Fap3-3

Module 3: Risk in Actuarial Problems

Section 3: Introduction to Risk and Risk Analysis Principles

Back to list of modules

Objectives

• Define risk in an actuarial context.
• Describe risk management.
• Define risk types that need to be managed within a financial security system.
• Explain how risk is transferred from a consumer to a financial security system.
• Explain risk classification.

Definition of risk

• A broad definition of risk is that risk is uncertainty over the range of possible outcomes. This definition includes upside risk as well as downside risk.
• An actuary can determine whether a risk is
  • A risk to an individual or to a financial security system.
  • Insurable (i.e., capable of being managed through a financial security system) or non-insurable (i.e., not capable of being managed through a financial security system).
• The following reading provides an overview of risk, risk management, risk management frameworks and corporate governance. Read Chapter 1, An Introduction to ERM, in Financial Enterprise Risk Management (Sweeting_Ch1.pdf).

From the reading,

• Some risks are hard to quantify. The risk of loss due to reputational damage, for example, is more difficult to assess than, say, investment risks.
• Enterprise risk management is the management of all risks faced by an organization, on a holistic basis.
• The following can result from a well-designed risk management program: Less volatile returns, improved credit rating, reduced regulatory interference, and easier selection of new projects.
• ERM is an ongoing process with constant monitoring and with results being fed back into the process. In many respects, it is similar to the Actuarial Control Cycle.
• Sweeting argues that the “Partnership Model,” where the Chief Risk Function and business units work together to maximize returns, subject to an acceptable level of risk, is the preferred model. This model, however, produces the risk that the Chief Risk Function may not be able to provide independent assessments of risk management approaches used by business units.

• For another view of risk and enterprise risk management, we look to Sim Segal. Read Chapter 2 of Corporate Value of Enterprise Risk Management (2011). From the readking:
  • Segal’s criteria for a robust ERM program include: Enterprise-wide scope; all risk categories considered; and appropriate risk disclosures. Rather than considering all risks, Segal recommends that only major risks to a company’s value are considered. Segal estimates that 10 to 30 risks would be included in a robust ERM Program.
  • Segal argues, using information from the 2009 Audit Director Roundtable, Corporate Executive Board, that strategic risks (65% of declines) led to greater market capitalization declines from 1988 to 2005 than did financial risks (15% of declines).
• In the reading that follows, Sweeting defines various risks that organizations might face and should consider when developing an enterprise risk management process. Although there are more risks identified in this reading than in the financial security system graphic (the house graphic from Section 2), it is important to understand that this list is not exhaustive. Read Chapter 7, Definitions of Risk, from Financial Enterprise Risk Management (Sweeting_Ch7.pdf). From the reading:
  • Sweeting restricts his definition of credit risk to default risk. Sweeting includes spread risk, the risk of change in value due to a change in the spread, as part of market risk.
  • Credit risk includes the economic loss suffered due to the default of a borrower or counterparty. Corporate bondholders are exposed to credit risk to the extent the corporations are at risk of insolvency.
  • Systemic risk, the risk of failure of a financial system that results from relationships between different parties, is known as contagion risk.
  • The International Actuarial Association defines 4types of mortality or longevity risk: level, volatility, catastrophe and trend risk.
  • Moral hazard is the risk that behavior will depend on the level of exposure to a particular risk.
  • Process risk is a component of operational risk associated with the processes used by an organization. Sweeting argues, however, that model risk, which can be thought of as a type of process risk, should be considered separately.

