Taking too long? Close loading screen.

SOA FSA Module: Enterprise Risk Management

Developing an ERM Framework

ERM Framework Criteria (Effective )

  • Scope is enterprise-wide
  • All risk categories included
  • Focused on key risks
  • Enhances decision making ability
  • Integration across risk type
  • Aggregated metrics
  • Balanced risk & return management
  • Appropriate disclosures
  • Measures value impacts
  • Primary stakeholder focus

Challenges to ERM Analysis

The implementation of a strong ERM framework must address three primary hurdles.

  • Quantification of strategic and operational risks
  • Imprecise formulation of risk appetite
  • Decision making is not integrated with an ERM analysis

ERM Process

ERM Frameworks use a control cycle process similar to that of general actuarial work, consisting of the identification, quantification, decision making, and communication of risks across the company.

Risk Identification

In the initial stage of the framework process, all the risks in the universe are mapped into company specific categories based on the potential losses to the company that are relevant to its business plan.

Typically this categorization breaks down into:

  • Strategic risks
  • Operational risks
  • Financial risks

Net Risks

Risks are by default discussed on a “gross” basis, without reflecting the value of techniques used to reduce such risks. But for the purposes of finalizing the quantification, the value of any risk mitigation should be subtracted from the gross basis to compile more accurate values on an aggregate basis.

Both gross and net risk analysis provides information for the quantification of the risk. Similarly, risks can be looked at on a stand-alone basis or aggregated. Looking at risk on an aggregate basis will allow risks within the company that are natural hedges to provide an offset. These natural hedges can be thought of as a type of risk mitigation. For example, a block of life insurance where the risk is people dying sooner than expected may be offset by a block of annuities where the risk is people living longer than expected. The impact of this aggregation provides a diversification effect.

Risk and Reporting

Risk represents the value of losses that are due to business results drifting away from a baseline scenario, including losses that are unexpected.

Individual Level

Reporting an individual risk involves the quantification of multiple risk scenarios for each key risk in terms of its potential impact on the company value.

There is a baseline company value that represents the expectations embedded in the strategic plan.

A risk at an individual level represents a deviation from this expectation, and is calculated in three major stages.

    • Input of data and assumptions
    • Model calculations
    • Output of results

Enterprise Level

Enterprise level reporting produces a dimensionless distribution at a company level. Reporting based on company value impact, usually as a percentage, does not have inherent meaning from a management perspective.

In order to give enterprise level reporting meaning, probabilities of key events that are critical for company management should be noted. For example, it is meaningful to report the probabilities of events such as potential ratings downgrades or losses in company value that are likely to attract board and stockholder attention.

Risk Decision Making

Decisions made in regards to company risks are usually done in three distinct phases.

  1. Defining risk appetite
    • Sometimes defined as risk tolerance, risk appetite represents the level of risk that a company’s upper management can accept. It is in principle a business decision but should be made in light of the facts regarding the competitive environment and the company’s overall position in the economy.
  2. Managing enterprise exposure within risk appetites
    • All the prior steps in the ERM process lead to the active management implied by the appetite statement. The process of calculating risk is ultimately a matter of mechanics, risk appetite is a decision, and bringing the two processes together involves periodic risk monitoring and statement comparison.
  3. Strategic planning
    • Development of an organization’s strategic plan has significant value for ERM. Many of the analyses that go into a strategic plan are representative of what would happen in an unexpected future, most commonly there are multiple SWOT analyses done in conjunction with the strategic plan.
    • A SWOT analysis is a list of a business unit’s Strengths, Weaknesses, Opportunities, and Threats to achieving the primary goals of the strategic plan. You will revisit this topic later in the section as a tool for better understanding risk exposures.

Managing to Risk Appetite

When the level of risk exceeds that defined in the risk appetite statement there are several courses of action possible.

    • Changing the business
    • Changing the risk mitigation
      • Risk transfer often works to reduce financial risk but is costly on an expected value basis. For example, for an insurer a typical tool is reinsurance, with the cost correlated to the reinsurer’s profit. In addition, this typically introduces credit or counter-party risk.
      • Captive reinsurance can be used as an alternative method of risk transfer but this can cause regulatory and compliance risk that may not be reducible.
      • Hedging to reduce risk is typically not 100% effective but has the advantage of allowing upside potential to be retained within the company. Otherwise risk can be avoided by changing business strategy, selling off blocks of business or buying blocks that are natural hedges to the insurer’s current portfolio.
    • Revising the risk appetite
The Cycle of Risk Management Process

The-Cycle-of-Risk-Management-Process.png

Alternative Frameworks

While enterprise value is the most comprehensive risk standard, it is often easier to model capital since it is rule-based or a liability driven model in which all aspects of the firm are not taken into account.

Using capital types as the risk criteria amounts to a risk appetite statement that spells out capital allocations to business units and risk types throughout the firm.

      • Required economic capital: the excess funding needed to be held in order to achieve regulatory and rating agency objectives.
      • economic capital: the amount that should be held to avoid large losses at a high confidence level.

ERM Challenges

Enterprise-Wide Scope

When an ERM program is first developed it often doesn’t have an enterprise wide focus and is contained within the monitoring of a risky product that holds a lot of required capital.

Having a risk management program permeate every area of the company is needed, since it is impossible to predict where a significant risk event will occur. Therefore the risk appetite, program, and management functions in the plan are expected to impact the entire company

Inclusion of all Risk Categories

The three main categories discussed earlier, strategic, financial, and operational, can be expanded to include insurance risk when insurance companies are measured. Ideally all these categories are the focus of the ERM program, but in reality there is often a bias towards reporting on financial risk. This is not an inherent flaw in the system but a natural desire to focus on risks that are more immediate and transparent. A disciplined execution of the ERM framework should be employed to avoid this issue.

Focus on the Key Risks

Since the approach described previously lists the top individual risks as part of the ERM aggregation, it draws the eye to the most critical risks.

Based on the size and complexity of the institution there may in fact be many key risks that are not seen on the first page of the aggregation. As such these risks, while ranked, may be less apparent. To account for this, separate individuals could review different sections of the risk ranking.

