Actuarial Data

The new modelling

Data is the new modelling. That is, it’s where all the sexy stuff is going to be over the next few years. Over the last few years, in the insurance industry at least, modelling has been where its at. Driven largely by Solvency II, a huge amount of effort has gone into building and, now, validating, hugely complex financial models.

But now, in the insurance industry as well as others, data is coming to the fore. After all, what is a model without data? And, as we all know, Garbage In, Garbage Out is one of the fundamental tenets of computing. The FSA has pointed out that data is a key area for the successful introduction of Solvency II and has produced a scoping tool that will help them assess a firm’s data management processes.

And it’s not only Solvency II. At GIRO last week there was an interesting debate over whether telematics will be at the heart of personal motor insurance in ten years’ time. The thing about telematics is that it produces large quantities of data. With the Test Achats case meaning that gender won’t be able to be used as a rating factor, insurers are going to be looking for other ways of coming up with premiums, and other factors they can take into account. The thing about gender, of course, is that it doesn’t take much data. It’s just a single bit in the database. Other rating factors may have more predictive power, but it’s harder to get at them.

We’re seeing this everywhere, though. As computers continue to get more powerful, and data storage gets ever cheaper (how big is the disk drive on your laptop? — even my phone has 16GB), doing things the rough and ready way with only limited data has fewer and fewer advantages. Big data is becoming mainstream: look at Google, for instance. And why did HP buy Autonomy?

You mark my words, a change is gonna come.

Old site

Justify your results

At the recent GIRO conference, Rob Curtis from the FSA drew our attention to the recent consultation paper: CP06/16: Prudential changes for insurers. The part that made me prick up my ears was the following:

The written record of a firm’s individual capital assessment, as carried out in accordance with Sub-Principle 1 submitted by the firm to the FSA must:

  1. in relation to the assessment comparable to a 99.5% probability over a one year timeframe that the value of assets exceeds the value of liabilities, document the reasoning and judgements underlying that assessment and, in particular, justify:
  2. (a) the assumptions used;
    (b) the appropriateness of the methodology used; and
    (c) the results of the assessment.

  3. identify the major differences between that assessment and any other assessments carried out by the firm using a different probability measure.

It’s 1 (c) that caught my attention, of course. I’ve written elsewhere about what you have to do to believe the results of your models: you have to be able to trace the results back to model specification, data and parameters. This means having good audit trails, thorough testing (and records of those tests) and effective version control.

Notes Old site

The FSA and risk based capital

The FSA has published proposals for a new framework for risk-based capital rquirements for both life and non-life insurers. Although the details of the calulations differ, the overall structure is the same for both types. The proposals were issued in July and August 2003; the consulation period ends on 30th November 2003.

General framework

Insurers will be required to hold the higher of:

Minimum Capital Requirement (MCR)
as set out in EU directives
Enhanced Capital Requirement (ECR)
a more risk sensitive calculation specified by the FSA

The ECR calculations are obviously different for life and non-life insurers. However, for both types the calculations make various industry-wide assumptions that may not be met by individual firms, whose risk profiles may be different from the average. The FSA proposes to take these differences into account through the Individual Capital Adequacy Standards (ICAS) mechanism. They say that ICAS will

  • mean that firms will hold capital more appropriate to their business and control risks
  • emphasise the responsibility of senior management for ensuring that firms have adequate financial resources
  • Provide incentives for better risk management

ICAS will operate through Individual Capital Guidance (ICG). The ICG will usually be at or above ECR, and will be affected by whether firms’ risk assessment processes follow all the FSA’s guidance. The ARROW assessments will be a major input.

Although ICG is only guidance, firms will be expected to notify the FSA if capital falls below the ICG level. In addition, firm that fail to meeet the ICG will be expected to set out a plan to restore adequate capital.

Notes Old site

ARROW risk assessment framework

The FSA has developed the ARROW risk assessment framework with the following objectives:

  • Help FSA meet its statutory objectives by focusing on key risks
  • Influence resource allocation to make efficient and effective use of limited resources
  • Use appropriate regulatory tools to deal with risks or issues
  • Undertake proportionally more work on a thematic (or cross-sectional) basis

ARROW stands for Advanced Risk Response Operating frameWork: a bit contrived, but we get the picture.

