Proposal For Enterprise Risk Management Evaluations

January 23, 2019

Key Takeaways

- S&P Global Ratings is proposing a new product to analyze and evaluate insurance companies' enterprise risk management (ERM) practices.

- The ERM Evaluation is not a credit rating.

- The evaluation would include scores on risk culture, risk exposure management, and risk optimization, and scores on subfactors that affect risk exposure management, to arrive at our overall ERM Evaluation.

- We are seeking feedback on our proposed ERM Evaluation framework from investors, issuers, and intermediaries.

S&P Global Ratings is seeking feedback on a potential new Enterprise Risk Management (ERM) Evaluation product, which we are proposing be based on our newly developed framework for evaluating and scoring ERM. The ERM Evaluation is not a credit rating.

Our ERM Evaluation provides a prospective view of an insurer's potential risk profile and change in capital position related to movements in risk drivers. Our evaluation of insurance companies' ERM assesses whether an insurer executes risk management practices across the enterprise in a systematic and consistent manner, and the extent to which it effectively limits key risks within its appetite to optimally achieve its business goals and objectives.

The final outcome will reflect S&P Global Ratings analysts' qualitative opinion of a company's ERM practices, informed by interactive discussions with senior management. The evaluation will utilize data that entities supply directly and will incorporate other data, where available. The proposed ERM Evaluation is not a credit rating, a measure of credit risk, or a component of our credit rating methodology. However, the information we gather for an ERM Evaluation can inform our credit analysis of rated entities. The ERM Evaluation will be a stand-alone, on-request service and separate from our credit ratings.

We look forward to receiving your feedback to our proposed ERM Evaluation framework and to discussing our approach on this important issue with investors, issuers, and intermediaries. To access the survey feedback platform, please paste into your browser: https://spconsumerinsights.co1.qualtrics.com/jfe/form/SV_3wmyAbWoD3dKBH7.

PRIMARY CREDIT ANALYSTS

- Robert N Roseman, New York, (1) 212-438-7236, robert.roseman@spglobal.com

- Stephen Guijarro, New York, + 1 (212) 438 0641, stephen.guijarro@spglobal.com

- Olivier J Karusisi, Paris, (44) 20-7176-7248, olivier.karusisi@spglobal.com

- Katilyn Pulcher, ASA, CERA, Chicago, (1) 312-233-7055, katilyn.pulcher@spglobal.com

- Miroslav Petkov, London, (44) 20-7176-7043, miroslav.petkov@spglobal.com

- Charles-Marie Delpuech, London, (44) 20-7176-7967, charles-marie.delpuech@spglobal.com

See complete contact list at end of article.

www.spglobal.com/ratingsdirect


ANALYTICAL APPROACH

Our proposed ERM Evaluation consists of three sections--risk culture, risk exposure management, and risk optimization. Risk exposure management consists of the following subfactors:

- Risk tolerance,

- Risk controls,

- Emerging risk management,

- Model risk management, and

- Liquidity risk management.

We would assess each of the three sections and then combine our assessments to derive an insurer's overall ERM Evaluation.

We evaluate an insurer's ERM as superior, strong, good, adequate, or deficient, based on our assessments of the three sections, which we score as favorable, appropriate, or unfavorable. In the risk exposure management section, we have five subfactors, which we score as favorable, appropriate, or unfavorable. We do not provide characteristics deemed appropriate, but rather our assessment is based on our analytical judgment and typically indicates aspects we view as favorable and unfavorable.

Table 1 illustrates our typical scoring approach for an insurer's ERM. Our final overall evaluation is based on the degree of favorability within each score and may be higher or lower than indicated in table 1, typically by up to one category. The evaluation is evidence-based. An insurer receives an unfavorable score for any of the three sections where, due to a failure to disclose to S&P Global Ratings key risk management information, evidence is insufficient to assign either a favorable or appropriate score.

Table 1

Overall ERM Evaluation Scoring*

| Evaluation§ | Risk culture | Risk exposure management | Risk optimization |
|---|---|---|---|
| Superior | Favorable | Favorable | Favorable |
| Strong | Favorable | Favorable | Appropriate |
| Good | Favorable | Favorable | Unfavorable |
| Good (--Or--) | Appropriate | Favorable | Favorable, appropriate, or unfavorable |
| Adequate | Favorable or appropriate | Appropriate | Favorable, appropriate, or unfavorable |
| Deficient | Favorable, appropriate, or unfavorable | Unfavorable | Favorable, appropriate, or unfavorable |
| Deficient (--Or--) | Unfavorable | Favorable, appropriate, or unfavorable | Favorable, appropriate, or unfavorable |

*Our final overall evaluation is based on the degree of favorability within each score and may be higher or lower than indicated in table 1, typically by up to one category.

§Evaluations are made in the context of the insurer's risk profile.

We evaluate overall ERM and the individual sections and subfactors in the context of an insurer's risk profile. We evaluate an insurer's risk profile based on the potential volatility of its risk capacity and its capital buffer available to absorb its potential losses above a defined threshold. We may classify a company's overall risk profile or certain of its subsector risk profiles as having high or low volatility based on our view of its inherent riskiness (absent any hedges or other controls) and its capital buffer, if such risk profile is influential to our evaluation.

We believe highly complex risks could cause a significant loss of capital and earnings and are highly uncertain, especially when they're long term. Therefore, to achieve the most favorable assessments, a more robust ERM framework is typically necessary for an insurer with high volatility. Typically, we would view companies with significant exposure to risks such as natural catastrophes, reserve volatility on long-tail casualty business, or financial market volatility as having highly volatile risk profiles. Our low volatility evaluation may include insurers not significantly exposed to these types of risk or those that consistently retain significant excess capital relative to their risk profiles (as a form of risk management).

Risk Culture

The evaluation of the first ERM section, risk culture, focuses on the importance an insurer accords to risk in all key aspects of its business operations and corporate decision-making. Because risk culture encompasses all aspects of the ERM framework and all the ERM subfactors are interconnected, evaluating this section requires consideration of the overall ERM framework. Therefore, our analysis of risk culture focuses on an insurer's philosophy toward risk, including its risk governance, risk reporting and communications, risk appetite framework, and incentive compensation structure. Our evaluation assesses the degree to which there is broad understanding and participation in risk management throughout the organization.

We focus on the following key areas of risk management culture:

- Risk governance,

- Risk reporting and communication,

- Risk appetite framework, and

- Incentive compensation structures.

Risk governance and risk reporting and communication

A formal, well-defined, and independent risk governance framework and ERM organization structure with effective communication and reporting, both internally and externally, are fundamental to an effective ERM framework, and we view these attributes favorably.

We view favorably insurers with established enterprise-level functions that aggregate and manage risks with an enterprisewide view, taking into consideration correlation and diversification. Additional attributes we view favorably include a well-defined and independent ERM governance structure that supports effective risk management at an enterprise level. Such governance structure typically involves guidance and oversight from the board of directors (or equivalent), a dedicated ERM function led by a well-qualified senior executive and risk management functions at the business unit level, and a clear definition of roles, responsibilities, and reporting relationships. We believe these cultural attributes foster accountability, transparency, and behaviors supported by the relevant regulatory and legal regimes (i.e., ethical behavior). We view favorably an ERM function that has been in place for several years, has high visibility, and carries significant authority within the organization.

Additionally, insurers that have effective risk committees, both at the enterprise and business unit levels, supported by significant resources committed to day-to-day execution, are favorable. We also view favorably a long-standing culture of risk communicating and sharing, supported by a set of comprehensive and frequent risk reporting around all key areas of risk exposures both internally (to the board, senior management, and business units) and externally (to regulators, investors, and analysts). Evidence of learning from past mistakes and being open to discussing such mistakes with external constituents are positives in our evaluation.

We view unfavorably cases where we believe a board and senior management lack a thorough understanding and appreciation of the importance of ERM and have insufficient active involvement in the ERM process. We view unfavorably the absence of dedicated resources to risk management, unclear risk ownership and reporting lines, and sporadic/ad hoc board-level risk discussion. We view unfavorably insurers that manage risk in silos that have limited cross-functional communication without an enterprise-level risk view or risk supervision. We also view unfavorably insurers that lack effective or sufficient internal and external risk communications to the board or other constituents.

