Proposed Actuarial Standard of Practice
Risk Treatment in Enterprise Risk Management
STANDARD OF PRACTICE
TO: Members of Actuarial Organizations Governed by the Standards of Practice of the Actuarial Standards Board and Other Persons Interested in Risk Treatment in Enterprise Risk Management
FROM: Actuarial Standards Board (ASB)
SUBJ: Proposed Actuarial Standard of Practice (ASOP)
This document is an exposure draft of a proposed ASOP, Risk Treatment in Enterprise Risk Management.
Please review this exposure draft and give the ASB the benefit of your comments and suggestions. Each written response and each response sent by e-mail to the address below will be acknowledged, and all responses will receive appropriate consideration by the drafting committee in preparing the final document for approval by the ASB.
The ASB accepts comments by either electronic or conventional mail. The preferred form is e-mail, as it eases the task of grouping comments by section. However, please feel free to use either form. If you wish to use e-mail, please send a message to firstname.lastname@example.org. You may include your comments either in the body of the message or as an attachment prepared in any commonly used word processing format. Please do not password-protect any attachments. Include the phrase “ASB COMMENTS” in the subject line of your message. Please note: Any message not containing this exact phrase in the subject line will be deleted by our system’s spam filter.
If you wish to use conventional mail, please send comments to the following address:
Risk Treatment in Enterprise Risk Management
Actuarial Standards Board
1850 M Street, NW, Suite 300
Washington, DC 20036
The ASB posts all signed comments received to its website to facilitate transparency and dialogue. Anonymous comments will not be considered by the ASB nor posted to the website. The comments will not be edited, amended, or truncated in any way. Comments will be posted in the order that they are received. Comments will be removed when final action on a proposed standard is taken. The ASB website is a public website and all comments will be available to the general public. The ASB disclaims any responsibility for the content of the comments, which are solely the responsibility of those who submit them.
Deadline for receipt of responses in the ASB office: September 10, 2012
Enterprise Risk Management (ERM) was defined by the Casualty Actuarial Society in 2003 as follows:
The discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.
This definition was also adopted by the Society of Actuaries in 2005.
Enterprise Risk Management is a rapidly emerging specialty within the actuarial community and, with the new Chartered Enterprise Risk Analyst (CERA) risk management educational certification, it could well become an area of practice for actuaries with no tie to traditional actuarial work. The CERA is a globally recognized ERM designation supported by actuarial organizations in 12 countries with rigorous educational programs. In addition, the 2008 financial crisis makes it desirable for a group with strong professional standards to take a leading role in the future development of risk management throughout the economy. Currently, no group has specific professional standards for enterprise risk management work performed by individuals. Other organizations may also be considering or have started developing standards for ERM work.
The ERM Task Force was formed in the fall of 2009 to revisit the need for ERM standards that were previously addressed by an earlier task force in 2007. In June 2010, the Task Force presented findings to the ASB and was then asked to go forward with the development of standards for two broad topics relating to ERM: Risk Evaluation and Risk Treatment.
In March of 2011, discussion drafts on two topics, risk evaluation and risk treatment, were posted to the ASB website. The ERM Task Force reviewed the comments received and, based on those comments, began work on the development of exposure drafts of standards on risk evaluation and risk treatment for presentation to the ASB.
This ASOP, Risk Treatment in Enterprise Risk Management, considers the topic of risk treatment, which is the process of selecting and implementing actions to modify risks. The process of risk treatment is a fundamental part of risk management systems that are found in organizations. In this context, risk is intended to mean the potential of future losses or shortfalls from expectations due to deviation of actual results from expected results.
This standard is proposed to apply to enterprise risk treatment activities performed by actuaries. Some organizations will face requirements and requests for assessment of the risk treatment part of the risk management system in order to evaluate whether their risk management systems are operating at a level that meets or exceeds professional standards. Regulators in some industries may want similar evaluations.
This standard, along with the previously exposed standard Risk Evaluation in Enterprise Risk Management, is intended to cover the risk evaluation and risk treatment activities within risk management work but does not cover other ERM practices that are performed by insurers, pension plans, other financial service firms, and other businesses or organizations. These two topics were chosen because they cover the most common actuarial services performed within risk management systems of organizations. In the future, other standards may provide guidance for other aspects of actuarial professional services in ERM.
These standards, as with all standards of practice, apply to the actions of individual actuaries and not to their organizations, employers, or clients.
