Enterprise Risk Management
TRANSMITTAL MEMORANDUM
September 2024
TO: Members of Actuarial Organizations Governed by the Standards of Practice of the Actuarial Standards Board and Other Persons Interested in Enterprise Risk Management
FROM: Actuarial Standards Board (ASB)
SUBJ: Proposed Replacement of Actuarial Standards of Practice (ASOPs) Nos. 46 and 47
This document contains the second exposure draft of a proposed single ASOP titled Enterprise Risk Management to replace ASOP Nos. 46 and 47, Risk Evaluation in Enterprise Risk Management and Risk Treatment in Enterprise Risk Management, respectively. Please review this second exposure draft and give the ASB the benefit of your comments and suggestions. Each comment letter received by the comment deadline will receive consideration by the drafting committee and the ASB.
The ASB appreciates comments and suggestions on all areas of this proposed standard. The ASB requests comments be provided using the Comments Template that can be found here and submitted electronically to comments@actuary.org. Include the phrase “ERM ASOP COMMENTS” in the subject line of your message. Also, please indicate in the template whether your comments are being submitted on your own behalf or on behalf of a company or organization.
The ASB posts all signed comments received on its website to encourage transparency and dialogue. Comments received after the deadline may not be considered. Anonymous comments will not be considered by the ASB nor posted on the website. Comments will be posted in the order that they are received. The ASB disclaims any responsibility for the content of the comments, which are solely the responsibility of those who submit them.
For more information on the exposure process, please see the ASB Procedures Manual.
Deadline for receipt of comments: November 1, 2024
History of the Standards
ASOP Nos. 46 and 47 were the first ASOPs applying specifically to actuaries performing actuarial services for the purposes of enterprise risk management (ERM). Both were adopted by the ASB in 2012, specifically ASOP No. 46 in September and ASOP No. 47 in December.
ASOP No. 55, Capital Adequacy Assessment, covering topics with strong connections to ERM, was adopted in June 2019 with an effective date of November 1, 2019.
ASOP Nos. 46 and 47 were prepared when ERM as a field of practice for actuaries was in fledgling form, with a relatively small number of actuaries having experience in the area. In the years since, actuarial practice in the field has evolved considerably, with many actuaries now working as risk practitioners and a number working in senior risk roles, including chief risk officer. Moreover, ERM nomenclature has also evolved.
Thus, the ASB decided to replace ASOP Nos. 46 and 47 with a new ERM ASOP to reflect the developments since 2012, to better reflect today’s ERM practices and terminology, and to align with ASOP No. 55.
First Exposure Draft
The first exposure draft was released in May 2023 with a comment deadline of September 15, 2023. Fifteen comment letters were received and considered in making changes that are reflected in this second exposure draft.
For a summary of issues contained in these comment letters, please see appendix 2.
Notable Changes from the First Exposure Draft
Notable changes from the first exposure draft included in this second exposure draft are summarized below. Notable changes do not include changes made to improve readability, clarity, or consistency.
- In section 1.2, guidance has been added to limit the scope of the standard.
- Concepts in section 2.9 were moved to new section 3.10.
- A definition of risk classification was added in section 2.14.
- In section 3.4, guidance on the risk appetite framework was streamlined into one section.
- Section 3.9 was split into sections 3.9 and 3.10. Section 3.9 now lists the ORSA basic requirements.
- In section 3.11, language was modified.
Notable Changes from the Existing ASOPs
Early in the drafting process, the ASB decided that it would be more appropriate to have a single ASOP covering the overarching subject of “ERM framework.” ASOP No. 46 is primarily concerned with how risk is measured and monitored, while ASOP No. 47 is focused on risk appetite and the setting of limits, and how risks are managed. Because the activities covered by ASOP Nos. 46 and 47 are intertwined, the ASB drafted a single ASOP with the development and maintenance of an ERM framework as its core.
This new ASOP contains many significant changes from ASOP Nos. 46 and 47, including a heavily revised set of definitions that better reflects current practice.
Other notable changes from the guidance in ASOP Nos. 46 and 47 are summarized in the following.
- The new ASOP covers activities in an order that reflects how organizations typically establish an ERM framework. Such a framework is then managed as a continuous cycle from the identification and classification of risks to risk appetite setting and mitigation. Because topics were split between two ASOPs, ASOP Nos. 46 and 47 did not reflect the holistic framework.
