Tag Archives: economic capital

Cognitive Dissonance and the CRO

Could F. Scott Fitzgerald have had chief risk officers (CROs) in mind when he wrote, “The test of a first rate intelligence is the ability to hold two opposed views in the mind at the same time and still retain the ability to function”?

Probably not. But, based on recent discussions with some leading insurance CROs and my own experience in the industry, there are a surprising number of circumstances where a CRO needs to accommodate two opposing views. Exploring these circumstances can shed some interesting light on how the CRO role has evolved over the last several years and where it may be heading.

CROs’ early focus was on the development and implementation of economic capital and a concerted effort to meet enhanced regulatory expectations. It is now more nuanced.

Economic capital: A rule that needs to be followed and a model that needs to be questioned

The development and utilization of economic capital (EC) is a good starting point to explore the CRO’s cognitive dissonance. Economic capital is a powerful and indispensable concept; arguably the most powerful weapon in the CRO’s arsenal. It allows insurers to quantify many of their most important risks in precise monetary terms that can be translated into precise actions. Like, “add this much to the product price to accommodate its risks” or “buy this asset not that asset because it has a better risk-adjusted return.”

For economic capital to do its work, it needs to be a rule that is followed. From its most comprehensive manifestation – the expected level of capital that the insurer should hold – to the tolerances and limits that inform pricing decisions and individual asset transactions, insurers need to build economic capital values into their decision-making fabric.

At the same time, the CRO recognizes that the economic capital values are model output. They depend on a lot of assumptions. And the underlying methodology, that risk is best quantified as the upper bound of a high confidence interval such as 99% or 99.5%, is only one of many meaningful options. The CRO should develop insight into how other assumptions and methodologies would affect business decision making. Furthermore, risk managers also need to employ completely different tools, like stress testing. And these could lead to new and conflicting insights that the CRO needs to reconcile with economic capital’s definitive outcomes.

The dissonance engendered by economic capital presents a particular challenge for CROs with long experience in insurance ERM. More than any other development, economic capital was the progenitor of enterprise risk management (ERM). Before economic capital, ERM consisted primarily of risk lists and heat maps. Economic capital provided a solid foundation to decision making, particularly related to credit and market risks in the period leading up to and during the last recession. But, as the industry evolves, and credit and market risk taking has stabilized and often declined, new risk and new ways of managing risk need more attention. CROs who grew up with economic capital as the defining feature of their job may need to exert special effort to champion non-EC tools’ decision making potential.

See also: Insurance CROs: Shifting to Offense  

As Isaiah Berlin noted in “The Fox and the Hedgehog,” “A fox knows many things but a hedgehog one important thing.” Considering the importance of EC in the emergence of ERM, it is reasonable to think of the risk function as a very quant-oriented one. Calculating EC is a complex undertaking requiring a high level of mathematical and financial acumen. Certainly it is a great example of “one important thing.”

However, other, equally important aspects of the CRO role need a much broader vision. In keeping an eye out for emerging sources of risk and new challenges, it would be good to know “many things.” We have noticed that successful operational risk management efforts feature a multifaceted mindset when helping businesses recognize and manage these risks. Contrast this with model risk management where a more singled-minded focus is required.

Even within the narrow world of some traditional risk thinking, taking a broader view could yield innovative and profitable outcomes. For example, mortality and longevity risk is almost universally viewed one way: from a retrospective experience perspective, with mortality rates varying by age and gender. Risk values are generated by shocking these rates; upwards for mortality (representing the impact of a pandemic) and downward for longevity (representing significant medical advances in treating deadly diseases). But broader, informed thinking by someone or a group could find an alternative, likely one that looks at underlying fundamentals and uses advanced analytics to develop better and more actionable insight.

As ERM continues to develop, both hedgehogs and foxes are necessary. And the CRO needs to be able to effectively communicate with and manage both.