Firms are assigned to one of four supervision categories, based on the risk they pose to the FSA’s objectives, as perceived by the FSA. The ARROW framework describes how the FSA assesses the risk. Although the requirements are the same for all firms, the level of the FSA’s involvement depends on the supervision category. Firms in category A can expect a close and continuous relationship; those in category D can expect little or no individual contact.

An extremely important aspect of the whole regulatory approach of the FSA is that only the risks to the FSA’s objectives are considered. These objectives are concerned with market confidence, public awareness, consumer protection and the reduction of financial crime. Risks to shareholder value, for example, do not explicitly concern the FSA.

The FSA assesses the risk that a firm poses to its objectives by considering the impact and
probability separately. The unit of assessment may be the individual firm, or a business unit consisting of several firms (in large groups) or within a firm.

The impact assessment depends on the size of the firm, and is expressed as high, medium high, medium low, or low. The size of the firm is measured by premium income, assets/liabilities, funds under management, annual turnover, or other similar measures, depending on the firm’s sector.

The probability assessment is performed on a firm by firm basis, by considering each element in a matrix of risks. The thoroughness of the probability assessment depends on the impact rating of the firm. Low impact firms won’t be assessed individually; high impact firms will be assessed in great detail, with visits from the FSA; those in the middle will get desk-based assessments.

After performing the probability assessment, the FSA develops a risk mitigation programme (RMP) for the firm. The RMP will use a selection of regulatory tools intended to reduce the risks that have been flagged as requiring action. Usually, this means that the firm has to take some action: produce and implement a plan for introducing a risk management process, for example.

Notes Old site

The FSA and operational risk

The FSA has produced several documents that are concerned with operational risk, and others that are concerned with systems and controls.

The FSA sometimes distinguishes between operational risk (as part of business risk) and control risk and sometimes doesn’t. For example, the guidance was originally intended to be part of a separate module, PROR, and was presented as such in CP97. However, the guidance was completely rewritten, and moved into the systems and controls module (SYSC), in CP142.

Further guidance on operational risk is contained in PS97_115, a policy statement issued after feedback on CP97 and CP115, and in PS140, a policy statement issued after feedback on CP140. PS140 applies to insurers, friendly societies, and Lloyd’s.

Operational risk is also mentioned in several of the documents in the “Building a New Regulator” series. These documents set out the overall approach of the FSA, and describe their risk framework and regulatory processes.

A report on how firms are going about the business of introducing operational risk management systems, “Building a framework for operational risk management: the FSA’s observations”, was published in July 2003. It contains useful information on good practices.

The FSA’s new structure for capital requirements, based on the calculated ECR (Enhanced Capital Requirement) which is then modified by the ICG (Individual Capital Guidance), as discussed in CP190 and CP195, means that operational risk will affect the capital that firms need. This will be through the ICG, which although it takes the ECR into account is also influenced by the systems and controls that firms have in place. The FSA say:

The more firms are able to demonstrate that their risk assessment processes capture and quantify all of the issues in our guidance, then the lower we are likely to assess their ICG (and vice versa). This provides an incentive for good risk management.


The following external links are relevant:

Notes Old site

Future regulation of insurance briefing

The FSA held a half-day briefing on The future regulation of insurance on 4th December 2002. Nearly 200 people attended, from a variety of organisations: insurance companies, banks, building societies, solicitors, accountants and other consultants.

The main points concerning risk management to emerge from the briefing were:

  • Risk Management Framework
  • Senior Management Responsibility
  • Proportionality

See below for further details.

The briefing was chaired by John Tiner, recovering from a bout of flu. Instead of giving a presentation, he confined himself to introducing the speakers and responding to points made by them and from the floor. There were five speakers, whose topics and main points were:

David Strachan
Director of the Insurance Firms Division at the FSA
What does the Tiner Project mean for you?
If insurance firms have not yet done so, they should urgently review their operations, systems and controls. Proportionality is important: although their risk management processes and framework should be comprehensive, their complexity should depend on the size and complexity of the firm and the risks it faces. The ultimate responsibility of senior management cannot be delegated, whether within the firm or through outsourcing arrangements.
Richard Harvey
Group Chief Executive, Aviva plc
An insurer’s perspective
Things have changed a lot since pre-FSA days. There is a big learning curve for both the regulated and the regulator. There are enormous demands on management time: about 70 or 80 senior management meetings a year. The hope is that the confidence and trust built up will lead to a lower level of intervention in the future. There are a number of issues about the relationship between the FSA and the regulated firms that must be resolved.
Bill Lowe
Prudential Standards Division, FSA
The Role of the Risk Review Team
The risk review department supports all the regulatory and supervisory teams in the FSA. In particular it is heavily involved in visits to regulated firms, both the general discovery (ARROW) visits and themed visits. Several areas of concern have been identified from the visits undertaken so far, including outsourcing, documentation, delegation by senior management, business continuity planning and stress and scenario testing.
Andrew Campbell-Hart
Grey Panther, FSA
Emerging risks in the industry
Grey panthers are apparently not predators, but are there to build bridges between industry and the FSA, and between the promulgation and application of policy. They also support the line supervisors, and provide international contacts and experience. There are four economic drivers that will result in major challenges of the next decade, and appropriate regulation can help to balance the forces.
Mary Francis
Director General, ABI
The future regulation of insurance: considerations for firms
The FSA has a huge task, integrating nine regulators and their rulebooks during the worst market conditions for a quarter of a century and as international developments are changing rapidly (Basel, IAS, EU). It is important that regulatory creep is minimised: don’t go too far towards protecting people from risk rather than educating them to understand it and take responsibility for themselves.

Risk Management Framework

• If insurance firms haven’t started already, they should urgently review their operations.
• However elaborate the risk management framework (see proportionality), it must be comprehensive. It must cover the full range of risks in an integrated manner, not just insurance risk.
• The risk assessments that have been performed so far have shown some examples of good practice, but overall there are some significant question marks. Risk management frameworks have not always been integrated over the whole firm, or presented a coherenct picture, even when some risks have been identified.
• Good controls and compliance culture should lead to less crystalisation of risk and hence less regulatory intervention.
• Risk assessment should be integrated over the whole firm. Operational risk are currently handled poorly, with not enough data collection.
• There is a definite trade-off: good controls will lead to less intrusive regulation, but firms must deliver on their side of the bargain.

Senior Management Responsibility

• Senior management must take responsibility for risk management.
• Boards and senior management should read the report, The future regulation of insurance: A progress report, which sets out the regulatory agenda for the next few years.
• Management responsibilities should be clearly defined and documented, not only for risk issues but for other responsibilities too. There should be a clear view of the risk appetite of the firm, which should be communicated to all levels.
• Outsourcing is a key issue. Senior management remains responsible and should ensure that they get the requisite information from the outsourcer.
• In the risk assessment exercise, the FSA can tell a great deal by looking at the risk pack that goes to members of the board: Is there one? Does it cover key risks in an accessible manner?
• The inability to demonstrate proper control of outsourcing, and poor disciplines over delegation, are major areas of concern. Senior management cannot opt out of their regulatory obligations.


• Insurance firms themselves must implement a more efficient approach to managing risk. Costs must outweigh benefits.
• Firms needn’t necessarily have an elaborate framework for risk management. It should depend on the size and complexity of the firm and the risks they face.
• There should be a genuinely risk-based approach to internal audit: higher risk areas should be looked at more frequently.
Notes Old site

Financial Services Authority

The Financial Services Authority is the single statutory regulator in the UK responsible for regulating deposit-taking, insurance and investment business. It assumed its full powers on 2nd December 2001 (N2).

The FSA practices risk-based regulation. It has four statutory objectives, and tries to manage the risk to those objectives. The objectives are:

Market confidence
Maintaining confidence in the financial system;
Public awareness
Promoting public understanding of the financial system;
Consumer protection
Securing the appropriate degree of protection for consumers;
Reduction of financial crime
Reducing the extent to which it is possible for a business carried on by a regulated person to be used for a purpose connected with financial crime.

Regulated firms are expected to have frameworks in place to manage the risks to the FSA’s objectives. They may manage other risks too, of course, such as risks to shareholder value.

The FSA assesses the risk category of its regulated firms by looking at impact (essentially measured by the size of the firm) and the probability of a risk crystalising, based on its risk management framework, compliance culture, and systems and controls. The level of supervision depends on a combination of these two factors, of which impact appears to have the greater effect: the smallest firms will not receive heavy supervision however bad their practices.

The FSA emphasises that the aim is not a zero-failure regime. The belief is that a small number of low impact failures will not materially affect the statutory objectives: a single high impact failure would be much more significant.


The following external links are relevant: