Future Pathways Fresh perspectives from actuaries of the future

Risk Management:

An overview of the development of ERM

in the insurance industry and the

pathway of the actuary

Prepared by

James Xu, AMP

Klaas Stijnen, Deloitte

Presented to the New Zealand Society of Actuaries Future Pathways Sessional Meeting

15 – 16 March 2011

Abstract

The Global Financial Crisis (GFC) has forced the insurance industry to put a stronger focus on risk

management. Strengthening regulatory requirements and ever more risk-oriented business-needs

almost continuously increase the demand for actuaries focussed on risk management. Through the

GFC, the need for and willingness of actuaries to further embrace risk management as a key focus

has excelled.

Currently, and with increasing momentum, Enterprise Risk Management (ERM) is being

implemented across the financial industry. The International Actuarial Association responded to the

need for risk management focussed actuaries by introducing the Chartered Enterprise Risk Analyst

(CERA) credential, which aims to equip actuaries with the right tools to implement and manage ERM.

Managing the after-effects of the Global Financial Crisis requires will require changes by many

insurance companies. As a driver of these changes, the role of the actuary is one that will require

more than just technical skills, such as professionalism and leadership.

1. Introduction

Risk management is an often heard word nowadays especially in the finance industry. In the 15 years

before the Global Financial Crisis (GFC), the development of risk management had been fairly

gradual, driven by strengthening regulatory requirements as well as through business needs.

Actuaries have been seen by many as professionals with the right skill set and attitude to lead these

devlopments in insurance companies to fully embed risk management. Various educational actuarial

bodies increased the weight of risk management techniques such as Value at Risk in the actuarial

training during the first half of the last decade. This enforced focus coincided with an increasing

number of insurance companies in most developed countries implementing risk management

systems to identify, monitor and develop a deep understanding of risks. During the second half of

the same decade, as the understanding of risks and the regulatory push for risk management

increased, Enterprise Risk Management (ERM) moved to the forefront. ERM represents the concept

in which “an organisation (...) assesses, exploits, finances and monitors risks from all sources for the

purpose of increasing the organisation’s short- and long-term value to its shareholders”1.

The GFC hit the financial industry hard during the second half of 2008, uncovering risks which

appeared to have not been managed properly. Unsurprisingly, poor risk management was the target

of various critics. The GFC changed the pace of the development of ERM in the financial industry.

The various financial failures in the financial industry exposed ERM as a critical tool in order for the

business to survive and succeed, driving a more rapid implementation in an increasing number of

companies and geographical areas. In response, the International Actuarial Association introduced

the Chartered Enterprise Risk Analyst (CERA) credential to distinguish a core actuarial body of risk

management knowledge alongside appropriate standards for achieving the qualification.

In the next section of this paper, we investigate the various causes, implications and lessons learned

from the GFC with a focus on the role of risk management. In the following section, we pay

particular attention to ERM. We discuss some best practices currently adopted by the insurance

industry. We explore the benefits of having ERM and what challenges a risk manager might have to

deal with in the implementation of ERM. In the last section, we provide an overview of the CERA

credential. We discuss the objectives of the qualification and provide a high level outline of the

course. Finally, we discuss how this qualification prepares an actuary for implementing and

performing ERM. Other papers presented at the Future Pathways Sessional Meeting extensively

cover prudential regulation. Therefore, we have chosen not to focus on this matter in this paper.

1 Various definitions of ERM exist. This definition is applied by the Casualty Actuarial Society.

2. Risk Management and the GFC

Over the years, we have observed many incidents that could have been avoided or at least mitigated

were an appropriate risk management process in place. The famous Baring Bank case, where lack of

disciplined investments led to a loss of $1.5 billion and the collapse of the entity, is a good example

which emphasises that the implementation of Enterprise Risk Management has become a burning

issue for financial services organisations.

One of the key drivers of risk management development is increasing regulatory requirements. From

the 1933 Act2 right after the start of the Great Depression to Sarbanes-Oxley to Solvency II,

regulators around the world have been working towards a much stricter environment for the entire

financial services industry, which has led to the shaping up of risk management for the financial

sector today.

Unfortunately, many of these regulatory changes only took place after a major collapse of the

industry, which was why the US government strengthened control over the financial sector after the

GFC had taken hold.

The boom of the US housing market, where a consecutive 10-year rise in house prices led to a belief

that a nationwide house price drop would never happen, is seen as the primary cause of the GFC. In

addition, there were many secondary causes contributing to the magnitude of the crisis, such as the

complex and ultimately ineffective regulatory system in the US. This system gave rise to a conflict of

interest which led to problems in the securitisation process. Also, an over-reliance on credit ratings

by market participants and regulators has been observed.

It is believed that one of the main contributors to the GFC were Residential Mortgage Backed

Securities (RMBS). A RMBS is a securitisation that uses the householders’ repayment on mortgages

as collateral in order to obtain a higher credit rating for the security. A lack of regulatory supervision

on securitisations contributed directly to the expansion of these securities, which resulted in a rapid

deterioration in quality of the underlying mortgages.

The RMBS were initiated by Government Sponsored Enterprises, namely Fannie Mae (FNMA),

Freddie Mac (FHLM) and Ginnie Mae (GNMA). Growth in the issue of RMBS over the years can be

found in the diagram below.

All dollar amounts are in USD.

2 This is the US Securities Act of 1933, which was introduced after the stock market crash in 1929. It requires

the listing of any new securities to be registered. The Securities and Exchange Commission (SEC) took over the registration authority a year later.

source: Citigroup

As can be seen from the above graph, the securitisations issued by the three major entities (Ginnie

Mae, Fannie Mae and Freddie Mac) increased dramatically towards the end of the last century.

source: LoanPerformance

In addition to the government agency issued securities, there were numerous non-agency securities

that usually offered a higher return, but with the originator not guaranteeing the quality or the

repayment of the securities. In the diagram above, Alt-A loans usually refer to loans with borrowers

having an unstable source of income. ARM (Adjusted-Rate Mortgage) refers to periodically adjusted

interest rates on mortgages according to a series of publicly available indices. Subprime loans are

usually to borrowers with low credit quality while Whole Loans are loans that exceed the maximum

allowed loan size accepted by the government agencies. Similarly to the government agency

securities, the issue of non-agency securities also boomed together with house prices. However,

they then almost vanished due to the credit crunch after 2007 as can be seen from the above graph.

Since borrowers have a variety of credit quality, when a sufficiently large pool of mortgages had

been accumulated, the issuers were able to divide these into different tranches with different

seniorities. Tranches with lower seniority were then expected to bear the initial loss if borrowers

defaulted. Following this restructuring, despite the poor credit quality of individual loans, rating

agencies would have “enough” evidence to show that some of the tranches in fact qualified as a

“AAA” rating.

A similar situation was observed with Collateralised Debt Obligations (CDOs)3, especially in CDO-

squared, where poor quality CDOs were accumulated to construct a tranche-like structure in order

to qualify for a better credit rating.

It is clear that not only were there flaws in the regulatory frameworks, but it also created serious

incentive problems for the participants in the process of focussing on short term goals (e.g. volume

and bonus) rather than the long term viability (the quality of the loans).

The US regulatory framework will not be discussed further in this paper, since it is less relevant to

the New Zealand insurance market. We will therefore turn our focus to a less systemic but more

behaviour-driven analysis.

The fact that many of the participants in the securitisation process (such as appraisers, bankers,

mortgage brokers, and investment bankers) aimed for short-term results with little consideration for

longer-term outcomes led to high volume and low quality of the securities. Since many had little

financial stake in the process, it is no surprise that they pursued volume and speed at the cost of

quality. Market self-regulation in this process did nothing to help the maintenance of origination

standards. Cases of lax underwriting and even fraud, such as intentional appraisal inflation or loan

application alteration, were uncovered.

In addition, not all buyers of these securities did their homework appropriately. Many simply relied

on the credit rating from the rating agencies rather than conducting a thorough review of the true

risks they were taking on. Even though the rating agencies usually have more insight into a security

and hence would be able to properly assess the quality of a security, the tranche structure was new

to them and they appeared unable to accurately assess risks embedded in the security and assign an

appropriate credit rating. This is particularly true for institutional investors, such as insurance

companies and banks, who in fact had the required resources and knowledge to conduct in-depth

analysis of the risks. Unfortunately, most of these institutional investors also failed to understand

the potential negative impacts of the agreements they entered into.

This leads to the discussion of Credit Default Swaps (CDS). A CDS is a derivative where the payoffs

are dependent on the survival of a particular entity. Typically, the buyer will pay the seller a series of

payments in exchange for a lump sum payment should the reference entity default. In most cases

during the GFC, institutional investors inadequately assessed that the house price would not fall and

hence there should hardly be any defaults. Therefore, they entered into the CDS transactions

without knowing exactly what or whom they were covering. Due to the existence of these CDS

agreements, everyone thought they were in a perfectly safe position. However, when the market

3 A CDO is a security whose value depends on the cashflow of a portfolio of fixed interest assets. Usually many

CDOs are grouped together in order to divide into different tranches, namely senior, mezzanine and equity tranches. Equity tranches will bear the first loss while senior tranches have better security in terms of interest and principal payments.

started to shake, these securities suddenly deteriorated as insurance companies would often find

their counterparties’ names listed in the “Defaulted” category.

What happened to Swiss Re back in 2008 was a very good example of why institutional investors

should conduct a careful investigation for their investments.

From 2003, the Swiss Re asset management business had been growing strongly. In terms of total

assets under management (AUM), it grew from 3% to more than 10% of the total AUM of the group

in just 3 years. This growth helped Swiss Re become one of the biggest reinsurers in the world.

However, their success reversed once the credit quality of their CDS deteriorated. In 2008, Swiss Re

announced a CHF$1 billion (equivalent to NZD $1.629 billion as at 31/12/2008) loss and had its credit

rating downgraded by all major rating agencies4.

Thus, some of the lessons learned from the GFC are:

There is no free lunch - the old principle “high risk, high return” still applies. Investors should

carefully investigate risks they are taking on.

Investors should develop a robust system that enforces understanding the systemic risks of

aggregate exposures, including those which may not be obviously seen.

Always challenge the accurateness and reliability of the analytical model, such as the one

that underpinned the tranche structure. Investors should familiarise themselves with any

underlying model.

In the next section, we will discuss the importance of ERM and how best practices could help

mitigate the potential risks one can confront in the financial industry.

4 Swiss Re Annual Reports

3. Enterprise Risk Management nowadays

As discussed in the introduction, Enterprise Risk Management is about ´an organisation (...)

assessing, exploiting, financing and monitoring risks from all sources for the purpose of increasing

the organisation’s short- and long-term value to its shareholders´. Traditionally, most insurance

companies have been predominantly managed on profit and loss (earnings) and book value (of

equity) and less so on risk-based measures.

Crises, on several occasions, have revealed that these measures, which are relatively short term

focussed and not always market value equivalent, do not provide significant insight into the various

risks insurance companies are exposed to. In the case of the UK-based insurance company Equitable

Life, policyholders were guaranteed investment returns of 8% or more. The economic value of these

guarantees was not reflected on the balance sheet, however it became significant when over the

course of several years, investment returns dropped well below 8%. The option was not properly

hedged and therefore, amongst other reasons, the company wasn´t able to meet policyholders´

benefits and closed its doors to new business in 2000.

One of the goals of accounting is to provide ´relevant´ information. Relevance in this context means

that information presented in financial statements should be appropriate and assist a person

evaluating the statements to make educated assumptions regarding the future financial state of a

company. Because of events such as the collapse of Equitable Life, accounting standards have

progressively been moving toward fair valuation in order to provide more relevance to accounting

standards.

To protect policyholders and society from systemic damage, such as described in the previous

section, insurance regulators world-wide have progressively introduced new requirements for

insurance companies to develop risk management techniques and to disclose more advanced risk-

based information for the regulator to better assess the capability of insurance companies to keep

their promises to policyholders during times of financial distress.

There are also compelling business reasons to further develop ERM, not only from a risk perspective,

but also from a return perspective, where superior knowledge and understanding of risk can help to

not only mitigate but also exploit risks. However, it should be noted that the weight of these reasons

can also depend on the compensation of directors, which is decided upon by shareholders, who

often have a shorter term investment horizon compared to life insurance, for example. With

accounting standards moving towards fair valuation (i.e. aiming to also capture the market price of

risk), possible materialisation of longer-term risks are also being reflected in the current profit and

loss and balance sheet. This (arguably) more relevant information available to the public effectively

increases the transparency for investors investing in the insurance business.

For all these reasons there is a clear trend in the insurance industry to increase the relevance of risk

management in day-to-day management and to implement ERM. ERM is effectively implemented in

various stages:

Risk identification

Risk monitoring

Risk management (reactive risk management)

Implementation of risk based strategy (proactive risk management)

In order to successfully implement ERM in strategy, ERM needs to be fully embedded in the

operating model, which requires capabilities in risk analytics. After having established the right

capabilities, the execution of ERM needs to mature. Integration of risk in performance management

incentivises ERM, guaranteeing the execution of ERM for the goal of growing and protecting long-

term shareholder value through a more thorough and deeper understanding of the business, which

is acquired in the process of implementing risk management.

A currently widely used framework to adopt ERM consists of the following elements:

Risk appetites

Risk appetites represent how much a company is willing to put at risk with a certain

probability over a defined time horizon. The measure defining loss should be directly aligned

with the company’s objectives (e.g. earnings, embedded value and solvency capital). As risk

and return are naturally related, risk appetite statements are directly related to the targeted

return.

Risk tolerances

A maximum potential reduction is allocated for each risk appetite to the various risk factors

(discussed below) through risk tolerances.

Key risk indicators (KRIs)

KRIs are measures used for management reporting indicating the status of a risk such as the

total exposure per investment class.

Risk limits

These are fixed business operation limits, (e.g. a maximum investment in stocks of 30%).

Risk management is about balancing risk and shareholders objectives and identifying the comfort

zone on the risk return curve, which is what this framework aims to do.

Establishing ERM requires a change of thinking about the business and its risks and therefore

enforces a change to a certain extent. Both employees and the board will need to further evolve

their way of thinking about the business. Implementing ERM is about following the right process,

acquiring the right capabilities and about enriching the understanding of the business, but even then

ERM is not likely to succeed without thought leadership. Actuaries are well placed to develop the

required skills to take up this role. Actuaries, more than most others in the insurance industry, are

used to viewing the business from a risk perspective. In addition, actuaries can relatively easily take

up the modelling skills required for ERM.

One of the cornerstones of successful implementation of ERM is reliable, accepted and understood

measurement of value and risks. Some risks can be modelled more reliably than other risks. The

availability of data is often key. For this reason in practice, operational and business risk is often

managed based on risk indicators and less so on modelled quantification. Where reliably possible,

the eventuation of relevant risks and their effect on various value measures are modelled. As

illustrated above, most commonly used value measures are:

Embedded value

Earnings

Capital (Economic and solvency amount available and solvency capital ratios)

These models aim to derive these value measures under a current (base) scenario and stressed

scenarios. In practices, modelled risks factors are:

Insurance Risk

Most commonly: mortality and longevity, general insurance, expense, lapse and inflation risk

Market Risk

Most commonly: interest / swap rates, stock price, credit (deteriorating credit quality and

widening of credit spreads – market appreciation of credit risk), currency and liquidity risk.

Operational and business risks are not often modelled currently. Stress scenarios are usually

determined using a one year horizon and confidence interval, often between 90% and 99.99%

,depending on the type of value measurement, geography, regulation and other factors.

4. Professionalism, ethics and CERA

Financial crises are in many cases directly linked with unethical practice, which has contributed to

various corporate failures in the past. For example, when investigators were examining the causes of

HIH’s collapse, they uncovered the fact that senior management, including key actuarial

stakeholders had “intentionally misled and lied to the company’s auditors from time to time”5

As actuaries are taking up responsible roles within the organisation, they may confront

circumstances where professional ethics may be challenged in practice. An actuary should act with

integrity and make professional decisions upon all situations in order to achieve a successful

actuarial practice. A professionalism course is therefore an integral part of any actuarial education

scheme. Candidates must successfully complete a professionalism course in order to become a

qualified actuary.

