Financial services
Internal audit of an actuarial function
KPMG LLP
High risk areas in actuarial
Financial statement risk
Model risk and control
Regulatory compliance
Economic and pricing risk
Risk management
Key process risk
Key person risk
End-user applications
General risks and potential areas of focus
© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 36509BOS
Financial statement risk
Examples of risk area
GAAP assumptions are inappropriately developed, used improperly or simply not refreshed frequently enough (e.g., for life, mortality, lapse/persistency, expense and economic assumptions, or for P&C or health, lag factors, payment patterns, underlying expected loss rates)
Reserve and/or DAC end-to-end processes are not well controlled from original source to ultimate destination leading to inaccuracies (e.g., valuation process from the admin system data through to the GL, especially if there are manual hand-offs)
Inaccurate or uncontrolled accounting and financial reporting processes (journal entries, consolidation, analytics, rollforwards, sources of earnings, etc.) leading to inaccuracies in the actuarial figures
Unlocking of assumptions is not adequately controlled and documented
AG 43 is a recent regulation related to variable annuities that brings additional risks due to its complexity.
AG 43
Entirely new approach based on company-specific modeling
Aggregate AG 43 Reserve is greater of
The Standard Scenario Amount (Defined Deterministic Assumptions)
OR
The Conditional Tail Expectation Amount (Stochastic – Average of Worst 30% Scenarios, aka CTE 70)
Risks
Not in compliance with AG 43
Inaccuracies or errors
Improperly or insufficiently documented
Lack of completeness
Subjectivity (stochastic assumptions/methodology)
Lack of internal change controls
Available resources are not appropriately skilled or knowledgeable
Model risk and control
Examples of risk area
Lack of inventory of those models being used, including information on purposes and impact/prioritization analysis leads to a lack of understanding of key models for which a control framework should be in place
Reliance on a large number of models which do not follow a consistent governance around the development, controls or usage of those models for key decision-making and/or financials
Legacy systems (internal mainframes, EUAs or commercially available) have pervasive errors that are not observed when looking at year-over-year trends
Lack of governance in the actuarial conversion process (e.g., when converting from one valuation system to another) leading to inaccurate or misleading actuarial figures under the new system
Lack of model validation for those that don’t support non-financial statements items (Economic Capital, Solvency II Internal Model, Cash Flow Testing, etc.)
What is model risk?
Models have become an increasingly important means of evaluating, analyzing and reporting key business information
As the use of models has expanded significantly in recent years, the complexity and risk of these important tools has increased
For better or worse, we are no longer in the “Keep it Simple” world when it comes to models
KPMG’s Definition: “A model is broadly defined as a process within a system that transforms data and/or assumptions into values, inferences, or information for the purpose of valuation or business decision making”
Model risk is viewed as the adverse financial impact caused by:
Incorrect Implementation
Misapplication
Misspecification
Comparison: Model validation versus model risk and control
Purpose
Model validation: Determine the appropriateness of model results (i.e., “does the model work”?)
Model risk and control: Determine the appropriateness of risk control practices governing model development, usage, and change control
Review approach
Model validation: Information component, processing component, reporting component
Model risk and control: Model inventory, risk ranking, control infrastructure, risk management application
Focus areas
Model validation: Model results, model characteristics, results usage
Model risk and control: Source and levels of risk around the modeling process, existence and effectiveness of controls
Internal model validation is a key internal model requirement
Good Practice
Assess appropriateness of modeling methods in achieving its objectives
Identify any issues or errors in your data and calculations
Confidence in the Outputs
Provide confidence in using your internal model to support strategic decision making and risk management
This will help with the use test
Transparency
Assumptions and limitations of the internal model are transparent to your key stakeholders (e.g., Board, Rating Agencies and Regulators)
Benchmark against Peers
Understand where your model sits relative to your peers and prioritize areas for improvement
The scope of internal model validation should be wider than the extent of the model itself – Capital model example
[Diagram: Example definition of Internal Model and its typical components, shown within Internal Model Governance and the Internal Model Validation Framework. Labels: Calibration (Process, Data, Methods, Assumptions); Calculation Kernel; Capital Calculation (Method, Assumptions); Aggregation (Process, Data, Method, Assumptions); Asset Data; Accounting Data; Policy Data; Best Estimate Assumptions; Valuation Method; Tax (if applicable); Economic Balance Sheet; SCR Results; IT & Systems; Documentation; Internal Model Reporting; Internal Model P&L Attribution; Application; Procedures; Use.]
