erm and the new regulatory - iasa 2015/sessions/arf/iasa-2015-session 104...erm related regulatory...

IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

ERM and the New Regulatory Requirements

Session Number 104


Presenters

Lisa Cosentino, Managing Director, SMART DEVINE

Kim Piersol, Consulting Actuary, Huggins Actuarial

Services, Inc.

Steve Turner, Executive Director, Reinsurance Group of

America, Incorporated


Objectives

ERM and the New Regulatory Requirements – a

Consolidated Approach and Evaluation Techniques

Objective 1 – Understand the high level requirements of the

ERM related regulatory requirements

Objective 2 - Approach to consolidate the regulatory

requirements into a consolidated Enterprise Risk

Management process

Objective 3 - Discussion on economic capital modeling and

internal audit as evaluation techniques to assess ERM


“Great companies will have great Corporate Governance

and ERM Frameworks. The others will be left behind.”

Steve J. Johnson, Deputy Insurance Commissioner, Office of Corporate and

Financial Regulation, Pennsylvania Department of Insurance, September 30,

2014, Insurance Regulatory Update, PAMIC Conference


Consolidated Approach


Enterprise Risk Management

What is ERM?

“A process, effected by an entity’s board of directors,

management and other personnel, applied in strategy

setting and across the enterprise, designed to identify

potential events”

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004

Enterprise Risk Management – Integrated Framework


Benefits of ERM Framework

Maximize value to the organization’s various stakeholders

Manage exposure to potential earnings and capital volatility

Create a risk-aware culture that encourages risk-taking

Develop consistent metrics to measure risk and to establish

risk tolerance levels

Assign roles and responsibilities to board, senior

management and others

Maintain excellent rating from rating agencies


ERM Components


Internal Environment

Encompasses the tone of an organization and sets the

basis for how risk is viewed and addressed by an entity’s

people, including risk management philosophy and risk

appetite, integrity and ethical values, and the environment

in which they operate.


Terminology

Risk Appetite – amount and type of risk that an organization

is willing to pursue or retain in pursuit of its mission.

• Reflective of strategy, risk strategies and stakeholder expectations

• Set and endorsed by board of directors through discussions with

management

Risk Tolerance – The amount of risk an organization is

willing to accept in the aggregate (or within a certain

business unit or a specific risk category)

• Expressed in quantitative terms that can be monitored

• Often expressed in acceptable/unacceptable outcomes or levels of

risk


Risk Tolerance Level Examples

Economic Capital Model – Probability of ruin at 99.5% VaR,

one-year out

Minimum best capital adequacy ratio, one year out to

achieve/maintain A- rating

NAIC risk based capital less than 300

Net written premium to surplus ratio of greater than 1.5 to 1

No greater than a 10% loss of capital from all risk factors in

any one year

Holding Company debt to total capitalization ratio


Objective Setting

Management, with the oversight from its board of directors,

is responsible for establishing strategic, operational,

reporting and compliance objectives, and for ensuring the

appropriate and timely consideration of the risks to

achieving those objectives.

Provides the context and “pre-condition for effective event

identification, risk assessment and risk response.”

Objectives cascade from the organization’s strategy setting

to sub-objectives that drive risk management at lower levels

of the organization across geographic boundaries,

geographic divisions and departments.


Event Identification

Robust, comprehensive, and continual process for

identifying potential events that may affect the entity’s

ability to achieve its strategic, operational, or other related

objectives.

• This process identifies both potentially positive and negative

outcomes (i.e., opportunities and risks)

Top-Down Risk Identification

• What would prevent the company from achieving its strategic

objective

• What event(s) could significantly negatively impact the company?

• What opportunities are there to grow our business and what could get

in the way of our success.


Risk Assessment

Risks are analyzed, considering likelihood and impact, as a

basis for determining how they should be managed.

Risks are assessed on an inherent and a residual basis.


Risk Assessment Process

Identifying risks considering expected, unexpected or

emerging risks.

Assessing each risk for its likelihood, impact, and velocity

and an inherent and residual basis.

Considering both inherent (without consideration of the

control environment) and residual risk (after evaluating the

adequacy of controls in place to mitigate risks).

Comparing and aggregating risks to ensure highest level

impact and probability.

Using stress testing and scenario analysis to consider the

adequacy and completeness of risk assessments.


Risk Assessment Process, Continued

Comparing residual risk risks to the company’s risk appetite

to identify gaps

Establishing risk categories for purpose of subsequent

reporting and communication

Reviewing the risk assessment results with executive

management and the board of directors for further

consideration and oversight, particularly to bring risks in line

with the company’s overall risk appetite


CERA – the ERM Actuarial Credential

Chartered Enterprise Risk Analyst

• Uniquely qualified to address all types of risk

• financial,

• operational and

• strategic risks

• Training in qualitative and quantitative aspects of enterprise risk management

• Experience in integrating diverse insights into business solutions.

