risk evaluation in erm: iasb proposed standard

Enterprise Risk Advisory, LLC 1

Session 28PD

Mr. Michel Rochette Enterprise Risk Advisory,LLC

September 10th, 2012


Topics Context Two proposed risk standards:

Risk Evaluation – covered in this presentation Risk Treatment – see ASB web site

Reactions Discussion Questions


Risk Evaluation in Enterprise Risk Management


Context


Context

Source: INGRAM, Dave(2009), “ERM and Actuaries”, Casualty Actuarial Society E-Forum, WinterEdition, p.386-395


Context Risk Controlling:

– Creation of comprehensive risk models: establish and monitor risk tolerance and limits

– Some existing ASOPs fall in this category but actuaries mostly absent

Risk Trading:– Pricing and valuation of risks– Most ASOPs pertain to this goal, mostly

insuranceRisk Steering:– EC, Risk-adjusted performance, Value


Context

Copyright 2010 by the Society of Actuaries, Schaumburg, Illinois. .

RISK EVALUATION

RISK TREATMENT


Context Most ERM standards usually apply at the

company level Most other ASB ASOPs are very specific,

although they also reference risk issues:– #7: Analysis of life, health, or property/casualty

insurer cash flows– #12: Risk classification (All practice areas)– #19: Appraisal of insurers– #35: Selection of demographic and other non

economic assumptions for measuring pension obligations


Context

Source: INGRAM, Dave(2011), “ERM Standards of Practice: A Socratic Dialogue”, SOA Annual Meeting, p.11-22


Context Other ERM ''Standards of practice” being

considered:– IAA: global standards initiative: Ex. Social

Security– Asset management industry: some initiatives at

the industry level– Auditors: some very specific individual risk

standards: risk audit and SOX.


Standards in general


Ex. Components of Standards

Individual Risk Standards


Risk standards Let's listen to Dave Ingram's presentation of the

context at the 2012 ERM Symposium

Source: ERM Symposium, 2012, session C9

http://www.ermsymposium.org/2012/audio/C9.mp3

http://www.ermsymposium.org/2012/audio/C9.mp3


Risk standards



Risk Evaluation Standard Purpose: Provide guidance – not guidelines –

to actuaries – for the moment – as it pertains to risk evaluation – broader than measurement, quantification but smaller than analysis – systems: - not just a framework -– Design or Implement– Use or Review

Scope: apply to actuaries for any ERM phases: ERM control or compliance cycle, trading or steer objectives


Risk Evaluation Standard Different categories of risk evaluations:

– Risk evaluation models: apply to 3 ERM phases– Economic Capital: mostly steer phase– Stress testing: trading & steer phases– Emerging risk: steer phase– Other risk evaluations: all 3 phases

Applies to an ERM type work, not pricing nor valuation as there are particular ASOPs.

Q: What about MAD in principles-based reserving?


Risk Evaluation Standard: some definitions

Risk Evaluation System — A combination of practices, tools, and methodologies within a risk management system used to measure the potential impacts of risk events on the performance metrics of an organization.

Risk—The potential of future losses or shortfalls from expectations due to deviation of actual results from expected results.

Economic Capital—The amount of capital needed for an organization to survive or to meet a business objective over a specified period of time at a selected confidence level, given its risk profile.


Standard doesn't use “standard” definitions for some components

Ex. Standard uses counterparty risk: risk that the party providing a risk offset or accepting a risk transfer does not fulfil its obligations. Missing some components. A counterparty is larger than credit risk.

Risk Management Terms Survey, SOA, 2007SOA (2006): Enterprise Risk Management Specialty Guide May 2006, SOACCRO (2002): Committee of Chief Risk Officers; Volume 6 of 6 Glossary, Nov 2002


More “standard” risk definitions

Source: Risk Management Terms Survey, SOA, 2007


Risk standard definitions



Risk standard definitions



Standard risk definition: deviation from expectations only. What about the average losses?


