9. PM Track 3 - KPMG - Internal_Audit_of_an_Actuarial_Function_051612

Financial services

Internal audit of an actuarial functionactuarial function

KPMG LLP

High risk areas in actuarial

Financial statement risk

Model risk and control

Regulatory compliance

Economic and pricing risk

Risk managementg

Key process risk

Key person risk

End-user applications

General risks and potential areas of focus

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 36509BOS

1

Financial statement risk

Examples of risk area GAAP assumptions are inappropriately developed, used improperly or simply not refreshed

frequently enough (e.g., for life, mortality, lapse/persistency, expense and economic eque y e oug (e g , o e, o a y, apse/pe s s e cy, e pe se a d eco o cassumptions, or for P&C or health, lag factors, payment patterns, underlying expectedloss rates)

Reserve and/or DAC end-to-end processes are not well controlled from original source to ( fultimate destination leading to inaccuracies (e.g., valuation process from the admin system

data through to the GL, especially if there are manual hand-offs)

Inaccurate or uncontrolled accounting and financial reporting processes (journal entries, consolidation analytics rollforwards sources of earnings etc ) leading to inaccuracies in theconsolidation, analytics, rollforwards, sources of earnings, etc.) leading to inaccuracies in the actuarial figures

Unlocking of assumptions is not adequately controlled and documented

AG 43 i t l ti l t d t i bl iti th t b i dditi l i k d t it AG 43 is a recent regulation related to variable annuities that brings additional risks due to its complexity.


2

AG 43

Entirely new approach based on company-specific modeling

Aggregate AG 43 Reserve is greater of

The Standard Scenario Amount(Defined Deterministic Assumptions)

OR

The Conditional Tail Expectation Amount(Stochastic – Average of Worst 30% Scenarios, aka CTE 70)

Risks Not in compliance with AG 43

Inaccuracies or errors

Improperly or insufficiently documented

Lack of internal change controls Inaccuracies or errors

Lack of completeness

Subjectivity (stochastic i / h d l )

Lack of internal change controls

Available resources are not appropriately skilled or knowledgeable


3

assumptions/methodology)

Model risk and control

Examples of risk area Lack of inventory of those models being used, including information on purposes and

impact/prioritization analysis leads to a lack of understanding of key models for which a pac /p o a o a a ys s eads o a ac o u de s a d g o ey ode s o c acontrol framework should be in place

Reliance on a large number of models which do not follow a consistent governance around the development, controls or usage of those models for key decision-making and/or ffinancials

Legacy systems (internal mainframes, EUAs or commercially available) have pervasive errors that are not observed when looking at year-over-year trends

Lack of governance in the actuarial conversion process (e.g., when converting from one valuation system to another) leading to inaccurate or misleading actuarial figures under the new system

L k f d l lid ti f th th t d ’t t fi i l t t t it Lack of model validation for those that don’t support non-financial statements items (Economic Capital, Solvency II Internal Model, Cash Flow Testing, etc.)


4

What is model risk?

Models have become an increasingly important means of evaluating, analyzing and reporting key business information

As the use of models has expanded significantly in recent years, the complexity and risk of these important tools has increased

For better or worse, we are no longer in the “Keep it Simple” world when it comes to models

KPMG’s Definition:“A model is broadly defined as a process within a system that transforms data and/or assumptions into values, inferences, or information for the purpose of

Model

values, inferences, or information for the purpose of valuation or business decision making”

Model risk is viewed as the adverse financial impact caused by:

Incorrect Implementation

Misapplication

MisspecificationModel Risk


5

Model Risk

Comparison: Model validation versus model risk and control

Model validation Model risk and controlPurpose Determine the appropriateness

of model results (i.e., "does the Determine the appropriateness of risk control practices o ode esu s ( e , does e

model work”?)o s co o p ac cesgoverning model development, usage, and change control