• CERA professional standards of conduct identify responsibilities

• to the public,

• to their clients,

• to their employers; and

• to the actuarial profession.


CERA – the ERM Actuarial Credential

The CAS minimum requirements to qualify for the CERA designation

are:

• Meet all requirements for CAS Associateship

• Have credit for CAS Exam 7 and Exam 9

• Successfully complete the three-day Enterprise Risk Management

and Modeling Seminar for CERA Qualification

• Successfully complete Exam ST9, Enterprise Risk Management

Specialist Technical, of the Institute and Faculty of Actuaries (U.K.)


Actuarial Key Risk Factors/Controls

Enterprise risks

• Model risk and control

•Models must be in compliance with all Actuarial

Standards of Practice (ASOPs)

•Appropriateness of the assumptions made in the

calculations

•Defined and documented process for each periodic

review

•Back-test the results (actual verses expected analyses)

•Transparency of assumptions and limitations to key

stakeholders (communications)



Enterprise risks (cont.)

• Economic and pricing risk

•Price monitoring system – data reconciliation and frequency of

review

•Development of pricing assumptions

•Treatment of differing characteristics of insured risks

•Feedback loop on actual performance compared to pricing

objectives

• Regulatory compliance

•Preparation and analysis for new and emerging regulatory changes

•Compliance


Stress Testing and Scenario Analysis

A scenario describes a consistent future state of the world over time,

resulting from a plausible and possibly adverse set of events or

sequences of events. A stress test provides an assessment of an

extreme scenario, usually with a severe impact on the firm, reflecting

the inter-relations between its significant risks.

Together, they complement the use of economic capital models that

apply probabilities to possible future scenarios to determine appropriate

capital needs of a firm. In contrast to internal models, scenario analysis

and stress testing assess the financial effect of the events or sequence

of events that lead to specific scenarios in adequate detail so that their

causes can be identified and their effects on the firm can be

understood. Thus, they can be used to enhance the understanding of if

and why a firm is vulnerable to highly uncertain tail risks.


Sensitivity Analysis

A sensitivity is the effect of a set of alternative assumptions

regarding a future environment.

A stress test is a projection of the financial condition of a

firm or economy under a specific set of severely adverse

conditions that may be the result of several risk factors over

several time periods with severe consequences that can

extend over months or years. Alternatively, it might be just

one risk factor and be short in duration. The likelihood of

the scenario underlying a stress test has been referred to

as extreme but plausible.


Financial Models Supporting ERM

Economic Capital Model (ECM) and ERM

• Cornerstone of ERM

• ECM applies economic principles in concert with company’s own risk

profile for estimation purposes

• Uses stochastic methods to model possible outcomes for insurer

financials

• Permits detailed measurements of the impact of business segments

on overall risk

• Can be used to measure compliance with Solvency II standard of

solvency (99.5% probability of solvency over one year time horizon)

• Requires significant expertise to effectively apply model


Risk Response

Selected by management – avoiding, accepting, reducing,

or sharing risk – developing a set of actions to align risks

with the entity’s risk tolerances and risk appetite.


Control Activities

Policies and procedures established and implemented to

help ensure the risk responses are effectively carried out.


Information and Communication

Relevant information is identified, captured, and

communicated in a form and timeframe that enable people

to carry out their responsibilities.

Best practices includes information about its ERM

programs and reporting processes in its annual reports to

key stakeholders as part of the disclosure of corporate

governance principles and practices and via the

organization’s external and internal internet sites.


Monitoring

The entirety of the ERM is monitored and modifications are

made as necessary. Monitory is accomplished through

ongoing management activities, separate evaluations, or

both.


Practical Approach

Discussion


AM Best Enterprise Risk Management Framework


AM Best Risk Framework

Credit Market Underwriting Operational Strategic

Default Equities UW Process Monetary Competition

Downgrade Other Assets Pricing Reporting Demographics

Disputes Currency Reserves Legal Publicity

Settlement Concentration Prodct Design Distribution Rating

Sovereign Basis Basis IT Systems Demands

Concentration Reinvestment Frequency Regulatory Regul Capital

Liquidity Severity Training Availability

ALM Lapse Turnover Technological

Interest Rates Longevity Data Capture

Mortality/Morb

Optionality

Concentration

Economy


Rating Agency Measures - BCAR

• Both formulaic and simulation-based.

