Early thoughts as a regulator

Ian Laughlin, Executive Member - Institute of Actuaries of Australia 17th General Insurance Seminar, Gold Coast

I grew up in the southern suburbs of Brisbane, not far from here, so when I heard where the meeting was being held, a few memories came back to me.

They don’t make ‘em like they used to.

I grew up in the southern suburbs of Brisbane, not far from here, so when I heard where the meeting was being held, a few memories came back to me. As kids we would visit the Gold Coast, and in those days the area around here was sand dunes and some old beach houses and flats – vastly different to what you see today.

And when I was 17 or 18, I had a 1934 Ford V8. Here she is:

My mates and I would often come down to the Gold Coast in the old Ford, piled in, without a care in the world. It was cheap transport and we had lots of fun.

Though we didn’t appreciate it at the time, every trip down here was a pretty risky venture: The road from Brisbane was an appalling, single lane affair, where passing another car was literally life-threatening. It was almost normal to see an accident on a trip to the Gold Coast.

And the car was not very safe at all. It had skinny cross ply tyres, brakes of fairly modest performance, and there were no seat belts, air bags or any other safety features. So in any sort of significant accident, you were probably seriously injured or dead. And of course, we thought we were kings of the road!

I was obviously aware of the financial risks though, because I recall I had third party property insurance. I remember thinking how cheap this insurance was, given the expensive cars that I could run into, so there was a latent actuary in me even then! At the time the Ford was made, safety wasn’t a high priority.

Times have changed. Technology has improved. Community expectations are much higher.

And the industry has responded.

In the car world today, they talk about primary safety and secondary safety.

• Primary safety features are intended to help avoid an accident – so they include things like brakes, steering, tyres and electronic aids like Anti-Lock Braking Systems, Stability Control systems, heads-up displays, etc.
• On the other hand, secondary safety features are there to help when an accident actually happens – so things like seat belts, air bags, crumple zones, collapsible steering columns, padded interiors etc.

Enormous progress has been made in both areas. Modern cars have vastly better steering, handling and brakes than the old Ford, and the electronic aids are a great help in avoiding accidents. And you would have much better chance of avoiding injury or death in a modern car, in the event of an accident.

There’s a parallel with the management of insurance companies.

• Risk management is akin to the car’s primary safety features.
• Capital provides the secondary safety.

As with cars, great improvements have been made in both primary and secondary safety, and improvements will continue to be made. As with cars, it’s much better to avoid the accident in the first place, and so high quality risk management is critically important to successful management of a modern insurance business.

So today I want to spend some time on the primary safety features for insurance companies: risk management. Later in the conference, there is a session on capital requirements – the secondary safety features – so I will restrict myself to some high level comments on this today.

It Ain’t Broke, so ...

Before I talk about either risk management or capital though, a few comments about ongoing change and improvement:

I occasionally hear statements like:

"Australia survived the GFC really well, so why do we need to change?"

Or

"The GFC had almost no impact on GI in Australia, so why do we need to change the capital requirements?"

I don’t buy those arguments for a minute. With that sort of thinking, we’d all be driving cars with the safety features of my old Ford.

There is always a better way, and so you should expect ongoing improvements to APRA’s regulation and supervision - in the areas of capital and risk management and elsewhere – even in benign conditions.

Recent Years

In support of that, let’s look at some of the progress that has been made over the last few years.

• Pre 2002, there were simple capital requirements for GI companies, no Financial Condition Reports (FCRs) in GI, and some industry participants argued actuaries had no role in general insurance.
• This changed in 2002, with the first risk-based capital requirements and the introduction of prudential standards, including one on risk management.
• In 2006 we introduced more comprehensive risk management requirements, including the Financial Condition Report. This included the requirement for the Appointed Actuary to sign off on the suitability and adequacy of the Risk Management Framework.
• Then the GFC occurred, and it highlighted the importance of group supervision. APRA’s prudential standards for consolidated supervision of general insurance groups (known as Level 2) became effective last year.

So you can see a history of ongoing development.

LAGIC

Which leads us to the current review of capital standards for life and general insurers – "LAGIC", as we call it. As mentioned, I will keep my comments brief here.

