Actuarial Specialties | Enterprise Risk Management

Hungry for Risk?

Practical applications of a risk appetite framework Rebecca B. Scotchie and Christopher H. Murphy June/July 2019

Risk appetite, risk exposure, risk tolerance, risk limit dashboard—these are all buzzwords used by your organization’s enterprise risk management (ERM) program, right? While they may seem like high-level academic concepts that do not apply to your actuarial existence, the reality is many of your daily activities support key initiatives of your organization that help it operate within its risk appetite. So, what are these concepts all about, and how do they apply to you?

Assumption of risk is essential for insurers. Whether risk is knocking at or proactively welcomed through the door, it underpins your organization’s objectives, strategy and value proposition. As actuaries, we manage risk daily. The actions we take often feel intuitive, merely what is expected to properly manage the business. What is sometimes lost is a realization that we are—or should be—actively considering our organization’s appetite for certain risks.

Risk appetite is not only focused on the risks themselves, but also on achievement of organizational objectives. A well-run company summarizes how its stomach feels about risk via a risk appetite statement, and foundational to an insurer’s ERM program is its risk appetite framework. Think of risk appetite akin to the North Star or a point on a compass, and a risk appetite statement like a country’s constitution. Figure 1 illustrates sample excerpts of what a risk appetite statement might articulate.

Figure 1: Risk Appetite Statement

This article expands on the components of a risk appetite framework and suggests an approach for developing and implementing it within your organization. The sometimes-intangible concepts of ERM are connected to how we as actuaries apply and adhere to our organizations’ risk appetites daily. As you read, you will gain understanding regarding how your organization empowers you to act in its best interest.

Risk Appetite Framework

A risk appetite framework comprises all activities utilized to determine risk appetite, monitor actual risk taking and manage risk exposures to remain within risk tolerances. An organization’s risk appetite framework aids decision-making, holds staff accountable and supports the organization’s culture. Representative principles¹ upon which it is developed are shown in Figure 2.

Figure 2: Principles of a Risk Appetite Framework

A best practice framework is not only defensive, but also opportunistic. The board of directors, C-suite and senior management share responsibility for the development and governance of the risk appetite framework. The framework is reinforced by strategic and operational policies, guidelines, statements, processes and governance. Monitoring adherence to the organization’s risk appetite is a responsibility shared by all staff.

Refining an Organization’s Risk Appetite

Once guiding principles have been determined, one effective approach to further refine risk appetite is to leverage a questionnaire,² using variations of these questions:

What are our objectives?
- Objectives likely will be aligned with protecting and growing franchise value, maintaining adequate and efficient levels of capital, maintaining liquidity to satisfy obligations and achieving target performance.
What are our risk categories, and what is the tolerance for each?
- Common risk categories are strategic, credit, market, insurance, operational and reputational. Tolerance will be high for some, such that they are sought out and appropriately managed, while low for others, such that exposures are kept to a minimum.
What is our attitude regarding uncertainty in achieving our objectives?
When faced with decision-making, how willing are we to put achievement of each objective at risk?

The process, demonstrated in Figure 3, will drive focused discussions, ultimately resulting in content for a risk appetite statement.

Figure 3: Development Process

As Figure 4 illustrates, a rating scale can be used for certain questions whereby, for example, “1—Averse” would indicate zero or near-zero tolerance and avoidance of the risk at all costs, and “5—Tolerant” would indicate a high level of tolerance and acceptance of the risk in order to exploit associated gains.³

Figure 4: Risk Appetite Questionnaire

The questionnaire should be sent to senior leadership for completion. Answers should then be aggregated, summarized and shared for reactions. They can be shared and discussed both one-on-one and in small groups, which lend themselves to robust discussion.

Information gathered through the questionnaire process and subsequent discussions provides content for an initial draft of the risk appetite statement, which can be iterated to completion with senior leadership. The final risk appetite statement contains the overarching sentiment of senior leadership for risk preferences and tolerances, and it serves as a guide for the rest of the organization. As denoted by Figure 5, risk appetite is cascaded to different organizational areas and levels by confirming existing policies, procedures, monitoring and metrics, and by expanding linkages to risk appetite.

Figure 5: Risk Appetite Framework

Rooting Risk Appetite in Culture

The organization’s risk and other management committees have oversight responsibility for assuring risk appetite is cascaded to all areas and levels of the organization and that appropriate monitoring occurs. These committees also are responsible for making sure business lines have action plans if risk exposures breach certain tolerances or limits, and for assuring decisions are consistent with risk appetite. Business units, in turn, are responsible for determining risk limits, and utilizing and refining existing policies, procedures, monitoring and metrics.

Risk limits⁴ are operational controls established at the level of the organization that manages risk on a day-to-day basis and should be relatively easy to measure and monitor. They serve a dual purpose: to ensure enough risk is being assumed while also limiting excessive risk taking. Some risk limits are “hard limits” for which action must be taken immediately to remediate a breach. Other risk limits are “soft limits” for which monitoring is intended to drive discussion, heighten awareness and influence decision-making—immediate remedial action is not necessary.

Making the link between existing practices and risk appetite encourages a culture that operates with a risk management mindset and empowers staff. Employees are accountable for identifying and enhancing programs to keep risk exposures within the organization’s risk appetite, leveraging risk limits and action triggers as needed. With support from oversight committees, frontline staff are responsible for developing and assuring an escalation process exists to ensure appropriate actions are taken commensurate with each breach. In a mature state, staff proactively anticipate potential risk limit breaches rather than react to them.

