Tag Archives: ingram

2 Shortcuts for Quantifying Risk

Most companies that take up risk management start out with subjective frequency-severity assessments of each of their primary risks. These values are then used to construct a heat map, and the risks that are farthest away from the zero point of the plot are judged to be of most concern.

This is a good way to jump-start a discussion of risks and to develop an initial process for prioritizing early risk management activities. But it should never be the end point for insurers. Insurers are in the risk business.  The two largest categories of risks for insurers — insurance and investment — are always traded directly for money.  Insurers must have a clear view of the dollar value of their risks. And with any reflection, insurance risk managers will identify that there is actually never a single pair of frequency and severity that can accurately represent their risks. Each of the major risks of an insurer has many, many possible pairs of frequency and severity.

For example, almost all insurers with exposure to natural catastrophes have access to analysis of their exposure to loss using commercial catastrophe models. These models produce loss amounts at a frequency of 1 in 10, 1 in 20, 1 in 100, 1 in 200, 1 in 500, 1 in 1000 and any frequency in between. There is not a single one of these frequency severity pairs that by itself defines catastrophe risk for that insurer.

Once an insurer moves to recognizing that all of its risks have this characteristic, it can now take advantage of one of the most useful tools for portraying the risks of the enterprise, the risk profile. For a risk profile, each risk is portrayed according to the possible loss at a single frequency. One common value is a 1 in 100 frequency. In Europe, all insurers are focused by Solvency II regulations on the 1-in-200 loss. Ultimately, an insurer will want to develop a robust model like the catastrophe model for each of its risks to support the development of the risk profile. But before spending all of that money, there are two possible shortcuts that are available to rated insurers that will cost little to no additional money.

SRQ Stress Tests

In 2008, AM Best started asking each rated insurer to talk about its top five risks.

Then, in 2011, in the new ERM section to the supplemental rating questionnaire, Best asked insurers to identify the potential impact of the largest threat for six risk types. For many years, AM Best has calculated its estimate of the capital needed by insurers for losses in five categories and eventually added an adjustment for a sixth — natural catastrophe risk.

Risk profile is one of the primary areas of focus for good ERM programs and is closely related to these questions and calculations. Risk profile is a view of all the main risks of an insurer that allows management and other audiences the chance to compare the size of the various risks on a relative basis. Often, when insurers view their risk profile for the first time, they find that their profile is not exactly what they expected. As they look at their risk profile in successive periods, they find that changes to their risk profile end up being key strategic discussions. The insurers that have been looking at their risk profile for quite some time find the discussion with AM Best and others about their top risks to be a process of simplifying the detailed conversations that they have had internally instead of stretching to find something to say that plagues other insurers. The difference is usually obvious to the experienced listener from the rating agency.

Risk Profile From the SRQ Stress Tests

Most insurers will say that insurance (or underwriting) risk is the most important risk of the company. The chart below, showing information about the risk profile averaged for 31 insurers, paints a very different story. On average, underwriting risk was 24% of the risk profile and market risk was 30%. Twenty of the 31 companies had a higher value for market risk than underwriting risk. For those 20 insurers, this exercise in viewing their risk profile shows that management and the board should be giving equal or even higher amounts of attention to their investment risks.


Stress tests are a good way for insurers to get started with looking at their risk profile. The six AM Best categories can be used to allow for comparisons with studies, or the company can use its own categories to make the risk profile line up with the main concerns of its strategic planning discussions. Be careful. Make sure that you check the results from the AM Best SRQ stress tests to make sure that you are not ignoring any major risks. To be fully effective, the risk profile needs to include all of the company’s risks. For 20 of these 31 insurers, that may mean acknowledging that they have more equity risk than underwriting risk – and planning accordingly.

