It may be hard to believe, but enterprise risk management (ERM) has become mainstream. ERM processes exist today at essentially every major insurer operating in well-established insurance markets. Regulators across the globe have some type of own risk and solvency assessment (ORSA) requirement, facilitated by the International Association of Insurance Supervisors’ adoption of Insurance Core Principle 16. Evaluating insurer ERM is now embedded into the rating criteria of each major credit rating agency.
The actuarial profession has made significant contributions to the advancement of many key components of the ERM process, including risk identification, assessment and decision-making. However, its main achievements, arguably, have been in the area of risk quantification. As I reviewed all of the ERM modeling practices I have utilized over the course of my career, I was struck by their ambition and comprehensiveness, as well as the challenge in making them transparent and intuitive to key stakeholders.
Logical and Not-so-humble Beginnings
Before getting into where ERM modeling stands today, it is instructive to review how it all started. As with most evolutionary processes, there is no single find in the archives that definitively establishes a genesis of the first ERM model. Rather, different parts of the profession moved toward its conceptualization from their own unique vantage points. In short, the roots of today’s ERM models can be found in previous actuarial models constructed for different purposes. Those models were leveraged and modified to paint the larger mosaic of risk being sought after.
Life and annuity actuaries have long performed total company projections, built from the ground up using policy-level information. Output includes future premiums, claims, withdrawals and surrenders, investment income, expenses and other key financial statement items. Aggregation across blocks of business provides a total legal entity viewpoint under specific assumptions. New York Regulation 126 and the National Association of Insurance Commissioners (NAIC) Actuarial Opinion and Memorandum Model Regulation were established in the 1980s, leading to the modern-day Appointed Actuary and the use of cash-flow testing in asset adequacy analysis. This provided life insurers a view into interest rate risk exposures. Life valuation actuaries went beyond prescribed scenarios, utilizing economic scenario generators (ESGs) to capture exposure to other financial risks, such as equity market volatility. Beyond reserve testing, these models were readily adapted through adding capital requirements and profits released adjustments to calculate the embedded value of the business, providing useful information on the drivers and risks of long-term value.
Concurrently, actuaries at property and casualty (P&C) insurers began creating ground-up models of business projected over multiple years. These dynamic financial analysis (DFA) models also project key financial items that capture exposure to uncertainty in both claim and investment experience. They also utilize ESGs and tie claim costs to parameters such as inflation and interest rates. DFA models differed from their life and annuity counterparts in that they incorporated new business into projections. Insurers found several nonregulatory applications for them, including capital management, reinsurance, pricing, and mergers and acquisitions. Indeed, DFA models contained many of the seeds of modern-day ERM models.
The ERM Modeling Opportunity
The ERM wave began gaining momentum at the turn of the millennium, inspired by many risk events that occurred during that time. Examples include the dot-com boom and bust; several major accounting scandals; the Sept. 11, 2001, terrorist attacks; and the advent of cyberattacks. The failure of the hedge fund Long-Term Capital Management illustrated that an individual firm of sufficient size, scope and interconnectivity could threaten the viability of financial markets. In the insurance industry, low interest rates combined with other adverse experiences exposed the risks of variable products and long-term care. It was recognized that risks beyond underwriting and investment needed to be considered, and scenarios involving multiple risks manifesting concurrently needed to be assessed.
Furthermore, company management was looking for risk-adjusted performance measures to aid strategic decisions and ensure they were compensated for the risks they took. Everything from product enhancements to business dispositions would be subject to a risk lens. Risks would be prioritized for better resource allocation. Budgets would be sized appropriately for audit, compliance and cybersecurity. Protection levels would be analytically set for dynamic hedging, corporate insurance and reinsurance programs.
Regulators and credit rating agencies would be assuaged that company risks were known and well-managed, with the knowledge impacting business decisions. They thought that with more efficient financial examinations and better credit ratings, perhaps lower capital requirements would result. Focus on these stakeholders helped shape initial ERM modeling efforts around capital.
The Rise of Economic Capital
Most ERM modeling discussed in actuarial literature focuses on economic capital (EC). In this context, EC initially was defined as the amount of capital an insurer needs to cover its risks based on a specified security standard, usually without consideration of any external constraints, such as desired credit ratings or regulatory minimums. Ignoring these constraints does not seem economical at all, and as discussed later, more EC models today are incorporating them.
Early forms of EC were developed based on a modified-factor approach, similar to NAIC risk-based capital (RBC). Most risks are quantified by applying a factor to a measure of risk exposure. For example, the credit risk of a fixed-income investment is calculated by applying a factor to the book or market value of that investment, where the factor captures the relative risk of the investment based on its individual characteristics. Similarly, mortality risk typically is captured by applying a factor to the net amount of each policy at risk, with the factor varying by the characteristics of the insured and the policy itself.
Other risks are quantified based on the modeling results of blocks of business with exposure to those risks. The nature and complexity of the risks do not lend themselves well to a factor approach. These typically include market risks such as interest rate, equity and foreign exchange that can be captured using cash flow testing models in conjunction with an ESG. Another category is catastrophe risk, arising from either natural or manmade perils, which is often captured using third-party vendor models. The C3 phase 1 and phase 2 portions of the life RBC formula and the catastrophe risk charge in the P&C RBC formula are the regulatory capital parallels.
A key modeling decision is the model time horizon. Since life insurers write long-term liabilities, one approach is to capture the total risk over the run-off period of policies in force, plus one to three years of new business. This requires the insurer to hold the present value of capital needed over the run-off period—this is the approach taken in C3 RBC phases 1 and 2. The primary alternative is a one-year horizon. This amounts to “just in time” capital and is the horizon for the standard formula in Solvency II. Usage of the shorter time horizon usually is accompanied by a higher security standard—the solvency capital requirement in Solvency II targets a 99.5 percent value at risk (VaR). The model horizon and security standard are harmonized with how factors are developed.[1]
Individual risk amounts are aggregated using a variance-covariance matrix reflecting the expected co-movement of risks. Note the square root of sum of squares approach used in the RBC formula is a special form. In early iterations of EC, operational risks were often the last step. They were an add-on calculated as either a percentage of premium (e.g., RBC) or as a gross-up of aggregate capital (e.g., 15 percent). This simplified approach reflects the lack of operational risk data and the heterogeneity of such risks.
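The aggregation step described above, as an added Python example that is not from the article: standalone capital amounts are combined through a correlation matrix, an identity matrix reproduces the square root of sum of squares special case, and operational risk is applied last as a 15 percent gross-up. The capital figures and correlations are constructed, and the function names are hypothetical.

```python
import math

def is_valid_correlation(corr, tol=1e-9):
    """True if corr is symmetric, has a unit diagonal and is positive semidefinite."""
    n = len(corr)
    for i in range(n):
        if len(corr[i]) != n or abs(corr[i][i] - 1.0) > tol:
            return False
        if any(abs(corr[i][j] - corr[j][i]) > tol for j in range(n)):
            return False
    low = [[0.0] * n for _ in range(n)]  # Cholesky factor; a negative pivot means not PSD
    for i in range(n):
        for j in range(i + 1):
            s = corr[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                if s < -tol:
                    return False
                low[i][i] = math.sqrt(max(s, 0.0))
            elif low[j][j] > tol:
                low[i][j] = s / low[j][j]
            elif abs(s) > tol:
                return False
    return True

def aggregate(standalone, corr):
    """Variance-covariance aggregation: sqrt(s' R s)."""
    if not is_valid_correlation(corr):
        raise ValueError("correlation matrix is not symmetric positive semidefinite")
    n = len(standalone)
    return math.sqrt(sum(standalone[i] * corr[i][j] * standalone[j]
                         for i in range(n) for j in range(n)))

def with_operational_gross_up(aggregate_capital, gross_up=0.15):
    """Operational risk as the last step: a percentage gross-up of aggregate capital."""
    return aggregate_capital * (1.0 + gross_up)

def diversification_benefit(standalone, corr):
    """Simple sum of standalone amounts minus the aggregated amount."""
    return sum(standalone) - aggregate(standalone, corr)

# Constructed figures (not from the article): credit, market, underwriting capital.
STANDALONE = [300.0, 400.0, 1200.0]
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
CORRELATED = [[1.0, 0.5, 0.0], [0.5, 1.0, 0.0], [0.0, 0.0, 1.0]]

if __name__ == "__main__":
    for name, corr in (("independent", INDEPENDENT), ("correlated", CORRELATED)):
        agg = aggregate(STANDALONE, corr)
        print(name, round(agg, 1), round(with_operational_gross_up(agg), 1),
              round(diversification_benefit(STANDALONE, corr), 1))
```

The validity check rejects correlation assumptions that cannot all hold at once, such as three risks pairwise correlated at 0.9, 0.9 and -0.9.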
One early example in ERM modeling took place shortly after the turn of the century and involved the U.S. subsidiary of a major European financial services company with large banking operations. Because of the overwhelming amount of enterprise risk capital due to the market and credit risks of the European parent, the marginal EC requirements of the U.S. insurance operations were a fraction of its gross capital charges. The EC model assumed no correlation between underwriting and asset risks, and the bulk of the diversification benefits generated were allocated to the U.S. insurance operations. The EC model result indicated that the U.S. insurance operations needed capital well below what the rating agencies expected.
Getting the agencies to agree with the company view hinged on alignment of model correlation assumptions and the fungibility of capital flows across legal entities. Obtaining such buy-in is a multiyear process that includes clear demonstration that the model is driving business decisions (the “use test” criteria).
Recent EC Model Developments
Since that time, EC models have evolved in a number of ways.
1. Models employ fewer factors and model more risks directly. Some models have abandoned the factor approach altogether. A subset of these calculate EC holistically by modeling all risks concurrently and then allocating capital to each risk source and business unit based on the results and security standard selected (there are well-established mathematical procedures for performing this, such as the Ruhm-Mango-Kreps capital allocation algorithm). The increase in direct modeling has been accompanied by increased model testing, governance and validation. In particular, correlations and extreme events are scrutinized for their plausibility.
2. Modeling advancements have occurred for certain risks common to many organizations. More data has been collected on credit risk and operational risks, such as cyber, financial statement errors and litigation. Both trends allow for more precise risk measurement.
3. EC is calculated for each legal entity on a stand-alone basis unless it is demonstrated that capital shortfalls will be reimbursed by another entity in the holding company family on a timely basis.
4. The modeling time horizon coincides with the business plan. This allows for the synchronization of capital planning with projected growth. New business projections are included.
5. Capital requirements also are projected over the plan horizon, under normal conditions and stress scenarios.
ORSA requirements have driven many of these trends. Nos. 1 and 2 from this list align more closely with the principles embedded in Section 2 of the ORSA manual. The other three enhancements address expectations for Group Capital Assessment spelled out in Section 3.[2]
Treasury-based Approach to EC
There has been convergence toward a methodology that brings ERM into the treasurer’s office and largely mirrors the Federal Reserve’s stress tests of large banking groups. This approach supplies critical information on the riskiness of future cash flows within a given holding company system. The steps in this approach are:
- Project required capital for each entity under the business plan over the horizon based on external constraints from rating agencies and regulators. This necessitates setting ratings and capital ratio targets.
- Project actual capital for each entity under the business plan over the horizon based on future profitability projections from the businesses and capital management actions from treasury operations.
- Assess any capital redundancies and deficiencies under the plan.
- Repeat the three prior steps for each risk scenario that management has specified for inclusion as part of its risk appetite statement on capital adequacy.
- Based on the modeling results, determine in consultation with the businesses and treasury operations whether the business plans and/or capital management actions need to be adjusted to satisfy risk appetite.
I led the initial implementation of such an approach in 2012, and with some procedural refinements, it remains in place today. It has been the cornerstone of ORSA quantification for the company, and it has provided valuable input into share repurchase, reinsurance purchase, and mergers and acquisition decisions. The model output resonates with the C-suite and the board of directors. The approach has been reviewed favorably by two leading ERM consulting firms.
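The five steps listed above, as an added Python example (not the author's model or any company's): required and actual capital are projected per entity over the plan horizon, redundancies and deficiencies are computed, and the run is repeated for a stress scenario. All figures, entity names, scenario factors and function names are constructed assumptions.

```python
from collections import namedtuple

# base_requirement: external (regulator or rating agency) requirement per plan year
# target_ratio: management's target multiple of that requirement
# plan_earnings / dividends: business profit and treasury capital action per plan year
Entity = namedtuple(
    "Entity", "name opening_capital base_requirement target_ratio plan_earnings dividends")
# earnings_factor / requirement_factor: per-year multipliers applied under the scenario
Scenario = namedtuple("Scenario", "name earnings_factor requirement_factor")

def project(entity, scenario):
    """First three steps for one entity: (required, actual, surplus) per plan year."""
    rows, actual = [], entity.opening_capital
    for t, base in enumerate(entity.base_requirement):
        required = base * entity.target_ratio * scenario.requirement_factor[t]
        actual += entity.plan_earnings[t] * scenario.earnings_factor[t] - entity.dividends[t]
        rows.append((required, actual, actual - required))  # surplus < 0 is a deficiency
    return rows

def deficiencies(entities, scenarios):
    """Fourth step: repeat per scenario; return (scenario, entity, year, shortfall)."""
    found = []
    for sc in scenarios:
        for ent in entities:
            for year, (_, _, surplus) in enumerate(project(ent, sc), start=1):
                if surplus < 0:
                    found.append((sc.name, ent.name, year, -surplus))
    return found

# Constructed figures for illustration only.
ENTITIES = [
    Entity("Life Co", 1000.0, [200.0, 220.0, 240.0], 4.0, [100.0, 110.0, 120.0], [50.0] * 3),
    Entity("P&C Co", 500.0, [100.0] * 3, 3.0, [40.0] * 3, [20.0] * 3),
]
PLAN = Scenario("plan", [1.0] * 3, [1.0] * 3)
STRESS = Scenario("market stress", [-2.0, 0.5, 1.0], [1.25, 1.25, 1.0])

if __name__ == "__main__":
    # Fifth step input: the rows printed here are where business plans or
    # capital management actions would need adjusting to satisfy risk appetite.
    for row in deficiencies(ENTITIES, [PLAN, STRESS]):
        print(row)
```

With these constructed inputs both entities are redundant under the plan, while the stress scenario leaves only the life entity short in each of the three years.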
Going Beyond Capital
The past decade has witnessed the emergence of a comprehensive approach to quantify all risks, including strategic and operational risks. Studies of past corporate failures have shown that 60–65 percent were caused by strategic risks, and another 20–30 percent were caused by operational risks. Yet these risks can be overlooked when focusing exclusively on capital.[3]
The value-based ERM approach, authored by ERM thought leader Sim Segal, marries traditional ERM techniques with value-based management. Risk is defined as any deviation—upside or downside—in company value from its baseline amount as calculated under the company’s strategic plan. Company value is the present value of free cash flows to the company’s owners discounted at its cost of equity. Scenarios are created for all key risks based on “Failure Modes and Effects Analysis.” They include estimated impacts to key financial items from their baseline values to recalculate company values under each scenario.[4]
The value-based ERM model is simultaneously a dynamic strategic planning tool and an economic capital model, both of which capture key volatility and can be run rapidly to inform decision-making at the highest levels. The model projects statutory financials; required capital ratios; and key metrics such as company value, capital ratios and so on at the business subsegment level, rolled up to segment, legal entity and total company levels.[5]
The value metric highlights risks less emphasized under capital-centric measurement. In my experience, the value metric helped identify and quantify risks that were not pure loss events (e.g., asset write-downs during a financial crisis or natural catastrophe claims). Risks of changes in regulation (e.g., health care reform), systems obsolescence driving loss of distribution, adverse litigation outcomes damaging company brand and disruptive competitors are all modeled as reductions in future profitable business as well as increased claims and expenses. This adds a critical dimension to ERM.
ERM modeling will continue to evolve, driven internally by the need for more accurate and timely risk information and by external stakeholder requirements for reporting on risks and capital. Practitioners will continue refining existing methodologies built on pro forma projections. Data analysis of risk events will become more formalized, providing ERM modelers regularly updated assumptions. Advancements in machine learning (ML) and artificial intelligence (AI) may be the impetus of future models.
ERM model leaders will continue to evaluate the trade-offs between the transparency and intuition of simpler approaches, and the robustness and detailed insights offered by complex models. Both deterministic and stochastic scenarios will play a role, with the former leaned on for risk messaging and the latter used for quantifying nonlinear risks (e.g., options). Both will be used for setting risk appetite and limits.
Capital will remain the primary focus for many insurer ERM programs. However, models will adapt to capture other metrics such as earnings volatility and value impacts. The result will be a robust dashboard of output addressing the multiple perspectives to be considered in effectively managing enterprise risk.
- 1. Swain, Robin, and David Swallow. 2015. The Prudential Regulation of Insurers Under Solvency II. Quarterly Bulletin. Bank of England.
- 2. ORSA Subgroup of the Financial Condition Committee. 2014. Own Risk and Solvency Assessment (ORSA) Guidance Manual. Kansas City, Missouri: National Association of Insurance Commissioners.
- 3. Segal, Sim. 2011. The Corporate Value of Enterprise Risk Management. Hoboken, New Jersey: John Wiley and Sons.
- 4. Ibid.
- 5. Ibid.
Copyright © 2020 by the Society of Actuaries, Schaumburg, Illinois.