
To: Financial Examiners

From: NAIC Examination Unit Staff

Date: May 4, 2015

Re: Frequently Asked Questions in Identifying and Assessing Prospective Risks

The following FAQ provides information on common questions posed by examiners when identifying and assessing prospective risks.

The template of the FAQ will follow the Exhibit V Matrix columns. The first two examples within this exhibit are provided at the end of this memo within Appendix A.

1. Prospective Risk Identified

This column of Exhibit V is used for documenting overarching prospective risks that the examiner identified as a result of the knowledge and understanding of the company gained during planning.

Q1. Why are prospective risks important?

The Financial Condition Examiners Handbook (Handbook) Introduction (D) states that “the intent of the risk-focused surveillance process in a risk-focused examination is to determine areas of higher risk to enable more efficient use of examiner resources. The primary purpose of a risk-focused examination is to review and evaluate an insurer’s business processes and controls (including the quality and reliability of corporate governance) to assist in assessing and monitoring its current financial condition and prospective solvency. As part of this process, the examiner identifies and evaluates risks that could cause an insurer’s surplus to be materially misstated, both currently and prospectively.” In short, prospective risks should be among the areas of focus for examinations as this is a key part of the regulatory charge of States. While financial risks are reviewed in detail by others such as auditors, prospective risks typically are not. Consider the example provided by Prospective Risk 1 in Appendix A (excerpt from Exhibit V). The issue of compensation practices encouraging risky behavior may have been identified by auditors, but this risk may not have been subject to audit procedures due to the lack of impact on the financial statements. While this may be appropriate for auditors, these sorts of risks require a response from the examination as the compensation practices could pose a long term threat to the insurer’s solvency. Examiners are specifically charged with solvency monitoring while auditors are charged with ensuring the accuracy of information that is reported in the audited financial statements.

Q2. How do I identify prospective risks for my insurer?

The process to identify prospective risks is the same process used to identify risks placed on a Key Activity Matrix. Exhibit V states that “Based on the knowledge and understanding of the company obtained during the planning stages of the exam, document any overarching prospective risks identified.” Therefore, prospective risks can be identified by any of the means by which traditional financial reporting risks are identified (e.g., documents reviewed as part of understanding the company, discussions with management, review of the 10-K filing, discussions with analysts, etc.).

The following diagram should serve to illustrate this point.

Exhibit V, Part Two contains a listing of common areas of concerns that examiners may use as a brainstorming tool in the risk identification process.

Q3. How do I decide whether to place my risk on Exhibit V or a Key Activity Matrix?

Risks placed on Exhibit V tend to impact multiple key activities or may simply not align with a key activity; they may also have entity wide implications (i.e. they are overarching risks). These overarching risks benefit from the format of Exhibit V. Because of the nature of these risks, it can be difficult to walk through the concepts of likelihood of occurrence and magnitude of impact. Using Exhibit V to address these risks allows examiners to focus on risk mitigation and additional review procedures and/or ongoing monitoring.

The decision to place a risk on the prospective risk matrix or a key activity matrix is a relevant decision, but not a decision that requires extensive consideration; responses to the risks should be consistent with the risk level regardless of the exhibit on which the risk is placed.

2. Branded Risk Classification

This column of Exhibit V is used for identifying the branded risk category associated with each risk.

Q4. Why is it important to identify the branded risk classification for each risk listed on Exhibit V?

Branded risk classifications (BRC) are the common language between the examination and analysis function. Knowing the BRC for each risk will facilitate communication of exam conclusions to analysts and will likewise enhance the examiner’s ability to use the results of analysts work to identify risks on an examination.

3. Risk Mitigation Strategies

This column of Exhibit V is used for identifying risk mitigation strategies the insurer has in place (if any) to address the prospective risk.

Q5. How do I identify risk mitigation strategies for prospective risks?

The insurer determines the level of risk that they are willing to accept on a variety of risks and often will provide descriptions of risk mitigation strategies in discussions with examiners.

Risk mitigation strategies can also be identified using resources described in Handbook guidance. Section 2, Phase 3 (A) of the Handbook states that the insurer’s internal controls/risk mitigation strategies “can be identified using a number of sources including company control documentation and documentation from external and/or internal auditors. This documentation could include narrative descriptions, flowcharts, Sarbanes-Oxley compliance documentation and/or other source information...Examiners may also utilize walkthroughs of key processes to further their understanding of the existing controls in place.”