While risk has overall responsibility for model validation, the three lines of defense model can still be used
Validation is a key component of internal model governance and to fully understand its purpose you need to contextualize it within a governance framework
Roles and responsibilities in relation to the internal model can be structured to fit into the ‘3 Lines of Defense’ framework
The Risk Management function often has specific responsibilities in respect of the model:
– Designing and implementing
– Validating
– Informing the Board and senior management about performance, areas for improvement and status updates of development
However, there is flexibility as to how validation is allocated to each operational team
It is important that objectivity is maintained when performing the validation
The “3 Lines of Defense” Framework
Roles and responsibilities in relation to the internal model
Board and Audit Committee
First line: Day-to-day business operations
Modelling team
Risk and control: An established model control environment; Assessment of model risk; Validation processes and tools
Second line: Oversight
Risk function, internal model committee, risk committee
Risk and control: Validation policy and procedure setting; Guidance and direction; Monitoring; Technical review
Third line: assurance
Internal Audit, Third Party
Risk and control: Challenge of model and validation; Technical review; Validation report; Process and controls review
How to achieve objective validation is one area where there has been much debate
There are no rules in relation to how a firm should provide for validation of the internal model
Firms can use one or more of the following approaches to achieve objectivity
– Creating a validation team within risk management function
– Using experts from other parts of the business
– Using internal audit team
– Engaging third party firms
Third party firms can be used to either complement the Risk Management Function or the Internal Audit team
What the firm chooses will depend upon the size and nature of the individual firm. The choice of who carries out the validation will need to balance the ability to establish a team internally with the right capability and cost
[Table: Risk, Internal audit and Third party firms compared on: Review compliance with requirements; Market perspective on peers; Technical challenge of content; Objective; Process & Controls; Numerical Review; Opinion.]
Regulatory compliance
Examples of risk area
Inadequate preparation and analysis for new and emerging regulatory changes (e.g., model audit rule, principle-based approach, IFRS) which is further compounded where there are significant internal legacy models that are complex and not well documented
Lack of compliance with statutory reserving rules (including policy, dividend and claim liabilities), statutory reinsurance, tax reserving, and NAIC RBC requirements
Inadequate documentation of decisions made and rationale due to legacy decisions and low turnover at the senior actuarial level where memories are relied on more than documentation
Solvency II is leading to an enterprise wide view of risk
Complying with new frameworks such as NAIC ORSA
Solvency II: Background
Reasons for failures and near failures
8 Reasons
Lack of understanding of technical provisions
Lack of capital
Lack of integrity around internal processes and systems
No strategic plan
Lack of limits of authority
Ineffective Chairman
Dominant role of CEO
Lack of independent critical analysis
…qualitative business issues were significant causes of failure and impairment
Source: Conference of Insurance Supervisory Services of the Member States of the European Union. Prudential Supervision of Insurance Undertakings. December 2002 (“Sharma-Report”)
Solvency II: Overview
Three pillar structure of Solvency II
Pillar 1: Capital requirements
Minimum capital
Standard model
Internal model
Lower solvency requirements through internal model
Pillar 2: Risk management, supervision process
Internal control & risk management
New area of influence for supervisory authorities
Pillar 3: Market discipline
Support of risk-based supervision through market mechanisms
Disclosure
Capital market requirements are rising
Product ratings: risk management becomes product component
What Risks are Generating Economic Capital?
[Charts: Economic capital split by risk, shown diversified and pre-diversification, for All Participants, Life Insurance, General Insurance, Composite and Reinsurance; risk categories: Market, Insurance, Credit, Operational, Other.]
Source: KPMG Survey of large international insurers.
How do Companies Use, or Plan to Use Capital Models
[Charts: Application of EC – all responses, and Application of EC – North American companies, across Strategic decisions, Pricing/underwriting decisions, Risk management and mitigation, Capital allocation and risk appetite, and Internal and external reporting; series: Current, Planned, Don't Know.]
Source: KPMG Survey of large international insurers.
Solvency II insights (continued)
Solvency II
Significant need to exercise judgment, and not just in IM approval – adequate, comprehensive, complete
Proportionality – relates to the amount of work involved, not whether you comply
There will be disagreement on points of judgment.
Implications for firms
A new operational structure, and new contacts to engage with
A change in the regulatory relationship – focused and (more) challenging
SF firms need to take heed of, and apply, IM type thinking to their projects
What is the NAIC ORSA?
Own Risk and Solvency Assessment (ORSA) is an internal assessment of the risks associated with an insurer’s current business plan over the planning time horizon and the sufficiency of capital resources to support those risks. The proposed effective date for the Model Law is January 1, 2014.
An insurer who is subject to the NAIC ORSA requirement will be expected to file an ORSA Summary report annually or at the regulator’s request, to assess the adequacy of its risk management framework, current and likely future solvency position.
The NAIC’s ORSA objectives:
1. To foster an effective level of enterprise risk management appropriate for the insurer’s own risks.
2. To provide a group-level forward-looking perspective on risk and capital, as a supplement to the existing legal entity view.