You might recall that one of the main drivers behind LAGIC was that we wanted to make the capital requirements more risk-sensitive – so LAGIC is another important step in the process of improvement.

As part of LAGIC we are introducing the three pillar concept. To remind you,

• Pillar 1 – quantitative requirements in relation to required capital, eligible capital and liability valuations;
• Pillar 2 – the supervisory review process which may include a supervisory adjustment to capital; and
• Pillar 3 – disclosure requirements designed to encourage market discipline.

Under Pillar 2, APRA may increase the prescribed capital determined under Pillar 1 if we are of the view that this amount does not adequately account for all of an insurer’s risks. Such an adjustment may increase the total required capital amount and/or strengthen the composition of the insurer’s capital base (i.e. the insurer may have to hold an increased proportion of higher quality capital).

As part of Pillar 2, we are also introducing ICAAP– the Individual Capital Adequacy Assessment Process.

APRA already expects insurers to have in place a process to assess their capital needs and manage their capital levels. ICAAP formalises those requirements. In particular, we want insurers to assess their own risk profile and the capital needed to support the risks they undertake, and to carry out appropriate capital projections and stress testing.

The insurer’s ICAAP is expected to go beyond the need to meet regulatory capital requirements. It should include development of appropriate internal capital targets, which reflect the insurer’s risk appetite. There should also be an adequate process for monitoring actual capital levels relative to the insurer’s own capital targets and regulatory capital levels.

The main point that I want to make here is that Pillar 2 (including ICAAP) provides a powerful tool for APRA to reflect a company’s quality of risk management in its capital requirements. Or to turn it around, subject to the lower bounds of Pillar 1, the company can influence its capital requirements through the quality of its risk management. For those companies adopting the internal model process, there is even more scope to have their capital reflect the quality of their risk management.

Either way, there is a strong incentive for the company to be very proficient at risk management.

International Developments

Before I talk about future improvements in risk management, it is worth reviewing some international developments in financial regulation.

Recent and current activities include the following:

• Basel 3 in banking, which will see revised capital requirements (amount and quality) and liquidity requirements.
• Solvency II for insurance in Europe, long in the making, which is a fundamental overhaul of capital requirements.
• UK changes in insurance regulation a few years ago.
• International Association of Insurance Supervisors (IAIS) guidance for insurance supervisors (like APRA).

There are a few points to note here:

• They all use the three pillar concept, which we have adopted for LAGIC.
• They are all moving to greater risk-sensitivity.
• They all have 1 in 200 (or similar) level of sufficiency aims.
• There is increasing alignment of capital requirements across sectors i.e. banking, life and general insurance (one of the aims of LAGIC).
• There is increasing alignment of requirements from regulator to regulator internationally.
• There is also increasing adoption of the Tier1 and Tier 2 concepts of quality of capital (as for LAGIC). 
• In some cases, the concept of formally defined capital buffers is being introduced.

So (perhaps unsurprisingly in the aftermath of the GFC), we are seeing much greater co-operation and alignment of thinking internationally and across sectors, and APRA is part of this.

APRA is an active member of the International Association of Insurance Supervisors. One of the major current initiatives of the IAIS is what they call ComFrame – a common framework for regulation of internationally active insurer groups. The intention here is that there is a consistent and co-operative approach to the regulation of insurers that operate internationally. This will influence our approach to regulation of such companies in due course.

As you may be aware, the international Financial Stability Board has been working on the concept of SIFIs – Systemically Important Financial Institutions. The intention here is that SIFIs should be subject to more intense regulatory attention and potentially higher capital requirements. So far, the focus has been on banking institutions, but increasingly there is discussion and debate about insurers as SIFIs. This is in its early stages, but we expect it will intensify over coming months. Already we are seeing arguments about how an insurance SIFI might be defined, and why insurers should or should not be considered SIFIs at all.

Note too that there is a distinction being made between global and domestic SIFIs.

So international developments are significant, and will be increasingly important in insurance regulation. Note though, that the peculiarities of local markets will always be reflected in local regulation. For example, Solvency 2 needs to take account of the markets and politics of Europe. Similarly, APRA’s requirements will be tailored to our markets and reflect our standards.