Risk appetite framework

We define risk appetite as an expression of the amount and type of risks an insurer is willing to assume to meet its planned objectives and is intended to align its risk taking with its business goals, strategies, and performance expectations, as well as to create and preserve value or optimize capital management and earnings/profitability. In short, we believe risk appetite defines an insurer's inclination for volatility and uncertainty.

The risk appetite statement may document overall company objectives; risk strategy; preferred risks; undesirable risk (aversion); risk capacity; allocation of risk; minimum levels of regulatory, rating agency, or economic capital; earnings volatility limits; and credit rating maintenance. We believe the inclusion of an appetite for operational risk may add value in some instances. We determine the degree to which the risk appetite statement shapes an insurer's defined risk tolerances, which we view as a favorable attribute of an ERM program. Risk appetite frameworks vary between companies (for example, the type of risks assumed), and we believe an aggressive risk appetite necessitates a more robust ERM framework to manage risk within chosen risk tolerances.

We view a well-defined risk appetite framework--that supports an effective risk selection process that clearly articulates risks that are preferred and risks that should be avoided--as critical to a successful ERM program. We view favorably a well-defined risk appetite framework that's developed with significant participation of senior management and business units and active involvement of the board of directors and is aligned with the organization's strategic goals, resources, and value proposition.

A clear rationale supporting chosen risk tolerances and limits, which can be easily communicated to all levels of the organization, is also favorable, as is the ability to articulate the direct linkage between enterprise risk appetite, risk tolerances, and risk limits and policies. We also view favorably the inclusion of both quantitative and qualitative objectives, such as reputational risk and investor perception, that align the interests of stakeholders, the board, shareholders, and senior management.

We view unfavorably insurers with risk appetites that are less clearly defined or that don't include all key risk exposures, are not directly linked to overall risk tolerances, or are not effectively cascaded to all levels of the organizations. We also view unfavorably a risk appetite that is unclear or inconsistent. The absence of a formal risk appetite statement would likely affect our view of risk culture because it is more challenging for an insurer to disseminate the types of risks it wants to take across the organization without one.

Incentive compensation structure

A compensation structure that uses metrics that align employee behaviors with strategic goals and objectives and longer-term performance targets, rather than those incentivizing excessive risk-taking for short-term gains or other nonaligned behaviors, is an important element of an effective risk culture. In evaluating an insurer's incentive compensation structure, we evaluate the degree to which it seeks to avoid excessive risk-taking by using a variety of risk-adjusted metrics that tie compensation to a balance of growth and profit measures (e.g., risk-adjusted return on capital) across the enterprise over different periods of time, rather than non-risk-adjusted targets, such as sales volume. We also determine the extent to which a company uses techniques such as deferred compensation and "clawbacks" to further align its interests with employees' actions. We also look at whether compensation practices are reviewed by independent external parties to assess the effectiveness of the compensation structure in discouraging excessive risk-taking or actions not aligned with company interests.

Risk Exposure Management

Our risk exposure management analysis considers risk tolerance, risk controls, emerging risk management, model risk management, and liquidity risk management. We assign scores of favorable, appropriate, and unfavorable to each of these five subfactors as well as separate scores for credit, market, insurance, and operational risk controls. Our overarching scores for risk controls and risk exposure management are influenced by the individual scores and their importance to the specific enterprise. The overall risk exposure management score is favorable, appropriate, or unfavorable based on the subfactor scores and their importance to the specific enterprise.

Risk tolerance

We view risk tolerance, which defines the quantitative thresholds/boundaries or acceptable range of outcomes and risks an insurer is willing to assume aggregated across the organization (may include upper and lower boundaries), as a critical part of risk exposure management. Risk tolerance is an indication of the potential for capital and earnings volatility, and therefore may necessitate more or less robust risk controls.

In effect, we view risk tolerance as the company's potential risk exposure or willingness to assume risk, which may be larger than its existing exposure. We view risk capacity as the maximum level of risk an insurer can assume given its current resources, such as capital and reinsurance, before breaching constraints determined by metrics relating to regulatory capital, ratings agencies, liquidity needs, stakeholders, and financial obligations, which we take into consideration when evaluating the company's risk tolerances.

In situations where exposure levels are significantly below risk tolerances, we typically consider the increased exposure and potential volatility that would arise if the company increases its exposure levels near the tolerance limits. Where a risk tolerance for a specific risk consumes a significant portion of capital or other resources, we may view its corresponding risk controls more critically.

We evaluate risk tolerance by considering the following:

- Appropriateness of risk tolerance relative to risk capacity (comparison with peers as a percent of capital and relative to capital buffer, ratings stability);

- Consistency between the risk appetite and the risk tolerance;

- Consistency between the metrics used in risk tolerance and those used in risk limits across the organization;

- The methodology and approval process used to derive risk tolerances including quantification;

- The risk tolerance breach escalation process or actions taken if tolerances are violated (breached), such as required escalation to specified senior managers; and

- Method used to allocate risk by risk driver when companies budget risk by type.


We would likely view favorably the following factors when evaluating risk tolerances:

- Robust process for setting risk tolerances with significant oversight from senior management and the board;

- Risk tolerance metrics that are consistent with limits at the business level;

- Risk tolerances that consider each material risk (e.g., credit, interest rate, equity) and product type;

- Multiplicity of metrics (e.g., earnings volatility, economic capital, capital ratios);

- Frequent risk tolerance testing and risk tolerance reassessments;

- Clearly defined stress scenarios and time periods (e.g., one year at a defined confidence level);

- Balance between board and business involvement in setting risk tolerance;

- Consideration of emerging risks (i.e., an understanding of the limitations of models/metrics on formerly unknown risks); and

- Capacity to satisfy potential losses at maximum potential exposure, as defined by risk tolerance.

We would likely view unfavorably the following factors when evaluating risk tolerances:

- Weak linkage between risk limits and risk tolerances (for example, tolerance for interest rate risk expressed in dollars and limit expressed in Macaulay duration);

- Ambiguous governance when applying limits that change under different economic or market environments (i.e., economic conditions or market environment is not clearly defined);

- Limited number of risk metrics used to derive risk tolerances or all material risks not captured;

- Infrequent assessments of risks relative to risk tolerances;

- Informal risk tolerance breach escalation process;

- Method used to allocate/budget risk by risk driver that is somewhat arbitrary and not based on risk optimization; and

- Lack of capacity to satisfy potential losses at maximum potential exposure, as defined by risk tolerance.

Risk controls

We assess risk controls based on our view of an insurer's ability to measure, monitor, and limit its risks and its ability to keep its losses within its defined risk tolerances. We analyze the processes and procedures insurers employ to manage their key risk exposures, including insurance risk (e.g., biometric, underwriting, catastrophe, and reserving risks), credit risk (e.g., fixed-income, counterparties, real-estate mortgage/loans), equity risk, foreign exchange risk, interest rate risk, and operational risk, which includes cyber risk. Our evaluation focuses on the risk controls that are most relevant given the insurer's business and risk profiles. We focus on the insurer's techniques for aggregating risks across risk drivers at the business level and/or enterprise level. Risks related to assessing potential mergers and acquisitions (M&A) are considered in our assessment of risk optimization.

We assess an insurer's individual risk controls of its material risks as favorable, appropriate, or unfavorable (see table 2). Our opinion of the relative importance of each risk to the insurer's overall risk profile determines each score's impact on the overall risk controls score. In general, we assess overall risk controls as favorable when we score a majority of the relevant individual risk controls as favorable. For insurers with limited exposure to a risk, we may not view unfavorably a program with relatively simple risk controls if it is commensurate with the exposure levels.

There are three main aspects of the risk control process we consider: risk identification, risk metrics and exposure, and limits and management. These include risk measurement and monitoring, risk limits and standards, the procedures to manage risks to stay within limits, and the execution and the results or effectiveness of such risk control programs. We also consider risk limit enforcement processes and the insurer's practice of learning from its own, or the industry's, experiences. The comprehensiveness and effectiveness of these aspects influence our final score for each risk control.

We view favorably an insurer with risk control programs in place that consistently and effectively identify, measure (model), monitor, and manage the risk exposures and demonstrate a track record of managing risk exposures within predetermined risk tolerances, particularly during stressful periods. Such programs are generally a result of established risk-specific risk management structures that comprehensively identify risk exposures from all sources, employ frequent risk monitoring and risk reporting using multiple appropriate risk metrics, have formal and clearly communicated risk limits, and use multiple risk mitigation strategies to proactively contain exposures within risk limits.

