Enterprise Risk Management
TO: Members of Actuarial Organizations Governed by the Standards of Practice of the Actuarial Standards Board and Other Persons Interested in Enterprise Risk Management
FROM: Actuarial Standards Board (ASB)
SUBJ: Proposed Replacement of Actuarial Standards of Practice (ASOPs) Nos. 46 and 47
This document contains the exposure draft of a proposed single ASOP titled Enterprise Risk Management to replace ASOP Nos. 46 and 47, Risk Evaluation in Enterprise Risk Management and Risk Treatment in Enterprise Risk Management, respectively. Please review this exposure draft and give the ASB the benefit of your comments and suggestions. Each written comment letter or email received by the comment deadline will receive consideration by the drafting committee and the ASB.
The ASB appreciates comments and suggestions on all areas of this proposed standard. The ASB requests comments be provided using the Comments Template that can be found here and submitted electronically to firstname.lastname@example.org. Include the phrase “ERM ASOP COMMENTS” in the subject line of your message. Also, please indicate in the template whether your comments are being submitted on your own behalf or on behalf of a company or organization.
The ASB posts all signed comments received on its website to encourage transparency and dialogue. Comments received after the deadline may not be considered. Anonymous comments will not be considered by the ASB nor posted on the website. Comments will be posted in the order that they are received. The ASB disclaims any responsibility for the content of the comments, which are solely the responsibility of those who submit them.
For more information on the exposure process, please see the ASB Procedures Manual.
Deadline for receipt of comments: September 15, 2023
History of the Standard
ASOP Nos. 46 and 47 were the first ASOPs applying specifically to actuaries performing actuarial services for the purposes of enterprise risk management (ERM). Both were adopted by the ASB in 2012, specifically ASOP No. 46 in September and ASOP No. 47 in December.
ASOP No. 55, Capital Adequacy Assessment, covering topics with strong connections to ERM, was adopted in June 2019 with an effective date of November 1, 2019.
ASOP Nos. 46 and 47 were prepared when ERM as a field of practice for actuaries was in fledgling form, with a relatively small number of actuaries having experience in the area. In the ten years since, actuarial practice in the field has evolved considerably, with many actuaries now working as risk practitioners and a number working in senior risk roles, including chief risk officer. Moreover, ERM nomenclature has also evolved.
Thus the ASB decided to revise ASOP Nos. 46 and 47 to reflect the developments of the past decade, to better reflect today’s ERM practices and terminology, and to align with ASOP No. 55.
Notable Changes from the Existing ASOPs
Early in the drafting process, the ASB decided that it would be more appropriate to have a single ASOP covering the overarching subject of “ERM framework.” ASOP No. 46 is primarily concerned with how risk is measured and monitored, while ASOP No. 47 is focused on risk appetite and the setting of limits, and how risks are managed. Because the activities covered by ASOP Nos. 46 and 47 are intertwined, the ASB drafted a single ASOP with the development and maintenance of an ERM framework as its core.
The proposed exposure draft contains many significant changes from the prior ASOPs, including a heavily revised set of definitions that better reflects current practice.
Other notable changes are summarized in the following.
- The proposed new ASOP covers activities in an order that reflects how organizations typically establish an ERM framework. Such a framework is then managed as a continuous process from the identification and classification of risks to risk appetite setting and mitigation. Because topics were split between two ASOPs, ASOP Nos. 46 and 47 did not reflect the holistic framework.
- The proposed new ASOP provides guidance on the following topics where ASOP Nos. 46 and 47 previously provided little or no guidance:
- governance over risk processes;
- risk identification;
- risk classification;
- considerations related to an organization’s own risk and solvency assessment.
Request for Comments
The ASB appreciates comments and suggestions on all areas of this proposed standard submitted through the Comments Template. Rationale and recommended wording for any suggested changes would be helpful.
In drafting the proposed standard, the ASB recognized that actuaries work in a variety of roles in and around ERM, in different organizations and consulting firms. Actuarial services may relate to one or several components of the ERM framework, but may not extend across the entire framework. In addition, organizations vary in the extent and maturity of their ERM. The proposed standard therefore cannot, for example, provide guidance directing an actuary to establish any item of ERM practice, even if such item is commonly used. The proposed standard generally qualifies the sections of guidance to be conditional on (a) relevance at the organization receiving actuarial services, and (b) whether the services fall within the actuary’s role and authority.