• Used as significant input into assignment of financial

strength ratings.

• Lacks full transparency, as not all parameters are made

public.


AM Best Rating Process


AM Best Discussions

Discussion


Enterprise Risk Report – Form F

Required if your organization comes under the Holding

Company Act.

According to Steve Johnson -

• First ones filed in 2014

• Most were poorly done

• Questions should be answered as if you were having a conversation

with the regulator


Components of Form F

Any material developments regarding strategy, internal

audit findings, compliance or risk management

Acquisition or disposal of insurance entities and reallocating

of existing financial or insurance entities

Any changes in shareholders of the insurance holding

company system exceeding 10% or more of voting

securities

Developments in various investigations, regulatory activities

or litigation that may have a significant bearing or impact

Business plan and summarized strategies for next 12

months


Components of Form F, Continued

Identification of material concerns of the insurance holding

system raised by supervisory college, if any, in last year.

Identification of insurance holding company system capital

resources and material distribution patterns.

Identification of any negative movement, or discussions

with rating agencies which may have cause, potential

negative movement in the credit ratings and individual

insurer financial strength ratings assessment.

Information on corporate or parental guarantees and the

expected source of liquidity should guarantees be called

upon.


Components of Form F, Continued

Identification of any material activity or development of the

insurance holding company system that, in the opinion of

senior management, could adversely affect the insurance

holding company system.


Enterprise Risk Report (Form F) and ERM Components


Form F in Action

Discussion


Own Risk Solvency Assessment

A component of an insurer’s enterprise risk management

(ERM) framework, is a confidential internal assessment

appropriate to the nature, scale and complexity of an insurer

conducted by the insurer of the material and relevant risks

identified by the insurer associated with an insurer’s current

business plan and the sufficiency of capital resources to

support those risks.


Goals of ORSA

Ensure all insurers have “an effective level of ERM through

which material and relevant risks are identified using

techniques appropriate to the nature, scale and complexity

of the company’s operations, in a manner adequate to

support risk and capital decisions”; and

Provide support to the existing legal entity view of group-

level perspective on risk and capital.


ORSA Report Sections

Section 1- Description of Insurer’s Risk Management

Framework

• Risk Culture and Governance

• Risk Identification and Prioritization

• Risk Appetite, Tolerances and Limits

• Risk Management and Controls

• Risk Reporting and Communication

Section 2 – Insurer’s Assessment of Risk Exposure

• For each material risk category in Section 1, provide quantitative

and/or qualitative measurement of risk exposure in both normal and

stressed environments using risk techniques appropriate to the

insurer’s specific risk profile.


ORSA Report Sections, Continued

Section 3 – Group Risk Capital and Prospective Solvency

Assessment

• Document how the company combines risk assessment and risk

management to determine level of financial resources needed to

manage business over long term business cycle.

• Demonstrate the company has capability to execute a 3 to 5 year

business plan, given current capital requirements and result of normal

and stressed environments.

• If the company’s surplus cannot support 3 to 5 year plan, explain what

actions will be taken to resolve capital adequacy.


ORSA Section 3 – Group Risk Capital and Prospective Solvency Assessment

ORSA Section 3

Section 3 of the ORSA Summary Report should document

how the company combines the qualitative elements of its

risk management policy and the quantitative measures of

risk exposure in determining the level of financial resources

it needs to manage its current business and over a longer

term business cycle, such as the next 2-5 years. The

information provided in Section 3 is intended to assist

regulators in forming subjective assessments of the quality

of insurer’s risk and capital management.



Group Risk Capital Assessment

Broadly defined as the testing of aggregate available capital

against the various risks which may adversely affect the

enterprise.

Goal of such an exercise is to determine that a given level of

capital is sufficient to withstand the various risks, individually and

collectively, up to some defined security standard or risk

appetite.

The level of capital that just satisfies the security standard can be

defined as “risk capital,” and can be compared to “available

capital” to ascertain the degree of capital adequacy, including

“excess” or “deficit” capital.



Group Risk Capital Assessment (cont’d)

Insurers should have sound processes for assessing capital

adequacy in relation to their risk profile and the process

should be integrated into its management and decision

making culture.

On an annual basis, the insurer subject to this reporting

requirement should provide a group risk capital assessment

within its ORSA Summary Report for the previous period.



Definition of Economic Capital

Sufficient surplus to cover adverse outcomes or to meet a

business objective.

With a given level of risk tolerance.

Over a specified period of time.



Definition of an Economic Capital Model (ECM)

One primary tool to assess risk in an insurance

organization Simulates the internal operations of the company relative to the

external environment within which it is operating.

Indicates future levels and volatility of profitability, and

Estimates appropriate amounts of capital to hold.



