Managing a crisis

The financial crisis has highlighted the importance of risk management processes and controls, but insurers differ on the importance of technological solutions to the problem. Clive Davidson reports

The financial crisis has effectively silenced any doubters and dissenters on the need for rigorous processes and controls around risk and capital management and their place in financial services regulation. At the moment, crisis-hit banks everywhere are feverishly reviewing their risk and capital management processes and controls, mostly behind closed doors and often with regulators looking over their shoulders. One widely discussed disclosure came from UBS, which criticised its internal risk measurement and monitoring processes, including a lack of a limit framework, over-reliance on measures such as value-at-risk and a lack of meaningful data for certain valuation processes. With write-downs amounting to nearly $40 billion at the time, UBS made the case more starkly than any regulator could do for the critical importance of robust processes and controls.

In the insurance industry, the focus was turning to the implementation of such processes and controls even before recent events, with the proposed Solvency II directive setting the framework and guidelines.

Multinational insurance group, Allianz, has an umbrella Solvency II project that embraces a number of sub-projects, including those for risk reporting systems and controls. These sub-projects are working towards optimal processes for calculating each type of risk, and their overall integration and aggregation. In the area of market risk measurement, the company is using Monte Carlo simulation of assets and replicating portfolios of liabilities (portfolios of standard financial instruments that replicate the behaviour of complex liabilities), with correlations determined by a five-year rolling window of weekly data. Allianz chief risk officer, Tom Wilson, pioneered this approach to economic capital when he was chief insurance risk officer at Dutch financial services group, ING; and its success there has set a benchmark for the performance and transparency of the economic capital calculation process.

Within its Solvency II umbrella project, Allianz is integrating its replicating portfolio-based market risk measurements with those of risks such as property and casualty, life mortality and longevity, credit, business and operational risk, into an overall framework with central risk aggregation based on a Gaussian copula approach.

"Process control, assumption setting, end-user computing and model validation standards have been defined based on a few key principles, especially risk-based materiality and reliance, for example on existing control processes, in such a way that the reporting framework can be controlled, audited and reconciled at different levels within the organisation," says Wilson.

Many UK insurers are basing their Solvency II preparations on work already done for their Independent Capital Adequacy (ICA) review under the UK regulator, the Financial Services Authority (FSA). London-based insurance group, Aviva, is focusing on establishing an integrated risk-based financial performance framework over the next three years, which will include a Solvency II compliant economic capital model. This will be an enhancement of its existing ICA-based economic capital model, which the company's regions and business units have been using for a number of years. Aviva plans to apply for approval of its internal model under Solvency II.

"The economic capital team in the Aviva group centre will provide oversight, challenge and aggregation of the (economic capital) numbers, and will support the regions in implementing the enhanced capital calculations," says Jim Webber, Aviva Group's chief risk officer. "Further challenges to the numbers will be provided by the regions, in line with our group-wide risk governance and oversight protocols and procedures, as well as by (global auditors) Ernst & Young through an annual review process, and by the FSA who see our ICA numbers."

London-based Legal & General (L&G) has integrated its risk and actuarial functions at the group level, initially for its ICA review, but has evolved this into a cross-divisional approach for implementing Solvency II requirements. This integrated function comprises fewer than 20 people. "We have a small team at the core - the risk managers and actuarial managers - and that works very well," says Randle Williams, group investment actuary at L&G. "At the local firm level, we have separate risk and actuarial people, but we encourage them to work together."

An issue that L&G has needed to address is that, traditionally, in insurance, people have thought that most of the risks, like morbidity and mortality, are dealt with by the actuary, and have not recognised some of the more generic risks, such as operational risk. One of the challenges with Solvency II is to integrate all the different types of risk, including operational risk, and prove it through the use test. "That is a still evolving piece," says Williams.

