Introduction
The basic legal doctrine that governs most insurance contracts (uberrimae fidei) implies that all parties to insurance contract must deal in good faith, i.e., disclose all information relevant to the proposal.Footnote 1 A key fundamental principle underlying this relationship is that presumably all risks pertaining to or underlying the contract are fully disclosed in a neutral, transparent and objective way in order to ensure fair pricing. Moreover, this fundamental principle concerning the effectiveness of insurance contracting is also a generalisation of the presumed informational efficiency of capital markets that underpins security regulation and has received much attention by the vast and expanding corporate finance and accounting literatures over the last five decades. Despite the insurance industry’s apparently critical and growing role in the global allocation of risk and transformation of capital, there is little authoritative guidance concerning the form and content of risk reporting in general, or indeed what specific forms of calculation or displays might facilitate more effective decisions about the allocation of risk by various stakeholders.
The purpose of this paper is to investigate the rationale, background, characteristics and evidence concerning risk reporting by global insurance companies. The quality of insurance companies reporting practices, both to external stakeholders and internally, should be of public policy concern for many reasons.
∙ Credit ratings, analysts and other users are concerned about the extent of risk exposure of global insurers following the recent adverse publicity about shortcomings in risk management practices of financial institutions in the run up to the financial crisis (e.g. the issues seen at AIG).
∙ Regulators are increasingly demanding specific risk disclosures related to certain financial instruments in accounting standards.
∙ In the light of the forthcoming implementation of Solvency II, and ongoing accounting standard developments, a number of regulators have imposed transparency requirements. These arise from the shift of solvency and capital adequacy away from simplistic accounting ratios towards greater transparency of insurance companies about the effectiveness and resilience of their risk management, corporate governance and risk monitoring systems.
∙ The insurance industry is becoming increasingly politically visible as a risk carrier of last resort as public policy makers in many countries affected by the financial crisis are increasingly seeking to transfer formerly public-held risks onto insurance industries (e.g. mandating of privately insured, minimum levels of health insurance and pensions coverage).
The actuarial, risk management and accounting professions and a number of regulators have recently drawn attention to the importance of good practices in risk reporting. The Walker Report in particular drew attention to the need for greater emphasis on risk reporting to support various strengthened governance framework systems.Footnote 2 This is in stark contrast to current accounting and reporting regulations, which still focus almost entirely on financial reporting of financial statement numbers, rather than the risk allocations that might underlie them.
Given the central role that actuaries play both for statutory and business purposes in the analysis of risk management and their expertise in measuring the probability of future events, it is surprising that the topic of risk reporting has received relatively little attention from the Actuarial Profession to date. Moreover, owing to the evolution of integrated financial reporting and risk management systems in complex organisations, it is becoming increasingly important for actuaries to communicate the results of their specialised risk analysis to key stakeholders both within and outside their organisations. Consequently, it is becoming increasingly important to garner evidence about the disclosure effectiveness of risk reporting and risk communications, whether inside or externally produced.
Actuaries also possess unique skills in analysing the depth and interaction of various types of business and emerging societal risks. These skills seem particularly relevant given the apparent shortcomings of standard quantitative financial techniques historically used by risk management professionals in detecting and appraising the impact of black swan events such as the recent financial crisis.
Finally, we believe that the current environment of the recent recognition of risk reporting as an increasingly significant issue by public policy makers affords a unique opportunity for Actuarial Professionals to both create, and then meet, standards for best practice in risk reporting, focused on organisations that specialise in the efficient allocation and/or transformation of risk across society.
Most current regulations concerning risk reporting appear to be based on the presumption that a narrow concept of “risk to rewards” (in terms of the trade-off between mean and variance of return (VaR)) are of primary interest to stakeholders, and not how the risks were allocated in the first place. Current regulation also ignores the extreme nature or distributional characteristics underpinning firms’ risk to reward relations. This leads to a strange irony – in recent years, actuaries, analysts, and the accounting and auditing communities seem to have generated much controversy concerning how well financial reporting of insurance contracts reflects “performance”. For example, the delineation between insurance and non-insurance (investment) elements of “comingled” contracts has led to a bifurcation approach that decouples risk sharing and pooling benefits associated with such contracts. However, the more fundamental question about the processes by which the risk allocation decisions has been almost entirely ignored. Merton (Reference Merton1995) points out subtly that financial numbers only report information about value allocations, but not risk allocations.
Most regulations that do exist on risk reporting appear to focus almost entirely on the sensitivity of financial numbers to certain well-defined financial risks that are associated with diversifiable and tradeable financial instruments. This ignores issues of emerging risks, insurance risks or even softer strategic risks that seem to be so important to the fair valuation of insurance.
