Hostname: page-component-745bb68f8f-cphqk Total loading time: 0 Render date: 2025-02-07T00:28:20.007Z Has data issue: false hasContentIssue false
  • English
  • Français

Investigating risk reporting practices in the global insurance industry ‐ Abstract of the London Discussion

Published online by Cambridge University Press:  17 April 2014

Paul Klumpes
Rights & Permissions [Opens in a new window]

Abstract

This abstract relates to the following paper: KlumpesP., KumarA. and DubeyR.Investigating risk reporting practices in the global insurance industry ‐ Abstract of the London Discussion. British Actuarial Journal, doi: 10.1017/S1357321714000087

Type
Sessional meetings: papers and abstracts of discussions
Information
British Actuarial Journal , Volume 19 , Issue 3 , September 2014 , pp. 728 - 746
Copyright
© Institute and Faculty of Actuaries 2014 

The Chairman (Mr E. M. Varnell, F.I.A.): A very warm welcome to all of you here for tonight’s discussion of investigating risk reporting practices in the global insurance industry. I should now like to hand over to Professor Paul Klumpes, who is going to present the paper.

Professor P. J. M. Klumpes, H.F.I.A.: I am an Honorary Fellow of the Institute of Actuaries. I am very pleased to be here. Ravi Dubey is in South Africa at the moment and Abhishek Kumar is in Singapore. We also have Tracey Zalk, our research assistant, whom I have asked to attend.

In terms of the presentation, I am just going to go through the highlights. There is a lot of detail. Much of the work that we did was what we call content analysis – looking at annual reports of insurance firms. I will also talk briefly about the internal reporting survey which we administered to a group of chief risk officers (CROs), and then the conclusions and recommendations.

In terms of the project, we started a couple of years ago and a lot of people contributed to this working party. The terms of reference were to look at risk reporting in the insurance sector and we delineated three stakeholder perspectives on risk reporting: shareholder, managing the business (internal), and regulatory.

Many people were also interested in looking at investments, pension funds, and so forth, but we just could not do everything. So we decided to focus on insurers. Again, because of the limited time available, we focused on the largest insurers. Then we benchmarked to those from the US and the Asia-Pacific region.

Our focus was on current practices but we also looked at trends over time. We tried to think about analysing this by focusing on insurance. There is something very special about insurance that requires it to be analysed in a particular way, so we went to a lot of effort to do that.

There was much uncertainty within the working party as to what were the relevant frameworks. Some of the frameworks were about incentives of management to report. Some of it was about corporate governance. Some of it was about accounting and some of it was about disclosure. The working paper discusses all of those frameworks.

In terms of the issues, we started with the Walker Report: a narrative discussion about risk reporting as an issue mostly for banking. There is a brief discussion in the paper about banking-related risk reporting, which you can read at your leisure.

The other aspect on which we focused was insurance as being a regulated industry. You have credit rating agencies, investors, and regulators who chime in with their own views about risk. You also have internal issues: a lot of risks which are inherent to the business rather than necessarily like a business risk that is diversified away. Management incentives come in through such idiosyncratic risks.

We also tried to think about risk management as a process. We started worrying about much which is mandated in risk reporting, such as ticking boxes and, as an auditor, checking compliance with regulation. That is, whether risk is there, as opposed to why and how well it was managed, and whether it was managed internally or externally.

We thought about that and also, in the regulatory world of risk, how important is reporting? A lot of risks are partially internally generated as part of the conversation you have with the regulator. It is not just an accounting ratio: you actually disclose strategic risks related to your own business model. This is very controversial in banking.

We looked at external reporting but we also went inside the business and asked about internal risk communications, such as the things about which actuaries worry, and their communication with other people inside the firm.

In terms of the information flow, you have four different boxes. We think about the insurance companies at the centre. Managers concerns may be primarily oriented towards future cash flow. Regulators may be more concerned about the value at risk in terms of regulatory assets. Capital providers may be primarily interested in earnings at risk.

We did not fully address sustainability, or the reporting of corporate social responsibility, which is an emerging area, as we did not have time to address that in this paper. It was briefly analysed within the “managing the business” risk reporting perspective.

In terms of different frameworks about risk reporting, one is about incentives. If a firm has no fraud then this is good news and the firm will want to disclose the position fully. Indeed, if the firm does not disclose in that situation, it will be marked down. Such disclosure is a signalling story.

On the other hand we have instrumentalism, where AIG or a government-taken-over insurer discloses either because they have to or because they want to be visible.

Then there is an ugly story which says there is no correlation, in fact a negative correlation, between how much risk is borne by the organisation and what is disclosed. I suppose, in a way, you can think about Enron and consider to what extent was risk information disseminated to the investors in a way which was misleading?

There is also the issue of effectiveness of reporting: many of these documents are very large.

Corporate governance: there are different theories about corporate governance. Is it shareholder-orientated, as in the US, or is it stakeholder orientated, such as in Germany, where firms have to deal with multiple boards? Or is it something else?

There are different ways of classifying risks. We note that there is the COSO framework, which is not that well specified, but which distinguishes primarily between inherent risk and management risk, and then briefly defines certain other types of financial risk.

Risk reporting is multi-dimensional in nature, e.g. firms need to comply with requirements set out by EU directives, accounting rules and the proposed Solvency II-based pillar III disclosures, which will, presumably, be equivalent to those already reported by banks under the Basel II capital adequacy regulations. Firms that raise capital in the US must also comply with SEC rules to discuss various risks in the annual report Form 10K in the “management discussion and analysis section”.

The prior literature on risk reporting is extensive but mostly ignores the insurance sector. The only consistent finding in this literature is that firm size determines risk reporting, i.e. the larger the firm is (e.g. in terms of sales or assets), the more risks they have and therefore the more risks they disclose. That is not a particularly exciting finding!