Review approach Information component, processing component

Model inventory, risk ranking, control infrastructure riskprocessing component,

reporting componentcontrol infrastructure, risk management application

Focus areas Model results, model characteristics, results usage

Source and levels of risk around the modeling process, existence and effectiveness of controls


6

Internal model validation is a key internal model requirement

Good Practice

Assess appropriateness of modeling

Confidence in the Outputs

Provide confidence in using your internal pp p gmethods in achieving its objectives

Identify any issues or errors in your data and calculations

g ymodel to support strategic decision making and risk management

This will help with the use test

Transparency

Assumptions and limitations of the internal

Benchmark against Peers

Understand where your model sits relative fmodel are transparent to your key

stakeholders (e.g., Board, Rating Agencies and Regulators)

to your peers and prioritize areas for improvement


7

The scope of internal model validation should be wider than theextent of the model itself – Capital model example

Internal Model Governance

A ti

Example definition ofInternal Model

Typical components

Calibration Process

Calibration Data

Calculation Kernel

Capital Calculation

Method

Capital

Aggregation Process

Aggregation Data

Asset Data Accounting Data

Policy Data

Best Estimate Assumptions

Tax (if applicable)

SCR R lt

Calibration Methods

Calibration Assumptions

Capital Calculation

Assumptions

Aggregation Method

Aggregation Assumptions

Valuation Method

(if applicable)

SCR Results

IT & Systems

Economic Balance Sheet

Documentation Internal Model Reporting Internal Model P&L Attribution

Internal Model Validation Framework


8

Documentation Applicationp g

Procedures UseP&L Attribution

While risk has overall responsibility for model validation, the three lines of defense model can still be used

Validation is a key component of internal model governance and to fully understand its purpose you need to contextualize it within a governance framework

Roles and responsibilities in relation to the internal model

First line: Day-to-day business operations

Modelling team

Risk and control An established model control

environment

Assessment of model risk Roles and responsibilities in relation to the internal model can be structured to fit into the ‘3 Lines of Defense’ framework

The Risk Management function often has specific responsibilities in respect of the model:

tee

ode g tea

Risk and control

Validation processes and tools

– Designing and implementing

– Validating

– Informing the Board and senior management about

and

Aud

it C

omm

ittRisk and control Validation policy and

procedure setting

Guidance and direction

Monitoring

T h i l i

Second line: Oversight

Risk function, internalmodel committee, riskcommittee

Validation policy and procedure setting

Guidance and direction

Monitoring

Technical reviewperformance, areas for improvement and status updates of development

However, there is flexibility as to how validation is allocated to each operational team

Boa

rd a

Third line: assurance

Risk and control Challenge of model and

validation

Technical review

Validation report

Technical review

Validation report

It is important that objectivity is maintained when performing the validation

assuranceInternal Audit, Third Party

validation

Process and controls review


9

The “3 Lines of Defense” Framework

How to achieve objective validation is one area where there has beenmuch debate

There are no rules in relation to how a firm should provide for validation of the internal model

Firms can use one or more of the following approaches to achieve objectivity

Third partyfirms

InternalauditRisk

Review compliance with achieve objectivity

– Creating a validation team within risk management function

– Using experts from other parts of the business

Review compliance with requirements

Market perspective on peers Technical challenge of ?

– Using internal audit team

– Engaging third party firms

Third party firms can be used to either complement the Ri k M t F ti th I t l A dit t

Technical challenge of content ?

Objective ?

Process & Controls Risk Management Function or the Internal Audit team

What the firm chooses will depend upon the size and nature of the individual firm. The choice of who carries out the validation will need to balance the ability to establish an team internally with the right capability

Process & Controls

Numerical Review ? ?

Opinion ?an team internally with the right capabilityand cost

Opinion ?