We view favorably clearly defined risk limit enforcement policies that promptly address breaches of risk limits. We also view favorably an insurer that continuously reviews its program's effectiveness to make improvements based on new developments as well as lessons learned.

We view unfavorably a history of incurring losses outside risk tolerances or prolonged breach of risk limits without justification, which we view as evidence of weak or inappropriate risk controls. We view unfavorably inconsistent or incomplete processes to identify risk exposures from all sources of a given risk. Additionally, informal and infrequent risk monitoring and reporting, applying overly simplistic risk metrics, or lack of formal and well-communicated risk limits are weaknesses to the risk control framework.

Emerging risk management

In our evaluation of emerging risk management, we consider how an insurer addresses evolving risks that are not a current threat but may cause potential losses in the future. We evaluate an insurer's ability to determine the likelihood, impact or severity, and velocity of the risk (speed of potential change), as well as its ability and willingness to mitigate the risk such that it does not significantly affect the company or its ability to opportunistically take advantage of the risk (level of preparedness if those emerging risks materialize). The source of such risks includes the regulatory environment, the physical environment, the macroeconomic conditions, globalization, connectivity, medical developments, and other industry disruptors.

When we evaluate a company's risk identification process, we look at its ability to leverage both internal and external informational resources across multiple functions. We also consider the company's definition of emerging risks, which is integral to the process and varies across the industry.

We view favorably well-established processes to consistently identify, assess, monitor, and potentially mitigate the threat of identified emerging risks with techniques to quantify the probability of occurrence, the velocity, and the impact or severity of emerging risks on the insurer. These risks may have a quantitative or qualitative impact on an insurer's reputation, liquidity, capitalization, financial performance, and ability to execute its strategy, and we view favorably the ability to apply risk-mitigation techniques and develop contingency plans to address them.

We also view favorably formal governance around emerging risk and an emerging risk committee with cross-functional representation and formal documentation and communication (reporting) processes, which may take the form of a risk dashboard. Assigning ownership of emerging risks to individuals within the organization with clearly defined frequency of monitoring--with greater focus on more likely events--is an effective practice, in our assessment. We also view favorably companies that provide evidence of mitigating risks to decrease vulnerability prior to emergence, as well as companies that provide evidence of having created strategic business opportunities or new products from emerging risks.

We view unfavorably insurers that fail to quantify or subjectively assess the potential impact or severity of emerging risks or have experienced outsize losses due to past failures to identify emerging risks and haven't shown sufficient evidence of having learned from such experiences or taken actions to mitigate emerging risk.

Model risk management

Model risk management (MRM) is an integral part of a robust ERM framework. Models are usedextensively to measure risk exposures, test risk correlation and diversification, validate riskmitigation strategies, and quantify capital requirements for a given risk profile.

We analyze two major aspects of MRM: inventory and utilization and governance and validation.Inventory and utilization considers the type of models used to assess risks, such as credit, market,insurance, and operational risks in stress testing, capital allocation decisions, pricing, valuation,and projections, as well as enterprise risk aggregation. Typically, governance and validationbroadly considers documented procedures on model development and assumption setting, modelrisk evaluation, model controls, model validation, and reporting and communication. In our view,these practices mitigate the risk of misinformed business or risk management decisions arisingfrom model errors, assumption errors, and errors in interpretation relating to the insurer's modelsand model applications.

Typically, in cases where an insurer has an economic capital model (ECM), we broadly assess itstechniques for capturing risk diversification and concentration (e.g., correlation) and its techniquefor risk aggregation when deriving its economic capital (EC). In our evaluation of an insurer's ECM,while we do not go into granular detail, we seek to gain an overview of how an insurer identifies,captures, and quantifies its risk exposures and whether it incorporates material considerations inits ECM.

We typically determine whether an insurer uses a stochastic and/or deterministic modelingapproaching. We view stochastic modeling as providing some advantages over deterministicmodeling. However, we view favorably an insurer applying a combination of the two approachesrather than a single approach. We typically consider the process and governance framework todetermine the assumptions and parameterization of its models.

