Category Archives: Risk management

Evolving FRM strategies still valuable to life insurers

In this A.M. Best interview, Milliman consultant Kamilla Svajgl offers perspective on financial risk management (FRM) strategies currently used by the life insurance sector. She also discusses how companies with sophisticated FRM strategies in place prior to the global financial crises withstood its effects.

SFCR: Where are the risks?

This blog is part of the Pillar 3 Reporting series. For more blogs in this series click here.

Following the first annual reporting deadline under Solvency II, here’s a look at the breakdown of risk components within the Solvency Capital Requirement (SCR) across the Irish market. This provides a useful insight into the largest drivers of regulatory capital, while also indicating some of the sources of risk for companies.

All companies
This analysis is based on 40 published Solvency and Financial Condition Reports (SFCRs) as only standard formula companies have been included. The graph in Figure 1 shows the breakdown of the various SCR components, where 100% represents the calculated SCR.

As can be seen, underwriting risk represents the largest driver of SCR, followed by market risk. In this case, underwriting risk represents a combination of life, health, and non-life underwriting risks.

The benefits of diversification and loss-absorbing capacity represent an average reduction of 43% of the SCR. Please note that diversification here is at the SCR module level and doesn’t include the impact of diversification across sub-modules.

Figure 1

Continue reading

Capitalizing on your actuarial report

In this article, Milliman’s Richard Frese and Andy Hoffman offer organizations perspective concerning critical topics they should discuss with an actuary to enhance their insurance program, better manage liabilities, and maintain appropriate actuarial analysis for the needs of their program. The authors also discuss best practices when working with an actuary.

This article was published in The Risk Management Quarterly.

Spotlight on operational and reputational risk

macdonnell-bridgetOperational and reputational risks have become areas of greater focus in recent times. There have been so many high-profile operational risk events that it is clear how important operational risk management is for all companies—Anthem, Volkswagen, and UBS are just a few examples of companies that have suffered significant losses because of operational risk events. In addition, for every publicly reported incident there are sure to be a host of smaller cases, which have not been large enough to hit the headlines, and which, of course, can have a cumulative detrimental effect over time. There is also a somewhat invisible aspect to operational risk, given that the damage does not always affect physical assets. Information can be stolen through a cyber breach, agents can act in their own interests, fraudulent activity can happen, and all of these events can go undetected.

Operational risk can also contribute to other risks that undertakings face, particularly reputational risk—a risk we don’t always fully appreciate until the damage is done. There are many strategies and marketing campaigns aimed at ‘one brand’ and ‘one vision’ which show the value organisations place on their reputations. Yet reputational risk management is not always given the attention it deserves. It’s worth pausing for a moment to take a closer look at operational and reputational risk management.

Operational risk
The challenges of quantifying operational risk are numerous—they include the lack of data to properly calibrate models and there are also challenges in relation to the models themselves. For example, the major shortcomings of the Solvency II standard formula calculation of operational risk capital are highly topical at the moment. Under Solvency II, operational risk capital must be held as part of the company’s Pillar 1 capital requirements. Criticism of this factor-based calculation includes its failure to capture many relevant elements of a company’s risk profile, such as the operating model and the specific processes within the company.

Interestingly, the solvency regime in Switzerland (known as the ‘Swiss Solvency Test’) does not require operational risk capital to be held. Rather, operational risk is considered as part of the company’s risk management, therefore treating it as a Pillar 2, as opposed to a Pillar 1, issue. Earlier this year, the Basel Committee on Banking Supervision imposed an outright ban on operational risk internal models for banks, acknowledging the widely differing approaches and complex modelling of this risk within the industry. Whether or not such developments will flow over to the EU (re)insurance solvency regime remains to be seen, but regardless of where operational risk sits from a regulatory perspective it is nonetheless an area where there are increasingly sophisticated methods being used in companies’ own risk assessments, such as, for example, Bayesian Network modelling.

For those who may be unfamiliar with Bayesian Network modelling, it is a technique that is gaining more and more traction as companies continue to develop their understanding of their operational risk exposures. This technique aids the understanding of operational risk exposures through workshops with various experts within the business, in order to establish the key underlying drivers of operational exposure and the relationships between these drivers. They are often not obvious at first glance and tend to involve quite nonlinear relationships. Once these exposures are well understood, the company can focus its attention on managing and mitigating the risks.

Continue reading

Chief risk officers identify threats and opportunities

Modern organizations are complex and having a chief risk officer (CRO) to look across the organization and its environment is hugely valuable. The CRO is uniquely positioned to scan across unfolding trends, both within the organization and outside it, and work with colleagues to determine whether there are opportunities or threats. In this video, Milliman’s Neil Cantle explains the management of risk and the role of a chief risk officer.

Decentralized governance enhances risk management

Assessing organizational culture is an integral aspect of a company’s risk management framework. Most companies, though, contain diverse groups of experts who interact with one another daily, and each group has its own distinct subculture. According to Milliman consultant Neil Cantle, companies that adapt decentralized control structures, allowing experts to make local decisions based on the company’s risk tolerance, can become more resilient and successful.

Neil’s Raconteur article “Achieving resilience by harnessing people power” provides more perspective. Here’s an excerpt:

[Companies] are complex ecosystems where people go about their daily tasks, interacting with countless others inside and outside the company. In the real world, people are faced with situations every day that don’t quite match the process manual, and they will use their initiative and try to find a way through to a successful outcome. Their judgments will reflect their values, so the question is whether those values are consistent with the culture your board wants to see? …

…In a world such as this, the notion of control, therefore, requires modification. We can no longer deliver the outcome we want with certainty, but can only choose our next action. Of course, we would like to select an action that will help take the company towards a successful outcome, but we simply don’t know for sure which one that is. We have to retain flexibility and learning as core skills, with the certain knowledge that things around us will not always go to plan.

In fact, in situations of complexity, where the environment is dynamic and changing, a model of centralised control is far from optimal and often leads to unintended outcomes. The more appropriate approach to guiding progress here turns out to be empowering local experts to make localised decisions, with the proviso that they are aware of what is happening in the wider overall context.

Organising in this way, we need to empower our experts to make local decisions in the best interests of the whole, and are much more concerned about whether their attitudes and behaviours are consistent with what we would like. We are trusting them “to do the right thing” rather than directly controlling what they do. There will be some things we are so keen to avoid that we will implement very strict controls, making it hard to do the wrong thing, but we are largely going to be using our values to guide behaviours.

For more perspective on organizational culture and risk management, read “Cultural compass,” also written by Neil.