© Copyright Allianz SE
Compliance Risk & Maturity Roll-out European Region
Group Legal & Compliance / CIAT
Munich, February 2017
Internal
CLASSIFICATION: INTERNAL
ALZ.0001.0097.3494
The Vision…
We jointly bring the Compliance Risk Management to the next level in line with the Renewal Agenda
We focus on key risks to avoid losses and protect the reputation of Allianz in compliance with Solvency II
We build one integrated platform and approach (ORGS/IRCS)
This enables all of us to assess risk, evaluate programs (maturity), test control design and effectiveness and report the results transparently
We want to leverage the expertise, knowledge and resources of all levels of defense in order to contribute to an effective and best-in-class Compliance Management System as a part of an Integrated Risk and Control System
We consider it as success, if the whole compliance community is implementing the concepts following the processes completely and consistently using ORGS
A Compliance Assurance program is an integral component of a strong Compliance Management and Internal Control System
The new Integrated Risk and Controls System process will be rolled out to the entire Group in a 3-year staggered approach

AZ Risk Catalogue: Compliance, Operations, Insurance, Market/Credit/Liquidity, Legal/Tax/Other

Risk Scoping
• Confirm significance of scoped risks
• Tailor risk description if necessary
• Add responsibilities and document

Control Environment Effectiveness
• Key control identification & documentation and responsibilities
• Key control assessment
• Identify control gaps
• Control environment assessment

Actual Risk Assessment
• 1-in-20 year assessment
• Reputational impact

Response/Monitoring
• Mitigate the risk (e.g. action plan) by improving control environment
• Accept the risk
• Rational
• KRIs for material OpRisks

Reporting

(Diagram labels: I, II, III, IV, V; RCSA)
The Compliance Risk Assessment process is fully integrated into the IRCS

Risk Scoping (steps 1 to 5)
• Risk scoping: Identify the applicable risks & add local risks
• Inherent Risk: Assess the inherent risk for the applicable risks and generate the Shortlist and Significant risks
• Program Maturity: Assess the Program Maturity and generate the Risk & Maturity Matrix
• AOM Mapping: Map Shortlisted risks to AOM functions (only for IRCS OEs)
• Expert Challenge: CSC member Expert challenge discussion on 1, 2, 3

RCSA Workshops (steps 6 to 9)
• Preparation: Do pre-assessment of 1-in-20 for Significant risks and gather information on controls
• Control Environment: Discuss the control environment and identify key controls
• Actual Risk: Assess the 1-in-20, reputational risk and control environment effectiveness
• Response/Action Plan: Mitigate* or Accept the risk; if the risk response is to mitigate, define an action plan

* Consider the Risk & Maturity Matrix outcome
Compliance will roll out only the Risk Scoping part of the IRCS process for all OEs in 2017

Risk Scoping – 2017 Compliance Roll-out (steps 1 to 5)
• Risk scoping: Identify the applicable risks & add local risks
• Inherent Risk: Assess the inherent risk for the applicable risks and generate the Shortlist and Significant risks
• Program Maturity: Assess the Program Maturity and generate the Risk & Maturity Matrix
• AOM Mapping: Map shortlisted risks to AOM functions (only for IRCS OEs)
• Expert Challenge: CSC member Expert challenge discussion on 1, 2, 3

Only for RCSA OEs: Follow the RCSA approach in accordance with the RCSA Guideline. In the RCSA workshops only focus on significant risks instead of the entire mandatory RCSA catalogue
How to prepare for the 2017 Risk Scoping?
Entity coverage
• Review the entity coverage flowchart and Excel tool
• Document the entity coverage together with your local Risk Function

Workbook
• Familiarize yourself with the Workbook, the Compliance risks in the Group Risk catalogue and any local loss data

Inherent risk
• Contact your local Risk Function in order to obtain the materiality basis for the inherent risk assessment
• Understand the inherent risk rating methodology

Maturity
• Understand the maturity rating methodology
• Familiarize yourself with the Level 3 Descriptions for Program Maturity
Required activities
Participate in Trainings in March
• Join a training session and learn about the new process

Document Entity Coverage
• State which entities in your OE submit a combined or individual risk & maturity assessment

Complete Workbook
• Complete risk scoping, inherent risk assessment, program maturity assessment
• Check the auto-populated Risk & Maturity Matrix in the Dashboard

