We advise insurers on emerging risk management and regulatory changes (including Dodd-Frank and Solvency II), help them design and implement enterprise risk management frameworks, and measure and manage risk and capital against a range of regulatory, internal, and external requirements, including risk-based capital, economic capital, Solvency II (standard and internal models), and rating agency capital.
PwC’s overall risk management solutions are based on key steps, outlined below, that companies must take to ensure a robust framework, coupled with critical drivers such as governance and communication and a thorough understanding of the place and degree of risk in strategy and business planning that contributes to successful management.
Key elements of risk management include:
ERM/RMORSA gap assessments and implementation
The NAIC’s 2012 adoption of the RMORSA Model Law requires insurers to “maintain a risk framework to assist the insurer with identifying, assessing, monitoring, managing, and reporting on its material and relevant risks.” The Law requires a summary report to be filed in 2015, but many states may require RMORSA-type disclosures before that. Companies must prepare to meet the RMORSA requirement, including the three major areas required in any report:
- Section 1: Description of the Insurer’s Risk Management Framework
- Section 2: Insurer’s Assessment of Risk Exposure
- Section 3: Group Risk Capital and Prospective Solvency Assessment
In order to comply with RMORSA guidelines, applicable to insurers that are part of company holding systems – which covers the vast majority of U.S. insurers – many insurers will need to undertake a comprehensive review of their risk management infrastructure, process, and controls, and be prepared to invest in areas of deficiency to ensure their ability to comply with the regulations in a timely manner.
- A lack of a risk management framework to create structure around and coordinate existing risk management activities
- A low level of maturity for elements of, or all of, the risk management framework
- Gaps or duplications in activities or responsibilities; siloed business units
- A lack of understanding around what needs to be done to achieve compliance
- A low level of engagement at the Board or executive management level
How we can help
- Evaluate your risk framework and provide clarity over work required to achieve compliance
- Develop project plans and identify resource requirements needed for compliance
- Increase knowledge and understanding of the law and its requirements throughout the business so that senior company representatives are able to provide effective risk oversight
- Increase engagement at the Board and executive management level
- Develop better risk practices for the organization that make sense in terms of your business model and risk management objectives
- Enhance collaboration across critical functional areas (e.g., actuaries and risk managers) to aid effective framework implementation and continued efficiency
- Risk management gap analyses
- Readiness assessments
- Regulatory readiness reviews and mock exams
- Form F preparation assistance
- Project planning and organization
- Training and development, including Board and executive management sessions
- Implementation advice and support for ERM elements
Risk strategy and appetite
When managing risk, both generally and in response to current and upcoming regulatory requirements, many companies have critical gaps as far as Board involvement as well as a company-wide lack of understanding of how risk appetite and tolerances should be linked to business strategy.
Risk should be a core consideration when setting strategy, formulating business plans, managing performance, and rewarding management success. Risk appetite should be clearly articulated and reflect the organization’s risk-carrying capacity, business strategy, and financial goals. Processes and procedures should be in place to manage risk on an enterprise-wide basis within defined boundaries, without stifling day-to-day operations.
A comprehensive risk review is central to ORSA guidelines, and documentation of an organization’s risk levels and management framework will be required for the first part of the three-section RMORSA report.
- A low level of Board engagement or lack of clarity of the role of the Board in risk management
- A lack of enterprise-wide understanding of the organization’s risk appetite
- A lack of Board or senior management involvement in risk management
- An absence of risk and business objective alignment
- Business planning does not consider risk appetite, and risk metrics are not included in the process
- Risk limits are not aligned to overall strategy and appetite
- Inconsistent business decisions around business units regarding the risk/reward tradeoff
How we can help
- Develop a clearly articulated risk strategy and appetite statement expressed in terms of corporate metrics for stakeholders, including regulators and the market
- Develop a limit framework for significant risks that is calibrated to ensure linkage to appetite, as well as strategic metrics and operational decision making, to ensure efficiency
- Identify links between appetite limits and business planning, including your business model and operational plans
- Articulate appetite at all levels through the risk governance process, including Board stance and approval of risk appetite
- Improve Board engagement through education on the role of the Board in risk management activities and identification of appropriate responsibilities
- Embed risk strategy and risk appetite through the entire organization
- Risk appetite statement and limit framework reviews
- Risk appetite and limit framework effectiveness assessments
- Development advice and support for risk appetite statements and limit frameworks
- Correlation identification between corporate strategy and risk activities
- Board and management training on risk appetite
Risk assessment and quantification, including economic capital
Risk-sensitive economic capital measures are used by businesses to help make risk quantification relevant to day-to-day business operations and can help insurers advance risk measurement and related decisions. Such measures should balance internal and external views as well as the differing perspectives of users, and provide the basis to determine the financial resources a company requires to achieve its business objectives over the planning period.