We evaluate the extent to which an insurer uses sensitivity analysis to determine the appropriateness of alternative assumptions and parameters. We evaluate how well an insurer optimizes its data processing into its ECM and generates meaningful output. We typically consider management actions such as hedging and capital fungibility. Lastly, at a high level, we typically consider the methodology used to capture the relevant risk drivers, such as biometric risks, credit risk, and market risks, including interest rate risks.

Inventory and utilization. Our evaluation of inventory and utilization focuses on assessing the robustness, consistency, and completeness of an insurer's risk models, including its development and use of an economic capital model, if any. We look at the comprehensiveness and quality of the risk models used, the breadth of model utilization, the risk metrics modeled, the methodology, data and assumptions used, how the model results are used, and whether model limitations are understood by the risk managers and senior management.

We view favorably risk model systems that capture all of an insurer's material risk exposures and the interrelation between risks with comprehensive risk metrics. Insurers with the capability to apply an ECM to derive EC on a granular level (by risk type across the enterprise) and perform both stochastic and deterministic modeling supplemented with robust extreme scenario stress testing, where relevant, are also favorable. However, the use of such an EC model is not a prerequisite for a favorable score. We view favorably insurers that fully understand model risks and compensate them with thoughtful judgment whenever possible. We also view favorably companies that effectively apply advanced techniques leveraging big data, such as predictive analytics and artificial intelligence, to improve the management of their exposure.

We view unfavorably insurers that apply assumptions that are inconsistent across various business units or not representative of the risks, apply limited stochastic modeling, lack an understanding of model limitations, and lack sophistication of modeling applied to capture certain risk drivers relative to the complexity of its risks (less comprehensive and less robust models).

Governance and validation. Our evaluation of governance and validation focuses on the management and control of model risk, including documented procedures, model risk evaluation, model controls, model validation, data quality and assumptions, and reporting and communication that establish procedural discipline. We evaluate the robustness of the validation process by assessing the processes and activities of the model owners, risk management, and internal audit. Additionally, we evaluate an insurer's model risk tiering system in consideration of staffing levels and materiality and complexity of the models being validated. For models that are more complex or pervasively used, we would expect a higher level of scrutiny, including more frequent validations, especially for more advanced modeling techniques such as artificial intelligence (where the model is more of a "black box"). We also evaluate an insurer's ability to attract and retain talent needed to properly implement and maintain highly complex models, if used.

We view favorably a rigorous model governance process where models undergo validation in which companies determine how material their model risks are according to a tiering system, which helps to use resources effectively. We also view favorably companies that consider the potential amplification of model errors when models are used across different business units (i.e., a small error across many models or business units may have a significant impact).

We view favorably when the staffing resources applied to validate models are consistent with the inventory and complexity of the models. We also view the incorporation of risk-reducing components in the application of a model, with the goal of avoiding improper usage, as favorable. Companies that employ a data validation process, transfer data cleanly, and use granular, high-quality data appropriate for their application are viewed favorably too. And a specific governance committee that ensures consistency of assumptions across the enterprise is also favorable.

We view a less formalized model governance process and a less robust model validation process unfavorably. We view unfavorably companies that have an undefined data quality process or lack the ability to derive data from multiple sources in consistent formats (concerns over transfer of data). An undefined tiering process that results in an inefficient use of limited resources is also unfavorable. And we view unfavorably companies that have limited documentation for the rationale of assumptions used and methodologies applied.

Liquidity risk management

We view liquidity risk as the risk of an insurer, even if adequately capitalized, lacking sufficient available cash flow, collateral, or other resources to meet its obligations as they become due, or only being able to secure them in a severely disadvantageous and uneconomical manner. The sources of liquidity risk may include payments relating to insurance obligations (e.g., catastrophe [CAT] claims, annuity and life insurance payments, commissions), debt payments, collateral-posting requirements on reinsurance agreements or relating to credit support annexes (CSAs) on over-the-counter (OTC) derivatives, and variation margins on exchange-traded derivatives, which are influenced by rating triggers, covenant requirements, and confidence sensitivity on liabilities.