Source: NAIC ORSA Manual.
Our view of U.S. ORSA
The U.S. ORSA Summary report should discuss the three major areas, at minimum:
Risk Management Framework
Demonstrate how ERM Framework principles, for managing relevant and material risks, are considered in the formulation and execution of the firm’s business strategy
Assessment of Risk Exposure
Outline the approach for quantitative measurements of risk exposure for each material risk category
Group Risk Capital and Prospective Solvency Assessment
Overlay the qualitative elements of the firm’s risk management policy with the quantitative measures of risk exposure to determine capital needed to manage its business and over a multi-year (2 – 5) business cycle
Summary ORSA comparison – European SII vs. U.S. ORSA vs. FED:
Columns: European ORSA; U.S. ORSA; No Fed ORSA Requirement
Group Basis
Consolidated Global Group not solo entity unless regulated by Fed – standard is Basel and Fed’s own standards
Group/Solo Entity
Documented Risk Framework and clearly defined governance structure
Documented and appropriately approved Risk Framework including Corporate Governance.
Requirement for a risk framework but no formal written submission. Approved risk appetite, tolerances and limits – no requirement to link to capital needs but it is a Fed focus and may apply
Documented Process and Detail Risk Framework considerations and active involvement of board and management
Key Risks Identified
Risk appetite, tolerances and limits
Key Risks Identified
Risk appetite, tolerances and limits – all assessment of emerging risks
Linkage to solvency needs
Stress tests or complex stochastic analyses. Need to create an own view of capital at the group level
RBC, economic capital, rating agency or other views of capital. Group calculation method is not prescribed
Stress tests or complex stochastic analyses – based on macro economic factors
ORSA needs to be aligned to your risk appetite and project out your own funds
Need to perform stress testing for both economic factors and changes in risk assumptions
Business Plan Capital Projection – own view of capital over the business planning cycle
No explicit business planning capital projection reporting requirement. But the annual CCAR process provides a 9 Qtr projection on today’s numbers – Y9C Capital Reporting.
Business Plan Capital and Financial Statement Projection
Need to compare your SCR and projected own funds and understand the differences
Implicit USE test – expectation that it will be used in business decision making process
USE implicit but formally only through Basel II and ICAAP
Explicit ORSA USE Test, internal control requirements
Annual Reporting Requirement to state regulators, more frequently if requested by regulators
No explicit external reporting requirement, but the expectation is that appropriate annual reviews are performed.
Reporting Requirement is annual for the ORSA or if there is a material change
Economic and pricing risk
Examples of risk area
Pricing is not consistent with governance around the pricing process due to resource constraints, time pressures or lack of governance protocols
Assumptions are inappropriately developed, used improperly or simply not refreshed frequently enough (e.g., mortality, persistency, annuitization and economic assumptions)
Inappropriate treatment of different classes of policyholders in pricing and experience adjustments
Inaccurate or uncontrolled analytics and implementation of experience adjustments (e.g., investment, mortality) in participating products
Analytics that are not adequate to assess the true economic risk at time of decision as well as tracking after decision has been made potentially leading to economic (and financial reporting related) surprises later on
Lack of feedback loop on actual performance vs. pricing objectives.
Price governance and risk created by insurance pricing cycles
Balance sheet and income statement risk for Property/Casualty companies stems in large part from pricing risk. Effective price governance helps manage this risk
The importance of price monitoring on accurate financial reporting is underscored by Sarbanes-Oxley compliance, Lloyds requirements, and is often discussed by rating agencies
Integration of price governance with corporate planning is key for setting appropriate plans and objectives and setting goals to achieve them
Integration of price governance with underwriting strategy is key for accomplishment of underwriting objectives
Price governance for Life & Annuity companies challenging due to the long term nature of some products and potential inability to re-price.
Historical Loss Ratio Results: Recorded at 12 Months Compared to Ultimate at 12/31/2011
[Charts, 1987 to 2011: Industry Reinsurance B ex Munich Re & Gen Re; Industry Commercial Auto Liability; Industry Workers' Compensation; Industry General Liability Combined. Series: Reported Loss & DCC Ratio 12 months; Reported Loss & DCC Ratio @ Latest.]
Source: SNL Financial composite Schedule P.
Climbing the continuum: Various stages of price monitoring capabilities in P&C insurance
Reconciling Price Monitoring Data to Financial Systems
Measuring and Acting in Real Time
Automating Data Feeds from Policy Systems
Capturing Changes in Classifications
Capturing Other Changes in Terms and Conditions
Capturing Changes in Limits, Deductibles, Term
Basic Monitoring of Renewal Price Changes
Establishing a Standard Benchmark to Measure New Business
Climbing the Price Monitoring Pyramid!