Section 3 of an insurer’s RMORSA Summary Report – Group Risk Capital and Prospective Solvency Assessment – should document these measures and consider the insurance group as a whole, including the impact of inter-group transactions and financing arrangements, the transferability and fungibility of capital, and any anticipated or foreseeable contagion risks.
In order to be fully compliant with RMORSA guidelines, any insurer affected by the guidelines must demonstrate that the organization has sufficient capital to execute its two-to-five-year business plan, taking into account the potential impact of adverse scenarios and a company’s solvency needs in addition to regulatory capital requirements. The section must also outline management actions to address areas where capital may not be adequate.
- No current risk-sensitive capital measure
- Immature economic capital process or model
- An inability to project economic capital into the future
- An absence of hedging strategies in the economic capital assessment
- A lack of sophistication in the risk aggregation approach
- A lack of awareness and understanding of economic capital
How we can help
- Improve economic capital methods and processes to project metrics over the required five-year period
- Increase confidence in results through implementation of reconciliations
- Increase confidence that the model performs as expected through independent reviews and validation
- Benchmark practices against peer companies and offer a greater understanding of maturity level to senior management, the Board, and stakeholders
- Improve understanding across the business of economic capital and use to ensure an enterprise-wide compliance culture
- Economic capital methodology development
- Economic capital model process development and design and implementation of reconciliations
- Economic capital model review
- Assistance setting stress assumptions
- Economic capital model build and testing
- Economic capital model validation
- Education and training
In addition to the broad risk management policies it outlines, the RMORSA Summary Report also requires insurers to document their risk exposures in normal and stressed economic environments. These stress tests – the results of which will comprise a company’s second RMORSA summary report section, Insurer’s Assessment of Risk Exposure – should be applied to any business unit or area of material risk identified through the risk management exercises companies will undergo to meet the requirements for the first section of the required three-section report to comply with the RMORSA.
One of the most difficult exercises in modeling insurer results is determining the relationships, if any, between risk categories. As compliance with ORSA guidelines will be a requirement for most U.S. insurers, companies will have to provide evidence of their stress testing of risk exposures across and between risk categories and will not only have to address their risk responses to various scenarios, but also ensure that such testing is accurate and encompassing of all identified risk.
- An absence of a fully operational and formalized stress testing program
- Concerns over areas of stress test focus (e.g., demographic versus catastrophe)
- A lack of integration of risks into cohesive scenarios (e.g., market risk and liquidity crunch in combination)
- Linkage with appetite statement and business planning process is not comprehensive
- Assets and liabilities are not stressed in a coordinated manner
- Scenarios which “break the business” are not considered
How we can help
- Design a robust and repeatable stress testing process to ensure compliance
- Link stress testing to the business planning process, enhancing response capabilities
- Apply coverage across all risk appetite metrics
- Identify key business weaknesses to develop risk mitigation plans
- Assist in scenario construction and enhance appreciation for interaction between events, improving your ability to respond to normal and stressed economic conditions, in addition to ORSA compliance
- Identify ways to improve discussion and communication at all levels in the organization on risk events
- Process design and operational approach development stress testing
- Internal stress test modeling validation
- Peer company benchmarking
- Scenario design, application scope, modeling techniques, financial projections, and forecasting assessments
Model risk management and model validation
As a result of the financial crisis and concerns over companies’ ability to properly manage and mitigate their business and financial risks, there has been increased scrutiny of the models that are used for risk management, valuation, and regulatory reporting. In response to these concerns, SR-117 provided updated guidance on model use that applies to all banks and federally regulated insurance entities, and will be similar to validation requirements under ORSA. Insurers will be expected to comply with this and forthcoming guidance through enhanced risk management and validation processes to ensure the reliability of the models they use to manage their risk as well as those models that form the basis of a company’s reporting and disclosure information to investors and the broader market.