Enhanced Decision Making Ability

The goal of an ERM framework is to improve decision making ability. Correctly quantifying and reporting on risk is important, displaying this information in a granular way that allows exposure to be broken down across the company is the key decision making asset of the system.

Integration Across Risk Types

It is easy for a company to form into “silos” in their approach to risk. This can lead to inefficiencies and inconsistency in risk reporting. The aggregation of risk at an enterprise wide level is a key step in getting around the siloed approach.

Aggregated Risk Metrics

The framework is set up to aggregate the company’s total risk exposure and its relationship to management’s aggregate risk target. Both these quantitative and qualitative metrics allow management to determine the risk strategy for the company. Statements such as “we want no more than a 10% chance of losing 20% or more of company value” stem from total aggregation and lead to formations around risk appetite and management.

Balanced Risk and Return Management

An initial reaction to large risk exposures is to reduce them, but with additional information such as the risk management reports within the framework and the resulting risk appetite statement, this is not meant to be the case. Exposures that are acceptable will naturally find their way into the appetite statement and be retained, while other less desirable exposures can then be reduced or transferred.

Appropriate Risk Disclosures

ERM frameworks allow risk reporting in a sophisticated way that can allow for easy risk reporting. Finding the company discipline to report accurately on the results of the framework can lead to competitive advantage over more protected companies.

Measurement of Value Impact

Value can have a subjective definition. The idea of the framework is to create enough available information to calculate on a value-added, risk exposure, absolute value, or any other custom measure. The ultimate output of the system is company value and its sensitivities.

Focus on the Primary Stakeholders

Risk management programs are often geared to focus on the rating agency perception of company value for the purpose of managing the rating and access to capital. ERM frameworks that gear to reporting on company value do not only allow rating agency management. They also show how to increase policyholder and shareholder value, which promotes improved company financial value.

Common Risk Management Tools

  • Risk maps are simply graphical or slide-show like displays of risk exposure across a set of risk categories. These maps can be as simple as the risk categorization itself or multidimensional plots of exposures across the whole company environment.
  • An influence matrix is a tool designed to qualitatively describe the covariance of risks across the enterprise. Showing the interdependence among risks allows the company to focus on those that have the greatest potential impact on the company and its operations.
  • a SWOT analysis is a listing of a company’s Strengths, Weaknesses, Opportunities, and Threats. This analysis is done relative to the current competitive environment, i.e. competitive advantages, disadvantages, external chances to improve performance, and external threats. This divides the universe of risk into those that are both positive and negative and originate from both internal and external sources.
  • Value at risk is a percentile measure of exposure over a given period of time. Filing in the phrase “There is a 99 percent probability of losing less than $X on any given day or transaction within a given period of time” satisfies the concept of VaR. It’s an equivalent measure of a percentile of the loss distribution.

Modeling Considerations in an ERM Framework

  • Reliability: The inputs used should all be easily obtainable and understandable, and ideally the number of variables should be as limited as possible.
  • Speed: Calculations should be simplified whenever possible to allow for minimal run times.
  • Transparency: Management scrutiny should be allowed to the point in which lower levels of data and reports on them are available to back up the conclusions being drawn.

Practical Modeling

It is easier for a modeler to add complexity to a risk model and is often habitual to the modeling process. Too much complexity can destroy a model.

Regulatory Requirements

Regulatory Initiatives

  • Basel II: Created by the Basel Committee on Banking Supervision (BCBS); an international standard for banking regulators to ensure capital that banks hold is sufficient to guard against financial and operational risks.
    • Pillar I – Minimum Capital Requirements: Covers the details for calculating the amount of capital the bank must hold to protect against its risks. The main components are credit, market, and operational risk.
    • Pillar II – Supervisory Review: Addresses capital adequacy assessments by banks and supervisors, as well as intervening actions that should be taken by supervisors if banks are not appropriately capitalized.
    • Pillar III – Market Discipline: Complements the first two pillars and provides requirements on what banks must disclose with respect to risk management and capital management.
  • Basel III: A comprehensive set of reform measures, to strengthen the regulation, supervision and risk management of the banking sector (supersedes Basel II).
    • In response to weaknesses discovered in the 2008 financial crisis, Basel III was introduced in 2010. Goals of the latest Basel Accords are to improve bank liquidity and decrease bank leverage, and are set to be implemented from 2013 to 2018.
  • ComFrame: Guidance developed by the International Association of Insurance Supervisors (IAIS) to establish a common framework for the supervision of Internationally Active Insurance Groups (IAIGs).
  • IAIS Insurance Core Principle 16 (ICP 16): Guidance for insurance regulators to establish risk management requirements for solvency purposes that require insurers to address all relevant and material risks.
  • Dodd-Frank Act: Among its many objectives, this U.S. law established new federal regulatory powers over the insurance industry, in addition to state-based supervision and regulatory authority. In particular, it:
    • Established the Financial Stability Oversight Council (FSOC) to regulate systemically important institutions.
    • Created the Federal Insurance Office (FIO), aimed at monitoring the insurance industry for potential systemic threats and coordinating on international insurance matters.
  • Solvency II: European Union initiative that will establish prudential capital requirements, strengthen enterprise risk management activities, and promote greater financial disclosure for insurers. Similar to the Basel II regulation for banks, Solvency II is based on three pillars:
    • Pillar I: sets the amount of risk capital an insurer should hold.
    • Pillar II: sets out the requirements for governance and risk management of insurers, and for the effective supervision of insurers.
    • Pillar III: sets out necessary disclosures to the regulators and to the public.
  • NAIC Solvency Modernization Initiative: A critical self-examination of the U.S. insurance solvency regulation framework which includes a review of international developments regarding insurance supervision, banking supervision, and international accounting standards; along with their potential use in U.S. insurance regulation.
  • OSFI Supervisory Framework: Guidance from Canada’s Office of the Superintendent of Financial Institutions on a risk based approach to the regulation and supervision of financial institutions.
  • Own Risk and Solvency Assessment (ORSA): A requirement for insurers by U.S., Canadian, European, and other regulatory jurisdictions.