Horing & Grundl (2011) is the only prior published paper of which we are aware that specifically focuses on risk reporting by European insurers. Their content analysis was the self-selected construction of an index, based on 1–45. They identified six types of risk categories: insurance, credit, market, liquidity, operational, and “other”, and then they ranked firms on the extent to which they disclosed information related to these risks, based on a “content analysis” of the annual reports of 31 EU insurers from 2005 to 2009. They found that disclosure quality is positively related to firm size and profitability.

There were a number of issues with this research. First, they did not focus on “soft risks”, which Kelliher et al. (2012) said were important for actuaries working in the insurance industry, e.g. exposure to strategy, frictional, and aggregation types of risks.

Second, they only focused on risk identification, and not necessarily on how well the risk was managed.

Third, their content analysis was motivated by an agency-based conceptual framework of reporting, i.e. risk disclosures that help ameliorate conflicts between shareholders and firm managers. We feel that a stakeholder perspective is more appropriate: by distinguishing different perspectives on risk reporting for external stakeholders such as shareholders, internal stakeholders such as managers of the business, and key gatekeepers such as regulators.

Finally, their analysis of risk reporting quality seemed highly correlated with the degree of quantitative disclosures (e.g. value at risk), and it is not clear how much of that is compliance driven rather than a narrative and/or voluntary discussion of risks by management.

Certainly, in the area of cyber security, and areas of strategic risk, one would look for disclosures such as “We had a failure and we had a business continuity plan” or “we did not” or “we fixed it up”. Such soft disclosures need not be reported at present in the EU.

Our paper initially replicated the approach used in the prior research by Horing & Grundl (2011) but our content was updated to cover 2006–2012, and used more refined sample selection criteria, by focusing on the largest global firms. The advantage of this was to examine the effects of the financial crisis on financial reporting quality, and to avoid the problem of “size” dominating findings through the use of a stratified sampling approach.

Our content analysis involved reviewing all the annual reports issued by all firms in our sample, year by year. Obviously, we focused only on annual reports in the public domain so we downloaded these from the investor relations part of each firm’s website. Our sample selection was based only on top 25 global leaders, which are shareholder-based firms. Many specialist insurers are private firms that are not listed or are subsidiaries of other firms, and are therefore excluded. We also conducted the analysis yearly over a considerable length of time, i.e. before, during, and after the crisis, to see how practices evolved. However, due to time constraints, we have not yet analysed the determinants of disclosure quality, i.e. size or profitability of the firm.

Our “stakeholder theory” approach also differs from the prior research, which is motivated by an alternative “agency theory” and therefore only analyses risk disclosures to shareholders.

By contrast, we recognise that there are other users, such as capital providers and other constituents, who also use the annual reporting process to assess risk.

Regulators are worried about downside risk.

Also, there are private conversations between managers and shareholders (and others) about what kind of risks were sustained by the firm, and to what extent were such risks “idiosyncratic”, as a result of strategy choices, as opposed to a financial risk that has to be disclosed to meet an accounting requirement. That leads us to a third perspective.

We constructed three separate sets of disclosure indices. We first replicated the Horing & Grundl (2011) content analysis, details of which are outlined in their paper. This was repeated on a year-by-year basis, and then subtotalled to derive an overall average disclosure score out of 45.

Second, we reclassified the risk categories identified in Horing & Grundl (2011) with additional ones using the Kelliher et al. approach.

In addition to using alternative risk classification systems, we also recalibrated the score weightings to increase the relative importance of soft risks.

The difference between the two disclosure indices is that the Horing & Grundel (2011) approach identifies only those risk categories that are classified by the CRO forum and the Basel Committee. This classification system identifies, first, market-related risks, as well as credit risks and liquidity risks. Then they add on operational risk. By contrast, the Kelliher et al. (2012) classification system is more comprehensive. They were thinking about actuaries working in an insurance setting so they added a few more risks like strategy risks, frictional risks, and aggregation risks. Kelliher et al. (2012) additionally classified more detailed, different levels of risks within each of the first-level risk classification system. That is, there was an effort to provide a more detailed description of what kind of risks comprised these broad categories. Market risk, for example, under Horing & Grundl (2011), is decomposed only in terms of analysing greater precision about limits, risk mitigation, and value at risk. This same decomposition was also used for analysing the other risk categories. Kelliher et al. (2012) had a different way of thinking about market risk. They said, “What kind of market risk is it? Is it equity risk? Is it property risk? And then below that you might have two or three more detailed levels”.

The sample was based on the top global 25 insurers. However, some of these bigger insurers might have sufficient assets under management but not sufficient premium growth (or vice versa), to be listed as top 25 throughout the entire study period were not included, and we ended up with only 13 insurers in the final sample.

The final sample comprises eight European, three Asian, and two US firms. These regional variations are important because of the different legal and cultural risks in which firms operate. This, in turn, resulted in a different frame of reference for assuming risks.

These regional differences also affected the cross-sectional variations in disclosure scores. For example, the European firms scored the highest average scores on regulatory disclosure. On the other hand, the US firms’ average scores were higher on the shareholder side. Asia-Pacific firms, in general, were slightly lower than the other two. Remember we only have three Asia-Pacific firms, two Japanese, and one Chinese, so we do not really have a lot of scope to compare with firms in the other regions.

In terms of the Europeans we excluded ING, because it is really a bancassurer, so you do not know whether it is the bank aspect or the insurer aspect which is driving disclosure quality. There is little difference between Allianz and Axa being the two with the highest average scores. Munich Re also scores highly. Since Munich Re is a reinsurer, it has a quite comprehensive view of risk. We also looked at Swiss Re but we did not include it in the final list.