Risk Profile From the BCAR Formula

The chart below portrays the risk profiles of a different group of 12 insurers. These risk profiles were determined using the AM Best BCAR formula without analyst adjustments. For this group of companies on this basis, premium risk is the largest single category. And while there are again six risk categories, they are a somewhat different list. The risk category of underwriting from the SRQ is here split into three categories of premium, reserve and nat cat. Together, those three categories represent more than 60% of the risk profile of this group of insurers. Operational, liquidity and strategic risks that make up 39% of the SRQ average risk profile are missing here. Reinsurer credit risk is shown here to be a major risk category, with 17% of the risk. Combined investment and reinsurer credit is only 7% of total risk in the SRQ risk profile.


Why are the two risk profiles so different in their views about insurance and investment risks? This author would guess that insurers are more confident of their ability to manage insurance risks, so their estimate of that risk estimated in the stress tests is for less severe losses than the AM Best view reflected in the BCAR formula. And the opposite is true for investment, particularly equity risk. AM Best’s BCAR formula for equity risk is for only a 15% loss, while most insurers who have a stock portfolio had just in 2008 experienced 30% to 40% losses. So insurers are evaluating their investment risk as being much higher than AM Best believes.

Neither set seems to be the complete answer. From looking at these two groups, it makes sense to consider using nine or more categories: premiums, reserves, nat cat, reinsurer credit, bond credit, equities, operational, strategic and liquidity risk. Insurers with multiple large insurance lines may want to add several splits to the premium and reserve categories.

Using Risk Profile for Strategic Planning and Board Discussions

Risk profile can be the focus for bringing enterprise risk into the company’s strategic discussions. The planning process would start with a review of the expected risk profile at the start of the year and look at the impact on risk profile of any major proposed actions as a part of the evaluation of those plans. Each major plan can be discussed regarding whether it increases concentration of risks for the insurer or if it is expected to increase diversification. The risk profile can then be a major communication tool for bringing major management decisions and proposals to the board and to other outside audiences. Each time the risk profile is presented, management can provide explanations of the causes of each significant change in the profile, whether it be from management decisions and actions or because of major changes in the environment.

Risk Profile and Risk Appetite

Once an insurer has a repeatable process in place for portraying enterprise risk as a risk profile, this risk profile can be linked to the risk appetite. The pie charts above focus attention on the relative size of the main types of risks of the insurer. The bar chart below features the sum of the risks. Here the target line represents the expected sum of all of the risks, while the maximum is an aggregate risk limit based upon the risk appetite.


In the example above, the insurer has a target for risk at 90% of a standard (in this case, the standard is for a 400% RBC level; i.e. the target is to have RBC ratio of 440%). The plan is for risk at a level that produces a 480% RBC level, and the maximum tolerance is for risk that would produce a 360% RBC. The 2014 actual risk taking has the insurer at a 420 RBC level, which is above the target but significantly below their maximum. After reviewing the 2014 actual results, management made plans for 2015 that would come in just at the 440% RBC target. That review of the 2014 actual included consideration of the increase in profits associated with the additional risk. When management made the adjustment to reach target for 2015, its first consideration was to reduce less profitable activities. Management was able to make adjustments that significantly improve return for risk taking at a fully utilized level of operation.

Emerging Risk of 2015: Outsourcing

Outsourcing might just be the most common business management earnings booster of the past 10 years. Which means that it is also a top candidate for becoming a major emerging risk in the near future.

The idea of outsourcing is an extension of the fundamental logic of capitalism: specialization. Processes are good candidates for outsourcing when there are other firms that can perform the same service at a significantly lower cost.

Cost Advantages

When you start looking at a potential outsourcing situation, you need to understand the source of the cost advantage. There are several possible drivers:

  • Higher efficiency
  • Lower wages paid to the people performing the outsourced work
  • Lower overhead for the outsourcing partner

But there are other ways that a cost advantage might come about that are not as desirable:

  • Lower safety and health standards
  • Lower spending on quality control
  • Lower amount of slack resources that can be available when a machine breaks or a key person gets sick
  • Lower-quality source materials

How to Control Risks of Outsourcing

If an outsourced process is not only out of sight but also out of mind, this emerging risk may become a current problem.

There are two basic ways of controlling the risks of outsourcing: by specifying standards at the outset of the arrangement and by inspection of the process and output on a continuing basis.

