News
Fit for purpose - 2010-01-04
Internal models are coming to the fore, but there's no point having sophisticated systems if they aren't practical enough to be used by your staff. David Roberts helps shed some light on proceedings.
General insurers and reinsurers are looking to risk assessment models to ensure that poorly understood risks don't threaten the survival of individual companies or the industry as a whole. It comes in the face of Solvency II, other capital restraints and an increased focus on risk-assessed capital management, following the failure to assess systemic risk in the banking sector.
This combination of events has also created a higher set of hurdles as to what is acceptable risk assessment and what is not. So what does this mean in practice? Solving the problem by buying a big risk assessment model that nobody understands and probably won't use surely isn't the right way to go - isn't that what got the banks into trouble in the first place? There is no commercial or regulatory value in risk assessment models if they are not used. They must be practical and proportionate.
The challenge is to come up with a better process, not to buy another product. In addition, rather than pursuing a "big bang" approach, a better response to the multiplicity of challenges is to break down the tasks involved in risk assessment and management and define the project so that it can move forward incrementally. As progress is made the benefits will accrue, with more control and understanding gained as lessons are learned.
Although Solvency II is a large factor, the real issue is improving the quality of business while producing regulatory value as a by-product.
Building and testing an internal model that can be approved by the FSA for capital requirement modelling purposes is not easy and takes a long time.
Models need to reflect the reality of an insurer's business, and as such might be highly complex, with a considerable number of inputs and outputs. In Annex A to its recent consultation paper, CEIOPS (the umbrella body for European insurance and pensions regulators) lists no less than 37 example uses of an internal model. While many insurers will not wish to build and use a model capable of delivering meaningful output addressing all 37, managing an insurance carrier does require most of the example uses to be addressed somehow.
Models must also comply with the approval standards set out by CEIOPS, which are: the use test; statistical quality standards; calibration standards; profit and loss attribution; validation standards; and documentation standards. The use test is the key hurdle to be cleared in obtaining model approval. Without this, regulatory capital will be calculated according to a standard formula, which appears likely to result in a materially higher capital requirement than is presently the case.
To what extent do you do this already? FSA-regulated insurers already prepare an ICA that covers the key risks in the business, and values those risks in terms of capital required to be held. It is common for the ICA to be focused very much on the agreement of the capital requirement, and not to be used to any significant extent in other aspects of managing the business.
Some insurers have embraced ERM concepts more fully, and it is an implicit part of such an approach that management of the risks dealt with in the ICA is integrated with normal management and operational processes.
The use test
In practice, the use test poses the following challenge to an insurer's management; if you don't trust your internal model enough to use it in the management of your business, why should the regulator trust it in determining the capital requirements for the business?
Use of your internal model in business-critical functions will, to a material extent, validate the model from a regulatory perspective. In this context, the model should be widely used and play an important role in the conduct of regular business, particularly in risk management.
The expectation is that the model will inform real decision-making.
To pass the use test, management will have to be able to tick the boxes on the specific aspects of use defined by the regulator, some of which are outlined above. However, that will impose stress on the whole process. The model must serve all those various masters and therefore it must be comprehensive, but at the same time it cannot be too complex.
Otherwise, in practice it will be too difficult for management to really understand, and difficult to actually use in practice. It must deal with the sometimes complicated realities of business and be technically robust, but it cannot be a "black box" solution provided by a third party. It must reflect all the significant business drivers and be responsive to changing circumstances, but also be genuinely usable by management.
In short, your whole approach to building a model for use and approval needs to be designed to produce incremental gains along the way, and to be focused on how you will actually use it. Otherwise, you risk committing huge expenditure to a project that does not give you what you need.
Criteria for model assessment
CEIOPS has recommended a principles-based assessment approach. Some of the principles are self-evident; however, in some cases they merit further consideration:
Senior management shall be able to demonstrate understanding of the internal model
The underlying thrust of regulatory concern in this area is that there is real devil in the detail. Without wishing to impugn the intellectual ability or business understanding of senior management groups throughout the industry, I would suggest that the above alone represents a pretty strong argument for internal models being at the simple end of the spectrum. A "black box" approach is simply not going to work.
The internal model shall fit the business model
All too often the feedback aspect during model development is not integrated into the whole process, but is rather ad hoc and driven by the need to solve problems as they arise. To satisfy this aspect of the use test, the output of the internal model will have to be consistent with the calculation of technical reserves; reconcile itself to internal and external financial reporting; and be comparable with the profit and loss attribution (the causes and sources of profit and loss analysed across categories of risks).
The internal model shall be widely integrated with the risk management system
This means that the internal model must actually be used in the risk management system, including in areas such as risk quantification and ranking - specifically including diversification effects - and in formulating risk strategies, including risk appetite and mitigation, arising from risk quantification and ranking. Internal model outputs should be used to formulate risk limits; and the outputs should also be reflected in risk-focused reports used in the management (at different levels) of the business.
The internal model shall be used to support and verify decision-making
The key points in this respect are that internal models should provide information that allows management to assess the expected results arising from decisions they are considering. As such, internal models should be used in the decision-making process, including for the setting of business and risk strategy, and be regularly discussed in the relevant risk forums and at board level. This does not mean that management should simply follow the output of the internal model; rather, management must bring to bear all the understanding summarised under the first principle described above and tailor decisions accordingly. Coowing reasons for ruling in favour of reinsurers:
David Roberts is a partner in Littlejohn's Financial Services division. He can be contacted by telephone: 020 7516 2251, or by e-mail: droberts@littlejohnllp.com
This article was first published in Insider Quarterly, Winter 2009.