Defining, Identifying and Evaluating Operational Risks

Definition of Operational Risk

Basel II defines operational risk as:

the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

For an insurance company, credit risk and market risk are significant non-operational risks, but there are other risks that need to be considered as well.

  • Liability risks are inherent in the outstanding insurance contracts.
  • Strategic risks are those related to decisions regarding what to do, such as which markets to enter and what products to offer.
  • Reputational risks are those involving perceptions of present and future stakeholders, in particular both policy owners and shareholders.

When the risks listed above are all excluded, a narrow definition of operational risk remains:

the risk associated with the processes by which the company turns strategic goals into products and services and with the structure that supports the processes.

Operational Risks vs. Financial Risks

Many in the risk field think that operational risk differs from financial risk. Even though the risk profession and the regulatory framework encourages organizations to put risks in specific boxes for management purposes, it remains that operational and non-operational risks cannot be easily separated.

For example, when a credit claim occurs, is it purely a financial risk happening or is it due (at least in part) to any or all of the following?

Improper credit risk underwriting (a process issue).

    • An absence of credit monitoring (an IT issue).
    • An external event (such as economic conditions).
    • Although the credit loss could be recorded as a credit event, it is very often the consequence of operational issues. The same holds true for other financial risks.

Key Risk Indicators (KRI)

Possible indicators for monitoring operational risks include:

  • Employee turnover in manual data processing functions – more frequent turnover could stretch training capabilities and lead to errors.
  • Trends in unemployment rates – higher unemployment rates could increase the likelihood of receiving fraudulent insurance claims.
  • Time since replacement of IT infrastructure – relying on older IT equipment could expose the organization to system failures.

Quantitative Methods: Basel II

Basel II prescribes three approaches for estimating operational risk, which vary in complexity. You should become familiar with these methods for calculating operational risk capital charges and the qualifying criteria for each approach.

Basic Indicator Approach

This is a simplified approach where operational risk capital is based on a fixed charge applied to the bank’s gross income over the previous three years.

Standardized Approach

The standardized approach also involves fixed charges specified the regulator, but the bank’s exposure is broken down by line of business in order to provide a greater level of detail.

Advanced Measurement Approaches (AMA)

This approach allows banks to use internal models to calculate the operational risk capital if they can demonstrate to regulators that these models are reliable and appropriate.

Quantitative Methods: Actuarial Perspective

  • Data availability is a key constraint to quantifying operational risk.
  • The actuarial method of quantification seeks to overcome data limitations by modeling the frequency and severity of operational risk losses separately.
  • Quantifying operational risk almost always relies on a combination of internal and external data to model losses. The characteristics and limitations of these data need to be understood in order to make sure operational risk calculations are used appropriately by the organization.
  • Since operational risk modeling is primarily interested in outlying data points, a smaller data set collected over a longer time horizon may be more useful than a larger set collected over a shorter time horizon. This is because a longer window is often needed in order to observe extreme events.

Mitigating Operational Risk Through Insurance

In some cases, managing operational risk through internal controls would be impractical or too costly. Consequently, organizations may seek insurance coverage as another means for mitigating operational risk. Reducing operational risk exposures by purchasing insurance also carries the advantage of reducing the capital that must be allocated to operational risk.

The reading introduced the following forms of operational risk insurance:

  • Employment Practices Liability
  • Non-Financial Property
  • Unauthorized Trading
  • General & Other liability
  • Fidelity/Bankers Blanket Bond
  • Electronic Computer Crime
  • Professional Indemnity
  • Directors and Officers Liability

Operational Risk and Reputational Risk

Basel II definition of operational risk excludes strategic and reputational risks. However, over the years, operational and reputational risks have become more intertwined.

A major operational risk event will affect the value of the firm and damage its reputation if the response is not managed well. When news of an operational incident breaks, the value of the firm often drops by a certain percentage and then rebounds over time if investors and clients believe the firm can recover. In some cases, firms cannot recover and then simply disappear.

Data Issues

Importance of External Loss Data

Quantifying appropriate capital requirements for operational risk remains a challenge for many insurers. This is because internal data on operational losses are often limited and biased. An external source of loss information not only provides evidence for the robust assessment of capital requirements for operational risk. Consortium data also offer an adequate benchmark against which a company’s individual loss experience and risk-management approach can be compared.

Internal Data External Data
Internal data tend to have the following characteristics:

  • Only values above a threshold are collected.
  • Shape is positively skewed.
  • Data for large events are lacking, and so will not be smooth.

A likely cause of the lack of smoothness for large event data is that most of the distribution is from high frequency/low severity losses, but the tail is from low frequency/high severity losses. The latter would be smoother in an external database due to the higher volume of data.

External data can be from a public source, an insurance source or a consortium. Public data are susceptible to biases. Insurance data are only available on losses that are insured. Various organizations have developed consortiums to provide risk-specific data. Those data have the challenge that the reporting basis may be inconsistent among members.

Some recommendations regarding how to make external data “relevant” to a specific organization are:

  • Cautiously scale the data to match your firm’s size.
  • Do not scale subjectively.
  • Do not attempt to select specific data points; use all external data.

Combining internal and external data by selecting relevant losses from an external database and then modifying each loss to make it reflective of a particular firm’s environment is a poor method because it is impossible to know how to adjust a loss to a particular firm’s control environment.

Communication

Communication is key with respect to helping others understand data issues and, more importantly, the impact of those issues on the results of any actuarial assignment. You can have an effective model for answering an important practical actuarial question, but if you don’t effectively communicate the data issues and their impact on the results, the modeling effort is not as valuable as it could be and can even be counterproductive.

The key communication concepts are documentation of what the data issues were and what was done to address the issues, and identification of any resulting limitations on the use of the results. There should be documentation of the data quality review process, including how errors identified were fixed and any adjustments made to the data. This documentation may be best communicated in an Appendix or work files. Communication on any assignment involving data should include reference to the source and quality of the data and any resulting caveats regarding interpretation of the results of the assignment. The analysis of the results of the assignment must keep in mind the nature and quality of the data upon which the results are based.