Therefore, the ASB would like to draw the reader’s attention to the following questions:
- Does the proposed standard cover all parts of ERM that may be relevant to actuaries practicing in the field of ERM? If not, please provide examples and explain.
- Is the guidance with the conditionality as described above—conditional on (a) and (b)—effective? If not, please propose an alternate approach.
- Subject to the conditionality in question 2 above:
- Is the proposed guidance appropriate and sufficient? If not, please explain and suggest language.
- Does the proposed standard contain any guidance that might be impractical to apply in practice? If so, please provide examples and explain.
The ERM Committee thanks Jamie Krieger for her valuable contributions to this exposure draft.
The ASB voted in March 2023 to approve this draft for exposure.
|Enterprise Risk Management Committee|
|David Paul, Chairperson|
|Derek D. Berget||Adam J. Lei|
|Anthony Dardis||Elisabetta Russo|
|William R. Jones|
|Actuarial Standards Board|
|Robert M. Damler, Chairperson|
|Elizabeth K. Brill||David E. Neve|
|Kevin M. Dyke||Christopher F. Noble|
|Laura A. Hanson||Judy K. Stromback|
|Richard A. Lassow||Patrick B. Woods|
The Actuarial Standards Board (ASB) sets standards for appropriate actuarial practice in the United States through the development and promulgation of Actuarial Standards of Practice (ASOPs). These ASOPs describe the procedures an actuary should follow when performing actuarial services and identify what the actuary should disclose when communicating the results of those services.
PROPOSED ACTUARIAL STANDARD OF PRACTICE
Enterprise Risk Management
Standard of Practice
Section 1: Purpose, Scope, Cross References, and Effective Date
This actuarial standard of practice (ASOP or standard) provides guidance to actuaries when performing actuarial services with respect to developing, maintaining, or reviewing all or part of an enterprise risk management (ERM) framework.
This standard applies to actuaries when performing actuarial services with respect to developing, maintaining, or reviewing all or part of an ERM framework. While ERM frameworks vary among different organizations, the following are common components:
- risk identification;
- risk classification;
- risk appetite;
- risk mitigation;
- risk metrics;
- capital management;
- stress testing and scenario analysis; and
- own risk and solvency assessment (ORSA).
If the actuary is performing actuarial services that involve developing or maintaining part of an ERM framework, the actuary should use the guidance in this ASOP to the extent practicable within the role and authority of the actuary.
If the actuary is performing actuarial services that involve reviewing all or part of an ERM framework, the actuary should use the guidance in this ASOP to the extent practicable within the scope of the review.
If a conflict exists between this standard and applicable law (statutes, regulations, and other legally binding authority), the actuary should comply with applicable law. If the actuary departs from the guidance set forth in this standard in order to comply with applicable law, or for any other reason the actuary deems appropriate, the actuary should refer to section 4.
1.3 Cross Reference
When this standard refers to the provisions of other documents, the reference includes the referenced documents as they may be amended or restated in the future, and any successor to them, by whatever name called. If any amended or restated document differs materially from the originally referenced document, the actuary should consider the guidance in this standard to the extent it is applicable and appropriate.
1.4 Effective Date
This standard is effective for actuarial services performed on or after four months after adoption by the Actuarial Standards Board.
Section 2: Definitions
The terms below are defined for use in this ASOP and appear in bold throughout the standard. The actuary should also refer to ASOP No. 1, Introductory Actuarial Standard of Practice, for definitions and discussions of common terms, which do not appear in bold in this standard.
2.1 Available Capital
The excess of assets over liabilities that is available to cover the required capital, calculated on a basis consistent with required capital.
2.2 Emerging Risk
New or evolving risks that may be difficult to identify, manage, or measure because they have not been experienced previously and therefore their likelihood, impact, timing, or interdependency with other risks are more uncertain.
2.3 Enterprise Risk Management Framework
The collection of processes by which the organization identifies, classifies, sets risk appetite for, mitigates, measures, and finances (with capital) its risk exposures.
