To: The Actuarial Standards Board ERM Task Force
Comments: Exposure Draft on Risk Evaluation in Enterprise Risk Management
Date: June 10, 2012

First, I would like to reiterate my positive support for the work of this committee, which is breaking ground in this regard. In this note, I will respond first to the questions raised in the Exposure Draft. I will then follow with some more specific comments.

Overall questions:

Question 1: Does the proposed standard provide sufficient guidance to actuaries performing risk evaluation work within risk management systems?

As presented at the 2012 ERM Symposium by Mr. Dave Ingram, the word "evaluation" is present in many components of the Risk Control Cycle. So, if the purpose of this standard is to guide actuaries performing an overall "evaluation" of the work done by others in the field, it is probably not complete enough. If the purpose of this standard is more focused on "risk assessment", as in the ERM definition of the actuarial organizations, but using the inappropriate term "risk evaluation", the name of the standard should be changed to "risk assessment". In addition, if the purpose, as stated in article 1.1, is that the standard "provides guidance to actuaries when performing professional services with respect to risk evaluation systems, including designing, implementing, using, and reviewing those systems", it appears that the review of systems is better covered than the other components in this proposed standard. As I made the same comment last year, I am of the view that this standard should be limited to the "review" of risk evaluation systems. The field is still evolving and, as a first step, the review would fit nicely with some of the work in the field like "model review" and "internal model review" in Solvency II.
Question 2: Is the proposed standard sufficiently flexible to allow for new developments in this newer area of actuarial endeavor?

If the purpose is to focus the work of actuaries on the evaluation of risk models (generic risk models, and economic capital models in particular), this standard gives general guidelines about the criteria that should become part of the work of an outsider/consultant/model reviewer in this regard. However, if the purpose is to give guidance to build such a model, as stated as one of its purposes, it is probably too limited, or it should focus on broader principles in this regard, similar to principles-based approaches to regulatory valuation activities in the US and elsewhere.

Question 3: Question about the reliance on the work of others to perform ERM work and working with others.

There is no choice here; in fact, it is a feature of any ERM system to break down the silos of organizations. So, when an actuary reviews or builds a model, he must seek out the input of others within the organization. The proposed standard is silent in this regard. For example, in section 3.3 on economic capital, there is no reference to any other ERM initiatives. Other ERM initiatives in any firm (e.g. audit control review, Risk and Control Self Assessment, new product committees, asset review committees, etc.) do provide insights into the risk profile of any organization and can furnish relevant information to an actuary building or reviewing an economic capital model: the proper key risks to integrate, relevant assumptions, types of risk models, value of controls, etc. EC is part of the ERM system and an explicit statement about this is warranted. This section is set up as if the actuary will be performing this function in a silo, which is what ERM is trying to avoid in the first place.

Question 4: The scope for this standard was set with the intention that it would apply to ERM work only.

On page 1, it is written that this standard will apply to actuaries involved in ERM. Any kind of ERM activities? Some ERM activities (e.g. economic capital models using the run-off liability approach) include an evaluation of liabilities. However, this evaluation of liabilities is not certified by an actuary, as is the case for pension plans or life business as done by valuation actuaries, for instance. It doesn't go through the rigorous SOX-type process evaluation as certified by auditors. You could rephrase this aspect this way. Also, the proposal states that this standard would apply to actuaries doing risk evaluation. Is that supposed to imply actuaries working in any kind of environment? For example, if the company that I am working for adopts ISO 31000 as its ERM standard, would this standard imply that I have to apply risk evaluation in that context? What about potential conflicts? Should the proposed standard be more specific in this regard? Should it be contingent on the ERM context?
Specific comments:

Proposed definitions: Since this is a proposed standard on risk evaluation, the set of definitions becomes crucial, as it will define the extent of applicability.

Definition of risk: The standard proposes that "risk is intended to mean the potential of future losses or shortfalls from expectations due to deviation of actual results from expected results." The focus of risk is on potential future losses, although the idea with ERM is that opportunities are also included in the risk analysis and evaluation in general. Based on the proposed definition, the standard would apply mostly to the negative part of the risk evaluation. Is that what is intended? Also, by defining risk as the difference between expectations (ex-ante) and results (ex-post), the standard positions it to apply only to the risk evaluation of the fluctuations. Is that what is intended?

The proposed definition of risk should tie to a time horizon, or at least mention "over a desired time horizon as relevant to the enterprise". The definition could apply to a business cycle, a strategic plan, a one-year period, etc., depending on the context of the firm.

The proposed definition should mention the words "strategy, mission, long-term goals, value" somewhere, so that risk evaluation is tied to an impact of some sort on those objectives. Otherwise, it just doesn't answer the question as to "why" we need to do risk evaluation. It is referred to indirectly in "expected results" but should be made more explicit.

When the word "losses" is used, do you have in mind only monetary losses? What about harm caused to individuals that can be expressed in monetary terms but not necessarily? Are they excluded from the definition?
I think that it would be relevant here to link the proposed definition of risk to the definition that the famous economist Knight (theory of profit of firms) used, where he distinguished between risk (outcome set known and probabilities defined) and uncertainty (outcome set known but not probabilities). Then, the proposed standard would apply to a specific subset of the whole field, that is, events that have outcomes that actuaries can evaluate and turn into risk estimates. Or you could phrase the definition in broader terms, adding surprises, unknown unknowns, etc., that can also become part of the risk evaluation.

