RISK MANAGEMENT PRACTICE COMMITTEE

Information Note: Actuarial Advice regarding Risk Management of a Life Insurer (LPS220), General Insurer (GPS220), or Superannuation Fund (SPG200)

Release date: TBC

Contents
1. INFORMATION NOTE STATUS
2. BACKGROUND
3. SUMMARY OF CONCLUSIONS
4. CONSIDERATIONS
APPENDIX: Extracts from LPS220, GPS220, SPG200

1. INFORMATION NOTE STATUS

1.1 This Information Note was first published in [DATE] and was prepared by the Professional Standards Sub-Committee of the Risk Management Practice Committee of the Institute of Actuaries of Australia (“Institute”). This Information Note does not represent a Professional Standard of the Institute. It has been prepared to assist Appointed Actuaries in their role in providing actuarial advice regarding the suitability and adequacy of risk management frameworks that might be required under APRA Prudential Standards LPS 220, GPS 220, SPG 200 and related APRA Guidance Notes. The Note aims to achieve a degree of consensus on the requirements of these prudential standards, and to suggest ways in which Appointed Actuaries might satisfy themselves as to the appropriateness of the risk management framework to their organisation. This Information Note does not constitute legal advice.

Although the stated objective of this Note is to provide guidance on satisfying the actuarial requirements relating to risk management under the relevant APRA Prudential Standards and Guides, references are also made to the ways in which actuaries may more specifically assist in strengthening the risk management frameworks of life insurers, general insurers, and superannuation funds. The actuarial profession should remain vigilant, identifying opportunities to appropriately enhance an entity’s risk management framework. Taking opportunities to assist in shaping sound risk management and governance processes can help to ensure protection against a wide range of potential adverse scenarios.
1.2 Feedback from Institute Members is encouraged and should be forwarded to the Professional Standards Sub-Committee.

2. BACKGROUND

2.1 Purpose of this note

The purpose of this note is to provide guidance for Appointed Actuaries and their support staff in assessing the suitability and adequacy of their company’s Risk Management Framework, a requirement of APRA’s Risk Management Prudential Standards. The main requirement for a life or general insurance Appointed Actuary is that he/she must include an assessment of the suitability and adequacy of the risk management framework as part of the annual investigation of the company’s financial condition. This note aims to outline aspects of the company’s risk management framework that an Appointed Actuary could consider in forming this opinion.

APRA is in the process of preparing a similar note for superannuation businesses, and as such, superannuation is outside the scope of this note. Interested readers are referred to “Discussion Note: Risk Management for Superannuation Funds” <include reference>.

2.2 Rationale for explicit inclusion of ERM framework review within Prudential Standards / Guides

APRA notes in the Life Prudential Standard on Risk Management that:

“Risk management is an essential component of a life company’s ability to deal with its internal and external sources of risks and, therefore, its capacity to reduce and manage any adverse effects on its policy owners, operations and reputation.”

Whilst regulating capital can provide financial security for policyholders and superannuation fund members, sound risk governance processes can provide broader protection to a wider group of stakeholders. In 2007, APRA released two prudential standards relating to Risk Management – LPS 220 and GPS 220 – that aim to ensure that companies maintain a risk management framework and strategy that is appropriate to the nature and scale of their operations.
It is recognised that large, complex financial institutions will typically require sophisticated risk management frameworks that are complete and effective, whilst smaller, simpler organisations might use less sophisticated approaches. In other words, one size does not fit all.

2.3 Previous actuarial ERM considerations within legal and prudential frameworks within Australia

Risk management has long been a feature of the actuary’s role within the insurance industry in Australia, but historically formed part of the Actuary’s assessment of the company’s ability to meet its financial obligations to policyholders and part of actuarial advice regarding the appropriateness of the terms and conditions of products, pricing, reserving and reinsurance.

2.1 Definition of ERM

There is no single definition of Enterprise Risk Management. Ultimately, businesses need to define what Enterprise Risk Management means to them in the context of their operations and the types and complexities of the risks that they face.

The Institute of Actuaries of Australia defines Enterprise Risk Management as follows:

Enterprise Risk Management is the process by which organizations in all industries assess, control, exploit, finance, and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders.

Broadly, Enterprise Risk Management is the management of risks across the whole of an organisation in a structured and consistent manner, taking into account the relationships between the risks, and includes the methods and processes used by companies to manage risks and identify opportunities. Enterprise Risk Management typically involves identifying risks and opportunities relevant to the organisation’s ability to meet its objectives, assessing the likelihood and severity of these risks, determining an appropriate response, and the ongoing monitoring of the risks and of the management actions taken to address them.
By identifying and addressing risks in this manner, and by focusing on upside as well as downside risks, businesses protect and grow their business in a profitable and sustainable manner, creating value for their stakeholders.