Putting a price on priceless information

In a business that is all about taking risk, most senior management teams certainly would rank good information about risk as essential to the effective management of their business. To call this information “priceless” would not be an exaggeration.

The last recession put great pressure on regulators and, through them, on insurance companies to quickly upgrade their risk capabilities. For many regulators, the cost of achieving these upgrades was much less of a concern than thoroughness and completeness. Both of these forces, business need and regulatory pressure, put significant demands on the risk function. Faced with these demands, it has been fairly easy to put programs and people in place that address acute needs without being unduly constrained by program price.

However, the absence of price constraints has obvious negative implications. Any business has limited resources. And, for much of the insurance industry, the trends in customer demands and purchase/service platforms is away from high-margin options. Furthermore, the lack of spending discipline can easily lead to maintaining a status quo that overspends on some areas and ignores others. As priceless as good risk information can be, some is more valuable than others, and some can be produced with the same value but at a lower cost.

Implications: Where is ERM heading and how can CROs prepare?

The CRO’s role has evolved significantly over the last several years. CROs’ early focus was on the development and implementation of EC and a concerted effort to meet enhanced regulatory expectations.

See also: Major Opportunities in Microinsurance  

The trend now is more nuanced. CROS are trying to address more qualitative risks and incorporate a business-centric focus. With this in mind, we offer some suggestions:

  1. CROs would do well to take stock of their current ERM program inventory. What are the approximate costs of different programs? Are they meeting objectives and are those objectives still as important as when the programs were initially established? Is there an overlap? For example, does stress testing address only the same risks EC already covers effectively, and if so, would it make sense to deploy resources in a different way?
  2. In taking stock of current benefits, ERM efforts that enhance shareholder value should be receiving high priority. Considerations focused on pricing and new business challenges present a good opportunity to use risk knowledge to add value, not just conserve it.
  3. Lastly, consider if reshaping emphasis across the program portfolio requires some ERM team members to alter their orientation, e.g. behave more like “foxes.” Or, if there’s a need, consider adding new team members with the required skills and mindset.

As ERM continues to develop, both hedgehogs and foxes are necessary.

ERM Is Ignoring 4 Key Tasks

Over the last decade, economic capital has captured the risk management spotlight. Recognizing its merits, insurers have deployed economic capital for many uses. Regulators now rely on it, too — especially internationally — and have put it at the center of their prudential regulatory agenda.

Economic capital (defined as value at risk over a year) has two unique and extremely useful characteristics. First, the concept can be applied to any event with an uncertain outcome where a probability distribution of the outcomes can be postulated. Thus, insurers can value, in a consistent and comparable manner, very different risky events — such as mortality claims, credit losses and catastrophic property damages. Second, economic capital calculated for a portfolio of risks can be readily subdivided into the economic capital attributable to each risk in that portfolio. Or, alternatively, economic capital calculated at the individual risk level can be aggregated to economic capital at the portfolio level and beyond, across portfolios to the enterprise level.

However, there are four critical enterprise risk management (ERM) tasks for which economic capital is not an effective tool; unfortunately, because of this, we have observed a tendency for risk managers to de-emphasize those tasks and sometimes ignore them altogether. We believe this should change.

See also: How to Improve Stress Testing  

In response to these shortcomings, insurers should take full advantage of stress testing, a valuable risk management tool that is on par with economic capital in terms of its potential to help solve problems and improve performance. And, because stress testing enables insurers to tackle many of the important tasks that economic capital cannot, it gives insurers the opportunity to double the size of their risk management tool kit and thereby double their ERM output.

Liquidity

By design, economic capital assumes assets and liabilities can be monetized at their formulaic values — that is, at the values derived from the probability distributions’ assumptions. But, as we saw in the credit crisis of 2008-09, credit markets can seize up under extreme stress. When that happens, many assets — regardless of their formulaic value — cannot be sold at any price. Because of this, economic capital is not an effective tool to understand and manage liquidity risk.