Risk Frameworks

• The formal framework refers to the entire risk management process, from initially understanding the context in which the risk management process is operating, through identifying, assessing and managing risks. In Chapter 1, Sweeting described common features of risk management frameworks. He emphasized that risk management is a continual process and organizations have to be aware that existing risks can change and new risks can emerge. He also stressed the importance of communication, both internal and external. Read Chapter 19, Risk Frameworks, from Financial Enterprise Risk Management (Sweeting_Ch19.pdf) to learn about mandatory, advisory and proprietary risk frameworks. From the reading:
  • The Basel Accords are concerned with solvency in the banking sector. Basel II is based on the three pillars: Minimum capital requirements, supervisory review process, and market discipline.
  • Under Basel II as compared to Basel I, the approach to credit risk was changed, while market risk remained unchanged. A greater range of creditors is allowed, internal models can be used (in the same way as for market risk) and there is a specific allowance for securitization
  • The three pillars under Solvency II are quantitative requirements, qualitative requirements and disclosure.
  • The quantitative capital requirement under Solvency II has two parts: a Solvency Capital Requirement (SCR) and a Minimum Capital Requirement (MCR). Failure to meet the SCR will result in regulatory actions, while failure to meet the MCR will result in the firm’s loss of authority to conduct business.
  • Advisory risk frameworks do not have the force of law, but can be used by organizations to develop their own ERM frameworks.

ERM Frameworks

• Read Chapter 3 of Corporate Value of Enterprise Risk Management (2011), where Segal presents his preferred approach, a value-based ERM framework, and identifies issues he sees with “traditional” ERM frameworks. From the reading:
  • Segal identifies 10 key criteria for a successful ERM program. The following key criteria are not adequately addressed, in Segal’s opinion, in “traditional” ERM programs:
    • All risk categories included: Strategic and operational risks are often ignored (difficult to quantify);
    • Aggregated metrics: risk appetites are not defined clearly, which affects aggregate metrics;
    • Includes decision making: ERM is not used for decision making
  • Segal’s value-based ERM approach requires the organization to reflect all risks it faces, by using a qualitative assessment process (looking at frequency and severity). Segal suggests that most organizations will determine 20 to 30 key risks.
  • The value-based ERM approach requires that deterministic risk scenarios be developed for each key risk. The scenarios should include upside risk where applicable. A risk scenario usually consists of a description of the risk event, the likelihood of its occurrence and the financial consequences of its occurrence. Some scenarios will be based on limited experience data or there may be no data at all. Most of these risks will be strategic or operational.
  • For subjective risks Segal recommends adapting a process known as Failure Modes and Effects Analysis (FMEA). This is a process that relies on input from internal subject matter experts.
  • The potential financial effect of a particular risk scenario must reflect the valuation of any mitigation in place. An organization should consider pre-mitigation and post-mitigation scenarios to understand the value of the mitigation strategy and the potential effect of the risk in question.
  • Baseline company value is the present value of discounted distributable cash flows consistent with the company’s strategic plan financial projection. The calculation is based on the company’s expectations. Risks can then be quantified by “shocking” the baseline valuation using the scenarios (individually and in combinations).
  • Risk decision making involves defining risk appetite, managing enterprise risk exposure to within risk appetite and strategic planning and other business decision making. Risk appetite is calculated by management and is a decision made by management regarding the level of risk that management believes shareholders are prepared to accept.
  • Although it can be argued that value-based ERM frameworks are superior to “traditional” ERM frameworks, regulators and rating agencies still require their programs to be followed.
• The first step in developing a value-based ERM framework is risk identification. In Chapter 4 of Corporate Value of Enterprise Risk Management (2011), Segal discusses risk identification, which must be completed before any modeling can take place. He identifies three components of the risk identification step: risk categorization and definition, qualitative risk assessment and emerging risk identification. From the reading:
  • There are three main risk categories to be considered: financial risk, strategic risk and operational risk. Insurance companies also have insurance risk, which is risk related to pricing, underwriting and reserving.
  • One of the financial risks is market risk - the risk of unexpected changes in external markets or rates. Examples include equity market risk, interest rate risk and currency risk.
  • Competitors present strategic risks to organizations. New competitors, or changes in tactics by existing competitors, can affect an organization.
  • Operational risks include unexpected changes in areas of human resources, technology, litigation, compliance, external fraud, disasters and internal company processes.
  • Segal believes reputation risk, which is commonly included in companies’ key risk lists, is not actually a risk. Using Segal’s approach, risks are defined by source and damage to reputation can be due to many sources (poor quality products, poor customer service, internal fraud or scandal, etc.). Further, damage to an organization’s reputation may not be relevant unless it actually has financial consequences. As such, Segal sees the reputation damage as being intermediate to the source of the risk and the outcome.
  • Successful qualitative risk assessment requires: Clearly defined metrics; appropriately gathered data; prospective risk identification. Subject matter experts will be asked to assign likelihoods to potential key risks, so clearly defined metrics are necessary. Similarly, the data gathered must be consistent and easily scalable. Finally, risks are in the future, not the past, so risks must be considered prospectively.
  • The primary purpose of qualitative risk assessment is to put the list of potential risks in priority order.
  • Emerging risk identification, the third component in the risk identification process, involves monitoring known risks and scanning for unknown risks.
  • In summary, Segal defines his approach to risk identification. He identifies three components to risk identification (risk categorization and definition, qualitative risk assessment and emerging risk identification). Segal then identifies a five-step approach to risk identification to improve the overall quality of the ERM program.
• In Chapter 6 of Corporate Value of Enterprise Risk Management (2011), Segal argues that traditional ERM programs are not easily integrated into decision-making processes, if they can be used at all. He also argues that a value-based ERM approach will allow full integration of ERM into decision making. From the reading:
  • Risk appetite reflects management’s judgment of the maximum level of enterprise risk exposure that will be accepted by shareholders. This cannot be defined by a calculation, but rather by a consensus opinion.
  • The hard limits are maximum limits that should be exceeded rarely, if ever. The risk appetite definition may also include soft limits that could be exceeded occasionally, and for a temporary period, although exceeding a soft limit likely would generate additional attention (monitoring, etc.).
  • Often, risk measures used prior to the implementation of an ERM program were loose rules of thumb, set by local management, and not related to an aggregate measure of risk exposure to the enterprise.
  • In Segal's simple top-down allocation example, he describes an approach to defining risk limits that involves attribution analysis, risk-return adjustments and scaling up. The attribution analysis apportions the enterprise risk exposure to business segments. The risk-return adjustment is applied on a segment-by-segment basis, considering the enterprise risk exposure attributed to the segment and the segment’s downside standard deviation. The scaling up step moves the calculations back to risk appetite. This is only one approach to defining risk limits.
  • Risk-priority decisions can change the selection of key risks (e.g., internal production of an item eliminates supplier risk) or can change the level of risk mitigation for an existing key risk (e.g., through the purchase of insurance).
  • Return-priority decisions can change the selection of key risks (e.g., acquisition or divestiture of a foreign business affects sovereign risk) or can change the level of risk mitigation for an existing key risk (e.g., mitigate economic risk by acquiring a counter-cyclical business).
  • With the framework recommended by Segal, the process is straightforward. First, recalculate risk and return metrics. Then, evaluate the risk-return trade-offs. All decisions made in an ERM context can be made using the same approach.
• Sweeting provided detailed information about what he terms credit, operational and market risks, but not from an actuarial point of view. From an actuary’s point of view:

• In the reading, the first category of risk was labeled “individual risk.” These are risks that need to be managed by a financial security system on behalf of a consumer; that is, providing for consumer needs. The following reading looks at the financial life cycle and financial products designed to meet consumer’s needs. In Understanding Actuarial Management 2010, read all of Chapter 4 and in addition, read the following PDF version of Section 5.8 from the first edition (m3s3-11_sec58_bellis2003.pdf).
• Universal life insurance unbundles the savings and insurance components of traditional life insurance policies making it clear to the policyholder how their premium dollars are used to purchase insurance protections and to build up their account value.
• Anti-selection is where the policyholder uses information not known to the insurance company to their advantage.
• For a financial security system, the two key risks associated with savings products are asset/liability risk and expense risk.
• Whole life insurance policies can include a surrender value, meaning an amount for which the contract can be cashed in. As the length of a term insurance policy increases, it is more likely that it will include a cash surrender value.
• Death is classified as an income risk for an individual.
• Advantages of a group insurance program when compared to individual insurance:
  • Administration charges are lower
  • All members of this group are covered by the insurance
  • Benefits are easily linked to salary levels
  • Opportunity for anti-selection is reduced
  • Underwriting is streamlined
• The followings are sources of "catastrophic correlation" within the context of modern extreme value theory:
  • Property insurance concentrated in one city or region
  • A large block of capital guaranteed products
  • A large block of insurance against exposure to asbestos
  • An adverse legal interpretation against policy wording within a large block of policies
• The follwoing business risks are insurable:
  • Risk of claims resulting from negligence by directors of the business
  • Risk of claims resulting from external events such as hail
  • Risk of losses due to fraud

