Actuarial Standard of Practice No. 47
Risk Treatment in Enterprise Risk Management
STANDARD OF PRACTICE
TO: Members of Actuarial Organizations Governed by the Standards of Practice of the Actuarial Standards Board and Other Persons Interested in Risk Treatment in Enterprise Risk Management
FROM: Actuarial Standards Board (ASB)
SUBJ: Actuarial Standard of Practice (ASOP) No. 47
This document contains the final version of ASOP No. 47, Risk Treatment in Enterprise Risk Management.
Enterprise Risk Management (ERM) was defined by the Casualty Actuarial Society in 2003 as follows:
The discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.
This definition was also adopted by the Society of Actuaries in 2005.
Enterprise Risk Management is a rapidly emerging specialty within the actuarial community and, with the new CERA risk management educational certification, could well become an area of practice for actuaries with no tie to traditional actuarial work. The CERA is a globally recognized ERM designation supported by actuarial organizations in 12 countries with rigorous educational programs.
The ERM Task Force was formed in the fall of 2009 to revisit the need for ERM standards that were previously addressed by an earlier task force in 2007. In June 2010, the Task Force presented findings to the ASB and was then asked to go forward with the development of standards for two broad topics relating to ERM, Risk Evaluation and Risk Treatment.
In March of 2011, discussion drafts on two topics, risk evaluation and risk treatment, were posted to the ASB website. The ERM Task Force reviewed the comments received and, based on those comments, began work on the development of exposure drafts of standards on risk evaluation and risk treatment for presentation to the ASB.
This ASOP considers the topic of risk treatment. The process of risk treatment is a fundamental part of risk management systems that are found in organizations. In this context, risk is intended to mean the potential of future losses or shortfalls from expectations due to deviation of actual results from expected results.
This standard applies to enterprise risk treatment activities performed by actuaries. Some organizations will face requirements and requests for assessment of the risk treatment part of the risk management system in order to evaluate whether their risk management systems are operating at a level that meets or exceeds professional standards. Regulators in some industries may want similar evaluations.
This standard, along with ASOP No. 46, Risk Evaluation in Enterprise Risk Management, is intended to cover the risk evaluation and risk treatment activities within enterprise risk management work but does not cover other ERM practices that are performed by insurers, pension plans, other financial service firms, and other businesses or organizations. These two topics were chosen because they cover the most common actuarial services performed within enterprise risk management systems of organizations. In the future, other standards may provide guidance for other aspects of actuarial professional services in ERM.
These standards, as with all standards of practice, apply to the actions of individual actuaries and not to their organizations, employers or clients.
The exposure draft of this ASOP was approved for exposure in June 2012 with a comment deadline of September 10, 2012. Eight comment letters were received and considered in developing modifications that were reflected in this final ASOP. For a summary of the issues contained in these comment letters, please see Appendix 2. In general, the suggestions helped improve the clarity of the standard and did not result in substantive changes to the standard.
The ASB thanks everyone who took the time to contribute comments and suggestions on the exposure draft.
The ASB voted in December 2012 to adopt this standard.
Enterprise Risk Management Task Force
David N. Ingram, Chairperson
Maryellen J. Coggins
Eugene C. Connell
Wayne H. Fisher
Kevin M. Madigan
Claus S. Metzner
David Y. Rogers
Max J. Rudolph
David K. Sandberg
John W.C. Stark
Actuarial Standards Board
Robert G. Meilander, Chairperson
Albert J. Beer
Alan D. Ford
Patrick J. Grannan
Stephen G. Kellison
Thomas D. Levy
Patricia E. Matson
James J. Murphy
James F. Verlautz
The ASB establishes and improves standards of actuarial practice. These ASOPs identify what the actuary should consider, document, and disclose when performing an actuarial assignment. The ASB’s goal is to set standards for appropriate practice for the U.S.
Section 1. Purpose, Scope, Cross References, and Effective Date
1.1 Purpose
This actuarial standard of practice (ASOP) provides guidance to actuaries when performing professional services with respect to risk treatment within a risk management system, including designing, implementing, using, maintaining, and reviewing those systems.
1.2 Scope
This standard applies to actuaries when performing professional services with respect to risk treatment for the purposes of enterprise risk management (ERM).
Risk treatment is often performed as part of an ERM control cycle. Within a typical ERM control cycle, risks are identified, risks are evaluated, risk appetites are chosen, risk limits are set, risks are accepted or avoided, risk mitigation activities are performed, and actions are taken when risk limits are breached. Risks are monitored and reported as they are taken and as long as they remain an exposure to the organization.