To address the risks posed by insufficient liquidity, insurers need to play out meaningful stress events and postulate how they might affect both the ability to monetize assets and the asset’s price if they can be monetized, as well as critically assess the ability to actually access pre-arranged credit in the event these stress events unfold. Then, with an understanding of the likely challenges these stresses may impose, insurers can test the effectiveness of the potential mitigating strategies that they can deploy immediately or when stress events begin to unfold. Selecting and documenting the most effective options can become the insurer’s liquidity risk management game plan.

Diversification

Diversification is a cornerstone of effective insurance underwriting and risk management. The industry acknowledges the benefit of diversification across similar, independent risks and is able to apply considerable mathematical rigor to measuring this benefit. However, matters become less certain when attempting to quantify diversification across dissimilar risks such as mortality, credit and catastrophe. Extending the benefits of economic capital across risks requires that the capital amounts assigned to different risk types be combined.

Recognizing that extreme outcomes for each risk type are not likely to occur simultaneously, the combined capital requirement is typically calculated as the sum across risk types, with a credit given for diversification.

Deciding how much credit should be assigned for diversification is a critical question in establishing the enterprise’s total required capital. Unfortunately, historical information about the precise interaction of disparate extreme events is sparse.

Empirically, establishing diversification credits is difficult at best and is largely impossible for some combinations. For enterprise risk capital, a best guess may have to suffice. But, just because such a guess is sufficient for the purpose of ascribing required capital, it does not follow that it is sufficient for other purposes — particularly for charting a course of action across all risk types in the event of an extreme risk occurrence.

Stress testing is useful for this purpose. Playing out the series of interactions and events that could follow from a catastrophe such as an epidemic will yield much more actionable information than guessing the magnitude of the diversification credit. Constructing a future scenario that thoughtfully considers how an extreme event in one risk type will have an impact on others is key. These impacts occasionally are asymmetric and not easily accommodated in a standard diversification credit matrix. For example, we can be fairly certain that an extreme drop in equity values will not have significant impact on mortality rates. Conversely, it would seem imprudent to assume that an extreme pandemic would not have any impact on equity values.

Business risks

In a survey of insurance company board members and CROs that PwC conducted in June, the area where board members felt more attention would be most beneficial was “searching for, understanding and finding ways to address new risks” — meaning risks outside of traditional insurance, credit and market. Upon further discussion with the survey respondents, it became clear that they are not as interested in esoteric dialogues on black swans or unknown unknowns as they are in addressing more practical questions about currently evident business risks. In particular, survey respondents want to understand how those risks could materialize in ways that have an impact on their companies and how to mitigate those impacts.

Using stress testing to map out the impact of these business risks will help insurers assess how serious the risks are. The stress projection can measure the impact on their future financial condition after a risk event. And if the impact is significant, they can further deploy stress testing to map out potential management actions to reduce the risk’s likelihood of impact or mitigate damage if the impact occurs. Having an effective course of action is far better than hoping black swans won’t materialize.

Excessive capital

If insurers use only the economic capital tool, then there is a real risk that it will become a hammer, rendering everything in its path a nail. On discovering a new risk, the most likely reaction will be to call for more required capital. However, in the case of, for example, liquidity and business risk, a more effective approach is to use stress testing to create a plan for reducing or eliminating the risk’s impact.

Likewise, seeing economic capital as the sole means of addressing insurer insolvency can lead to an overly restrictive regulatory agenda that focuses only on the economic capital formula. This unfortunately appears to be the case in the development of some required capital standards. We think a more productive approach would be to recognize that no economic capital formula will ever be perfect, nor can one formula fit all business and regulatory needs around the world. Instead, a simpler formula augmented with stress testing can form a more effective, globally consistent solvency management framework.

