How to Manage 'Model Risk' (and Win)

One of the fastest-growing concerns on insurers’ enterprise risk agenda is managing model risk. From being a phrase that primarily actuaries and other modelers used, “model risk” has become a major focus of regulators and the subject of intense activity and debate at insurers. How model risk management has evolved from ad hoc efforts to its current stage is an interesting story. But more interesting still is what we believe could be its next stage – generating measurable business value. Generating measurable business value is model risk management’s next developmental stage. Ad Hoc Organizing and using experience to predict future claims is core to the business of insurance. Recognizing the importance of models, insurers and industry professionals, particularly actuaries, have long incorporated model reviews into their work. As new models were introduced or changes made to existing ones – especially if third-party systems were involved – insurers were careful to ensure consistency between old and new models. Additionally, internal and external auditors’ procedures recognized the risk that models entail and incorporated verification and testing in their processes. See Also: Secret Sauce for New Business Models? What distinguishes this earliest stage is not that model risk was ignored but rather that model risk management was dispersed and generally informal. Practices differed across the industry, across different types of professional organizations and across different parts and functions within an insurer. Standards for documentation, both of the models and the validation process, were largely absent. Typically, not all models were reviewed. Establishing a comprehensive inventory of all significant models was not the norm. Likewise, it was not common for insurers to follow consistent procedures to validate models across the enterprise. Reactive Although a comprehensive guide to help banks mitigate potential risks arising from reliance on models was available as early as 2000, concerted attention to the issue in insurance can be dated to the Great Recession and its aftermath. In reaction to the events of 2008/2009, regulators and insurers themselves revisited their risk management processes and governance. The U.S. Federal Reserve Board took the lead in promulgating new requirements for the banking sector, including supervisory guidance on model risk management issued in 2011. Many insurers, especially those designated as systematically important financial institutions (SIFIs), have been working to adopt these guidelines. In 2012, the North American CRO Council released its model validation principles for risk and capital models, which included eight core validation principles. For insurers operating in Europe, Solvency II provided the potential to use an internal model to establish their capital requirements. To take advantage of this opportunity, insurers needed to adhere to model validation expectations prescribed by regulators. In the U.S., the ORSA Guidance Manual requires insurers to describe their validation process. Reacting to the 2008/2009 crisis and regulators’ demands, insurers began to establish the key elements of an enterprisewide model risk management program:

• Governance and independence policies;
• An inventory and risk assessment of all significant models; and
• Documentation and validation standards.

Only after these basic building blocks had been put in place did insurers developed the practical experience to begin their transition to the next, active stage. Active The reactive stage and the beginning of the active stage effectively started in 2014. In the early months of that year, PwC conducted a survey of 36 insurers operating in the U.S. The survey provided the opportunity for participants to assess their programs across 10 dimensions characterizing the key elements of a monitoring and reporting mechanism (MRM) process. Modal responses across these dimensions were typically “weak” or “developing.” Almost all insurers admitted they had work to do and indicated that they had plans in place to improve their processes. In the intervening two years, we have observed a significant investment in MRM capabilities. In the absence of detailed insurance-focused regulatory guidelines, most insurers have shaped their developments to best fit their own circumstances. For example, while there has been a near-uniform increase in resources allocated to MRM, how insurers deploy these resources has differed significantly. Some have formed large centralized model management functions, and others have allocated most of the validation responsibility to business units. How the responsibilities are dispersed across risk, actuarial, compliance and audit functions vary considerably. We expect that most of these differences are attempts to fit the task to the insurer’s existing structure and culture. Likewise, we have seen insurers, both individually and as a group, more actively develop procedures that better fit the unique circumstances of the insurance sector instead of banking or financial services in general. Three areas in which the insurance sector is increasing its attention are:

1. Incorporating the unique aspects of actuarial models and the development of standards by actuarial professional organizations;
2. Emphasizing the process of assumption setting and the governance of this process; and
3. Emphasizing monitoring and benchmarking necessitated by the long time frame and the lack of market data to measure the performance of many insurance models.

Productive Recent discussions with forward-thinking insurance company executives and board members leads us to think a fourth stage may be next. The common theme is recognition that an insurer’s key asset is the information it possesses and the models it has developed to turn this information into support for profit-generating decisions. Seen in this light, models are not inconveniences substituting for “real” data. Rather, they are the machinery that insurers use to turn their raw materials (data) into salable, profitable costumer solutions. See Also: How to Remove Fear in Risk Management Model risk management then becomes the mechanism to ensure this machinery is performing at its best. This includes the normal activities that one would associate with maintenance, like finding and correcting inadequate performance. But, it also provides a way to determine how better machinery can be developed and brought online. In many respects, the transition to this stage mirrors the transition that has occurred in risk management in general. Not too long ago, risk management was seen as a strictly defensive activity. It was more about saying “no” than finding the right opportunities to say “yes.” Now, risk management is seen as an important strategic activity that plays a central role in an insurer’s deployment of capital and its selection of growth opportunities. Putting models and the data that feeds them at the center of an insurer’s value creation engine, instead of at its periphery, provides a new perspective. And, by moving model risk management to the productive stage, insurers can better use this new perspective to address customer expectations in an information-rich environment. Implications

• Model risk management is no longer an ad hoc or reactive activity. An active approach is now a necessity to meet internal and external stakeholder demands.
• Insurers are attempting to develop model risk management practices that fit the needs of their industry. They will need to continually communicate to regulators, standards setters and other stakeholders how the business of insurance has unique characteristics compared with elsewhere in financial services.
• Models are among insurers’ greatest assets, and the machinery that they use to turn data into salable, profitable costumer solutions. Putting models and the data that feeds them at the center of value creation can provide new perspectives that better address customer expectations. Model risk management becomes the tool to keep this machinery productive.