Risk and capital management, with their modelling, aggregation and calculation requirements, need a range of tools to support their processes and controls. It was concerns about the performance and transparency of the calculation process that drove Wilson, while at ING, and his colleague Doug Caldwell, manager of corporate insurance risk management (CIRM) at ING, to develop a replicating portfolio-based system for economic capital. The system, called Economic Capital System (Ecaps), enables the central CIRM group to develop sets of economic scenarios and distribute them to the group's business units spread across 30 countries. The units then use their local actuarial systems to generate the cashflows for each scenario and send these back to CIRM for aggregation and enterprise economic capital modelling. The use of replicating portfolios has reduced this process from 10 weeks to a timescale that allows for monthly reporting, as well as improving the auditability of the process. "We believe that Ecaps gives us everything that we will need to apply for internal model approval for Solvency II," says Caldwell (see Life & Pensions, April 2008, p22).

Like ING, Allianz is using Toronto-based Algorithmics to develop its replicating portfolios and to calculate market risk, as well as for risk aggregation, with Amsterdam-based SecondFloor developing a web-based infrastructure for these processes. Allianz's approach to its risk and capital management systems is to "select the best possible application for each specific role, and integrate them into a coherent business application architecture," says Wilson. So for credit risk it uses tools from California-based credit risk specialist Moody's KMV. "On the other hand, where Allianz has unique needs and requirements due to our business footprint, such as for property and casualty stochastic reserve and premium risk and life stochastic cashflow uncertainty, we have developed group-supported tools and standards, which our operating entities use for the modelling of their products to better reflect local product and market characteristics," says Wilson. Around these tools and the business application architecture is a structured process that allocates clear roles, responsibilities and authorisation for things like the development of models, with electronic sign-off procedures, he says.

A growing number of insurers see the use of replicating portfolios for valuing liabilities and assets, in a platform that facilitates timely and transparent risk aggregation and economic capital calculation, as a way forward to improved management information as well as preparing to meet the requirements of Solvency II. L&G, for example, "is currently evaluating the potential (of replicating portfolios), including the IT implications," says Williams. These IT implications can be substantial, and some companies are cautious about the approach because of this. Webber of Aviva says: "There are a number of new techniques coming to market that better allow risk managers to understand, model and manage long-term insurance business. Replicating portfolios is one of these techniques and the results that we have seen to date are highly encouraging. However, the cost of setting up and maintaining replicating portfolio systems, together with the high overhead cost of producing fully robust calibrations, means that we will use them only in areas where we can demonstrate that they add value to our risk management activities." Despite such cost objections, Algorithmics says that it has two more major European insurers already developing replicating portfolio-based systems with its technology, although it would not name them, with several more investigating the possibility of doing so.

Meanwhile, Aviva uses the Prophet actuarial system from Pennsylvania-based financial software firm, SunGard, for developing its local models on the life side, and the Igloo simulation engine from London-based consultancy, EMB, for its general insurance companies. For economic scenarios and stress testing, it uses tools from Edinburgh-based Barrie & Hibbert. "Other analysis, such as the expected distribution of claims reserves, are produced by our in-house actuaries," says Webber. And finally, Aviva's central aggregation tool is a bespoke package developed with the assistance of consultants Towers Perrin.

Towards the insurance middle office

Companies that are groups of globally dispersed entities face the added problem of gathering and aggregating risk and capital information across their organisations, and in ensuring consistency in the process. With this in mind, Allianz divides its business applications into three categories - centrally developed and parameterised applications, centrally developed and locally parameterised applications, and locally developed and parameterised applications. "All local model development and parameterisation is governed by principles, guidance and minimum standards that are consistent across the group," says Wilson. Model validation and audit processes ensure adherence to the standards.

Aviva, meanwhile, operates a number of oversight committees to monitor and aggregate risk data across the group and take risk-based decisions. "Our businesses are required to disclose all material risks along with information on the likelihood and severity of these risks and the mitigation action taken or planned," says Webber. "This process enables us to develop a group-wide risk map identifying concentrations of risk and to define the risks that we are prepared to accept. The risk map is continually monitored and is refreshed regularly."