- The new ASOP provides guidance on the following topics where ASOP Nos. 46 and 47 previously provided little or no guidance:
  - governance over risk processes;
  - risk identification;
  - risk classification; and
  - considerations related to an organization’s own risk and solvency assessment.
The ASB voted in September 2024 to approve this second exposure draft.
Enterprise Risk Management Committee
David R. Paul, Chairperson
Derek D. Berget
Anthony Dardis
William R. Jones
Adam J. Lei
Elisabetta Russo
Actuarial Standards Board
Kevin M. Dyke, Chairperson
Laura A. Hanson
Richard A. Lassow
David E. Neve
Christopher F. Noble
Gabriel R. Schiminovich
Judy K. Stromback
Alisa L. Swann
Patrick B. Woods
The Actuarial Standards Board (ASB) sets standards for appropriate actuarial practice in the United States through the development and promulgation of Actuarial Standards of Practice (ASOPs). These ASOPs describe the procedures an actuary should follow when performing actuarial services and identify what the actuary should disclose when communicating the results of those services.
PROPOSED ACTUARIAL STANDARD OF PRACTICE
ENTERPRISE RISK MANAGEMENT
STANDARD OF PRACTICE
Section 1. Purpose, Scope, Cross References, and Effective Date
1.1 Purpose
This actuarial standard of practice (ASOP or standard) provides guidance to actuaries when performing actuarial services with respect to developing, maintaining, or reviewing all or part of an enterprise risk management (ERM) framework.
1.2 Scope
This standard applies to actuaries when performing actuarial services with respect to developing, maintaining, or reviewing all or part of an ERM framework. While ERM frameworks vary among different organizations, the following are common components:
- governance;
- risk identification;
- risk classification;
- risk appetite;
- risk mitigation;
- risk metrics;
- capital management;
- stress testing and scenario analysis; and
- own risk and solvency assessment (ORSA).
This standard does not apply to actuaries when performing actuarial services that are related to a component of an ERM framework but are not for the purposes of developing, maintaining, or reviewing all or part of an ERM framework. Examples of such services include pricing of insurance products, the evaluation of liabilities of insurers and pension plans, designing a health insurance program, and executing a product-specific reinsurance or hedging program.
If the actuary is performing actuarial services that involve reviewing all or part of an ERM framework, the actuary should follow the guidance in this ASOP to the extent practicable within the scope of the actuary’s assignment.
If the actuary determines that the guidance in this standard conflicts with an ASOP that applies to all practice areas, this standard governs.
If a conflict exists between this standard and applicable law (statutes, regulations, and other legally binding authority), the actuary should comply with applicable law. If the actuary departs from the guidance set forth in this standard in order to comply with applicable law, or for any other reason the actuary deems appropriate, the actuary should refer to section 4.
1.3 Cross References
When this standard refers to the provisions of other documents, the reference includes the referenced documents as they may be amended or restated in the future, and any successor to them, by whatever name called. If any amended or restated document differs materially from the originally referenced document, the actuary should follow the guidance in this standard to the extent it is applicable and appropriate.
1.4 Effective Date
This standard is effective for actuarial services performed on or after four months after adoption by the Actuarial Standards Board.
Section 2. Definitions
The terms below are defined for use in this ASOP and appear in bold throughout the standard. The actuary should also refer to ASOP No. 1, Introductory Actuarial Standard of Practice, for definitions and discussions of common terms, which do not appear in bold in this standard.
2.1 Available Capital
The excess of assets over liabilities that is available to cover the required capital, calculated on a basis consistent with required capital.
2.2 Emerging Risk
New or evolving risks that may be difficult to identify, manage, or measure because they have not been experienced previously and therefore their likelihood, magnitude, timing, or interdependency with other risks are more uncertain.
2.3 Enterprise Risk Management (ERM) Framework
The collection of processes by which the organization identifies, classifies, mitigates, measures, monitors, and manages its risk exposures. These processes are repeated periodically.
2.4 Governance
The structure of an organization’s personnel, committees, and boards; the processes for review, referral, notification, escalation, and decision-making; and the identification of responsible parties for these processes.