This standard focuses on four aspects of risk treatment: determining risk tolerance, choosing risk appetites, setting risk limits, and performing risk mitigation activities. Guidance for activities related to risk evaluation is addressed in ASOP No. 46, Risk Evaluation in Enterprise Risk Management.
This standard does not apply to actuaries when performing professional services with respect to risk treatment that are not for the purposes of ERM. Examples of risk treatment services that may be performed for purposes other than ERM include designing a health insurance program and executing a product-specific reinsurance or hedging program.
If the actuary departs from the guidance set forth in this standard in order to comply with applicable law (statutes, regulations, and other legally binding authority), or for any other reason the actuary deems appropriate, the actuary should refer to Section 4.
1.3 Cross References
When this standard refers to the provisions of other documents, the reference includes the referenced documents as they may be amended or restated in the future, and any successor to them, by whatever name called. If any amended or restated document differs materially from the originally referenced document, the actuary should consider the guidance in this standard to the extent it is applicable and appropriate.
1.4 Effective Date
This standard is effective for any professional services with respect to risk treatment in enterprise risk management performed on or after May 1, 2013.
Section 2. Definitions
The terms below are defined for use in this actuarial standard of practice.
2.1 Basis Risk
The residual risk that results from an imperfect risk offset or transfer process. For example, basis risk may arise from a hedge that pays off based upon an index while the exposure is an investment in a managed selection of individual stocks, or from a capital market hedge based upon industry-wide losses used to offset an insurer’s specific storm exposure.
2.2 Counterparty Risk
The risk that the party providing a risk offset or accepting a risk transfer does not fulfill its obligations.
2.3 Enterprise Risk Management
The discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.
2.4 Enterprise Risk Management Control Cycle
The continuing process by which risks are identified, risks are evaluated, risk appetites are chosen, risk limits are set, risks are accepted or avoided, risk mitigation activities are performed, and actions are taken when risk limits are breached.
2.5 Organization
The entity for which ERM is being performed. Examples include public or private companies, government entities, and associations, whether for profit or not for profit.
2.6 Risk
The potential of future losses or shortfalls from expectations due to deviation of actual results from expected results.
2.7 Risk Appetite
The level of aggregate risk that an organization chooses to take in pursuit of its objectives.
2.8 Risk Limit
A threshold used to monitor the actual risk exposure of a specific unit or units of the organization to ensure that the level of aggregate risk remains within the risk tolerance.
2.9 Risk Management System
A combination of practices, tools and methodologies that an organization uses to identify, assess, measure, mitigate, and manage the risks it faces during the course of conducting its business.
2.10 Risk Mitigation
An action that reduces the frequency or severity of a risk.
2.11 Risk Profile
The risks to which an organization is exposed over a specified period of time.
2.12 Risk Tolerance
The aggregate risk-taking capacity of an organization.
2.13 Risk Treatment
The process of selecting actions and making decisions to transfer, retain, limit, and avoid risk. This can include determining risk tolerance, choosing risk appetites, setting risk limits, performing risk mitigation activities, and optimizing organizational objectives relative to risk.
Section 3. Analysis of Issues and Recommended Practices
3.1 Risk Treatment
An actuary may be called upon to perform a variety of risk treatment activities. In performing services related to risk treatment, the actuary should consider, or may rely on others who have considered, the following:
a. information about the financial strength, risk profile, and risk environment of the organization that is appropriate to the assignment. Such information may include the following:
1. the financial flexibility of the organization;
2. the nature, scale and complexity of the risks faced by the organization;
3. the potential differences between the current and long-term risk environments;
4. the organization’s strategic goals, including goals for the level and volatility of profits, both short term and long term;
5. the interests, including the risk/reward expectations, of the relevant stakeholders. These stakeholders may include some or all of the following: owners, boards of directors, management, customers, partners, employees, regulators and others potentially impacted by the organization’s management of risk;
6. regulatory or rating agency criteria for risk levels and the implications of potential risk levels on the continuation of business operations as reflected in ratings or other external measures of security;
7. the degree to which the organization’s different risks interact with one another, actual and perceived diversification benefits, and dependencies or correlations of the different risks;
8. limitations to the fungibility of capital across the organization, under both normal and stressed conditions; and
9. the extent to which the organization’s exposure to risks may differ from the exposures of its competitors.