But with the explosion of outsourcing over the past 10 years, even firms that had set down extensive and clear standards at the time of the original agreement and that have allocated the needed resources for inspection of the processes and outputs are at risk from the complacency that comes from the the passage of time without serious incident, the changing individuals on both sides of the agreement and the changing pressures on both organizations.

An outsourced process is out of sight. If it also becomes out of mind, then it will likely move out of the emerging risk category into the current problem category.

This article first appeared on WillisWire.

The Key Role for Stress Tests in ERM

In the world of mechanical engineering, stress testing involves subjecting a mechanism to extreme conditions, considerably beyond the intended operating environment, to determine the robustness of the device and the circumstances under which it might fail. Financial stress testing is much the same.

What is a Financial Stress Test?

Generally speaking, a stress test is an assessment of the financial impact of changing a specific variable, without regard to the likelihood of this change.

Often, all other factors remain constant (even if this is not especially realistic). Sometimes the point of the test is to determine failure modes: A reverse stress test determines the magnitude of change necessary to induce financial ruin.

The term scenario test is often used to describe an assessment of the financial impact of a specific event (again, without regard to that event’s likelihood), in which the testers seek to reflect realistically the impact of this event on all aspects of the firm.

So, a scenario test involves a more holistic look at possible circumstances rather than altering a specific variable in isolation.

Unlike probabilistic simulation modeling, stress testing:

  • Is concrete and intuitive
  • Does not require selection of probability levels
  • Does not require understanding of overall dependencies among linked risks
  • Avoids “black-box syndrome”

Stress tests can be used as a primary risk measure: assessing the level of a specific risk, measuring aggregate risk level, setting risk tolerances or evaluating the benefit of risk mitigation. Tests can also be used to verify the calibration of more complex risk models.

Examples of Stress Tests

Stress tests and scenario tests have a long history and have been broadly applied. Deterministic financial projections readily lend themselves to stress testing.

For example, Willis Re’s eNVISION financial forecasting model allows users to easily change the value of a single parameter and see how that change affects key metrics.

S&P's Stress Events

Click image to see it at full size.

An example of scenario testing is Standard & Poor’s use of past market stress events, pegging them to a rating level. In other words, a company with a BB rating should be able to get through a “BB event” without defaulting.

A blend of stress and scenario testing can be seen in the A.M. Best approach. Since 2011, the rating agency has asked insurers to estimate the impact of the largest potential threats to the firm arising from six different types of risk: market risk, credit risk, underwriting risk, operational risk, strategic risk and liquidity risk – each using a specific “Risk / Event / Scenario” combination designed by the company.

For example, in terms of market risk one could consider a stock market scenario based on the events of 2008, or a three-percentge-point rise in interest rates such as that experienced in 1994.

The lessons of recent events have also led regulators to look to stress tests to assess how well the market could stand up to adverse events.

The Solvency II process has seen the European Insurance and Occupational Pensions Authority (EIOPA) run such a stress test in 2011, which examined resilience under three scenarios of varying severity.

Each included deterioration in market, credit and insurance risk variables. Regulators will increasingly expect insurers to evidence such stress testing as part of their overall solvency management.

While it is easy to develop scenarios that reflect prior experience, it is a much more difficult proposition to consider scenarios that factor in emerging or as yet unknown risks.

The Lloyd’s emerging risk reports provide interesting examples of the extensive work that is being carried out to try and increase understanding and awareness of risk.

Natural Catastrophe Analysis

Another example of stress testing can be seen in the realm of natural catastrophe analysis. While sophisticated simulation models are quite well accepted for certain perils and regions (such as U.S. hurricane and earthquake), other catastrophe models are not so far advanced.

For example, the modeling of severe convective storm — tornado and hail — still faces significant shortcomings and is subject to significant model risk; for other perils, such as brushfire and sinkhole subsidence, there may be no model at all.

That’s why many companies prefer to use stress tests and scenario tests to assess their catastrophe exposure, supplementing stochastic models in some cases.

Willis Re’s SpatialKey geospatial platform, including stress testing apps such as eXTREME Tornado, is one example of a tool that facilitates this approach.