10

Regulatory compliance

Examples of risk area Inadequate preparation and analysis for new and emerging regulatory changes (e.g., model

audit rule, principle-based approach, IFRS) which is further compounded where there are aud u e, p c p e based app oac , S) c s u e co pou ded e e e e a esignificant internal legacy models that are complex and not well documented

Lack of compliance with statutory reserving rules (including policy, dividend and claim liabilities), statutory reinsurance, tax reserving, and NAIC RBC requirements

Inadequate documentation of decisions made and rationale due to legacy decisions and low turnover at the senior actuarial level where memories are relied on more than documentation

Solvency II is leading to an enterprise wide view of risky g p

Complying with new frameworks such as NAIC ORSA


11

Solvency II: BackgroundReasons for failures and near failures

Conference

States of th

Undertaking

Lack of understanding

Lack of capital e of Insurance S

he European U

ngs. D

ecember 2

Lack of integrity around

internal processes

of technical provisions

No strategic plan

Supervisory S

enion. P

rudentia2002 (“S

harmaIneffective

Lack of limits of

and systems

8 Reasons

ervices of the Mal S

upervision oa-R

eport”)

Ineffective Chairman

DominantLack of

independent

limits of authority

Mem

ber of Insurance

Dominant role of CEOcritical analysis


12

…qualitative business issues were significant causes of failure and impairment

Solvency II: OverviewThree pillar structure of solvency II

Pillar 1 Pillar 2 Pillar 3

Capital requirements

Minimum capital Standard model

Risk management, supervision process

Internal control & risk management

Market discipline

Support of risk-based supervision through

k t h i Internal model

management market mechanisms Disclosure

Lower solvency requirements through

internal modelNew area of influence for supervisory authorities

Capital market requirements are rising

Product ratings: risk management becomesmanagement becomes

product component


13

What Risks are Generating Economic Capital?

DIVERSIFIED

ECONOMIC CAPITAL SPLITBY RISK 60%

80%

100%

0%

20%

40%

All Life General Composite Reinsurance

PRE-DIVERSIFICATION

Participants Insurance Insurancep

Market Insurance Credit Operational Other

100%

ECONOMIC CAPITAL SPLIT BYRISK

40%

60%

80%

0%

20%

All Participants

Life Insurance General Insurance

Composite Reinsurance


14

Market Insurance Credit Operational OtherSource: KPMG Survey of large international insurers.

How do Companies Use, or Plan to Use Capital Models

APPLICATION OF EC – ALLRESPONSES

60%70%80%90%

100%

0%10%20%30%40%50%60%

APPLICATION OF EC NORTH

0%Strategic decisions Pricing/underwriting

decisionsRisk management

and mitigationCapital allocation and risk appetitie

Internal and external reporting

Current Planned Don't Know

100%APPLICATION OF EC – NORTHAMERICAN COMPANIES

50%

60%

70%

80%

90%

0%

10%

20%

30%

40%

Strategic decisions Pricing/underwriting decisions

Risk management and mitigation

Capital allocation and risk appetitie

Internal and external reporting


15

decisions and mitigation and risk appetitie reporting

Current Planned Don't KnowSource: KPMG Survey of large international insurers.

Solvency II insights (continued)

Solvency II

Significant need to exercise judgment, and not just in IM approval – adequate, comprehensive, completecomprehensive, complete

Proportionality – relates to the amount of work involved, not whether you comply

There will be disagreement on points of judgment.

Implications for firms

A new operational structure, and new contacts to engage with

A change in the regulatory relationship – focused and (more) challenging A change in the regulatory relationship focused and (more) challenging

SF firms need to take heed of, and apply, IM type thinking to their projects


16

What is the NAIC ORSA?

Own Risk and Solvency Assessment (ORSA) is an internal assessment of the risks associated with an insurer’s current business plan over the planning time horizon and the sufficiency of capital resources to support those risks. The proposed effective date for the Model Law is January 1 2014Model Law is January 1, 2014.

An insurer who is subject to the NAIC ORSA requirement will be expected to file an ORSA Summary report annually or at the regulators request, to assess the adequacy of its risk management framework, current and likely future solvency position.a age e t a e o , cu e t a d e y utu e so e cy pos t o

The NAIC’s ORSA objectives:

1. To foster an effective level of enterprise risk management appropriate for the insurer’sown risksown risks.

2. To provide a group-level forward-looking perspective on risk and capital, as a supplement to the existing legal entity view.