Risk Measurement Approaches

Extreme Value Theory

Modeling for extreme events will never be able to represent the complexities of real-life situations fully. However, Extreme Value Theory (EVT) is an approach that can assist in understanding the implications of unexpected events. EVT provides tools to understand how losses in the tail of distribution may behave differently from the rest of the distribution.

Models for the Size of Losses: Continuous Distributions

Example: Models for the Size of Losses

Predictive Analysis

  • Expected losses should be reflected in the original pricing analysis.
  • Risk capital should be set aside to protect against unexpected losses.
  • It is unrealistic to protect against all possible future outcomes, so companies must set a threshold for risk capital (e.g. the VaR or TVaR risk measures from the EVT examples). This threshold will depend on the risk appetite of the firm.

Risk Algorithms

Some practitioners believe that certain risk variables can be modeled using mathematical algorithms. When evaluating such algorithms in the context of a business problem, it is important to consider whether or not the underlying assumptions remain relevant. In extreme situations, variables will not necessarily revert to their long-term mean values. For example, consider the current low interest rate environment that has not been seen since the great depression. Although new products are emerging to help companies protect against extreme events (e.g. catastrophe bonds, longevity swaps, and unique reinsurance coverages), extreme risks often cannot be traded or are very costly to off-load.

Many risk modeling approaches rely on risk neutral assumptions which imply that the firm can hedge completely and continuously against risk exposures. This is not always possible in practice, particularly when dealing with unexpected events and extreme risks.

Economic scenario generators use mathematical algorithms to simulate future paths for economic variables such as interest rates and equity returns. Analyzing a wide range of scenarios can help companies understand the potential variability in their financial results. However, as mentioned above, it is important to understand that the underlying assumptions cannot capture or predict every possible outcome.

Non-Normal Risks and Measures of Association

When dealing with extreme events, most of the risks under consideration will not be normally distributed. This creates several obstacles for modeling and quantification, including:

  • The correlation coefficient is not an effective measure of the association between risks.
  • Consequently, an additional model is needed to provide the association structure.
  • When considering risks on a holistic basis, the aggregate distribution may not be directly related to any of the individual risk distributions.

Copula Models

The easiest way to construct a dependency model is to use a copula function. Although there are numerous such functions available, only two will be studied in detail in this module. In general, a copula is a function of several variables that has certain properties (not defined here), but essentially it is defined as a function on a unit hypercube that is a joint distribution function of uniform \([0,1]\) variates.

Suppose \(C(u_1,u_2,…,u_k\) is an acceptable copula function.

Further suppose the k random variables of interest have marginal distribution functions \(F_1(x_1),F_2(x_2),…,F_k(x_k)\)

Then a joint distribution function can be created from the copula function as \(F(x_1,x_2,…,x_k)=C[F_1(x_1),F_2(x_2),…,F_k(x_k)]\)

Copula Models Activity

Use the following instructions below and the attached t-copula spreadsheet to complete the activity. Once completed, click on the Solution button.

Copula Models Activity
Modify the t-copula spreadsheet to do more than 1,000 simulations (instructions are given at the end of the assignment). The number you choose may depend on the speed of your computer. We set it for 20,000 simulations. For parameters, begin with ten degrees of freedom and a correlation parameter of 0.75. For the first marginal use a gamma distribution with α = 2 and θ =5,000 and for the second marginal use a gamma distribution with α = 4 and θ =2,500. Determine the VaR and TVaR at the 95 percent level. Then do sensitivity analyses by varying, in turn, the degrees of freedom, the correlation coefficient and the two α parameters (changing θ to keep the means at 10,000). Make ten percent changes in each direction. Comment on the results of your analysis.

Altering the spreadsheet:
Copy columns H through T down for as many simulations as you plan to do. Change cell N2 to reflect the new number of simulations. For the sensitivity analysis to be more meaningful, in columns I, J and L, copy the random numbers and then do a “Paste special…:Values” so that new random numbers are not generated for each subsequent run.

Copulas and Model Risk

Use of models always presents risk (the model may be wrong, the parameters may be wrong, and so on), but it is important to understand which models are a good fit for a particular problem.

  • All models have limitations. The model used here assumed that all the component securities have the same association; that the association measure did not change over time, and that the tail dependence is zero. The model worked well in stable times, but had no built-in mechanism to forecast or react to unusual events.
  • Even when there is a large amount of data, models built on it can only reflect the environment in which the data was generated.
  • The gap in understanding between those who build the model and those who use the model’s output can lead to risks being understated.

Scenario Analysis: Delphi Approach

In ERM, since purely mathematical approaches are limited, scenarios have become one of the best approaches to understand the potential impact of unexpected events and share the knowledge with decision makers.

One such well-known approach is the Delphi approach. The idea is to obtain expert opinions of high-severity events that could plausibly affect a firm and use these potential events to craft a story about risk to share with senior management and the board. In a Delphi study, the experts anonymously develop scenarios through several rounds of opinions. Eventually the distribution of responses stabilizes, although it is unusual for a consensus to emerge.

In an early example of this type of work during the 1960s, Shell Oil Company brainstormed stress scenarios that could affect their firm and developed full strategic and tactical plans to address these risks if they occurred. One identified risk was an oil cartel driving oil prices higher and Shell developed a plan to address this. When the situation presented itself during the 1970s, Shell was able to react quickly because it already had a plan developed. The company utilized this competitive advantage to improve its position in the industry and add value for stakeholders.

Scenario Analysis: Emerging Risk

Others are considering the field of emerging risk approaches as appropriate in this regard. The following paper presents an overview of the field of emerging risks as a valuable approach to constructing scenarios.

Scenario Analysis: Systems Dynamics Approach

Some consider that it is necessary to understand the dynamics of the underlying system to be able to construct scenarios.

Scenario Planning

Ratings Downgrade from AA to A: Effect on Life Insurer

Scenario planning can take many forms. The scenarios need to be plausible and balance volume versus value. Risk techniques tend to evolve from efforts to mitigate risk toward optimization techniques.

While quantitative modeling can help determine severity, scenario planning often stresses qualitative analysis. In a life insurer downgrade, both new business and in-force product lines would be affected, although often in different ways. There are many recent examples related to firms experiencing rating drops.