Structures of an organization’s personnel, committees, and boards associated with management of the business that defines where authorities are held and the associated processes for decision-making and escalation.
Denotes multiple related companies, typically in an organization’s hierarchy of parents, subsidiaries, and affiliates. Components of an ERM framework may function differently at the company level or be unified across the whole group.
2.6 Internal Capital Assessment
A methodology used to calculate the additional assets necessary in excess of liabilities to withstand shocks based on an internal quantification of financial risk exposures using stochastic methods or deterministic proxies. An internal capital assessment may indicate capital levels that are higher or lower than levels specified by regulators or rating agencies.
The entity or entities to which the ERM framework applies. Examples include public or private companies (individual or a group), government entities, and associations, whether for profit or not for profit.
2.8 Own Risk and Solvency Assessment (ORSA)
An internal assessment of the adequacy of an organization’s risk management and current, and likely future, solvency position, including action plans produced from the assessment. ORSA is a widely recognized key component of the ERM frameworks of many insurance organizations. ORSA is a requirement in most insurance regulatory regimes globally, although in some regimes it is not mandated for certain organizations. Nevertheless, some organizations elect to perform non-mandated ORSAs.
2.9 ORSA Report
A report produced with the following objectives:
- to communicate the main outcomes, rationale, calculations, conclusions, and action plans of the ORSA to senior management and board level;
- to explain to insurance regulators how the ERM framework operates; and
- to outline to insurance regulators the results of the solvency assessment.
2.10 Required Capital
The minimum level of excess of assets over liabilities required by regulators, rating agencies, or internal assessments.
2.11 Risk Appetite
The levels of risks an organization is willing to take. Such risks may or may not be measurable financially. An organization may be willing to take on specified levels of an individual risk. For financially measurable risks, risk appetite may refer to individual risks or the level of aggregate risk that an organization is willing to take in pursuit of its objectives.
2.12 Risk Appetite Framework
A methodology used to identify, measure, and place limits on risks an organization is willing to take. The risk appetite framework may contain risk appetite statements, measurement of risks, setting and monitoring of risk appetite limits, and the governance associated with risk appetite.
2.13 Risk Appetite Limit
The level that a risk measure should not exceed for the organization to remain within the intended level of risk-taking. Risk appetite limits may be applied at an aggregate level or specifically to a risk type. They may also operate at the company level within a group.
2.14 Risk Appetite Statement
A statement by the management of an organization (or a part of an organization) of how much risk, of different risk types and also overall, that the organization is willing to take. There may be several risk appetite statements pertaining to individual risks or a single statement across an organization.
2.15 Risk Inventory
A regularly updated register of the risks to which an organization is exposed. Also commonly referred to as a risk register.
2.16 Risk Taxonomy
A tiered structure with broad risk classifications at the top and more narrowly defined classifications further down. Risk inventories typically use taxonomy to index their risks.
2.17 Scenario Analysis
A process for assessing the impact of one possible event or several simultaneously or sequentially occurring possible events. Scenario analysis may include a narrative description (non-financial) or numerical or financial calculations.
2.18 Stress Testing
A scenario analysis that measures the impact of adverse changes affecting an organization’s financial position.
2.19 Three Lines of Defense
A common model for governance of an organization’s ERM framework. The “first line” refers to business and process owners within the organization. The “second line” identifies where there is separate oversight of risk-taking activities, with some independence from the first line. The “third line” is the role undertaken by auditors, which includes reviewing the effectiveness of the second line and the ERM framework.
Section 3: Analysis of Issues and Recommended Practices
When performing actuarial services related to an ERM framework, the actuary should understand how their roles and deliverables fit into the governance framework. If an organization uses the three lines of defense model, the actuary should understand which line(s) of defense their activities fall under and, if in the second line, should understand the extent of the independence they have from the first line. An actuary working in risk management will often be in the second line. However, the actuary may work in both first and second lines.
3.2 Risk Identification
When performing actuarial services related to risk identification, the actuary should consider the following:
- risks in relation to the objectives of the organization;
- understand how the organization defines risk, which depends upon a number of factors, such as business profile, ownership structure, and regulatory jurisdiction;
- the potential impact of risks across different time horizons; and
- risks through multiple financial and non-financial lenses.