In short, discussions with management and review of process documentation (including documentation included in the insurer’s ORSA report, as applicable) are key steps in identifying risk mitigation strategies. Even after completion of this, however, it may be possible that no relevant risk mitigation strategies are in place for the risk identified. In these situations, and taking into consideration the results of ongoing examination work/prospective risk assessment, the examiner should consider communicating their concern back to management through a management letter or other means to ensure that a response to the risk is developed going forward.

Q6. What if the risk mitigation strategy provided by management is not designed properly to mitigate the risk?

Section 2, Phase 3(A) states that “when identifying controls, the examiner should consider that although a control or multiple controls exist in a particular area, they may not be designed effectively to mitigate the specific identified risk being evaluated by the examiner. Therefore, the examiner should understand and assess the design of each internal control identified...during the review of the design of controls, the examiner should take into consideration the type of control and how well it appears to mitigate the inherent risk.”

Risk mitigation strategies provided by the company may only mitigate a portion of the risk or, in certain situations, may not mitigate the risk at all. In these situations, the examiner should consider engaging management in a discussion to determine if there are any other risk mitigation strategies in place to respond to the risk. Questions such as “what prevents this risk from happening?” may help elicit an applicable response. If management is not able to provide the examiner with a risk mitigation strategy that effectively addresses the risk, the examiner should take this into consideration when determining the prospective risk assessment for the risk statement.

Section 2, Phase 3 (B) gives guidance on evaluating risk mitigation strategies and controls.

The following are questions that the examiner may consider when evaluating risk mitigation strategies (note that additional questions are provided in Handbook Section 2, Phase 3(B)):

• Whether risk policies, guidelines and limits at the insurer are appropriate and consistent with its significant business activities, management experience level and overall strength.

o Consider the example provided by Prospective Risk 1 within Exhibit V. The risk is that “the company’s executive compensation practices encourage and/or reward excessive risk-taking and may induce fraudulent behavior.” One of the strategies in place is to limit variable compensation to a percentage of salary and tie the salary to performance over a five-year period. In theory the strategy would be part of an effective mitigation of the risk. However, if the percentage limit is excessively high relative to industry standards, or if the performance metrics can only be achieved through excessive risk taking, the compensation policy would in fact serve to increase the risk instead of mitigating it. This assessment would require that the examiner understand the business activities to determine how compensation policy might impact behavior and in turn the results of operations.

• Whether qualitative and quantitative assumptions implicit in the risk management process are appropriate.

o Consider the example provided by Prospective Risk 2 within Exhibit V. The risk is that “The Company may experience rating agency downgrades causing the company to be unable to sell its products.” In response to this, the company monitors and manages its financial performance using metrics identified by the rating agencies and utilizes models to determine its economic capital needs. One implicit assumption within this process is that the company has selected the right mix of metrics to monitor performance (i.e. the rating agencies may track 15 distinct metrics while the company may use 5). The company should not “cherry pick” metrics to monitor its performance but instead should be using metrics that are representative of the metrics used by the rating agency. Quantitative assumptions may be identified through the review of the model used and should be considered by the examiner when evaluating the quality of this risk mitigation strategy. If the company is modeling performance assuming 15% growth when it has only seen 5% growth in recent years, the examiner would likely need to challenge the quality of this assumption.

4. Corroborating Evidence and Documentation

This column of Exhibit V is used for documenting corroborating evidence and other documentation that supports the risk mitigation strategy.

Q7. How do I test risk mitigation strategies?

Once the effective design of a risk mitigation strategy is established, examiners must still ensure that risk mitigation strategies are operating effectively. The focus of examiners in achieving this objective should be to verify the information provided by companies, document corroborating evidence reviewed, and conclude on the effectiveness of the risk mitigation strategies. Consider the following common risk mitigation strategies.

• Risk is addressed by a policy.

o Examiners should obtain and review a copy of the policy in place.

o Does the policy include the necessary detail to fully address the risk?

o Is the policy reasonable given the size of the company and the extent of risk exposure?

o How is compliance with the policy ensured?

• Management or a third party prepares a detailed analysis or performs modeling specific to a risk.

o Examiners should obtain and review a copy of the analysis or modeling performed.

o Are the people performing the analysis qualified to do so?

o Who is involved in the review of the results of the analysis?

o What actions or changes typically result due to this analysis?