Risk Management – Now and Then

Let me now turn to improvements that we might see in risk management – in practices, in regulation and in supervision.

Risk management as a discipline, and Enterprise Risk Management as a concept have both developed enormously over recent years. There are various drivers behind this (apart from regulation), including close attention to ERM by ratings agencies and a deepening understanding that ERM is just plain, good business practice. So the thinking is fairly well-established in both a business sense and from the perspective of a regulator.

Regulation

Let’s first consider possible developments in regulation. The APRA risk management standards were last reviewed in 2006, and are quite comprehensive.

We are now working on prudential regulation of level 3 conglomerate groups across banking, GI and life insurance industries. A discussion paper on level 3 supervision was released in March this year and the consultation process on that paper ended in June. LAGIC, too, will have an impact on risk management practices (e.g. because of the impact of ICAAP). Aside from these developments, we don’t think there is any need to significantly change our regulations in the area of risk management in the short term. But as indicated earlier, you should expect ongoing improvement.

Supervision

Let’s turn now to how APRA’s risk management supervision may develop – and I make a clear distinction between regulation and supervision.

In APRA’s supervision work, Risk Management has been a core area of focus for the last eight years. In that time, our supervisory practices have evolved as the industry has worked on implementing APRA’s Risk Management requirements. In more recent times, we have conducted targeted reviews consistent with the risk profile of each insurer.

We plan to continue to develop our supervisory practices to better satisfy ourselves first that each insurer’s Risk Management Framework is robust and of high quality, and secondly that it has been well implemented and is deeply embedded in the operations of the business. This will include consideration of the engagement of senior management and the board in the company’s risk management.

Industry Practice

Lastly, let me consider possible operational improvements in Risk Management. Industry risk management practice is evolving as skills and understanding develops. It is fair to say that quality of work varies from company to company. Most companies have a well-constructed Risk Management Framework on paper but we see a number of weaknesses in implementation. To be truly effective, risk management must be embedded in the business and its culture, from the board down, and this is not always evident. So improvement is needed.

To illustrate, I’d like to focus now on one aspect of Risk Management, namely Risk Appetite.

Risk Appetite

As you know, APRA makes it clear that the board is primarily responsible for the Risk Management Framework (RMF), and it defines the Risk Management Framework quite broadly. Just to remind you, it refers to "the totality of systems, structures, processes and people within the insurer" in the context of risk management. That’s pretty comprehensive! The Risk Management Framework includes the Risk Management Strategy which must, amongst other things, set out the company’s Risk Appetite. So the board is responsible for setting the company’s Risk Appetite – in simple terms, a clear statement of the degree of risk the company is willing (and able) to take in pursuit of its goals.

Now, a well considered, clearly articulated Risk Appetite is the very foundation of sound risk management. Without this, risk management throughout the business will be carried out with unclear boundaries and expectations. So setting Risk Appetite should be top of the Risk Management list for the board. But setting Risk Appetite is much easier said than done – in fact, it is quite difficult to do well, and this is reflected in the practices we are seeing. In recent times, we have reviewed the Risk Appetite statements from a number of GI and life insurers, and spoken to a number of CEOs and boards about the engagement of the board in the Risk Appetite process.

It’s early in this exercise, but in summary, here’s what we have found so far:

• In some cases there is no clear statement of Risk Appetite, or no obvious understanding of what it actually is in concept.
• There is a wide range of approaches to articulating Risk Appetite - from short high-level statements to a few pages of detailed thoughts. This diversity is not necessarily a bad thing, but we need to better understand the practical implications of it.
• The quality of the statement of Risk Appetite ranges from poor to quite good.
• There is a lack of analysis of Risk Appetite through the use of scenario analyses, stress testing etc.
• It is not always clear that the board has been heavily engaged in setting the Risk Appetite.  In some cases there is a disconnect between the Risk Appetite statement and its translation into operational management.
• And last, with some subsidiaries or branches of foreign-owned insurers, we see an adoption of group risk management practices without necessarily full and proper engagement of local management and/or board.