Liquidity risk management is viewed in the context of an insurer's liquidity profile, and, therefore, a practice that is favorable for one company might be less favorable for a different company. For example, a personal lines company with little exposure to CAT risk would be viewed differently than a company with monoline operations focused largely on CAT risk. In our evaluation, we determine whether the formalized liquidity risk management framework includes clearly defined roles and responsibilities (for example, responsibility for reporting and decision-making). We typically review standards for identifying and reporting liquidity risk, including the establishment of limits and a limit breach policy and status of limit compliance, categorization of the level of funding requirements, applied modeling methodologies, and contingency plans under a liquidity crisis.

We evaluate an insurer's ability to effectively measure liquidity risk by forecasting cash flow and collateral liquidity needs in both a normal and stressed environment and reflecting all major sources and uses of liquidity. We evaluate the comprehensiveness of the insurer's liquidity risk management in considering the impact on liquidity of potential market movements such as foreign exchange rates, interest rates, and equity levels on liability draws, collateral-posting requirements, and the value of eligible collateral held. We evaluate its ability to consider stressed single liquidity events and events over extended periods as well as the potential impact of events and risks that may be correlated (for example, multiple significant CAT events), especially for monoline companies.

We determine whether the forecasting period applied in the company's liquidity modeling allows sufficient time to take actions to maintain sufficient liquidity resources to absorb these risks. Resources may include appropriately liquid securities, securities lending, repurchase agreement arrangements, and committed backup liquidity facilities.

We evaluate the tolerances and limits established as well as the rationale for them, which may include asset-liability mismatch limits, asset position limits, and probable maximum loss (PML) thresholds or minimum levels of liquidity support, which may include securities lending and repurchase lines or bank liquidity facilities. We also evaluate the assumed transferability of funds between entities.

We view favorably a robust liquidity stress-testing framework that includes the impact of relevant stressed market movements that may drive liability cash flows, variation margin requirements, and collateral posting on OTC derivatives, and may change the value of eligible collateral held. We view favorably preplanning for stressed environments that considers possible actions given the potential for multiple stressed events that happen concurrently--for example, a downgrade leads to less access to liquidity resources at the same time collateral-posting requirements increase. We typically seek to understand whether the framework delineates the amount of assets that can be immediately sold or used as collateral by required currency.

We view favorably reporting frameworks that provide information necessary for senior management or board members to make decisions and consider options in an expeditious manner. We also view favorably companies that consider the implications of liquidity in their product design and strategic asset allocation and perform contingent liquidity planning.

We view committed contingent liquidity lines favorably relative to uncommitted lines, as well as companies that maintain a presence in their chosen funding markets (e.g., securities lending). We also view favorably participation by an asset-liability management (ALM) or similar committee in the development of the investment strategy and strategic asset allocation in consideration of liquidity relating to products and potential collateral requirements. An insurer that performs timely reviews of the suitability of its limits, methods, and assumptions for analyzing and assessing liquidity risks in the context of its changing business mix and external conditions is also viewed favorably.

We view unfavorably a liquidity framework that does not fully capture the potential impact of market movements in its liquidity modeling and does not fully consider the asset illiquidity that may occur in severely stressed financial markets or other stressed events, such as the termination of a reinsurance or derivative contract. We view unfavorably when fractured systems are used to model data that are aggregated in a cumbersome way to measure liquidity.

Liquidity reviews that are not frequent enough to capture potential movements in factors that may affect liquidity--such as market movements and changes in business profile--are also unfavorable. In addition, we view unfavorably liquidity management plans that do not consider the correlation between liquidity events or anticipate the impact that market turmoil can have on liquidity when relying on the liquidation of a large concentration of other than the most highly liquid assets in a systemic liquidity crisis (e.g., the financial crisis).

Risk Optimization

Risk optimization is the process by which insurers facilitate the optimization of risk-adjusted returns, starting with a view of the required risk capital and a well-defined and effective process for allocating capital among different products, lines of business, and risk drivers. We assess an insurer's ability to optimize risk-adjusted returns when evaluating and prioritizing strategic options, pricing products, allocating capital, and making M&A decisions based on a risk-reward rationale that is consistent across the company and is aligned with the company's long-term goals, strategies, and key stakeholder objectives. When evaluating metrics of risk-adjusted returns between companies, we consider the different stress levels, correlation impact, assumptions, methodologies (e.g., VaR, deterministic), and calculation basis (i.e., STAT, GAAP, economic), which often includes the use of an ECM.