In terms of disclosure scores under the CEO perspective, a slightly different pattern emerges. Allianz and Axa again have the highest average scores, as does Zurich. On the other hand, Generali tends not to provide as much detail as the other firms.

Our regional trends vary depending on which disclosure index is used: the standard Horing & Grundl (2011) approach; or the Kelliher et al. (2012) approach; or the re-weighted approach that is skewed towards the soft risks. The Asia-Pacific firms tend to disclose more about softer risks, as do the US firms, compared to the European firms. By contrast, the European firms tend to outperform the other two regions under the traditional Horing & Grundl (2011) approach.

ING scores the highest, perhaps because it is a bancassurer. Axa also scored highly. But Generali does not score as well. Aviva and Prudential are up there with the others. Of course, they have a little bit more to play for in that they have to deal with the FSA. So perhaps there is a more detailed conversation going on than might be expected for some other firms.

The second aspect of our research was the internal reporting survey. We were very fortunate that out of the 12 or 14 firms we sampled, ten responses were received. These respondents were the main users of internally generated reports in making decisions. The high response rate resulted from the presentations made at both the Brighton Conference and the CRO forum. We are grateful to the Profession for helping us get such a great response rate.

The survey questionnaire covered a number of areas: (i) corporate governance fit for purpose questions, (ii) link to risk appetite, (iii) the use of risk reporting, and (iv) reporting capabilities.

The primary objective of the survey was to elicit views about risk reporting processes within organisations. We must be careful in discussing survey results because we promised anonymity. This allowed a fuller conversation.

We found that there were areas of concern by respondents about usability: lots of things that they would like to know about which were not in their reports; and lots of information coming through that is not necessarily helpful. There was also a concern over the quality of material produced, both in terms of “fitness for purpose” but also capability. For example, was it grounded enough to help make a decision? Was it too grounded? You can read more about this in the paper.

The main conclusion from our research is that we found risk reporting to be an emerging area. The issue is risk communication. I am sure a lot of actuaries are very good at what they are doing, but it is very important for them to communicate that effectively to other people inside their organisations, and to other stakeholders.

It is an area where there seems to be scope for more work. We tried to have a look at this from the perspective of the actuarial professional who is working in insurance. We know that decision making is different from that in an unregulated environment. It is also different from the banks where there are a lot more pillar III disclosures that are not yet coming through under Solvency II.

This is very much at the tip of the iceberg. We are not pretending that this paper is a deep academic paper. What we are trying to tease out is, first of all, the sensitivity of our self-constructed index across different definitions and variations in risk reporting. We were also very concerned about actuaries talking to other risk professionals in managing global organisations, and considering how useful was that information to them at the disaggregated level, and not just at the consolidated aggregated level that goes to the auditor and gets cross-checked by shareholders or credit rating agencies.

There were some concerns about the quality of information. We found that the actuaries were very much involved in preparing information but were not necessarily the decision makers. The Basel Committee has just come out with recommendations for the quality of the information that is produced and communicated.

We would like to extend our research in a couple of ways. One is to analyse what factors drive the risk reporting process. Is it connected to size? Is it connected to profitability or risk reward ratio? Are the firms that are more sophisticated in terms of their Enterprise Risk Management, or with higher credit ratings, also the ones that do more on risk reporting? Or is it just a bad or ugly story, where risk reporting does not seem to connect in any way to the risk management sophistication of the firm?

We would also like to produce more guidance. Current ASB and IASB guidance on risk reporting within new accounting standards is still quite vague, in our opinion, and needs more flesh.

Also, under Solvency II, we are aware that there is a pillar III requirement but there does not seem to be much of a conversation going on, as yet, between the industry and other stakeholders.

Given that actuaries are so important in managing risks and challenging others inside organisations, who may have a narrower perspective on risk as being simply value at risk, perhaps the Actuarial Profession itself could take leadership in this area and think about developing some recommendations.

Our four questions are:

  1. (1) Should the Actuarial Profession go to the trouble of providing more guidance about risk reporting, either in a specific context, such as pensions or insurance contract reports, or more generally in terms of what narrative about risk taking is being disseminated to stakeholders?

  2. (2) Do you consider that the Actuarial Profession should follow the same line of reasoning as existing risk management professionals, whereby we only worry about either those factors which are measured, or those which are constant such as market risk? Or should there be more disclosure about other softer risk factors, such as whether the firm has a captive insurance arm or whether there strategic risks are related to managing an environmental risk?

  3. (3) To what extent should there be a position taken by the Actuarial Profession on the effectiveness of risk disclosure? In other words, the trade-off between saying “I have disclosed more and more information. However it costs me money to do that” and, on the user side, “Yes, you can disclose more and more, but then I just end up becoming confused and I really only want to know which disclosure is the most relevant one for me”.

  4. (4) Is risk communication, in general, a topic on which the Actuarial Profession would like to provide some further guidance?

This seems to be an important question for practitioners who specialise in communicating risk. For example, I was in a conference at Oxford a couple of weeks ago and some of the insurers and other specialists were concerned about risk communication. They were specifically concerned about graphical representations of environmental risk or hazard risk.

They were worried about translating those metrics into something that a shareholder of a reinsurer could understand. For example, to what extent are your earnings at risk if you do not worry about, and manage properly, a particular CAT risk? Those kinds of questions are very important, and actuaries surely have a role to play.

Dr L. Pryor, F.I.A. (opening the discussion): I thank the authors for such an interesting paper. It certainly brought home some things that I had not really thought about before, especially the lack of a standard framework. The existence of a standard framework for risk reporting would make it much easier for the readers of public reports to compare different reports with each other. The authors clearly encountered difficulty in comparing reports, as they developed three different rating systems. Although these systems gave somewhat consistent results, they were not 100% consistent by any means.