To improve consistency, the ASB may make further modifications to the proposed ERM ASOPs based on comments received regarding either of these exposure drafts. Also, please note that the task force has refined the definition of “enterprise risk management control cycle” in section 2.4 and intends to incorporate this refined definition into the final Risk Evaluation in Enterprise Risk Management ASOP.
Request for Comments
The task force would appreciate comments on all areas of this proposed ASOP and would like to draw the readers’ attention to the following questions in particular:
1. Does the proposed standard provide sufficient guidance to actuaries performing risk treatment work within risk management systems?
2. Is the proposed standard sufficiently flexible to allow for new developments in this newer area of actuarial endeavor?
3. When actuaries are performing ERM services at various levels in or for an organization, this standard indicates that the actuary may rely upon others who may or may not be actuaries for some of the important considerations for risk treatment. Is that a viable approach to ensuring that those considerations are a part of all risk treatment work? Does the proposed standard provide effective and actionable guidance for actuaries when performing risk treatment work alongside non-actuaries?
4. The scope for this standard was set with the intention that it would apply to ERM work and not be so broad that it might apply to any actuarial professional services that include any consideration of risk. Is the scope as stated in the standard sufficiently clear in that regard?
The ASB voted in June 2012 to approve this exposure draft.
Enterprise Risk Management Task Force
David N. Ingram, Chairperson
Maryellen J. Coggins
Eugene C. Connell
Wayne H. Fisher
Claus S. Metzner
David Y. Rogers
Max J. Rudolph
David K. Sandberg
John W. C. Stark
Actuarial Standards Board
Robert G. Meilander, Chairperson
Albert J. Beer
Alan D. Ford
Patrick J. Grannan
Stephen G. Kellison
Thomas D. Levy
Patricia E. Matson
James J. Murphy
James F. Verlautz
The ASB establishes and improves standards of actuarial practice. These ASOPs identify what the actuary should consider, document, and disclose when performing an actuarial assignment. The ASB’s goal is to set standards for appropriate practice for the U.S.
Section 1. Purpose, Scope, Cross References, and Effective Date
1.1 Purpose
This actuarial standard of practice (ASOP) provides guidance to actuaries when performing professional services with respect to risk treatment systems, including designing, implementing, using, and reviewing those systems.
1.2 Scope
This standard applies to actuaries when performing professional services with respect to risk treatment for the purposes of enterprise risk management (ERM).
Risk treatment is often performed as part of an ERM control cycle. A typical ERM control cycle includes risk identification, risk evaluation, risk taking, risk treatment, and governance.
This standard provides guidance on risk treatment. For purposes of this standard, risk treatment includes choosing risk appetites, determining risk tolerance, setting risk limits, and performing risk mitigation activities. Guidance for activities related to risk evaluation is addressed in the proposed ASOP, Risk Evaluation in Enterprise Risk Management.
This standard does not apply to actuaries when performing professional services with respect to risk treatment that are not for the purposes of ERM. Examples of risk treatment services that may be performed for purposes other than ERM include designing a health insurance program and executing a product specific reinsurance or hedging program.
If the actuary departs from the guidance set forth in this standard in order to comply with applicable law (statutes, regulations, and other legally binding authority), or for any other reason the actuary deems appropriate, the actuary should refer to section 4.
1.3 Cross References
When this standard refers to the provisions of other documents, the reference includes the referenced documents as they may be amended or restated in the future, and any successor to them, by whatever name called. If any amended or restated document differs materially from the originally referenced document, the actuary should consider the guidance in this standard to the extent it is applicable and appropriate.
1.4 Effective Date
This standard is effective for work performed on or after four months after adoption by the Actuarial Standards Board.
Section 2. Definitions
The terms below are defined for use in this actuarial standard of practice.
2.1 Basis Risk
The residual risk that results from an imperfect risk offset or transfer process. For example, basis risk may arise from a hedge that pays off based upon an index while the exposure is an investment in a managed selection of individual stocks, or from a capital market hedge based upon industry-wide losses used to offset an insurer’s specific storm exposure.
2.2 Counterparty Risk
The risk that the party providing a risk offset or accepting a risk transfer does not fulfill its obligations.
2.3 Enterprise Risk Management
The discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.
2.4 Enterprise Risk Management Control Cycle
The continuing process by which risks are identified, risks are evaluated, risks are taken, and risks are treated (e.g. risk appetites are chosen, risk limits are set, risk mitigation activities are performed to prevent limit breaches, and actions are taken when limits are breached). Risks are monitored and reported as they are taken and as long as they remain an exposure to the organization.