You should expect that APRA will increase its focus on Risk Appetite - and its supervisory skills and expertise in this area will continue to develop. You should also expect that I personally will be taking a close interest in the engagement of boards and senior management in Risk Management and in the management of Risk Appetite.

Risk Management and Actuaries

Let’s now turn to how actuaries can help a company meet its APRA Risk Management requirements. Risk management has been at the core of the actuarial profession since its inception, so what has changed? The world has become far more complex, and risk management thinking has evolved well beyond the boundaries of traditional actuarial thinking. It is now widely acknowledged that risk management is fundamentally important for the sound management of any complex organisation, and senior management and boards have become far more engaged in Risk Management. In terms of my car analogy, there is now a good deal more emphasis on the primary safety features of the business.

The actuarial profession has a great deal to offer in the field of Risk Management, and we have seen significant improvements in the risk management of GI companies as a consequence of the involvement of actuaries in GI management. But arguably, there is potentially a lot more the profession can offer, and I know there is a session tomorrow to talk more about this. APRA already has entrusted the profession with important responsibilities beyond traditional actuarial boundaries. In particular, the FCR, including the requirement for the Appointed Actuary to sign off on the suitability and adequacy of the Risk Management Framework, is a critically important tool for both management and APRA.

Generally speaking, the General Insurance FCRs are of high quality but there is room for improvement in the risk management aspects. Here are a few observations:

• The quality of the risk management analysis and commentary tends to be weaker for smaller insurers.
• There is often no reference to the mandatory reviews of the Risk Management Framework conducted by the audit function or operationally independent persons.
• Stress testing is often not rigorous, particularly in the smaller companies.
• Target capital policy does not fully account for risks for many companies.

So, greater value could be added through current FCR work.

Let’s now look at some specific areas outside traditional actuarial risk management where actuaries could help support APRA objectives:

As discussed, management of Risk Appetite can be improved. This goes well beyond articulation – it also includes translation into tolerances for operational purposes, implementation and monitoring and reporting.

• APRA has recently introduced new remuneration requirements, that amongst other things are seeking stronger linking of remuneration with risk taken – e.g. through better understanding of capital backing business results. (Incidentally, the remuneration of actuaries themselves needs careful management under the new APRA requirements).
• The ICAAP process will need technical skills, business skills, and communication and interpretation.
• Greater use of stress testing and reverse stress testing could be done to help boards and senior management better understand the risk profile of the business, to help set Risk Appetite etc.
• APRA’s new capital requirements may require sensitivity and scenario analysis, with interpretation and communication to boards and management
• The GFC exposed the risk of over-reliance on models, and yet they remain critically important in the management of insurers. Actuaries can ensure the limitations of models are understood by management, and their outputs are kept in context, interpreted sensibly, and complemented with valuable insights and advice.
• Lastly, companies increasingly are appointing Chief Risk Officers, and such roles play a key role in meeting APRA’s requirements. Actuaries can provide important support for, or carry out such roles.

You’ll see a number of these opportunities fall into the area of primary safety.

Summary

To summarize:

• There will be ongoing improvement in APRA’s regulation and supervision. LAGIC is part of that process.
• International developments will be increasingly important in insurance regulation.
• The industry has made good progress in implementing APRA’s risk management requirements, but improvements are needed, particularly in the articulation and practical management of Risk Appetite.
• Pillar 2 (including ICAAP) provides a powerful tool for APRA to reflect a company’s quality of risk management in its capital requirements, and conversely, within limitations, the company can influence its capital requirements through the quality of its risk management.
• Actuaries play a critical role for both management and APRA in the overall risk management of GI companies, but there is significant scope for more to be done.

So I urge you to recognize the importance to APRA and the benefits to the company of high quality risk management, the ongoing need for improvement, and the opportunity for actuaries to help with this.

Closing Remarks

Let me finish now.

I’ve covered a fair bit of ground, so some of my comments have been necessarily at a high level, but I hope you have found them useful. In due course, as I become more familiar with my role at APRA, and with the GI industry, I hope I can provide you with deeper and better insights. Finally, let me leave you with this small bit of advice: Check your premium rates for 18 year-olds driving 1934 Fords – then think seriously about doubling them!