in lapses 50% decrease in lapses Sum of 30% of surrender strains of policies where the surrender strain is positive CAT Risk: A 2. 5 per mile mortality catastrophe test (from 1. 5 per mile in QIS 4) Morbidity CAT stress moved to health risk – a number of pan – European catastrophes will be developed Confidential Slide

Integrating Risks to Solvency II Model – Contd… q Operational Risks q Additional elements: q q Risks arising from any external management of investments: 0. 5% of highest amount held with a single 3 rd party management company q Risks associated with increased business activity: q Additional capital if the technical provisions/earned premium are expected to increase by more than 10% over the year q Risk associated with the use of management actions in calculating life provisions: q q An increase in the loading applied to life technical provisions Substantial increases in the capital factors: q Still no credit for diversification between operational and other risks Confidential Slide

Risk Appetite n n n n Environment risk Country Risk and Macro Indicators Nature of business, regulations and Impact Industry trends Profitability Asset base and solvency Stake holders expectations – Owners – Regulators – Government – Customers Confidential Slide

Risk Management Strategy Risk Management Framework n Enhancement and Extension of risk framework across n Support to Risk Based Capital n Rating for ERM (Enterprise Risk Management) Self Risk Management n Self Risk assessment across functions and decentralization n Facilitation process n Corroborative Risk Management Automated Risk Management Quantitative Risk Management tool Embedding risk management in process, technology and trainings Confidential Slide

Improvement in risk management practices Need to integrate these practices into the management process Possible change in organization structure Greater volatility in balance sheet Possible move to less volatile asset classes Greater diversification of assets and use of risk mitigation Increased capital requirements for higher risks More innovative risk management Industry consolidation Changes to product design Revision of product diversification Confidential Slide

Expected Impact on Insurers Confidential Slide

Some Key statistics Confidential Slide

Thank you