ICP 18B: Management of Key Risks Basic-level Module A Core Curriculum for Insurance Supervisors


Copyright © 2006 International Association of Insurance Supervisors (IAIS). All rights reserved.

The material in this module is copyrighted. It may be used for training by competent organizations with permission. Please contact the IAIS to seek permission.

This module was prepared by Stuart Wason, senior actuary with Assuris, Canada’s life insurance policyholder protection fund. He was director of Mercer Oliver Wyman, an operating company of Mercer, a subsidiary of Marsh and McLennan Companies. At Mercer, he served as an adviser on enterprise risk management, as the appointed actuary for several life insurers, as the valuation actuary for the liquidator of two life insurers, as the independent actuary in the purchase and sale of several blocks of life insurance business, as the independent actuary in the demutualization of Mutual Life, as the peer reviewer of the valuation of life insurers, and as an actuary responsible for preparing appraisals of life insurers. He has more than 30 years of experience in actuarial, financial reporting, and insurance company management positions. He has been involved in the work of the Canadian Institute of Actuaries, the Society of Actuaries, and the International Actuarial Association.

This module was reviewed by Anthony Asher, N. M. Govardhan, and Hauw-Quek Soo Hoon. Anthony Asher is a consulting actuary with Trowbridge Deloitte. His previous positions include senior policy manager with the Australian Prudential Regulation Authority, professor of actuarial science and head of the School of Statistics and Actuarial Science at the University of Witwatersrand, Johannesburg, and before that chief actuary of the Prudential Assurance Company of South Africa. N. M. Govardhan served as internal actuary with the Insurance Regulation Department, Bank Negara Malaysia, from 1997 to 2003. He is currently doing review work for the Insurance Regulatory Development Authority of India as a member of the Actuarial Review Committee. Hauw-Quek Soo Hoon recently retired as executive director of the Insurance Group at the Monetary Authority of Singapore (MAS), where she represented MAS on several IAIS committees and subcommittees, including the Executive Committee and a period as chair of the Education Subcommittee.


Contents

About the Core Curriculum

Note to learner

Pretest

A. Insurer key risks

B. Underwriting (insurance) risk

C. Credit risk

D. Market risk

E. Operational risk

F. Putting it all together

G. Summary and Conclusions

H. References

Posttest

Appendix I. ICP 18

Appendix II. Answer key

Figures

Figure 1. Risk aggregation

About the Core Curriculum

A financially sound insurance sector contributes to economic growth and well-being by supporting the management of risk, allocation of resources, and mobilization of long-term savings. The insurance core principles (ICPs), developed by the International Association of Insurance Supervisors (IAIS), are key international standards relevant for sound financial systems.

Effective implementation of the ICPs requires skilled and knowledgeable insurance supervisors. Recognizing this need, the World Bank and the IAIS partnered in 2002 to develop a “core curriculum” for insurance supervisors. The Core Curriculum Project, funded and supported by various sources, accelerates the learning process of both new and experienced supervisors. The ICPs provide the structure for the core curriculum, which consists of a set of modules that summarize the most relevant aspects of each topic, focus on the practical application of supervisory concepts, and cross-reference existing literature.

The core curriculum is designed to help those studying it to:

• Recognize the risks that arise from insurance operations

• Know the techniques and tools used by private and public sector professionals

• Identify, measure, and manage these risks

• Operate effectively within a supervisory organization

• Understand the ICPs and other IAIS principles, standards, and guidance

• Recommend techniques and tools to help a particular jurisdiction observe the ICPs and other IAIS principles, standards, and guidance

• Identify the constraints and identify and prioritize supervisory techniques and tools to best manage the existing risks in light of these constraints.


Note to learner

Welcome to the ICP 18B: Management of Key Risks module. This is a basic-level module that focuses on each of the key risks faced by an insurer and how they can be managed within the framework described in module ICP 18A, Risk Management Fundamentals. It is recommended that you successfully complete module ICP 18A before studying this module. This module should be useful to new insurance supervisors or experienced supervisors who have not dealt extensively with the topic—or are simply seeking to refresh and update their knowledge.

Start by reviewing the objectives, which will give you an idea of what you will learn as a result of studying the module. Then answer the questions in the pretest to help gauge your prior knowledge of the topic. Proceed to study the module either on an independent, self-study basis or in the context of a seminar or workshop. The amount of time required for self-study will vary but it is recommended that the module be addressed over a short time, broken into sessions on parts if desired.

To help you engage and involve yourself in the topic, we have interspersed the module with a number of hands-on activities for you to complete. These exercises are intended to provide a checkpoint from time to time so that you can absorb and understand the material more readily and can apply the material to your local circumstances. You are encouraged to complete each of these activities before proceeding with the next section of the module. If you are working with others on this module, develop the answers through discussion and cooperative work methods. An answer key is provided in appendix II.

As a result of studying the material in this module, you will be able to do the following:

Insurance Supervision Core Curriculum


1. Explain how an insurer could apply each step of the risk management framework (objective setting, risk identification, risk assessment, strategy planning, risk monitoring, and controlling) to each of the following risks:

a. Underwriting (insurance) risk
b. Credit risk
c. Market risk
d. Operational risk.

2. Provide examples of approaches commonly used by insurers to regularly review the market environment in which they operate in order to identify and draw appropriate conclusions about the risks posed.

3. Discuss the difference between risk control and risk financing and illustrate how each can contribute to the risk management process.

4. Define financial engineering and illustrate its application as a risk management tool.

5. Describe products commonly used for risk management purposes, including

a. Insurance
b. Contingent capital
c. Swaps
d. Securitization.

6. Describe the statistical and analytic techniques commonly used in each step of the risk management framework.

7. Explain what is meant by the term “risk aggregation.”

8. Discuss the relevance of dependency, concentration, and diversification to risk aggregation.


Pretest

Before studying this module on risk management, answer the following questions. The questions are designed to help you gauge your knowledge of ICP 18, Risk Assessment and Management, and the material presented in module ICP 18A, Risk Management Fundamentals, before beginning this module. The answer key is presented in appendix II.

For each of the following questions, circle the correct response(s); there may be more than one correct response.

1. Which of the following statements about risk management are true?

a. Risk management is important in ensuring that an insurer meets its obligations now and in the future.

b. The business of insurance is fundamentally about the management of risk.

c. Like other businesses, insurance is subject to operational risk.

d. Insurance supervisors have identified poor risk management as a leading cause of insolvency.

e. Risk management is important for overall financial system stability.


2. Which of the following are true statements for ICP 18, Risk Assessment and Management?

a. An insurer should identify, understand, and manage the significant risks that it faces.

b. All insurers should establish risk management functions and risk management committees.

c. Ultimate responsibility for the development of best practices and the proper operation of the insurer rests with its senior management.

d. The supervisory authority requires and checks that insurers have in place comprehensive risk management policies and systems.

e. The risk management policies and risk control systems that should be used by an insurer are largely independent of the nature of the insurer’s business.

3. Which of the following pairs of insurance stakeholder and stakeholder interest are appropriately matched?

Stakeholder | Primary stakeholder interest

a. Insurance supervisor | Insurer solvency

b. Insurer board of directors | Good governance

c. Insurer actuaries | Risk compliance

d. Insurer senior management | Risk appetite approval

e. Auditors | Independent review of controls

4. What roles can supervisors play?

a. Understanding the risks faced by an insurer and the manner in which those risks are managed is a major focus of supervision.

b. Supervisors play a critical role in the risk management process by reviewing the monitoring and controls exercised by the insurer.

c. The supervisory authority develops prudential regulations and requirements to contain these risks.

d. Increasingly, supervisors are relying on ex post (after the fact) reviews or disclosures rather than using risk-based supervision with an ex ante (early) detection manner of operation.

e. Supervisors should leave the review of insurer strategies to insurers’ boards of directors but should insist on compliance checklists showing that all risks have been addressed.

f. Boards unwilling to implement appropriate risk management practices pose considerable risk to policyholders, and supervisors should be prepared to consider all options within their legal powers to influence insurers and their boards to take corrective action.


5. Which of the following key insurer risk categories and specific risk types are appropriately paired?

Key risk category | Specific risk type

a. Credit risk | Asset default risk

b. Insurance risk | Asset-liability management risk

c. Market risk | Liquidity risk

d. Operational risk | Counterparty risk

6. Which of the following pairs of risk management statements are appropriately matched?

Framework process | Descriptive element

a. Assess risks | Coherent risk measures

b. Identify risks | Probability and severity

c. Plan strategies | Avoid, retain, reduce, transfer, exploit

d. Control risks | Risk dashboard

e. Monitor risks | Audit and review

7. Which of the following are true statements about the objective-setting phase of risk management?

a. Risk tolerance is the acceptable level of variation around objectives, aligned with risk appetite.

b. Risk appetite is the amount of risk—on a broad level—an entity is willing to accept in pursuit of value.

c. Risk management objectives use mainly quantitative terms (for example, earnings at risk, risk limits).

d. Setting risk appetite requires managing the competing interests of various stakeholders.

e. Responsibility for setting objectives rests with senior management.

8. Which of the following are important issues when aggregating risk exposures within an insurer?

a. Diversification within a risk type

b. Diversification across risk types

c. Group-level diversification

d. Concentration risk

e. Uncertainty risk.

ICP 18B: Management of Key Risks

Basic-level Module

A. Insurer key risks

Risk is the raison d’être for insurance. Through insurance contracts customers seek to transfer financial uncertainties to the insurer in exchange for a set of premiums levied by the insurer. Life insurance contracts provide protection in the event of death, longevity, morbidity, critical illness, or health care costs. Contracts for other types of insurance afford protection against costs or losses to property, for example, owing to contingencies such as fire, theft, accident, and storms. Therefore, it is to be expected that an insurer’s core operations, the estimation of the amount and timing of policyholder payments, and the present value of their amount (taking account of the future costs to administer these obligations) are subject to risk. It is vital that insurers manage the risks inherent in the insurance contracts they assume.

Like any business, the business of insurance involves many functions to be successful. The successful execution of these business functions also entails risk. In this regard, the explanatory note to ICP 18 states:

Some risks are specific to the insurance sector, such as underwriting risks and risks related to the evaluation of technical provisions. Other risks are similar to those of other financial institutions, for example, market (including interest rate), operational, legal, organizational, and conglomerate risks (including contagion, correlation, and counterparty risks).


In other words, insurers are subject to risks inherent in their core business as well as to general business risks applicable to any business. In the rapidly developing field of risk management, there is no single globally accepted manner of naming and categorizing insurer risks. However, there is growing convergence on the key broad categories of insurer risk. The development of a common means of categorizing risks is most important to ensure clarity of communication among insurer stakeholders. Insurer key risks might be categorized under the following major headings:

• Underwriting
• Credit
• Market
• Operational
• Liquidity
• Strategic.

This module introduces the reader to each of the major risk types prevalent in an insurer and the manner in which these risks are typically managed. This module builds on the concepts described in the companion module, ICP 18A, Risk Management Fundamentals. This module also describes the process of integrating and aggregating risk exposures across risk types, products, and geographic areas. At the conclusion of both modules you will have had a comprehensive introduction to risk assessment and management for an insurer.

Commonly used terms

Enterprise risk management

In “Overview of Enterprise Risk Management” (CAS 2004), the Casualty Actuarial Society describes enterprise risk management as “the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risk from all sources for the purposes of increasing the organization’s short- and long-term value to its stakeholders.”

In Enterprise Risk Management—Integrated Framework (2004), COSO (Committee of Sponsoring Organizations of the Treadway Commission) defines enterprise risk management (ERM) as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Non-systematic risk

Non-systematic risk is also known as diversifiable risk or specific risk. It can be reduced or eliminated by aggregating entities that are less than 100% positively correlated with respect to a given risk factor. An entity could be, for example, a financial security, a liability, a corporation, an asset class, or a person’s life. In these examples, the risks could be default, policyholder withdrawals, bankruptcy, return volatility, or mortality, respectively.

Risk

The IAIS Glossary defines risk as being “used to indicate a condition of the real world in which there is a possibility of loss; also used by insurance practitioners to indicate the property insured or the peril insured against.”

The 1995 Standard on Risk Management (ASNZS 4360:1995) released by Standards Australia and Standards New Zealand states that “risk management is as much about identifying opportunities as avoiding or mitigating losses.”

Risk management

The IAIS Glossary defines risk management as “a scientific approach to the problem of dealing with the pure risks facing an individual or an organization, in which insurance is viewed as simply one of several approaches for dealing with such risks.”

The 1995 Standard on Risk Management (ASNZS 4360:1995) released by Standards Australia and Standards New Zealand states that “risk management is as much about identifying opportunities as avoiding or mitigating losses.”

In Enterprise Risk Management (2003), James Lam states “[R]isk management is not only about reducing downside potential or the probability of pain, but also about increasing upside opportunity or the prospects for gain.”

Systematic risk

Systematic risk is also known as non-diversifiable risk or market risk. It is the residual risk that cannot be eliminated by aggregating or pooling the same risk within a given market, but may be further reduced by aggregating the underlying risk with other imperfectly correlated risks in the same market or other imperfectly correlated markets. For example, the relationship between a stock’s return and the return of the stock market as a whole represents that stock’s systematic risk.

Systemic risk

Systemic risk represents the danger that specific local problems may spread more broadly to affect the entire financial system. Examples affecting the banking sector include the liquidity and lending crises that rapidly escalated from local country problems to international crises. A flu pandemic or the failure of a sufficiently large global reinsurer are examples of local problems that might have systemic implications for the insurance industry.

B. Underwriting (insurance) risk

Insurance companies assume risk through the insurance contracts they underwrite. Underwriting risks are those associated with both the perils covered by the specific line of insurance (fire, death, motor accident, windstorm, earthquake, etc.) and the risk mitigation processes used to manage the insurance business. The types of perils that are insurable are limited perhaps only by one’s imagination and the judgment of an insurer that the risk is insurable.

Importance of good data

For each insurable peril it is vital for the insurer to understand the frequency and severity data. For the vast majority of perils, achieving this understanding requires gathering data on both exposure (the amount and number of insurable risks) and claim (the amount and number of claims arising from the exposure base). As mentioned in module ICP 18A, the study of the frequency and severity of claims arising from each peril can be used to prepare a claims distribution. This statistical information provides the insurer with much valuable information about the number and amount of claims arising from each peril (for example, mean, median, standard deviation, coefficient of variance, tail variance) that is used for pricing and valuing those risks.

It is vital that the insurer have as clear an understanding as possible of the key drivers behind each peril. For a peril such as automobile collision, key risk drivers might include the operator’s past accident record, the operator’s driving habits, the type of vehicle, the geographic region, and the demographics of the operator. For traditionally insured perils (such as mortality, disability, longevity, and many products in the personal and commercial lines of non-life insurance), considerable data are available to the insurer either from the insurer’s experience or from broader databases of industry experience. The data must be reliable, credible, and internally consistent. An insurer can gain much insight from such data.

Insurers naturally seek additional data on the risks they insure. A useful and common technique is to combine the data gained from experience studies over several time periods. In so doing, however, the insurer needs to consider the possibility that combining data from additional time periods masks underlying volatility (random fluctuations), trends (such as mortality improvement), or periods of unusual activity (such as a flu epidemic for the peril of mortality, and severe floods in the case of property insurance). Therefore, when assessing experience studies, insurers must consider the implications of prior experience for the future experience of the risks already underwritten, as well as for the future experience of the risks resulting from new business.

Another technique insurers use to gather more data is to consider relevant industry data. This is particularly helpful when the insurer does not yet have sufficient statistically credible data of its own on the peril being insured. However, in selecting this technique, the insurer must consider the many possible differences between industry experience and its own experience (such as the perils being insured, the types of subjects being insured, and the trends inherent in each set of data).

In some situations (for example, a new product, an emerging market), little claims experience may be available to the insurer. In such situations, the insurer must rely on some combination of experience gained in related markets, the experience of local reinsurers, and industry experience (where available). Clearly, where there is a public interest need for these types of insurance products, the local insurance industry should be encouraged to provide such products. The local supervisory authority can be of assistance in supporting or encouraging the development of pools of experience data among insurers and within the local industry. Until credible experience data are obtained, insurers should value these risks conservatively, recognizing the uncertainties they have assumed.

Underwriting process

The gathering of accurate, credible, and relevant data is vital for the underwriting of risks by an insurer. There are many components to the underwriting process. Some of the generic processes involved with underwriting risks are as follows (IAAust 2003, 120):

• Underwriting process risk. Risk from exposure to financial losses related to the selection and approval of risks to be insured.

• Pricing risk. Risk that the prices charged by the company for insurance contracts will be ultimately inadequate to support the future obligations arising from those contracts.

• Product design risk. Risk that the company faces risk exposure under its insurance contracts that were unanticipated in the design and pricing of the insurance contract.

• Claims risk (for each peril). Risk that many more claims occur than expected or that some claims that occur are much larger than expected claims resulting in unexpected losses. This includes both the risk that a claim may occur, as well as the risk that the claim might develop adversely after it occurs.

• Economic environment risk. Risk that social conditions will change in a manner that has an adverse effect on the company.

• Net retention risk. Risk that higher retention of insurance loss exposures results in losses due to catastrophic or concentrated claims experience.

• Policyholder behavior risk. Risk that the insurance company’s policyholders will act in ways that are unanticipated and have an adverse effect on the company.

• Reserving [provisioning] risk. Risk that the provisions held in the insurer’s financial statements for its policyholder obligations (also called claim liabilities, loss reserves, or technical provisions) will prove to be inadequate.

Underwriting risk management framework

This section applies the lessons learned about the general risk management framework in module ICP 18A, Risk Management Fundamentals, to underwriting risk. Sound corporate governance practices are presumed to be in place. To illustrate the concepts in this section, life insurance mortality risk is used as an example.

Set objectives

As with any set of risks, the process of establishing risk-related objectives (that is, risk appetite and risk tolerances) is essential in the development of any business strategy involving underwriting risks.

For life insurance mortality, an insurer might define its risk appetite in terms of

• Population segments in which it is willing to underwrite risks (that is, to focus on countries in which the insurer has experience)

• Maximum amount of life insurance the insurer is willing to underwrite on a single life, on a gross or net (of reinsurance) basis

• Type of underwriting to be used (that is, short form underwriting versus fully underwritten).

The insurer might also define its risk appetite for the life insurance line of business (or other lines of business) in terms of its ability to deliver a target risk-adjusted return on capital. Of course, to be effective, the “return” and “capital” components need to be clearly defined and communicated within the insurer. The return might be based on GAAP after-tax earnings. The capital might be based on risk-based capital appropriate for the risks assumed by the line of business (reflective of all of the risks undertaken by that line of business).

The insurer might further define its risk appetite and tolerance for life insurance mortality risk, using a combination of the following:

• Underwriting approval levels (a set of progressively higher limits for senior underwriters, the underwriting committee, the vice president of underwriting, the CEO, etc.)

• Reinsurance limits (the levels at which reinsurance is required for a life insurance risk)

• Substandard limits (the levels at which the insurer is comfortable underwriting the risk by itself, with the aid of a reinsurer or not)

• Medical condition limits (conditions, such as heart disease, that require a substandard rating or an exclusion)

• Occupation limits (occupations, such as mining, that require a substandard rating or an exclusion)

• Activity limits (activities, such as skydiving, that require a substandard rating or an exclusion).

Various levels within the insurer will be involved in setting the risk appetite and tolerances:

• Board (for overall risk appetite and tolerances)

• Underwriting committee, perhaps consisting of the CFO, CRO, actuary, medical director, senior underwriters, business unit head, etc. (for example, for underwriting policies, high limit approvals, reinsurance limits, and complex underwriting decisions)

• Senior underwriter (for example, for second-level approvals and judgment of risks that require underwriting committee approval)

• Underwriter (for example, for routine and first-level approvals).

Identify risks

When assuming underwriting risk for a specific peril (such as life insurance mortality) it is vital that the insurer capture sufficient relevant information about the characteristics or drivers of that risk, so that a fair price or value can be placed on the risk. The insurer should maintain accurate, reliable, and verifiable systems to administer and track the emerging experience of its risks for purposes of risk management, pricing, financial reporting, policyholder service, and other efforts.

Of course, the primary purpose of insurance is to pool a large number of similar risks so that a fair price (premium) can be levied for each risk (or policyholder) in exchange for a promise from the insurer to pay if the insured peril occurs. The insurer’s ability to determine the similarity of risks (which risk category they fit into) is linked to the insurer’s ability to discern the characteristics or drivers of each risk.

For individual life insurance, an insurer will likely keep a record, for each life insured, of several risk characteristics:

• Name of insured
• Age
• Gender
• Country of residence
• Occupation
• Product type (permanent, term, variable, universal life, etc.)
• Smoking status
• Type of underwriting (nonmedical, medical, short-form, etc.)
• Substandard rating.

If the insurer fails to capture information about key risk characteristics at the time of underwriting, the insurer may inadvertently take on a disproportionate number of policyholders with that risk characteristic. Potential policyholders will naturally select the insurer offering the most favorable price. Taken to an extreme, an insurer may find that its underwriting experience steadily worsens and it may be forced to steadily increase its premium rates. This rate spiral will cause the insurer to become unprofitable and uncompetitive relative to its peers who attract policyholders with more favorable risk characteristics.

The public’s perception of what questions are appropriate and socially acceptable (nondiscriminatory) to ask policyholders at the time of underwriting can change. For example, in recent years policymakers in some jurisdictions have judged that certain insurance products should not differentiate their prices on the basis of gender. If the claims experience differs materially by gender for these products, undifferentiated pricing undermines the fundamental insurance principle of pooling similar risks.

Like any business, insurers are constantly under pressure to innovate by introducing new features, differentiated pricing, and entirely new product introductions. These pressures arise from competitors, customers, sales representatives, and product designers. Unfortunately, the race to innovate frequently precedes the availability of solid data from experience on the risks entailed with these products. Examples of the challenges faced by insurers and supervisors in identifying new risks include the introduction of a “preferred” mortality risk underwriting class and the original versions of the critical illness product in North America.

Insurance supervisors should expect insurers to retain appropriately trained and experienced staff to identify and underwrite the insurer’s insurance risks. Such staff members are arguably the most important risk managers, because the claims experience of the policies they underwrite can affect the insurer’s profitability for years to come.

Assess risks

The management of risk requires a clear understanding or assessment of its impact and behavior. Assessment involves consideration of a risk’s impact through a combination of its

• Probability (likelihood of its occurrence)
• Severity (size if it does occur).

The assessment of underwriting risk is needed for many of the essential operations of an insurer: product design, product pricing, risk management, financial reporting, valuation of insurance liabilities, asset/liability management, etc. Skilled staff in each of these areas have useful perspectives on the assessment of underwriting risks.

Actuaries are skilled at assessing risk, especially underwriting risk. Actuaries are often members of a local actuarial association and are represented internationally by the International Actuarial Association (IAA). Actuaries generally must meet education and examination requirements established by their association and must abide by a code of conduct and binding standards of practice. Some jurisdictions reserve specified roles (such as valuation of insurance obligations) for actuaries.

Underwriting risks quite commonly have a term of many years. Life insurance mortality risk can be limited for a specified number of years in term insurance or be covered for a lifetime in permanent insurance. Therefore, when assessing underwriting risk (for life, health, or non-life insurance), it is frequently more important to understand the present value of the longer-term impact of experience changes than to react to short-term changes in experience. Although a sudden clustering of large life insurance claims will negatively affect the insurer’s earnings in the near term, there may be little future impact if the claims simply reflect normal volatility in experience. If instead they signal an adverse trend in experience, then the assumptions used to value all future claims may need strengthening and the adverse impact on earnings may be much greater.

In assessing underwriting risk, policyholder behavior (rate of policy surrender, rate of policy loans, usage of policy options, payment of premiums, etc.) must usually be taken into account. The modeling of policyholder behavior is a complex topic. It requires considerable skill and care in its evaluation to determine the present value impact of long-term contracts.

When assessing underwriting risk it is frequently important to perform integrated assumption modeling (with all types of risks, not just underwriting risks). A change in one assumption can influence other assumptions, producing a different cumulative present value impact than that of one assumption alone. For example, the investment performance of the assets underlying a variable or unit-linked insurance policy can affect policyholder behavior in terms of their premium payments or their rates of withdrawals. In turn, this altered behavior may change the mix of remaining policyholders so that the mortality assumption for other policyholders is affected.

In the assessment of risk one important area of an insurer is the claims department. Typically responsible for claims approval, the claims department may also provide the first notice of large claims, unusual claim causes, claim epidemics, and the like. However, emerging trends may not always be readily detected without examination of long periods (several months or years) of experience. Typically, such experience studies are conducted by actuaries within the insurer to facilitate the re-pricing of insurance products and the revaluation of technical provisions.

Frequently, the actuary has sufficient exposure and claims experience for an underwriting risk to readily define the claims distribution. From this distribution, the mean claim amount and the various useful risk measures (Tail Value at Risk, standard deviation, etc.) can be estimated. With this knowledge, actual claims can be compared on a regular basis with these risk measures to determine whether additional risk management action is required.
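The comparison of actual claims against risk measures described above can be sketched as follows. This is an added example, not material from the module: the claims history is constructed, and the empirical tail convention, the status thresholds and the three-period persistence rule (a crude stand-in for the volatility-versus-trend distinction drawn earlier in this section) are assumptions.

```python
import statistics

# Constructed history: aggregate claims for 20 past periods, in thousands.
CLAIMS_HISTORY = [410, 385, 402, 440, 395, 420, 378, 465, 405, 398,
                  432, 388, 415, 520, 392, 408, 425, 380, 610, 400]


def risk_measures(history, confidence_pct=90):
    """Estimate mean, standard deviation, VaR and Tail VaR from experience.

    Assumption: the empirical tail is the worst (100 - confidence_pct)% of
    periods; VaR is the smallest loss in that tail and Tail VaR is the
    average loss within it.
    """
    if len(history) < 2:
        raise ValueError("need at least two periods of experience")
    ordered = sorted(history)
    # Integer arithmetic avoids float rounding when sizing the tail.
    tail_n = max(1, len(ordered) * (100 - confidence_pct) // 100)
    tail = ordered[-tail_n:]
    return {
        "mean": statistics.mean(ordered),
        "std_dev": statistics.stdev(ordered),  # sample standard deviation
        "var": tail[0],
        "tvar": statistics.mean(tail),
    }


def assess(actual, measures):
    """Classify one period's actual claims against the risk measures.

    Returns (status, actual-to-expected ratio). The three statuses are
    hypothetical labels chosen for this example.
    """
    a_to_e = actual / measures["mean"]
    if actual >= measures["tvar"]:
        status = "tail event"
    elif actual >= measures["var"]:
        status = "review"
    else:
        status = "expected"
    return status, a_to_e


def persistent_excess(recent, measures, run_length=3):
    """True when each of the last `run_length` periods exceeds the mean.

    Assumption: a run of above-mean periods is treated as a possible
    adverse trend rather than normal volatility; one large period is not.
    """
    last = recent[-run_length:]
    return len(last) == run_length and all(x > measures["mean"] for x in last)


if __name__ == "__main__":
    m = risk_measures(CLAIMS_HISTORY)
    print(m)
    for actual in (430, 530, 600):
        print(actual, assess(actual, m))
    print(persistent_excess([430, 450, 445], m))
```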

Risk assessment requires studying the volatility, uncertainty, and catastrophic elements of each risk. Risk assessment also requires a clear understanding of the root cause or drivers of each risk. Insurers should employ skilled risk specialists, such as actuaries, who have the expertise to address these topics on a daily basis.

The sophistication of the risk measures used by insurers to assess their risks varies considerably, from simple standardized formulaic techniques to sophisticated stochastic models requiring highly trained specialists. For risks that are well understood in the industry, fairly simple, and not material to the insurer, simple standardized formulaic requirements are likely appropriate. For complex risks with considerable “tail” risk (unit-linked annuity products with material maturity amount guarantees if the underlying asset values fall before maturity), it is inappropriate for the insurer to assume these risks without using appropriate advanced expertise and systems to assess and manage them on a regular basis. Therefore, a smaller insurer can use standardized approaches for its simpler risks, but it should be required to use an appropriate (advanced) level of expertise for any complex risks it assumes.

The supervisory authority should work with the insurance industry to determine guidelines for appropriate types of risk measures and assessment. An example is Prudential Standard GPS 220: Risk Management from the Australian Prudential Regulation Authority (APRA 2006), on risk management for general insurers.

Plan strategies—an introduction

The need to manage underwriting risk is driven by some combination of the insurer’s risk appetite and risk tolerances, the risk versus reward tradeoff of potential risk responses, the degree to which a response will reduce the risk’s severity or probability, and the impact of the response on the business unit’s return on equity.

As described in module ICP 18A, the general strategies for managing risk fall into five major categories:

• Avoid—eliminate, stop, prohibit, or sell the risk exposure
• Retain—accept and self-insure the risk exposure (perhaps by integrating it with other risks or by diversifying risks)
• Reduce—mitigate or cap portions of the risk exposure
• Transfer—reinsure, hedge, securitize, or outsource the risk exposure
• Exploit—expand and diversify the risk exposure.

The insurer tries to select the optimal combination of strategies from these categories. Some of the examples in module ICP 18A used underwriting risk to illustrate their operation. Generally, all these strategies, except for risk transfer, depend solely on the actions of the insurer. Risk transfer uses a counterparty to assume some or all of the risk. In most cases, the policyholder relationship is unaffected by risk transfer. However, if the counterparty fails to perform, there are financial repercussions on the insurer and if any element of policyholder service is outsourced, policyholder relations may also be affected.

Whichever strategies are adopted by an insurer in managing its risks, the insurance supervisor should expect the insurer to demonstrate

• A sound level of understanding of the underlying risks as well as the risks entailed in the strategies adopted

• An appropriate level of expertise to manage the strategy adopted based on the complexity of the risks and strategies (for example, the use of professional reinsurers is a common strategy for transferring risk for all sizes of insurers, whereas the use of a dynamic hedging strategy requires sophisticated employee or external consultant expertise and software).

Plan strategies—reinsurance

Reinsurance is one of the most important risk management tools available to all types of insurers. Reinsurance companies are specialized insurers that assume risk from direct writing insurers. Reinsurance refers to insurance purchased by an insurer to provide protection against some or all of certain risks (primarily, but not only, underwriting risks) of the insurance policies issued by the insurer. In exchange for assuming these risks, the reinsurer receives payment in the form of reinsurance premiums or allowances from the direct writer of the business, the insurer. (See module ICP 19B, Reinsurance, for a more complete discussion.)

In a reinsurance arrangement, the insurer cedes risks to the reinsurer. Reinsurers can do the same thing by a retrocession to other reinsurers. Reinsurance is purchased for several reasons:¹

• Increase new business capacity. One of the most common reasons for purchasing reinsurance is to enable an insurer to issue larger insurance policies than it would prudently issue on its own, because the reinsurance will reduce the impact of several large claims occurring in a short period of time.

• Limit catastrophic claims. Catastrophic coverage generally provides for the reinsurer to pay claims in excess of a certain limit, subject to a minimum number of claims and a maximum amount of reinsurance per event. This coverage provides protection against concentrated claims arising from a single event (such as storms, earthquakes, and plane crashes).

• Limit total claims. Some insurers, especially smaller ones, need stop-loss reinsurance to limit the aggregate cost of claims in a given year.

• Transfer investment risk. Insurers may reinsure a block of business to effect a transfer of investment risk from the insurer. This can occur because of the growth of interest-sensitive life and annuity products, either to take advantage of reinsurer asset management capabilities or to avoid a large concentration of assets arising from a single product or annuity.

• Gain product expertise. On entering a new product, territory, or line of business, an insurer may request the assistance of a reinsurer with experience in that market. In exchange for its advice, the reinsurer will participate through reinsurance in the future profitability of the business sold.

• Gain underwriting advice. One benefit that reinsurers provide is their experience in underwriting. This can prove valuable during the design, pricing, and underwriting of products, especially new, novel, large, or complex ones.

• Divest a product line. An insurer wishing to exit a certain business, product, or territory may choose to cede that business through an assumption reinsurance agreement or through indemnity reinsurance.

• Manage financial results. Insurers may be able to use the financial reporting impact of reinsurance agreements to achieve earnings and surplus objectives and also to minimize taxes.

¹ Refer to Tiller and Tiller (1995) for a discussion of reinsurance.

The most important types of reinsurance are as follows:

• Indemnity/assumption. A reinsurance agreement between an insurer and a reinsurer is called a reinsurance treaty. Most treaties are called indemnity agreements. Such agreements are binding only for the companies. The policyholders of the insurer have no contractual relationship with the reinsurer. Assumption reinsurance entails the permanent transfer of insurance liabilities to the reinsurer. Policyholders are notified that the assumption reinsurer has assumed legal responsibility for the business and that all future premiums and claims are the responsibility of the assumption reinsurer.

• Proportional/nonproportional. Reinsurance may be offered on either a proportional or a nonproportional basis. Proportional reinsurance provides for the cession of a portion of the coverage through a formula based on the ceding insurer’s retention limit (for example, all amounts of life insurance in excess of the insurer’s retention limit will be reinsured). Common proportional reinsurance techniques include traditional coinsurance, for life insurance products with a savings element, whereby all risks and policy elements are shared with the reinsurer, including the investment risk; modified coinsurance, similar to traditional coinsurance except that the insurer retains the investment risk; and yearly renewable term (YRT) cover, whereby the insurer reinsures a specific risk, such as mortality, in exchange for a YRT premium. Nonproportional reinsurance provides protection that depends on the claims amount experienced (for example, stop-loss or catastrophe reinsurance).

• Automatic/facultative. An automatic reinsurance treaty allows an insurer to automatically cede risks in excess of its retention limit to its reinsurer, subject to predetermined conditions. Facultative treaties require that the reinsurer approve each risk before assuming any liability for it. Facultative treaties tend to be used for larger risks that are more complex to underwrite.

• Excess/quota share. Excess treaties provide for risks in excess of the schedule of retention limits to be reinsured. Quota share treaties provide for a fixed percentage of each risk to be reinsured.
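To make the difference between these treaty types concrete, the following added example (not part of the module) splits the same claims between insurer and reinsurer under a quota share treaty, an excess treaty, and an excess treaty with stop-loss cover on top. The portfolio and all parameters are constructed; sharing each claim in the same proportion as the sum insured under the excess treaty, and capping the stop-loss recovery at a limit, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    policy_id: str
    sum_insured: int  # amount of insurance, whole currency units
    claim: int        # claim paid in the year (0 if no claim)


# Constructed portfolio: five life policies, three of which became claims.
PORTFOLIO = [
    Risk("P1", 100_000, 100_000),
    Risk("P2", 250_000, 0),
    Risk("P3", 1_000_000, 1_000_000),
    Risk("P4", 50_000, 0),
    Risk("P5", 500_000, 500_000),
]


def quota_share(risks, ceded_pct):
    """Quota share: a fixed percentage of each risk is reinsured.

    Returns one (retained, ceded) pair per risk.
    """
    splits = []
    for r in risks:
        ceded = r.claim * ceded_pct // 100
        splits.append((r.claim - ceded, ceded))
    return splits


def excess_of_retention(risks, retention):
    """Excess treaty: the amount of each risk above the retention is reinsured.

    Assumption: a claim is shared in the same proportion as the sum insured.
    """
    splits = []
    for r in risks:
        if r.sum_insured <= 0:
            raise ValueError(f"{r.policy_id}: sum insured must be positive")
        excess = max(r.sum_insured - retention, 0)
        ceded = r.claim * excess // r.sum_insured
        splits.append((r.claim - ceded, ceded))
    return splits


def totals(splits):
    """Total retained, total ceded, and the largest single retained claim."""
    retained = sum(s[0] for s in splits)
    ceded = sum(s[1] for s in splits)
    return retained, ceded, max(s[0] for s in splits)


def stop_loss(aggregate_retained, attachment, limit):
    """Stop-loss: reinsurer pays aggregate claims above the attachment point.

    Assumption: the recovery is capped at `limit`. Returns (net, recovery).
    """
    recovery = min(max(aggregate_retained - attachment, 0), limit)
    return aggregate_retained - recovery, recovery


def compare_programs(risks, qs_pct, retention, attachment, limit):
    """Net position of the insurer under each structure, on the same claims."""
    qs_net, qs_ceded, qs_max = totals(quota_share(risks, qs_pct))
    xs_net, xs_ceded, xs_max = totals(excess_of_retention(risks, retention))
    sl_net, sl_recovery = stop_loss(xs_net, attachment, limit)
    return {
        "gross": sum(r.claim for r in risks),
        "quota_share": {"net": qs_net, "ceded": qs_ceded, "largest": qs_max},
        "excess": {"net": xs_net, "ceded": xs_ceded, "largest": xs_max},
        "excess_plus_stop_loss": {"net": sl_net,
                                  "ceded": xs_ceded + sl_recovery},
    }


if __name__ == "__main__":
    result = compare_programs(PORTFOLIO, 40, 200_000, 400_000, 1_000_000)
    for name, figures in result.items():
        print(name, figures)
```

On this portfolio the quota share treaty still leaves the insurer with 600,000 of the largest claim, whereas the excess treaty caps every retained claim at the 200,000 retention.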

According to the Institute of Actuaries of Australia (IAAust) (with some editing for emphasis),

From the perspective of the insurer, the direct writer of insurance policies, reinsurance provides for a transfer of risk to the reinsurer. The extent of the transfer depends on the specifics of the reinsurance agreement or treaty. It is important to note that reinsurance also creates risk for the insurer. The insurer must carefully evaluate these risks:

• Reinsurance exposes the insurer to the risk that the reinsurer defaults on its obligations through insolvency. Depending on local legislation or case law, the insurer may find that many other classes of creditors will rank higher for distribution of proceeds from the liquidated reinsurer.

• The terms of the reinsurance agreement may not match exactly those of the underlying insurance contracts.

• Heavy reliance on reinsurance may expose the insurer to increased costs in tightening reinsurance markets.

Beyond all of the risks normally associated with being an insurer, a reinsurer faces some unique challenges. Reinsurance products are difficult to price (especially in the general insurance market, where there are often complicated layers of reinsurance cover) owing to the limited data available on which to base the pricing. Additional risk arises in general insurance from the low claim frequency and high claim severity of many reinsurance coverages and from the lengthy time delays between the occurrence, reporting and settlement of many covered loss events (CAS 2001). It is especially important for the reinsurer to understand the insurer’s target market, its pricing, and all of the layers involved in its reinsurance program. In addition, the reinsurer is exposed to the risk of default by the ceding insurer. Depending on local legislation or case law, the reinsurer may find that many other classes of creditors will rank higher for distribution of proceeds from the liquidated insurer. Potentially critical to the reinsurer in this circumstance is the legal right (allowed in some cases) to offset any funds it owes to the liquidator by the amounts which the ceding insurer owes it.

Reinsurers must monitor the profile of their insurance risks very carefully, for precisely the reasons that they were ceded in the first place. They will often retrocede a high proportion of the risks and, in turn, accept retrocessions from other reinsurers. Some of the most complex and significant risks thus become spread over a very large number of reinsurers in what is almost a reverse form of pooling. This is why major disasters seem to affect all major reinsurers, no matter where they are based. (IAAust 2003, 126-7)

Additional useful references on reinsurance include A Global Framework for Insurer Solvency Assessment (IAA 2004) and Prudential Standard GPS 230 Reinsurance Management (APRA 2006a).

Plan strategies—policy adjustability or pass-through features

Another form of risk transfer applicable for some types of insurance products is the ability to share emerging experience with policyholders. This ability is constrained or permitted by the provisions of the insurance contract, competition from other insurers, and policyholders’ expectations.

An example of such a product is a participating (sometimes called “with profits”) insurance policy. In its life insurance form, policyholders pay a higher premium than for a comparable nonparticipating insurance policy, in exchange for receiving an annual experience dividend (or bonus). The size of the dividend depends on the contributions made by the policyholder through increased premiums and on the experience of the insurer. Dividends are not guaranteed, but an insurer’s past practices and sales illustrations can create policyholder expectations.

An example of useful supervisory guidance in this area is provided by the U.K. Financial Services Authority in its Conduct of Business (COB) 6.10, Principles and Practices on Financial Management. (See ICP 25, Consumer Protection, and the related module for more information on communication with policyholders.)

Although these adjustability or pass-through features permit insurers to transfer or share risk with policyholders, insurers that deviate significantly from policyholder expectations or the practices of competing insurers risk confusing, alienating, or even angering their policyholders. In extreme cases, class action lawsuits brought by policyholders can cause an insurer both financial loss and loss of reputation.

Many types of insurance products have some degree of product adjustability or pass-through of emerging experience feature, regardless of whether they are called participating, variable, unit-linked, adjustable nonparticipating, or other names. Regardless of the type of policy, the best insurer practices entail:

• Clear communication between the insurer (and intermediaries) and the policyholder regarding the nature of the adjustability or pass-through feature

• Clear communication between the insurer (and intermediaries) and the policyholder regarding how the insurer will act in the face of emerging experience

• Development of insurer policies related to the operation of these product features at the board level

• Well developed internal studies of emerging experience for these products, such as sophisticated contribution analyses (asset share or embedded value analyses)

• Formalized or written communications to policyholders regarding their emerging experience.

Monitor risks

The monitoring of underwriting risks depends on the timely availability of accurate data on the insurer’s exposure to each risk, as well as frequency and severity data for related claims. Skilled risk professionals seek to establish a statistically credible pool of experience. Where that is not possible, they seek industry experience from similar risks to supplement the insurer’s experience.

The risk professionals seek to understand the determinants of each risk, their expected values, their (statistical) volatility, their inherent trends (for example, rate of improvement in mortality), uncertainty risks, etc. They compare the insurer’s emerging experience against that assumed at the time of product pricing, the experience expected from a prior period, or the experience of other insurers for similar risks.

For individual life insurance, larger insurers often conduct regular annual experience studies of mortality, withdrawals, and expenses. Actual experience can then be compared with expected experience. It is important that these experience studies include sufficient detail by product, size of policy, age, gender, and duration, so that appropriate risk management decisions can be made.

Monitoring claims experience helps the insurer make necessary modifications to its pricing, underwriting, provisioning, or claims management practices to better manage its risks and to be alert to emerging trends as early as possible.

Control activities

The underwriting risk management framework would not be useable, reliable, or effective without an appropriate set of control activities. Some examples of needed control mechanisms follow.

• Organization structure. Effective underwriting risk management requires the presence of an enabling corporate structure, typically requiring overall board responsibility for ERM, and including a CRO reporting to the CEO or CFO. It also requires the formation of executive and business unit underwriting committees to develop, maintain, and monitor underwriting risk policies, limits, and approvals. Vital to controlling underwriting risk exposures is a skilled team of risk professionals, typically involving actuaries at a senior level within the insurer.

• Objectives. The insurer’s board should establish overall risk appetite and risk tolerance objectives for the insurer and all its business units. The detailed list of risk measures to be used by the insurer to track its progress should also require board approval. The insurer’s appetite for underwriting risk can be measured in several ways—for example, through premium volume, policy liabilities, or a form of value at risk.

• Approvals. The insurer should be expected to establish appropriate approval levels throughout the steps of the underwriting risk management framework. Those entrusted with approval authority must have appropriate experience and training to fully appreciate the possible consequences of their decisions (financial and organizational impacts on their own areas as well as on the entire company). Key underwriting approvals relate to experience rating decisions (declinations as well as claims approvals or denials). Other decisions relate to product repricing and changes to adjustable product features (for example, dividend scale changes).

• Limits. The insurer should be expected to establish appropriate limits on the risk decisions made by its managers, to control its exposure to risks. The ability of all key processes to operate within agreed limits and authorities must be monitored and exceptions examined for their causes and significance.

• Training and communication. The insurer should have regular programs for providing relevant staff training and ensuring that all underwriting risk management staff members have an appropriate level of awareness of the risk management policies and practices relevant to their business. The insurer should ensure that the level of training (especially for those involved with highly complex risks) is commensurate with industry and supervisory standards for such responsibilities.

• Change controls. Risk management depends on the consistent assessment of risks over time. Any change in source data, experience, models, assumptions, or the like should be subject to appropriate change control procedures so that their impact does not cloud a true assessment. Such changes can occur from a natural desire to better meet the insurer’s performance (for example, return on equity) targets.

• Models. It is common for insurers to use models to assess and manage material or complex risks. To avoid these models being viewed as a “black box,” insurers should be able to document and describe the key model assumptions, methods, and output. The models should be used regularly in the insurer’s operations. The models should also be subject to validation and review by knowledgeable internal and external professionals. The models should conform to all relevant industry and supervisory norms and standards.

• Audit and review. All key processes of the insurer must be subject to periodic independent review by appropriate experts. An insurer’s internal audit function plays a key role in this regard and should report directly to the board on these matters on a routine basis. In addition, several of the insurer’s key internal processes may involve significant judgment, outsourcing, or expert systems, necessitating specialized independent (and perhaps external) reviews of specific aspects of the insurer’s operations.

Exercises

1. Which of the following are important considerations in the review of data used to assess the experience from underwriting risks?

a. Accuracy of the data

b. Credibility of the insurer’s data

c. Relevance of industry data

d. Underlying volatility, uncertainty, and extreme events in a multiyear study

e. Relevance of experience for the future.

2. Which of the following underwriting risk processes and descriptions are properly matched?

| Process | Description |
|---|---|
| a. Underwriting process | Selection and approval of risks to be insured |
| b. Pricing | Prices prove inadequate |
| c. Product design | Implications of design not understood |
| d. Claims | Provisions for claims prove inadequate |
| e. Policyholder behavior | Actions adversely affect insurer |
| f. Provisioning | Frequency and severity are greater |

3. Which of the following are true statements for underwriting risk?

a. When assessing underwriting risk it is frequently important to perform integrated assumption modeling. A change in one assumption can react with other assumptions, producing a different cumulative present value impact than that of the single assumption alone.

b. The modeling of policyholder behavior is a complex topic, requiring considerable skill and care in its evaluation to determine the present value impact of long term contracts.

c. Products containing adjustability or pass-through of emerging experience features require little in the way of communication between the representatives of the insurer and the policyholder.

d. From the perspective of the insurer, the direct writer of insurance policies, reinsurance frequently provides a complete transfer of risk to the reinsurer.

e. Failure to capture a key risk characteristic at the time of underwriting will result in the insurer assuming a disproportionate number of risks with that characteristic, as potential policyholders naturally select the insurer offering the most favorable price.

4. Which of the following are among the common reasons for using reinsurance as a strategy for mitigating underwriting risk?

a. Limit claims

b. Acquire new blocks of business

c. Increase new business capacity

d. Gain product expertise

e. Gain investment expertise

f. Gain underwriting expertise

g. Financial result management.


C. Credit risk

Defining credit risk

Credit risk is the inability or unwillingness of a counterparty to fully meet its on- or off-balance sheet contractual financial obligations. The counterparty could be an issuer, a debtor, a borrower, a broker, a policyholder, a reinsurer, or a guarantor.

The IAIS defines credit risk as “the risk that a counterparty to the insurer is unable or unwilling to meet their obligations causing a financial loss to the insurer. Sources of credit risk include investment counterparties, policyholders (through outstanding premiums), reinsurers, and derivative counterparties.”

Note that intermediaries can also be a potential source of credit risk to the extent that they do not properly forward policyholder premiums to the insurer. This risk can be particularly important for non-life insurers, where insufficient attention to outstanding premium levels can threaten the solvency position of the insurer.

A useful reference for this section is the IAIS Guidance Paper on Investment Risk Management (2004b).

Credit risk has traditionally been associated with assets. However, it can exist for any set of projected future cash flows. Credit risk is therefore also important in assessing the true relief provided by a counterparty to an insurance transaction, such as a reinsurer or a party to whom the insurer has outsourced some work functions.

Credit risk can be reflected in the present value of a set of cash flows, either implicitly through a credit risk spread incorporated in the discount rate or explicitly through modeling of the cash flows themselves.

The market value of a stream of projected future cash flows (say, a bond) reflects the current market view of (among many things) the credit risk of the provider of the cash flows. Such a view might reflect a variety of information available to the market about the bond issuer, such as credit ratings provided by various agencies. Necessarily, such a view will likely reflect the current financial position of the issuer as well as the current economic environment. Such a view will consider the possibility of the issuer slipping in its ratings (and its ability to pay) as well as the probability of default and the amount of loss given that default occurs.

The Basel Committee for Banking Supervision sets international standards regarding the capital requirements for banks. Its April 2003 document, The New Basel Capital Accord, contains extensive materials related to the determination of credit risk capital requirements, including both standardized and advanced approaches. The IAA has recommended that similar approaches be used for insurers.

Credit risk management framework

This section applies the lessons learned about the general risk management framework to credit risk. Sound corporate governance practices are presumed to be in place.

Set objectives

As with any set of risks, establishing risk-related objectives (risk appetite and risk tolerances) is essential in the development of any business strategy involving credit risks.

An insurer might define its credit risk appetite in terms of

• Asset classes in which it is willing to invest (government and corporate bonds, mortgages, equities, etc.)

• Type of credit activity, collateral security, or real estate and type of borrower

• Range of exposures in each asset class (for example, government bonds 10–20%, marketable corporate bonds 20–40%, mortgages 10–30%, equities 5–10%)

• Maximum exposure to a given credit, issuer, industry sector, or counterparty (chosen to limit the possible impact of a default on the surplus of the insurer)

• Transactions or exposures involving connected or related entities.

The insurer might also define its risk appetite for credit risk in terms of a broader ability to deliver a target total return in excess of risk-free rates of return (for assets invested generally) or to deliver a total return in excess of various benchmark indices (for investments supporting variable or unit-linked policies).

The insurer might further define its risk appetite and tolerance for credit risk in a number of ways using a combination of the following:

• Credit approval levels (a set of progressively higher limits for investment managers, senior investment officers, the vice president of investments, and the CEO)

• Portfolio limit approvals (required to increase the size of an asset class, exposure to a given credit, etc.)

• Target credit quality (expected average credit quality for debt instruments—perhaps single A quality)

• Minimum credit quality limits (for example, debt securities of all types must be no lower than triple BBB quality).

Various levels within the insurer will be involved in setting the credit risk appetite and tolerances:

• Board (for example, for overall risk appetite and tolerances)

• Chief Investment Officer (CIO)

• Investment committee, perhaps consisting of insurer’s senior investment staff, CFO, CRO, actuary, business unit representatives, etc. (for example, to monitor credit risk experience across business units and to develop related policies and practices across business units)

• Senior investment staff (for example, first-line decisions regarding credit risk).

Identify risks

Credit risk is assumed whenever the insurer selects investments to support its policyholder obligations and its surplus or when it selects a counterparty for some of its activities. When assuming credit risk, it is vital that the insurer capture sufficient relevant information about the characteristics or drivers of that risk to manage the risk properly.

The principal sources of credit risk are:

• Direct default risk. Risk that a firm will not receive the cash flows or assets to which it is entitled because a party with which the firm has a bilateral contract defaults on one or more obligations.

• Downgrade or migration risk. Risk that changes in the possibility of a future default by an obligor will adversely affect the present value of the contract with the obligor today.

• Indirect credit or spread risk. Risk due to market perception of increased risk (i.e., perhaps due to business cycle or perceived creditworthiness in relation to other market participants).

• Settlement risk. Risk arising from the lag between the value and settlement dates of securities transactions.

• Sovereign risk. Risk of exposure to losses due to the decreasing value of foreign assets or increasing value of obligations denominated in foreign currencies.

• Concentration risk. Risk of increased exposure to losses due to concentration of investments in a geographical area or other economic sector.

• Counterparty risk. Risk of changes in values of reinsurance, contingent assets and liabilities (i.e., such as swaps that are not otherwise reflected in the balance sheet). (IAA 2004, 29)

The insurer should maintain accurate, reliable, and verifiable systems to administer and track the performance of its assets and counterparties to manage its credit risks for purposes of asset valuation, measurement of investment returns, financial reporting, and the like. The exact nature of the data to be maintained will vary by specific asset class but for debt instruments might include

• Details of the loan amount, repayment terms, and effective interest rate

• Specifics of the collateral security behind each loan. In the case of real estate or mortgages this entails specific detail about the nature of the underlying property, its location, type of business, etc.

• Certain financial information from the borrower to ascertain the borrower’s ability to make all payments when due

• Credit rating of the borrower, either as determined by a rating agency or as determined by the insurer through a similar process

• Repayment history.

Assess risks

As described earlier, the management of credit risk requires a clear understanding and assessment of its impact and behavior. Assessment involves considering the impact of credit risk through a combination of its

• Probability (likelihood of its occurrence)

• Severity (its size in the event that it does occur).

The assessment of credit risk is needed for many of the essential operations of an insurer—investment, product design, product pricing, risk management, financial reporting, valuation of insurance liabilities, and asset-liability management. Skilled staff from each of these areas of the insurer have useful perspectives on the assessment of credit risks.

According to the IAA,

In general, life and health insurers purchase assets to support their liabilities. Historically this has not been true for non-life insurers where there has been a tendency for insurers to manage separately the results from underwriting and investments. While all of the assets of an insurer are available to provide against adversity, it is common risk management practice for insurers to implicitly or explicitly allocate their assets for one of the following purposes:

• Support insurance contract liabilities

• Represent economic capital

• Represent free surplus.

The allocation of assets to support specific policy liabilities is especially important for those insurance products whose performance depends directly on the performance of the underlying assets. In situations where the asset performance is shared directly or indirectly with the policyholder, then the impact of credit losses can also likely be shared in a similar manner. Such credit must take into account policyholders’ reasonable expectations in this regard as well as the insurer’s practices in sharing such experience with policyholders.

Sizeable portions of an insurer’s liabilities can have durations comparable to readily available high-quality liquid assets in the local market. In these situations it is possible to select assets whose cash flows can provide a very close match to the liability cash flows. In other words, a replicating portfolio of assets is available in the market. In this situation, credit risk focuses on the actual assets held and the ability of the insurer to manage its credit loss position within the replicating portfolio horizon. This type of credit risk will be called Type A risk.

The long-term duration of some insurance (especially life insurance) liabilities requires the consideration of long-term reinvestment of existing assets since a replicating portfolio of assets of sufficient duration may not be currently offered in the market. For this type of business appropriate account must be taken not only of credit risk in current assets (Type A credit risk) but also the credit risk involved with future reinvested assets as well. This latter aspect of credit risk will be called Type B risk. Assessing Type B credit risk entails considerable uncertainty about the composition of the replicating portfolio and the manner of its reinvestment to mature the underlying cash flows. The length of the reinvestment period may extend through several economic periods. (IAA 2004, 146)

Allowance for Type A credit risk can be made through specific asset (loan loss) provisions, through conservative valuation of the assets (for example, at market value, reflecting higher credit spreads), and through credit risk provisioning in the policy liabilities (that is, through conservative choice of the discount rate used in their valuation). Allowance for Type B credit risk can be made only through the policy liability discount rate.

Some considerations in the assessment of credit risk:

• Credit quality. Credit quality of an investment or an enterprise refers to the probability that the issuer will meet all contractual obligations. This assessment normally occurs at both the initial investment and at each renewal point. [For debt instruments] one of the common measurements used in assessing credit quality is the rating assigned to the issuer. A variety of ratings agencies provide these assessments to the public, giving the investor a perceived level of confidence in the issuer’s ability to make good on the repayment schedules to which it is committed.

• Maturity. The longer the term to maturity of an investment, the longer even a high-quality issuer has to potentially deteriorate.

• Concentration by industry. Conditions that trigger credit events have a tendency to impact on the entire economy simultaneously. Within this general characteristic, however, the impact of economic development often varies between sectors of the economy. Within a sector, however, there tends to be uniformity between the entities participating in that sector. Degrees of separation within a sector will exist, but these are on a smaller scale than those that normally occur between sectors.

• Concentration by geography. Credit risk has been shown to carry a large degree of contagion. Periods of relatively few credit events are followed by periods where default experience is extremely high. Similarly, economically depressed regions tend to produce high levels of default experience in comparison with more prosperous areas. That these regions can and do change over time creates a challenge to the process of credit risk analysis.

• Size of expected loss. The size of loss due to a credit event can vary widely, from loss of some or all of the return on an investment to loss of some, or all, of the inherent principal. Losses can also occur from a delay in the timing of a scheduled payment, causing either a loss of return during the deferral period, a reduction in available reinvestment rate during the deferral period, or both. When a scheduled payment is delayed for any reason, there is also the potential for an associated loss if the payment were needed to match a scheduled outflow. The investor would then be required to make good on its obligation by borrowing or selling other assets. They might need to delay payment of their own scheduled obligation, possibly incurring a penalty. (IAA 2004, 146; original source: Canadian Institute of Actuaries. 2003. “Report of the CIA Sub-Committee on Credit Risk”. October. Available only in the members section of the CIA website.)

An additional consideration in the assessment of credit risk is cyclicality. This refers to the tendency for credit losses to increase or diminish with each economic cycle. Provisioning for credit risk should take into account the insurer’s expected future position in the economic cycle. Frequently, higher credit losses are associated with a weakened economic situation; both the frequency and severity of default losses increase with a worsening economy.

Key to the assessment of credit risk is the rating of all exposures for their quality (the probability that the issuer of the exposure will meet its contractual obligations). For publicly traded exposures (such as corporate bonds), the ratings are assigned by various commercial rating agencies. For other credit exposures (such as mortgages), the insurer must develop a comparable internal rating process.

Once the ratings have been determined, commercially available credit risk software can assist the insurer in making provision for future credit risk events.

Plan strategies

Important in the insurer’s management of credit risk is a combination of sound underwriting practices and appropriate lending limits.

A broad definition of hedging strategies used to offset credit risk includes

• Letters of credit

• Contingency deposits

• Securitization of mortgages (mortgage-backed securities)

• Securitization of other assets (asset-backed securities)

• Credit derivatives

• Credit default swaps

• Total return swaps

• Collateralized debt obligations

• Credit-linked notes

• Credit spread options

• Basket derivatives.

The investment performance features of some insurance products also permit some or all credit losses for assets deemed to be used to support the policyholder obligations of specific blocks of insurance products. (IAA 2004, 147)

However, if a full pass-through of credit losses is not required by the terms of the product, policyholders’ reasonable expectations will be relevant.

The insurer should have appropriate contingency plans to deal with worsening credit situations in a timely and disciplined manner. The assessment and management of distressed assets as well as the use of several of the credit-related strategies described above may require additional or specialized skills for effective management.

Monitor risks

Important tools to monitor credit risk include

• Detailed reporting of new credit risk exposures assumed or purchased

• Summary of all credit exposures assumed by rating

• Exception reports identifying issuers whose rating has changed

• Watch list reports for those exposures exhibiting early signs of distress

• Delinquency reports for exposures in default.

Insurance supervisors should expect insurers to have sound procedures for selecting, rating, and monitoring all credit risk exposures. These rating systems should be subject to periodic audit and expert external review. This includes insurer research (or access to appropriate outside expert advice) into relevant credit risk trends for the exposures assumed. Insurance supervisors should also expect close control and preventive actions for all emerging credit risk events.

Control activities

The control activities needed for credit risk are generally similar to those needed for other key insurer risks (as described earlier for underwriting risk). The following are specific differences.

• Organization structure. Effective credit risk management requires the presence of an enabling corporate structure. This typically entails overall board responsibility for ERM, a CRO reporting to the CEO or CFO and the formation of a senior-level credit risk committee (typically chaired by the CIO; the CEO and CFO are often members) involving the lead credit risk specialists for each major asset class. The committee develops, maintains, and monitors the insurer’s credit risk policies, authorities, limits, and experience. Leading life insurers also maintain committees at the executive and business unit levels for asset-liability management (ALM). These committees develop, maintain, and monitor ALM risk policies, limits, and approvals. These asset-liability committees (ALCOs) bring together the top asset and liability managers to coordinate their actions. Credit risk is one of the risks discussed in an ALCO.

• Objectives. The insurer’s board should establish overall risk appetite and risk tolerance objectives for the insurer’s credit risk. The foremost asset objective for an insurer is to decide whether it will be an asset-driven or a liability-driven company. Insurers tend to be liability driven, in that assets are selected after insurance contracts are issued and the initial premiums deposited. Other important objectives address permissible asset classes, target ranges of investment in those classes, average credit quality, etc. The detailed list of credit risk measures to be used by the insurer to track its progress also requires board approval.

• Approvals. The insurer should establish appropriate approval levels throughout the asset selection and credit risk review steps, as well as the entire credit risk management framework. Those entrusted with approval authority must have appropriate experience and training to fully appreciate the possible consequences of their decisions (financial and organizational impacts on their own areas as well as on the entire company). Key credit risk approvals relate to the purchase of each asset, subsequent credit review of the asset, and actions taken to address events related to credit risk.

• Limits. The insurer should establish appropriate limits on the risk decisions made by its managers to control its exposure to credit risk. Typical of these limits might be those restricting the amount committed to any one borrower, to an industry, or to a geographic region. Limits might also be imposed for the maximum and minimum exposure in a given asset class. A limit might also be imposed on the minimum credit quality for each asset before it is sold. The ability of all key processes to operate within agreed limits and authorities must be monitored and exceptions examined for their cause and significance. The observation of any investment limitations imposed by legislation must also be monitored.

• Training and communication. The insurer should have regular programs for providing relevant training of its staff and ensuring that all credit risk management staff have an appropriate level of awareness of the credit risk management policies and practices relevant to their business. Specifically, the insurer should not purchase assets from a class for which it does not have relevant expertise. Liability product managers should have appropriate training and experience of the risks entailed with any asset class they intend to select under ALM to support their products.

• Audit and review. All key credit risk processes (especially underwriting new assets and rating credit) must be subject to periodic independent review by appropriate experts. An insurer’s internal audit function plays a key role in this regard and should report directly to the board on these matters on a routine basis.

Exercises

5. Which of the following are possible sources of credit risk?

a. Investment counterparties

b. Suppliers

c. Sales intermediaries

d. Policyholders

e. Reinsurers

f. Derivative counterparties.

6. Which of the following types of credit risk are properly described?

a. Direct default. Firm will not receive the cash flows or assets to which it is entitled because a party with which the firm has a bilateral contract defaults on one or more obligations.

b. Downgrade or migration risk. Risk due to market perception of increased risk.

c. Indirect credit or spread risk. Risk that changes in the possibility of a future default by an obligor will adversely affect the present value of the contract with the obligor.

d. Concentration risk. Risk of increased exposure to losses due to concentration of investments in a geographic area or other economic sector.

e. Counterparty risk. Risk of changes in values of reinsurance, contingent assets, and liabilities.

7. Which of the following statements describe properly the concept of Type A and Type B credit risk as proposed by the IAA?

a. Allowance for Type A credit risk can be made only through specific asset (loan loss) provisions and through conservative valuation of the assets (for example, at market value, reflecting higher credit spreads).

b. Type B credit risk refers to future reinvested assets for which provision can be made through a margin in the policy liability discount assumption.

8. Which of the following are true statements about credit risk?

a. Credit quality of an investment or an enterprise refers to the probability that the issuer will meet all contractual obligations. One of the common measurements used in assessing credit quality is the rating assigned to the issuer.

b. The length of the term to maturity of an investment is inversely proportional to the potential for credit risk.

c. Credit risk is not usually subject to a large degree of contagion.

d. The size of loss due to a credit event is fairly predictable by asset class and includes loss of some or all of the return on an investment and loss of some or all of the inherent principal.

e. The assessment and management of distressed assets requires specialized skills.

D. Market risk

Defining market risk

The following definition of market risk for insurers has been proposed by the IAA (2004, 131):

Market risks relate to the volatility of the market values of assets and liabilities due to future changes of asset prices(/yields/returns). In this respect, the following should be taken into account:2

• Market risk applies to all assets and liabilities.

• Market risk must recognize the profit sharing linkages between the asset cash flows and the liability cash flows (e.g., liability cash flows are based on asset performance).

• Market risk includes the effect of changed policyholder behavior on the liability cash flows due to changes in market yields and conditions.

The IAIS definition of market risk captures these concepts in a briefer definition: “The risk to an institution’s financial condition resulting from adverse movements in the level or volatility of the market prices of interest rate instruments, equity-type instruments, currencies, or property.”

A useful reference for this section is the IAIS Guidance Note on Investment Risk Management (2004).

An insurer’s investment policies (and specifically its market risk policies) are designed to ensure that the insurer holds sufficient assets of appropriate nature, term, and liquidity to enable it to meet its obligations as they become due. The timing and amount of insurance benefit payments is usually uncertain and in some cases sensitive to changes in financial markets (policyholder behavior can be related to expectations in financial markets, relative investment performance, and quality of customer service). Furthermore, the business of insurance usually involves a mismatch, in timing or amount, between the receipt of premium income and the payment of expenses and policy benefits.

The management of market risk focuses on the economic value of the insurer’s net asset and liability market risks. Such a long-term focus may be better aligned with the long-term best interests of the policyholders, shareholders, and other stakeholders than with other short-term measures (such as accounting). Economic value is consistent with the horizon of the liability or surplus, which tends to be long-term by nature.

2. This also includes the situation in which policy benefits, such as pensions within life insurance, are indexed to adjust for price or wage inflation (either unconditionally or conditionally, depending on the available capital). In that case there is inflation risk. Note: Inflation risks related to health and non-life insurance benefits or future internal expenses are ignored here, since they are considered special types of trend risks and operational risks, respectively.

Insurers that focus on economic value are viewed by many as performing better than other insurers.

The market risks of assets and liabilities of insurers (especially life insurers) need to be considered together because of the need to manage the relationship between asset and liability cash flows to achieve financial objectives. The overall level of market risk associated with a given financial objective can be reduced through diversification by combining exposures that are less than 100% positively correlated. Risks are diversifiable through aggregation up to the point where only systematic risk remains. For example, the return volatility of a portfolio of assets caused by changes to the level of prevailing interest rates is diversifiable through investment in different asset classes, such as stocks versus fixed-income securities. However, the residual systematic risk cannot be diversified through simple aggregation, although it can be reduced through hedging.

A related risk is liquidity risk, the risk that various events will require the insurer to attempt to liquidate various asset holdings prematurely on short notice and under unfavorable terms. A trigger for liquidity risk could be market risk, but other operational and policyholder behavior risk factors could also be the trigger.

In addition to the volatility of market risk affecting the net market value of the insurer’s assets, market risk may also affect the liabilities (and net surplus position) as follows:

• Changing asset yields will affect the market value of the liabilities through their effect on the rate(s) used to explicitly or implicitly discount the liability cash flows.

• Changing asset returns (yields) may affect the amount and/or timing of future liability cash flows. Policyholders may be entitled to some form of profit sharing related to actual and/or historical asset returns. In this respect, the different types of “interest” profit sharing within the global insurance market might be categorized into the following three groups:

– Profit sharing that is fully based on objective indicators of the performance of the capital market, e.g., an indicator of the actual interest rate level that is calculated and published periodically by a government agency or a stock market index. The company may or may not actually be holding these asset-referenced benchmarks to back the liabilities.

– Profit sharing that is somehow related to the actual performance of the company (“performance linked”), particularly with respect to the company’s investments. Note: This type includes the systems where the management is entitled to “declare the bonus rate.”

– Profit sharing that is related to the actual performance of the assets that are “locked in” at the policyholders’ discretion, i.e., policyholders themselves are, at least partially, responsible for the way their premiums are invested. Note: The typical example of this type of profit sharing in life insurance is the profit sharing that is (implicitly) offered with unit-linked/universal life (UL) products in Europe or variable (separate account) products in the United States.

All three types of profit sharing may also include certain types of guarantees offered by the insurer, such as a bonus rate that will never be negative or a minimum level of the maturity benefit.

Changes in asset returns in the external market may affect the amount and/or timing of future liability cash flows by inducing policyholders to “arbitrage” the external returns with those available in the policy by either surrendering or paying additional premiums. (Note: this policyholder behavior may not always appear rational due to differing tax implications and liquidity/risk preferences of the policyholder.) (IAA 2004, 130)

Market risk management framework

This section applies the lessons learned about the general risk management framework to market risk. Sound corporate governance practices are presumed to be in place.

Set objectives

Financial objectives and risk tolerances for market risk are generally determined by senior management of an insurer and are reviewed from time to time.

An insurer might define its risk appetite in terms of

• Asset liability management policies for the assets supporting its policy obligations (for example, insurance product assets and liabilities should be duration matched; annuity product assets and liabilities should be cash flow matched)

• Market risk policies for assets supporting the capital or surplus of the insurer (for example, limitations on the portion of surplus assets that can be invested in equity)

• An appropriate limit structure to control its market risk exposure

• Allowable methods that can be used to hedge market risk.

Market risk limits should be reviewed periodically to verify their suitability for current market conditions and the insurer’s overall risk tolerance. An insurer should use a model or some form of analytical tool to assess risk in complex instruments or across portfolios.

Various levels within the insurer will be involved in setting the market risk appetite and tolerances:

• Board (for example, for overall risk appetite and tolerances)

• CIO

• ALM committee, perhaps consisting of insurer’s senior investment staff, CFO, CRO, actuary, business unit representatives, etc. (for example, to monitor market risk experience across business units and to develop related policies and practices across business units)

• ALM managers (for example, day to day operational management of market risk).

Identify risks

The sources of market risk for the insurer’s assets and liabilities need to be identified. The component pieces of each source of market risk as well as their underlying causes need to be examined. The correlation of various risks to each other and to external factors should also be identified.

The principal sources of market risk are:

• Interest rate risk. Risk of exposure to losses resulting from fluctuations in interest rates.

• Equity and property risk. Risk of exposure to losses resulting from fluctuation of market values of equities and other assets.

• Currency risk. Risk that relative changes in currency values decrease values of foreign assets or increase the value of obligations denominated in foreign currencies.

• Basis risk. Risk that yields on instruments of varying credit quality, liquidity, and maturity do not move together, thus exposing the company to market value variation that is independent of liability values.

• Reinvestment risk. Risk that the returns on funds to be reinvested will fall below anticipated levels.

• Concentration risk. Risk of increased exposure to losses due to concentration of investments in a geographical area or other economic sector.

• Asset/liability mismatch risk. To the extent that the timing or amount of the cash flows from the assets supporting the liabilities and the liability cash flows are different (or can drift apart) the insurer is subject to asset/liability mismatch risk.

• Off-balance sheet risk. Risk of changes in values of contingent assets and liabilities, such as swaps that are not otherwise reflected in the balance sheet.

In general, life and health insurers purchase assets to match their liabilities. Historically this has not been true for non-life insurers, which tend to manage separately the results from underwriting and investments. Although all an insurer’s assets are often available to hedge against adversity (though, in some jurisdictions, there may be restrictions on an insurer’s ability to use them for this purpose), it is common risk management practice for insurers to implicitly or explicitly allocate their assets for one of the following purposes:

• Support insurance contract liabilities

• Represent economic capital

• Represent free surplus.

Sizeable portions of an insurer’s liabilities can have durations comparable to readily available high-quality liquid assets in the local market. In these situations it is possible to select assets whose cash flows can provide a very close match to the liability cash flows. In other words, a replicating portfolio of assets is available in the market. In this situation, market risk focuses on the volatility of the market value of the actual assets held and the market value of the replicating portfolio of assets, and the ability of the insurer to manage that volatility. This type of market risk will be called Type A risk. It also includes the effect of volatility on an insurer’s stand-alone surplus or economic capital assets. (IAA 2004, 131)

In principle, the replicating portfolio generates cash flows that replicate (coincide with) the liability cash flows in each future year. Therefore, the replicating portfolio provides a perfect hedge against liability risks. This is a theoretical concept, since liability cash flows are subject to several types of risks (for example, mortality risks) that cannot be hedged by financial instruments. Consequently, the replicating portfolio should provide a full hedge against the financial risks that may affect future liability cash flows before the replicating portfolio horizon.

The long-term duration of some insurance liabilities (especially life insurance) requires the consideration of long-term rates of reinvestment. Replicating portfolio assets of sufficient duration may not be currently offered in the market. Measuring market risk for these liabilities entails considerable uncertainty about the composition of the replicating portfolio and the manner of its reinvestment to mature the underlying cash flows.

Lowered rates of reinvestment in the future are typically of concern. In addition, life insurance contracts may contain various complex, long-term options or guarantees for which replicating market positions may not currently exist (for example, death and maturity guarantees on variable annuity products). These two types of market risk will be called Type B risk.

The assets and liabilities of an insurer are subject to Type A and possibly Type B risk. Shorter-term insurance contracts without complex-to-value embedded options or guarantees are subject to Type A risk. Long-term insurance contracts and those containing complex embedded options or guarantees may be subject to both Type A and Type B market risk. (IAA 2004, 132)

Risk assessment

When the market risk of liabilities is compared with the market risk of the assets used to support them, the net market risk for these liabilities can be measured. This net asset/liability mismatch is generally subject to specific ALM policies and procedures of the insurer.

Market risk exposure is quantified relative to changes in its component pieces, as a maximum loss for a given confidence interval, or by the distribution of outcomes for a given set of scenarios for the component piece over time. Regular measurement and monitoring of the risk exposure is required.

The purpose of ALM is not necessarily to eliminate or even minimize risk. The level of risk varies with the return requirement and financial objectives of the insurer.

Type A market risk is said to be “diversifiable to the extent that another manager could immediately eliminate the mismatch risk by rebalancing the portfolio” (IAA 2004, 132). Type B market risk is due to “cash flows that extend beyond the term of currently available replicating portfolio assets” since they require “consideration of [future] reinvestment decisions and reinvestment rates” (IAA 2004, 132).

To a certain extent, market risk for these liabilities involves systematic (undiversifiable) risk because of the limited availability of (parts of) the replicating asset portfolio or, at least, uncertainty about its composition. In theory, these risks must always be assessed for the full remaining term of the liabilities. The best-fitting replicating portfolio assets must be reinvested in accordance with the insurer’s policies and practices on investments so as to provide for lengthy future cash flows. The requirement of a full-term time horizon is considered necessary due to the considerable uncertainties involved in providing for future cash flows beyond the term of currently available replicating portfolio assets….

Market risk should include provision for both specific risk (perhaps as implied by the credit spread inherent in the yield of securities offered by the issuer) and general market risk (for example, general sensitivity to future rates of return). (IAA 2004, 133)

Market risk can be assessed by sophisticated insurers by “modeling cash flows over a broad range of economic scenarios, using stochastic modeling for the time horizon specified and the confidence level desired” (IAA 2004, 133). A reasonable time horizon for this modeling is considered to be one year at a high (99% CTE [conditional tail expectations]) confidence level (IAA 2004, 133).

In situations where a sophisticated insurer has a block of insurance contracts that exhibit only Type A market risk, “the insurer may choose to conduct integrated modeling of the projected future cash flows resulting from the insurance contracts and their matching assets. Such modeling must reflect the actual asset allocation, reinvestment policies, and practices of the insurer for that business. At the end of the one-year time horizon, the reinvested matching assets must be sufficient to mature the remaining liabilities with a prudent level of confidence (for example, 75% CTE)” (IAA 2004, 133).

For less sophisticated insurers, various simplifications of this assessment can be quite useful. At a minimum, insurers should be able to demonstrate their ability to accurately project option-adjusted asset and liability cash flows each month for several years (and at least annually thereafter). They should also be able to demonstrate their ability to model the reinvestment of the net cash flows in accordance with the insurer’s practices under a wide variety of investment scenarios. Type A market risk could be assessed by comparing the results of the worst reinvestment scenario (the scenario judged to represent with a high degree of confidence the worst result) with the result produced by the current investment scenario.

The appropriate time horizon for measuring Type B market risk is the entire duration of the (longer and containing complex options) liability cash flows. The general market risk component can best be measured at an advanced level by modeling the insurer’s actual reinvestment policies and practices. Separate provision needs to be made for the specific risk inherent in the asset and liability cash flows. Specific risk results from an adverse movement in the price of an individual security owing to factors related to the individual issuer.

Risk assessment—economic scenarios

The proper development of economic scenarios is key to the successful management of market risk. Scenarios described as risk neutral are used in the pricing of actively traded financial instruments. The probability-weighted average result of using risk-neutral scenarios is designed to reproduce the observed market price for the financial instrument in the marketplace. Where there is no actively traded market, real-world scenarios represent the view of likely scenarios in the future. Real-world scenarios are used to estimate the value of financial instruments that are not actively traded in the market. According to the IAA,

In developing appropriate economic scenarios, the following desirable characteristics of the constructed scenarios are noteworthy:


Interest rates

• Nominal yields must remain positive and not increase indefinitely
• Are subject to mean reversion but the reversion target is not constant
• Rate volatility decreases with maturity
• Higher volatility occurs with higher rates
• High correlation between maturities
• Distinctive yield curve shapes.

Equity returns

• Negative skewness
• Fat tails over short periods
• Volatility clustering
• Exogenous shocks
• Markov property; only the current state is important
• Market correlations increase under extreme conditions
• Price appreciation versus dividend income.

Inflation

• Non-persistence of extremely high or low (negative) inflation
• Realized may equal expected plus exogenous shock
• Mean reversion but target does not appear to be constant
• Volatility clustering
• Various forms of inflation
• Relationship to other economic factors. (IAA 2004, 136)

Plan strategies

ALM strategies comprise both pure risk mitigation (eliminating the net market risk) and optimization of the risk/reward tradeoff (maintaining a specific market risk position to reap a current financial reward).

Risks can be mitigated by modifying existing risks simply through rebalancing the asset or liability portfolio (for example, by trading some assets for others that represent a better match) or through a variety of financial engineering techniques such as swaps (for example, agreement to exchange a set of fixed cash flows for a variable set) or hedges (for example, the use of a combination of cash instruments and futures contracts).

For a given risk tolerance level, a given set of investment opportunities, and a given set of constraints, optimization ensures that the portfolio has the most desirable risk/reward tradeoff. Optimization presupposes that the management team has been educated on the risk/reward profile of the business and understands the need to take action based on ALM analysis.

Sophisticated ALM strategies (such as hedging) require insurers to retain appropriate expertise to manage the insurer’s ALM position within the insurer’s risk appetite. The example of Barings Bank has reinforced the importance of appropriate controls for this type of activity.

The need for sophistication in the ALM strategy varies considerably with the type of insurance product being sold. For example, non-life insurance products may be designed and sold without an underlying expectation of an investment return from any supporting assets. In this situation, the level of ALM sophistication needed is fairly basic and many possible types of investments may be suitable. For variable universal life insurance, the policyholder may well have clear expectations of the type of investment performance. In this circumstance the ALM strategy will require greater sophistication.

Monitor risks

The daily volatility in the financial markets makes it very important that an insurer monitors its market risk position with similar frequency. This will be especially true for products where the investment performance is important to the policyholder and also where the profitability is largely due to the investment performance of the underlying assets.

A full treatise on monitoring market risk is beyond the scope of this module. But some common techniques for monitoring market risk are

• Cash flow matching (comparing the net asset-liability cash flows month by month)

• Duration matching (time- and interest-weighted present value of the asset and liability durations)

• Option-adjusted duration matching (same as above except for the allowance of optionality in the assets and liabilities).

As noted earlier, the monitoring and management of market risk for Type A risks is relatively straightforward. However, because of the absence of replicating portfolio investments of sufficient duration, Type B risks are more difficult to match.

All identified risk exposures must be monitored and reported to senior management on a regular basis. If a risk exposure exceeds its approved limit, corrective actions must be taken to reduce it. As the dynamic environment in which the insurer operates changes, the insurer’s risk tolerances and financial objectives may also need to change. Consequently, the insurer’s ALM strategies may no longer be appropriate and may need to be revised.


If liquidity risk is included in the category of market risk, the insurer should periodically monitor the assets that it can liquify immediately, within six months, within one year, and in longer periods. In a similar fashion, the insurer should estimate its obligations in an emergency “run on the bank” scenario to determine its net liquidity needs and position.

Control activities

In general, the control activities needed for market risk are similar to those needed for other key insurer risks (as described for underwriting risk). Following are specific differences.

• Organization structure. Effective credit risk management requires the presence of an enabling corporate structure. This typically entails overall board responsibility for ERM, a CRO reporting to the CEO or CFO, etc. Leading life insurers also maintain ALM committees at the executive and business unit levels to develop, maintain, and monitor market risk policies, limits, and approvals. Market risk is one of the risks discussed within an ALCO.

• Objectives. The insurer’s board should establish overall risk appetite and risk tolerance objectives for the insurer’s market risk. While the insurer may have an overall target range for the size of its market risk, the most useful objectives are expressed on the basis of line of business. For example, non-interest-sensitive lines may have an overall duration match target, while interest-sensitive lines may maintain a much closer match of assets and liabilities. The detailed list of market risk measures to be used by the insurer to track its progress should also require board approval.

• Approvals. The insurer should establish appropriate approval levels throughout the steps of the ALM matching process. Those entrusted with approval authority must have appropriate experience and training so they can fully appreciate the possible consequences of their decisions (that is, the financial and organizational impacts on their own areas as well as on the entire company).

• Limits. The insurer should be expected to establish appropriate limits on the risk decisions its managers make to control its exposure to market risk. Typical of these limits might be restrictions on the size of any mismatch position as well as the amount of various hedges, swaps, etc. that could be used without executive-level review and approval. The ability of all key processes to operate within agreed limits and authorities must be monitored and exceptions examined for their cause and significance.

• Training and communication. The insurer should have regular programs for providing relevant training of staff and ensuring that all market risk management staff members have an appropriate level of awareness of the market risk management policies and practices relevant to their business. Specifically, the insurer should not embark on a sophisticated ALM matching strategy for which it does not have relevant expertise. Liability product managers should have appropriate training in and experience with the risks entailed in any ALM strategy used to support their products.

• Audit and review. All key market risk processes (especially the ALM matching model) of the insurer must be subject to periodic independent review by appropriate experts. An insurer’s internal audit function plays a key role in this regard and should report directly to the board on these matters on a routine basis.

Exercises

9. Which of the following are correct statements about market risk?

a. The management of market risk focuses on the embedded value of an insurer’s net asset/liability market risks.

b. An insurer’s market risk policies are designed to ensure that the insurer holds sufficient assets of appropriate nature, term, and liquidity to enable it to meet its obligations as they become due.

c. Market risk is the only trigger for liquidity risk.

d. Asset yields affect the market value of liabilities because of their role in discounting the liability cash flows.

e. Changing asset returns can also affect the timing and amount of some liability cash flows.

10. Which of the following statements better describes the distinction between Type A and Type B market risks by the IAA?

a. Type B market risk is due to assets that are not needed to support the liabilities, while Type A market risk is due to the net market position of the liabilities and the assets used to support them.

b. Type B market risk is due to cash flows that extend beyond the term of currently available replicating portfolio assets while Type A risk represents all other market risk.

11. Which of the following statements about market risk are true?

a. The purpose of ALM is to eliminate or even minimize risk.

b. The IAA-defined Type A market risk is said to be diversifiable.

c. To a certain extent, Type B market risk involves systematic (undiversifiable) risk because of the limited availability of (parts of) the replicating asset portfolio.

d. Both Type A and B market risk need to be measured over the full term of the remaining liabilities.

e. Real-world investment scenarios are better suited to model Type B market risk than are risk-neutral scenarios.


12. Which of the following statements correctly describe commonly used market risk monitoring techniques?

a. Cash flow matching (comparing the net asset-liability cash flows on an aggregate basis)

b. Duration matching (time- and interest-weighted present value of the asset and liability cash flows)

c. Option-adjusted duration matching (same as for duration matching except for the allowance of optionality in the assets and liabilities)


E. Operational risk

Defining operational risk

Though operational risk exists in all enterprises, including insurance companies, awareness of its importance in the insurance sector and efforts to manage it are relatively new developments. Leading insurance supervisory authorities and insurers have begun to encourage and build operational risk management frameworks. Although leading global banks have spent the past few years preparing for the Basel II operational risk capital requirements, much remains to be done by them to gather sufficient data and develop industrywide best practices for a complete operational risk management framework.

Operational risk has been an important topic in the banking sector in recent years because of the introduction of an operational risk capital requirement for banks by the Basel Committee on Banking Supervision (BCBS). The importance of this category of risk for all types of businesses, not just banks, has been highlighted repeatedly in the 1990s through various corporate scandals. The insurance sector has not been immune to scandals and failures. In 2002 the European insurance supervisors (CEIOPS) produced a report, Prudential Supervision of Insurance Undertakings (2002), which reviewed the causes of insurer failures (and near failures) in Europe. An important finding of this report was that a full review of the causal chain of events was needed to understand the root causes of failure.

Analysis showed that these causal chains began in each case with underlying internal causes, being problems with management or shareholders or other external controllers; these problems included incompetence or operating outside their area of expertise, lack of integrity or conflicting objectives, or weakness in the face of inappropriate group decisions.

By way of example, in his report on the demise of HIH (2003, 17), the Honorable Justice Owen stated,

It seems there was no appreciation of the risks associated with expanding the lines of business written by the UK operations beyond the expertise of the underwriters. The situation was exacerbated by the lack of a reporting structure that would allow others in the organization to know what business was being written and the risks being assumed. Further, once problems emerged, there was no process for redressing them and stemming the consequent losses. Poor-quality management information and inadequate accounting systems impaired the Australian management’s ability to monitor and control the UK operations effectively.


This is a different aspect of the risk-identification and -management problem because it occurs at the operational level, rather than the governance level. It nevertheless demonstrates systemic failure.

The circumstances surrounding the demise of Equitable Life in the United Kingdom were investigated by Lord Penrose. In a statement given to the UK parliament on March 8, 2004, Ruth Kelly, Financial Secretary to the Treasury, quoted from the Penrose report (HM Treasury 2004) that Equitable’s CEO (who served as the Appointed Actuary at the same time—a situation now widely considered to create a conflict of interest) failed to adequately inform Equitable’s board:

• Of management decisions in the period 1983–93 related to the recovery of the cost of annuity guarantees from terminal bonus

• Of the risks to which policyholders not entitled to annuity guarantees were exposed by the policies and practices adopted

• About the business risks inherent in the general actuarial management of the society.

Insurers have historically paid attention primarily to the direct risks they assume in the course of their business, namely underwriting, credit, and market risk. But now there is growing recognition among insurance supervisors and insurers alike of the risks inherent in the operation of a business (operational risk). The IAIS Glossary defines operational risk as “the risk arising from failure of systems, internal procedures and controls leading to financial loss. Operational risk also includes custody risk.”

It is useful to note that the definition used in the banking sector is similar but contains some differences. As initially developed by the British Bankers’ Association (generally adopted within the banking sector, including by the BCBS) for capital purposes operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people, systems or from external events.”

As this definition points out, inadequate (not just failed) processes, people, and systems can be a source of loss (and insolvency). Insurers and their supervisors should therefore proactively and comprehensively address weaknesses that may create operational risk.

Operational risk management framework

This section applies the lessons learned about the general risk management framework to operational risk. The importance of sound corporate governance practices has been mentioned earlier. In considering an appropriate set of supervisory requirements for an operational risk management framework, Prudential Standard GPS 220: Risk Management (APRA 2006b) is a useful reference.


Set objectives

Owing to the infancy of operational risk management frameworks in insurers, the board-level objectives for operational risk tend to be more developmental and less specific than the objectives for other major classes of risk such as underwriting, credit, or market risk.

Objectives for leading insurers at the board level are likely to focus on

• Reducing the probability of large operational risk events
• Reducing the level of expected (average) operational risk losses
• Improving the productivity of internal processes
• Improving the awareness and identification of operational risks.

Other objectives, especially for those insurers implementing an operational risk management framework for the first time, might include

• Institutionalizing operational risk throughout the insurer
• Identifying the sources of operational risk in all its internal processes
• Developing an operational risk event database
• Developing appropriate risk indicators and measures
• Developing operational risk strategies and controls.

Risk identification

Identifying the sources of operational risk, unlike other major categories of risk, is a new science. Only recently has some degree of standardization occurred in the banking sector with respect to the definition of lines of business (retail banking, commercial banking, asset management, retail brokerage, etc.) and the categories of loss event (internal fraud, external fraud, business disruption and system failure, etc.). The BCBS, leading banks, and various commercial risk management specialty firms are beginning to gather data and to interpret the results.

The insurance industry is at an earlier stage than the banking sector. There is little consensus on the best way for insurers to identify these risks; however, some early investigation suggests that operational risk will include some different loss events for insurers than for banks. For example, based on several substantial class-action lawsuits launched against life insurers in several countries, it appears that misrepresenting key features or projected performance of an insurance policy to the policyholder can be an important source of operational risk. The complex features of some insurance policies, the long-term nature of the policies, and the unique customer relationship with the insurance intermediary can combine to create a source of operational risk not experienced to the same extent by the banks (except where banks have assumed the intermediation role for insurance products). Conversely, there may be categories of operational risk for banks that do not apply to the same degree in an insurer (such as borrower fraud).

The identification of insurer operational risk involves considering all the key functional areas of the insurer from each of the following perspectives:

• Human capital risk (for example, employing people with the appropriate skills and experience)

• Management control risk (for example, including appropriate sets of controls in internal processes and using and communicating those controls effectively)

• System risks (for example, ensuring that systems used in the operation of the insurer are adequate, appropriate, reliable, and scalable, and have adequate security, backups, and disaster recovery plans)

• Strategic risks (for example, addressing threats to operations from competitors)

• Legal risk (for example, complying with all laws and regulations in the jurisdictions in which the insurer operates; employing best business practices and standards of corporate governance; proactively addressing policyholder expectations).

An example of operational risk that insurers and their boards need to prepare for is the possibility of major operational disruptions. In December 2005 the Joint Forum published a consultative paper entitled “High-Level Principles for Business Continuity.” Insurance supervisors may want to review the business continuity plans of the insurers under their supervision.

One of the challenges in identifying operational risk is separating these loss events from the other major categories of risk. For example, was worsened claims experience caused by inadequate underwriting or controls at the time of issue? Should adverse withdrawal experience be attributed to underwriting risk uncertainties or to the “twisting” actions of one or more sales representatives who exerted their influence inappropriately over their clients? These are just two examples of the challenges involved in making an appropriate separation between operational risk events and those of the other major risk types. Achieving success in this area will require the insurer to instill a culture of “not shooting the messenger.” Without this culture shift, employees will naturally prefer to hide operational mistakes under the cloak of the other major risk types.

Good potential sources of data for identifying operational risks can arise from consumer complaints (or other stakeholder complaints), missed project schedules, and any task that requires rework or correction before completion.

A final challenge in identifying risk is that the most severe operational risk events occur infrequently across the industry and may never have occurred within the insurer. It is vital that insurers learn the lessons of operational risk failures within the industry and more broadly (to the extent applicable) in other businesses.


Risk assessment

As with other risks, assessment of operational risk begins with an understanding of its probability and severity. Although there is much interest in this topic, especially among the banks as they seek to implement the Advanced Measurement Approach of Basel II, the gathering of data on losses and exposures from operational risk is relatively recent.

The Risk Management Group (RMG) of the BCBS has been surveying banks’ operational risk loss data since 2001. Useful reports on the survey results include those by the RMG (2002) and by Moscadelli (2004).

The gathering of similar data in the insurance sector is still in its formative stages. Several groups are gathering publicly available information. For example, the Association of British Insurers is seeking insurer contributors to a study of operational risks.

A preliminary observation (based on RMG surveys but with likely applicability to insurers as well) is that it is difficult to gather sufficient data on the very large but very infrequent losses that contribute the most to operational risk. An institution may well succeed in identifying and studying the frequency and severity of small to medium-size operational risk events. However, the most important events, those that can threaten solvency, occur so infrequently that experience from across the industry must be included to achieve credible results. Furthermore, it can prove challenging to scale the impact of operational risk losses to those of another institution of different size.

The presence of very large but highly infrequent losses indicates a highly skewed loss distribution. Operational risk typically features a skewed distribution of losses. In this situation it is not safe to assume that the losses are normally distributed around the mean value. Such an assumption severely underestimates the institution’s exposure to catastrophic loss. Extreme value theory can be helpful in selecting statistical measures that effectively capture the value of risk in the tail of the distribution, the area of most concern for solvency.

Although difficulties remain in gathering sufficient statistically credible data on operational risk loss events (especially the larger, more infrequent events), leading insurers are developing an understanding of their exposure to operational risk. Starting with the identification of sources of operational risk, insurers are beginning to develop relevant exposures to those sources. For example, the new business premium volume might be used as an exposure measure for product mis-selling risk (perhaps split by year of sale and by type of product) while payroll, training statistics, or a human resources competency assessment program might be used as the exposure measure for other human capital risks. Insurers can use a combination of actual quantitative experience (either their own or industry based) and qualitative judgment (causal analysis, scenario testing, etc.) to determine possible ranges of frequency and severity for each source of operational risk. In combination with an insurer’s exposure base, the insurer can develop an improved understanding of its most important operational risks.
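The point made above about skewed losses and about combining frequency and severity can be seen in a small simulation, added here as an illustration and not part of the original module. It compares the 99% CTE of simulated annual operational losses with the figure a normal distribution fitted to the same mean and standard deviation would give; the Poisson frequency, the lognormal severity, and every parameter value are constructed assumptions.

```python
"""Added example: a normal assumption understates operational-risk tail loss.

All parameters are constructed for illustration; none come from the module
or from any insurer's loss data.
"""
import math
import random
from statistics import NormalDist, fmean, pstdev

FREQ_MEAN = 3.0                  # assumed average number of loss events per year
SEV_MU, SEV_SIGMA = 10.0, 1.2    # assumed lognormal severity parameters
YEARS = 20_000                   # number of simulated years
ALPHA = 0.99                     # confidence level for VaR and CTE


def poisson(rng, lam):
    """Draw a Poisson count with Knuth's multiplication method (small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(years=YEARS, seed=18):
    """Total loss per simulated year: a random count of lognormal severities."""
    rng = random.Random(seed)
    return [
        sum(rng.lognormvariate(SEV_MU, SEV_SIGMA)
            for _ in range(poisson(rng, FREQ_MEAN)))
        for _ in range(years)
    ]


def var_and_cte(losses, alpha=ALPHA):
    """Empirical VaR (smallest loss in the worst tail) and CTE (tail average)."""
    ordered = sorted(losses)
    k = max(1, round((1 - alpha) * len(ordered)))  # number of tail outcomes
    tail = ordered[-k:]
    return tail[0], fmean(tail)


def normal_cte(losses, alpha=ALPHA):
    """CTE implied by a normal distribution with the sample mean and std dev."""
    mu, sd = fmean(losses), pstdev(losses)
    std = NormalDist()
    z = std.inv_cdf(alpha)
    return mu + sd * std.pdf(z) / (1 - alpha)


def skewness(losses):
    """Sample skewness; zero for a symmetric distribution."""
    mu, sd = fmean(losses), pstdev(losses)
    return fmean(((x - mu) / sd) ** 3 for x in losses)


if __name__ == "__main__":
    losses = simulate_annual_losses()
    var99, cte99 = var_and_cte(losses)
    print(f"mean annual loss     {fmean(losses):>12,.0f}")
    print(f"skewness             {skewness(losses):>12.2f}")
    print(f"empirical 99% VaR    {var99:>12,.0f}")
    print(f"empirical 99% CTE    {cte99:>12,.0f}")
    print(f"normal-fit 99% CTE   {normal_cte(losses):>12,.0f}")
```

The gap between the last two printed figures is the understatement the text warns about; it widens as the assumed severity distribution becomes more skewed.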


Plan strategies

Some examples of strategies for managing operational risk:

• Avoid—eliminate, stop, or prohibit certain types of business activity to avoid a particular source of operational risk (such as avoiding products found to confuse policyholders)

• Retain—accept and self-insure the risk exposure (perhaps by identifying, assessing, and managing the sources of operational risk)

• Reduce—mitigate or cap portions of the risk exposure (for example, by using more reliable, easy to maintain computer systems or software)

• Transfer—insure (operational risk insurance is fairly new and the definition of perils insured or the limits of coverage may not provide a full transfer of risk; in addition, the original insurer assumes new counterparty risk) or outsource (part of the administration to another company; this exposes the original insurer to counterparty risk if the outsourcing company fails to deliver satisfactory service, especially if policyholders are directly affected) the risk exposure

• Exploit—expand and diversify the risk exposure (for example, an insurer with a proven record of operational excellence may wish to assume more of this type of activity as a strategic initiative).

In managing their operations, leading insurers focus on optimizing the value they provide to policyholders at each stage in their operations. This entails measuring and monitoring the service (and its associated costs) provided at each step. In developing appropriate operational risk management strategies, the insurer must ensure that:

• Each step in the service process is clearly defined, documented, communicated to, and understood by the staff responsible for its completion.

• Staff with appropriate experience, training, and education for the service step have been retained and receive appropriate ongoing training.

• Target service levels are in place as well as appropriate limits, controls, and authorities for action.

• The consequences of service activity outside of the preset limits are well understood and plans are in place for dealing with these events.

• All staff have an appreciation and sense of ownership for the entire service process and the importance of satisfying or exceeding the expectations of stakeholders.


Monitor risks

Operational risk is a relatively new category of risk that inherently requires the staff of an insurer to be alert to the impact of operational risks on the end-to-end processes of the insurer. Given the normal human reticence to report mistakes, the monitoring of operational risk requires a fundamental shift in thinking throughout an insurer. All staff members should be encouraged to assume ownership of operational risk processes and be actively involved in managing it.

Useful monitoring of operational risk includes:

• Risk exposure monitoring for each source of operational risk
• Risk event monitoring, to enable frequency and severity to be estimated
• Key risk indicators, to warn of changes in risk levels and effectiveness of controls
• Self-assessment, to enable business units to assess the effectiveness of their internal processes and controls.

Control activities

In general, the control activities needed for operational risk are likely to be similar to those needed for other key insurer risks (as described earlier for underwriting risk). However, even insurers who are advanced in considering operational risk are unlikely to have implemented a full range of control activities yet. Some of the more promising control activities are likely to be in the following areas.

• Organization structure. A corporate governance structure for operational risk would likely mirror that for ERM (and operate within the same structure) and would include

— Board sponsorship of the operational risk management framework

— Board ownership of operational risk policies and minimum standards

— Executive risk committee, consisting of the CEO, CFO, CRO, and major business unit heads, to make high-level risk decisions

— Risk committee, consisting of the CRO and operational risk managers from each business unit, to coordinate and develop action plans and risk processes across all businesses

— Business unit risk committee, to oversee the development of risk processes within each business unit.

• Objectives. The insurer’s board should establish overall risk appetite and risk tolerance objectives for the insurer’s operational risk, recognizing the potential impact of such events on the insurer’s reputation. While the insurer may have an overall target range for the size of its operational risk, the most useful objectives may be expressed in terms of the typical sources of operational risk (customer complaints, instances of misleading sales practices, instances of employee error, etc.).

• Training and communication. Perhaps the most important control on operational risk will be training and communication throughout the insurer on the importance of operational risk and its consequences. This will heighten awareness throughout the insurer and lead to increased reporting, identification, and problem solving for operational risk.

• Audit. There will remain a natural tendency to want to hide operational risk events within the normal operational reporting of the insurer. The internal audit function should consider how best to encourage the disclosure of operational risk events.

Exercises

13. Which of the following statements about operational risk are correct?

a. The banking definition of operational risk includes only risk of loss resulting from inadequate or failed internal processes or systems.

b. Operational risk has been found to be an important cause of insurer insolvencies.

c. A challenge in identifying operational risk is separating these loss events from the other major categories of risk.

d. The operational risk categories of loss are likely to be similar to that of the banks.

14. What are some of the challenges in dealing with the data from operational risk loss events (True/False)?

a. Loss event databases are well developed.

b. There are more data on routine, low-loss events than on low-frequency, catastrophic events.

c. It is difficult to scale the size of actual losses to the size of the insurer being assessed.

d. It is difficult to develop good exposure measures for operational risk until the sources of operational risk in insurers are better defined.

e. Two of the more important sources of insurer operational risk relate to business interruption and employee fraud.


Figure 1: Risk aggregation

1. Identify all sources of risk

2. Characterize the distributions

3. Combine distributions

4. Measure required capital

5. Calculate contributions of business lines and individual risks

Diagram labels: Insurance Risk, Credit Risk, Market Risk, Operational Risk; Correlations, Dependencies; Expected Solvency Standard; Economic Capital

F. Putting it all together

This module has discussed each major risk type prevalent in an insurer and how these risks are typically managed. However, the insurer’s board and senior management need to understand and manage all the insurer’s risks in a comprehensive manner. Unfortunately, the aggregation of all the insurer’s various risks is not as simple as adding the individual risks together. This section focuses on the concepts involved in putting the risk management framework together.

Figure 1 illustrates the process of aggregating risk in an insurer.

Two of the main elements of the risk management framework are illustrated in this diagram (risk identification and risk assessment). Also important in the aggregation of insurer risks are the concepts of risk dependency, diversification, and concentration.

Dependency

In simple terms, the many risks experienced by an insurer vary directly or indirectly based on their interaction with other risks. They are dependent on each other. For example, the eventual mortality experience of a group of life insurance policies may depend on the withdrawal experience of those same policies. While all insured lives may be underwritten to the same standard at time of issue, over time, policyholders’ health changes. If the withdrawal pattern of the policyholders varies based on their emerging health (through self-selection, in which those policyholders who develop health problems are more likely to retain their policies than those without health problems), then the emerging mortality experience will differ (be worse) from that of a cohort of lives in which this self-selection did not occur. In another example, the manner in which premium rate increases for automobile insurance are allocated across different operator rating classes may affect future policyholder persistence and product profitability.

In its 2004 report the IAA discussed the issue of risk dependence in the context of capital requirements as follows:

The risks an insurer faces often exhibit co-movement or dependencies. This means that knowledge about results for one risk can be used to better predict the results of another risk. Dependence between two risks may be because there are known relationships between these two risks or simply because certain correlations or other relationships have been observed historically. Dependence can increase or decrease the capital required to support the combined two lines. If losses for one risk tend to increase as the losses for the other increases, there is a positive correlation, usually resulting in more capital required than if the two risks are mutually independent. Similarly, if one tends to increase as the other decreases, the two risks form natural hedges and usually require less capital. If an insurer builds an internal model, it needs to reflect the nature of all significant dependencies. Similarly, with factor-based models, the formula used to combine risks needs to reflect all significant dependencies. (IAA 2004, 75)

Therefore, risk dependencies must be recognized to the extent possible when assessing, modeling, and aggregating risks.

Concentration

The 2004 IAA report defines risk concentration as “the risk of having higher-than-normal relative risk exposure in a single risk” (IAA 2004, 75). The Chief Risk Officer Forum, in its recently published study entitled “A Framework for Incorporating Diversification in the Solvency Assessment of Insurers,” stated “Concentration of risk is bad for the insurance industry and consumers. It is the main contributor to insurer impairments, especially in times of major stress” (2005, 4). The concentration of risk can occur within a risk type as well as within the businesses of an insurer. For example, risk concentration can arise with respect to credit risk if too high a proportion of the assets of an insurer are invested in one asset class, individual credit, industry, or geographic area. Risk concentration can also arise if the insurer assumes underwriting risks from only one product type and does not have other sources of income to compensate in the event of weakened performance by that product type.


Diversification

Risk diversification is the opposite of risk concentration. According to the IAA, “Diversification reduces risk to the extent that less total relative capital is required when combining two risks” (2004, 75). The Chief Risk Officer Forum report states, “Diversifying strategies are the basis of sound risk management and can be used to counter concentrations of risk, particularly in times of stress” (2005, 4). However, risk diversification requires deliberate risk management by the insurer. According to the Forum,

Strong management practices are essential for creating well-diversified portfolios. Measurement is necessary but not sufficient alone for realizing the benefits of diversification. Appropriate practices, organizational structures and internal controls are also required. Many of these practices are already implemented at leading insurers. (2005, 4)

Further, the Forum recommends that

Diversification effects must be recognized when risk factors, their dependencies, and the company’s exposure to them are:

• Identifiable

• Supported by empirical evidence, scientific research, or expert opinion of causal linkages

• An active consideration in business decisionmaking

• And where capital/risk mobility does not impose barriers to the diversification effects being realizable. (2005, 5)

Evidence to date indicates that substantial diversification benefits can arise within a major risk category (such as credit risk) by combining the risks from many assets. Additional benefits can be gained by combining risks across lines of business within an insurer. This evidence seems to indicate that the diversification benefits resulting from combining the operations of different legal entities (say, a fund management firm and an insurer) can be expected to be more modest.

Modeling

An insurer’s assessment of all its risks generally requires the use of various types of models. The complexity of these models will vary with each insurer, depending on their need, size, and the complexity of the risks they face. Very important in developing models are data quality, model design, parameter selection, and scenario selection.


Modeling insurer risks and aggregating those risks requires specialized expertise. For credit risks, this usually requires an investment professional. For underwriting risks, this usually requires an actuary. For market risks, collaboration between the investment professionals and the actuary is usually needed. While it is appropriate for the complexity of the modeling to vary by size of insurer, certain complex risks (such as embedded options with significant tail risk to the insurer) require high-caliber expertise for their management, regardless of the size of the insurer.

An insurance supervisor should

• Confirm that the insurer has retained a suitable caliber of expertise to model its risks

• Retain a suitable caliber of expertise on its own staff (or retain consultants) to be able to review the insurer models

• Ensure that the insurer’s models have been reviewed by independent experts

• Ensure that the models have been calibrated against relevant market and common sense statistics

• Ensure that the models are comparable (for similar risks and scenarios) across insurers.

It is vital that the use of models be embedded in the risk management and operations of the insurer.

Internal model standards have existed for some time for banks thanks to the Basel Capital Accord, but their development in the insurance sector is just beginning. Two relevant examples include the standards established by APRA for non-life insurance capital model requirements (2002) and by the Office of the Superintendent of Financial Institutions Canada (OSFI) for life insurance segregated fund capital model requirements (2002).

Although the use of internal models for risk management should be expected for the more sophisticated insurers, these insurers tend to focus on their most material risks. Even the largest insurers may opt for simpler models or standardized approaches to managing other, less material risks that they face. Smaller insurers may not be able to devote sufficient resources to building sophisticated internal models but they should be expected to have appropriate standardized models for their most significant risks.

It is important to note that it is not yet possible to model all aspects of an insurer’s risks in an integrated manner using quantitative techniques. Inevitably there are certain risks or aspects of risks that can be addressed only (or best) by using qualitative rather than quantitative techniques. Operational risk might be one example.


Scenario testing

Risk management decisionmaking is enhanced through the use of scenarios. Scenarios enable insurers to examine the effects of a course of action on their risks if a range of assumptions hold or events occur. They also help management determine the best course of action to follow in managing the insurer’s risks. Scenarios can be used to provide information on the impact of instantaneous shocks to specific assumptions or variables. They can also be used to answer “what if” questions. Stochastic modeling is used when the underlying processes driving an insurer’s risk(s) are well understood and the range of possible scenario results can be calibrated to actual insurer or industry results. Scenarios can also be effectively used to demonstrate the impact of a given course of action over a specific time frame. In some jurisdictions insurers are required to project their future financial condition under various adverse scenarios selected by the insurer. For example, in Canada, where such reports are required by OSFI, such confidential reports provide an insurer’s senior management and board with much useful risk management information.

Adequacy of capital

Should the risks faced by the insurer be more onerous than provided for in its product pricing and in its provisioning for these risks in its balance sheet, access to various forms of capital protects the insurer’s ability to meet its obligations to policyholders. Risk modeling and scenario testing can provide valuable information about the adequacy of an insurer’s capital in providing such protection. (See IAIS 2003c for more information.)

Capital may be present in the form of unrestricted equity provided by shareholders. It may also be present in various other partially restricted forms (such as preferred shares). Additional (“hidden”) capital may exist in various sorts of conservatism that are present in the provisions for future risk in the insurer’s financial statements (such as conservatism in the determination of the technical provisions). The IAIS is currently developing guidance on suitable forms of capital.

Advanced risk management and risk financing

In seeking to better manage their risks, reduce earnings volatility, and protect against severe losses, leading insurers use a variety of advanced risk management, risk financing, and financial engineering tools. Although reinsurance has traditionally been one of the most important strategies used to mitigate risk, particularly underwriting risk, insurers now have available several advanced mechanisms for risk management and risk financing. It is important for insurance supervisors to understand their key features.


Frequently, these advanced mechanisms are described by the phrase “alternative risk transfer” or ART. The advent of these advanced approaches has been primarily due to financial engineering by reinsurance, risk, and finance professionals.

Traditional reinsurance pricing is often based on industry experience for specific risks. Because of asymmetric information between insurer and insured (especially for larger and more sophisticated corporate policyholders), good risks may not be able to obtain traditional insurance cover at rates reflecting their perceived risk level, only at the higher (average) market rates. As a result, corporate policyholders with good risk experience, reluctant to subsidize bad risks, may turn instead to self-insurance (such as qualified self-insurance and captives) and risk financing solutions (such as finite risk solutions and contingent capital). In addition, some insurers have turned to the capital markets to find advanced risk solutions (such as derivatives and swaps). Some of these solutions (such as catastrophe bonds and securitization) have been developed because of greater capacity to absorb risk than may be available in certain reinsurance markets for certain risks (say, hurricane losses).

Although an in-depth discussion of these mechanisms is beyond the scope of this module, the following paragraphs provide a brief description of several of them.

Captives

Narrowly defined, a captive is an insurance or reinsurance company owned by a corporation or group that is not active in the insurance business. The primary business purpose of a captive is to insure the risks of its parent(s) and related companies. In recent years, a captive has been more usefully described as an insurer that writes risks whose origins or access are restricted. Captives were developed because corporations questioned the efficiency of risk transfer through the traditional commercial lines of insurance. Being incorporated as insurance companies, captives have access to the global reinsurance market. By using a captive to access the reinsurance market, the buyer can substitute the costs of the primary insurer with the lower costs of the captive. In addition, the reinsurance market may be more flexible in structuring risk transfer programs and may grant a better reward for variations in risk retention levels.

Finite risk solutions

In recent years, finite risk solutions have received considerable attention from regulators concerned that these solutions constituted risk financing more than transfers of risk. (See IAIS 2005 for an extensive discussion of this subject.) One description of finite risk is as follows:


Finite [solutions] covers shift the main value proposition from traditional risk transfer towards risk financing. Finite [solutions] covers are multi-year contracts reducing the client’s cost of capital by means of earnings smoothing. The year-to-year earnings volatility is reduced while limiting the total amount of risk transfer over the contract period. It is somewhat difficult to provide a general definition of finite reinsurance, but the products typically have the following features:

• Risk transfer and risk financing are combined and the time value of money is emphasized in the contract

• Limited assumption of risk by the (re)insurer

• Multiyear contract term

• Explicit inclusion of investment income in the contract

• Sharing of the results with the insured/cedant. (Swiss Reinsurance Company 2003)

Contingent capital

To secure a line of credit in times of severe losses, an insurer can arrange contingent capital with a bank or reinsurer. Such an agreement allows the insurer access to specified amounts of capital in the event that certain insurer balance triggers are exceeded. This arrangement is similar to a line of credit with a bank, except that it is activated only when the triggers are exceeded. The arrangement exposes the insurer to credit risk from the counterparty.

Derivatives

Derivatives are financial market instruments that derive their value from the value of other assets. The traditional financial market derivatives involve movements in interest rates (for example, an interest swap might exchange regular payments of short interest according to an index with a level return payment according to a long-term bond yield). These instruments have expanded to include insurance derivatives (for example, based on weather conditions). A complete discussion of derivatives is beyond the scope of this module. However, derivatives tend to require sophisticated knowledge of the derivatives marketplace as well as the use of sophisticated software. Even with these requirements in place, the insurer needs to have careful scrutiny and controls of the derivatives trading function on a daily basis. The failures at Barings Bank and Long-Term Capital Management are but two examples of the challenges involved in properly managing and controlling this useful risk transfer tool. (See modules ICP 22A and ICP 22B for more information on derivatives and their use by insurers.)


Securitization

Securitization of insurance risks enables insurers to transfer their insurance risk directly to investors in the capital markets. Although this risk transfer tool is still fairly new, interest in it is increasing. Primarily it has been used to transfer catastrophe risk (such as hurricane risk) to investors in the capital market. The interest in this vehicle stems from insurers who have found that normal reinsurance capacity to cover catastrophe risks is limited, while the potential capacity of the capital markets to absorb such risks is much greater. Investors are attracted for the diversification benefits offered by a catastrophe bond, because it offers returns that are not correlated with financial market risks. (See IAIS 2003a, 2003b for more information.)

Audit, controls, and peer review

ICP 10 states, “The supervisory authority requires insurers to have in place internal controls that are adequate for the nature and scale of the business. The oversight and reporting systems allow the board and management to monitor and control the operations.”

Specifically, in regard to risk management, the explanatory notes to ICP 10 state, “A system of internal control is critical to effective risk management and a foundation for the safe and sound operation of an insurer.”

The effective operation of a strong internal audit department is a vital element in this system of internal controls. Essential criterion j of ICP 10 defines the internal audit department’s duties as follows:

The supervisory authority requires that an internal audit function:

• Has unfettered access to all the insurer’s business lines and support departments

• Assesses outsourced functions

• Has appropriate independence, including reporting lines to the board of directors

• Has status within the insurer to ensure that senior management reacts to and acts upon its recommendations

• Has sufficient resources and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing

• Employs a methodology that identifies the key risks run by the institution and allocates its resources accordingly.

As noted earlier, the complexity involved in modeling an insurer’s risks necessitates that the models be reviewed periodically by independent experts, to ensure that they continue to operate effectively and reliably. One way to carry out this independent checking is through peer review. In conjunction with their insurance supervisors (for example, in Canada), some actuarial associations have implemented required actuarial peer review, paid for by the insurer, to ensure that the modeling performed in calculating the technical provisions and conducting the required stress testing is formally reviewed periodically.

Allocation to business units

The aggregation of risks across an insurer does not simply represent the sum of the individual risks but involves (among other factors) the diversification and concentration of risks. So the allocation of an insurer’s total risk capital (or any risk-related decision) back to each line of business must be done with care, to ensure that the managers are given appropriate incentive to act in the insurer’s overall best interest.

In general, this requires that management decisions within the line of business be made on a risk-adjusted basis, with allowance for the difference between total company risk and risk at the level of that line of business.

Group-level issues

Management of risk across a group of companies, or even within a global insurer that operates in several countries, requires the risk manager to recognize potential difficulties in dealing with risk-related issues across jurisdictions or legal entities (local laws, regulations, provisioning practices, etc.) that may make the transfer of capital across jurisdictions difficult.


Exercises

15. The most significant diversification benefits from aggregating individual risks within an insurer, in decreasing rank order, are (a) aggregation among similar risks (for example, within credit risk), (b) aggregation across risk types (for example, across market, credit, and underwriting risk), and (c) aggregation across financial entities in a group (for example, across an insurer and a bank within a commonly owned group). True or false?

16. Which of the following statements are correct about the role of the insurance supervisor when using insurers’ internal models?

a. Confirm that the insurer has retained a suitable caliber of expertise to model its risks

b. Retain a suitable caliber of expertise on the supervisory authority’s staff (or retain consultants) to be able to review the insurers’ models

c. Ensure that the insurers’ models have been reviewed by independent experts

d. Ensure that the models have been calibrated against relevant market and common sense statistics

e. Ensure that the models are comparable (for similar risks and scenarios) across insurers

f. Confirm that the use of the models is embedded in the regulatory capital requirement area of the insurer.

17. Risk financing tools include finite risk solutions, contingent capital, derivatives, and swaps, but not securitization. True or false?

18. The allocation of aggregate results back to each business unit is a complex task because overall aggregate insurer results can be noticeably different from the sum of individual risks. True or false?

19. Insurance supervisors need to carefully consider group-level effects of combining the results from several legal entities across jurisdictions or types of financial institution. True or false?


G. Summary and Conclusions

This module has discussed the major risk types prevalent in an insurer (underwriting, credit, market, and operational) and the ways in which these risks are typically managed. As stated in ICP 18, Risk Assessment and Management, “The supervisory authority requires insurers to recognize the range of risks that they face and to assess and manage them effectively.” This module also dealt with the main considerations involved in putting together a risk management framework.

It is likely that large insurers will implement ERM so they can manage their businesses better and provide value to all their stakeholders. Smaller insurers may be wary of the costs to implement ERM, but if they focus on its fundamentals they can derive considerable benefit at reasonable cost.

As insurers place greater emphasis on managing their risks using ERM, dialogue between insurers and insurance supervisors will focus on key risks and the strategies for managing them. This dialogue will have repercussions for how insurers are supervised and for the education, training, and experience expected of supervisory staff.

Although insurers will find considerable value in the development of quantitative approaches to risk management, the benefits of qualitative approaches for some types of risk should not be underestimated.

In conclusion, it is most important that a risk management culture be established throughout an insurer. The ultimate responsibility for risk management rests with the board. Supervisors play a critical role in reviewing the entire risk management process.


H. References

APRA (Australian Prudential Regulatory Authority). 2002. Guidance Note GGN 110.2, Internal Model-Based Method. Sydney.

———. 2006a. Prudential Standard GPS 230, Reinsurance Management. Sydney.

———. 2006b. Prudential GPS 220, Risk Management. Sydney.

Basel Committee on Banking Supervision. 2002. Operational Risk Data Collection Exercise.

CAS (Casualty Actuarial Society). 2001. Foundations of Casualty Actuarial Science, Fourth Edition.

Chief Risk Officer Forum. 2005. A Framework for Incorporating Diversification in the Solvency Assessment of Insurers. Hanover.

CEIOPS (Conference of the Insurance Supervisory Services of the Member States of the European Union). 2002. Prudential Supervision of Insurance Undertakings. London.

COSO (Committee of Sponsoring Organizations of the Treadway Commission). 2004. Enterprise Risk Management—Integrated Framework. Jersey City, N.J.

HIH Royal Commission. 2003. The Failure of HIH Insurance, released by the Hon. Justice Owen as commissioner. Canberra: Commonwealth of Australia, April. Available at www.hihroyalcom.gov.au/finalreport/.

HM Treasury. 2004. Report of the Equitable Life Inquiry. HC290. London: The Stationery Office. [Known as the Penrose report].

IAA (International Actuarial Association). 2004a. A Global Framework for Insurer Solvency Assessment. Ottawa.

IAAust (Institute of Actuaries of Australia). 2003. “Assessing Risk.” In C. Bellis, J. Shepherd, and R. Lyon, eds., Understanding Actuarial Management: The Actuarial Control Cycle. Sydney.

IAIS (International Association of Insurance Supervisors). 2003a. Issues Paper on Life Insurance Securitisation. Basel, Switzerland, October.

———. 2003b. Issues Paper on Non-life Insurance Securitisation. Basel, Switzerland, October.

———. 2003c. Stress Testing by Insurers Guidance Paper. Basel, Switzerland, October.

———. 2005. Guidance Paper on Risk Transfer, Disclosure, and Analysis of Finite Reinsurance. Basel, Switzerland.

Moscadelli, Marco. 2004. The Modelling of Operational Risk: Experience with the Analysis of the Data Collected by the Basel Committee. Bank of Italy, Rome.

OSFI (Office of the Superintendent of Financial Institutions Canada). 2002. Instruction Guide: Use of Internal Models for Determining Required Capital for Segregated Fund Risks (MCCSR). Ottawa.

Risk Management Group. 2002. “Operational Risk Data Collection Exercise.” A report by the Basel Committee on Banking Supervision. Bank for International Settlements, Basel.


Standards Australia and Standards New Zealand. 1995. Standard on Risk Management. ASNZS 4360.

Swiss Reinsurance Company. 2003. The Picture of ART. Zurich.

Tiller, J. E. Jr., and D. F. Tiller. 1995. Life, Health and Annuity Reinsurance, Second Edition. Winsted, Conn.: Actex Publications.


Posttest

1. Which of the following are correct statements regarding underwriting risk?

a. The development of sound and reliable experience studies of the insurer as well as industry experience for all of the insurer’s underwriting risks is very important.

b. The key drivers of each underwriting risk must be understood.

c. The volatility, uncertainty, and catastrophic elements of underwriting risk must be well understood.

d. Whichever strategy an insurer adopts to mitigate its underwriting risks, it must maintain an appropriate level of expertise to manage the strategy adopted based on the complexity of the risks and strategies.

e. Modeling of policyholder behavior is evaluated through standardized techniques.

2. Which of the following are correct statements regarding credit risk?

a. Counterparty risk is not a type of credit risk.

b. In situations where asset performance is shared directly or indirectly with the policyholder, the impact of credit losses can also be shared. Such credit need not take into account policyholders’ reasonable expectations.

c. Frequently, higher credit losses are associated with a weakened economic situation; both the frequency and severity of default losses increase with a worsening economy.

d. Insurance supervisors should expect insurers to have sound procedures for selecting, rating, and monitoring all credit risk exposures.

3. Which of the following are correct statements regarding market risk?

a. Liquidity risk is a related risk that is sometimes included in the category of market risk.

b. The management of market risk focuses on the economic value of the insurer’s net asset and liability market risks.

c. Market risk varies considerably, depending on the nature of the underlying insurance product that the assets support.

d. Market risk varies considerably, depending on the extent to which such risk is shared with the policyholder.

e. The primary source of market risk is within the horizon of the replicating portfolio, not beyond it.


4. Which of the following are correct statements regarding operational risk?

a. Operational risk is an important source of risk to insurers.

b. Industry data permit the scaling of losses between different sizes of insurance operations.

c. The causes of insurer operational risk are not yet well defined.

d. Board focus on operational risk might well be on education, awareness, and identification (that is, “don’t shoot the messenger”).

5. Which of the following are correct statements about “putting it all together”?

a. Insurers experience many risks, which vary directly or indirectly based on the interaction of those risks with other risks. They are interdependent. Risk management must take these into account.

b. Concentration is the risk of having higher-than-normal relative risk exposure in a single risk. Concentration is considered bad in times of stress.

c. Risk diversification is similar to risk concentration.

d. Some advanced risk mechanisms have been developed to access the capital markets because of their greater capacity to absorb risk.

6. Which of the following are important in selecting appropriate risk measures?

a. Encourages the desired behavior

b. Reflects the insurer’s experience

c. Reflects the industry experience

d. Consistent methodology across risk types and across the insurer

e. Approval at the board level

f. Multiple risk measures for each risk

g. Risk measures with certain favorable statistical properties (for example, coherence).

7. Which of the following are correct statements about the management of key risks between large and small insurers?

a. Risk management is of key importance to all sizes of insurers.

b. The qualitative aspects of risk management are important for both large and small insurers.

c. Complex risks in a small insurer can be handled using standardized techniques.

d. Assessment of key risks in a small insurer will frequently require reference to industry as well as the insurer’s experience.


Appendix I. ICP 18

ICP 18 Risk assessment and management

The supervisory authority requires insurers to recognize the range of risks that they face and to assess and manage them effectively.

Explanatory note

18.1. An insurer should identify, understand, and manage the significant risks that it faces. Effective and prudent risk management systems appropriate to the complexity, size, and nature of the insurer’s business should identify and measure against risk tolerance limits the risk exposure of the insurer on an on-going basis in order to indicate potential risks as early as possible. This may include looking at risks by territory or by line of business.

18.2. Some risks are specific to the insurance sector, such as underwriting risks and risks related to the evaluation of technical provisions. Other risks are similar to those of other financial institutions, for example, market (including interest rate), operational, legal, organizational, and conglomerate risks (including contagion, correlation, and counterparty risks).

18.3. Supervisors play a critical role in the risk management process by reviewing the monitoring and controls exercised by the insurer. The supervisory authority develops prudential regulations and requirements to contain these risks. While the supervisor puts such requirements in place with the intent of ensuring enhanced practices by insurers, the ultimate responsibility for the development of best practices and the proper operation of the insurer must always rest with the board of directors.

Essential criteria

a. The supervisory authority requires and checks that insurers have in place comprehensive risk management policies and systems capable of promptly identifying, measuring, assessing, reporting, and controlling their risks (refer to ICP 10 Essential Criterion d).

b. The risk management policies and risk control systems are appropriate to the complexity, size, and nature of the insurer’s business. The insurer establishes an appropriate tolerance level or risk limit for material sources of risk.

c. The risk management system monitors and controls all material risks.


d. Insurers regularly review the market environment in which they operate, draw appropriate conclusions as to the risks posed, and take appropriate actions to manage adverse impacts of the environment on the insurer’s business.

Advanced criteria

e. Larger insurers establish a risk management function and a risk management committee.


Appendix II. Answer key

Pretest

1. a, b, c, d, e 2. a, b, d 3. a, b, e 4. a, b, c, f 5. a, c, d 6. c 7. a, b, d 8. a, b, d

Exercises

1. a, b, c, d, e 2. a, b, c, e 3. a, b, e 4. a, c, d, f, g 5. a, c, d, e, f 6. a, d, e 7. b 8. a, b, e 9. b, d, e 10. b 11. b, c, e 12. b, c 13. b, c 14. b, c, d 15. true 16. a, b, c, d, e 17. false 18. true 19. true

Posttest

1. a, b, c, d 2. c, d 3. a, b, c, d


4. a, c, d 5. a, b, d 6. a, b, d, e, f, g 7. a, b, d