2.5 Internal Capital Assessment
A methodology used to calculate the assets in excess of liabilities necessary to withstand shocks based on an internal quantification of financial risk exposures. An internal capital assessment may indicate capital levels that are higher or lower than levels specified by regulators or rating agencies.
2.6 Organization
The entity or entities to which the ERM framework applies. Examples include public or private companies (individual or a group), government entities, and associations, whether for profit or not for profit. Components of an ERM framework may function differently at the company level or be unified across the whole group.
2.7 Own Risk and Solvency Assessment (ORSA)
An internal assessment of the adequacy of an organization’s risk management and current and prospective solvency position, including action plans produced from the assessment. ORSA is a widely recognized key component of the ERM frameworks of many insurance organizations. ORSA is a requirement in most insurance regulatory regimes globally, although in some regimes it is not mandated for certain organizations. Nevertheless, some organizations elect to perform non-mandated ORSAs.
2.8 ORSA Report
A summary of an ORSA addressed to senior management and boards. It may also be submitted to insurance regulators.
2.9 Required Capital
The minimum level of excess of assets over liabilities necessary to withstand shocks based on a quantification of financial risk exposures. Required capital may be based on internal calculations, regulatory requirements, or rating agency recommendations.
2.10 Risk Appetite
The risks an organization is willing to accept in pursuit of its business objectives. Such risks may or may not be measurable or estimable. Risk appetite may refer to individual risks or risks in the aggregate.
2.11 Risk Appetite Framework
A framework used to identify, measure, and place limits on risks an organization is willing to accept in pursuit of its business objectives.
2.12 Risk Appetite Limit
The level that a risk measure should not exceed for the organization to remain within its risk appetite. Risk appetite limits may be applied in aggregate or specifically to a risk type. They may also apply at a line of business level, company level, or group level, possibly with different limits at each defined level.
2.13 Risk Appetite Statement
A statement by management of an organization (or a part of an organization) of its risk appetite. There may be several risk appetite statements pertaining to individual risks or a single statement across an organization.
2.14 Risk Classification
The process of establishing a system for evaluating, prioritizing, and cataloging risks, normally involving the creation of a risk inventory and an associated risk taxonomy.
2.15 Risk Inventory
A regularly updated list of the risks to which an organization is exposed. Also commonly referred to as a risk register.
2.16 Risk Taxonomy
A tiered structure with broad risk classifications and more narrowly defined classifications to the level of granularity that is appropriate for the organization. Risk inventories typically use taxonomy to index their risks.
2.17 Scenario Analysis
A process for assessing the impact of one possible event or several simultaneously or sequentially occurring possible events. Scenario analysis may include a narrative (non-financial) description or numerical (financial) calculations.
2.18 Stress Testing
A scenario analysis that measures the impact of adverse changes affecting an organization’s financial position.
2.19 Three Lines
A common model for governance of an organization’s ERM framework. The “first line” refers to business and process owners within the organization who own and manage risk. The “second line” identifies where there is separate oversight of risk-taking activities, with some independence from the first line. The “third line” audits the effectiveness of the implemented ERM framework. “Three lines” is also known as “three lines of defense.”
Section 3. Analysis of Issues and Recommended Practices
3.1 Governance
When performing actuarial services related to an ERM framework, the actuary should understand how their role and deliverables fit into the governance of the organization. When an organization uses the three lines model, the actuary should understand which line(s) their ERM activities fall under and understand the extent of their independence from the other line(s).
3.2 Risk Identification
When performing actuarial services related to the identification of risks for a risk inventory, including emerging risks, the actuary should take into account the following:
- how risks relate to the business objectives of the organization;
- how the organization defines risk, which depends upon a number of factors, such as business profile, ownership structure, and regulatory jurisdiction;
- how risks emerge across different time horizons;
- how risks are viewed through financial and non-financial lenses relevant to the organization;
- how risks may interact with each other; and
- how risks represent new threats to and opportunities for the organization.
3.3 Risk Classification
When performing actuarial services related to risk classification, the actuary should use a risk inventory and prioritize risks on the basis of 1) management’s assessment of the importance of a risk to the organization’s business objectives, and 2) the financial and operational significance of the risk. The actuary should take into account any risk taxonomy for purposes of classification of risks in the risk inventory. If there is no established risk taxonomy, the actuary may recommend that one be created.