17

Source: NAIC ORSA Manual.

Our view of U.S. ORSA

The U.S. ORSA Summary report should discuss the three major areas, at minimum:

Risk Management Demonstrate how ERM Framework principles, for managing

relevant and material risks are considered in the formulation andRisk Management Framework

relevant and material risks, are considered in the formulation and execution of the firm’s business strategy

Outline the approach for quantitative measurements of riskAssessment ofRisk Exposure

Outline the approach for quantitative measurements of risk exposure for each material risk category

Group Risk Capital and Prospective

Solvency Assessment

Overlay the qualitative elements of the firm’s risk management policy with the quantitative measures of risk exposure to determine capital needed to manage its business and over a multi-year (2 – 5) business cyclemulti-year (2 – 5) business cycle


18

Summary ORSA comparison – European SII vs. U.S. ORSA vs. FED:

European ORSA U.S. ORSA No Fed ORSA Requirement

Group BasisConsolidated Global Group not solo entity

unless regulated by Fed – standard is Basel and Fed’s own standards

Group/Solo Entity

Documented Risk Framework and clearly defined governance structure

Key Risks IdentifiedRisk appetite, tolerances and limits

Documented and appropriately approved Risk Framework including Corporate

Governance.

Requirement for a risk framework but no formal written submission. Approved risk

Documented Process and Detail Risk Framework considerations and active

involvement of board and management

Key Risks IdentifiedRisk appetite, tolerances and limits – all

assessment of emerging risksLinkage to solvency needs

Stress tests or complex stochastic analyses. Need to create an own view of capital

at the group level

RBC economic capital rating agency or other

Stress tests or complex stochastic analyses –based on macro economic factors

appetite, tolerances and limits – no requirement to link to capital needs but it is a

Fed focus and may applyORSA needs to be aligned to your risk appetite and project out your own funds

Need to perform stress testing for both economic factors and changes in risk

assumptions RBC, economic capital, rating agency or other views of capital. Group calculation is method

is not prescribed

Business Plan Capital Projection – own view of capital over the business planning cycle

No explicit business planning capital projection reporting requirement. But the annual CCAR process provides a 9 Qtr

projection on today’s numbers –Y9C Capital Reporting.

Business Plan Capital and Financial Statement Projection

Need to compare your SCR and projected own funds and understand the differences

p

Implicit USE test – expectation that it will be used in business decision making process

Annual Reporting Requirement to state regulators, more frequently if requested by

No explicit external reporting requirement, but the expectation is that appropriate annual

USE implicit but formally only through Basel II and ICAAPExplicit ORSA USE Test, internal control

requirements

Reporting Requirement is annual for the ORSA or if there is a material change


19

regulators reviews are performed.ORSA or if there is a material change

Economic and pricing risk

Examples of risk area Pricing is not consistent with governance around the pricing process due to resource

constraints, time pressures or lack of governance protocolsco s a s, e p essu es o ac o go e a ce p o oco s

Assumptions are inappropriately developed, used improperly or simply not refreshed frequently enough (e.g., mortality, persistency, annuitization and economic assumptions)

Inappropriate treatment of different classes of policyholders in pricing and experience Inappropriate treatment of different classes of policyholders in pricing and experience adjustments

Inaccurate or uncontrolled analytics and implementation of experience adjustments (e.g., investment, mortality) in participating productsy) p p g p

Analytics that are not adequate to assess the true economic risk at time of decision as well as tracking after decision has been made potentially leading to economic (and financial reporting related) surprises later on

Lack of feedback loop on actual performance vs. pricing objectives.