Potential improvements Adopt industry specific risk definitions:

– Ex.http://ec.europa.eu/internal_market/insurance/docs/solvency/impactassess/annex-c08d_en.pdf

ISO Guide 73: Risk management vocabulary Rephrase the standard to propose that the

evaluation be adapted to the context of how risk definitions are actually used by practitioners

Create a risk taxonomy adapted to the context: Ex. If risk is evaluated and treated as a system –

systemic risk -, different from risk evaluation by source or cause – economic capital calculation-.


Risk Evaluation Standardconsiderations

Financial resources and risk profile:– Financial strength of the organization – broader

than just capital– Risk profile, nature, scale and complexity– Current and long-term risk environments:

internal and external, own assessment or based on management's

– Organization's strategic goals including risk tolerance – desired volatility – of value

– Interests of various stakeholders



Financial resources and risk profile:– External risk evaluations: Ex., as done by rating

agencies ERM evaluation– Extent of dependencies, correlations,

interactions of risks– Fungibility of capital resources

Organization's own risk system:– Risk appetite, tolerance & management

involvement– Enterprise Risk Control Effectiveness:

management actions toward unexpected events



Interaction of financial resources, risk profile and risk system:– “If in the actuary’s professional judgement, as

appropriate to the assignment, a significant inconsistency exists, then that inconsistency should be reflected in the risk evaluation.”

– Important element to consider but criteria could be expanded to include other specific considerations like:• Looking at existing recent losses and how it was

managed, other professionals' report like Audit, financial analysts instead of only professional judgement



Risk Evaluation models: “Fit for the purpose:” – Sophistication of models & materiality of risks– Models reproducible & adaptable to new risks– Practical considerations: usability, reliability,

timeliness, process, cost effectiveness– Limitations: inherent & statistical. Ex. VAR – Model validation, calibration, sensitivity– Approaches to model correlations

Aspect missing: as in Solvency II, no “use test”



Risk Evaluation models: Assumptions– Assumptions supportable, documented & allow

for deviations from the expected– Regularly revisited to assess effectiveness– If assumptions reflect anticipated management

& actions are supportable by facts. Standard should capitalize on other work in this

area, particularly in the valuation area. Could also have assumptions as to the risk

control effectiveness, not just gross risk.



Risk Evaluation: Economic Capital models– Components: timeframe, basis to measure risk

– regulatory, reputation, earnings loss,.. -, confidence level

– Reflection of significant risks in a consistent and comprehensive manner

– Appropriateness of method to measure each risk

Standard could capitalize on the many economic capital requirements being developed for Solvency II, ICAP, Rating Agencies' EC requirements



Risk Evaluation: Economic Capital models– Reliance on consistent accounting framework– Somewhat inconsistent as the idea of an

“economic” capital model is to measure risks on an “economic”, not an accounting approach!

– Choice of appropriate methods:• Stochastic, stress tests, scenarios, standard

measures like “add-ons”– Validation of the models– Assumptions: remote & unlikely: historical,

market prices, experts, internal consistency, documented



Risk Evaluation: Stress & Scenario testing– Extent to which stress tests reflect similar

degree of adversity. Ex. 1 in 200 year event– How an organization will function during a

catastrophic event – I think it is the link to business continuity planning, if any -

– Extreme event may be part of many extreme events – all correlations go to one -. In other words, when things go bad, they all go bad at the same time and reactions by all stakeholders

– How to quantify non readily quantifiable risks and their potential total impact. Op risk + reputation



Risk Evaluation: Stress and Scenario testing– Methods and models to actually assess impact

on all organizations must be ascertained– Integrate disparate systems or build one

integrated model– Assumptions: Tests themselves.