Moving to the next level

In the paper we published earlier this year about the results of our stress testing survey, we noted that stress testing is well established in the insurance industry. Insurers use it for many purposes, and it has had significant impact. In fact, 36% of survey respondents indicated they have made key decisions markedly differently than prior to or without stress testing. A further 29% indicate stress testing has had a measurable influence (though no single key decision came to mind). The paper also identifies areas where only a little more effort can yield substantial benefit: through a clear definition of stress testing, through more thoughtful stress construction and through building a more robust stress testing platform.

See also: Risk Management: Off the Rails?  

To get the most advantage from stress testing, we have two further suggestions: 1) Insurers should apply a governance framework commensurate with stress testing’s status, and 2) insurers should advocate its use in new areas.

A good governance framework should include policies and procedures, documentation, model validation and independent review, as well as review by internal audit. Board and senior management oversight is also important. While our survey report notes that boards usually receive stress testing results from management, we recommend that management engage the board more in the stress selection process.

While stress testing certainly can add additional insight to insurance, credit and market risk analysis, economic capital already provides a good foundation in these areas. We recommend that insurers use stress testing, in particular, to tackle business risks where economic capital is not an effective tool. This includes new threats like cyberterrorism and their reputational impact. Stress testing can also be useful for understanding the risk of missed business opportunities, such as the failure to address how emerging trends in technology and customer behavior may have an impact on future sales and earnings potential.

We believe that the scope for the application of stress testing is as significant as for economic capital. And as with economic capital, once an effective tool comes into use, many more useful risk and business management applications will ensue.

Modernization: CRO Faces New ‘Unknowns’

Internal and external demands have resulted in the clarification and expansion of the role of the chief risk officer and the risk management function. Internally, senior management and the board see the merit of using key risk information. Ensuring the company is managed within its risk appetite enables it to best utilize its resources to take advantage of changing competitive needs and strategic opportunities. Externally, U.S. and global regulators are articulating clear expectations for the role of the CRO and governance of the risk function, as well as the role of the board in risk management and the CRO’s and risk function’s relationship with the board. These demands emphasize the need for clear policies and processes with appropriate documentation and governance.

As little as 10 years ago, the risk function was novel at most companies, and there were almost as many models of how to organize and manage the function as there were insurers. This has changed. Leading practice is becoming clearer, and expectations are now more consistent and defined. However, boards and regulators are increasingly inquiring about new “unknowns”: data security, cyber terrorism, reputational risk and competitive obsolescence. All of these also fall under the CRO’s purview and increase demands on risk resources.

The case for change

The risk function is the newest among the direct stakeholders that insurance modernization directly affects, and there are a number of important implications and outcomes.

  • No existing “pipes” – For the majority of North American risk functions, many risk calculations and resulting reports are very recent creations. Very few have a solid network of pipes that transmit data and input through models and calculations onward to result in verifiable and controlled information. Therefore, compared with many other functions that modernization affects, the risk function does not need to dismantle existing pipes. However, it is critically important that, as insurers plan and develop these new pipes, they do so in cooperation with other stakeholders. If they do not, then the risk function may find itself unnecessarily tearing up what should be a common roadway.
  • From build to oversee – While internal and external changes affect all stakeholders, the risk function is unique in that its very nature also is changing. When the risk function originally came into being, it was the CRO’s and his staff’s responsibility to create the models and capability needed to support the function. Now, as risk infrastructure takes shape, management, boards and other stakeholders are asking the CRO and risk function to play a key role in governance and control. This brings into question how best to manage and oversee both the risk and overall corporate infrastructure. Can and should these be responsibilities of the risk function, and, if not, who should be responsible for managing this infrastructure?
  • Process and documentation – Much of the newly built infrastructure was constructed quickly and in a “learn by doing” mode. Much of it is parallel to but not coordinated with activity in other areas, especially actuarial. As companies have mapped processes and documented assumptions, models and output, functional overlaps have become clearer. In many cases, clarification and resolution of the overlaps will be necessary to enable rational enterprise level mapping and non-duplicative documentation.
  • Demonstrated engagement – The CRO and risk management staff (with input from actuarial, investment, finance and others) support the foundation on which risk information is built Increasingly, the board and regulators are asking for holistic engagement in agreeing on assumptions and methodologies, not just siloed input from subject-matter experts. The risk function increasingly is being asked: Are the business managers – the first line of defense –in agreement? And, is their collective engagement substantive and verifiable?
  • Governance – As the board’s role in risk management and risk taking becomes clearer, many boards and regulators recognize the need to include major risk and strategic initiatives under the oversight umbrella. They look to the CRO to be the conduit of information between them and the insurer. This strongly suggests that the CRO should have insight into modernization initiatives that go beyond just the risk function.