- A limited understanding of current-state model risk capabilities (e.g., are all models identified; is ownership of models clear throughout the company)
- Current-state model risk management may not be sufficiently strong to comply with current and expected guidance
- A lack of adequate resources in staffing and/or knowledge may compromise ability to develop best-in-class function
- Models must evolve to ensure continued compliance with regulatory requirements
How we can help
- Identify model population, ownership, use, assumptions and data requirements, and correction methods to develop an appropriate vision for desired model risk management framework
- Assess model riskiness to allow targeted and prioritized corrective actions
- Determine model risk management adequacy relative to compliance needs to ensure timely execution of any mitigation strategies
- Develop controls and governance that ensure correct, optimal use of models across the enterprise
- Design a risk framework that is responsive to product development and growth, and attendant risk management
- Current-state assessment
- Model risk management framework development
- Improvement identification for model governance/validation program areas
- Implementation roadmap creation
- Performance monitoring
- Periodic validation
Operational risk measurement
Operational risk can be viewed as a distinct, individual risk type rather than the execution element of all risk types within an organization. Such an assumption may lead senior management and Boards to view the need for controls around it as duplicative with their existing, in-place processes, leading to an absence of effective operational risk management within regular risk and control procedures.
Similarly, operational risks are often seen as being subjective in nature and difficult to quantify. As insurers tend to focus on more traditional and tangible financial and underwriting risks, there is a potential for operational risk policies to be inadequate, leading to significant unmitigated exposures.
With increased scrutiny on the overall risk functions of insurers and the means companies are using to mitigate risk, operational risk measurement becomes a critical element of a robust risk framework, and integration into the larger ERM system is essential.
- Current controls do not take into account operational risk/are not sufficiently developed to incorporate operational risk
- Risk measurement is not addressed in a single risk framework
- Business units have individual processes for managing operational risk that are not fully integrated into the enterprise-wide risk framework
- Management and staff do not have a thorough understanding of the links between operational risk processes or the value of operational risk quantification as it relates to their daily management of risk
How we can help
- Improve risk assessment effectiveness and robustness, including ensuring collective risks (e.g., credit risk, fraud, IT, etc.) are assessed through a single framework
- Establish an integrated approach to risk assessment across the business to help identify unmitigated exposures
- Integrate operational risk into the larger ERM system so that overall risk management is encompassing
- Reduce the cost of risk processes
- Operational risk process and culture development and implementation
- Operational risk identification and assessment process development
- Operational risk management information and quantification approach development
- Operational risk quantification, mitigation processes, and controls validation and monitoring
Risk monitoring and reporting
Risk reporting is critical to allow insurers and management to adequately evaluate and understand risk, yet risk managers are facing significant challenges when trying to distill vast quantities of data into concise, actionable, and forward-looking views of risk to help facilitate risk assessment and mitigation strategies.
Risk demands on insurers – from regulatory bodies, rating agencies, and shareholders – will not abate in the foreseeable future. Companies that are not able to respond to these demands through documented risk management and mitigation strategies may face queries and skepticism from ratings agencies and may experience higher levels of risk exposure or compromised competitive positions.
Dashboards that provide easily understandable information allow users to summarize the most relevant metrics, call attention to key areas of concern, access detailed information that is required to understand root causes and underlying trends, and identify, escalate, and potentially mitigate the impact of newly arising credit risk concerns earlier in the process. These capabilities underlie a robust risk reporting process.
- An absence of or inadequate enforcement of risk management policies
- A lack of formal risk management review policies
- Inefficient reporting process resulting from model development without consideration for output requirements for management reporting
- Reporting is not considered in conjunction with model development
- Regular delays exist in risk reporting and/or availability of updated information
- Current reporting provides limited support and/or is disconnected from the risk management framework
How we can help
- Minimize and mitigate the proliferation of irrelevant indicators
- Focus monitoring on key risks to increase efficiency
- Provide key information to the right people for effective decision-making and risk-mitigating actions
- Integrate risk with wider management activity to support business strategy and the risk management framework to allow for continuous, actionable improvement
- Establish a feedback loop of risk management performance
- Risk profile monitoring
- Solvency monitoring
- Internal risk and capital model assessment and validation
- Dashboard and reporting assessments and gap analyses
- Solution design and implementation
- Ready-to-use template creation
- Third-party assurance
- Reporting framework development
Risk governance design and policy development
Having a well-constructed risk governance framework provides the foundation upon which related activities will be built and is key to insurers’ broad risk strategy. A framework serves to communicate an organization’s approach to risk management, engage leading stakeholders, and should ideally include the identification of explicit owners of the risks and a clear allocation of responsibility for the management of risks on a day-to-day basis.