This brings us to an important point which is: what is the point of risk reporting? What constitutes better risk reporting? It is clearly not just more. More of anything is by no means always a good thing, and especially more reporting can be a very bad thing if it obscures the material points with lots of irrelevancies.

It is not clear to me, for example, that going into more detail and defining what you mean by each type of risk is actually helpful to all readers. There are many different stakeholders. Do different types of reporting suit different stakeholders? That is certainly something, if regulation is called for, that the regulators would have to bear in mind.

Another challenge I have is: is risk reporting more important for insurers than for other corporates? I know why we are discussing it: it is because we are actuaries and we are interested in insurers. You could say, and this is possibly slightly unconventional, that maybe it is less important for insurers because they are more aware of risk and have it more under control. The big risk in their business, you might think, would be insurance risk and that they should be on top of that, whereas other corporates who are not thinking so, explicitly in risk terms, may not actually be controlling it so well.

What should the Profession be doing, if anything? Risk is at the heart of what we do, so, thinking more about risk reporting is probably a good thing. We should be thinking about how different forms of risk reporting might affect different stakeholders, about what would constitute better risk reporting for the different stakeholders, and thinking especially about how actuaries can better communicate risk internally.

Actuaries are not responsible for public reporting of risk. They are, however, very responsible for a lot of the internal reporting that takes place. It is something at which we should be good. I do not think that we always are.

Mr J. Instance, F.I.A.: I should like to take issue with some of the points that Professor Klumpes and his team have made. I do not think the statements of accounting standards are bland. They are quite powerful principles in terms of disclosure of risk.

I am slightly concerned, and this emphasises Dr Pryor’s point, that the trouble with specific guidance is that businesses are very different and the users have different views. A principles-based regulatory system is actually much more powerful. I appreciate it leaves things open to the practitioner, but market discipline should exert an influence.

It is quite interesting within insurance. A subject close to my heart, at the moment, is accounting for insurance. We are holding a seminar in a couple of weeks’ time. It is very hard to find investors, i.e. users of insurance accounts, to come and talk to us. In truth, the disclosure is probably not very good. So we do have something to learn.

The actual principles in the standards are quite powerful. There is a requirement in TAS R about reporting risk – I refer you to paragraph 5.5.

If actuaries read that principle and interpret it correctly, it will give them and the users of that information a lot of comfort in what they are reading.

Professor Klumpes: Dr Pryor asked the question: is it more important for insurers to disclose risks than those who are not insurers? I have done a lot of work looking at non-financial multi-nationals, where, unless you are an Enron, it is about mitigating the source of risk, which is not necessarily correlated with your business purpose, or your strategy. There are a lot of financial risks you have to manage and disclose, whereas, for insurers, that is the heart of their business.

What we were struggling with was what kinds of risks we are considering. Insurance risks and underwriting risks are the core of the business. On the other hand, insurers are also exposed to various types of emerging risk and to various types of financial risk. The value added by an insurance firm is being able to transform capital from one type to another. That is their major function in the economy: taking on risks and transforming those risks. I take the point on board.

The question about the Financial Reporting Council: let me answer that in two ways. I agree with the point about principles-based versus rules-based. But there are some very important risks where it seems to be almost “cut and paste”, in particular, financial instruments, where there is not much difference between SFAS 133 and the IFRS equivalent rules contained in IAS 7 and IAS 9.

I suppose what we are worried about in our research is there is one question about what the gap is and what the accountant will say. It is a separate question to ask how that gap is applied. How much room is there to apply the gap? Also, how much is disclosed voluntarily as opposed to just ticking a box saying a lot of the things we see are because they have to be disclosed.

What we are interested in, and why we went for the CRO view, is how much was actually voluntarily revealed about, for example, the performance metric that the firm uses and tells its stakeholders. Aviva seems to use ROCE whereas other firms use ROE, or is it adjusted ROE? That is an important issue.

It is also a discussion about standard financial types of risk, but there is a different type of risk conversation when talking about financial risks on a hedged or unhedged product.

I appreciate the comments, but we need to be a little careful how we define a principles-based approach. Of course there is more scope for variation, but that is also great for the market, because the market can then make its own judgement rather than having to be straitjacketed.

Mr D. B. Martin, F.F.A.: I was interested to read, in the introduction to the paper, a statement that it is surprising that the topic of risk reporting has received relatively little attention from the Actuarial Profession to date.

It is not a subject about which I have a great deal of knowledge. But what I do know is that there has been a great concentration in the Profession in the last 2 years on enterprise risk management.

It occurred to me that maybe all the training that we are now giving in CERA, and so on, should include risk reporting as well as other elements of risk. I would be interested in Professor Klumpes’ comments on whether the syllabus on risk should take this topic into account more than at present.

Professor Klumpes: From my perspective, it comes down to whether you see ERM training as being comprehensive, or whether you see ERM as a process where you allow the introduction of an element of risk culture, influencing the extent to which firms engage in that process. Then, clearly, risk reporting is a key element, but it is an element that is not necessarily receiving the attention of actuaries. Actuaries are much more worried about financial model risk and conduct risk, which are very important things for actuaries.

The actual communication, in its various forms, is a critical element: after you identify it, after you measure it, after you assess it, you have to report it. But, ERM is really a process rather than just a product, or just a brand name, which you would use to promote the company to both credit rating agencies and others.

I personally believe that if you want to convey a good message to credit rating agencies, and have a conversation with stakeholders, then it is worth your while going to the hassle of thinking about the quality of these processes and the quality of the risk reporting that underlies those processes. That is, again, a personal view.

Mr C. D. O’Brien, F.I.A.: We have learnt a lot more about risk in recent years: but part of that is, as the authors say, how do we report that risk, and what can we learn from the practices that have been in place to date?