The actuary may rely on management’s opinions of the risk environment, may form an independent opinion of the risk environment, may rely on a third party’s evaluation of the risk environment, or may infer a risk environment from current conditions (such as market prices and political climate, among others).
b. information about the organization’s own risk management system as appropriate to the assignment. Such information may include the following:
1. the risk tolerance of the organization;
2. the risk appetite of the organization. This may be explicit or inferred from objectives of the organization including those related to solvency, market confidence, earnings expectations, or other objectives;
3. the components of the organization’s enterprise risk management control cycle;
4. the knowledge and experience of the management and the board of directors regarding risk assessment and risk management; and
5. the actual execution of the organization’s enterprise risk management control cycle, including how unexpected outcomes are acted upon.
c. the relationship between the organization’s financial strength, risk profile, and risk environment as identified in (a) above, and the organization’s risk management system as identified in (b) above. If, in the actuary’s professional judgment, as appropriate to the assignment, a significant inconsistency exists, then that inconsistency should be considered in the risk treatment activities and communicated by the actuary.
d. the intended purpose and uses of the actuarial work product.
3.2 Using Models in Risk Treatment
An actuary may use models to provide support for risk treatment decisions, for example, the setting of specific risk tolerance or the selection of a risk mitigation strategy. When using models in risk treatment, the actuary should consider the inherent statistical, theoretical, and other limitations of the models. Such models are usually risk evaluation models and, as such, the actuary designing or implementing models for risk treatment purposes should refer to ASOP No. 46, Risk Evaluation in Enterprise Risk Management.
3.3 Organizational Risk Parameters of Risk Tolerance, Risk Appetite, and Risk Limits
An actuary may be called upon to review or recommend organizational risk parameters, or may be involved in designing, operating, or using a system to monitor risks relative to these parameters.
In performing services related to these parameters, as appropriate to the actuary’s assignment, the actuary should consider, or may rely on others who have considered, the following:
a. the financial and non-financial benefits associated with each planned, risk-taking activity and the aggregation of those activities;
b. the degree of concentration of the risks of the organization;
c. the opportunities available to mitigate breaches of risk limits and risk tolerance, as well as the cost and effectiveness of such mitigation strategies;
d. regulatory or accounting constraints that may affect the risk environment;
e. the relationships between the risk tolerance, risk appetite, and risk limits; and
f. the historical volatility of the organization’s results in the context of its current risk profile.
3.4 Risk Mitigation
An actuary may be called upon to review or recommend an organization’s risk mitigation strategy, or may be involved in designing or using processes to mitigate risks relative to the organization’s risk tolerance, risk appetite, or risk limits.
In performing services related to risk mitigation, the actuary should consider, or may rely on others who have considered, the following:
a. information relating to qualitative aspects of the organization as appropriate to the actuary’s assignment. Such information may include the following:
1. the resilience of the organization under duress caused by common fluctuations in experience as well as from extreme adverse conditions;
2. the operational capabilities of the organization needed to implement the risk mitigation strategy; and
3. the potential risk to the organization’s reputation as a result of the risk mitigation strategy.
b. information relating to the cost of, potential effectiveness of, and constraints upon risk mitigation activities as appropriate to the assignment. Such information may include the following:
1. the availability of risk mitigation instruments both in the current and future environments;
2. the counterparty credit risk inherent in the risk mitigation instruments and the organization’s ability to monitor and mitigate the counterparty risk over time;
3. the nature and degree of the basis risk that is inherent in the risk mitigation instruments;
4. the degree of confidence that the risk mitigation process can be maintained or repeated over time;
5. the availability of data on current and potential future risk positions, before and after mitigation;
6. the variability of outcomes after risk mitigation;
7. the accounting treatment of the gross and net risk positions related to risk mitigation;
8. regulatory constraints on risk mitigation options; and
9. the granularity of modeling needed to capture the effects of the risk mitigation processes as well as the practicalities of achieving that granularity.
3.5 Reliance on Data or Other Information Supplied by Others
When relying on data or other information supplied by others, the actuary should refer to ASOP No. 23, Data Quality, and ASOP No. 41, Actuarial Communications, for guidance.
The actuary should prepare and retain documentation in compliance with the requirements of ASOP No. 41. The actuary should also prepare and retain documentation to demonstrate compliance with the disclosure requirements of section 4.
Section 4. Communications and Disclosures
4.1 Actuarial Communication
When issuing an actuarial communication subject to this standard, the actuary should consider the intended purpose or use of the risk treatment activities and refer to ASOP Nos. 23 and 41, and, if applicable, ASOP No. 38, Using Models Outside the Actuary’s Area of Expertise (Property and Casualty). In particular, consistent with the intended use or purpose, the actuary should disclose the following as appropriate:
4.1.1 Risk Treatment
The actuary should disclose significant inconsistencies between a) the organization’s financial strength, risk profile, and risk environment, and b) the organization’s risk management system that have been considered in the risk treatment activities as described in section 3.1.