Personal auto liability – Frequency Trend vs. Loss Ratio
Loss ratio tends to follow frequency trends as companies respond to changes only after a lag. As frequency trend has turned up, so has the Personal Auto loss ratio.
[Chart: Personal Auto Liability Loss Ratio plotted against Cumulative Frequency.]
Sources: Personal Auto frequency trend is compiled from various industry participants. Personal Auto loss ratio is from Schedule P for the aggregate industry from Highline Data Services
BI trend industry benchmarks – Frequency to EP
[Chart: BI Frequency Trends – Indexed from 2002; series: Co. A, Co. B, Co. C, Co. D, Composite.]
Sources: Company data
Sources of change in price adequacy
Changes in use of credits
Changes in quality of risk/underwriting quality
Changes in distribution of business by class/product/line/coverage
Changes in policy terms and conditions
New vs. renewal mix of business
Changes in reinsurance usage impacting net lines
Changes in the external environment:
– Judicial, court decisions, legislative, and regulatory
Changes in economic trends such as inflation.
Changes in policyholder behavior
Risk management
Examples of risk area
Ineffective or uncontrolled risk management around mortality and policyholder behavior
ALM process not robust or timely enough to capture emerging trends and react quickly
Complex equity-based products and hedging strategies
Lack of harmonization of actuarial risk management methods, formal or informal, with the broader enterprise-wide risk management structure and quantifications
Keeping the ERM Process to industry standards
Industry observations
ERM Component: Common Practice
Risk Governance: The principles of risk governance are reasonably well established, but application varies widely.
Risk Appetite Policy: Risk appetite policies are maturing but in many cases are not yet fully integrated into planning and strategy. Board involvement in setting policies varies considerably across the industry.
Risk Measurement: Measurement of major individual risks (e.g., catastrophes, lapse risk) is well established. Other risks remain difficult to measure (e.g., operational risk).
Risk Aggregation: Aggregation of risks into a complete view of required capital is new or emerging for leading insurers and aspirational for many others. Many companies default to factor based methods.
Risk Reporting: Risk reporting is increasingly important as insurers move from prototype to business as usual reporting. Efficient use of existing management reports and developing additional risk analytics where gaps exist are common priorities.
Key process risk
Examples of risk area
Lack of robust process around areas of actuarial judgment leading to an uncontrolled environment (e.g., assumption-setting practices for pricing or financial statement items)
End-to-end processes are not well controlled from original source to ultimate destination leading to inaccuracies (e.g., valuation process from the admin system data through to the GL – considering automated vs. manual hand-offs along the way)
Inaccurate or uncontrolled accounting and financial reporting processes (journal entries, consolidation, analytics, rollforwards, sources of earnings, etc.) leading to inaccuracies in the actuarial figures
Key person risk
Examples of risk area
Resources not aligned with or focused on the priority risks leading to inherent issues across-the-board (e.g., too many actuarial hours spent processing and not enough time spent analyzing)
Over-reliance on a few key individuals leads to issues when key individuals are otherwise compromised from performing their tasks
Reorganizations or frequent turn-over by choice or otherwise (e.g., actuarial student rotations) leads to a lack of comfort with those items being prepared
Over-reliance on third parties due to resource or other constraints leading to a compromised control environment
End-user applications
Examples of risk area
No control over end-user applications in terms of change management and documentation may lead to incorrect decision-making and/or financials
Lack of understanding of the extent of dependency on EUAs may be an indicator of a risk as these are used frequently by actuarial areas, often without rigorous controls in place
EUAs prepared to support quick decision-making without robust governance around the development and sign-off protocols of the EUA (e.g., M&A activities or reinsurance decisions)
General risks for internal audit
Data
– Policyholder data is inaccurate, incomplete or improperly coded
– Control Activities
Reconcile total to independent source
Review system generated control reports
Review of change control procedures (e.g. admin systems)
Assumptions Setting
– Coded assumptions are incorrect or inconsistent with recent or anticipated experience
– Assumptions not in compliance with AG 43; not adequately justified/documented
– Scenarios not in compliance with AAA recommendations; not adequately justified
– Improper coding/mapping of funds in the system/models
– Poor choice of economic scenarios
Management Estimates
– Lack of robust process around development of estimates
Potential focus areas for internal audit
Risk and Model Assessments
– Comprehensive Risk Assessment
– Model Risk and Control Broadly or Valuation-Specific
– Model Validations for identified financial statement items or other key decision-making models
Process/Control-Focused Reviews
– Comprehensive Review of Targeted Process(es) on a Staggered Basis (e.g., Pricing, reserving, product management, assumption-setting, financial reporting, etc.)
Product-Focused Reviews
– New Products – pricing to Valuation to Model Set-Up
– Comprehensive Review by Product/Department on a Staggered Basis (as part of good governance)
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.