• Board reviews a process, policy, results of operations, etc.

o Is the board qualified to review the process?

o What level of detail is provided to the board and is that sufficient to accomplish the objective?

o How often does the board meet to review the process? Obtain board minutes and consider using a sample to verify this activity.

o Consider the extent of involvement in reviewing or challenging the process. Consider whether any questions are posed by the board or if any meaningful changes have occurred as a result of this process to evidence the level of involvement.

The examiner should understand the operation of the risk mitigation strategy and should perform some amount of corroboration for information provided. Inquiry with company executives may represent a start in addressing a risk mitigation strategy, but inquiry alone is typically insufficient in fulfilling the corroborating requirement for risk mitigation strategies identified. Examiners may consider performing interviews of multiple personnel (including those executing the strategy) to verify that the strategy is indeed operating effectively; however, examiners should not limit testing of risk mitigation strategies to interviews alone. Specifically, examiners should strongly consider using reperformance and examination of documents to obtain the necessary corroborating evidence.

Examiners should also consider the timing of the risk mitigation strategy and the associated testing. For example, for Prospective Risk 1 discussed above, if changes have been made to the compensation policy recently the examiner should consider reviewing the compensation policy on the date of inquiry instead of the compensation policy effective on the “as-of” date. Generally speaking, reviewing the company’s current version of a strategy or policy is more appropriate to determine the long term adequacy of the strategy in place. The Other Than Financial Reporting sections of the risk repositories (Section 3 of the Handbook) may provide possible testing ideas for various types of risk mitigation strategies. Furthermore, examiners should review Exhibit V examples for additional guidance on how risk mitigation strategies may be tested.

Q8. Does my testing of risk mitigation strategies require that I use a sample?

Depending on the nature of the risk mitigation strategy (i.e., multiple instances or occurrences over the course of a year), it may be appropriate to use sampling methodology to determine the effectiveness of the strategy throughout the course of the year. For instance, in the situation of a quarterly board meeting that is used as the monitoring control for a risk, examiners should consider reviewing several instances of board minutes to ensure the appropriate level of supervision is being performed by the board over the course of the year. Other mitigation strategies that focus more on overall strategy may not require a sample, and testing should instead focus on obtaining documents to corroborate management’s representations.

5. Prospective Risk Assessment

This column of Exhibit V is used for documenting the prospective risk level (High, Moderate or Low), including a brief explanation regarding that determination, that remains after considering the nature of the risk and the company’s mitigation strategies.

Q9. Is prospective risk assessment the same as residual risk or inherent risk?

Prospective risk assessment is a different measurement of risk from the residual risk and inherent risk designations. Residual and inherent risk designations require that examiners determine likelihood of occurrence and potential impact to surplus which are often difficult to ascertain for some prospective risks.

Instead, the prospective risk assessment is the risk level that examiners identify after considering the nature of the risk and the company’s mitigation strategies. This makes the concept similar to the residual risk assessment because it considers the company’s response to the risk but still distinct because it is not an explicit computation of inherent risk – controls +/- judgment as would be the case for risks placed on a key activity matrix.

6. Ongoing Examination Procedures and Follow-Up

This column of Exhibit V is used for documenting any additional procedures that the examiner deems necessary to further understand or address the risk. This could include the plan for follow-up, such as specific procedures for continual monitoring, communication with the analyst, limited-scope examinations, revisions to the Supervisory Plan or Insurer Profile Summary, etc.

Q10. What do I do if I have a risk that could not be sufficiently mitigated by the company’s risk mitigation strategies?

Similar to Phase 5 of a key activity matrix, Exhibit V’s column called “Ongoing Examination Procedures and Follow-Up” should be used to document any detailed follow up that is performed to further respond to the risk identified. The extent of work performed in response to risks identified should be based on the prospective risk assessment. Risks with a high prospective risk assessment should have extensive examination procedures or follow-up performed, while risks with a low or moderate prospective risk assessment may have a more measured response. In the first example within Exhibit V, the risk identified is that compensation strategies may encourage excessive risk taking and induce fraudulent behavior. After reviewing and testing the risk mitigation strategies, the examination team assesses the risk to be moderate and further follow up is considered necessary. The examination team performs their own benchmarking against competitors/industry averages and provides a recommendation to analysts to monitor expense ratios and executive compensation going forward to ensure this risk is properly monitored. Note that this risk is addressed by both an examination response and detailed instruction for analyst follow-up. In situations when the risk cannot be fully addressed, examiners should consider whether formal communication to management via a management letter or other means is appropriate. For some risks, examiners may not have a means of testing the risk independently. Examiners may consider requesting more information on the risk in lieu of additional testing to ensure that it can be properly monitored on an ongoing basis. See considerations provided in Q11 for information that may be relevant to the examiner.