• Effect on other assumptions• Management responses• Regulatory and market reactions• Risk mitigation and time horizon

– Scenarios: limited considerations



Risk Evaluation: Emerging risks– Impact of emerging risks over time– Limited considerations in the standard

Risk Evaluation: other risk evaluations– Used in risk monitoring, mitigation: compliance

and control ERM – Apply same considerations as in general risk

evaluation and risk evaluation models Data quality: ASOP 23 Documentation: ASOP 41



Risk Evaluation: Document and disclosure– Economic capital: models, results, limitations,

timeframe, measurement basis, confidence– Stress & scenarios: results, intended use &

limitations– Emerging risks: methods and sources– Major assumptions: as before– Risks included: risks excluded?– Model validation results– If major deviations from this standard: ASOP 41– What about other disclosure standards


Risk Evaluation StandardPotential applications

IAIS Core Principles:16 and 20 NAIC ORSA NAIC Form F: Enterprise risk reports Solvency II, Pillar II, Pillar III and ORSA Rating agencies' ERM and EC assessments ComFrame IAA Care report


Reactions Questions asked by the task force:


Reactions Questions raised:

– Sufficient guidance for risk evaluation?– Flexible enough?– Explicit enough about the reliance on the work of

others?– ERM scope clear enough so that it doesn't extend

to other actuarial work? 25 comments, mostly by individuals, companies

and two organizations Review comments and get your input


Reactions Comments so far:

– Pierson: guidance question. Should consider joining the two proposed standards as the risk evaluation and risk treatment are related. What is relevant is the net risk to the organization

– Bakos: scope questions.• Doesn't see difference between evaluation of risks

net of expectations covered by this standard and other “common actuarial tasks” like reserving and pricing, which also involve risk classification & evaluation.

• Only applies to CERA doing ERM work or any actuary?


Reactions Blanchard III: guidance questions

– Comments on definitions and ERM cycle– Replace emerging by environmental scan– Risk modelling should be done only after

understanding materiality of risks, data sources and mitigation initiatives

Koller: guidance question– Align definitions with other more standard

definitions Zher: good start for guidance, flexible enough,

area of concern on the reliance on others


Reactions Bradley:

– Make link with ORSA as risk evaluation will contribute to this process

– Should standard be rephrased ERM evaluation and not just “risk” evaluation as ERM considers risks and gains?

– Align “stress-test” definition with external definitions

Pfluger:– More emphasis on correlation, required capital,

not flexible enough to handle new standards, inevitable to integrate others


Reactions Rochette:

– Is the purpose more “risk assessment” within ERM than an evaluation, which is a broader term?

– View proposed standard as a good start if goal is to review, not complete enough is goal is to design, implement, use

– To make it more flexible, should be more-principles based

– Inevitable to work with others. EC section should refer to that explicitly, otherwise, silo EC

– Should standard be ERM-context dependent?


Reactions Hay: not enough guidance, flexible enough,

reliance inevitable as ERM is team-work, division of standard arbitrary – why exclude pricing, reserving, claims – not realistic to separate ERM from other “actuarial” activities

Financial Reporting Council: UK regulator for governance and reporting– Board responsible to assess risks– Risk evaluation is part of that role of Boards


Reactions


Reactions North American CRO Council:

– “We strongly believe that ERM is not an actuarial process and goes beyond an actuarial function.”

– “We believe it may be premature to develop a standard related to ERM and that expressing the ERM principles in the form of guidance document may be more appropriate at this time.”

– “This standard would be adding to existing and growing compliance requirements in the ERM landscape.”


Your reactions?Outstanding issues related to any new ERM

standards:



Your reactions? Should we have such a standard? Do you

agree with the ERM standard task force's earlier conclusions or do you agree with NACRO's conclusions?

Your reactions to the standard itself: guidance, scope, flexible enough, interactions with non actuaries? Other issues?

Do you think that the actuarial profession should develop its own theoretical ERM Framework to position itself in the ERM space?

Should standards reflect “existing” practice or “best” practice?

risk evaluation in erm: iasb proposed standard

Documents

risk standardssource

risk audit

risk classification

risk issues

valueenterprise risk

proposed risk standards

risk evaluation broader

context risk controlling