For each risk being classified, the actuary should take into account the following:
- the organization’s attitude to the risk, such as risk avoiding, risk minimizing, risk accepting, or risk taking;
- the potential impact of the risk on the organization’s business objectives;
- the potential impact of the risk across different time horizons;
- any existing classifications or assessments that may already be articulated within the organization;
- potential capital implications of the risk; and
- classification of risk exposures by other parties, such as internal or external auditors.
3.4 Risk Appetite Framework
When performing actuarial services related to developing a risk appetite framework, the actuary should confirm that the following items exist and are appropriate for material risks in the risk inventory:
- risk appetite statements;
- risk metrics;
- risk appetite limits;
- risk appetite triggers, which serve as early warning indicators that a risk metric is approaching its risk appetite limit, set at a level to allow management time for additional risk mitigation; and
- governance roles for setting risk appetite limits and triggers and for monitoring risk metrics.
To the extent that these items do not exist or are inappropriate, the actuary should instead recommend they be developed or modified.
3.5 Risk Mitigation
When performing actuarial services related to risk mitigation, the actuary should evaluate the proposed risk mitigation activities using scenario analysis or other methods. When performing this evaluation, the actuary should take into account the following:
- the extent to which the risk mitigation activity impacts the severity or frequency of an event and the length of time it takes to realize the impact;
- the extent to which the proposed risk mitigation activity, targeting specific sets of risks, affects the total risk faced by the organization;
- the extent to which the proposed risk mitigation activity transforms the risks less tolerated by the organization into other risks the organization is more willing to manage;
- cost of the risk mitigation activity; and
- applicable law.
When evaluating the effects of risk mitigation activities using models, the actuary should use appropriate granularity.
3.6 Risk Metrics
When performing actuarial services related to risk metrics, the actuary should confirm that the risk metrics
a. align with the organization’s business objectives both at an organizational level and within specific business units, if applicable;
b. are clearly defined to support the measurement of risk exposures before and after risk mitigation (i.e., inherent risk and residual risk), if applicable;
c. align with the organization’s risk appetite; and
d. cover all the material risks in the risk inventory.
To the extent that risk metrics do not reflect (a)–(d), the actuary should instead recommend they be developed or modified.
3.6.1 Developing or Modifying Risk Metrics
When performing actuarial services related to developing or modifying risk metrics, the actuary should take into account the following:
- the frequency and severity of the risk;
- the extent to which the risk metric is qualitative or quantitative;
- the time horizon for which the risk metric is applicable;
- the confidence levels intended, if applicable;
- whether the risk metric is a leading, lagging, or coincident indicator;
- the extent to which prior experience is used and how current and future trends may impact the risk metric; and
- applicable law.
3.7 Internal Capital Assessment
When performing actuarial services related to an internal capital assessment that is a part of an ERM framework, the actuary should confirm, to the extent applicable, that the internal capital assessment
a. reflects the way the organization manages its business and capital, given the nature of the risks of the business;
b. is calibrated at appropriate confidence levels, if management monitors the organization’s capital at certain stress levels;
c. includes a diversification credit from the aggregation of risks making suitable adjustments for correlations of risks, where appropriate;
d. considers the fungibility of assets accessible as available capital in different parts of an organization, including restrictions or limitations on such transfers and costs of such transfers; and
e. considers the quality of available assets to fulfill the organization’s obligations.
To the extent that the internal capital assessment does not reflect (a)–(e), the actuary should instead recommend modifications.
3.8 Stress Testing and Scenario Analysis
Stress testing and scenario analysis are used to test an organization’s resiliency, set or adjust risk appetite limits, or test the processes by which an organization manages capital and liquidity.
3.8.1 Resiliency Testing
When performing actuarial services related to stress testing or scenario analysis to test the resiliency of an organization against one or more risks, the actuary should confirm that the stress testing or scenario analysis takes into account the following:
a. business objectives and how they are disrupted under stress(es) or scenario(s);
b. the mitigating actions available to the organization if the adverse situation were to occur;
c. potential obstructions to the mitigating actions; and
d. correlations and tail dependencies between risks, if appropriate.
To the extent the stress testing or scenario analysis does not reflect (a)–(d), the actuary should instead recommend modifications.