We understand that the International Association of Insurance Supervisors (IAIS) is considering a scenario test approach for its developing insurance capital standards for Globally Systemically Important Insures (G-SIIs) and Internationally Active Insurance Groups (IAIGs).

Calibration and Interpretation

When creating a stress test, analysts typically calibrate by ensuring that it ranks among real events of appropriate magnitude — and, while likelihood is not necessarily considered in stress testing, the frequency of real events of comparable magnitude may guide the design of the stress test.

An understanding of this calibration provides context for the numerical results of the stress test.

When reviewing the results of a stress test or scenario test, the first question to ask is: What does this say about the firm’s resiliency? As in the Standard & Poor’s example, the results may indicate a level of security that is either higher or lower than desired.

Given the concrete, intuitive nature of stress tests and scenario tests, these results facilitate communication with senior managers, the board of directors and other stakeholders.

When only a single variable is test, the explanatory power of the test is clear. And when using a scenario test, the “story” of the scenario enables company leaders to think concretely about its financial effects, how the firm could respond and what might be done to prevent a loss that large in the first place.

Overall, stress tests and scenario tests deserve a prominent place in a strong enterprise risk management program: they do much to foster a healthy risk culture.

This article originally appeared on WillisWire.

The Right Way to Test for Solvency

We can know, looking back at last year, how much risk an insurer was exposed to. And we can simply look at the balance sheet to see how much capital they held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent at the end of last year? Not really useful information. Unless…

Unless you make an assumption about the future. Not an unusual assumption. Just the common assumption that the future will be like the past.

That assumption is usually okay. Let’s see. In the past 15 years, it has been correct four or five times. But is that record good enough for solvency work — a system that might give the right answer a third of the time?!

There is a solution. Regulators have led us right up to that solution but haven’t yet dared to say what it is. Perhaps they do not know, or even are not thinking that the backward looking problem has two aspects. We are making two heroic assumptions:

  1. We are assuming that the environment will be the same in the near future as it was in the recent past.
  2. We are assuming that the company activity will be the same in the near future as it was in the recent past.

The regulatory solution based on these two shaky assumptions is:

  1. Stress scenarios
  2. A look forward using company plans

Solution 1 can help, but solution 2 can be significantly improved by using the enterprise risk management (ERM) program and risk appetite.

You may have noticed that regulators have all said that ERM is very important. And that risk appetite is a very, very important part of ERM. But regulators have never, ever, explained why understanding risk appetite is important.

Well, the true answer is that it can be important. It can be the solution to one part of the backward-looking problem. The idea of looking forward with company plans is a step in the right direction.  But only a half step. The full solution is the Full Limits Stress Test.

That test looks forward to see how the company will operate based on the risk appetite and limits that management has set. ERM and risk appetite provide a specific vision of how much risk is allowed by management and the board. The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.

So the Full Limits Stress Test would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows. That can then be combined with the stress scenarios regarding the external environment.

Now, the Full Limits Stress Test will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of the firm within the risk appetite. For firms that do not have such a system in place, the Full Limits Stress Test needs to substitute some large amount of growth of risk, because that is what industry experience tells us can happen to a firm that has gone partially or fully out of control with regard to its risk taking.

The connection between ERM and solvency becomes very substantial and realistic:

  • A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program. The overall risk appetite will place a limit on the degree to which all individual risk limits can be reached at the same time.
  • An otherwise similar firm with a risk management program and loose risk appetite will need to hold more capital.
  • A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
  • A firm without a risk management program will need to hold capital to support the risks that history tells us that a firm with uncontrolled growth of risk might take on in a year. A track record of informal control of risk growth cannot be used as a predictor of the range of future performance. (It may be valuable to ask all firms to look at an uncontrolled growth scenario, as well, but firms with a good risk control process will be considered to have prepared for that scenario with their ERM program.)
  • A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.

With this Full Limits Stress Test, ERM programs will then be fully and directly connected to solvency in an appropriate manner.