Also, the additional sentence "Evaluation of expected losses and provisions for expected losses is a common actuarial task that is not considered directly by this standard" has more of a connotation of reserving and pricing done in an insurance context. In the ERM context, although the value that ERM brings to the table is higher when one deals with unexpected events, the determination of expected events still remains relevant. I would propose to drop this restriction.

Finally, as a comparison, the newly proposed ISO 31000 has its own definition of risk: "effect of uncertainty on objectives". It is probably too broad for this purpose, but it does include three components: an impact of risk (effect), a fluctuation (uncertainty), and a link to something (objectives). Thus, I am of the view that the proposed definition of risk needs to be reviewed, expressing it as a three-component definition based on a more established definition like the one proposed by Knight, with a link to strategy/value, etc., thus tying in well with the SOA/CAS ERM definition.

Other definitions: As I wrote last year, it would be relevant to tie these definitions to some broader discussed definitions, at least within the actuarial community and even elsewhere, as the CERA is intended to have a broader application. For example, the standard could reference an existing external source like this one from the CEA: http://ec.europa.eu/internal_market/insurance/docs/solvency/impactassess/annex-c08d_en.pdf

- Counterparty: It is more than another party involved in a risk transfer transaction, as the definition proposes. For example, a client of an insurance company is a counterparty that involves risks to the insurance undertaking: the counterparty (policyholder) may stop paying his side of the obligation (lapse assumption). An asset counterparty (investment) may default (credit risk).

- Economic capital: should mention the "economic basis of calculation". Capital can be calculated on different bases, but by definition, economic capital is tied to an economic valuation of assets and liabilities.

- Emerging risks: The definition mentions the fact that "they are new". Essentially, we don't have enough knowledge about them at some point, so that is why they appear to be "new". There are issues (opportunities and threats) that may become relevant to our organization at some point in time because of some vulnerability (strength or weakness). We investigate them and they become risks on our radar screen, thus "emerging". Some "emerging risks" may also fade away.

- Risk evaluation system: Since this definition refers to "impacts on performance", risks take on both the upside and the downside. Thus, the previous definition of risk should be changed to make it consistent with this one. Also, using the term "impact" limits the evaluation to the direct effect. The indirect effect of any action would thus be ignored (e.g. the effect on reputation of a credit loss). Is that what is intended?

- Is there a need to have a different definition between "Enterprise Risk Management Control Cycle" and "Risk Management System"?

- Risk mitigation: Should the term be "impact", to make it consistent with the previous definition, instead of "severity", which is more limited?

- Risk tolerance: In the ERM field, there is a difference between "risk capacity" and "risk tolerance". Risk tolerance usually relates to acceptable fluctuations in risk limits. In fact, the previous definition of "risk limit" refers to risk tolerance. It is not relevant to define "risk tolerance" in terms of "risk capacity".

- Scenario and stress tests: As per the proposed definition, they are geared towards the "financial" position of the firm, which is broader than economic capital. Is that what is intended?
Other specific comments:

Question on page v: The standard proposes to "modify risks" when it refers to the future Risk Treatment standard. Words like reduce, eliminate, augment, or change the risk profile would be more suitable than simply "modify risks".

Question on professional standards: It is mentioned on page iv that other risk evaluation can be performed to determine whether or not they "exceed professional standards". Which standards are we referring to here, since there exist a number of ERM standards out there, like ISO 31000:2009, COSO ERM Framework, BS 31100:2008, FERMA: 2002, and Solvency II?

Comment on article 1.2: The standard says that "Risk evaluation is often performed as one part of an ERM control cycle." It would be better to anchor this risk evaluation as one building block of any ERM system, whatever the ERM framework or standard used. The use of the word "control" is somewhat contradictory to the ideas of ERM in general. Control is only one aspect of it. When you say "models", do you imply only "mathematical models"? Or do you imply "qualitative models" as well?

Comment on sections 3.1 and 3.2: Risk Evaluation and Risk Evaluation Models. The initial objective of the standard mentions "risk design, implementation,...review." All the criteria mentioned in the section resemble criteria that an external evaluator of an existing risk evaluation system would take into account to do their work and reach some conclusions. In a sense, they pertain mostly to the "review" aspect, not to the other aspects. They are all relevant for an actuary to consider when the goal is to "judge" what others have done in this regard, like a rating agency or a regulator would do. If that is the goal, it should be made explicit.

Comment on section 3.3: Economic Capital Model. In subsection b, the term "significant risk" has not been defined previously.

Comment on section 3.4: Stress and Scenario Testing.
- Item 3.4.1.a: There is a mention of "similar adversity". What is that supposed to mean?
- Item 3.4.1.b: The reference should be to "extreme" events, some of which may be catastrophic.
- Item 3.4.2: Should this section on "methods" be integrated with the other section on "methods", section 3.3.3? Methods are used whatever the approach.

Comment on section 3.5: Emerging risk. The section on emerging risk should be expanded and even tied to the scenario section, as scenarios are often used to "assess" emerging risks, issues, and trends.
Comment on section 4: Communications. How would this tie in with other initiatives and new proposals like ORSA, SEC requirements for publicly traded entities, and the Solvency II Pillar III proposals on communications?
Michel Rochette, FSA, MBA, PhD (student)
Enterprise Risk Advisory, LLC