2.5 Organization
The entity for which ERM is being performed. Examples include public or private companies, government entities, and associations, whether for profit or not for profit.
2.6 Risk
The potential of future losses or shortfalls from expectations due to deviation of actual results from expected results.
2.7 Risk Appetite
The level of aggregate risk that an organization chooses to take in pursuit of its objectives.
2.8 Risk Limit
A threshold used to monitor the actual risk exposure of a specific unit or units of the organization to ensure that the level of aggregate risk remains within the risk tolerance.
2.9 Risk Management System
A combination of practices, tools and methodologies that an organization uses to identify, assess, measure, mitigate, and manage the risks it faces during the course of conducting its business.
2.10 Risk Mitigation
Action that reduces the frequency or severity of a risk.
2.11 Risk Tolerance
The aggregate risk-taking capacity of an organization.
Section 3. Analysis of Issues and Recommended Practices
3.1 Risk Treatment
An actuary may be called upon to perform many risk treatment activities. Models can be used to provide support for risk treatment decisions, for example, the setting of specific risk tolerance or the selection of a risk mitigation strategy. In performing services related to risk appetite, risk tolerance, risk limits, and risk mitigation, the actuary should consider, or may rely on others who have considered, the following:
a. information about the financial strength and risk context of the organization that is appropriate to the actuary’s assignment. Such information may include the following:
1. the current and potential future financial strength of the organization;
2. the organization’s risk profile, and the nature, scale, and complexity of the risks faced by the organization;
3. the current and long-term risk environments. The actuary may rely on management’s opinions of the risk environment, may form an independent opinion of the risk environment, may rely on a third party’s evaluation of the risk environment, or may imply a risk environment from current conditions (such as market prices and political climate, among others);
4. the organization’s strategic goals, including the level and volatility of profits, both short term and long term;
5. the interests, including the risk/reward expectations, of the relevant stakeholders. These stakeholders may include some or all of the following: the owners, the board of directors, the management, the customers, the partners, the employees, and others potentially impacted by the organization’s management of risk;
6. regulatory or rating agency criteria for risk levels and the implications of potential risk levels on the continuation of business operations as reflected in ratings or other external measures of security;
7. the degree to which the organization’s different risks interact with one another, actual and perceived diversification benefits, and dependencies or correlations of the different risks;
8. limitations to the fungibility of capital across the organization; and
9. the extent to which the organization’s exposure to risks may differ from its competition.
b. information about the organization’s own risk management system as appropriate to the actuary’s assignment. Such information may include the following:
1. the risk tolerance of the organization;
2. the risk appetite of the organization. This may be explicit or inferred from objectives of the organization including those related to solvency, market confidence, earnings expectations, or other non-financial objectives;
3. the components of the organization’s enterprise risk management control cycle;
4. the actual and potential future variability of the costs and benefits of risk mitigation;
5. the knowledge and experience of the management and the board of directors regarding risk assessment and risk management; and
6. the actual execution of the organization’s enterprise risk management control cycle, including how unexpected outcomes are acted upon.
c. the intended purpose and uses of the actuarial work product.
3.2 Risk Treatment Models
An actuary may use models to provide support for risk treatment decisions and activities. Such models are usually risk evaluation models and, as such, the actuary designing or implementing models for risk treatment purposes should refer to the proposed ASOP Risk Evaluation in Enterprise Risk Management.
3.3 Risk Appetite, Risk Tolerance, and Risk Limits
An actuary may be called upon to review or recommend an organization’s risk appetite, risk tolerance, or risk limits, or may be involved in designing, operating, or using a system to monitor risks relative to the organization’s risk appetite, risk tolerance, or risk limits.
In performing services related to risk appetite, risk tolerance, or risk limits, as appropriate to the actuary’s assignment, the actuary should consider, or may rely on others who have considered, the following:
a. the financial and non-financial benefits in the aggregate derived from all planned, risk-taking activities;
b. the financial and non-financial benefits associated with each planned, risk-taking activity;
c. the degree of concentration of the risks of the organization;
d. the opportunities available to mitigate breaches of risk limits and risk tolerance, as well as the cost and effectiveness of such mitigation strategies;
e. regulatory or accounting constraints that may affect the risk environment;
f. the relationships between the risk appetite, risk tolerance, and risk limits; and
g. the historical volatility of the organization’s results in the context of its current risk profile.