    • New business high effect—Many lines of business are sensitive to ratings for new business. Any line using distribution channels like brokers and banks will shut down when ratings fall below AA. Bad news travels very quickly in these sophisticated circles.
    • New business moderate effect—Agency distribution and employer group markets will have some reaction for new business. Bids will need to be more competitive, and there will be pressure on expenses.
    • New business limited effect—Direct to consumer distribution and elderly products like the Medicare supplement product line should not be affected. These lines have limited rating sensitivity.
    • In-force high effect—Product lines with surrender privileges sold to institutions will be mostly gone in 90 days.
    • In-force moderate effect—A deferred annuity line sold through banks will surrender as soon as it makes sense to do so for the policyholder and bank, likely at the end of the surrender charge

Rating Agency Downgrade Scenario: What Can We Do Now Or At The Event?

Companies should calculate internally the tests performed by the rating agencies, being especially aware of any trigger points that could lead to a downgrade. An attempt should be made to project these test ratios as well. This will help to manage the future balance sheet and income statement issues.

There may also be opportunities for new types of business after a downgrade. As other lines shut down, new ones that are not rating specific might open up, especially if the downgrade results from an industry-wide issue.

Economic Capital

ASOP 46

In 2012, the Actuarial Standards Board adopted two ASOPs (ASOP 46 & ASOP 47) focused specifically on ERM. This action supports the importance of ERM to the actuarial profession by formalizing standards for those practicing in this area. The first of these standards is focused on risk evaluation and has many close ties to economic capital. As you work through the case study, think about how the ideas discussed in the ASOP relate to YourCo’s initiatives.

YourCo Case Study

This section is built around a case study that will introduce you to economic capital and the considerations a company might face when working to implement economic capital.

Read YourCo case study introduction to obtain information about the company and your role.

Meeting 1: Value of Economic Capital

Draft an outline of your report to the CRO that summarizes the ways economic capital can be valuable to YourCo’s operation.

    1. In general, economic capital can:
      • Help any company
        • Make effective strategic decisions; key is assessment of “true” level of capital adequacy to ensure policyholders of the security of their benefits as well as satisfy the needs of other stakeholders
        • Monitor and control risk
        • Measure and manage performance, when combined with a related measure of performance
        • Implement risk-based pricing
      • Facilitate discussions with key external constituencies: regulators, rating agencies,investment community/shareholders
    2. Specifically, economic capital can be valuable to YourCo because:
      • YourCo is extremely concerned about its reputation, which affects sales of its products and the confidence that distributors have in making recommendations to buy YourCo products; having an explicit approach to estimating required capital is an important component of its risk management strategy from the distributor’s and customers’ perspectives.
      • Rating agencies consider economic capital as part of their regular rating activity YourCo is international in focus but U.S.-based, which means regulators throughout the world have an interest in YourCo’s financial viability, and economic capital is important to many regulatory and accounting initiatives worldwide.
      • Other stakeholders are taking notice with concerns about corporate social responsibility, which ERM and economic capital can integrate as well, and investors can feel more confident that YourCo is well positioned to anticipate emerging risks and be able to sustain a major loss and survive.
      • With an economic capital model in place, YourCo can then evaluate the capital impact of potential events (emerging risks), making YourCo forward looking, which is one major advantage of any effective ERM system.
    3. Essential that communications regarding economic capital be clear and understandable to all the various constituencies.

The Value of Economic Capital

An economic capital model can assist any organization to better deploy its financial resources and capital. Before the advent of economic capital approaches, risks were not explicitly integrated in advance into high-level capital budgeting decisions. Instead, decisions were made indirectly through a crude risk-adjusted return. There was no analysis done to translate risks into an adjusted return, except for crude approaches such as the Capital Asset Pricing Model. Economic capital makes risks explicit and because it is often called the ”currency of risk,” it translates all different types of risks into a single base to facilitate decision making. For example, with an economic capital approach, one can compare, on a similar basis, the anticipated risk-adjusted return of investing capital in a certain type of new product or deploying it elsewhere.

From a high-level perspective, economic capital that is integrated with the overall ERM system assists an organization to maximize their value as well as to better deploy its scarce capital for the benefit of many stakeholders.

From a day-to-day perspective, an economic capital model can:

      • Assist an organization to monitor risk limits that translate its overall risk appetite and tolerance goals;
      • Assist an organization to better control risks by consolidating different risk exposures and their correlations from different perspectives;
      • Aid in measuring investment decisions and their potential impact on overall financial risk exposures;
      • Aid in measuring the impact of potential new products on the overall risk profile of the organization;
      • Aid in managing the actual capital of the firm;
      • Aid in monitoring solvency;
      • Aid in integrating external events in order to assess potential impact on our firm; and
      • Aid in testing potential emerging risks.

Meeting 2: Risk Identification

Draft an outline of a report to the CRO regarding the major risks to YourCo and their potential interrelationships.

General categories of risk:

    • Insurance or underwriting, including mortality risk, longevity risk, morbidity risk, lapse risk and reserving risk
    • Credit, including default risk, spread risk on assets, and reinsurer and other hedging counterparty credit risk
    • Market, including equity risk, interest rate risk, exchange rate risk and risk on non-traded assets such as real estate and private placement bonds
    • Operational, including people, process, distribution channels, internal systems, employee behavior and external events, such as regulatory and political risks
    • Liquidity, including liquidity of the assets and the net liquidity position of the company.