There are two key elements that separate Enterprise Risk Management from traditional risk management.

The first differentiating element is applying risk management techniques consistently across the whole of an enterprise. Risk management techniques have traditionally been applied in a ‘silo’ manner, with different business units being responsible for the management of risks and few risks being managed consistently across the enterprise. An example of this is underwriting risks being managed in the underwriting team, perhaps with little regard to the overall product offering or the organisation’s tolerance for the insurance risks being accepted. Enterprise Risk Management aims to avoid a ‘silo’ approach to risk management, allowing management to understand the interactions and interdependencies between risks faced by different business units. It also aims to ensure that the organisation’s risk exposure is considered after allowing for any diversification and for the concentration of risks across business units.

The second differentiating feature of Enterprise Risk Management is that it requires integration of risk management and measurement into business processes. This includes incorporating risk considerations into strategic planning processes, ensuring that a company’s strategy is aligned with its risk appetite, and ensuring that key management decisions are made in a ‘risk aware’ manner.

By combining these two elements, Enterprise Risk Management may enable companies to take on understood and well-managed risks, increasing shareholder value.

3. CONSIDERATIONS IN ASSESSING THE SUITABILITY AND ADEQUACY OF RISK MANAGEMENT FRAMEWORKS

3.1 Introduction

This section outlines considerations for an Appointed Actuary in forming a view as to the suitability and adequacy of their company’s Risk Management Framework.

3.2 ERM Frameworks

ERM frameworks are designed to provide a structured approach to identify, assess and manage risks. A number of frameworks exist to assist companies in this task, and in assessing the appropriateness of an Enterprise Risk Management framework, consideration of adequacy should be made in light of the size and complexity of the company involved.

Considerations for selecting and implementing an appropriate ERM framework include:
1. The risk appetite and risk culture of the Board
2. The maturity of the business
3. The complexity of the risks that the business faces
4. The nature and magnitude of the risks faced by the organisation
5. The cost / benefit tradeoffs

ERM frameworks should be adaptable to emerging risks, as well as being flexible enough to cope with changing company circumstances. A number of ERM frameworks exist, and some of these are described in the Appendix. Actuaries are encouraged to keep up to date with future developments and enhancements to ERM frameworks.

3.3 The process an Appointed Actuary may use to assess the suitability and adequacy of an entity’s risk management framework

3.3.1 No single process for forming an opinion on an entity’s ERM framework is suggested. That said, the Appointed Actuary should carefully consider the process adopted and the basis upon which their opinion has been formed. Detailed below are some actions that Appointed Actuaries may wish to consider in forming their view on an entity’s risk management framework.

3.3.2 Inevitably any opinion is a matter of judgement, but it must be reasonably formed, based on a reasonable review of the company’s ERM framework and of the issues emerging for the company.
3.3.3 The Appointed Actuary may consider the views of those involved in monitoring risks and controls, whether employed by the company or not. In particular, staff such as the Chief Risk Officer, internal audit, compliance, and operational risk managers will have views on the adequacy of the framework.

3.3.4 Specific matters that such staff could assist with may include details on major risk incidents during the year, details on “near misses” during the year, insights into ERM concerns that they have, views on opportunities for improvement, and the emergence of new types of risks.

3.3.5 The Appointed Actuary should consider how to analyse key risk management issues that have emerged over the year, many of which will likely need to be considered in any event in the financial condition report. The Actuary should consider assessing the severity of such events, the responsive actions of management, and the ongoing management of these issues. Reviews on a more frequent basis than annually may also be appropriate.

3.3.6 Action points that have been identified in previous risk management reviews should be followed up on, and reported on.

3.3.7 A review of the entity’s philosophy on risk tolerance may be worth considering. Stated company policy and culture on risk management, and changes / reviews of these over time, may help the Appointed Actuary to form their view on the appropriateness of “risk appetite”, and how embedded this is across the business.

3.3.8 The processes used to inform the Board, and senior management, of risk management practices within the entity, and their appropriateness, may also be considered. For instance, a review of the appropriateness of communication of risk “triggers” – events resulting in escalation of a risk management issue to more senior management – might be considered, as may management’s reaction to “bad news”.

3.3.9 An entity’s response to “extreme” events might also be considered.
An Appointed Actuary might consider whether scenario testing of possible outcomes, or “extreme” scenario testing, has been carried out. For instance, testing the ability of the business to continue to operate following a significant business continuity event, low liquidity, or a breach of desired surplus above capital adequacy may be considered.

3.4 Forming a view that an entity’s risk management framework is inadequate or unsuitable

3.4.1 An Appointed Actuary may form the view that an entity’s risk management framework is materially inadequate or unsuitable. This is a view based on judgement, and is not a simple conclusion.