The CERA designation was developed in the wake of awareness of the importance of risk

management. A Chartered Enterprise Risk Analyst (CERA) has “demonstrated knowledge in the

identification, measurement and management of risk within risk–bearing enterprises”, according to

the Society of Actuaries. Combined with the professionalism course, which covers the professional

code of conduct and the importance of adherence to recognised standards of practice, the CERA

designation is deemed to be an appropriate qualification of a risk manager.

One of the advantages of CERA is its global recognition. That is, there are no national boundaries as

with actuarial credentials currently. This effectively means a CERA designation gives one the ability

to work in many different countries – from Canada to Australia – as a professional who has

appropriate credentials within risk management.

A CERA holder must go through a series of technical and professional trainings in order to earn the

designation, which includes:

Understanding of the ERM concept / framework

Familiarity of the ERM process

Ability to identify and categorise different risks

Modelling various risks individually as well as on an aggregate level

Applying appropriate risk metrics to quantify risks where possible

Communicating the results of the analysis in plain English and in an effective manner

Having a strong understanding of Economic Capital and its applications in the real world

A CERA designation could be earned through one of the actuarial education associations, including:

Society of Actuaries (SOA) – the United States

Institute / Faculty of Actuaries – the United Kingdom

5 Corporate governance, managerial malfeasance and incentive compensation schemes: The case of HIH

Insurance in Australia. Dr Scott Bourke and Dr Neil E. Bžchervaise.

Institute of Actuaries of Australia – Australia

Actuarieel Genootschap – the Netherlands

Actuarial Society of South Africa – South Africa

For example, the CERA from SOA comprises 8 exams and according to the SOA website it usually

takes the student three to four years to complete the entire education on a part time basis6. The

Dutch Actuarial Society offers an intense CERA training schedule over four months.

Most actuaries becoming technical experts in the insurance industry focus on risk management of

insurance risks and financial market risks. It is less common for actuaries to become experts in the

field of operational and business risks. Generally, insurance and financial market risks are modelled

risks (hence the preferred choice of actuaries) and operational and business risks less so.

Most life insurance companies in New Zealand currently perform some form of embedded value

calculation, which is often used solely for management reporting rather than performance

management. Some form of earnings projection exists as part of actuarial reporting. Most insurance

companies in New Zealand have not (yet) established an economic capital (or Value at Risk) model.

Asset and liability modelling techniques, used to model the combined impact of asset and liabilities,

are applied in economic capital and embedded value models. Investment mandates, designed within

ERM frameworks are often driven by risk ERM return ratios. To conclude, most models required for

ERM in the framework as described in section 3 are present in some form, but need to be further

developed and integrated to grow from reporting / monitoring purposes to more mature stages of

ERM.

Embedded Value, Economic Capital and earnings projection models need to be internally consistent,

complete and theoretically sound to be understood and accepted. For most New Zealand insurance

companies to further develop ERM, an integrated suite of models will be required to grow risk

management to being integrated in strategy and enhance performance.

Building on existing knowledge and actuarial training, the CERA qualification will help actuaries to

further develop a good understanding of the technicalities behind financial market and insurance

risks modelling for ERM. Furthermore, it also trains actuaries to obtain a general understanding of

risk management, including non-modelled risks and the processes required in order to establish and

maintain an ERM framework.

Risk management in the insurance industry is a technical area. To clearly communicate ERM model

results, it is essential to obtain buy-in from management and the board. Actuaries can take a leading

role as they understand ERM model results and can support the board and management to

effectively apply the results and understand the relevant underlying assumptions and shortcomings

of these models.

Leading and supporting ERM transitions in insurance companies can be a challenging and rewarding

experience, enriching both technical and interpersonal skills. Actuaries are driving ERM within the

6 http://www.ceranalyst.org/overview.asp

insurance industry, the banking industry and (although on a lesser scale currently) in the energy

industry. Most of the technical and non-technical challenges present within the insurance industry

are equally present in these other industries.

References

American Academy of Actuaries, 2002, Fair Valuation of Insurance Liabilities: Principles and

Methods, Public Policy Monograph.

Hayre, Lakhbir S., Robert Young, 2004, Guide to Mortgage-Backed Securities, Citigroup.

Wheeler, Darrell, et al, 2007, A Simple Guide to Subprime Mortgages, CDO, and

Securitization, Citigroup.

Society of Actuaries. www.soa.org