Major YourCo risks:

    • Insurance or Underwriting Risks: mortality, longevity because of insurance and annuity products; pandemic or emerging disease risk, while having low likelihood, could have high potential severity impact that could be global in nature (negative for mortality benefits, positive for longevity).
    • Credit Risks: counterparty risk resulting from hedging activities related to the new trading operations; country risk – risk of countries defaulting –sometimes called sovereign risk, more difficult to assess but based on recent world events, it is an ever increasing risk, and credit risk resulting from the asset portfolios.
    • Market Risks: Interest rates will be an important risk as YourCo is in the asset, life insurance, and annuity businesses; YourCo being international in nature means potential currency risk; central banks likely devising strategies to counteract the low-growth environment; equity risks and links with interest rates can have an impact on fee income business and on asset guarantee return business as well; asset price risk due to changes in credit spreads – YourCo’s existing asset base held for investment is subject to this risk; can also show up in asset/liability mismatch risk primarily in spread products, and affect the cost of product guarantees.
    • Operational Risks: from new products, processes, technology requirements, personnel; internal auditors only did a quick review of the new trader operation; new traders trade new complex products with limited supervision and control – YourCo has no expertise with longevity swaps, which are complex and have thin secondary markets resulting in possible liquidity issues; human risks due to potential culture clashes between externally hired traders and the existing staff, exacerbated by proposed compensation levels, which favor risk taking
    • Liquidity Risks: credit rating downgrade
    • Reputational Risks: Ultimately, the reputation of YourCo is at stake as it is envisioned that the new operation will represent close to 25% of future profitability, making it a strategic risk as well.

Interrelationships:

    • Correlation between operational risks – in the absence of any control – and other risks such as liquidity risk, market risks (interest rates, currencies) and counterparty risks will likely be high.
    • Longevity risk and its natural hedge of mortality risks in YourCo’s traditional products have to be taken into account both in YourCo’s traditional lines of business, namely annuity and some retirement products as well as in the swaps that YourCo will be undertaking with external counterparties.
    • Internationally-focused:
      • Mortality and longevity evolve differently in different parts of the world, with probably less sudden jumps in the more developed countries but always subject to sudden shifts in countries with less stable environments. Emerging risks, such as a pandemic that could impact all regions of the world simultaneously or within a short time period, could affect these risks as well.
      • Because YourCo has operations in China and Germany, as well as the U.S., international currencies are involved, which means different credit spreads will have to be integrated and are likely correlated.
    • Credit risk spreads will vary depending on the type of security involved; credit risk correlations are changing rapidly due to recent world events, and the unstable economic environment; credit risk and many market risks tend to move together in adverse market environments, exaggerating the impact and limiting diversification between them.
    • Insurance and market risks diversify each other well, given YourCo products, but some of YourCo’s insurance products have asset guarantees, which along with a large asset management and retirement services business, put the company’s income diversification benefit at risk in strong market declines.

Select the risks to be addressed in an economic capital model

An important consideration in the development of an economic capital model is to decide which risks will be integrated within the model and which risks will be left out. An economic capital model can’t possibly cover all types of hazards that an organization can face. To guide us in this endeavor, one important aspect is to link the development of the economic capital model with the other ERM initiatives taking place in the company. These initiatives can give us relevant links to external and internal research done by the many consultants and analysts in this field.

Our investment people rely on external rating agencies to assign credit risk. We scan the environment to understand how world events can affect us. Because we are a publicly traded company, financial analysts publish analyses about us that can give us hints as to what risks they perceive can affect us. In addition, any company, as part of its regular ERM initiatives, performs internal risk identification exercises such as setting up Delphi and scenario development task forces. We also rely on external databases from organizations such as the Operational Risk Consortium (ORIC) to give us insights as to relevant financial risks experienced by the industry, and provide operational risk data that give an indication as to where operational risks may lie. All these give us a picture of a potential risk profile. The representatives from the various key areas then come to a consensus as to the identification and prioritization of the major risks that should be addressed in the economic capital model. In addition, a decision has to be made about the integration of other potential risks. Emerging risks are usually not directly integrated into an economic capital model, which is usually more focused on the existing risks and risks that are under the direct control of the company.

Finally, once risks are identified and prioritized, an analysis has to be undertaken in order to decide on potential correlations – positive, negative or zero – between risks.

Meeting 3: Risk Appetite Statement

A risk appetite statement is a general statement about what types of risks an organization is considering taking on and its willingness and capacity to bear losses if some of those risks were to materialize. It is related to risk preferences and usually is set by the board of directors in consultation with an ERM group. In a sense a risk appetite is like a mission statement of an organization. A mission statement is usually focused on revenues while a risk appetite statement is focused on risks. A risk appetite statement will also define desired risk levels, potential targets of risks judged to be acceptable or not, an overall risk measure by which to evaluate the company’s risk exposure, and how this risk appetite will be translated into risk limits that become part of the many risk policies of an organization. Value-at-Risk has been used as the industry standard in the banking industry, but alternative metrics like Conditional Tail Expectation are now entering the discussion especially in the insurance industry.

A risk appetite statement should ideally be based on the input of the company’s many stakeholders. Employees have an interest in the continuation of the company, regulators want to protect policyholders and analysts have an interest in both a company’s profitability and its survival. External groups are concerned about their interests and embedded risks as well. For example, only satisfying regulators’ interest would lead to an excessively high targeted capital with little risk. That would satisfy the regulators but a company’s investors would be totally unsatisfied as their return on their investment would be reduced. A risk appetite statement has to be a compromise between many competing interests.

Draft an outline of a report to the CRO regarding the draft risk appetite statement for YourCo.

YourCo’s risk appetite:

    • Stake holders: policyholders, employees, rating agencies, investors, regulators, other external parties
    • Risks: As a financial institution, YourCo’s risks include financial risks, counterparty risks, operational risk, liquidity risk, and strategic risks; given YourCo’s products, there are also longevity risks and mortality risks; all of these can impact the value of YourCo, thus reputation risk.
    • Desired risk level: Credit rating of AA, because YourCo is a publicly-traded entity and credit ratings as published by rating agencies drive the value of YourCo’s business; overall credit ratings done by external parties like rating agencies include many aspects, including capitalization and ERM; thus, such a target is value-focused, which external parties such as financial analysts consider in their investment recommendations; AA has been YourCo’s rating for the last few years and it is considered investment grade by many; these ratings are used by YourCo’s distributors and clients in making long-term investment decisions. It has been so for the last 100 years.
    • Specific risk tolerance: YourCo could add a more specific risk tolerance expressed as not facing a major loss of more than 5% of capital or surplus at risk more than 1% of the time over the next 5 years, which addresses solvency concerns; or it could be expressed as some tolerance that YourCo would be willing to face in the short-term – tactical deviation from the long-term strategic-targeted rating of AA.
    • Time horizon: one-year, which is usually the horizon chosen for a statement that features ratings because ratings are re-evaluated on a regular basis, and because given the international nature of YourCo’s business and an unsettled world economy, YourCo intends to review its risk appetite regularly to incorporate the impact of emerging risks as appropriate.
    • Overall risk measure: Value-at-Risk because it is a common standard for a one-year time horizon, although YourCo may have to investigate other measures if they seem appropriate from the perspective of some stakeholders
    • Risk limits: As YourCo refines its EC model, it will be able to develop relevant limits that will be applied for each risk and in totality, to monitor on a regular basis so that YourCo can maintain the targeted risk rating, which will be communicated both internally and externally.