5 Issues for Boards on Risk Appetite

Many have struggled to find and articulate a risk appetite. It is actually not too hard to find, if you know where to look. It is right there – on the border.

Risk appetite is the border between the board and management. Once management has proposed a risk appetite and the board has approved it, then management is empowered to take risks. As long as the risks are within the risk appetite, then management does not need to inform the board until after taking those risks. If management plans to take risks that are outside of the risk appetite, then executives must go to the board in advance for permission.

That, of course, is just the bare minimum communication with the board about risk. There are five topics that make up a good level of board communications:

1. Risk appetite and plan
2. Risk position and profile
3. Top=risk mitigation and capabilities
4. Emerging risks
5. Major changes to risk environment and risk plan

The first and last items are the subject here. The other topics will be covered in later posts.

Notice that the first item on the list above is appetite AND Plan. Before discussing risk appetite, both management and the board need to be very familiar with the company’s historic levels of risk and the intentions for risk level. If there is no history of risk planning, it is totally premature to even discuss risk appetite.

It is doubtless true in all cases that management has vast experience with risk taking, as well as experience with risk taking that ended up creating losses or other undesirable adverse consequences. But unless there has been experience of planned and monitored risk taking, there is a natural propensity to start with the presumption that, in the past, the highest-risk activities are those that ended in losses and that activities that did not end up with losses were lower-risk. While losses are a good indication of one sort of risk, they are not the only way to assess risk.

Imagine the risk of an earthquake in a specific area. There have been no earthquake losses there in living memory. But that doesn’t mean that there is no risk. There was a devastating earthquake there just 150 years ago, thus there is certainly some potential for future events.

Risk is not loss, and loss is not risk. Risk is the potential for loss. It only exists in advance of an event. Loss is the negative outcome of an event.

Risk appetite sits on another border. That is the border between regular and extraordinary – mitigation, that is. For each of the major risks of a firm, we have a regular process for control, mitigation and treatment of risk that we have and and that we acquire. We also should have some idea of what we might do if the level of risk gets out of hand. For example, a life insurer writing variable annuities might have a hedging program that is used to mitigate unwanted equity market risk. A P&C insurer might have a reinsurance program to lay off excess aggregations of property risk. A bank might have a securitization program to mitigate the portion of mortgage risk that it does not want to keep. In all three cases, an unexpected jump in closing rate or a new very successful distributor might suddenly cause the level of residual risk after normal mitigation to become excessive.

Usually, this is evidenced by a weakening solvency margin. The company must go into extraordinary mitigation mode. That means that for the risk that has become excessive, or for another risk if they have a nimble risk steering function, there will need to be some major change in operations to bring the level of risk back into line. The choices for these extraordinary mitigations may be simple adjustments to the normal mitigation processes, a shift in hedging targets, a drop in the reinsurance retention or an increased emphasis on securitizing all tranches. But most often these extraordinary mitigations involve real changes to plans, such as a change in pricing structure, risk acceptance procedures, a change in product or distribution strategy to discourage the least profitable or highest risk sales or a change in a share buy-back plan. In the most extreme cases, there might be a need to temporarily shut down the source of the excessive risk.

Unexpected losses might also cause a sudden shift downward in risk capacity and therefore in risk appetite. In such cases, extraordinary mitigations will favor options that might speed the rebuilding of capital. In the most extreme cases, the final stage mitigation would be to sell an entire operation along with the embedded risk exposures.

Almost all of those extraordinary mitigation choices are not decisions that management prefers for businesses. But good managers have some advance idea of the priority order in which they might apply those tactics as well as the triggers for such actions. Those triggers are the boundary for risk taking. They are reflective of the risk appetite.

So if you recognize that risk appetite is this boundary condition, you realize that the talk you hear in some places of “allocating risk appetite” is not the approach that you want to take. What you really need is a risk target that is allocated. The risk target is your plan. It is not totally “efficient,” but there should be a buffer between the risk target and the risk appetite. That buffer allows for the fact that we do not control and may not even immediately notice all of the things that might cause our risk level to fluctuate, but we need a risk target because risk appetite is really the border that we hope not to cross.