• The risk that a business’ products do not keep up with technological improvements and the business ceases to be viable is neither an insurable risk nor a hedgeable risk and must be addressed by the business’s management.
• Financial Life Cycle Case study: How to handle potential risks facing an individual.
  • a_01_Your_Uncle.pdf
  • a-02-Life_Cycle-of_Financial_Planning.pdf
  • a-03-Creditor Insurance.pdf
  • a-04-UnclePolicies.pdf
• The article Risk Classification in Voluntary Life Insurance (m3s3-02_RiskClassification.pdf) introduces the concept of underwriting from an individual insurance perspective, and describes how risk selection and risk classification may be applied in a group insurance context.
• Example: History of Cancer is a risk for the Individual; working as a crop duster is a risk for the Individual and Group; working for a small organization is a risk for Group.
• Individual insurance underwriting would require a seriously ill person to pay an additional premium to be covered under the individual insurance policy.
• For a group insurance policy, it is the group that is underwritten (rather than the individual). A seriously ill individual may be covered under a group policy at standard rates as long as the individual is a legitimate member of the group. In group underwriting, individuals in the group are assessed to be healthy on average because they are actively employed. Under group underwriting, the company’s industry might be considered. Being part of a "white collar" industry may make a difference in the premium level charged under a group policy.
• The article "Perspectives on Retirement Risks and the Individual" (m3s3-03_RetireRisks.pdf) describes the risks for an individual during retirement and how these risks are addressed by pension plan design. Remember risk selection is controlled through plan design for a pension plan.
• Examples of post-retirement risks:
  • Longevity risk.
  • Death of a spouse.
  • Unforeseen needs of family members.
  • Unexpected healthcare needs and costs.
  • Loss of ability to live independently.
  • Inflation.
  • Change in housing needs.
  • Lack of available facilities or caregivers.
• Examples of risks that a heath insurance company is exposed to:
  • Risk of abuse through non-disclosure of pre-existing conditions.
  • Risk of incorrect premium pricing.
  • Risk in plan design including setting correct deductibles.
  • Risk of error in underwriting control policies.
• For defined contribution plans:
  • Defined contribution (DC) plans provide an account balance that participants can transfer relatively easily from job-to-job.
  • While defined benefit (DB) plans concentrate higher value on older/long-service participants close to retirement age, DC plans spread the value more uniformly among all participants. Because of this, participants in a DC plan usually don’t suffer huge reductions in retirement income simply because they change jobs.
  • A member is subject to the risks associated with investing their underlying assets.
  • A member assumes the responsibility of managing his longevity risk.
• For defined benefit plans:
  • Pension is determined by a formula. This formula is often based on a participant’s salary at or near retirement.
  • Defined benefit plans may require defined participant contributions.
  • The plan sponsor is responsible for all other costs, including administration costs.
  • The participant assumes the risk of losses on termination, especially if he changes employers periodically.
  • The plan sponsor assumes all other risks, such as investment risks, longevity risks, etc.
• Knowing what risk is, and understanding risk in the context of an individual’s or a financial security system’s situation, is a key actuarial skill. Successful problem definition depends on appropriate risk identification. This is a key element in the Define the Problem stage of the Control Cycle. International actuarial groups have looked at the roles risk and risk assessment play in the actuary’s work. In Understanding Actuarial Management 2010, read Chapters 2 and 6.
• Definition from reading: "Risk is the chance of something happening that will have an impact on objectives."
• Systemic risks are risks that are inherent in a particular system. For example, the risk of failure of the banking system as a whole and inflation risk are systemic risks. Systemic risks cannot be reduced by diversification.
• Examples of financal risks: Credit risk, market risk, liquidity risk.
• Examples of operational risk (a non-financial risk): application or implementation risk, contagion and related party risk, competition risk, reputational risk, legal and judicial risk, regulatory and/or political risk, technological change risk, extreme events risk, social attitudes change risk and environment change risk.
• There are several “formal” definitions of ERM, but no universally accepted definition. The common features of the various definitions include a holistic approach to risk across the entity and a focus on value optimization rather than risk reduction.
• Events occurring with a low frequency and a high severity are known as extreme events.
• Event risk is outside of the control of the enterprise.
• The risk of loss from being unable to adjust or change a position because of market inefficiency is known as liquidity risk.
• The following are reasons an insurance company might want to purchase reinsurance: To divest a product line, to gain underwriting expertise, to increase new business capacity, or to limit catastrophic claims.
• A summary of points from Chapter 2 of Understanding Actuarial Management (2010):
  • The emphasis on corporate governance has increased significantly over the past few years and sound corporate governance requires robust management.
  • There is a variety of risk types, some taken with the aim of reward and others not, some systemic and others diversifiable.
  • Enterprise risk management (ERM) involves a holistic approach to risk management, with an understanding of how the various risks interact with each other, and a focus on managing for value.
  • ERM has widespread support by regulators, rating agencies and risk management experts, and is generally regarded as best practice.
  • ERM is still evolving.
• How we classify risks is also dependent on the context of the problem and the entity. For example, Jorion (in Chapter 6 of Understanding Actuarial Management (2010)) gave a generic view of enterprise-wide risks divided into business and non-business risks. Jorion split non-business risks into event risks and financial risks. Segal, however, breaks risks for most companies into three categories: financial risk, strategic risk and operational risk, each with multiple sub-categories. Segal also includes insurance risk as a separate risk category, noting that this category generally applies only to insurance companies.
• Categorizations of risks include:
  • Long-term risks, strategic (medium-term) risks and short-term risks.
  • Asset risks, liability risks, asset-liability management risks and enterprise risk management risks.
  • Pricing risks, reserving risks and funding risks.
  Although it might not be vital to draw up a classification scheme for every actuarial problem encountered, actuaries must nevertheless understand the risks encompassed by the actuarial problem and consider those risks when designing solutions. A good job of defining the actuarial problem means taking into account the entire realm of risks at hand.
• The Risk Management Process shown on Understanding Actuarial Management 2010 page 136 as Figure 6.1 has the following commonalities with the "Define the Problem" state of the Control Cycle.
  • Envision process
  • Identify risks
  • Assess risks