Using rating as a risk appetite target is important as it will drive the implementation of the EC model, and an externally-determined risk rating will enhance YourCo’s credibility to its stakeholders.

Meeting Meeting 4: Economic Capital Approaches

Draft an outline of a report to the CRO that identifies the alternative approaches for calculating economic capital and the pros and cons of each.

Two most common methodologies (General description)

Liability runoff

EC represents the current market value of assets required to pay all future policyholder benefits and associated expenses at the chosen security level (expressed on a VAR or CTE basis), less the current value of the liabilities (typically defined on a mean or best estimate basis).

      • Set of (typically 1,000 or more) stochastically generated future scenarios for the runoff of the business is defined, and projected asset/liability cash flows and balance sheets developed for each scenario. The scenarios include specifications for economic and demographic conditions, including risk drivers such as interest rate scenarios and asset default rates. Mortality levels and other insurance risk drivers may also be included in the stochastic scenario generation process, although this is less common among life insurers.
      • Under each scenario, the level of assets required at the beginning of the scenario to satisfy all obligations through to the end of the projection is determined. The level of “required assets” for all scenarios is then ranked to form a probability distribution.
      • Economic capital is defined by applying the chosen risk metric (e.g., VAR or CTE) to this distribution of total required asset levels and deducting the current value of the liabilities, measured on the selected basis (typically mean or best estimate).

One-year mark-to-market

Economic capital represents the current market value of assets required to ensure that the market-consistent value of liabilities can be covered in one-year’s time, at the chosen security level (typically expressed on a VAR basis), less the current market-consistent value of the liabilities.

      • An economic balance sheet is developed as of the valuation date on a mark-to market basis, i.e., with assets at market values and liabilities on a market consistent basis. The difference between the value of assets and value of liabilities gives the economic value of net assets, i.e., the available capital at the valuation date measured on an economic basis.
      • For a number of scenarios, which can be either stochastically-generated or specified for a given desired risk rating, assets and liabilities are projected forward for one year, at which point a projected economic balance sheet (on a mark-to-market basis) is developed. The resulting projected economic value of net assets (positive or negative) is then discounted to the valuation date using the projected earned investment return over the year.
      • A negative discounted value quantifies the additional initial asset value the insurer needs to hold to ensure it remains solvent on a mark-to-market basis at the end of the year under the chosen scenarios. A positive discounted value quantifies the excess initial asset value over the amount needed to ensure solvency on a market-to-market basis at the end of the year. The discounted value (of the projected economic value of net assets) is therefore subtracted from the market value of assets at the valuation date to give the required assets for the scenarios involved in the calculation.

Meeting 5: Implementing an Economic Capital Model

Draft an outline of a report to the CRO that summarizes the considerations that are important in selecting and implementing an economic capital model for YourCo.

The considerations that are important in selecting and implementing an economic capital model:

    • What is to be accomplished with the economic capital model? Maintain YourCo’s target AA rating and reputation which are important to policyholders and product distributors; satisfy national and international regulatory and accounting requirements; address corporate social responsibility concerns; be strategically in a position to address existing and emerging risks and to take advantage of risk opportunities
    • What type of model? Prescribed (e.g. by regulators), or developed internally; YourCo – thinking internal as ERM group is thinking more broadly in calculating economic capital rather than following the calculation solely for regulators.
    • What type of calculation?
      • Liability run-off vs one-year mark-to-market? YourCo considerations: Manage on a fair value mark-to-market balance sheet basis now? If so, likely use one-year, mark to market approach; If not, may prefer liability run-off.
      • Stochastic vs stress test (shock to individual risks); YourCo is just starting with economic capital so likely it wants to keep it simple; choice also depends on what existing internal modeling is done for other purposes that could be leveraged in building the economic capital model.
    • What time horizon? One-year or long-term; again, YourCo’s approach depends on its current accounting approach and existing models
    • What risk metric? VAR? Tail VAR? CTE? YourCo’s CFO recommends use of Value-atRisk, although it may only be because the traders say it’s the industry standard for trading portfolios; the ERM group may determine that another metric is more appropriate for the entire risk portfolio; a VAR metric chosen with a very high confidence level could be the equivalent of a Tail VAR; VAR chosen with the targeted AA rating implies a certain confidence level.
    • Risk representation implementation issues
      • Considerations for each risk: nature, availability of relevant data, and approach to modeling
      • Risk aggregation: YourCo – could use correlation matrix for various risk relationships; diversification possibilities with both mortality and longevity risks; alternatively, YourCo could build relationships of the various risks into a holistic risk model if resources and expertise allow.
      • Specific issues for YourCo: operational risk a focus because of new trading desk; reputational risk is important because of focus on AA rating – difficult to quantify; economic uncertainty
    • Management implementation issues
      • Considerations: governance; resources; time frames and budgets; stochastic processing limitations; model testing/validation
      • Specific issues for YourCo: economic capital calculation new so must establish processes for governance and monitoring, and allocate appropriate resources.

NAIC’s RBC Requirements

The NAIC’s Risk-based Capital is based on a set of predetermined risks using historical ratios. It is appealing from a regulator’s perspective as it is easy to implement and monitor. However, it has several drawbacks.

The calculation is based on a standard formula across an industry, which includes all companies in a one-size-fits-all approach. Contrast this to a principles-based economic capital model or approach, where company-specific characteristics such as risk profile, risk management, product or process design can be reflected.