To support the implementation and ongoing maintenance of its systems, as well as to run its risk aggregation and analysis, Allianz has created a middle office function within its group risk department. This middle office will oversee the generation and maintenance of automated reports, and will also have available to it ad-hoc analytical capabilities. These reporting and analytical facilities are also made available to the chief risk officers of Allianz's various operating entities via a web interface.

In contrast, the insurance business of Amsterdam-based global financial services company, ING, has focused on streamlining the information flow between local business units and the head office in creating the infrastructure for its risk and capital management processes and controls, rather than creating a formal middle office. "This (information flow) allows local modelling of insurance cash flows and insurance risks, along with globally consistent calculations of market risk utilising replicating portfolios," says Caldwell.

Williams at L&G says: "(The choice of whether to create a middle office or not) depends on a company's structure and the amount of business that is done across territories." With just 10,000 employees and relatively small regional units, the company felt that it had neither the size nor the dispersal of operations to justify a middle office. Instead, L&G tries to keep a tight central control of risk management processes, while pushing them down as far as possible into the business units, he says.

Williams believes that a middle office runs the risk of becoming entangled in branch politics, "because you are asking branches to declare things they think will cause them problems, and our experience is that branches prefer to do that via their managing director talking to the chief executive, rather than through a middle body." L&G was also worried about creating a big overhead in a middle office before it was sure that it would add value. "Once you have a structure in place it can become self-generating," says Williams. But he acknowledged that for bigger companies with more dispersed operations, a middle office could be appropriate.

From risk models to model risk

An issue faced by all companies, and one that regulators are paying even greater attention to in the current financial crisis, is model risk and how to avoid the proliferation of models. Many companies, such as ING and Allianz, have already established rigorous independent model validation processes, and methods for ensuring consistency of models across central and local operations. Even so, elements of model risk can remain, says Caldwell. "These models require large numbers of assumptions which must be tested via sensitivity analysis," he says. Wilson adds, "We recognise any model is an abstraction of reality, typically calibrated to historical events, and as such, any model will, by necessity, be challenged during times of unique stress. We complement our quantitative modelling framework with experienced risk, actuarial and finance professionals who understand the business context, and who can, hopefully, identify any unique challenges and market developments relevant for our business."

L&G sees the regulatory requirements around models and their risks as an opportunity as well as an obligation. "Reviewing models for regulatory purposes such as ICA or Solvency II makes you review what you've got - whether your models are robust and 'fit for purpose', or whether you have gaps and might need to develop or update them," says Williams, who regards model risk as an important issue. Also, because companies develop and acquire models in an ad-hoc fashion as their business evolves, a review may offer the opportunity to consolidate functionality of models, and to reduce the operational risk of models based on different languages, tools and platforms, as well as to look at data issues. "If you are trying to build an enterprise risk model, then in an ideal world you would have everything fully integrated, but because of data and other technology issues it can be difficult to achieve that objective in a timely manner," says Williams.

Standardisation of model platforms and data formats is the way to overcome enterprise model integration problems, says the New York-based Association for Cooperative Operations Research and Development (Acord), a global non-profit organisation that promotes the use of data standards in the insurance industry. In a recent report, Preparing for Solvency II: Acord data and information standards (October 2008), the organisation says: "The (Solvency II) directive will require that (EU) member states ensure that both insurance and reinsurance undertakings have internal processes and procedures in place to guarantee the appropriateness, completeness, and accuracy of the data used in the calculation of their technical provisions ... For companies using internal models, supervisors will be evaluating the quality of data input into the models. They will want to know that the data is consistent and comparable." It is Acord's mission to provide standards to help insurers and the industry in general achieve consistency and comparability of data, and to facilitate the efficient exchange of data. Allianz, ING and L&G are among the Acord members that apply its standards.