3.4 Risk Mitigation
An actuary may be called upon to review or recommend an organization’s risk mitigation strategy, or may be involved in designing or using processes to mitigate risks relative to the organization’s risk appetite, risk tolerance, and risk limits.
In performing services related to risk mitigation, the actuary should consider, or may rely on others who have considered, the following:
a. information relating to qualitative aspects of the organization as appropriate to the actuary’s assignment. Such information may include the following:
1. the resilience of the organization under duress caused by common fluctuations in experience as well as from extreme adverse conditions;
2. the operational capabilities of the organization needed to implement the risk mitigation strategy; and
3. the potential risk to the organization’s reputation as a result of the risk mitigation strategy.
b. information relating to the potential effectiveness of or constraints upon risk mitigation activities as appropriate to the actuary’s assignment. Such information may include the following:
1. the availability of risk mitigation instruments both in the current and future environments;
2. the counterparty credit risk inherent in the risk mitigation instruments and the organization’s ability to monitor and mitigate the counterparty risk over time;
3. the nature and degree of the basis risk that is inherent in the risk mitigation instruments;
4. the degree of confidence that the risk mitigation process can be maintained or repeated over time;
5. the availability of data on current and potential future risk positions, before and after mitigation;
6. the accounting and regulatory treatment of the gross risk positions related to risk mitigation; and
7. the granularity of modeling needed to capture the effects of the risk mitigation processes as well as the practicalities of achieving that granularity.
3.5 Reliance on Data or Other Information Supplied by Others
When relying on data or other information supplied by others, the actuary should refer to ASOP No. 23, Data Quality, and ASOP No. 41, Actuarial Communications, for guidance.
The actuary should prepare and retain documentation in compliance with the requirements of ASOP No. 41. The actuary should also prepare and retain documentation to demonstrate compliance with the disclosure requirements of section 4.
Section 4. Communications and Disclosures
4.1 Actuarial Communication
When issuing an actuarial communication subject to this standard, the actuary should consider the intended purpose or use of the risk treatment activities and refer to ASOP Nos. 23 and 41, and, if applicable, ASOP No. 38, Using Models Outside the Actuary’s Area of Expertise (Property and Casualty). In particular, consistent with the intended use or purpose, the actuary should disclose the following:
4.1.1 Changes in System/Process
The actuary should disclose any material changes in the system, process, methodology, or assumptions from those previously used for the same type of risk treatment activity. The general effects of any such changes should be disclosed in words or by numerical data, as appropriate.
The actuary should disclose the significant assumptions used in the risk treatment activity such as accounting constructs, economic values, and stand-alone or portfolio views of risk. The actuary should disclose the different target criteria underlying the risk treatment activity (solvency, regulatory standards, earnings volatility, reputation damage, etc.). The actuary should disclose any other significant assumptions used in the analysis, including anticipated future actions by management to manage or mitigate risks identified by the actuary.
4.2 Deviation from Guidance in the Standard
If the actuary departs from the guidance set forth in this standard, the actuary should include the following where applicable:
a. the disclosure in ASOP No. 41, section 4.2, if any material assumption or method was prescribed by applicable law (statutes, regulations, and other legally binding authority);
b. the disclosure in ASOP No. 41, section 4.3, if the actuary states reliance on other sources and thereby disclaims responsibility for any material assumption or method selected by a party other than the actuary; and
c. the disclosure in ASOP No. 41, section 4.4, if, in the actuary’s professional judgment, the actuary has otherwise deviated materially from the guidance of this ASOP.
Appendix - Background and Current Practices
Note: This appendix is provided for informational purposes, but is not part of the standard of practice.
Enterprise Risk Management (ERM) has been a developing area of practice for actuaries for over 10 years. In 2001, the Casualty Actuarial Society Advisory Committee on Enterprise Risk Management produced a report that recommended areas of research and education that were needed by actuaries entering this emerging field. In 2002, the Society of Actuaries formed a Risk Management Task Force that wrote guides to Economic Capital and Enterprise Risk Management practice as well as initiating several research projects. In 2004, the task force evolved into a new Risk Management Section of the Society of Actuaries and became the first and largest joint activity in 2005 when it became the Joint Risk Management Section co-sponsored by the SOA, CAS and CIA.