Some of the ratios used are low compared to those that may be experienced during a stress environment. For example, U.S. treasuries and Government Sponsored Entities are at 0%, while their underlying credit risk is higher. Structured finance may experience credit losses greater than 5%. The recent 2008 financial crisis has seen ratios greater than these for some asset classes. The asset risk factors were devised to include only credit defaults but not asset fluctuations as is now the case with the proposed new international accounting standards. The formula is also biased against some asset classes in insurance portfolios, such as equities, and assigns them very high capital charges without considering their upside.

RBC was devised at a time when there was no discussion of risks such as operational risk. The C4 component of RBC – the business risk component – was conceived as a catch-all category for all other risks including what we now call strategic and operational risks. The C4 component factor itself is too low.

For investment and interest rate risk we don’t have detailed information to calculate RBC. RBC factors were not determined for a period of relatively low and stable interest rates as we are now experiencing.

Longevity risk was not really envisioned to the extent that we are now anticipating and ratios were not based on the study of potential pandemics. Reputation risk is totally absent from the RBC calculation.

Today, RBC is mostly used for solvency purposes in the US. It is limited to a certain sets of risks based on factors that may not be totally up-to-date and dynamic.

Learning about Economic Capital

An economic capital exercise is a dynamic endeavor to assess the overall risk profile of a company and to translate that risk profile into a required capital number. This is important to regulators as evidenced by Solvency II internal models and the U.S. principles-based approach for some lines of business.

However, an economic capital model is not necessarily complete in terms of total capitalization needs of any firm as it usually focuses on existing risks of the firm. If the model also addresses emerging and strategic risks, it gets closer to modeling the total capitalization needs of a firm, which can then be used for broader corporate needs like strategic decisions, dividend policy, capital budgeting decisions, capital funding requirements, performance measurement, and assessment of the value of hedging and other risk mitigating activities.

Modeling risks is one thing; actually using the model for day-to-day decision making is another. In fact, the USE TEST developed in Solvency II is probably one of the most difficult aspects of building any economic capital model. If calculating economic capital remains a process managed in silos by actuaries in order to satisfy regulators’ and rating agencies’ needs, it will remain a compliance exercise. To show its potential value as an ERM tool, it has to be used by the organization in making strategic decisions on how to deploy its capital in relation to potential risks.

An economic capital model cannot be developed in isolation. It must have the buy-in of top management, must be understood by them, must be capable of being challenged, must be flexible enough to easily integrate new developments, must be of high quality and must be capable of being back-tested.

Finally, any report on an economic capital calculation should include the following sections:

  • Introductory section on the context and the firm’s objectives for the economic capital calculation
  • A section that describes methodologies, the proposed risk metrics, the rationale for the proposed choice and the links with the overall risk appetite statement of the firm and other ERM initiatives
  • A section that goes into detail about the modeling of each risk: model, assumptions, data issues
  • A section that explains in detail the rationales for the proposed correlations: good times and stressed environments
  • A section on the actual day-to-day implementation and operation of the economic capital model, for example management issues -governance and achieving buy-in; resources –staff, time frames, budgets; limitations of the model-model quality, model validation.

ERM and Strategic Planning

Leveraging Regulatory Models

Many of the techniques described throughout this module can be used for more than defining minimum capital requirements. Using them only for that purpose, without affecting company practices, will limit the usefulness of the models and other tools.

In the following article (ERM as a Competitive Advantage – Moving Beyond PBA to Add Value) from The Actuary, April/May 2007, Max Rudolph discusses how to leverage internal models built for regulatory purposes to increase firm value.

Though this article was written prior to the 2008 financial crisis, many of the concepts introduced continue to be key considerations for ERM programs. Important points to recognize include:

  • In order to maximize the potential benefits from using models, they should be managed in a control cycle framework which allows them to continuously evolve.
  • Reliance on historical experience should be complemented by critical thinking about emerging risks when developing assumptions.
  • Financial models are never perfect. Understanding limitations is vital when using models to make strategic decisions.
  • In order to be effective for risk management, models must provide risk information to the organization’s decision makers in a timely fashion.

Integrating ERM with Strategic Planning

The article (Integrating ERM with Strategic Planning) on leveraging regulatory models mentioned interaction between product line experts and the board of directors as an important risk management practice. Strategic planning is greatly improved once techniques are developed to understand the risks taken as well as to project those risks through future balance sheets, income statements and cash flow statements.

In the following article from The Actuary, August/September 2007, Doug Brooks discusses strategic planning and strategic risk management.

The article discussed the link between ERM and strategic planning. Key concepts discussed include:

  • Alignment of an organization’s risk appetite and its strategy is important in positioning the business to succeed in the future.
  • Strategic risks should be distinguished from business risks. Strategic risks more long term and broad in nature than business risks, strengthening the link to ERM.
  • The author introduced a strategic risk management process with many familiar components from the overall ERM framework described previously in the module. The process from the article involves:
    • Setting a target risk profile.
    • Identifying and assessing strategic risks.
    • Monitoring and reporting strategic risks.

ASOP 47

ASOP 47 addresses risk treatment. Many of the concepts discussed will be familiar from the previous sections in the module. The development of standards of practice for ERM reinforces the importance of this topic for the future of the actuarial profession.

Small Company Perspectives

Many of the best practices of ERM have been designed in the context of large, multinational firms. But small companies have just as much to gain from ERM. By making a list of risks taken, prioritizing them and developing action plans, a company of any size can better understand its risks and make better decisions. Some large companies have jumped past risk culture straight to economic capital modeling. This creates a major risk, as having the model without the culture leads to aggressive risk taking and lack of value added (several financial services firms have fallen victim to this). Companies can leverage their current business plan models using tools such as scenario planning and stress testing, described earlier in this module. These practices bring ERM and strategic planning closer together so that both risk and return are considered.

Perfect Storm Revisited

You will recall that in Section 2 you developed your own thoughts about the next “perfect storm.” Now that you have nearly completed this module, go back and review what you wrote down. You should have some ideas now about how to monitor and manage these risks using the tools described. Perhaps your list of risks has evolved as current events and the module readings have shaped your views.

A key component of risk management is its ever changing course. Like a river, it is constantly adjusting based on today’s issues while remaining true to a general path.