ECM Can ….

Model

Company or Product Risk Profiles

Risk Tolerance, Constraints & Strategies

Insurance Pricing & Business Strategies

Performance Measurements

Capital Adequacy & Budgeting

Incentive Compensation

Investment & Risk-Adjusted Rates of Return

Merger & Acquisition Pricing Details

Capital Allocation Among Business Units


ORSA and the ERM Components


ORSA In Action

Discussion


Corporate Governance

Annual Corporate Governance Disclosure

• Anticipate to be effective for 2016

• All Companies will need to file


Corporate Governance

NAIC Corporate Governance Principles (CGP)

The ERM approach encompasses the sections required by

the CGP which include significant changes from the prior

year, governance framework, board of director committee

policies and procedures, management policies and

procedures, management oversight of critical risk areas,

and risk summary reports to the board from management.


Corporation Governance Principles

White-paper

• Corporate Governance

• Board of Directors (Education of Boards)

• Senior Management

• Suitability of Individuals

• Reporting and Transparency

• Risk Management and Internal Controls

• Control Functions

• Regulatory Oversight


Corporate Governance and ERM Components


Corporate Governance in Action

Discussion


Internal Audit’s Role

From IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management, January 2009


The Three Lines of Defense in Effective Risk Management


The Third Line of Defense

Internal audit provides assurance on the effectiveness of

governance, risk management, and internal controls,

including the manner in which the first and second lines of

defense achieve risk management and control objectives.


Internal Audit and ERM Components


Annual Financial Reporting Model Regulation (MAR)

Management’s Report of Internal Control Over Financial

Reporting

Annual direct written and assumed premiums greater than

$500 million.


Report Components

Management’s Report of Internal Control Over Financial

Reporting

Management is responsible for internal controls

Management has established internal controls over

financial reporting and they are effective

The approach used to evaluate internal controls

The scope of work

Disclosure of unremediated material weaknesses

Inherent limitations of internal control systems

Signature of CEO and CFO


Components of Internal Controls

Internal control consists of 5 interrelated components:

• Control Environment

• The entity’s risk assessment process

• The IT systems, including the related business processes relevant to

financial reporting and communication

• Control activities

• Monitoring of controls


Financial Reporting Controls

Entity-level controls

Processing controls

• Premiums

• Claims

• Investments

• Reinsurance

• Tax

• Actuarial

IT Controls



Actuarial Financial Statement Risks

• Key process risk

•Controls on actuarial judgment and selections

•Treatment of data anomalies in the analysis

• Key person risk/succession planning

•Over-reliance on a few key individuals

• Identify, develop and retain talent for key positions and areas

•Planning relating to reorganization, turnovers, or actuarial student

rotations



Financial Statement Risks

• Reliance on third-party providers

• Data risk

• Accuracy

• Completeness

• Controls (reconciliation)

• Other miscellaneous risk

• Assumptions

• Process around management best estimates vs. actuarial best estimate


MAR and ERM Components


Focus of the Examination Process

In general, the focus of the financial examination process

has shifted from primarily determining whether an insurer’s

statutory financial statements contain any material

misstatements of its financial condition at a specific point in

time (the “as of” date of the examination) to a broader,

more qualitative assessment of the risks inherent in each

insurer’s operations and the insurer’s efforts to identify and

mitigate those risks.


Risk-focused Regulatory Examinations

Moving to minimum of 10 critical risk categories to reduce

the scope of work 1. Valuation/Impairment of Complex of Subjectively Valued Invested Assets

2. Liquidity Considerations

3. Appropriateness of Investment Portfolio and Strategy

4. Appropriateness/Adequacy of Reinsurance Program

5. Reinsurance Reporting and Collectability

6. Underwriting and Pricing Strategy/Quality

7. Reserve Data

8. Reserve Adequacy

9. Related Party/Holding Company Considerations

10.Capital Management


Risk-Focused Regulatory Examinations

Critical Risk Categories

The 10 critical risk categories (valuation, liquidity,

investment strategy, reinsurance adequacy and

collectability, underwriting, reserve data and adequacy,

related parties, and capital management) of a RFRE are

included in the event identification of ERM.


Consolidated Approach


Contact Information

Lisa Cosentino

Managing Director

267.670.7320

[email protected]

Kim Piersol

Consulting Actuary

610.892.1808

[email protected]

Steve Turner

Executive Director

310.780.0100

[email protected]

mailto:[email protected]




Please Complete the Session Evaluation Form on the Conference App

erm and the new regulatory - iasa 2015/sessions/arf/iasa-2015-session 104...erm related regulatory...

Documents