Practical Applications: Bringing It All Together

So, how do actuaries consider risk appetite each day? Perhaps not always explicitly, but they inherently understand uncertainty in achieving objectives and naturally consider alternatives. The following examples summarize ways in which actuaries consider risk appetite, risk tolerances and necessary trade-offs in their day-to-day work.

For certain organizations, these examples may represent current activities to actively manage risks and monitor risk profiles, while for others they may represent opportunities to impact the organization’s financial positioning against its risk appetite. Regardless, all examples serve as useful tools to drive discussion, strategy considerations and decision-making.

Example 1: New Business Pricing

Many actuaries focus on new product development and pricing, with the goal of achieving an expected financial return. In doing so, assumptions are made, such as expected business mix (gender, age, etc.). In reality, actual business mix always varies from expectations. What are the reactions to an unanticipated mix of business? What if the greatest proportion of business sold is in the most unprofitable sectors?

As new business is obtained, actual characteristics are compared to pricing assumptions to determine the impact on expected future returns. Variances are assessed, and adjustments are made. Voilà! Monitoring and managing against risk appetite is achieved.

To address new business variances, consider potential actions for altering new business sales and profitability. Can underwriting guidelines or premium rates be adjusted? Can commission scales be altered? Does the company need to stop selling the product? Potential actions fall along a broad spectrum from less severe to more severe.

Example 2: Risk Profile Assessment/Dashboard

A risk profile assessment is a point-in-time review of the organization’s risk exposures measured against its risk tolerances and limits. The assessment can be either quantitative or qualitative, and it may be performed at various levels of granularity.

A simple example of a quantitative risk profile assessment is the National Association of Insurance Commissioners (NAIC) risk-based capital (RBC) ratio. This ratio can provide a sense of overall risk exposure, with implications if the ratio is too high or too low. Capital usually is managed to be within a certain range. The range is reflective of risk appetite, and the bookends constitute the risk limits. Monitoring against risk appetite leads to decision-making and actions such as increasing diversification (to improve the capital ratio) or investing in a new product line (putting excess capital at risk to fulfill the fundamental purpose of an insurance organization).

A more detailed quantitative assessment might take the form of a risk limit dashboard. Risk limits should be developed for each major driver of risk, such as mortality, persistency or business mix (see Figure 6 for a basic representation). Color and arrow indicators measure against each stated risk limit (within, watching, outside) and express trend (improving, unchanged, deteriorating) based on the recent past and expectations regarding the future. The dashboard should also drive discussion and action taking—each hard or soft risk limit should have an associated set of actions should a breach occur.

Figure 6: Risk Limit Dashboard

Management may request a more qualitative risk profile assessment for a specific business line. It would ideally consider risk exposures, concern level (high, medium, low) and recent movement (improved, minimal change, worsened). Management actions (actual or expected) could be summarized, along with their expected impact. Such an assessment empowers ownership and accountability.

Example 3: Sensitivity Testing

Sensitivity testing is used to understand potential volatility of future results and to inform and monitor risk appetite and risk limits. Individual sensitivity tests can be created for key risk exposures calibrated to a similar likelihood. For example, a sensitivity test on mortality reflecting a one-in-20 year occurrence (i.e., 5% likelihood in a given year), could be applied to understand impact on expected results, reserves and/or capital. After applying similarly calibrated sensitivity tests for all key risk exposures, management can use this information to define risk appetite. After risk appetite has been identified, sensitivity testing can then be used to determine if expected volatility falls within risk appetite. Figure 7 illustrates the impact of sensitivity results and their relationship to risk appetite.

Figure 7: Sensitivity Testing

The dials represent the impact of sensitivity tests for mortality, claims incidence and persistency on expected results. Sensitivity tests have been calibrated to one-in-20 year events. The relationship of the impact to risk appetite is represented with colors—green (within), yellow (watching) and red (outside).

Example 4: Economic Capital

A frequently used metric for risk appetite is economic capital. Determining economic capital requires considering the entire organization’s balance sheet and indicates the total level of assets needed to assure solvency through extreme yet plausible events. The calculation builds on sensitivity testing for individual risks and aggregates results with consideration for diversification. Measuring and managing economic capital within a certain range is how many organizations understand and manage their risk appetite.

Conclusion

The concept of risk appetite may not be in all actuaries’ vocabulary; however, it is inherent in their practice. Establishing a clear link between what actuaries do and the importance of helping our organizations operate within their risk appetite increases the likelihood of fulfilling organizational objectives, strategy, vision and values. The value to our profession and our industry lies in shifting from a reactive approach to a proactive one with respect to risk appetite and potential breaches.

Rebecca B. Scotchie, FSA, MAAA, is a principal at Oliver Wyman in Atlanta, Georgia.

Christopher H. Murphy, ASA, is a consultant at Oliver Wyman in Atlanta, Georgia.

The views or opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Oliver Wyman.

References:

1. CRO Council and CRO Forum. Establishing and Embedding Risk Appetite: Practitioners’ View. CRO Council and CRO Forum, December 2013, (accessed March 21, 2019). ↩
2. Acknowledgment to the Gartner Risk Management Council for guidance. ↩
3. Ibid. ↩
4. Supra note 1. ↩