Q11. What sort of follow up should I provide to the analyst?

Examiners should provide analysts with information that allows them to leverage work already performed by examiners. For instance:

• Are there key reports available that the analyst can request?

o Specific title, frequency that reports are generated and specific contact information will be helpful information to provide.

• Are there changes to controls/risk mitigation strategies that the analyst can specifically ask about? Consider the extent of information needed to enable the analyst to ask detailed questions tailored to the insurer’s circumstances.

o For example, if management was asked to revise an investment policy to incorporate limitations on market concentrations, the examiner should provide the analyst with the context for this recommendation and contact information for the person in charge of the update. With this information, the analyst would be aware of the recommendation and expected follow-up, would know who to contact, would know what to ask for, and what to look for when reviewing the document.

• Who are the primary contacts to obtain the necessary information?

• Are there specific financial ratios or other data that can be observed more closely?

• Has the company made specific projections that the analyst can compare against actual data as it becomes available?

• What is the anticipated time frame for the company to have the information available?

For significant risks, a bare recommendation that analysts “monitor results of company,” without additional detail, is typically insufficient to achieve adequate follow up on the specific risk. With respect to communication with analysts, examiners should focus on providing the additional value gained from being on site with the company.

Appendix A

Example Prospective Risk 1

Prospective Risk Identified: The company’s executive compensation practices encourage and/or reward excessive risk-taking and may induce fraudulent behavior.

Branded Risk: OP

Risk Mitigation Strategies: The board of directors maintains an independent compensation committee that meets at least annually to update the strategy and approve executive compensation. Variable compensation is limited to a percentage of salary and is based on qualitative and quantitative performance over a rolling 5-year period.

Corroborating Evidence and Documentation: Reviewed minutes of the 20XX compensation committee meeting (see A.1.1), noting that actions were taken as described by the company. Obtained and reviewed variable compensation plan (see A.1.2), noting cap as a percentage of salary. Reviewed schedule calculating 20XX variable compensation for executives (see A.1.3), noting the calculation is based on five-year results and ties to GL.

Prospective Risk Assessment: Although the company carries a high expense ratio and the department had identified concerns with compensation in the past, it appears that the company has put additional controls in place to mitigate risks relating to executive compensation. As such, a Moderate prospective risk rating is deemed appropriate.

Ongoing Examination Procedures and Follow-Up: Based on the moderate prospective risk rating, total compensation awarded to the top five executives in the company was benchmarked to competitors and industry averages (see A.1.4). Although the company appears to be on the high end of the range, compensation did not appear unreasonable. Analyst will be asked to closely monitor changes in the expense ratio and executive compensation to determine if additional action is necessary.

Example Prospective Risk 2

Prospective Risk Identified: The company may experience rating agency downgrades, causing the company to be unable to sell its products.

Branded Risk: ST, RP

Risk Mitigation Strategies: The company has processes in place to monitor and manage its financial performance in accordance with metrics considered significant by rating agencies. The company utilizes modeling to determine its economic and rating agency capital needs.

Corroborating Evidence and Documentation: Reviewed financial reports for evidence of monitoring of rating agency performance measures and management review, noting that the company appears to be meeting its benchmarks w/o/e (see A.1.4). Obtained and reviewed the economic capital calculation at 12/31/XX, noting that rating agency considerations are included in the process and that the company appears to hold capital in excess of the calculated amount. See A.1.5 for more information.

Prospective Risk Assessment: The company has product lines sensitive to a ratings decrease; however, it appears that the company has appropriate controls and strategies in place to maintain strong ratings. As such, a Low prospective risk is deemed appropriate.

Ongoing Examination Procedures and Follow-Up: Based on the low prospective risk, no additional work is necessary at this time. However, we request that the analyst notify the examination unit if a future rating downgrade occurs so that the units can collaborate regarding actions to be taken (e.g., limited scope exam) at that time.