For a company - and its regulator - to have confidence in its processes and controls, they must be auditable. Wilson says: "Having auditable processes and controls is one of the prerequisites when establishing the process and controls landscape." Establishing this landscape starts with defining process control standards and guidance notes in such a way as they can be properly audited. Allianz is planning several audits of the overall Solvency II framework in advance of the introduction of the directive, using both internal and external auditors. "Capacity for these audits is appropriately budgeted," says Wilson.

Aviva has used Ernst & Young to audit its economic capital numbers and its approach to their calculation, both at the business unit and group levels. ING, meanwhile, performed an internal and external audit of its processes and controls in 2005 and found many gaps. For example, it discovered an over-reliance on spreadsheets and other non-production systems, as well as a lack of documentation of its processes and controls, and insufficient segregation of duties. "After making significant improvements to processes and controls, another audit was carried out in 2007 which led to positive results and public disclosure of risk and economic capital figures," says Caldwell.

Preventing failures

One of the aims of a controls framework is to prevent risk management failures, and the FSA thought it necessary in September to publish an insurance sector briefing, Risk and Capital Management Update, in response to the financial crisis.

The FSA briefing says the crisis "underlines the importance of firms having appropriate systems and controls for quantifying and managing the risks associated with the assets they invest in". It looks in detail at two challenges presented by the current crisis, managing risk in sharply changing market conditions and managing the risks associated with asset-backed securities; and sets out the kind of processes and controls it expects insurers to have in each case. For example, for the first, it expects insurers to have a documented plan covering how they would respond, a committee or nominated individual responsible for managing the firm's response, and clearly defined triggers that would require the committee or nominated person to act.

Although the briefing was prompted by the market turbulence of the past year or so, the expectations it sets out are relevant to the FSA's regulatory principle 3 that "a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems", and will, therefore, continue to be relevant under Solvency II, says Sarah Wilson, director and insurance sector leader at the FSA and author of the briefing. Insurers will be expected to extrapolate from the guidelines on systems and controls for managing risk in sharply changing market conditions to other risks relevant to their own particular businesses. "We would expect insurers to consider what market events would have the greatest impact on their business and prepare for them accordingly," she says.

L&G's governance mechanisms for preventing risk management failure include a central risk committee as well as local committees in a framework that is continually evolving, says Williams. The company determines the approach that it will take to the management of a risk by its risk type. At the moment, although operational risk is a relatively small percentage of the total risk for a traditional insurance business, it is the area where the company is working hardest to establish robust processes, says Williams. For this, L&G is currently rolling out a third-party operational risk management software package (Williams would not say which one), which provides tools and procedures for assessing risk, establishing key risk indicators, collecting and analysing loss data, and so on.

To minimise failure, ING operates a three-line defence strategy. "The local businesses are responsible for day-to-day risk management, and are the first line of defence as they are the risk takers," says Caldwell. "They are closely watched and monitored by business line and group level risk management, who are the second line of defence, and all of this is audited by internal audit teams - the third line of defence."

Meanwhile, to prevent risk management failure, Allianz has implemented a governance structure and an escalation process for each risk function, with minimum standards that must be checked, such as limits or property and casualty reserving. This is supported by close cooperation between the risk and actuarial and other departments. "In addition, and more importantly, we try to foster an open and trust-based communication channel up and down the risk functional network," says Wilson. Building such a network requires substantial and continual investment, in terms of hiring experienced personnel, giving time to the development of the network and ensuring staff communicate in order to develop a shared view of the business and organisational context, as well as what the most important risk issues are, and the remediation activities required.

Although there is considerable focus at the moment on the development of risk aggregation platforms, with or without the use of replicating portfolios, as the core of a risk and capital management controls framework, the human element also requires careful consideration and appropriate investment. As Wilson says, "Ultimately, investment in this 'software' - the experienced professionals, the communication and so on - is equally as important as the investment in the 'hardware' of reporting systems and models."
