The McGraw-Hill Companies
STANDARD & POOR'S

Ratings

 

Insurance Criteria: Refining The Focus Of Insurer Enterprise Risk Management Criteria (Criteria 6-2-2006)

Publication Date:    Jun 02, 2006 20:45 Europe/London

Primary Credit Analysts:
David Ingram, New York (1) 212-438-7104;
david_ingram@standardandpoors.com
Laura Santori, Paris (33) 1-4420-7320;
laura_santori@standardandpoors.com
Secondary Credit Analysts:
Mark Puccia, New York (1) 212-438-7233;
mark_puccia@standardandpoors.com
Rob Jones, London (44) 20-7176-7041;
rob_jones@standardandpoors.com
Publication date: 02-Jun-06, 15:45:02 EST
Reprinted from RatingsDirect


Standard & Poor's Ratings Services has always strongly emphasized an insurer's risks and how they are managed when forming an opinion of that insurer's financial strength or creditworthiness. Beginning in October 2005, we strengthened our emphasis further when we added a formal evaluation of insurer enterprise risk management (ERM) capabilities to the rating process.

Feedback from insurers, reinsurers, and other parties, as well as our own observations, has allowed us to further clarify the criteria, especially for highly complex companies with a vast complement of risks where extensive attention is paid to managing them. This paper is a detailed extension of our October 2005 paper; it incorporates what we have learned and answers several questions raised by insurers. We said in October that an important part of a robust ERM process is learning and continual improvement. Learning and continual improvement are integral to a robust ERM evaluation process as well.

In framing these enhanced criteria, we do not intend to expand our ERM discussion to include all or even most companies. The level of discussions held to date with most companies' managements and the conclusions reached, guided by October's criteria, are and will remain appropriate. However, for insurers with a diverse portfolio of complex risks, we will use the extended criteria outlined in this paper to better structure and inform the evaluation process.

Our evaluation of insurer ERM, as laid out in this report, includes the assessment of Risk Management Culture, Risk Controls, Emerging Risk Management, Risk and Capital Models, and Strategic Risk Management. An insurer's ERM practices can be rated Weak, Adequate, Strong, or Excellent. We incorporate those assessments into our rating process alongside our other rating categories (Competitive Position, Management and Corporate Strategy, Operating Performance, Capital, Liquidity, Investments, and Financial Flexibility).

As insurer risk management practices continue to evolve, we will continue to assess our criteria and update them as necessary.


ERM Quality Classification

Weak insurer ERM programs cannot consistently control all of an insurer's major risks. Control processes are incomplete for one or more major risks, and these insurers have limited ability to fully identify, measure, or manage major risk exposures.

Adequate insurer ERM programs have fully functioning risk control systems in place for all major risks. The risk management process is solid, classical, and silo-based, and most insurers fall into this category. However, these insurers often lack a clear vision of their overall risk profile and often lack overall risk tolerance. Risk limits for various risks have usually been set independently, and systems for each risk element usually function completely separately, without any significant coordination across risk silos. Adequate insurers also lack a robust process for identifying and preparing for emerging risks. Since neither a cross-risk view nor an overall risk tolerance exists, no process to optimize risk-adjusted return is present either. Standard & Poor's does not expect these companies to experience any unusual losses outside of their separate risk tolerances unless a rapid, major change occurs in the environment related to one or more of their major risks. Insurers can also have Adequate ERM if the insurer has developed a cross-risk view and an overall risk tolerance, uses risk-return considerations for its business decisions, and has a process for envisioning the next important emerging risk but does not have fully developed controls. Adequate ERM should not be a negative factor in most insurer ratings.

Strong ERM insurers have exceeded the Adequate criteria for risk control and have a vision of their overall risk profile, an overall risk tolerance, a process for developing the risk limits from the overall risk tolerance that is tied to the risk-adjusted returns for the various alternatives, and a goal of optimizing risk-adjusted returns. In addition, Strong programs have robust processes to identify and prepare for emerging risks. Standard & Poor's expects ERM to be a competitive advantage for these insurers over time. The process of selecting choices that have the best risk-adjusted returns should result in lower losses per unit of income over time, allowing these insurers to choose between offering lower prices, paying higher dividends, retaining higher capital, or obtaining capital at a lower net cost than competitors without the ERM advantage.

Excellent ERM programs share all the criteria for programs considered Strong but are more advanced in their development, implementation, and execution effectiveness. An Excellent ERM insurer will have developed its process more fully over time, may have implemented it throughout a higher percentage of its group, or may be executing the process more effectively.


Risk Management Culture

Definitions of ERM quality assessments speak of ERM as a process that concentrates on keeping risks and losses within tolerances set in advance by the insurer. ERM is completely dependent on the insurer's risk tolerances, which means that clearly articulated risk tolerance is a key factor in determining our opinion of the quality of an insurer's risk management culture.

Risk tolerance has three important aspects. It is one or a combination of adverse outcomes beyond the tolerance of the board and top management. It expresses loss as a numerical expression of the amount of loss at a particular confidence interval. It is also expressed as a series of risk preferences that are often key to defining which risks an insurer does not wish to take.

Several themes can exist for the risk tolerance story. Solvency, ratings, and earnings volatility are the three most common. A solvency theme might be that a company does not want to risk losing more than 25% of its capital. A ratings theme could be that it wants to avoid a downgrade of more than "x" notches. An earnings theme might be that it does not want to incur a one-year loss more than a year's planned earnings. The risk tolerance story is often key to getting broad management and board buy-in to the concept of risk tolerance.

The types of risk tolerance stories depend upon an insurer's most important stakeholders, such as its investors/owners, regulators, customers, distributors, management, employees, and/or business community. Investor concerns could be stated in terms of earnings or stock price, while regulator concerns could be stated in terms of regulatory minimum capital requirements. Standard & Poor's has no preference as to which concerns should drive an insurer's risk tolerances. We would, however, view an insurer favorably that knows how it will interpret its priorities among its constituencies.

The numerical expression of risk tolerance (sometimes called risk appetite) would then take the risk tolerance story, translate it into a number, and develop a probability level for that situation—most often one that is at an extremely unlikely level such as 99% or 99.5%. It is important that the numerical expression of risk tolerance is used to drive the formation of risk limits for each business unit and/or type of risk or loss situation. The enforcement of such limits is covered under risk control. Allocation of risk appetite to risk limits is covered under strategic risk management.

However convenient it might seem to turn risk into a single measured and controlled figure in a logical, repeatable process, many insurers recognize that, in reality, risk never behaves this well. By its very nature, risk characteristics defy reliable quantification and control. An insurer's risk preferences can articulate its attitude toward various aspects of risk. An insurer with clear preferences might have a much more efficient risk management process, for management would not be wasting time considering risks that the insurer would never agree to accept.

Aspects of risk that can be addressed through Risk Preferences include:

  • Uncertainty—the degree to which loss distribution aspects such as Volatility and Ruin are thought to be known. Often, insufficient history exists to develop reliable Ruin values, so various techniques are used to extrapolate it from existing data. These techniques all have their own confidence intervals, which vary according to the amount of actual data available and the specific technique.
  • Complexity (also called model risk)—many insurance contracts and derivative investment transactions have extremely complex structures that could pay off in varying amounts under a wide range of possible situations. Evaluation of the exposure to the risks of these complex situations is usually accomplished using high-powered computer models.
  • Location—a concern for writers of property or group life coverages is the micro concentration of their risks. Insurers may also have tolerances for macro concentrations of any type of risk in one legal jurisdiction, one market, or one geographic region due to high correlation of certain aspects of risk.
  • Experience—the degree of experience of the insurer and expertise of the managers of the insurer with a risk is a key aspect that influences risk tolerance.
  • Type—usually based on the above factors (or on legal restrictions on a particular insurer's operations), insurers will have low or zero tolerance to some risk types. Broad risk types include credit, market, insurance, and operational. Each broad type has many subcategories, and insurers often have low or zero tolerances for very specific subcategories.
  • Tradability—Some risks are traded in public and liquid markets; some can only be traded in private, individually negotiated transactions; and others are completely untradable. A risk's tradability can be a major determinant of risk tolerance. As insurer risks are of long duration, tradability is a proxy for ability to exit a position.
  • Time frame—insurance and financial transactions generally have specific terms that limit the length of risk exposure. Insurance contracts are most often at least a year in length. The shortest-term contracts, though, can be for a few days, and many insurance contracts extend for 50 years or more.
  • Consistency—some risks will stay in a reliable frequency/severity pattern for a long time. Others will change characteristics periodically. Risks can be mistakenly evaluated while patterns transition from one type of frequency/severity to another. Stock market returns and windstorms are two types of risks that recently changed dramatically in frequency and/or severity. During the transition, many insurers experienced unexpectedly high losses.

The actual risk tolerance level is a rating factor for Standard & Poor's but is not a part of the ERM evaluation. Standard & Poor's will examine whether an insurer has clearly articulated its risk tolerance. An insurer that has not done so would be judged to have a less favorable risk management culture. Insurers able to show the development of risk tolerance and risk limits from an overall risk appetite reflecting their risk preferences will be found to have a more favorable risk management culture than ones with completely independent risk limits for various risks.

Standard & Poor's will also consider broad issues related to insurer governance. Considerations will include ownership, shareholder rights and relations, transparency and disclosures, and audit and board effectiveness. The result of the evaluation of these broad governance issues will be a conclusion of "no concerns" for many insurers. Other cases will incorporate an expression of specific concerns.


Emerging Risk Management

Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management concerns risks that do not currently exist but that might emerge at some point due to changes in the environment. Emerging risks appear slowly, are difficult to identify, and represent an idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is not proven. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc.

For these risks, normal risk identification and monitoring will not work because the frequency is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on the insurers and therefore cannot be excluded from a solid risk management program. Specific strategies and approaches must be implemented to cope with them properly.

Sound practices to manage emerging risks are described below. However, an insurer practicing emerging risk management with practices that differ from those listed below can still have strong or excellent risk management.


Identifying emerging risks

Emerging risks have not yet materialized or are not yet clearly defined and usually appear slowly. Therefore, having some sort of early warning system in place, methodically identified either through internal or external sources, is very important. To minimize the uncertainty surrounding these risks, insurers should consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit growth of exposure as the evidence becomes more and more certain. Insurers practicing this discipline will need to be aware of the cost of false alarms.


Assessing their significance

Assess the relevance (i.e. potential losses) of the emerging risks linked to a company's commitment—which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the portfolio. The degree of concentration and correlation of the risks in an insurer's portfolio are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company will not be relevant. On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are strongly correlated. When developing extreme scenarios, some degree of imagination to think of unthinkable dependencies could be beneficial.

A further sound practice would be to work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions. In addition, just as investment limits might restrict an insurer's debt or equity position as a percentage of a company's total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.


Define appropriate responses

Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation or transfer, either through reinsurance (or retrocession) in case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging. When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant retained losses, which can strain a company's liquidity. Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.

Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.

Finally, sound practices for managing emerging risks include establishing procedures for learning from past events. The company will identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.


Risk And Economic Capital Models

In evaluating ERM, Standard & Poor's concentrates on reviewing the principles underlying the risk models, the quality of data, the appropriateness of the assumptions, and the ways in which the results were produced and integrated into the overall ERM process. The most important consideration will be whether all of a company's major risk exposures have been addressed appropriately. Key elements are whether the main risk drivers have been identified and whether the form and level of interaction among them is understood. Special attention is paid to risk mitigation activities allowed in the model—in particular, assessment of management actions to be undertaken in adverse circumstances.

Standard & Poor's will assess how a firm ensures that the data used in the model is representative of a company's portfolio, how deficiencies in the data have been dealt with, and the approaches used to aggregate and validate the data. We will review approaches used to set assumptions, as well as how they are stress-tested, and identify how the insurer tackles key challenges in that process—in particular, the availability and quality of data used. We will also compare an insurer's assumptions with those used by its peers.

Standard & Poor's will assess measures taken by the company to ensure that the model produces the results intended. Key elements of this are ensuring the accuracy of the model's programming (how the model is checked and how subsequent modeling changes are controlled), that correct inputs are being used (data and assumptions), and that the results are reasonable (by performing high-level checks). We recognize that risk models will be a combination of purchased systems, internally developed models, regulatory models, and some nonmodeled risks. We will assess the rationale that the insurer provides for its decision to accept each part of the risk model.

Finally, we will evaluate how a risk model's results are incorporated into a company's decision-making with regard to its risk management policy—for example, whether an insurer reduces its exposure to a particular risk if the model indicates that the exposure exceeds a company's limits.


Strategic Risk Management

Standard & Poor's expects that the long-term competitive advantage from ERM will arise from the practices that are addressed under the Strategic Risk Management component of the ERM evaluation. Those practices include the existence and use of a full retained risk profile and risk/reward orientations to pricing, terms, and conditions; new product design; reinsurance program design; asset allocation, etc. Those elements support the optimization of risk-adjusted results of the insurer. This process in turn will affect decisions to allocate capital, distribute dividends, and pay incentive compensation. Insurers will have a risk-adjusted financial management system and usually a full economic capital model to support these activities.

As stated at the beginning of this article, these activities are keys to the formation of a Standard & Poor's opinion of Strong or Excellent ERM. Within the evaluation of Strategic Risk Management, Standard & Poor's has found that there are several broad levels of insurer activity. At one level are the insurers who are concentrating their capital management activity on the issue of maintaining capital levels that are acceptable on a regulatory basis and/or to a Standard & Poor's or other rating agency's capital adequacy basis. Standard & Poor's would usually conclude that for insurers where this is the full extent of their capital management program, their Strategic Risk Management is Weak.

Another common level of activity in this area includes the insurers who have a somewhat more robust view of their risk capital through a full economic capital model or a generic risk capital model that has been significantly modified to reflect specific risk positions of the insurer that are not accurately captured by the general formulas. The focus of these insurers can be called capacity management. Their focus is maintaining their target level of capital in relation to their risk. They will usually have a significant reinsurance process as a part of the capacity management program and a cost benefit trade-off process to evaluate where and when they will use reinsurance to fund business expansion that would exceed their risk capital targets. Standard & Poor's would usually conclude that these insurers' Strategic Risk Management is Adequate.

For Standard & Poor's to conclude that the Strategic Risk Management is Strong or Excellent, which is a driver of an overall Strong or Excellent ERM evaluation, an insurer would need to demonstrate that, in addition to a process to ensure satisfying the constraints from regulators, rating agencies, and internal views of capital, it has a process for choosing and rejecting potential options that have higher or lower risk-adjusted returns. The process of optimizing risk-adjusted return may be performed on a marginal basis for each of the insurer's policy, product, and investment options or, more commonly, on a portfolio basis for groupings of activities. This is the process that would be supported by a risk-adjusted financial management system. Standard & Poor's would usually conclude that an insurer that has developed these processes and can demonstrate using them in actual corporate decision making would be viewed as having at least Strong Strategic Risk Management. Insurers that have been practicing these processes for multiple planning cycles and may be in a stage of second or third generation refinements to specific aspects of the process would be found to have Excellent Strategic Risk Management.

Standard & Poor's expects that over time, the insurer whose Strategic Risk Management guides them in selecting activities with better risk-adjusted returns and rejecting or de-emphasizing activities with lower risk-adjusted returns will experience more successful financial performance due to lower levels of unexpected volatility and higher overall returns in the long term. These insurers may experience lower costs to fund capital expansion over time. In any short-term period, insurers without these processes may report better financial results, especially on accounting systems that do not reflect the full economic reality of the risk-taking decisions of an insurer, but over time, the Strategic Risk Management approach will provide superior results.


General Risk Controls Considerations

Standard & Poor's first determines three elements about an insurer's risk controls:

  • Whether the insurer considers all risks when selecting primary areas of concentration of their risk control activity.
  • Whether the insurer has risk control processes for each major risk that, if the process were followed, would result in limiting losses to within pre-articulated loss tolerances.
  • Whether the insurer has implemented its processes in a consistent, disciplined way to enable it to reap the benefits of the process in controlling losses.

The fourth element will be to examine losses when they occur to determine whether they were in the insurer's loss tolerance and whether the insurer's risk control processes handled the exposure properly.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting "the usual suspects."
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints—where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard "Limits" that they seek to never exceed and softer "Checkpoints" that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints.
  • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
  • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
  • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
  • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
  • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
  • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
  • Coordination of insurance profit/loss analysis with pricing, with loss control (claims), with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Risk learning—Many will have a regular process for learning from that emerging experience and making adjustments to the standards, Limits, enforcement, and risk-management processes.

Standard & Poor's will usually evaluate risk control quality for each major insurer risk. Separate opinions can be formed of risk control at different operating units of a decentralized insurance group. We have no expectation or preference of whether specific risk control functions are done in a corporate risk unit or in a business unit. Overall staff adequacy in terms of training, education, experience, and quantity to execute risk control activities will be a concern.

The remainder of this article will document various sound risk control processes based on market practices. This list is not intended to be exhaustive or prescriptive. Insurers using processes not documented here could still have strong or excellent risk control.


Credit Risk

Credit risk can be defined as the exposure an insurance company faces to sustaining an economic loss caused by the default of another company on that company's obligations, or a loss from the perceived or actual migration of another company's creditworthiness.


Risk identification

The majority of the credit risk that insurance companies assume tends to result from the investment portfolio that backs policyholder liabilities and shareholder's funds or from retrocession in terms of their reinsurance receivables, with other counterparties such as banks and brokers, and, for some insurers, from writing credit insurance business. In addition, some insurance coverage will have a very high correlation to credit risk, such as liability, director's and officer's coverage, and earnings and omissions coverage.

Standard & Poor's has identified sound practices for the management of credit risk. Exposure to credit risk needs to be evaluated in the light of a company's risk tolerance, risk appetite, and strategic asset allocation decisions. There may be circumstances where it would be entirely appropriate for an insurer to assume credit risk beyond that associated with its optimal portfolio of investments, which may in practice be driven by an asset/liability management (ALM) strategy or other considerations rather than by maximizing returns relative to credit exposures.


Risk monitoring

Credit risk measurement can be done using two approaches: credit rating based and equity based.

Approaches based on credit ratings take the rating as the primary or only estimation of default probability over a given time horizon. Models can also be built that attempt to estimate the transition of ratings over time. Portfolio development is modeled to estimate defaults and other credit losses. Assumptions on recoveries (loss given default) can then be made based on ratings or on other measures such as industry type or asset class. Correlation matrices are used in estimating correlated ratings changes. Using rating-based estimates of credit risk is borne out by empirical data, although this method has had its theoretical underpinnings questioned by some academics. A clear distinction needs to be made between assessing credit quality based on public ratings, such as ours, and assessments based on internal ratings systems similar to those used by banks for their loan books.

As insurers and reinsurers have started to develop processes and systems to aggregate all risk types, some have found that the extra portfolio risks exceed the investment credit risks, which has led them to significantly revamp their process for accepting those risks. A sound practice for credit risk monitoring is for insurers to explicitly measure all of their credit exposures from all sources and aggregate their total exposure by name, sector, rating category, etc. in all groupings where they have set limits.

Models that use credit ratings have traditionally embraced deterministic stresses on credit spreads and rating transition, but increasingly more sophisticated stochastic models are being used.

Equity-based models are based on option theory. Under limited liability, an equity is a call option written on a firm's underlying assets with the strike price being its liability. Models based on this understanding (such as KMV models) attempt to estimate future debt values by simulating correlated time paths for asset values and pricing bonds at a future horizon conditional on the asset values at that date.

Sound practice for such measurement of credit risk might be demonstrated by using structural (equity-based) models as a complementary analysis to rating-based models, or for portfolios of unrated debt where equity prices and asset values are known or can be inferred.


Risk limits and standards

Limits and standards will depend on the credit risk management approach. The most common limits are concentration limits, which apply to items such as industry sectors, credit rating categories, and geographic location. In addition to total limits in these categories, maximums might exist for any one holding within some or all categories. In addition, there might be portfolio value-at-risk (VaR) limits and limits on relative or absolute changes in market values due to changes in credit spread.


Risk limit enforcement

In some companies, sound practice is to have "checkpoints" (names for these vary) below the limits. A limit breach might be treated as a very serious event that may need to be reported to the board, whereas breaching a checkpoint could allow management to identify and resolve problems before a limit is neared. Other enforcement practices are time limits for holdings to be on watch lists, time limits for positions close to dollar or percentage limits, and resolution of limit breaches through sale of the security or purchase of offsetting credit derivatives.

As insurers have developed processes for monitoring credit exposures from multiple sources, a sound practice has developed of emplacing systematic processes for resolving limit breaches arising from multi-source credit exposures. The choice of allocating exposure to investment, insurance, reinsurance, or other counterparty credit exposure is made using clear, predetermined criteria transparent to risk managers in all areas that could contribute to the breach and to resolving the breach.


Risk management

Insurers take four different approaches, detailed below, to managing credit risk on investments. We will assess whether an approach is appropriate for an insurer by examining the complexity of the risks, the credit risk management, the experience and expertise of management, and the associated tolerance of credit risk.

Traditional credit risk underwriting. Underwriting procedures are in place to ensure that only acceptable levels of credit risk exposure are assumed. The procedures set credit limits for different classes of credit risk exposure, broken down by sector, location, and credit rating. As with the traditional banking approach to underwriting a loan book, insurers will not actively trade their credit risks, and default risk is therefore more important than credit migration risk. Individuals often have clear authority limits that vary according to management level, and a clear escalation procedure exists to achieve approval for a transaction that exceeds the authority of the individual who initially proposes the transaction.

The majority of insurers use investment policy constraints to manage the credit risk of assets.

Sound practices for this approach might include monitoring adherence to underwriting guidelines and to limits at every level of the business. Limits far in excess of the expected range of actual holdings have no significance in evaluating credit risk management. Control processes should be in place to ensure that breaches are rectified in a suitable time period (e.g., one month).

Adjusting limits to resolve limit breaches is not sound risk management. Sound practices would include:

  • Formulation of a plan for actions in advance of an adverse credit rating migration.
  • Procedures to monitor and control the average portfolio credit rating.
  • Monitoring the average rating of recent purchases.
  • Forecasting the portfolio's average rating going forward.
  • Monitoring actual versus expected defaults.
  • Monitoring default recovery experience.
  • Tracking borrowers in or near distress via a watch list.
  • Incorporating this experience back into investment and product pricing decision-making.

Selling problem credits/credit spreads approach. A second practice might be best characterized by credit loss limitation. This approach, an evolution of the traditional buy and hold philosophy, stems from the realization of many insurers that taking a small loss at a given point in time might be better than a possible large loss in the future. Some insurers have investment policies that allow or require them to sell credits before serious problems develop. The change in philosophy away from buy and hold was caused largely by the substantial losses incurred during the last credit cycle. Many insurers will simply sell credits based on rating migration, and in the process accept a loss that will have been driven by the associated widening of spreads.

An extension of this approach is one where insurers use the spreads themselves as a way to manage risk or, in some cases, identify opportunities to make economic profits by realizing gains due to favorable movements in spreads.

Monitoring credit spread trends and undertaking periodic full reunderwriting of questionable credits, formulating credit spread development projections, and establishing and controlling clear preferences for balance between default and spread losses are all sound practices. Also, a clear expectation for the sale of problem credits and the allowance for taking credit losses under predetermined circumstances is key.

Portfolio-based credit risk management. A portfolio approach to credit risk is likely to draw more heavily on credit risk modeling techniques. Models such as CreditMetrics, KMV, or homegrown equivalents are used to measure and analyze total portfolio credit VaR, earnings at risk, or other metrics and potential incremental changes to the portfolio. These models incorporate the reasoning behind exposure limits into correlation assumptions and are most effective for public debt.

The models embrace either a ratings or equity-based approach to risk or a combination of both.

A large number of insurers perform aggregated analysis (perhaps using stochastic modeling techniques or credit risk transition matrices) so that portfolio credit risk can be managed.

Sound practices include the following:

  • Modeling, stress testing, and validating a credit loss projection.
  • Modeling of extreme events.
  • Quantification of portfolio optimization and economic capital associated with credit risk.
  • Evaluating marginal risk for new purchases.
  • A combination of VaR and stress testing along with stop-loss procedures and RAC measures to control credit risk.

Sound practices can be designed to minimize default risk as well as to limit marked-to-market losses from credit migration.

Trading credit instruments. The use of collateralized debt obligations (CDOs) and credit derivatives has increased markedly over the past few years. Insurers are increasingly looking to these products as risk management tools and as sources of operating income. The use of credit derivatives is still limited in the insurance industry, with only 20% of insurers using such instruments to manage credit risk.

Sound practices here will be similar to those for credit risks assumed through the cash purchase of portfolio assets. Further sound practices include the use of a credit-focused economic capital model to ensure that credit risks are correctly priced and that the benefits of diversification are quantified so as to justify the assumption of additional risk. Where credit instruments are used for hedging, counterparty credit risk needs to be managed (see below).


Reinsurance credit risk

Insurers assume credit risk through the use of reinsurance, with exposure to this risk driven by the amount of current and future claims payable by the reinsurers to their cedents. Reinsurance recoverables and receivables stem from claims paid by the insurer but not yet recovered from the reinsurer, claims reported but not paid by the insurer (case reserves) and not yet recovered from the reinsurer, and claims that have occurred but have yet to be reported to the insurer (IBNR). As a matter of prudence, many insurers do not recognize ceded IBNR as an asset. The problems associated with reinsurance credit risk are exacerbated by the unwillingness of some reinsurers to pay claims and the small number of reinsurers that underwrite certain types of businesses. Insurers therefore seek to manage concentrations of risk to reinsurers (especially lower rated reinsurers).

Sound practices include the following:

  • Acceptance criteria based on credit analysis (including ratings). This may involve different criteria depending on the length of the business ceded.
  • Monitoring market intelligence relating to cedents.
  • Limits for concentrations by sector, location, rating, and name.
  • Maintenance of a close relationship with reinsurers.
  • Appropriate use of letters of credit and collateralization.
  • Process for estimating potential "domino effect" in extreme events:
      • More than one reinsurer failing (systemic risk).
      • Significant inward losses combined with reinsurer failure.

Other counterparty credit risk

Insurers face exposure to other counterparty credit risk through their hedging activities and through their relationships with brokers and other suppliers of goods or services. It is important to aggregate these exposures with other credit risks that a company faces.

Sound practices include the following:

  • Limits for concentrations by sector, location, rating, and name.
  • Effectiveness of counterparty credit risk scoring for nonrated clients (premium receivables/broker claw-backs).
  • Collateralization arrangements.

Commercial mortgages

Credit risk management for commercial mortgage lending concentrates on the underwriting process, since mortgages have limited liquidity.

Sound practices include the following:

  • Diversification targets and concentration limits set by geographic region and type of property and industry.
  • Underwriting standards for the financials of the property to include loan-to-value standards, cash flow coverage limits, and gap between lease term and loan term.
  • Ensuring terms for the mortgage loan have minimum cap rates, recourse, and standing.
  • Targets for the proportion of amortizing versus balloon mortgages in their portfolio.
  • Monitoring vacancy rates in areas where loans are being considered.
  • Requirements for mortgage holder financial standing and experience.

Credit risk learning

Whenever a credit loss occurs, sound practice is to analyze the situation and determine whether any course of action existed for the company within their existing credit risk management processes that would have avoided or limited the loss. If so, the insurer would also identify the reason such actions were not taken and adjust their procedures so that such a situation could be helped in the future. If current practices would not have been adequate to limit or avoid the loss, then new procedures would be developed and adopted. For example, insurers experienced high credit losses in 2001-2002, with many credit portfolios hit with twice their expected losses. When insurers looked at the situations, some found that a sell discipline for deteriorating credit holdings would have greatly limited losses. Sell disciplines were developed and adopted by some insurers.

The following and subsequent tables give examples of contrasting practices that would be viewed as positive or negative to an ERM evaluation. These tables are not meant to be complete lists of the factors that would be considered, nor are these examples suggestions of a complete set of best practices. The ERM assessment process is intended to be principles-driven, and these examples are given to illustrate the principles.

Table 1 Credit Risk Control

| | Most Favorable Indicators | Least Favorable Indicators |
|---|---|---|
| Risk identification | Insurer has identified all potential credit risk sources (e.g., investment portfolios, banks, brokers, reinsurers, policyholders, etc.). | Insurer does not as a practice identify credit risk other than within the corporate bond or loan portfolio. |
| Risk monitoring | Insurer regularly aggregates credit exposure information across all portfolios, business units, and credit risk sources. Information made widely available to those authorized to take on additional credit risk so they can see in advance where portfolio concentrations exist. Use of multiple metrics to monitor credit risk. | Aggregation of credit risk does not happen or is done long after credit exposures are added. Information is not made readily available to those making credit decisions. Use of at most one metric to monitor credit risk. |
| Risk limits and standards | Insurer has risk limits for concentrations that could constrain activities and clear underwriting standards that set down desired financial conditions of borrowers. | Risk limits are so broad that insurer credit risks never come close to reaching the limit. Risk limits do not exist or are not documented. |
| Risk limit enforcement | Clear, certain responses for limit breaches. Use of checkpoints or other below-limit situations to trigger responses less severe than limit breach. Time limits for resolving checkpoint and limit breaches. Monitoring reports show current holding versus limit and clearly flag over-limit situations. Special situations falling outside the rules are constantly monitored until resolved. | Most common reaction to limit breach is to raise the limit. No enforcement needed because limits are so high that there has never been a breach. Limits and exposures do not appear on the same page--two values must be found on separate reports and compared. Special situations that fall outside of the rules happen but are ignored as time passes. |
| Risk management | Use of two or more credit risk management techniques described above. Combination of objective quantitative measurements with judgment of experienced credit risk managers. Triangulation of information on changes to risk of each security in the portfolio is regularly used to identify potential problem situations. Highly disciplined approach to resolving problems using the best tool for each situation. | Only one of the risk management techniques is used. Sometimes there is no system—insurer just relies on the judgment of the portfolio manager. |
| Risk learning | Insurer learns from near misses as well as losses. Performance of each credit exposure pool is reviewed at each loss event or near miss to ensure that no additional problems exist with similar characteristics to the recent loss. Adjustments to procedures are often subtle. | Insurer generally has credit losses when everyone else does, and may have higher or lower losses but cannot clearly identify why that relationship to the industry loss level either will or will not be repeated. When changes are made due to losses, they are usually drastic, such as moving completely out of a sector or instrument type that had been commonly used in recent periods. |


ALM And Market Risk Control

ALM and market risk control encompass all factors that can cause assets and liabilities to expose insurers to potential downside financial risks. ALM is a discipline of offsetting risks from the assets and liabilities, which is separate from pure market, interest rate, and currency risk management. It is the ongoing process of formulating, implementing, monitoring, and revising asset-liability strategies to achieve financial objectives for a given set of risk tolerances and constraints. It includes measuring and managing interest rate risk, liquidity risk, market risk (primarily equity risk), and foreign currency risk and their derivatives on both sides of the balance sheet.

Linkages between the performance of asset portfolios and the insurance product accruals or payments require ALM to be a separate discipline. Jointly managing asset and liability pools is often the most efficient means to control the risks. By offsetting risks, an insurer can achieve a low net risk position. The other way to achieve low retained risk is to trade away asset and liability risks separately. In efficient markets, either method would have the same result. If an insurer's liability value or cash flow is directly tied to asset performance, it is easier to work with assets and liabilities together than separately. ALM systems are often the primary financial information systems that support pricing, experience monitoring, and profitability management for investment-oriented products.


Interest rate risk identification

Interest rate risk is the risk that funding insurer policyholder promises will have to be done at a significantly higher cost than anticipated, or that the accounting for a liability and for the asset funding the liability will deviate from one another significantly. It can arise from promises of balances to be accrued or for timing of payments. It can also arise from options granted to a policyholder, such as an option to make an additional deposit into an insurance contract under a predetermined accrual scheme or the option to withdraw funds with a guarantee of value of those funds or of contingent payments, the value of which is set in advance without regard to market conditions at the time of the payment. ALM risk can also arise whenever payments over an extended period of time are promised by an insurer.

Interest rate risk also arises from insurer investments and under conditions and situations exactly parallel to liability risks. When an investment's counterparty has options for the timing or amount of payments it will receive, the potential for interest rate risk exists. Interest rate risk also exists when a security has payments that take place over an extended period of time.

When product performance is driven by asset performance, significant interest rate risk can arise.

Insurers should have a process for identifying ALM risk in all their insurance products and in all the investment portfolios that back reserves held for the policy obligations. That process may identify ALM risk from expected payments as well as the expected risk from exercising options in both assets and liabilities. ALM risks are most often identified by type of risk, such as interest rate, equity, liquidity, or currency risk.


Interest rate risk monitoring

Measuring and monitoring interest rate risk exposure is very important to effective ALM.

Interest rate risk is not readily available from information in an insurer's accounting or policyholder recordkeeping systems but must generally be developed from projections. A multitude of metrics and methods have been developed to measure and model interest rate risk, including cash flow projections, gap analysis, duration, convexity, key rate durations, scenario testing, VaR, greeks (sensitivities to changes in various factors), and stochastic modeling. Measuring and monitoring each of those metrics would be a sound practice.

In cash flow projections and gap analysis, an insurer identifies the expected asset and liability cash flows and measures their projected period-by-period differences.

Duration is a first-order measure of interest rate risk stemming from the price sensitivity of assets or liabilities or sensitivity of the economic value of a portfolio to changes in interest rates (sometimes called interest rate delta risk). Duration can be expressed as a proportion to the values of the security or as a direct financial value or as dollar duration in the U.S., which is the dollar change in the value of the security or portfolio for a fixed change in interest rates.

First-order interest rate risk is often measured by comparing a modified duration of the assets with a modified duration of the liabilities. Second-order interest rate risk (gamma risk), or convexity, arises from the nonlinearity of the relationship between interest rates and the economic or market value of an instrument or portfolio and from embedded options in a firm's assets and liabilities. It can also be thought of as the speed of change in duration as interest rates change.

Sound practices in interest rate risk measurement involve the use of additional metrics such as calculations of convexity (second-order duration), and key rate duration (looking at the sensitivity of assets and liabilities to shifts at discrete maturities on the yield curve) and calculation of partial duration and DV01 values (dollar value economic changes resulting from a one-basis-point shift in rates).

Further sound practices could involve using scenario testing either in a deterministic sense or with more sophisticated stochastic techniques. These practices are effectively employed when an insurer can translate its net exposure into an offsetting hedge vehicle to mitigate exposure.

In measuring risks associated with embedded options, sound practices include calculating effective duration and option-adjusted duration for the assets and liabilities. These measures combine first- and second-order risks into one metric and are therefore a sound overall metric of risk. But for effective mitigation, first- and second-order risks must be separated. Risk measurement techniques that let a company quantify its exposure to interest rate movements at individual points along the relevant yield curve are sound practices. We view it as especially positive when companies are able to separate out their spread volatility risk, mismatch risk, and gamma (convexity) risk at the different points along the curve. This process more readily identifies the source of the exposure and is easily translated into a portfolio adjustment or offsetting hedge vehicle when desired. Because this methodology can test exposure effectively based on an infinite number of yield curve patterns, we view it as superior to using a set series of yield curve patterns to test for interest rate risk exposure.
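An added illustration, not part of the Standard & Poor's criteria text: the metrics named above (effective duration, convexity, DV01, key rate durations) computed by bump-and-reprice for a constructed liability and a barbell asset portfolio matched to it on value and duration. The cash flows, the flat 4% zero curve, annual compounding, and the isolated key-rate bumps without interpolation are all assumptions chosen for the example.

```python
"""Added illustration: a duration-matched book that is still exposed.

Assumptions (not from the criteria paper): annual compounding, zero rates
quoted only at the 1-, 5- and 10-year points, a flat 4% curve, constructed
cash flows, and key rates bumped in isolation with no interpolation.
"""

BP = 0.0001  # one basis point

CURVE = {1: 0.04, 5: 0.04, 10: 0.04}  # constructed zero curve: maturity -> rate
LIABILITIES = {5: 1000.0}              # constructed: one payment due in 5 years


def pv(cash_flows, curve, shifts=None):
    """Present value of {maturity: amount} under the curve plus per-maturity shifts."""
    shifts = shifts or {}
    return sum(cf / (1.0 + curve[t] + shifts.get(t, 0.0)) ** t
               for t, cf in cash_flows.items())


def barbell_matching(liabilities, curve, short=1, long=10):
    """Short/long asset cash flows with the liabilities' PV and Macaulay duration.

    On a flat curve, equal Macaulay duration also means equal modified duration.
    """
    value = pv(liabilities, curve)
    macaulay = sum(t * cf / (1.0 + curve[t]) ** t
                   for t, cf in liabilities.items()) / value
    w_long = (macaulay - short) / (long - short)  # share of PV in the long leg
    w_short = 1.0 - w_long
    return {short: w_short * value * (1.0 + curve[short]) ** short,
            long: w_long * value * (1.0 + curve[long]) ** long}


def risk_metrics(cash_flows, curve, h=BP):
    """Bump-and-reprice metrics: first order, second order, and per key rate."""
    base = pv(cash_flows, curve)
    up = pv(cash_flows, curve, {t: h for t in curve})
    down = pv(cash_flows, curve, {t: -h for t in curve})
    key_rate = {}
    for t in sorted(curve):
        # Sensitivity to a move at this one point of the curve only.
        bumped_down = pv(cash_flows, curve, {t: -h})
        bumped_up = pv(cash_flows, curve, {t: h})
        key_rate[t] = (bumped_down - bumped_up) / (2.0 * h * base)
    return {
        "pv": base,
        "duration": (down - up) / (2.0 * h * base),             # effective duration
        "convexity": (up + down - 2.0 * base) / (h * h * base),
        "dv01": (down - up) / 2.0 * (BP / h),                   # value change per 1bp
        "key_rate_duration": key_rate,
    }


def surplus_change(assets, liabilities, curve, shifts):
    """Change in (assets - liabilities) when the curve moves by `shifts`."""
    before = pv(assets, curve) - pv(liabilities, curve)
    after = pv(assets, curve, shifts) - pv(liabilities, curve, shifts)
    return after - before


ASSETS = barbell_matching(LIABILITIES, CURVE)
SCENARIOS = {
    "parallel +100bp": {t: 0.01 for t in CURVE},
    "parallel -100bp": {t: -0.01 for t in CURVE},
    "steepener (1y -50bp, 10y +50bp)": {1: -0.005, 10: 0.005},
}

if __name__ == "__main__":
    a = risk_metrics(ASSETS, CURVE)
    l = risk_metrics(LIABILITIES, CURVE)
    for name in ("pv", "duration", "convexity", "dv01"):
        print(f"{name:10s} assets {a[name]:10.4f}  liabilities {l[name]:10.4f}"
              f"  gap {a[name] - l[name]:9.4f}")
    for t in sorted(CURVE):
        gap = a["key_rate_duration"][t] - l["key_rate_duration"][t]
        print(f"key rate {t:2d}y duration gap {gap:8.4f}")
    for label, shifts in SCENARIOS.items():
        change = surplus_change(ASSETS, LIABILITIES, CURVE, shifts)
        print(f"{label:34s} surplus change {change:9.4f}")
```

The duration and DV01 gaps come out at zero, yet the convexity and key rate gaps do not, and the steepener scenario reduces surplus while both parallel shifts increase it.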

Economic capital models and VaR techniques such as conditional tail expectations (CTRE) are also being used for ALM and constitute sound practices that could be used in addition to the less model-intensive approaches above.

Systematic spread volatility within a sector or through the entire market may also be a concern for the ALM process. It is particularly important when a significant part of the risk management is being done via derivatives tied to risk-free rates. Deliberately measuring and managing the basis risk between risk-free hedges and the credit-sensitive investment portfolio is a sound practice.

The approach taken to using various risk metrics to measure interest rate risk in order to manage it is a crucial aspect of ALM. When selecting a methodology to use the ALM risk metrics, the following sound practices might be observed:

  • Adhere to an appropriate frequency of measurement for key metrics.
  • Use both stochastic and deterministic models.
  • Develop and monitor target ranges for the metrics (such as asset-liability duration mismatch) as well as triggers that should indicate a need for action to bring the metrics back into the target ranges and limits that cannot be exceeded.
  • Clearly defined permissible actions and responsibility and authority for taking those actions to manage compliance with the above target ranges and triggers. Actions could include changes to choices for future asset purchases, sales of assets and use of the funds to purchase securities with different characteristics, and use of derivatives, including but not limited to interest rate swaps, caps, floors, futures, swaptions, etc.
  • Use of market-consistent valuation of assets, liabilities and trades.

Other sound practices include (1) risk metrics that reflect economic reality and that achieve the right balance between accuracy and the desire for simplicity, and (2) timely reporting of metrics to management and commensurately sophisticated and appropriate IT and MI systems.


Interest rate risk limits and standards

Management of first-order interest rate risk has traditionally been confined to putting limits on the maximum difference between the modified durations of assets and liabilities. This has sometimes been achieved by using segmentation or dedication strategies in which assets or groups of assets have been purchased in an attempt to match the cash flows of liabilities. Within a segmented portfolio strategy, the standard might be to separate liability cash flows into portfolios with common cash flow characteristics. Other sound practices have included product design and interest credit rate setting strategies that might limit the duration or convexity of the resulting liabilities.

An insurer might also have limits on the difference between asset and liability option-adjusted or effective durations and between key rate durations at all or selected points. Insurers could also have asset-liability gap limits.


Limit enforcement

For interest rate risk management strategies to be effective, a company should have in place a robust control structure and framework to ensure that ALM objectives are reached and that ALM policies are adhered to. These structures might apply to all of the risks mentioned above, or they could be managed separately, each with their own structure.

Interest rate risk controls should be closely tied to the ALM framework. The optimal structure will depend on an insurer's specifics, but sound practices Standard & Poor's might recognize in determining the optimal framework include the following:

  • An independent ALM function reporting to senior management (chief actuary/CRO).
  • A formal ALM committee (ALCO).
  • Clearly stated risk tolerances (risk appetite and risk preferences) and related financial objectives.
  • Clear ALM policy statements that underpin the ALM process and set out ALM strategies, roles, and responsibilities.
  • Management incentives based on ALM financial objectives.
  • A powerful audit and management control process to ensure objectives are reached and strategies validated.

In assessing adequacy of an organization's ALM controls, Standard & Poor's will review the established ALM framework to determine whether it is fit for the purpose stated. In conducting this review, we will consider a number of aspects, such as the ALM function's reporting structure to CRO and/or Board level and the frequency and detail of reporting to Board; how the ALM process is supported by the monitoring system that produces risk measures and how meaningful the reports and measures are to management outside the ALM function; the ability of ALM to get current data from front line units; and the frequency and scope of internal and external auditing of ALM process.

We will seek to understand the operating limits on those buying assets/writing liabilities and the extent that limits are established for asset/liability durational mismatches. This includes the monitoring systems used to report limit breaches, specific planned reactions to limit breaches, and allowable exceptions and evidence of execution of planned reactions in breach situations. Other practices include whether limits can be varied (and if so how and by whom) and the number of levels of limit there are (product, business unit, region, etc). This ultimately comes down to a description of how limits are monitored and how frequently and by what process they are reviewed.


Interest rate risk management practices

Cash flow matching and immunization strategies that strive to match modified duration ignore the convexity or sensitivity to large changes in interest rates inherent in the relationship between economic value and interest rates, and second-order interest rate risks that stem from embedded options and the other interest rate-sensitive features of assets or liabilities. Sound practices identified to manage interest rate risk start with sophisticated modified duration matching or immunization strategies and go on to include those that attempt to deal with second-order risks such as convexity and embedded options.

Another interest rate risk management technique is developing a target portfolio of securities that fulfills ALM constraints. In some programs, ALM checkpoints are set in terms of deviations from this portfolio. In others, the target portfolio is treated as the actual investment portfolio for insurance business performance measurement and as the liability portfolio for investment business performance management. The investment business is then given ALM limits in terms of portfolio VaR, EaR, CVaR, credit risk constraints and/or deviations in duration, convexity or other metrics, and is free otherwise to deviate from the portfolio in particular security selection.

Sound practices might involve the following:

  • Securitization, where cash flow packages are sold into the capital markets.
  • Using derivatives such as customized swaptions and convexity swaps that allow companies to acquire additional convexity.
  • Purchasing alternative assets with desired optionality.
  • Using dynamic-hedging strategies that attempt to rebalance all the various interest rate risk metrics as well as the modified duration of the assets to those of the liabilities.
  • Use of other derivatives such as forward rate swaps, floors, and put options, which might also represent sound practice if adequate controls are put in place (see below).

A number of insurers use value creation or yield enhancement strategies that go beyond interest rate risk mitigation. They look to build an optimal portfolio of assets and liabilities using hedging techniques to maximize risk-adjusted return. Increasingly, companies use economic capital models to define strategic asset allocation.


Risk learning

Risk learning is another major function of the ALM committee. As markets shift and liability cash flows emerge on or off expectations, ALM managers can take each change as an opportunity to enhance the ALM program. These learning processes include keeping up to date on the latest robust techniques for measuring and managing risks. Risk learning has caused several insurers' ALM efforts to migrate from interest rate targeting to duration matching to segmentation to effective duration matching to duration and convexity matching to key rate durations and so on.

Each strategy enhancement usually has a cost in terms of the technology needed to support it as well as the short-term impact of implementing the strategy on reported income. A company with a robust risk learning approach will have a track record of making decisions on these enhancements on a risk/reward basis, with a risk element tied to the company's risk tolerances and risk limits for ALM risk.

Standard & Poor's views the timely attribution of gains and losses to specified sources of changes in the market value of the assets, liabilities, and hedge instruments as a critical component of the risk management process. Some insurers have found that regular marking to market of both assets and liabilities is helpful in the attribution process.

Table 2: Interest Rate Risk Control Indicators

Risk identification
  Most favorable: Insurers recognize interest rate risk exposures from liabilities as they are affected by changes in interest rates, in yield curve shape, yield curve inversions, and short-term or long-term up or down spikes. Also recognizes interest rate risk from policy options, such as the option to deposit or withdraw funds to or from an insurer. Also recognizes interest rate risks from the investment portfolio, including the potential impact of interest rate changes and changes in investment cash flows.
  Least favorable: Insurer only recognizes some of the interest rate risks of their assets or liabilities.

Risk monitoring
  Most favorable: Insurer has a regular systematic process to measure interest rate risk using multiple metrics and techniques. Results of measurements are distributed to appropriate risk management staff, including the ALM committee, and are periodically reviewed with the board.
  Least favorable: Risk monitoring primarily takes place to support annual reserve certification requirements.

Risk limits and standards
  Most favorable: Insurer has documented ALM policy, including clear checkpoints and limits for all monitored risk metrics. Clear authority limits exist for individuals to exceed checkpoints and limits. Targets for cash flow gaps, duration, convexity, or other mismatches may vary due to market conditions but are within firm long-term limits. A clear tie exists between the insurer's limits and risk tolerances.
  Least favorable: Limits are not formally stated or are very broad. Limits are not tied to risk tolerances and may be significantly larger than the amount the insurer would be prepared to lose from interest rate risk. Limits are for duration mismatch only.

Risk limit enforcement
  Most favorable: Limit breaches are very serious. Depending on the size, they require notification of senior officials of the insurer and/or the board. An active ALM committee has first responsibility to monitor interest rate risk limit breaches. ALM committee must report breaches and actions taken to resolve breaches to top management and/or the board.
  Least favorable: Processes to identify and respond to limit breaches are not clearly outlined, communicated, or followed.

Risk management
  Most favorable: Risk managers have clear authority and responsibility for keeping interest rate exposure within limits. Risk managers have information that lets them identify emerging status of assets and liabilities and authority to use appropriate tools to prevent and resolve limit breaches, including directing the interest rate risk characteristics of new investments, sales of existing investments, input to product design, product rate crediting, and/or the use of derivatives to affect matching of risk characteristics. Formal and frequent asset/liability management process.
  Least favorable: Interest rate risk position is only observed after a long delay for model update and validation. Adjustments to risk position are made through broad steering of future investment purchases, sometimes over several quarters. Risk managers lack input into product design or interest rate crediting. Asset/liability management is informal and ad hoc.

Risk learning
  Most favorable: Gains and losses from interest rate movements are carefully examined in each period to determine whether policies and procedures could be modified, different market instruments used for investing or hedging, or different actions regarding interest crediting or product design could have produced better results.
  Least favorable: Interest rate gains and losses are seen primarily as exogenous events, and little expectation exists that management actions could significantly affect outcome.


Liquidity risk management

In addition to measuring and managing interest rate risk, the ALM function will frequently be charged with managing an insurer's liquidity position. Managing liquidity risk involves identifying liquidity sources and availability. The first source is net cash flows, i.e. the difference between cash outflows and inflows. The company may want to ensure that net cash flows are always positive through techniques such as cash flow coverage projections. Sound practices include stress tests on liquidity, which would include looking at extreme risk scenarios (such as natural catastrophes, market crashes, etc.) to assess the liquidity needs; identifying additional sources of liquidity to cover crisis situations; identifying the order of sale for assets; and setting up backup banking facilities.


Foreign exchange risk management

Sound practice for managing foreign exchange risk would involve periodically matching the currency of assets and liabilities via the sale or purchase of relevant currencies and/or through derivative strategies such as currency swaps, futures, and options. Adequate controls need to be in place for the strategy to be sound. Those controls might include clear documentation of situations where an insurer would use derivatives as well as which instruments would be used. Authority limits and risk limits would be documented and regularly monitored, and the insurer would have a predetermined process for rectifying limit breaches. Overall monitoring, and especially limit breaches, would be regularly reported to an insurer's management and board. Control processes would be approved by the board.


Equity market risk

Insurers face equity market risk through their investments in equities and the guarantees embedded in certain liabilities, often found in products issued by with-profit funds. Asset portfolio equity market risk is commonly measured by looking at some variant of volatility of past returns. Forward-looking approaches often fit past observations to a log-normal (or normal) distribution, then derive a confidence-based measure of volatility. Sound practices might involve the inclusion of fat-tailed distributions of equity volatility or the use of regime switching or stochastic volatility modeling techniques to better reflect the impact of future volatility.

Sound practices to manage and control equity risk include limiting exposure to one entity (percentage of equity investment) and broad allocation in a total investment portfolio to set them against part of the participating business. A further, more sophisticated sound practice might be to set limits based on the percentage of available capital where economic capital modeling is being performed.

ALM for products with discretionary participation features involves managing market risks in relation to the equity-linked features associated with liabilities (primarily with-profit term life policies and annuities or pensions). Sound measurement and management practices might mirror the approaches taken for equity risk in the investment portfolio, but will focus on an awareness of risks inherent in guarantees and will be reflected in the companies' choice of investment strategy. Control processes will involve monitoring and enforcing investment strategy and might require hedging (through equity futures, total return swaps, or options) or quantification of surplus needed to support guarantees.


ALM for equity products with guarantees

A large class of life insurance products has arisen where the investment element of the product is tied to the performance of a very specific pool of actual or notional investments that are shared among a group of policyholders. These products are called unit-linked, variable annuities, and equity-linked, depending on the market.


Risk identification

Insurers initially thought that these products transferred all investment-related risks to insureds. However, insurers with large blocks of equity-linked or unit-linked business have found that their revenues are directly tied to the same investment pools to which the products are linked. Over time, insurers have increasingly added guarantees to the product's investment performance that significantly added to the insurer's risk. While these risks were not initially recognized by the insurers or reinsurers that wrote them, equity market turbulence early in this century has left no doubts about the consequences of ignoring this risk.

The risks in these products include equity market risks, product design risks, policyholder behavior risks, risk modeling risks, and financial reporting risks. Policyholder behavior risks are particularly diverse and full of uncertainty. Behavior risks include client retention risk, where in some situations client retention might increase losses and in others might decrease them, as well as benefit election rate risks and asset allocation choice risks. In most cases, experience for these products is insufficient to provide significant guidance for the formation of assumptions to use for the reliable evaluation of potential costs of these benefits.

From 2001 to 2003, U.S. companies that sold these products and their reinsurers experienced significant losses due to poor management of the risks of these benefits. The largest losses arose from significant underpricing of benefits; failure to offset or hedge embedded options, which exposed the insurers and reinsurers to losses far beyond their risk tolerance; product designs that could not be hedged; and failure to recognize the potential volatility of revenue streams solely based on the value of an equity portfolio.

Risk modeling risks result from models not as robust as reality, specifically due to factors such as variations in investment alternatives that are more complex than what is modeled and financial markets that do not behave as modeled.

Financial reporting risk results from differences in short-term financial statement recognition of gains and losses from the embedded options and the hedges. Gains and losses from hedging programs that develop strategies based on market values or economic values of risks may have financial statement treatment that is significantly different from the embedded policy options.


Risk monitoring

Companies may monitor the amount of exposure present in their liability portfolio in terms of aggregate account values, amounts of various guaranteed benefits that are outstanding, the degree to which potential risks of underlying base revenues are hedged, and the degree to which guaranteed benefits are hedged. Gains and losses from hedging activities, as well as offsetting gains and losses from the base contract and guaranteed benefits, including the driving source of the gains and losses, might also be tracked. This tracking may be done on a basis timely enough to support the hedging activity (even daily), and may also produce aggregated information that would support financial reporting analysis and product management activities. Hedged and unhedged in-the-money benefits, as well as volumes of policies that are in an extreme situation due to uneconomic basic policy provisions such as dollar-for-dollar withdrawals, might be reported (see "The Dollar for Dollar Loophole: Another Item on Variable Annuity Writers' List of Woes," published July 30, 2003, on RatingsDirect). Asset allocation situations might also be monitored. The VaR of the separate and combined portfolio of liabilities and hedges might also be monitored, as well as the Expected Shortfall (see "Chasing Their Tails: Banks Look Beyond Value-At-Risk," published July 12, 2005, on RatingsDirect). Sensitivities of the liabilities and hedge portfolios to market shifts (delta, gamma), volatility shifts (vega), and interest rate shifts (rho) might also be tracked.


Risk limits

Insurers that have identified the risks of these products and guarantees will often have robust limits for the amount of market risk that they will retain. The limits may be stated in terms of dollar delta, dollar gamma, dollar vega, and/or dollar rho. Some benefits may not have significant sensitivities to one or more of these measures. Limits might also be stated in terms of VaR or CTE. The target is often to transfer or offset guarantee risk while retaining revenue flow risks. Sometimes the target is to retain certain portions of the expected loss distribution from the guarantee or the combined distribution of gains and losses from the product base revenues and the guarantee revenues and losses.


Enforcement of limits

Just as daily monitoring is needed for some situations, enforcement of limits may also be needed that frequently. Enforcement may flow through the ALM committee as described for interest rate risk, or there may be a separate committee or control structure for these VA equity risks. Enforcement may have a process for escalation of notification from breaches of various levels of checkpoints with ultimate limits that are not expected to be breached often, if ever. The company may also have pre-planned actions when limits and checkpoints are breached, which for hedged risks might involve the adjustment of hedged positions. The insurer may have contingency plans for situations where they are precluded from staying within limits due to extreme market situations where market prices have changed drastically and/or when hedging securities are not available for a period of time.


Risk management

A set of potentially sound risk control practices has recently emerged. Those practices have not been tested in a severe market downturn, so diligent and continuous reevaluation of the effectiveness of the risk control system is needed, and significant adjustments should be made as the need emerges.

The guarantees associated with these product types bear a cost for insurers when the returns on assets are lower than those guaranteed. An insurer may assess this cost through a market price evaluation of the cost of guarantees, either through a replication process (where the guarantee is compared to some combination of marketable securities) or through a model with market-consistent assumptions for the key risk elements. The market-consistent assumptions and model would be as robust as the actual guarantees. For example, a model that solely measures the delta of a guarantee would not be robust enough if that guarantee has risks that extend over long periods of time, may be subject to risks from large movements in markets, may depend on interest rates, or may have other risk characteristics that are not captured by the delta metric.

Product design may be influenced by the retained risk target and the market price of the guarantees.

For risks that a company retains, a hedging program might exist that offsets the risks to the extent needed to keep company exposure within the retained risk target supported by the measurement and reporting system. Such hedging programs may use short-term instruments, long-term instruments, or a combination of the two. The measurement and reporting system must be able to provide the information needed to meet the objectives of the program. Long-term hedging programs may not be adjusted as often as hedges using short-term instruments.

Together with the definition of a hedging program, a requirement for a complete risk control is a systematic execution of hedging, measurement, and enforcement, along with a commitment to disciplined execution. Use of long-term instruments does not change this discipline's importance unless the instrument involves transfer of insured behavioral risk through a reinsurance or reinsurance-like feature to the hedge. Many long-term hedge programs do not transfer this risk and therefore require commitment to monitoring the impact of insured behavior on the effectiveness of the hedge. On the other hand, short-term hedging programs offer the insurer the option of easily opting out of the hedging program by simply failing to renew the hedge positions. The short-term hedging programs will be most important during periods of turbulence, when execution is most difficult and cost is highest, which is when the temptation for a lapse in execution would be the greatest.

Another important consideration is the regular assessment of model risk, unmodeled risks, and the basis risk present in hedging programs due to differences between the underlying investments of a product and of its hedges. Significant risks can arise from the differences between an actual product portfolio and the model of that portfolio. Some insurers regularly assess and place limits and checkpoints on risks not addressed by the hedging program, such as the amount of unmodeled funds or the amount of basis risk from incomplete modeling of funds. Standard & Poor's recognizes that products with guarantees based on index values and products that require investment in funds that are more easily modeled and hedged would be more easily controlled than products with fewer restrictions or more open guarantees.

Regular evaluation of a hedging program's effectiveness would include a full analysis and attribution of gains and losses from the hedging program. This step will provide information that could ultimately be used to make adjustments to the hedging program that are needed to provide for market conditions that are not foreseen at the current time. In addition, some insurers have found that there are limited offsets between different products with different guarantees. It is a sound practice for insurers to evaluate the risks from several products together so that any internal offsets can lead to a reduction of hedge purchases rather than having two different hedging programs buying opposite sides of similar hedges. For sound risk control, the effectiveness of these offsets should be carefully modeled, not assumed.


Risk learning

Risk learning is an extremely important aspect of management for this risk. Management of an equity risk through a hedging program is very new to most insurers, and a high degree of uncertainty of policyholder behavior exists. Insurers may incorporate what they have learned about their hedging programs to design better hedging procedures. Those considerations might be regarding financial market behaviors that deviate from idealized or oversimplified models or in terms of policyholder behaviors. In addition, what the insurers have learned could be incorporated into future product designs, as this market is constantly evolving and the most sophisticated insurers are looking for designs that have lower hedging costs without sacrificing competitive attractiveness in the marketplace.

Table 3: Control Of Equity Risk For Equity-Based Products With Guarantees

Risk identification
  Most favorable indicators: Insurer is aware of equity market risks, product design risks, policyholder behavior risks, and risk modeling, as well as financial reporting risks for each variation of their product and benefit.
  Least favorable indicators: Insurer only recognizes risks when forced to due to accounting, regulatory, or rating agency requirements or need to make cash benefit payments.

Risk monitoring
  Most favorable indicators: Monitors several risk indicators such as benefits outstanding, in-the-money benefits, VaR, CTE, delta, gamma, vega, and rho, all on both hedged and unhedged bases.
  Least favorable indicators: Monitors account values and sales.

Risk limits and standards
  Most favorable indicators: Has expected ranges and risk limits for VaR, CTE, delta, gamma, vega, rho and standards for frequency of review of compliance with those limits.
  Least favorable indicators: No specific limits.

Risk limit enforcement
  Most favorable indicators: Reports of exposures outside of expected ranges trigger review by ALM or other oversight individual or body. Limit violation has prescribed action and time frame for resolution.
  Least favorable indicators: No enforcement. May do irregular large rebalancing after significant drift.

Risk management
  Most favorable indicators: Has a regular hedging program that includes updating complex model that measures retained risk and has a discipline for purchasing and/or trading hedge instruments to maintain desired position. Standards appropriately reflect expected treatment for deviations from expectations due to emerging policyholder behavior or has full reinsurance cover for risks beyond tolerances.
  Least favorable indicators: Has an ad hoc hedging program or partial reinsurance cover.

Risk learning
  Most favorable indicators: Regularly monitors and analyzes hedging gains and losses and adjusts hedging program based on results. Robustly monitors policyholder behavior and uses results to adjust risk models and product design.
  Least favorable indicators: No process in place. Gains and losses from the hedged risk are seen as totally outside the control of management.


Property/Casualty (Nonlife) Insurance Risk

Nonlife insurance risk refers to the risk of loss or damage from an individual or entity to the insurer caused by fire, theft, injury, or other contingencies, or the liability deriving from an entity's or individual's fault. Industry experience with this risk has been poor at best. The combination of inadequately priced business sold during the soft market of the late 1990s, major changes in the legal climate that are dramatically increasing claims for prior loss years, more frequent and larger-than-expected catastrophes, and excess capacity have led to poor overall industry nonlife underwriting results over the past 10 years. Sound practices are emerging, however, and future market cycles and catastrophes will provide their real-life tests.


Risk identification

Beyond the successful identification and control of the underlying perils to be included in the insurance policy, the risks to manage for a nonlife insurer are identified in the processes, such as underwriting, pricing, policy issuance, reserving, performance monitoring, environmental monitoring, cycle management, and reinsurance risk. Particularly important for many insurers is the identification of risks that may aggregate, such as catastrophes.

While the identification of perils may seem straightforward, insurers need to be cautious about insufficiently precise contract language that allows losses to be unintentionally covered by an issued policy.

Underwriting risk is the risk that the coverage offered will have a different risk profile and therefore different loss distribution than is needed to achieve the targeted profit.

Pricing risk is the risk that even if the coverage offered has the exact risk characteristics that were anticipated in pricing, the loss distribution will be different because the process that formed the expectations was flawed in some way. The process flaw could be due to bad data, bad process, or an unanticipated change in trend (also assumption problems such as too complex, false certainty, or unmodeled risk).

Cycle management risk is the risk that the insurer will write business during a soft market that is later found to have claim costs significantly higher than premiums because of higher claim frequency/severity and/or softer policy terms and conditions.

Claims risk is the risk that the claims paid will be significantly different than expected due to irregular claims management processes, insufficient rigor in the claims process, or unexpected legislative, regulatory, or court intervention in the claims process.

Catastrophe risks are the risks that large events such as hurricanes, earthquakes, tsunamis, terrorism, or other large-scale calamities will result in losses far above the loss tolerance of the insurer and at a frequency different than anticipated.

Since catastrophe risks are usually systematic risks, there are also secondary risks that reinsurers might be overextended at the same time and not provide the full coverage that was anticipated. Reinsurance risk includes this event-driven situation as well as a pricing risk. Insurers that rely heavily on reinsurance for achievement of their main business objectives are subject to the risk that the availability of reinsurance may alter significantly or that reinsurance pricing might increase at a much faster pace than the insurer is able to raise rates. This risk is especially present in personal lines coverages where rate increases are subject to regulatory approval.


Risk monitoring

Risk monitoring concerns the underlying risks, which can be measured with several different exposure metrics including premiums, expected claims, probable maximum loss (PML), total limit, earnings at risk, VaR, and/or expected shortfall. Some insurers measure their exposure to one or all of their risks by geographic area, industry, or other grouping.

Insurance contract terms and conditions are sometimes monitored, either on a regular basis (for example, as part of a rate monitoring process) or on an ad hoc or spot check basis.

Claim costs are often highly monitored and in many different groupings, as was the case with the risk breakouts mentioned above. Claims costs are often monitored in comparison to expectations, either those formed when the coverage was priced or when the claim was first reported, or both.

Monitoring is often particularly intense for catastrophe risks. One of the basic building blocks of sound risk control of catastrophe exposure is data capture and its availability for modeling. Specifically, the ability to model catastrophic risks depends on a number of features, including the availability, quality, and volume of data upon which such models are founded. Claims and policy database(s) capture both quality (breadth and depth) and volume of data. Where this information is not available (such as for reinsurance or retrocessions), the underwriter may request appropriate data.

Sound modeling includes a process to set and update model inputs. Models are by definition a simplified representation of reality; as such, they require an appropriate set of data and assumptions to replicate that reality. There should be a disciplined process for the regular updating of models and the data and assumptions embedded in them.


Risk limits and standards

Nonlife insurance risk limits and standards often apply to underwriting for all coverages and especially for catastrophe risks.

Good underwriting will start with underwriting standards, often followed by a training and enforcement process, as well as clear accountability for the underwriting itself. Sound practices will vary with the degree of control over underwriters/agents by the insurer. Personal lines insurers may have a high degree of control over the risks accepted and the price, terms, and conditions upon which these risks are taken on. At the other end of the scale, followers in subscription markets and users of third-party agents will sometimes have significantly less control of one or more of these key features. Consequently, their control processes might be more rigorous and robust.

Nonlife insurers may have consistent, fully documented underwriting standards with monitoring and enforcement of compliance to these standards. They may have an underwriting plan including objective(s), strategy, and measurable targets. There will often be authority limits for underwriters and referral procedures, including (but not limited to) types of risks, exposure limits, and terms and conditions allowed. A "four-eyes" principle may be used whereby each significant risk requires two peer underwriters to approve it. Another focus might be on the data needed to reach underwriting decisions (e.g. perils, coverage, and exposure) with standards for the nature and amount of data needed to support an underwriting decision (stated in an underwriting checklist). Also, underwriters may be required to fully document their underwriting decisions to assist future file audits.

A robust pricing process will ensure that the underwriters receive the information needed to make appropriate decisions. The quality and accuracy of pricing for individual risks will vary according to a number of elements including the skill, experience, and size of the pricing team; the quality and volume of appropriate data; and the way in which the outputs are used in the underwriting process. The outputs of the process may include a "technical" price as well as documentation of the adjustments made to meet current market conditions.

Catastrophe model(s) may be used to aid setting concentration limits. Part of the process of allocating the overall risk tolerance of an insurer could involve establishing the tolerance to catastrophic events. Sound models contain appropriate assumptions and scenarios, which can be tested and stressed. Those models provide for all risk classes covered, all policies affected by each peril, and any secondary factors (influencing frequency and/or magnitude of events). The sound catastrophe models contain a range of methods for analysing the potential exposures and allow the insurer to determine their inwards exposures before separately establishing their outwards reinsurance needs.

In addition to catastrophic modeling, and given the fallibility of models, insurers often choose to establish absolute limits to certain geographic zones. Each contract is allocated to a zone or a combination of zones. For a contract that spans several zones, the most conservative approach is to allocate the full limit to each of the affected zones rather than trying to allocate it proportionately.


Limit enforcement

There is often an auditing process for reviewing risk acceptance decisions that is performed by appropriately qualified and experienced personnel (e.g. underwriters, actuaries, lawyers, claims handlers, and senior management) that may be self review, peer review, pricing review, supervisory review, and potentially independent internal/external review and/or reinsurer review. There may be a tracking process that collects information regarding frequency of deviations from standards and planned actions where deviations are identified.

Documentation and clear internal disclosure of changes to standards, both temporary and permanent, is both a part of the standards process and a part of the enforcement process.

A sound practice would be for the capabilities of the IT system to match the ERM process. Specifically, the IT systems would be in real-time, or very close to real-time, so that they have the ability to monitor risk tolerances and exposure limits in real-time during renewal season. Groups that operate with fewer systems would generally be found to have potentially stronger ability to accomplish this real-time monitoring than groups with many legacy systems.


Risk management

Cycle management is another key element of the underwriting process. The ability to identify changing market conditions allied to a robust underwriting plan that provides a planned response to these changes can be a significant benefit in managing the underwriting result throughout the life of the market cycle. To identify the changing market condition, insurers rely on tools such as expert underwriter opinion, trade journals, broker surveys, premium rate indices, government or regulatory body influences, claims cost trend analysis, and other leading indicators including capital markets activity. The planned response to a change to a weakening market might be a change in volume or type of business or changes in sources of business, premium rates, terms and conditions, and/or reinsurance use.

Diversification is an underlying principle in insurance and a key tool in insurance risk management. There are many levels of diversification. The underwriting limits are a key tool in achieving diversification on a micro level within risk category. At the macro level, the spread of risk among various risk categories is another form of diversification. The Standard & Poor's Insurance Risk Control is concerned with the micro level of diversification. The macro diversification is considered to be a part of Strategic Risk Management.

Another key element of risk management is risk selection, or the choices that insurers and reinsurers make on the structure of the coverages that they write. Those choices might include the determination of what programs to be on (whether proportional or nonproportional) and then what layers to write and at what price.

The primary purpose of reinsurance is often to reduce the variability of the net underwriting result; as such, requirements will usually be driven from an analysis of top-down risk tolerance and bottom-up exposure. However, purchasing reinsurance protection usually involves a trade-off between expected cost and reduced risk. Also, the use of reinsurance or retrocession placements may introduce new risks for the sake of reduction of pure underwriting risks, mainly credit risk or contract risk.


Risk learning

Once the business has been written, it is sound practice to have a robust review process to identify strengths and weaknesses in the process. An insurer may have a process for reviewing actual premium and claims experience, sharing and feeding back the results into future underwriting, pricing (and other) estimates. Actual versus expected experience, including an analysis and discussion of the key "drivers" of observed variances, is regularly developed and reported. Pricing changes and reserving estimates adjusted to take account of these variances are determined. An important sound practice relates to the remuneration of underwriting, claims, and pricing teams, which encourages a positive impact on the risk-return profile of risks underwritten, the quality of information provided to decision makers, and the early recognition of divergence from expectations.

Even with regular updating and checking, models are still only a simplified version of reality. Thus there will usually be a process to feedback strengths, weaknesses, and assumptions of models. Catastrophe models, like all models, are merely tools to aid decision making; as such, the outputs from these models will usually include information about their usefulness, for example:

  • Strengths and weaknesses.
  • Assumptions, including sensitivities.
  • Unknowns.
  • Range of scenarios modeled.

Reserve risk

As stated, underwriting is the key risk for nonlife insurers and, combined with good pricing, can assist in setting initial reserves. However, it is not a substitute for good management of reserving risks, as it is difficult if not impossible to anticipate all changes that will affect the amount of premiums, claims, and expenses at the time of writing the risks.

Reserving risk relates to the uncertainty surrounding the level of reserves that will ultimately be needed to meet all liabilities and the timing of those liabilities. To identify and measure these uncertainties, insurers will usually need to employ a range of data and methods, often including stochastic technique(s), to then ascertain whether these models quantify all three types of uncertainty (data, model, and parameter). The board (which is responsible for booking reserves) may be made aware of the assumptions, parameters, and strengths and weaknesses of the techniques used.

Sound practices for reserving models would be to have good quality and volume of data. The collation of this data would imply data reconciliation and checks to ensure completeness and reliability; communication of adjustments (including justifications) and identified errors in the data; use of internal and/or external data; and, where external data is used, a specification of what sources and adjustments are made.

Sound practices would be for the techniques employed to allow for emerging changes in the development of premiums and especially claims. Several issues must be considered. Changes in the legal environment, recent court decisions, can affect the uncertainty around estimates, and the same can be said for general changes in the claims environment; to identify these, sound practices would be to outline separate trends in frequency and severity of claims, any possible new types of claims and actions taken, and the monitoring of different types of inflation. Another sound practice would be to identify changes in underwriting and claims management processes, including quantification and/or qualification of changes in underwriting and how this is allowed for in the reserve estimates, and an evaluation of how estimates allow for the latest years, where some poor performing business has been replaced. A further sound practice is separating underwriting from reserving where reasonable to do so, in order to avoid conflicts of interest. Independent review of reserves and reserving processes can be beneficial, as they can identify issues that are not present in an individual company's data.

Reserving across the cycle can significantly reduce the uncertainty in reserve estimates for both premiums and claims. There is strong evidence to suggest that both premium rate and claims cycles exist. However, many standard actuarial techniques fail to fully recognize both of these without explicit adjustments. Sound practices would therefore use cycle-robust reserving methods, which reflect economic and market patterns in loss development that vary over the cycle.

How large, unusual, and disputed claims are dealt with also affects the uncertainty in reserves. Sound practices may be to decide on a cutoff point and plan the management of large claims, including the modeling through scenarios.

All of the above processes are highly technical. Thus, it is critical that assumptions and parameters and strengths and weaknesses underlying all recommendations and models are communicated clearly to nonspecialist decision makers. This should help to avoid a repeat of the situation created by Hurricane Katrina, where some modeled results were taken as gospel.

Table 4: Evaluation Of Property/Casualty Insurance Risk Control

Risk identification
  • Most favorable indicators: Insurer has robust process for identifying all risks under their broad contracts. Furthermore, the insurer has identified all instances where risks may aggregate.
  • Least favorable indicators: Insurer fails to identify incidental risks. Insurer concentrates on cat risks featured by regulators or rating agencies.
Risk monitoring
  • Most favorable indicators: Insurer uses multiple measures of risk exposures, choosing several from premiums, expected claims, PML, total limit, earnings at risk, VaR, and/or expected shortfall. Monitoring process is updated frequently and produced on a timely basis. Monitoring very granular basis supports both management feedback to underwriters and input to analysis of diversification. Cat risk monitoring is augmented by robust models. Deviation from indicated price is tracked and aggregated by underwriter, by office, and by region, and is known shortly after a monitoring period closes. Exposures are monitored in real time with a few days lag at most. Insurer can aggregate exposures across the entire group.
  • Least favorable indicators: Insurer mostly uses a single measure of risk and might not update its monitoring very frequently. Cat risk modeling is not done frequently or on a timely basis. Deviations from indicated price are only known many months after a period closes. Exposures are aggregated after the renewal season is over, which is when the insurer first finds out whether they have stayed within their risk limits.
Risk limits and standards
  • Most favorable indicators: Risk limits as well as expected ranges set for many categories of business and for individual coverage support control and ensure diversification. Standards for underwriting processes are clearly documented. Cat risk limits are very tight, with clear and certain escalation requirements in place as coverage approaches limits, and are based on robust stochastic scenario models. Clear process for resolving over-limit situations.
  • Least favorable indicators: Limits are rarely challenged because they are much higher than any expected range of risk to be retained. Cat limits are set using a small number of deterministic scenarios.
Risk limit enforcement
  • Most favorable indicators: Timely monitoring allows insurer to identify first limit breach. Process exists to avoid subsequent breaches. Insurer has process to utilize limits from one area to another without creating an over-limit situation. Swift consequences for deliberate limit violations.
  • Least favorable indicators: Over-limit situations usually resolved by expanding limits. Limit breaches found several months after the close of a period and are usually resolved by gradual reductions in future new case limits. Consequences of limit breaches are uncertain and uneven.
Risk management
  • Most favorable indicators: Reinsurance program is consistently applied and tied to overall risk tolerance. Insurer has a clear strategy for how it will modify its business strategy in a soft market, including an expense strategy if reduced sales are a part of that strategy. Insurer has a process for identifying the stage in the underwriting cycle that is credible enough to drive business decisions.
  • Least favorable indicators: Reinsurance program not monitored centrally and is used on an ad-hoc basis. Cycle management only exercised reactively with changing market conditions.
Risk learning
  • Most favorable indicators: Swift feedback process lets insurer modify pricing as adverse claims trends emerge. Regular updates to cat model assumptions reflect emerging experience.
  • Least favorable indicators: Infrequent updates to indicated price or other terms and conditions. Cat models updated by vendors.


Life Insurance Risk

Most life insurers are exposed to claims that exceed 50 or more times their combined reserves and surplus. However, because of low expected claims rates and the usual total independence of the risks, the range of claims, under all but an extremely remote probability, is often significantly below the amount of risk retained by most life insurers as credit- or market-based investment risks.


Risk identification

Mortality risk includes misclassified risks, underpriced risks, and excess potential volatility due to concentration of coverage for single individuals or employer groups. Processes and procedures to control these risks are sometimes as old as the insurer and sometimes as new as the latest medical procedure.


Risk monitoring

Monitoring will often be done with a chart showing new business distribution into various categories such as size of policies, underwriting class, location of business, etc. Under most circumstances, mortality risk is uncorrelated from one insured individual to another. Risk concentrations via exposure to extremely large amounts of life insurance on a single individual or family may be monitored. In addition, life insurance is exposed to rare but potentially large events such as terrorist attacks and pandemics. Some group insurance writers now monitor geographic concentrations.

Due to the low correlation of mortality between individuals, the primary approach to achieving diversification of mortality risk is to limit the amount of coverage to any single individual through retention limits. It is a sound practice to recognize that a block of individual exposures with a wide amount of insurance dispersion may be much less diversified than a block with the same number of lives and a small range of coverage amounts. Monitoring the dispersion of insurance policy sizes may be used to track this situation.

Claims monitoring and actual-to-expected mortality rate monitoring are two of the most universal mortality risk control practices. Others include regularly comparing claims experience to pricing objectives, analysis, and explanation for deviations done with a standard frequency and timing of studies. Studies often include mortality rate monitoring and comparison to pricing expectations and industry tables, as well as a detailed embedded value analysis of changes to compare actual versus expected mortality. Routing feedback from the monitoring process to pricing, underwriting and claims processes is also important.


Risk limits and standards and enforcement

We will look for clear field underwriting standards with training and enforcement processes. Sound practices will vary with the degree of insurer control of agents. Insurers with closely tied sales forces may expect field participation in underwriting to provide a significant prescreening step. Insurers that deal primarily with independent distributors will sometimes ignore sales force input, but insurers with disciplined underwriting standards find that experienced professional insurance agents will quickly learn their standards and usually submit business consistent with those standards.

In addition, we will look for consistent home office underwriting standards with monitoring and enforcement of compliance. Standards may include the following: data needed to reach underwriting decisions (such as blood tests or APS); appropriate use of data in reaching decisions (such as a debit and credit system); authority limits for underwriters; and an auditing process for reviewing risk classification decisions, which may be self-review, peer review, supervisory review, independent internal or external review, and/or reinsurer review.

Risk concentration is usually not a concern for individual life insurance writers. Writers of group life and reinsurance have adopted the sound practice of placing limits on their coverage concentrations in specific geographic areas that are thought to be prone to terrorism risk with monitoring and compliance enforcement programs.

Reinsurers commonly use a robust process for ensuring compliance with agreed-upon underwriting standards by the direct companies. In reinsurance programs with transfer of a high percentage of total risk written, reinsurers should be especially diligent in conducting an underwriting compliance review due to the agency risk, which requires more frequent and more extensive underwriting audits.


Risk management

Reinsurance is a primary tool for managing mortality risk, and securitization is also becoming prominent. Use of reinsurance can be guided by objective processes for establishing and updating retention limits, which should be tied back to overall insurer risk tolerance. The processes can apply statistical methods augmented by an evaluation of the potential impact of unusual extreme adverse events such as pandemics and terrorism. Securitizations are often used for purposes other than risk management, such as relief from reserving requirements, but can provide some transfer of risk, especially of extreme events.

Another sound practice is an objective process for selecting reinsurers and distribution of reinsurance, with considerations of counterparty risk as well as cost of reinsurance coverage. Insurers can have limits for exposure to individual reinsurers with monitoring and enforcement as well as a process for anticipating and avoiding exposures that violate limits. Periodic due diligence of reinsurer financial strength and risk concentration is also important and is discussed in detail under credit/counterparty risk. Another sound practice is the monitoring of aggregate reinsurance usage in the context of a view of the total risk profile of the insurer, and maintaining awareness of the degree to which the insurer risk retention strategy relies on third parties to take a portion of the risk written.

Some insurers will analyze gains and losses from reinsurance to ensure that a reinsurance program is achieving its cost and risk protection objectives over time. Insurers may identify gains and losses from reinsurance and their sources as well as analyze claims volatility both with and without the reinsurance program. Insurers often monitor compliance with standards for insurance policies that should or should not be reinsured (usually part of underwriting standards). The monitoring can be accompanied by responses to compliance failure such as retraining, limitations of authority, compensation limitations, or termination.

To avoid any surprises or ambiguity concerning a large claim payment, many insurers have clear standards for reinsurance treaty terms and clear authority limits for accepting any changes to standard terms. With the complexity and diversity of any reinsurance agreements that insurers have in place that cover long time periods and multiple regimes, actual compliance with the terms of reinsurance treaties can be a difficult exercise for insurers. A sound practice would be conducting regular and detailed internal audits of the accuracy, completeness, and timeliness of reinsurance settlements.


Risk learning

A sound practice for mortality risk control is to carefully align underwriting standards and pricing with industry and company experience. This will often involve processes that are aimed at extending trends or subdividing experience into new or developing classifications. Recent unusual events or events with a temporary impact on company or industry mortality experience are often important considerations, as well as implementing a process to incorporate emerging experience when updating pricing.

Insurers often pay additional attention to death claims occurring during a life insurance policy's first several years in force. Such a situation allows for an analysis of the cause of death and a determination of whether the underwriter could have identified the situation at the time of underwriting. Underwriting standards might be changed as a result of this analysis.


Longevity risk control

Governments, insurers, and pension plans that provide lifetime income guarantees are exposed to significant risk that the annuitants will live longer than expected. Over the past century, life expectancy in many countries has increased by 20 to 30 years. Prices for annuities and providing guaranteed incomes need to be set in a way that includes a provision for future longevity improvements. While a significant individual element exists to longevity risk, it is generally thought to be systematic. Elements such as changes in medical care and environmental improvements could improve life span for wide sectors of the entire population. However, countertrends such as obesity and pandemics could work in the opposite direction, also on a systematic basis. Many techniques used to manage mortality risk do not apply to longevity risk. In addition, longevity risk is usually paired with interest rate risk, another systematic risk.

Sound practices are limited, but there are some. One is regular monitoring of longevity exposure, paying special attention to sudden abrupt or gradual shifts in competitiveness of longevity products. Those shifts can often be indicators of pricing more aggressively than the market. Other sound practices include having a process to analyze such shifts and to make swift pricing adjustments, and for insurers that write large pension guarantee contracts, setting limits for the level of longevity exposure that they will add in a year, with a monitoring and enforcement process.

An experience monitoring process to collect longevity experience should incorporate regular monitoring of industry experience, including medical and environmental factors that will affect longevity as well as a comparison of achieved versus assumed mortality improvement. From this information, an insurer can form an opinion regarding the future mortality of its current and potential future annuitants.

Finally, insurers may have a process for updating longevity product pricing, gradually raising prices as mortality improves and as their view of future mortality changes.


Policyholder behavior risk

To sell many insurance products, insurers often incur costs well in excess of anything that could be charged to a customer when the policy was issued. An insurer usually expects to recover these costs over the policy's life; therefore, these insurance products are economic for the insurer only if significant policy persistency exists. However, insureds or policyholders continue these contracts "at will." Insurers bear significant risk that their customers might terminate their policies at a faster pace than would be needed for the insurer to achieve profits as well as recovery of acquisition costs.

Insurers need to identify areas where persistency would be an important financial risk due to high unamortized acquisition costs, high surrender values, lapse-supported products, and stranger-owned life insurance situations. Sound practices include the following:

  • Frequent monitoring of lapse experience in high-risk areas.
  • Regular attempts to rationalize causes of shifts in persistency.
  • Policyholder communications programs to discourage premature lapsation.
  • Counseling programs for lapse requests by reselling policyholders on the value of the product, including recovery programs for exchanges.
  • Disciplined updating of product pricing and costing to reflect actual lapse experience to prevent creation of future problems where favorable lapse assumptions are no longer realistic.

Many life and annuity products have provided a myriad of options to policyholders and beneficiaries. In some cases, these options were priced with generous margins, which made the insurer indifferent to the option's exercise. Some options have costs that vary based on market conditions. Under adverse market conditions, the costs could fluctuate and become much higher than the price of the option to the policyholder (which is generally referred to as an option being "in the money"). For these potentially "in the money" options, a few sound risk control practices exist at some point depending on financial conditions. Among them are the following:

  • Careful selection of utilization assumptions in initial pricing after reference to external or internal experience and testing of impact of variations in assumptions.
  • Identification of assumptions with low experience input and development of significant monitoring systems for uncertain or sensitive assumptions.
  • Monitoring "in the money" option situations.
  • Developing predetermined triggers for hedging of options or other actions.
  • A process to identify and react to changes in utilization patterns (such as changes to hedging programs) with predetermined reactions.
  • Evaluation of risk from open options through stochastic modeling or stress testing.

Special concerns for reinsurers

Reinsurer management of insurance risk has several differences from that of primary carriers, differences that are driven primarily by the different levels and timing of information flows to the reinsurer. Some reinsurers have standards for the amount of information they must have in order to provide a bonding quote on a treaty or program. Monitoring customers' underwriting standards is also a concern. Reinsurers often have an underwriting audit process that they apply periodically to each customer. Those reviews could take place on a schedule or could be triggered by activity or experience significantly outside of expectations. A sound practice is having clear standards for the performance of those audits as well as standards for findings under the audits. Claims-handling practices can also differ from those of primary insurers. A reinsurer with sound claims control practices should have clear guidelines for triggering claims reviews and audits. Reinsurer use of retrocession as a risk-management tool is a direct parallel to the use of reinsurers by primary carriers.


New Product Risk Control

New product risk derives from the introduction of new products or new lines of business. The risks a company will assume can differ in nature, depending on the product and the line of business.

It is important to identify all possible risks inherent in a new product and ensure that adequate procedures and controls are in place and integrated into the risk management processes before being introduced in the market.

For life products, sound practices include identification and analysis of all risks attached to the product's primary and secondary benefits, including all riders and options for benefits settlement. Often life products contain guarantees, particularly on investment performance, which can significantly add to the risks written. A complete risk analysis of these guarantees will identify the scenarios under which the company might suffer losses and the magnitude of the losses associated with each scenario. In addition, close attention will be paid to policyholders' behavior, which might change as the economic environment shifts, adding unexpected risks such as liquidity issues.

For property or casualty products, or lines of business, the focus would be on thoroughly analyzing all coverages offered under the policy, with a clear determination on how losses can occur and the associated costs of these losses. These should include both direct and indirect costs, such as legal costs. Policy design in property/casualty is also particularly relevant, as the risk for a broad interpretation of coverage is higher than for life products, particularly in all-events policies, where only certain risks are explicitly excluded.

New product disciplines are associated more with high-volume products but are still relevant for large commercial lines and reinsurance business where the product is increasingly customized. Much of the process would need to be adapted to focus on new lines of business or large individual transactions.

Once all risks have been clearly identified, the company will decide which risks it wants to retain so that the new product fits with the company's risk profile and expertise. Risk limits should be defined, with reinsurance or hedging strategies decided upon accordingly. For retained risks, a sound practice would be to lay out a detailed plan for the risk control methodologies to be applied, with regard to measuring, monitoring, checkpoints against set limits, etc.

If, for competitive or other reasons, an insurer wishes to assume new risks, a sound practice would be to identify all situations where new risk control procedures would be needed. If expertise for managing the new risks is not available in the company itself, it would be advisable to include in the plan where and how outside expertise can be obtained, and at what cost, which would then be included in pricing.

Defining the investment strategy to support the new product is also important. A sound practice would be for it not to deviate significantly from the company's current investment profile. If it does, the company's overall risk profile could be significantly altered and should be re-evaluated to cater to the changes anticipated because of the new product's launch. If an investment strategy different from the existing one is needed to support the product, it could require new competencies or expertise, a need that will have to be fully addressed before the launch of the product.


Pricing

As part of the new product risk management, sound practices would include a methodical assessment of pricing adequacy. Complex benefits structures and open-wording policies often increase the risks of mispricing, as it might be difficult to correctly evaluate embedded options and risks. Pricing will be done by modeling all identified risks, using methodologies that vary from simple stress test assumptions to stochastic scenarios, depending on the complexity of the risk and the available data. For life products, traditional actuarial practices based on a deterministic approach—with a simplistic approach to risks (i.e., expected average cost) and to investment returns (i.e., expected returns)—resulted in embedded options and guarantees being consistently underpriced and under-reserved. Because the underlying risks cannot be diversified, embedded options and guarantees should be priced on a risk-adjusted basis, using more sophisticated techniques, such as market-consistent valuations.

The pricing process normally includes an assessment of the capital requirement for the new products. The capital can be defined as regulatory capital, rating agency capital, or—for a more sophisticated approach—economic capital. This will allow the risk-adjusted profitability of a product to be assessed, which should be one of the first considerations when launching a new product or entering a new business line.

A sound practice for designing a full-control process for new product risk will also include an ongoing post-implementation process to monitor performance. Sources of profits will be identified and compared with the expected results embedded in the pricing, so as to allow corrective actions in due course.

Governance aspects are of particular relevance in the new product launch process—and even more so for large groups. Sound practices would include:

  • Full involvement of local top management, product, technical, investment, and local risk managers, with the designation of an individual responsible for the risk management of the product.
  • An appropriate standardized decision making process, which will include all aspects illustrated above and will allow senior management/executive committee to assess all consequences of launching the new product before giving the final sign-off.

For large groups, once the local approval process is completed, the new product report should be submitted to a company's central risk management function. Group risk management should give final approval on the product's risk/return profile; the valuation framework used to price the product (which should be consistent throughout the group); the risk mitigation techniques to be used (particularly as far as reinsurance is concerned) and on local risk management activities. More importantly, group risk management should address group risk considerations such as overall risk tolerance, accumulation, concentration, and diversification. Thus, group risk management could veto the launch of the new product if, when accumulated at group level, it represents an unacceptable level of risk.


Operational Risk

Operational risk is often defined as any risk not included in another category. The Basel definition of operational risk for banks is "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events." Standard & Poor's regards this statement as valid when applied to insurer ERM. Specifically (but not exclusively), operational risks include information technology and business continuity processes, controls, regulation, and compliance, as well as human resources, change management, distribution, and outsourcing. Reputation risk, which usually arises after some other significant loss, is included, but strategic business risks are assessed outside of the ERM evaluation process in the evaluation of management and corporate strategy.


Risk identification

Operational risks can be identified by looking at insurance industry or company loss experience, examining loss experiences in similar industries, or extrapolating from adverse situations. The Basel list cites such risks as internal and external fraud; employment practices and workplace safety; client, product and business practices; damage to physical assets; business disruption and system failures; and execution, delivery, and process management. Risk identification can be done by a risk-management staff, functional or operational management, and in some cases by a bottom-up process that surveys operational supervisors.

The list of possible operational risks can be very long. Some insurers will perform a second step of qualitatively sizing risks identified in the first step. Depending on the perceived severity of the exposures and the resources available, insurers will then often choose a smaller number of high-priority risks. Management can address unselected risks, but operational risk focus will be a selected high-priority risk.


Risk monitoring

Often insurers identify specific key risk indicators (KRI) for each identified and prioritized risk. A KRI can be a factor indicating how much general activity is associated with a risk, such as a transaction count, or an element more directly indicative of potential risk, such as an exceptional transaction count, or can be based on an estimate of expected losses. Actual losses can also be monitored both for the process of calibrating loss distributions and for risk learning.


Risk limits and standards

Few operational risks are managed using limits and limit monitoring; instead, they are managed primarily by establishing standards of company practice, which are usually established for each priority risk. Training is done and then full compliance with standards is expected and monitored using written, documented internal and external recordkeeping and auditing.


Risk management

Techniques for managing operational risks are as varied as the risks themselves. The techniques must be selected or adapted to fit with each insurer's corporate structure and environment. A set of sound practices that apply to operational risks can be significant for insurers. However, as risks can vary between companies, Standard & Poor's does not recommend using this list as a guide for forming an operational risk-management program.

Internal control processes provide a verification framework ensuring that operational risk controls are adequate and are being followed appropriately. To accomplish this, internal control processes are often more proactive and go beyond internal audit emphasis on financial controls. Clear duties and reporting lines exist for internal control processes and are organized so that no conflicts of interest exist between those assessing compliance with control policies and those who execute those policies. The internal control function is sometimes empowered to validate that an insurer's policies and procedures are in place and are adequate to achieve risk control objectives. In addition, a verification process sometimes exists to ensure that risk control objectives are consistent with operational risk tolerances. Top-down and bottom-up approaches are used to identify control weaknesses.

At some insurers, an appointed compliance officer reports regularly on achieved compliance with compliance standards, with provision for a transition to process-oriented compliance programs under which compliance can be verified on a continual, real-time basis. Compliance officers usually are responsible for enhancing consistency in compliance expectations, policies and procedures, assessments, and reporting. The insurer maintains good relationships with regulator(s) and has codes of conduct to deal with general ethical conduct and money laundering and a process for the anonymous reporting of ethics and compliance breakdowns. Whistle-blowing is identified as an important employee duty, and a formal process may exist for collecting employee warnings and following up on those situations.

Information technology (IT) risks are identified and monitored. The insurer has a documented IT strategy and procedures, as well as checks on system security, data integrity, new systems testing, and backup facilities. The insurer has a policy for data access, distribution, and communication security, and compliance with that policy is monitored regularly. Plans are in place and are adequate to provide service continuity and access to data under a wide range of business disruption scenarios, and adequacy of data security policies is periodically assessed by independent experts. Procedures are followed to minimize the impact of computer viruses on the insurer's operating environment.

The insurer has a documented, sound human resources (HR) strategy and procedures, including pre-employment screening, succession planning, proactive training policies, and external review of funding adequacy of pension liabilities and long-term costs of other employee benefit promises. A process for anonymous reporting of HR issues exists, as well as a systematic process for resolving those issues. As part of the documented procedures, the insurer may seek to maintain clear, appropriate job descriptions, orientation, and training programs as well as performance appraisal and compensation systems. Compliance with these procedures is monitored, and managers' actions outside of the procedures can have significant consequences.

An insurer will often have a clear procedure for developing new outsourcing partnerships, including a comprehensive process for identifying potential outsourcing partners and selecting the optimal partner. That process could include such steps as an assessment of partner financial viability and a technical evaluation of the potential partners' ability to deliver. When the outsourcing is international, a country risk assessment of the partner's location might be valid. In addition, an ongoing process might exist to monitor the outsourcing partnership's success. Key performance indicators might be identified based on a joint understanding of success. In addition, a formal problem escalation process and an ongoing auditing process can exist. Implementation presents additional risks, and insurers might adopt procedures to minimize and mitigate its risks.

For ongoing vendor relationships, insurers often maintain a list of authorized intermediaries with documented procedures covering required expertise and culture characteristics, vetting procedures, contract terms, authorized limits, and monitoring of activities. The insurer also maintains a schedule of authorized suppliers with documented procedures covering contract terms and authorized limits. The insurer has an explicit policy regarding granting an exclusive relationship to a supplier, including ongoing performance standards and periodic assessment of the alternatives in the marketplace.

Business continuity risk management could include identifying potential risk scenarios and developing contingency plans for dealing with issues that would arise under each scenario regarding employees, customers, distributors, physical facilities, communications, data processing and information security, records, and in-process transactions. In addition, business continuity risk management can include practice emergency scenario testing and assessment of any actual major or minor disruptions.

Risks arising from a merger, such as change management and projects, would be identified and quantified in advance as part of standard procedures. An insurer can have a systematic process for addressing risk and evaluating risk-management practices of merger or acquisition targets. Insurers would also need to have implementation plans that include identifying the resulting combined entity's risk tolerance and standards for risk-management practices, as well as the steps needed to bring the combined risk profile and risk-management practices into compliance with those tolerances and standards. Reputation risks need to be identified and quantified in terms of both potential sources and consequences and crossover with other risk areas. The insurer should have procedures established for crisis management, including media training.


Risk learning

Insurers will sometimes have loss analysis processes, in which an insurer identifies the causes of an operational loss and ensures that any lessons learned are reflected when relevant procedures are updated.

After an operational risk-management process has been in place for at least one year, some insurers will resurvey the risk-identification process. The experience might result in more informed responses to the survey and analysis, in addition to the changes in risks that result from changes to the insurer, its markets, and its regulatory environment. Risk priorities could be changed and/or the list of priority risks could be expanded.

Table 5 Evaluation Of Operational Risk Control

| | Most Favorable Indicators | Least Favorable Indicators |
|---|---|---|
| Risk identification | Risks identified using industry and company experience, as well as top-down and bottom-up processes. Focus is on high-priority risks. | Operational risk efforts focus only on recent industry losses. Bottom-up process for risk identification. No focus or prioritization. |
| Risk monitoring | Insurer uses key risk indicators closely tied to actual risk. Indicators are summarized and receive attention from management. | Risks are not monitored. |
| Risk limits and standards | Insurer has documented and comprehensive compliance standards. | Compliance is reactionary, solely addressing the most recent problem area. |
| Risk management | High-level manager identified to own each priority risk. That manager is responsible for reporting successes and failures in managing the risk as well as identifying weaknesses for future improvement. | Risk ownership unclear. Risk management improvement plans are primarily after losses. |
| Internal control process | Proactive internal control processes go beyond internal audit emphasis on financial controls. Clear duties and reporting lines. Top-down and bottom-up approach. | Little or no identification or quantification of operational risks. Some categories have few or no internal control processes. Existing process focus. Passive, top-down-only box-checking approach. Blurred responsibilities. |
| Regulatory and compliance risks | Appointed compliance officer. Regular reporting of achieved compliance. Good regulator relationships. Codes for conduct/ethics/money-laundering programs. Whistle-blowing encouraged. | Compliance responsibilities allocated unclearly or not at all. Problems with regulator and stock exchange (if public). Unexpected regulator involvement. |
| IT risk | IT risks identified and quantified. Documented IT strategy and procedures. Checks on system security, data integrity, new systems testing, and backup facilities. | Informal or incomplete potential IT risk identification. Inconsistent data, inaccurate analysis, security breaches, mismanaged IT projects, or system failures. |
| Human resources risks | Documented HR strategy and procedures. Pre-employment screening. Succession planning. Proactive training policies and records. Externally funded pension liabilities. Whistle-blowing encouraged. | Limited, informal, undocumented HR policy. Inconsistently applied across business units. Key-man dependency. Industrial/employee relations problems, absenteeism, employee dishonesty, difficulty attracting and retaining personnel. Large balance sheet pension fund deficit. |
| Distribution risks | Maintains list of authorized intermediaries with documented procedures covering required expertise and culture characteristics, vetting procedures, contract terms, and authorized limits. Monitoring of activities. | Unclear identification of distribution risks. Failure consequences not quantified. History of fraud or mis-selling by company or intermediary. Delays in receipt of monies owed to company. |
| New projects and acquisitions | Risks arising from M&A, change management, and projects are identified and quantified in advance as part of standard procedures. | Possible M&A or other risks not assessed or quantified in advance. Inadequate due diligence. |
| Reputation risk | Reputation risks identified and quantified re potential sources and consequences. Crossover with other risk areas. Established crisis management procedures, including media training. | No identification or quantification of possible reputation risks. Brand damage due to previous failures of strategy, governance, systems, or controls. High customer complaint levels. |
| Outsourcing risks | Maintains list of authorized suppliers and documented procedures for contract terms and authorized limits. No exclusivity. | Limited contractual recourse. Single supplier dependence. Absence of documentation. |
| Risk learning | Robust processes to analyze loss situations and quickly adjust policies, procedures, and standards. | Limited loss analysis. Tendency to put bad experiences aside immediately. |