3.8.2 Risk Appetite Limits
When performing actuarial services related to stress testing or scenario analysis associated with risk appetite limits, the actuary should refer to section 3.8.1 and should confirm that the risk appetite limits
a. are appropriate for the organization to continue to meet its business objectives under the stresses or scenarios that are tested;
b. have been tested by stress(es) or scenarios that are at appropriate levels of severity (often expressed by an organization in terms of confidence levels); and
c. have been tested by stresses or scenarios that include an appropriate range of risk factors, which may include external drivers, such as macro-economic effects, as well as internal drivers specific to an organization.
To the extent the risk appetite limits do not reflect (a)–(c), the actuary should instead recommend modifications.
3.8.3 Testing Target Levels for Capital or Liquidity
When performing actuarial services related to stress testing or scenario analysis associated with capital and liquidity, the actuary should refer to sections 3.8.1 and 3.8.2. The actuary should also refer to ASOP No. 55, Capital Adequacy Assessment.
When performing actuarial services related to stress testing or scenario analysis in a manner prescribed by rating agencies or regulators, the actuary should align the stress(es) with those prescribed.
3.9 Own Risk and Solvency Assessment (ORSA)
When performing actuarial services related to an ORSA, the actuary should confirm, to the extent practical within the scope of the actuary’s assignment, that the ORSA
- is performed regularly and when there are material changes to an organization’s risks;
- assesses the material and relevant risks associated with an organization’s business objectives;
- assesses the sufficiency of capital resources to support those business objectives; and
- is appropriate to the nature, scale, and complexity of an organization’s risks.
If the ORSA does not conform to the above, the actuary should recommend modifications.
3.10 ORSA Report
When acting as signatory of an ORSA report, the actuary should
- complete all appropriate assessments of material and relevant risks and sufficiency of capital resources, or rely on assessments made by others, to support conclusions and action plans in the ORSA report;
- document how the conclusions and action plans in the ORSA report are supported;
- ensure that the ORSA report
  - describes how the ERM framework operates;
  - describes the assessment of material and relevant risk;
  - describes the sufficiency of capital resources;
  - communicates the conclusions and action plans of the ORSA; and
  - complies with applicable law; and
- communicate the ORSA report appropriately, particularly to senior management and boards, in accordance with an organization’s governance structure.
3.11 Reliance on Another Party
When relying on another party and thereby disclaiming responsibility
- for data and other information relevant to the use of data, the actuary should refer to ASOP No. 23, Data Quality.
- for a model, the actuary should refer to ASOP No. 56, Modeling.
- for assumptions and methods prescribed by another party, the actuary should review the assumption or method for reasonableness and consistency to the extent practicable and appropriate within the scope of the actuary’s assignment.
- for assumptions and methods not prescribed by another party, or for any other item not addressed above, the actuary should review the item for reasonableness and consistency to the extent practicable and appropriate within the scope of the actuary’s assignment. In addition, the actuary should be reasonably satisfied that the reliance is appropriate, taking into account the following, as applicable:
  - when the other party is an actuary, whether the actuary knows that the other party is appropriately qualified and has followed applicable ASOPs;
  - whether the actuary knows that the other party has expertise in the applicable field;
  - whether the actuary knows the other party’s stated purpose for the item and the extent to which it is consistent with the actuary’s intended purpose; and
  - whether the actuary knows of differences of opinion within the other party’s field of expertise that are material to the actuary’s use of the item.
3.12 Documentation
The actuary should prepare and retain documentation to support compliance with the requirements of section 3 and the disclosure requirements of section 4. The actuary should prepare documentation in a form such that another actuary qualified in the same practice area could assess the reasonableness of the actuary’s work. The amount, form, and detail of such documentation should be based on the professional judgment of the actuary and may vary with the complexity and purpose of the actuarial services. In addition, the actuary should refer to ASOP No. 41 for guidance related to the retention of file material other than that which is to be disclosed under section 4.