When firms voluntarily disclose risks, in their accounts, that may be helpful to investors and other stakeholders, it may, of course, also be helpful to their competitors. Therefore, regulations can have an important part to play in encouraging greater risk disclosure. The authors mention regulations and I should like to say a little more about two of those in particular.

These disclosures lead to some useful insights about firms, their risks, and how they manage them. First, it is the Companies Act 2006 which requires firms, and not only insurers, to describe the principal risks and uncertainties they face. Typically, firms go on to describe how those risks are managed. It is therefore common to see listed firms’ reports and accounts having a specific section about risks before we get to the profit and loss account and the balance sheet.

This can, I believe, produce some interesting insights into firms. For example, looking at one UK-listed insurer and its 2012 accounts, it talks about group risk appetite and risk governance structure. The risks disclosed include, for example, claims management and reserving, reinsurance counterparty risk management, and regulatory and emerging risks.

One risk was noticeable by its absence. A few years ago there was a survey of small- and medium-sized enterprises. The risk that scored most highly (when firms were asked to say what were the most important risks affecting them) was the risk that the demand for their products or services would decline.

This insurer made no reference whatsoever to this demand risk. I hasten to add that it was not a closed fund firm.

There is a danger that risk management concentrates on supply risk because it is easier to manage. If a firm buys raw materials from abroad, it can hedge the foreign currency risk. If it is a building firm, it can tell the workers to wear hard hats. If it is an insurer, it can price its products taking into account the probabilities of claims.

In contrast, it is much harder to tell your customers to buy your products, and so a more rounded risk discussion will include both demand and supply risks.

Incidentally, I would also suggest that the comment, in section 2.2 of the paper, that prior to the financial crisis there was almost no requirement for insurers to provide a narrative on their insurance, business or emerging risks does not really appear quite right.

The Companies Act requirement is derived from EU legislation and hence applies to a number of the insurers covered in the global survey, and may have contributed to the relatively strong showing of European firms. However, the authors are also aware that differences in firms’ risk reporting disclosures may reflect other factors such as size. Indeed, if you look at the three Asian firms in the survey, they are all smaller than average. That may have been a factor contributing to their relatively low index scores. I appreciate that the authors had a limited sample on which to try to refine their analysis.

Turning to the second set of regulations that I want to mention, we have the International Financial Reporting Standards. While the authors refer to the requirements of risk disclosure put forward in the exposure draft recently issued by the IASB, the existing IFRS 4 already sets some standards in this area. Insurers are required to disclose information that enables users of their financial statements to evaluate the nature and extent of risks arising from insurance contracts.

It is interesting that while banks usually disclose value at risk as part of their risk reporting, very few insurers do so. Of course, as the authors say, the credibility of value at risk has declined following the global financial crisis. One firm that did disclose value at risk was AIG. In section 4.3 of the paper the authors say that AIG provides the highest quality disclosure under the regulatory perspective. I think that that would come as a surprise to members of the Extreme Events Working Party who, in a recent paper, illustrated a disconnect between the value at risk that AIG disclosed and reality.

What I do find very helpful as part of risk disclosures are the sensitivities that firms reveal. For example, does a change in mortality affect annuities more than assurances? And some general insurers show how their results will be affected by certain stresses, for example, a Lloyd’s disaster scenario.

In conclusion, I think that there are plenty of examples of risk reporting practice, some of which are good and some less so. It is a recently developing area and I think that there is time for firms, and actuaries advising firms, to look at those examples and to say, “This works”. This may be a better way forward than what we have done to date and would help both the investment and wider community understand the risks and what firms are doing to manage them.

Professor Klumpes: Let me respond to one point that Mr O’Brien made in connection with the requirement under the Companies Act which again illustrates the point about principles versus rules-based regulations.

It is my perspective that in the US the registration process involved in company filing is subject to the SEC requirement that their Annual Report, or 10K, must provide narrative about the risks in which they engage. Furthermore, they have to show 5 years of cash flow commitments, obligations for things like operating leases and all their off-balance sheet components. It is very closely monitored by the SEC as part of the disclosure registration system.

This is an example where there is a lot of precision in the regulations. There is more disclosure and more detail required. On the other hand, if you do have a principles-based approach, which is very important in the European context, there is a question of interpretation and the interpretation of that regulation by both the firm and their auditor. The question is to what extent you would expect more variation across the firms in practice under the principles-based regime than under the straitjacket 10K regime in the US.

Some of our findings could be related to size. But it could also be related to culture, and the culture in the US is very much more “Keystone Cops”. In the European context it is much more a negotiation, so you would expect more variation.

Thank you very much for your other comments. We will want to take them on board.

The Chairman: Maybe we can pick up on question two. Do you have any comments on balancing quantifiable risks with those that are less measurable?

Professor Klumpes: I do. It is a source of huge frustration for me as a researcher. One of the issues that we looked at, especially in the non-financial context – and I did have conversations with the SEC on this topic – was that we noticed there were a lot of multi-nationals which have captive insurers The largest firms, will, under their contractual commitments and obligations, reveal the fact that they have a captive because they have to list their subsidiaries.

When we go into the detail, we can identify that there is an address somewhere on an exotic island in the Caribbean where the firm has its captive. But we do not know how much of the risk that the firm runs is retained within the organisation, and how much is reassured with external reinsurers.

I suppose that will come back to the earlier question regarding information about the supply of risk and demand for risk. I think it would help the operation of markets if firms were clearer about how much of their risk related to specific strategy risks or office liability risks and how specific kinds of risks are managed by their captives, and how much of that is exposure relative to the risks that are transferred through contract with insurance firms. And, turning that around for the insurer, how much of their risk as a proportion of their total sales? And how much is managed inside and how much is transferred outside the insurer?