Complete Risk & Maturity Report
• Complete PowerPoint Template

Do Expert Challenge
• Participate in Expert challenge with your CSC member

Deliver results to CIAT (or Region/Global Line for combined submission to Group)
• Send Risk & Maturity report to CIAT or Region/Global Line first
Next Steps
| When | European Region |
|---|---|
| March 7th | In-person training in Munich relating to risk scoping |
| End of April | Complete Entity Coverage Calls with Elena and Irene (determining which/how many assessments have to be conducted) |
| May 19th | Complete Entity Coverage Tool, Workbook, draft Risk and Maturity Report for the required entities |
| June 21st-22nd | Discuss draft Risk and Maturity Reports during the European conference in Munich |
| May 19th to end of July | Complete follow up calls (“Expert Challenge”) with CIAT team (Elena, Irene, Savoula) and finalize Risk and Maturity Reports (replacing Heat Maps) |
Backup
Inherent Risk Rating Matrix
| Impact (the higher of financial impact and rep. Risk) \ Occurrence probability | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 1 | very low | very low | very low | very low | low |
| 2 | very low | very low | low | low | moderate |
| 3 | low | low | moderate | moderate | high |
| 4 | moderate | moderate | high | high | very high |
| 5 | high | high | high | very high | very high |

The Inherent Risk is the link between:
• the probability that a given risk will occur (on a 1 to 5 scale from rare to almost certain), and
• the higher of either the potential financial impact of the risk or the reputational impact (on a 1 to 5 scale from very low to very high),
prior to the consideration of any controls in place (i.e. controls are non-existent, improperly designed or improperly executed)
The risk layers
• 35 Group risks: Mandatory Group Risk Catalogue
• Applicable risks: Risks applicable to the entity based on expert judgment
• Local risks: Additional local risks applicable to the entity
• Shortlist: Risks rated moderate or higher
• Significant risks: Risks rated high and very high, which get an actual risk assessment
The Program Maturity Concept
Ten Group Compliance Programs
• GC Compliance Organisation
• Sales Compl.
• Data Privacy
• Econ. Sanctions
• Anti-Money Laundering
• FATCA
• Anti-Fraud
• Anti-Corruption
• Capital Market
• Anti-Trust

Five Elements of each Program
1. Risk Assessment and Gap Analysis
2. Policies and Procedures
3. Roles and Responsibilities
4. Awareness and Training
5. Monitoring, Incidents and Reporting
Each Program Element must be rated on a 1-5 scale with an indication if the rating is based on a self-assessment

| Maturity Level | Maturity Rating | Independent test of design? |
|---|---|---|
| Ad-hoc/Initial | 1 | Y/N |
| Reactive/Repeatable | 2 | Y/N |
| Defined | 3 | Y/N |
| Managed | 4 | Y/N |
| Optimized | 5 | Y/N |

Program Elements:
1. Risk Assessment and Gap Analysis
2. Policies and Procedures
3. Roles and Responsibilities
4. Awareness and Training
5. Monitoring, Incidents and Reporting

Weights (as listed on the slide): 16,55%; 22,3%; 16,55%; 22,3%; 22,3%

Each Program Element carries a different weight towards the final assessment.
Independent Test of Design and implementation status
DEFINITION
• A test of the design or implementation status of the local Compliance Program in an Entity against the Group Compliance requirements is considered independent if it is performed by someone that is not the Control Owner (i.e. he/she is not responsible for the local Entity program design) or not the Risk Owner or Control Performer (i.e. he/she is not responsible for local implementation). Group Compliance, Internal Audit, External Audit are typical independent testers.

PURPOSE
• The existence of an independent test of design gives context to the maturity rating and only indicates whether the maturity rating is based on a self-assessment or not
The Key differentiators between the Maturity Levels
• Level 1 (Ad-hoc/Initial): Compliance happens on an ad-hoc and as needed basis.
• Level 2 (Reactive/Repeatable): Some compliance processes/activities are in place but they are based on a reactive environment and may be incomplete.
• Level 3 (Defined): Compliance processes/activities are in place, are complete and appropriately designed
• Level 4 (Managed): Compliance processes/activities are in place, appropriately designed, complete and process controls tested for effectiveness
• Level 5 (Optimised): Compliance processes/activities are in place, appropriately designed, complete, process controls tested for effectiveness and continuously improved.

Key Differentiators
• GC Design is fully in place (with approved deviations)
• Level 3 + Key Process control testing takes place
• Level 4 + Risk Mitigation action plans are closed and controls continuously improved
Risk and Maturity Matrix Report
[OE/Region/Global Line] 2017 [Division]

Risk & Maturity Matrix Result
[Matrix: Inherent Risk rating (1 to 5) against Program Maturity rating (1 to 5), with program markers ES, AML, AF, AC, SC, DP, CM, AT, F]

High Priority Programs:

Legend
• ES: Economic Sanctions
• AC: Corruption
• AML: Money Laundering
• AF: Internal Fraud
• SC: Sales Compliance
• DP: Data Privacy
• CM: Capital Markets
• AT: Antitrust
• F: FATCA

Comment on Compliance Risk/Program Status
Compliance Organization (Rating and Status comment): [Enter Maturity Rating + Comment on Status]
Any questions? Please contact us!
Irene Gürtler
European [email protected]
+49 89 3800 16192

Elena Dimolarova
Risk and [email protected]
+49 89 3800 13106

Savoula Demetriou
[email protected]
+49 89 3800 69516