When performing actuarial services related to the identification of emerging risks, the actuary should also take into account the interactions with other risks previously identified and whether these risks represent new threats to the organization.
3.3 Risk Classification
When performing actuarial services related to risk classification, the actuary should use a risk inventory and prioritize risks on the basis of 1) management’s assessment of the importance of a risk to the organization’s business objectives, and 2) the financial and operational significance of the risk. The actuary should take into account any risk taxonomy, if established by the organization, for purposes of classification of risks into the inventory.
For any given risk, the actuary should take into account the following:
- the organization’s attitude to the risk, such as risk avoiding, risk taking, or risk neutral;
- the impact of the risk on the organization’s business objectives;
- the impact of the risk across different time horizons;
- any existing classifications or assessments, which may already be articulated within the organization;
- capital implications of the risk; and
- classification of risk exposures by other parties, such as internal or external auditors.
3.4 Risk Appetite Framework
The risk appetite framework may include quantitative or qualitative components.
3.4.1 Quantitiative Components of Risk Appetite Framework
When performing actuarial services related to the quantitative components of the risk appetite framework, the actuary should confirm that the following exist and are appropriate:
- risk metrics for each risk identified in the risk appetite;
- risk appetite limits that represent the level of risk the organization is willing to take;
- risk appetite limits that constrain individual risks and the aggregation of risks at or below levels supported by the organization’s available capital;
- risk appetite triggers that serve as early warning indicators that a risk metric is approaching its respective risk appetite limit at levels sufficient to allow management time for risk mitigation strategies; and
- governance roles around the organization related to setting quantitative risk appetite limits and triggers, monitoring risk metrics, and including authority levels to respond to limit breaches.
To the extent these items do not exist or are inappropriate, the actuary should recommend they be developed or modified.
3.4.2 Qualitative Components of Risk Appetite Framework
When performing actuarial services related to qualitative components of the risk appetite framework, the actuary should confirm that the following exist and are appropriate:
- qualitative risk appetite limits related to the level of risk the organization is willing to take (for example, an organization stating absolute unwillingness to take certain types of risks); and
- governance roles around the organization related to setting qualitative risk appetite limits, including authority levels to respond to limit breaches.
To the extent these items do not exist or are inappropriate, the actuary should recommend they be developed or modified.
3.5 Risk Mitigation
When performing actuarial services related to risk mitigation, the actuary should test the proposed risk mitigation activities using scenario analysis to confirm that the mitigation program has the intended effects. The actuary should take into account the following:
- the extent to which the risk mitigation activity impacts the severity or frequency of an event and the length of time it takes to realize the impact;
- the extent to which the proposed risk mitigation activity, targeting specific sets of risks, reduces the total risk faced by the organization;
- the extent to which the proposed risk mitigation activity transforms the risks less tolerated by the organization into other risks the organization is more willing to manage;
- cost of the risk mitigation activity; and
- regulatory considerations.
When modeling the effects of risk mitigation activities, the actuary should model such activities with appropriate granularity.
3.6 Risk Metrics
When performing actuarial services related to risk metrics, the actuary should confirm the following:
- risk metrics align with the organization’s strategic and business goals;
- risk metrics align with business and risk drivers both at an organizational level and within specific business units, if applicable;
- risk metrics measure the level of risk exposure before and after risk mitigation (i.e., inherent risk and residual risk), if applicable;
- risk metrics align with the organization’s risk appetite; and
- risk metrics cover all the risks that have been identified and classified by the organization.
To the extent that risk metrics do not reflect (a)-(e), the actuary should recommend they be developed or modified.
3.6.1 Developing or Modifying Risk Metrics
When performing actuarial services related to developing or modifying risk metrics, the actuary should take into account the following:
- the frequency and severity of the risk:
- the extent to which the risk metric is qualitative or quantitative;
- the time horizon for which the risk metric is applicable;
- the confidence levels intended, if applicable;
- whether the risk metric is a leading or lagging indicator;
- the extent to which prior experience is used and how future trends may impact the risk metric; and
- any regulatory constraints associated with the risk metric and whether they are expected to change. If necessary, the actuary should adjust the types (such as earnings-at-risk or capital-at-risk) and characteristics (such as quantitative vs. qualitative, time horizon, confidence interval, statistical properties, etc.) of the risk metrics to ensure consistency with regulatory requirements.