20

Price governance and risk created by insurance pricing cycles

Balance sheet and income statement risk for Property/Casualty companies stems in large part from pricing risk. Effective price governance helps manage this risk

The importance of price monitoring on accurate financial reporting is underscored byThe importance of price monitoring on accurate financial reporting is underscored by Sarbanes-Oxley compliance, Lloyds requirements, and is often discussed by rating agencies

Integration of price governance with corporate planning is key for setting appropriate plans and objectives and setting goals to achieve them

Integration of price governance with underwriting strategy is key for accomplishment of underwriting objectives

Price governance for Life & Annuity companies challenging due to the long term nature of g y p g g gsome products and potential inability to re-price.


21

Historical Loss Ratio Results: Recorded at 12 Months Compared to Ultimate at 12/31/2011

1.51.71.92.1

Industry Reinsurance B ex Munich Re & Gen Re

80%

90%

100%Industry Commercial Auto Liability

0.30.50.70.91.11.3

7 9 1 3 5 7 9 1 3 5 7 9 1

50%

60%

70%

80%

7 9 1 3 5 7 9 1 3 5 7 9 1

198

198

199

199

199

199

199

200

200

200

200

200

201

198

198

199

199

199

199

199

200

200

200

200

200

201

90%

100%Industry Workers' Compensation

100%

110%Industry General Liability Combined

60%

70%

80%

90%

60%

70%

80%

90%

100%

50%

1987

1989

1991

1993

1995

1997

1999

2001

2003

2005

2007

2009

2011

50%

1987

1989

1991

1993

1995

1997

1999

2001

2003

2005

2007

2009

2011

Reported Loss & DCC Ratio 12 months Reported Loss & DCC Ratio @ Latest


22

Source: SNL Financial composite Schedule P.

Climbing the continuum: Various stages of price monitoring capabilities in P&C insurance

Reconciling Price Monitoring Data to Financial Systems

Measuring and Acting in Real Time

Automating Data Feeds from Policy Systems

Capturing Changes in Classifications

Capturing Other Changes in Terms and Conditions

Capturing Changes in Limits, Deductibles, Term

Basic Monitoring of Renewal Price Changes

Establishing a Standard Benchmark to Measure New Business


23

Climbing the Price Monitoring Pyramid!

Personal auto liability – Frequency Trend vs. Loss Ratio

Personal Auto Liability Loss Ratio

Loss ratio tends to follow frequency trends as companies respond to changes only after a lag. As frequency trend has turned up, so have Personal Auto loss ratio.

80

85

90y

70

75

0.89

0.94

0.99

Cumulative Frequency

0.74

0.79

0.84


24

Sources: Personal Auto frequency trend is compiled from various industry participants. Personal Auto loss ratio is from Schedule P for the aggregate industry from Highline Data Services

BI trend industry benchmarks – Frequency to EP

105%

BI Frequency Trends – Indexed from 2002

90%

95%

100%

105%

Co. A

70%

75%

80%

85% Co. B

Co. C

Co. D

Composite

60%

65%

70%


25

Sources: Company data

Sources of change in price adequacy

Changes in use of credits

Changes in quality of risk/underwriting quality

Changes in distribution of business by class/product/line/coverage

Changes in policy terms and conditions

New vs. renewal mix of business

Changes in reinsurance usage impacting net lines

Changes in the external environment:

– Judicial, court decisions, legislative, and regulatory

Changes in economic trends such as inflation.

Changes in policyholder behaviorg p y


26

Risk management

Examples of risk area Ineffective or uncontrolled risk management around mortality and policyholder behavior

ALM process not robust or timely enough to capture emerging trends and react quickly

Complex equity-based products and hedging strategies

Lack of harmonization of actuarial risk management methods, formal or informal, with the gbroader enterprise-wide risk management structure and quantifications

Keeping the ERM Process to industry standards


27

Industry observations

The principles of risk governance are reasonably well established, but application varies widely.