This is soft disclosure, and it is similar to the conversation you would have post-crisis. There were a lot of cross-guarantees between different parts of an entity which were managing risks. We know that in Parmalat, and other infamous cases, those risks were huge.

But what about for the insurers? How extensive are cross-guarantees, and how much of the risks are managed through their own governance structures?

Having a proper mature conversation – it could be about enterprise risk management as well – is not just about value at risk, it is also about greater narrative which will help the regulator and other outsiders. It also requires coming clean.

I realise that I am coming from the public interest perspective. There could well be reasons for not wanting to disclose too much to competitors which I understand. Management does not necessarily want to reveal too much to competitors. It is an area where, if we are going to advance risk reporting, we do not just want to say “What is the risk, how is it measured?” but “How effectively is it managed and how much of that risk is managed internally? How much has been transferred outside?”

Dr Pryor: I think that last point you made about the competitive advantage is really important. If you take what some people might consider a hard line view, that managing is essentially risk management, and that what all companies are in operation to do is to take advantage of some risks, ones that they think they can handle better than other people, then the last thing that they want to do is to explain to all and sundry exactly how they are managing those risks because that is their competitive advantage.

You can see why they would not want to do that. I suspect that in many cases that is not their conscious reason. Their conscious reason is they have not thought it through in much detail and they do not necessarily know what is going on.

But it is clear that there needs to be some sort of middle ground. If we look at investor stakeholders, for example, they do want to have some idea of what the managers of the company think they are doing with the company, and what is their competitive advantage. So you probably want some overall picture of what the risks are, and how you are managing them, and why you think you are good at that particular risk. But going into too much detail is then going to make it difficult for you to compete in the marketplace.

Professor Klumpes: I agree with Dr Pryor. I think it is important to recognise that we do not want to regulate everybody to death. There has to be a bit of freedom. We have to recognise the role of the market, even the investment market. Hedge funds and other active investors will want to have a little to play with, and be able to go long and short on their strategies.

I will respond on one point: I have noticed in certain regulatory environments that regulators require more detail. For example, in Switzerland the national regulator puts on its website all the general insurers, and some of them are actually captives of the large Swiss multi-nationals.

Again, in the Swiss context, it is interesting that the Swiss regulator is the one who was at the forefront of things like the leverage ratio in banking being a systemic risk to the Swiss government. They are worried about the scale and size of UBS and Credit Suisse and, therefore, they will go to the trouble of allowing some transparency.

Having said that, I think that culture is also very important. In certain cultural environments it is possible to have a more relaxed conversation on, for example, model risk.

We have noticed that in environments which are principles based there seems to be more willingness to have a narrative about model risk, whereas in other environments it seems to be less. It then becomes something that is not talked about, or there seems to be an assumption that it is all under control. We have to recognise that difference.

We have to recognise also the cultural differences in the regulatory environment as well as that of the companies themselves.

Mr P. G. Telford, F.I.A.: Dr Pryor made a really good point that competitive advantage relates to the risk profile of the firm. The very source of a firm’s competitive advantage may also add something to its risk register. It is very important that risk reporting does not sit in a silo and become divorced from the rest of the firm’s reporting.

If you read 20 pages of brilliant strategic story and then three pages of doom and gloom risk afterwards, you will end up with an unbalanced picture of the firm’s prospects. You cannot split those two components. They are inherently joined.

The second really good comment that Professor Klumpes made in passing was that regulation of disclosure drives culture as well as directly driving what is disclosed. I have seen a case, not in my present firm, where a risk management framework that was evolved in, and driven by, one regulatory environment completely failed to cross to a different regulatory environment. Part of the reason was that the culture was not ready to receive and operate what it was being handed from the other side of an ocean.

So, for that reason, I go back to the first question. I am very nervous about the word “specific” in the question: should we have more specific guidance? Even within one national or regional reporting culture, every firm has a different chosen risk profile and therefore a different appropriate emphasis to making its risk reporting. I am all for principles but very nervous about specific rules.

Professor Klumpes: Let me just comment on one thing about culture. I certainly think the Swiss example is very interesting. There does not seem to be a lot of regulation about factors like model risk.

We know that the regulator will compel even boutique insurers in Zurich to adopt a minimum template which also then moves to the question about the framing of risk. I suppose if you do go down the route of more precision, it also then frames what that regulator considers to be the relevant template.

For example, I asked the Swiss regulator. “Why is it that, under the Swiss solvency test, there is not a specific requirement for disclosure and monitoring of model risk?”. His response was really quite negative. In that environment there does not seem to be scope for having a discussion on the topic.

It is very important to recognise the impact of culture. You cannot just apply one set of guidelines to a different environment and expect the same answer because interpretation, legal enforcement, and even regulatory culture may differ.

Mr Martin: My question particularly concerns the point made about soft risks. There was a very good paper given to the Institute and Faculty about classification of risks. There was discussion then about the difficulty of what you are describing, and how two different organisations, or two different people, might describe the same thing in different ways, and the lack of having a classification perhaps leads to a lack of communication, because if you have consistent terminology, communication can be rather difficult.

It seems to me that one of the advantages, and one of the things that the Profession could do, would be to put more emphasis on classification so that, particularly in areas of soft risk, people are slightly clearer as to what it is they are reporting. That might well enhance their reporting of risks.

Professor Klumpes: I would like to mention that something I found very interesting in doing research was one of the criticisms of classification is that you can then end up putting different types of risks in different silos.

I thought one of the things that came out of the financial crisis was that companies like RBS got into trouble because they had whole portfolios of risks that went right across different silos that were not effectively captured because they did not fit within the silo. That was one of the self-criticisms of RBS’s director in reporting to the Scottish Parliament.

We have to be careful. It is important to have a comprehensive view of risk classification, but also recognise that a number of risks go across these risk silos and we need to think about it in a more dynamic way.