3.7 Internal Capital Assessment
When performing actuarial services related to an internal capital assessment that is a part of an ERM framework, the actuary should confirm, to the extent applicable, that the internal capital assessment
- reflects the way the organization manages its business and capital, given the nature of the risks of the business;
- is calibrated at appropriate confidence levels, if management monitors the organizations’s capital at certain stress levels;
- includes a diversification credit from the aggregation of risks making suitable adjustments for correlations of risks;
- has considered the fungibility of assets accessible as available capital in different parts of an organization, including restrictions that may exist between regulated affiliates; and
- has considered the quality of available assets and any conditionality of debt to fulfill the organization’s obligations.
To the extent the internal capital assessment does not reflect (a)-(e), the actuary should recommend modifications.
3.8 Stress Testing and Scenario Analysis
Stress testing and scenario analysis is used to test an organization’s resiliency, set or adjust risk appetite limits, or test the processes by which an organization manages capital and liquidity.
3.8.1 Resiliency Testing
When performing actuarial services for an organization performing stress testing and scenario analysis to test the resiliency of an organization against one or more risks, the actuary should confirm that the stress testing and scenario analysis takes into account the following:
- business objectives and how they are disrupted under stress(es) or scenario(s);
- the mitigating actions available to the organization if the adverse situation were to occur;
- potential obstructions to the mitigating actions; and
- correlations and tail dependencies between risks, if appropriate.
To the extent the stress testing and scenario analysis does not reflect (a)-(d), the actuary should recommend modifications.
3.8.2 Risk Appetite Limits
When performing actuarial services for an organization performing stress testing and scenario analysis related to risk appetite limits, the actuary should refer to section 3.8.1 and should confirm that the risk appetite limits
- are appropriate for the organization to continue to meet its objectives under the stresses or scenarios that are tested;
- have been tested by stress(es) or scenarios that are at appropriate levels of severity (often expressed by an organization in terms of confidence levels); and
- have been tested by stresses or scenarios that include an appropriate range of risk drivers, which may include external drivers, such as macro-economic factors, as well as internal drivers specific to an organization.
To the extent the stresses and scenarios do not reflect (a)-(c), the actuary should recommend modifications.
3.8.3 Testing Target Levels for Capital or Liquidity
When performing actuarial services for an organization performing stress testing and scenario analysis in relation to capital and liquidity, the actuary should refer to sections 3.8.1 and 3.8.2. The actuary should also refer to ASOP No. 55, Capital Adequacy Assessment.
When performing actuarial services for an organization performing stress testing or scenario analysis in a manner prescribed by rating agencies or regulators, the actuary should align the stress(es) with those prescribed.
3.9 Own Risk and Solvency Assessment (ORSA)
When performing actuarial services related to an ORSA, the actuary should confirm, to the extent practical, that the ORSA includes basic components in line with general risk management concepts for ORSA and any applicable regulatory requirements.
When acting as signatory of an ORSA report to an insurance regulator, the actuary should:
- complete all appropriate risk assessments, or rely on assessments made by others, to support attestations made as the signatory;
- complete all appropriate capital and solvency assessments, or rely on assessments made by others, to support attestations made as the signatory;
- disclose, in the ORSA report or elsewhere, how the attestations in (a) and (b) are supported;
- communicate ORSA outputs and the ORSA report appropriately, particularly to senior leadership and the board, in accordance with an organization’s governance structure.
3.10 Reliance on Data or Other Information Supplied by Others
When relying on data or other information supplied by others, the actuary should refer to ASOP No. 23, Data Quality, ASOP No. 41, Actuarial Communications, and ASOP No. 56, Modeling, for guidance.
3.11 Reliance on Another Actuary
The actuary may rely on another actuary who has performed actuarial services related to aspects of the ERM framework. However, the relying actuary should be reasonably satisfied that the other actuary is qualified to perform the actuarial service and that it was performed in accordance with this ASOP and any other applicable ASOPs.