In a modernized company, a synergy of efficient processes with clearly defined stakeholder expectations exists among risk, actuarial, finance and technology (RAFT). The modernized risk function will share a common foundation of data, methods and assumptions and tools and technology with the other RAFT functions. (Naturally, the risk function will have certain unique processes that build on this foundation.) Finally, enterprise compatible business management, HR, reporting and governance all channel the process to its apex: intelligent decision making.

  • Data – The organization, with significant risk input, clearly defines its data strategy via integrated information from commonly recognized sources. The goal of this strategy is information that users can extract and manipulate with minimal manual intervention at a sufficient level of detail to allow for on-demand analysis.
  • Methods and analysis – Modern risk organizations emphasize robust methods and analysis, particularly the utilization of different approaches to arrive at insight from more than one perspective. Key to proper utilization of multiple methods is confidence that different outcomes are not the result of inconsistent inputs but rather truly reflect new insight.
  • Tools and technology – Up-to-date tools and technology help the risk function gather, analyze and share information faster, more accurately and more transparently than ad hoc end-user computing analysis. With modern tools and technology, risk personnel can devote the majority of their time to understanding and managing risk rather than programming and running risk models.
  • Stress testing – Stress testing has become a key weapon in the risk management arsenal. Test results convey risk information to senior management, the board and regulators. Resulting impacts on capital under stress scenarios become key to capital planning and calibrating economic capital (EC) models. Moreover, these tests are fully integrated in financial planning and the finance function’s agenda.
  • EC/Capital modeling – Economic capital calculations continue to be an important tool for decisions at all levels, from strategic to micro-level asset trading and product design. A modernized organization fully integrates these models with key actuarial activities, and the process and results help the company more effectively plan for and manage risk. Results are available quickly, and efficiency of the process allows for extensive “what if” testing.
  • Validation – A comprehensive model risk management structure is in place. The company routinely validates new models and model changes. Assumption consistency is transparent across risk, actuarial and finance. The company verifies data integrity and uses a model inventory to weed out duplication and overlap. Savings more than pay for model risk management (MRM) costs.
  • Human capital – Risk functions employ more inquisitive and analytical analysts. The emphasis is on managing risk, not running models. A significant portion of the group devotes its time to understanding emerging trends and investigating potential new threats to the organization. Clear organizational design facilitates working in a collaborative manner with other control functions and business managers.
  • Governance – Risk plays a key role in governance and risk appetite is well established. Decision making throughout the organization incorporates risk in a transparent manner. This is in large part because of confidence in risk output because data and input is consistent with finance and actuarial analytics, models are validated and senior management and the board understand key assumptions and limitations.

The benefits

Realizing ERM’s promise requires more than just complex economic capital and value at risk (VAR) models. It requires confidence in these models and an understanding of their key assumptions and limitations. This confidence and understanding need to be pervasive – from risk, finance and actuarial personnel themselves, through line of business leadership, up to senior management and the board.

With a modernized platform in place, CROs and risk functions can turn their attention to managing risk, not calculating and reconciling numbers, as well as providing management and board with the best tools for intelligent decision making, confidence in capital deployment and competitive strategies consistent with risk appetite and capacity.