The Chairman: Just to follow up on Mr Martin’s point – Patrick Kelliher did that very good paper on risk classification. To what extent do you think we can, as actuaries, influence the way in which people use categorisations without engaging with organisations like ISO, for example?

Professor Klumpes: I think that was one of the things that the Kelliher et al. (2012) paper addressed very comprehensively.

The sheer richness, where they had high level risks which were broken down into two or three levels, along with Excel templates that were available for people to read, was in itself a very interesting exercise.

My final comment would be that you have to be careful because a lot of risks are what we might regard as emerging risks, and these risks are very important to certain kinds of insurers, like reinsurers and general insurers, in a different sense from how they would be to a life insurer. I suppose my only concern with whatever risk classification system we decide to use is that we have to understand whether the frame of reference is just about the business risk, or the strategy risk, which the firm manages, and reports, or whether there is also a conversation about the risks that are emerging such as worries for underwriters in terms of pricing moving forward? This is an area which is still unclear to me.

The Chairman: Just picking up on the path dependence of risk disclosure, do you have any comments on that topic? What I mean by that is once you have put some risk information into the public domain, people might think that it is actually quite difficult to then take that away. It is very difficult to change your mind once you have put something into the public domain. Do you have any thoughts as to what extent that is an impediment to people putting more risk reporting information into the public domain?

Professor Klumpes: I think that there could be an impediment in the sense that there are two answers to your question.

Why would a firm voluntarily reveal a whole set of risks when, for example, the initial fair value reporting by some US banks led the market to respond negatively because the market was confused.

One difficulty, therefore, is whether the market, or the market participants, sufficiently comprehend the disclosure to then be able to make a decision.

The other aspect, path dependence, is the conversation that an investment manager will have with a client saying, “Okay, I understand all the different risks. I can value a bond and all the different points and elements of my bond portfolio management. Do you understand it and do you therefore comprehend what I am doing?”.

So, it is also a question of education. It is a question of educating both the public and, perhaps more specifically, the investment community about what these risks are and how they are being managed. That is one reason for having some form of independent guidance on such topics, which then has the public interest benefit of it being from an independent body rather than an individual organisation which happens to have a lot of risks and then attempts to reveal more, or perhaps does not, and gets into trouble with its own investors as opposed to other firms which do not choose the same approach.

Professional experts, such as actuaries, can have a role here in education.

Mrs K. A. Morgan, F.I.A. (closing the discussion): When I read a novel, I tend to prefer those which introduce the characters and then put them in a stressed situation, often with an apparently depressing outcome. My favourite books, however, retrieve the characters with their serendipitous twist. The goodies get married and live happily ever after, and the baddies get their come-uppance.

This paper reminded me of my favourite novels. We started with an introduction to the characters: the insurance companies, the shareholders, the actuaries, the accountants, the auditors, and the regulators. I am not going to comment on who are the goodies and who are the baddies.

We had a stressed situation, the financial crisis, and an apparently dire outcome, good risk reporting being almost impossible because of a lack of consistent standards. The happy ending is, it is to be hoped, not an ending, more some green shoots of good practice that lead me to think that tomorrow is another day, in the words of Scarlett O’Hara. But we have to get to the “another day” if we want to live happily ever after.

I think the indices in the paper give us a measure of whether we are heading in the right direction. It is hard to measure the quality of risk reporting, and the paper sets out some approaches. Reporting, generally, is fraught with difficulty. We have to be transparent and be clear, but if we make it too simple then it loses its meaning.

As Dr Pryor pointed out, if we have too much reporting, it would not be helpful. People will not be able to see the wood for the trees.

Thinking about the four issues for consideration, first of all the authors called on the Profession to give more guidance on risk reporting. I tend to agree with this. It fits with our President’s call in his Address for us to ramp up our relevance.

Professor Klumpes made it quite clear that we should think about the incentives to reporting and the incentives for transparency, because these are quite varied. This leads me to think that guidance would be useful as it would take away the impact of those incentives. He also mentioned that guidance from a Profession would be independent.

It also made me think that as more actuaries become CROs, does that mean that we, as a Profession, should be giving out more guidance? That is something to think about.

Dr Pryor pointed out that standard frameworks would help the reader and would improve standards, so this would improve the clarity of reporting.

Mr Instance and Mr Telford both said that principles might be better because regulation can drive culture and that might not necessarily be in a good way and it might not be scalable. Perhaps the TAS on reporting might be a good place to start. So more to think about there.

The second challenge was identifying how to make risk reporting meaningful by including fewer quantifiable risks, which might actually be more important. This is something that I think is important. It is something that I have been worried about, actuaries learning more and more about less and less until we know everything about nothing. This seems to me a fruitful area for research.

Professor Klumpes highlighted in his presentation that there are different approaches in different regions of the world, and we can learn from one area to another – for example, look at the reporting in Switzerland. Various people mentioned demand side risk and strategy risks, and thinking about how to include information that is captive in some meaningful way.

This is something that I thought about in the Solvency II context where there is a big emphasis on firms understanding their risk profile, making sure that their regulatory capital calculation matches their risk profile. I have not seen very much on how a risk profile can be expressed and how that expression of risk profile can be useful in running a company and understanding risk. This is possibly another area where we could give some insight.

Dr Pryor added to this by mentioning that any expression of a risk profile, and how you measure and manage your risk, has to be done without losing your competitive advantage.

My personal opinion is that I think disclosure is always useful, and it is always more frightening before you disclose things: but once you disclose things, you actually find out it is not as bad as you thought.

The third challenge is about expressing a view on the effectiveness of risk reporting. We did not have many comments on this. But we now have the indices that are in the paper, so we have some statistics where we can measure the quality of this reporting. It is a good starting point but it is a really practical one.