Our evaluation is supported by evidence of an insurer making strategic decisions based on its economic risk/reward metrics that are consistent with its risk appetite. We also view favorably an insurer incorporating business considerations, such as competitiveness and diversification benefit and impact on capital buffer and regulatory and accounting considerations, in its ERM framework. The evaluation considers the choice and outcome of the strategic decisions and, more importantly, the risk/reward rationale underlying the insurer's chosen strategy.

Mutual companies often allocate capital with the goal of supporting the expansion of their policyholder base rather than maximizing returns to shareholders. Therefore, we evaluate mutual companies on how effectively they use higher risk/return or opportunistic businesses to support the growth of foundational/core businesses and their defined business goals, as well as to maximize value to policyholders.

We would likely view favorably an insurer that executes consistent and effective risk-reward analysis in its strategic planning, product pricing and repricing, strategic asset allocation, reinsurance strategy and net retained risk profile, new risk-bearing initiatives (including M&A and entry into new markets), capital and/or economic capital budgeting, and optimization of risk-adjusted returns.

We view favorably companies that provide evidence of deriving targeted risk-adjusted returns across their business units. We review evidence of a track record of successful execution of a strategic risk management program, which may include better-than-peer risk-adjusted returns and successful M&A that is consistently accretive on a risk-adjusted basis and incorporates lessons learned from previous decisions. We also view favorably insurers that include evidence of using model results extensively in ERM decision-making.

We would likely view unfavorably an insurer that doesn't apply consistent metrics or an effective methodology to allocate risk-based capital to the different businesses across the organization or does not reflect other considerations that may be relevant. Cases where a process has been recently developed and, therefore, the company does not have evidentiary history could also negatively affect our view.

APPENDIX: EVALUATING INDIVIDUAL RISK CONTROLS

Here we provide examples of how we evaluate the individual risk control subfactors. For each of an insurer's major risks, we assign one individual risk control score based on the overall effectiveness of the risk control processes, including the quality of risk identification, risk measurement and monitoring, the comprehensiveness and robustness of risk limits and standards, the rigor of the procedures available to manage risks to stay within limits, and the execution and effectiveness of such risk control programs. We also consider risk limit enforcement processes, and the insurer's history of learning from its own, and the industry's, experiences.

Table 2 provides some examples of how we analyze various aspects of the risk control process in assigning an individual risk control score. We provide examples of key characteristics that we would view favorably and unfavorably for each risk factor. We do not list characteristics deemed appropriate, but rather an assessment of appropriate is based on our analytical judgment and typically has aspects viewed as both favorable and unfavorable.

It is important to note that our evaluation reflects subjective factors, and a specific risk control practice in the favorable or unfavorable column does not solely drive our evaluation. These examples are for illustrative purposes only and should not be interpreted as an exhaustive list of considerations used to form our overall evaluation. Furthermore, we view the risk controls in the context of an insurer's risk profile and, therefore, a practice that is favorable for one company might not be as favorable at a different company that has more volatile or complex risks. For example, we would typically evaluate interest rate risk controls for a property/casualty (P/C) company differently than a life company. The granularity of our evaluation is tailored based on the materiality of a particular risk driver in the insurer's overall risk profile.

Table 2

This report does not constitute a rating action.

Contact List

PRIMARY CREDIT ANALYSTS

Robert N Roseman, New York, (1) 212-438-7236
Stephen Guijarro, New York, + 1 (212) 438 0641
Olivier J Karusisi, Paris, (44) 20-7176-7248
Katilyn Pulcher, ASA, CERA, Chicago, (1) 312-233-7055
Miroslav Petkov, London, (44) 20-7176-7043
Charles-Marie Delpuech, London, (44) 20-7176-7967
Albert Ciolek, New York, + 1 (212) 438 4654

STANDARD & POOR’S, S&P and RATINGSDIRECT are registered trademarks of Standard & Poor’s Financial Services LLC.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Copyright © 2018 by Standard & Poor’s Financial Services LLC. All rights reserved.