Critical success factors

Plan ahead and in concert with other stakeholders. The risk function is in the unique position of not having to dismantle infrastructure, but it definitely does need to build on it. The function’s relative youth and lack of legacy encumbrances mean it is in an ideal position to be a leader in modernization initiatives.

Moreover, the risk function has both an opportunity and an obligation to raise concerns about the risks involved in modernizing in an uncoordinated way or the risk to the insurer’s competitiveness from not modernizing at all.

Call to action – Next steps

Look for quick wins, like faster processing, more transparency, deeper insight, but stay true to the long-term plan. Some of these quick wins can be cost savings opportunities. For example, an inventory of documented models can reduce the number of models (and associated maintenance cost) by weeding out redundancies. In addition, the company can streamline internal reports when all areas use the same foundational data and calculations. Moreover, the company may be able to rationalize multi-jurisdictional, external and regulatory reporting.

The Case for Modernizing Insurance

Several drivers of change are compelling insurance companies to re-evaluate and modernize all aspects of their business model and operations. These drivers include new and rigorous expectations from regulators and standards, increasing demands for more relevant and useful information, improvements in analytics and the need for operational transformation.

The modernization creates considerable expectations for finance, risk and actuarial functions, and potentially significant impacts to business strategy, investor education, internal controls, valuation models and the processes and systems underlying each – as well as other fundamental aspects of the insurance business. Accordingly, insurers need more sophisticated financial reporting, risk management and actuarial analysis to address complex measurement and disclosure changes, regulatory requirements and market expectations.

Three key areas to look at:

Regulation and reporting

Changes in regulatory and reporting requirements will place greater demands on finance, risk and actuarial functions. Issues include:

  • Changing global and federal regulation (e.g., Federal Insurance Office, Federal Reserve oversight)
  • ComFrame, a common framework for international supervision.
  • Principle-based reserving
  • Own Risk and Solvency Assessment (ORSA), the Solvency II initiative that defines a set of processes for decision-making and strategic analysis
  • Solvency reporting measures
  • Insurance contract accounting

Information and analytics

Stakeholders are demanding more information, and boards and the C-suite need new and more relevant metrics to manage their businesses. Issues include:

  • Economic capital
  • Embedded value
  • Customer analysis and behavioral simulation
  • New product and changing underwriting parameters

Operational transformation

Those in charge of governance are demanding that the data they use to manage risk and make decisions be more reliable and economical. Issues include:

  • Updated target operating models
  • Centers of excellence
  • Enterprise risk management (ERM), model risk management and governance
  • New framework from the Committee of Sponsoring Organizations (COSO), a joint initiative of five private-sector organizations that provides thought leadership on ERM, internal controls and fraud deterrence
  • Optimization of controls, and efficiency studies

These drivers of change, which affect every facet of the business — from processes, systems and controls to employees and investor relations — have significant overlaps, and insurers cannot deal with them in isolation. To meet emerging challenges and requirements, simply adding processes or making one-off, isolated changes will not work.

Systems, data and modeling will have to improve, and the finance, actuarial and risk functions will need to work together more closely and effectively than they ever have before to meet new demands both individually and as a whole.

Moreover, all of this change is imminent: Over the next five years, leading companies will separate themselves from their competitors by fully developing and implementing consistent data, process, technology and human resource strategies that enable them to meet these new requirements and better adapt to changing market conditions.

The insurers that wind up ahead of the game will excel at creating timely, relevant and reliable management information that will provide them a strategic advantage. Legacy processes and systems will not be sufficient to address pending regulatory and reporting changes or respond to market opportunities, competitive threats, economic pressures and stakeholder expectations. Companies that do not respond effectively will struggle with sub-par operating models, higher capital costs, compliance challenges and an overall lack of competitiveness.

In subsequent articles, we will take a closer look at those leaders/business units that need to modernize.

 Eric Trowbridge, a senior manager, contributed to this article.