4.1.2 Model Limitations
The actuary should disclose any known significant limitations of the models used in risk treatment, and the impact of those limitations on risk treatment activities and decisions as described in section 3.2.
4.1.3 Risk Tolerance, Risk Appetite, and Risk Limits
The actuary should disclose considerations important to conclusions reached when reviewing or recommending these organizational risk parameters, or when designing, operating, or using a system to monitor risks as described in section 3.3.
4.1.4 Risk Mitigation
The actuary should disclose considerations important to conclusions reached when reviewing or recommending an organization’s risk mitigation strategy, or when designing processes to mitigate risks relative to the organization’s risk tolerance, risk appetite, or risk limits as described in section 3.4.
4.1.5 Changes in System/Process
The actuary should disclose any material changes in the system, process, methodology, or assumptions from those previously used for the same type of risk treatment activity. The general effects of any such changes should be disclosed in words or by numerical data, as appropriate.
The actuary should disclose the significant assumptions used in the risk treatment activity such as accounting constructs, economic values, and stand-alone or portfolio views of risk. The actuary should disclose the different target criteria underlying the risk treatment activity (solvency, regulatory standards, earnings volatility, reputation damage, etc.). The actuary should disclose any other significant assumptions used in the analysis, including anticipated future actions by management to manage or mitigate risks identified by the actuary.
4.2 Deviation from Guidance in the Standard
If the actuary departs from the guidance set forth in this standard, the actuary should include the following where applicable:
a. the disclosure in ASOP No. 41, section 4.2, if any material assumption or method was prescribed by applicable law (statutes, regulations, and other legally binding authority);
b. the disclosure in ASOP No. 41, section 4.3, if the actuary states reliance on other sources and thereby disclaims responsibility for any material assumption or method selected by a party other than the actuary; and
c. the disclosure in ASOP No. 41, section 4.4, if, in the actuary’s professional judgment, the actuary has otherwise deviated materially from the guidance of this ASOP.
Appendix 1 – Background and Current Practices
Note: This appendix is provided for informational purposes, but is not part of the standard of practice.
Enterprise Risk Management (ERM) has been a developing area of practice for actuaries for over 10 years. In 2001, the Casualty Actuarial Society (CAS) Advisory Committee on Enterprise Risk Management produced a report that recommended areas of research and education that were needed by actuaries entering this emerging field. In 2002, the Society of Actuaries (SOA) formed a Risk Management Task Force that wrote guides to Economic Capital and Enterprise Risk Management practice as well as initiating several research projects. In 2004, the task force evolved into a new Risk Management Section of the Society of Actuaries and became the first and largest joint activity in 2005 when it became the Joint Risk Management Section co-sponsored by the SOA, CAS, and the Canadian Institute of Actuaries (CIA). The Joint Risk Management Section has been tightly linked with an annual ERM Symposium event that is a joint activity of the SOA, CAS, CIA, and the Professional Risk Managers’ International Association (PRMIA), a non-actuarial risk management organization.
Enterprise Risk Management is also becoming a standard practice at many organizations and its use has been steadily spreading. Poor ERM practice has been blamed by many for some or all of the ills of the 2008-2009 Global Financial Crisis. The G20 heads of state have called for significant improvements to risk management practices in the financial sector and have charged the Financial Stability Board and the International Monetary Fund to take steps to promote and sometimes require better risk management practices from financial sector firms. The International Association of Insurance Supervisors has responded to that by promulgating an Insurance Core Principle paper on Enterprise Risk Management, requiring insurance regulators to promote ERM practice and self assessment of solvency needs by insurers globally. The National Association of Insurance Commissioners has developed a requirement for an Own Risk and Solvency Assessment (ORSA) process that includes an assessment of risk management practices for larger insurers and the New York State Insurance Department (December 2011) published a requirement that all insurers domiciled in the state must adopt an Enterprise Risk Management regime.
At the most fundamental level, Enterprise Risk Management can be understood as a control cycle. Within a typical risk management control cycle, risks are identified, risks are evaluated, risk appetites are chosen, risk limits are set, risks are accepted or avoided, risk mitigation activities are performed, and actions are taken when risk limits are breached. Risks are monitored and reported as they are taken and as long as they remain an exposure to the organization. This cycle can be applied to specific risks within a part of an organization or to an aggregation of all risks at the enterprise level.