Senior management accountability and responsibility for “top-tier” risks and clear risk management policies and procedures for managing all material risks are also critical. Clearly defined and documented policies and risk appetite parameters for all key risks types should be available.
- Reviews of risk management governance arrangements are infrequent
- Reviews are not performed with regard to the continued development and progressive transformation of the risk management function
- A lack of confidence that all risks are being properly addressed and fully aligned between the group, regions, and business units exists
How we can help
- Provide defined, transparent, and consistent lines of responsibilities and appropriate segregation of duties so senior management and the Board understand their responsibilities regarding risk
- Provide a mechanism for efficient reporting of risks, such as exposures and the escalation of material risk events to senior management teams and the Board, to ensure action is taken to avoid and/or mitigate issues
- Establish and support limits and thresholds in managing and monitoring risks
- Review internal mapping of governance structures, committees’ terms of reference, etc.
- Structure effectiveness assessments
- Risk policy refresh exercises
- Risk management methodology development
- Design and policy validation
Variable annuity risk management and hedging
Growth in variable annuity sales surged through the last three decades, but escalating benefits shifted the sales proposition of the products and increased the risks absorbed by insurers. Given current economic volatility, combined with policyholder demographics, insurers have increased their use of hedging programs to limit risk as it relates to their variable annuity portfolios, even as many leave the business entirely.
For insurers with substantial variable annuity portfolios, hedging may be a way to alleviate part of the capital risk of maintaining those policies. Those exiting the variable annuity business or segregating their older policies will need to develop and implement risk management strategies; others may benefit from de-risking strategies as well as re-pricing and diversifying deposit limits, policy guarantees, asset classes, and funds.
- Better management of interest rate impacts is required, as rates are expected to remain low at least through 2014
- Policyholders acting more rational than expected as knowledge of embedded guarantees increases, affecting sales
- Equity markets show signs of recovery but are still volatile
How we can help
- Help you to better understand risks and variable annuity exposures, and establish well-defined tolerances to manage and mitigate them
- Optimize your hedging strategy to achieve the desired balance of risk and return
- Establish production quality operations that minimize model and operational risk
- Evaluate product structures to ensure they alleviate shareholder risk and drive an improved risk/return profile
- Improve the quality and timeliness of management reporting
- Reporting assessments
- Gap analyses
- Product design and hedge structuring optimization and implementation
- Model validation and benchmarking
Long-term care risk management and analytics
Long-term care product performance continues to deteriorate as societal changes result in increasing claim costs. Such changes include the growth of assisted living facilities, the increase in the number of home health aides, low interest rates, and lower-than-originally-anticipated voluntary and involuntary policy terminations. State regulators continue to show a reluctance to grant rate increases and are demanding a greater level of analytics to support requested increases.
For insurers selling long-term care or in run-off, detailed analytics are crucial to managing the business while minimizing losses. Bundled claim cost models no longer provide sufficient information to correctly diagnose problems and develop strategies for managing these problems.
- Pricing assumptions were overly optimistic
- Current administration of your LTC business has significant inefficiencies and operations are constrained by legacy systems and processes
- Managing complexity – in benefit triggers, state guideline variations, and policy provisions – is increasingly difficult
- Disconnects exist between actuaries providing the analytics and operations
How we can help
- Improve claim ratios by analyzing emerging experience while also changing controls to capture claim cost opportunities
- Improve performance through actuarial analysis and claims management
- Capture improvements through an integrated approach coordinating actuarial, operational, control, data management, and systems enhancements, providing improved reserve accuracy, rate and benefit options, and predictive analytics
- Reduce loss ratios by optimizing claim operations to ensure appropriate controls are exercised
- Address the needs of management for better analytics to identify trends to allow for timely action
- Assist in developing hedging programs that better meet long-term investment strategy and reserve-setting needs
- Review current claims management processes to assess whether recent adverse experience is a socio-economic trend or whether you can take action that will help mitigate the size of any reserve and rate changes
- Use the results of an experience analysis and projections in formulating assumptions as a basis for recommending how much rate action is needed and when to implement that action
- Experience analysis benchmarking
- Claim processes analysis
- Claim leakage analysis
- Claim processes re-engineering
- First principles implementation
- Targeted performance improvement strategy development