Ri k G

Common PracticeERM Component

Risk Governance

Risk appetite policies are maturing but in many cases are not yet fully integrated into planning and strategy. Board involvement in setting policies varies considerably across the industry.Risk Appetite PolicyRisk Appetite Policy

Measurement of major individual risks (e.g., catastrophes, lapse risk) is well established.

Other risks remain difficult to measure (e.g., operational risk).Risk Measurement

Aggregation of risks into a complete view of required capital is new or emerging for leading insurers and aspirational for many others. Many companies default to factor based methods.Risk Aggregation

Risk reporting is increasingly important as insurers move from prototype to business as usual reporting.

Efficient use of existing management reports and developing additional risk analytics where gaps Risk Reporting


28

exist are common priorities.

Key process risk

Examples of risk area Lack of robust process around areas of actuarial judgment leading to an uncontrolled

environment (e.g., assumption-setting practices for pricing or financial statement items) e o e (e g , assu p o se g p ac ces o p c g o a c a s a e e e s)

End-to-end processes are not well controlled from original source to ultimate destination leading to inaccuracies (e.g., valuation process from the admin system data through to the GL – considering automated vs. manual hand-offs along the way)

Inaccurate or uncontrolled accounting and financial reporting processes (journal entries, consolidation, analytics, rollforwards, sources of earnings, etc.) leading to inaccuracies in the actuarial figures


29

Key person risk

Examples of risk area Resources not aligned with or focused on the priority risks leading to inherent issues across-

the-board (e.g., too many actuarial hours spent processing and not enough time spent e boa d (e g , oo a y ac ua a ou s spe p ocess g a d o e oug e speanalyzing)

Over-reliance on a few key individuals leads to issues when key individuals are otherwise compromised from performing their tasks

Reorganizations or frequent turn-over by choice or otherwise (e.g., actuarial student rotations) leads to a lack of comfort with those items being prepared

Over-reliance on third parties due to resource or other constraints leading to a compromised p g pcontrol environment


30

End-user applications

Examples of risk area No control over end-user applications in terms of change management and documentation

may lead to incorrect decision-making and/or financialsay ead o co ec dec s o a g a d/o a c a s

Lack of understanding of the extent of dependency on EUAs may be an indicator of a risk as these are used frequently by actuarial areas, often without rigorous controls in place

EUAs prepared to support quick decision-making without robust governance around the EUAs prepared to support quick decision-making without robust governance around the development and sign-off protocols of the EUA (e.g., M&A activities or reinsurance decisions)


31

General risks for internal audit

Data

– Policyholder data is inaccurate, incomplete or improperly coded

Control Activities– Control Activities

Reconcile total to independent source

Review system generated control reports

Review of change control procedures (e.g. admin systems)

Assumptions Setting

– Coded assumptions are incorrect or inconsistent with recent or anticipated experience

– Assumptions not in compliance with AG 43; not adequately justified/documented

– Scenarios not in compliance with AAA recommendations; not adequately justified

– Improper coding/mapping of funds in the system/modelsImproper coding/mapping of funds in the system/models

– Poor choice of economic scenarios

Management Estimates

Lack of robust process around development of estimates


32

– Lack of robust process around development of estimates

Potential focus areas for internal audit

Risk and Model Assessments

– Comprehensive Risk Assessment

– Model Risk and Control Broadly or Valuation-Specific

– Model Validations for identified financial statement items or other key decision-making models

Process/Control-Focused Reviews

– Comprehensive Review of Targeted Process(es) on a Staggered Basis (e.g., Pricing, reserving, product management, assumption-setting, financial reporting, etc.)

Product-Focused Reviews

– New Products – pricing to Valuation to Model Set-Up

Comprehensive Review by Product/Department on a Staggered Basis (as part of– Comprehensive Review by Product/Department on a Staggered Basis (as part ofgood governance)


33


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

9. PM Track 3 - KPMG - Internal_Audit_of_an_Actuarial_Function_051612

Documents

kpmg international cooperative

reported loss

ultimate destination leading

financial reporting processes

large international insurers

risk management function

admin system data

internal model validation