I think that Professor Klumpes made a good point when he mentioned the difference between rules and practice. You can think that you have a regime that is working really well because you can point to your rules, but in the observance of those rules, it is not working. Again, if we have these measures, the Actuarial Profession could give an opinion.

The final challenge was whether we should be developing and supporting papers on risk reporting. Should we be accepting this challenge as thought leaders on enterprise risk management, or should we be passing it over to the accountants? Professor Klumpes pointed out that we could look at different perspectives: shareholders, regulators, and internal perspectives. Dr Pryor reiterated this point.

There is a serious lack of clarity on different frameworks. Several speakers spoke about this aspect. We need something to cut through the lack of clarity. There is a debate about whether this is more or less important for insurers. It is a good challenge about whether insurers are good at managing risks or whether insurers should be looking at risks external to the company as well as the insurance risks that they face.

We could also think about the Actuarial Profession’s role in other industries. Going back to the Presidential Address for this year, about ramping up our relevance, maybe we should be using our skills in other industries, using what we have learnt from insurance and making some recommendations about risk reporting there.

Possibly, there is some work that we could do about making position statements on the usefulness and practicalities of stress testing. That is something that Mr O’Brien mentioned. To me, this is still an open question.

The four challenges are good ones and we have had an interesting and useful debate about them. I think that there is more to say on all of them.

One twist that I think is important is that you can report lots of clear, meaningful information, but if no one reads it, it counts for nothing.

Over the last year I applied for a role with Network Rail – a volunteer job, I am not leaving the Regulator – and I did a lot of research on the information that was publicly available about Network Rail. It is amazing just how much there is.

Part of me thinks that, as we live in a democracy, we have a responsibility to go out and read this information, but I probably spent about 3 days of my life researching every aspect of Network Rail’s strategic plan and the governance arrangements around the organisation.

That is just one of the organisations in this country, and it was a lot of work, a lot of research, but I feel better informed and I feel happier when I am travelling on the train. I feel like a responsible citizen. But it is a lot to ask of people to understand this information. It is not just a case of getting information out there, it has to be accessible, relevant, and easy to understand.

I did feel that there were some good points about the motivation for reporting: the motivation of the people reporting can be different from the motivation of the people reading. Incentives need to be aligned if reporting is going to be useful.

I thought Mr Instance’s point about the potential users of insurance accounting not always using the information or understanding insurance accounts was a good one, and goes back to my point about Network Rail information.

Mr Martin made the point that we should be training people, possibly building on our CERA qualification, to improve risk reporting and make sure more people understand it. I do think that we should be building on our CERA qualification. We should not just leave it where it is and rest on our laurels. It should be something that does develop. This is another area into which we should look.

I was intrigued that Professor Klumpes referred a lot to “conversations” during his presentation. That highlighted for me that reporting is a starting point. Once you have the information, you have to talk about the content. So maybe that is something else we should be doing, not just training people on what to report, but then how to have conversations about the content.

Finally, one thing I love about my job is that I am still learning. I think it is great that our Profession is constantly finding new areas where we can apply our skills. Risk reporting is definitely one, and we should build on this paper and take seriously our CERA credentials and fill this gap.

The Chairman: I know that there is also an initiative by the Australian Institute of Actuaries on risk reporting, and a meeting at the end of October to take this work forward. Perhaps Professor Klumpes could say something about that in his final comments.

Professor Klumpes: Let me close by making a few comments in response to the Chairman. I suppose incentives are important. I think one of the fairy tales goes back to a novel – I am actually reading Dan Brown’s Inferno at the moment. It does worry me that there is some demographic researcher, or actuary, who is going to destroy all the good people because he knows that the world is not going to survive because of population explosions.

Sometimes the risks are just so bad we do not want to talk about them. It is important when we are having a conversation about risk reporting to delineate the good from the bad. And to what extent are risks we identify part of our external environment, and which risks are those which we can and should manage as part of our work environment?

Reliability of the information is very important. That is where actuaries have a role. There is also a trade-off between the reliability and precision of that information and its relevance to the users.

It concerns me that we need to have more discussion about the effectiveness of disclosure, and whether our communications are actually getting across to the stakeholder or to the senior manager.

The other comment I should like to make is to draw people’s attention to the importance of disclosure about risks. In the banking community, that is often done through things like pillar III and through the risk-weighted assets conversation that seeps through to capital ratios.

We have not yet seen that level of transference happening in the insurance context. I am very much hoping that, with the Solvency II issues, once they do get clarified, that we can actually have more discussion on that point.

I should also like to mention, just picking up on the Chairman’s comments, there are two initiatives happening. One is in terms of cultural issues, where we have talked about three different hats: regulatory, management, and shareholder. What would be interesting is to study environments where these three hats are more integrated. Does that lead to more effective risk reward for stakeholders and managers? Australia is interesting in this context in the sense that that they have already implemented Solvency II, not just in insurance but also in pensions and banking.

We are hoping to have conversations and perhaps develop joint work with our Australian colleagues to see whether there are some interesting cultural differences between Europe and Australia.

The Chairman has mentioned, as part of the contribution to the enterprise, the risk management development leadership group that he is leading. There is an intent of obtaining more precision, and documenting what are the more specific things the Profession can take away from this topic. Is there any specific guidance that we can actually come up with? I am looking forward to that.

I should like to end my presentation by thanking everybody for coming and for giving us the opportunity to have this session.

References

Horing, D. & Grundl, H. (2011). Investigating risk disclosure practices in the European Insurance Industry. Geneva Papers – Issues and practice, 36, 380431.Google Scholar
Kelliher, P. O. J., Wilmot, D., Vij, J. & Klumpes, P. J. M. (2012). Risk Classification Working party. A common risk classification system for the Actuarial Profession. British Actuarial Journal, 18, 132.Google Scholar