The Joint Risk Management Section has been tightly linked with an annual ERM Symposium event that started as a joint activity of the SOA, CAS, and PRMIA, a non-actuarial risk management organization. The Joint Risk Management Section now has approximately 2,500 members, which would be almost 15 percent of all Academy members (if all of the members of the section were Academy members).
Enterprise Risk Management is also becoming a standard practice of many organizations that employ actuaries and its use has been steadily spreading. Poor ERM practice has been blamed by many for some or all of the ills of the Global Financial Crisis. The G20 heads of state have called for significant improvements to risk management practices in the financial sector and have charged the Financial Stability Board and the International Monetary Fund to take steps to promote and sometimes require better risk management practices from financial sector firms. The International Association of Insurance Supervisors has responded to that by promulgating an Insurance Core Principle paper on Enterprise Risk Management requiring insurance regulators to promote ERM practice and self-assessment of solvency needs by insurers globally. The National Association of Insurance Commissioners has developed a new requirement for an Own Risk and Solvency Assessment process that includes an assessment of risk management practices for larger insurers and the New York State Insurance Department has recently (December 2011) published a requirement that all insurers domiciled in the state must adopt an Enterprise Risk Management regime.
At the most fundamental level, Enterprise Risk Management can be understood as a control cycle. Within a typical risk management control cycle, risks are identified, risks are evaluated, risks are taken, and risks are treated (e.g. risk appetites are chosen, risk limits are set, risk mitigation activities are performed to prevent limit breaches, and actions are taken when limits are breached). Risks are monitored and reported as they are taken and as long as they remain an exposure to the organization. This cycle can be applied to specific risks within a part of an organization or to an aggregation of all risks at the enterprise level.
Risk treatment has long been a part of actuarial practice. Actuaries have provided analytical support and guidance in the development of informal or implicit risk appetites long before that phrase was in wide usage. For decades, actuaries have been providing support and guidance for decisions involving risk mitigation activities such as reinsurance, asset liability management and, more recently, hedging within risk treatment programs. Risk treatment is a key activity of the new ERM practice. Actuaries are taking more prominent roles in the development of articulated risk appetite, tolerance and limits as well as becoming more intimately involved in risk mitigation activities. The risk evaluation activities of actuaries in all of these situations are the subject of another standard, Risk Evaluation in Enterprise Risk Management.
Actuaries perform analyses and make recommendations and decisions about the risk appetite, risk tolerance, and risk limits of organizations and, in addition, actuaries are called upon to review and give independent opinions regarding that work. Organizations then use the risk limits to guide the operation of the control cycle.
The control cycle within an ERM system may have the following elements:
1. Risk Identification
2. Risk Evaluation
   a. Assess starting point
      i. Evaluate retained risks from prior and ongoing activities
      ii. Evaluate capacity to tolerate losses
   b. Evaluate plans
      i. Evaluate expected return, volatility, extreme loss potential and correlation with other plans
3. Risk Taking
   a. Review risk acceptance plan
   b. Choose types and amounts of risks to accept and which to avoid
   c. Implement plans
4. Risk Treatment
   Risk treatment is intertwined with risk taking. The risk treatment activities may be performed in advance of, concurrent with, or after risk taking activities.
   a. Set, modify, or confirm risk appetite and risk tolerance
   b. Review and approve proposed risk treatment
      i. Approve risk mitigation plans to transfer, offset, or modify risks that are accepted
      ii. Set risk limits
   c. Perform risk mitigation as proposed
5. Risk Governance
   a. Monitor risk positions
      i. Total risks accepted and residual risks
   b. Adapt to variations from plan
      i. React to breaches of limits
6. Risk Reporting
7. Restart Cycle
Actuaries manage and assist with managing these control cycles for individual risks including insurance risk, equity risk, credit risk, interest rate risk, operational risk, and liquidity risk. Within those control cycles, actuaries often use tools and processes such as reinsurance, hedging, and duration/convexity matching as well as the more general risk mitigation processes such as underwriting and risk selection, risk avoidance, and reinsurance. In many organizations, actuaries are not the only risk managers. Actuaries might be a part of a multi-disciplinary team or may be managing one risk while another team made up of non-actuaries manages other risks.
At the enterprise level, actuaries often participate with top management of the organization to manage the control cycle for the aggregate risk of the organization focusing on the relationship between the actual risk profile of the organization, and the risk appetite and risk tolerance. In addition, strategic risk will be managed at this level along with reputational risk. In almost all cases, actuaries work with non-actuarial management on the management of these enterprise level risks.