3.4.2 The Appointed Actuary may conclude that part of the risk management framework is adequate, whilst other components are deficient. Having noted this, risks do not function in isolation, and control deficiencies in one area may suggest control weaknesses in other areas. The Appointed Actuary needs to consider entity-wide risk management capabilities in forming a view of the entity’s risk management framework.

3.4.3 A way to consider the appropriateness of controls and capabilities may be to consider how well risks have been identified, reported and managed over the year. For example:
- how well have “warning signals” or “alarm bells” of events been communicated?
- has the process for reporting and managing new risks been effective?
- how frequently, or materially, have risks in excess of the entity’s risk tolerance arisen?
- how well have risks or incidents been reported?
- have there been material control failures during the year?

3.4.4 Even if no new risk events have arisen during the year, the Appointed Actuary needs to consider the entity’s ability to effectively respond to emerging risks.

3.4.5 If the Appointed Actuary forms the view that the entity’s risk management framework is materially inadequate or unsuitable, the Appointed Actuary should effectively communicate this within the company, and to APRA if required.
Although responsibility for any areas of risk concern may lie with other staff members within the entity, the Appointed Actuary should seek to play an appropriate role in facilitating an improvement to the entity’s risk management framework.

3.5 Communicating the results of the review to the Board and APRA

3.5.1 The Appointed Actuary should present the Board of the entity with an update on any items raised last year. Topics that should be covered include an update on items of concern identified in last year’s review, and the identification of new findings.

3.5.2 The Appointed Actuary should be prepared to communicate the findings of their review of the risk management framework more frequently than the minimum. In particular, the Appointed Actuary may wish to consider how frequently they should be prepared to present their findings to the Board in the ordinary course of events, and how often to present findings or updates in the event of material issues being identified in the entity’s risk management framework.

3.5.3 Similarly, the Appointed Actuary should also consider how frequently they would need to be prepared to discuss (present) their views on the appropriateness of the risk management framework with APRA, over and above the minimum requirement. Again, how this view might change in the event of material issues being identified should also be considered.

APPENDIX 1: ERM AND ACTUARIES’ INVOLVEMENT

1.1 ERM responsibilities of Appointed Actuaries and actuarial staff

1.1.1 Mandatory requirements for Risk Management

Prudential Standards LPS 220 and GPS 220 aim to ensure that a company maintains a risk management framework and strategy that is appropriate to the nature and scale of its operations. The prime responsibility for the risk management framework and strategy rests with the Board of directors of the life company, or in the case of an eligible foreign life insurance company, with the Compliance Committee.
The Appointed Actuary’s involvement is in assessing this risk management framework, namely: “The Appointed Actuary must include an assessment of the suitability and adequacy of the risk management framework as part of the Financial Condition Report”. Whilst this note aims to assist in providing support to Appointed Actuaries in making this assessment, it is noted that there are a number of statutory requirements in both LPS 220 and GPS 220 that must be complied with, and the reader is encouraged to review the requirements of these standards in more detail.

1.1.2 Role of the Actuary in Risk Management

Actuaries are concerned with the financial soundness of institutions and their ability to meet their obligations to policyholders, as well as acting as trusted advisers to businesses. As such, actuaries should be concerned with the risks that could adversely affect the company’s ability to meet these obligations, and that could adversely affect business objectives and strategic plans. Actuaries are uniquely placed, due to their training and technical capabilities, to serve a valuable role in Enterprise Risk Management, and to make important contributions to protecting the financial soundness of institutions. This includes the identification and evaluation of quantifiable and unquantifiable risks, consideration of downside as well as upside risks, the reporting of risks, the analysis of risks and the recommendation of appropriate management responses.

1.1.3 Role of the Appointed Actuary in Risk Management

The main requirement of the Appointed Actuary is that he/she must include an assessment of the suitability and adequacy of the risk management framework as part of the annual investigation of the company’s financial condition. The Actuary should ensure they use a sound process to support this opinion, and the following sections outline aspects of the company’s framework that an Appointed Actuary might consider in forming this opinion.
One or more of these frameworks provide a useful benchmark against which an Appointed Actuary can review risk management practices across their company.

APPENDIX 2: ENTERPRISE RISK MANAGEMENT FRAMEWORKS

5.1 COSO ERM Framework

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) is an American private sector organisation sponsored by professional accounting associations. It has issued a set of definitions and standards against which organisations can assess their internal control systems.

[Graph 5.1: COSO ERM Framework]

5.2 ISO 31000

The International Organisation for Standardisation is an international standard setting body that has issued a set of standards relating to risk management known as ISO 31000. The purpose of ISO 31000 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes.

5.3 Three lines of defence model

The three lines of defence principle is used across a variety of industries and situations, and primarily relates to governance across organisations:
- First line: the day to day running of the business, which includes management and staff.
- Second line: the monitoring of the business via risk, control and monitoring functions.
- Third line: independent internal and external assurance processes.