Section 4. Communications and Disclosures
4.1 Required Disclosures in an Actuarial Report
When issuing an actuarial report to which this standard applies, the actuary should refer to ASOP Nos. 23, 41, and, if applicable, ASOP Nos. 55 and 56. In addition, the actuary should disclose the following in such actuarial reports, if applicable to the scope of the actuary’s assignment:
- the line(s) in which the actuary was working within the three lines and, if the actuary is working in the second or third line, any limitations on the independence of the actuary or the actuary’s work products (see section 3.1);
- the processes used to identify and classify risks, including emerging risks (see sections 3.2 and 3.3);
- any recommendations to develop or modify the risk appetite framework (see section 3.4);
- considerations important to conclusions reached when evaluating or recommending an organization’s risk mitigation strategy (see section 3.5);
- any recommendations to develop or modify risk metrics (see sections 3.6 and 3.6.1);
- results of internal capital assessments, their intended use, and any known limitations of the internal capital assessments (see section 3.7);
- a description of the stress(es) and scenario(s), assumptions, the results of the stress testing or scenario analysis and their intended use, any known limitations of the stress testing or scenario analysis, and any recommendations to modify the stress testing or scenario analysis (see sections 3.8.1 and 3.8.2);
- the role the actuary played in the design, preparation, or review of an ORSA and in drafting or signing an ORSA report (see sections 3.9 and 3.10); and
- the extent of any reliance on another party (see section 3.11).
An actuary who is a signatory to an ORSA report may satisfy the requirements of section 4.1 by including the required disclosures in the ORSA report.
4.2 Additional Disclosures in an Actuarial Report
The actuary also should include disclosures in accordance with ASOP No. 41 in an actuarial report for the following circumstances:
- if any material assumption or method was prescribed by applicable law;
- if the actuary states reliance on other sources and thereby disclaims responsibility for any material assumption or method selected by a party other than the actuary; and
- if in the actuary’s professional judgment, the actuary has deviated materially from the guidance of this ASOP.
4.3 Confidential Information
Nothing in this ASOP is intended to require the actuary to disclose confidential information.
Appendix 1
Background and Current Practices
Note: This appendix is provided for informational purposes and is not part of the standard of practice.
Background
Enterprise risk management (ERM) includes methods and processes by which organizations manage risk. One of the key objectives of ERM is to provide an enterprise risk management framework that supports an organization’s business objectives. The practice of ERM within an organization is important to stakeholders including shareholders, management, regulators, and rating agencies.
Current Practices
At its most fundamental level, ERM is a control cycle. Risks are identified, risks are evaluated, risk appetites are chosen, risk limits are set, risks are taken, risk mitigation activities are performed to prevent limit breaches, and actions are taken when limits are breached. Risks need to be re-evaluated periodically and after risk events as the risks may have changed or the mitigation may need refining for future events, and the entire process of identification, evaluation, etc. needs to be repeated. Risks are monitored and reported as they occur and for as long as they remain an exposure to the organization. This cycle can be applied to specific risks within a part of an organization or to an aggregation of all risks at the enterprise level.
More formalized ERM frameworks clarify the elements of risk governance, organize and prioritize identified risks, articulate risk appetite, and provide a process to measure and monitor risk. The ERM frameworks applied to the financial services and insurance industry also contain important elements focused on capital management and capital resiliency (for example, stress testing and scenario analysis).
Within the insurance industry, organizations describe the ERM process via the own risk and solvency assessment (ORSA) reporting process. ORSAs need to be appropriate for the applicable regulatory environment, as well as for the nature, scale, and complexity of an organization’s risks, and therefore ORSAs vary from one organization to the next.
Appendix 2
Comments on the Exposure Draft and Responses
The first exposure draft of proposed ASOP Enterprise Risk Management was issued in May 2023 with a comment deadline of September 15, 2023. Fifteen comment letters were received, some of which were submitted on behalf of multiple commentators, such as by firms or committees. For purposes of this appendix, the term “commentator” may refer to more than one person associated with a particular comment letter. The Enterprise Risk Management (ERM) Committee of the Actuarial Standards Board (ASB) carefully considered all comments received, and the ASB reviewed (and modified, where appropriate) the changes proposed by the ERM Committee.
Summarized here are the significant issues and questions contained in the comment letters and the responses. Minor wording or punctuation changes that are suggested but not significant are not reflected in the appendix, although they may have been adopted.
The term “reviewers” in appendix 2 includes the ERM Committee and the ASB. The section numbers and titles used in appendix 2 refer to those in the exposure draft, which are then cross referenced with those in the final standard.
Last Revised: September 2024
Document Status: Exposure Draft