• Read Managing Actuarial Risks (m3s3-05_ManagingRisks.pdf) to learn some of the risk management processes used by actuaries. Also, in the May 2003 issue of Risk Management Reports H. Felix Kloman provides interesting perspectives on the discipline's past, present, and future (m3s3-06_ERMPastPresentFuture.pdf).
• Read "Modelling Mortality Risk with Extreme Value Theory: The Case of Swiss Re’s Mortality-Indexed Bonds" (m3s3-07_ModelingMortalityRisk.pdf). This article describes a relatively recent development for the insurance companies to develop and sell bonds whose cash flows (i.e., the amount the insurer must pay) can be expected to decrease when the insurer’s underlying liability cash flows increase (e.g., more death payments for a life insurer). These new bonds, however, create new risks and management issues. The approach has two steps. The first is the use of mortality-indexed bonds to mitigate their risks. The second is a particular statistical approach to determine if investors are being fairly compensated for the risk they have assumed. Our focus should be on the first step.
• One issue with this approach is to identify the limitations of the use of the Swiss Re’s mortality-indexed bonds in supporting their reinsurance block of business. Read “Pricing risk on longevity bonds” (m3s3-08_LongevityBonds.pdf) to obtain an expert’s response to a similar problem.
• Summary of section: This section has introduced the following key concepts:
  • The definition of risk.
  • Examples of risk in typical actuarial problems.
  • Risks that can and cannot be managed.
  • Transferring risk from a consumer to a financial security system.
  • Risks associated with a financial security system’s need to accumulate assets to support payments to consumers.
  • Prioritizing and managing risk.