Risk evaluation and risk treatment have long been a part of actuarial practice. Actuarial risk evaluations were long used by insurers to assess their capital needs and pricing for risks. Actuarial risk evaluations have also long been used and continue to be the objective functions in risk mitigation activities such as reinsurance, asset liability management and hedging within risk treatment programs. Risk evaluation is a key activity of the new ERM practice. An economic capital model has become a new standard tool for ERM programs. Stress tests are another risk evaluation process that has long been used by actuaries that has emerged as a primary tool for ERM. The risk evaluation activities of actuaries in all of these situations are the subject of Actuarial Standard of Practice No. 46, Risk Evaluation in Enterprise Risk Management.
The risk treatment activities of actuaries are the subject of this standard. Actuaries have provided analytical support and guidance in the development of informal or implicit risk appetites long before that phrase was in wide usage. For decades, actuaries have been providing support and guidance for decisions involving risk mitigation activities such as reinsurance, asset liability management and, more recently, hedging within risk treatment programs. Risk treatment is a key activity of ERM practice. Actuaries are taking more prominent roles in the development of articulated risk tolerance, appetite, and limits as well as becoming more intimately involved in risk mitigation activities.
Actuaries often have a central role in the operation of the control cycle for individual risks including insurance risk, equity risk, credit risk, interest rate risk, operational risk and liquidity risk. Within those control cycles, actuaries may use tools and processes such as reinsurance, hedging and duration/convexity matching as well as the more general risk mitigation processes such as underwriting, risk selection, and risk avoidance. In many organizations, actuaries are not the only risk managers. Actuaries might be a part of a multi-disciplinary team or may be managing one risk while other teams, including non-actuaries, manage other risks.
At the enterprise level, actuaries often participate with top management of the organization to manage the control cycle for the aggregate risk of the organization. They might focus on the relationship between the actual risk profile, the risk tolerance, and the risk appetite of the organization. In addition, strategic risk will be managed at this level along with reputational risk. In almost all cases, actuaries work with non-actuarial experts to manage these enterprise level risks.
Actuaries are also called upon to review risk treatment processes performed by actuaries or by other professionals; to provide or review the organization’s risk tolerance, risk appetite, or risk limits; and to document the underlying assumptions. An actuary might be asked to analyze the impact of a strategic decision on an organization’s risk treatment processes, recommend allocations of risk appetite to units within an organization, or opine on the appropriateness of an organization’s risk appetite relative to the organization’s risk profile and financial strength.
In most organizations, risk appetite or tolerance are key metrics that guide the risk treatment process. However, the terms risk tolerance and risk appetite do not have standardized definitions. These terms usually relate to the amount and types of risk that an organization is able to take and is planning to take consistent with the resources and objectives of the organization. In some organizations, these terms are solely used with regard to the aggregate risk of the entire organization, but in others, the terms are applied to broad types of risks or even to individual transactions. In some organizations, one of these two terms is a subset of the other, while in others, the terms refer to intersecting sets of risks where each set has elements that are not common to the other.
In working with risk treatment, the organization will usually want to consider both the threats to the organization that are posed by the risks taken as well as the opportunities for gains that are associated with those risks, considering the costs and benefits of any risk mitigation activities under consideration or in use. The actuary is often asked to help with the following:
1. the strategic evaluation of potential opportunities and the risks associated with them. This would include strategic approaches to risk treatment that change both the opportunity and risk sides of expectations.
2. tactical choices of potential actions within the strategic direction, considering the risks and opportunities of each action as well as risk mitigation choices.
3. tactical choices of potential actions that can be taken to reduce the risk of actions that have already been taken. This often includes evaluation of the trade-offs of various risk mitigation alternatives.
4. selecting and implementing actions to reduce the severity of losses for an emerging adverse event. This often includes a cost benefit analysis of potential actions.
Appendix 2 – Comments on the Exposure Draft and Responses
The first exposure draft of this ASOP, Risk Treatment in Enterprise Risk Management, was issued in June 2012 with a comment deadline of September 10, 2012. Eight comment letters were received, some of which were submitted on behalf of multiple commentators, such as by firms or committees. For purposes of this appendix, the term “commentator” may refer to more than one person associated with a particular comment letter. The Enterprise Risk Management Task Force of the Actuarial Standards Board carefully considered all comments received, and the ASB reviewed (and modified, where appropriate) the changes proposed by the Task Force.