3.12 Reliance on Expertise of Others
An actuary performing actuarial services in relation to the ERM framework may rely on the expertise of others (including actuaries not performing actuarial services). In determining the appropriate level of such reliance, the actuary should take into account the following:
- whether the individual or individuals upon whom the actuary is relying has expertise in the applicable field; and
- the extent to which the assessment from the other party has been reviewed or opined on by others with expertise in the applicable field.
The actuary should prepare and retain documentation to support compliance with the requirements of section 3 and the disclosure requirements of section 4. The actuary should prepare documentation in a form such that another actuary qualified in the same practice area could assess the reasonableness of the actuary’s work. The degree of such documentation should be based on the professional judgment of the actuary and may vary with the complexity and purpose of the actuarial services. In addition, the actuary should refer to ASOP No. 41 for guidance related to the retention of file material other than that which is to be disclosed under section 4.
Section 4: Communications and Disclosures
4.1 Required Disclosures in an Actuarial Report
For the purpose of this section, an ORSA report is not considered an actuarial report. When issuing an actuarial report to which this standard applies, the actuary should refer to ASOP Nos. 23, 41, and, if applicable, ASOP Nos. 55 and 56. In addition, the actuary should disclose the following in such actuarial reports, if applicable to the scope of the actuary’s assignment:
- the line in which the actuary was working within the three lines of defense, including if the actuary was working in more than one line, and, if the actuary is working in the second line, any limitations on the independence of the actuary or the actuary’s work products (see section 3.1);
- the processes used to identify and classify risks, including emerging risks (see sections 3.2 and 3.3);
- any recommendations to develop or modify qualitative or quantitative components of the risk appetite framework (see section 3.4.1 and 3.4.2);
- considerations important to conclusions reached when evaluating or recommending an organization’s risk mitigation strategy (see section 3.5);
- any recommendations to develop or modify risk metrics (see sections 3.6 and 3.6.1);
- results of internal capital assessments, their intended use, and any known limitations of the internal capital assessments (see section 3.7);
- a description of the stress(es) and scenario(s), assumptions, the results of the stress testing and scenario analysis and their intended use, any known limitations of the stress testing and scenario analysis, and any recommendations to modify the stress testing and scenario analysis (see section 3.8.1 and 3.8.2);
- the role the actuary played in the design, preparation, or review of an ORSA and in drafting or signatory to ORSA report, as applicable (see section 3.9); and
- the extent of any reliance on data or information supplied by others, on another actuary, or on the expertise of others (see sections 3.10, 3.11, and 3.12).
4.2 Additional Disclosures in an Actuarial Report
The actuary also should include disclosures in accordance with ASOP No. 41 in an actuarial report for the following circumstances:
- any such assumption that significantly conflicts with what, in the actuary’s professional judgment, is reasonable for the purpose of the measurement (section 3.20); or
- any such assumption that the actuary is unable to assess for reasonableness for the purpose of the measurement (section 3.20).
4.3 Additional Disclosures
The actuary should also include the following, as applicable, in an actuarial report:
- if any material assumption or method was prescribed by applicable law;
- if the actuary states reliance on other sources and thereby disclaims responsibility for any material assumption or method selected by a party other than the actuary; and
- if in the actuary’s professional judgment, the actuary has deviated materially from the guidance of this ASOP.
4.4 Confidential Information
Nothing in this ASOP is intended to require the actuary to disclose confidential information.
Background and Current Practices
Note: This appendix is provided for informational purposes and is not part of the standard of practice.
More formalized ERM frameworks clarify the elements of risk governance, organize and prioritize identified risks, articulate risk appetite, and provide a process to measure and monitor risk. The ERM frameworks applied to the financial services and insurance industry also contain important elements focused on capital management and capital resiliency (for example, stress testing and scenario analysis).
Within the insurance industry, organizations describe the ERM process via the own risk and solvency assessment (ORSA) reporting process. ORSAs need to be appropriate for the applicable regulatory environment, as well as for the nature, scale, and complexity of an organization’s risks, and therefore ORSAs vary from one organization to the next.