We consider several important considerations in exploring the topic of risk reporting:
∙ The underlying framework for classifying such risks in the first place. This is an important topic that has a begun to be addressed (Kelliher et al., Reference Kelliher, Wilmot, Vij and Klumpes2012).
∙ The appropriate corporate governance framework. This may bear upon whether risk reporting should be perceived as serving, primarily, regulators, shareholders, internal users or other stakeholders.
∙ The form and content of risk reporting. Prior research has shown those investors and other users decisions may be significantly affected by the form in which information is disclosed, particularly when revealed as a footnote rather than recognised in financial statements. This is considered in the “disclosure effectiveness” on risk reporting practices.
There is very little evidence concerning the behavioural impact on, or consequences of, risk reporting processes, on those affected by or influencing important decisions about the allocation of risk. Much prior research has focused on the substantive rationality of individual investors who trade on, or rely on, risk information that bears the pricing of insurance contracts. This leads us to consider even more basic questions about the fundamental theoretical rationale for undertaking risk reporting in the first place, i.e., whether it is motivated by positive “signalling” reasons, or by more negative “instrumental–political visibility” reasons, or is simply an outcome of plainly misleading attempts to deceive investors (e.g. Enron), or incompetence, i.e., that risk reporting processes are simply not sufficiently holistic or joined up to be sufficiently relevant to how strategic business decisions are actually made.
The next section outlines the motivation to this study and summarises the main objectives. Section 2 contains some institutional background and review of theoretical antecedents and relevant research. Section 3 outlines the research methods used to examine current risk reporting practices. Section 4 summarises the analysis of disclosure practices to external stakeholders. Section 5 discusses the survey of internal reporting practices. Section 6 provides conclusion, findings, and recommendations and suggestions for future research.
1. Motivation and Objectives
The risk reporting working party was set up in August 2011 in response to increasing interest in the topic of risk reporting by practicing actuaries, professional bodies and regulators in the light of the financial crisis. However, most of risk reporting appears to have focused on the banking, rather than insurance, industry.
There is a lack of specific guidance by authoritative regulatory bodies in this area. Therefore, the risk reporting working party identified a series of research objectives framed as questions within the general scope of risk reporting by insurance enterprises. These specific research objectives are summarised below.
i. To summarise current authoritative guidance on insurance risk reporting and review the state of recent related research on this topic as defined broadly. This is covered in section 2.
ii. To consider what conceptual frameworks, derived either from theory, practice or related industries, might be applicable to evaluating the quality of existing reporting practices. What alternative perspectives concerning risk management, corporate governance, disclosure effectiveness and accountability could bear on risk reporting environment? This is covered in section 3.
iii. To report some evidence on recent trends in the scale and scope of risk reporting practices to external stakeholders by multinational insurance enterprises. What are the sources of variations in risk reporting disclosures across multinational insurers? How have these trends evolved over time? What are the key areas of risk disclosure? This is covered in section 4.
iv. To provide some detailed analysis of best practice risk reporting processes within multinational insurance enterprises. Are internal risk reporting processes effective? Are they fit for purpose in aiding decision making? This is covered in section 5.
v. Based on the analyses undertaken in steps iii and iv above, to provide some recommendations and public policy implications for enhancing the scope, relevance and user reliability of risk reporting for shareholder, regulatory and internal managerial purposes. This is covered in section 6.
Our analysis of the above is constrained by a number of factors that limit both the scope and depth of our research contribution. These factors should be borne in mind by readers who are seeking to apply our findings to specific risk reporting contexts.
1. First, the global risk reporting environment is fast changing and it has been difficult to absorb and incorporate the rapid evolution in accounting, auditing and regulatory standards that bear on this topic into our analysis. IFRS, UK GAAP and Solvency II have all developed more specific guidance for risk reporting in early 2013 and we fully expect imminently more specified guidance to be provided concerning the implementation of currently vague general purpose requirements for risk reporting. However, owing to constraints in our own resources we are unable incorporate these latest insights into our empirical and survey analysis, and therefore our discussion and results are limited in application as of the current regulations in force as of 1 July 2013.
2. Second, owing to time and resource constraints we were unable to undertake a comprehensive analysis and so restricted our analysis accordingly. Consequently, we decided to focus our efforts on understanding practices in a sample of global 25 insurance companies over the period 2006–2012 only. This period witnessed some major changes in risk reporting, including both the full implementation of IFRS generally and derivative reporting requirements specifically in many jurisdictions. It also allows us sufficient time to analyse the impact of both the financial crisis and its regulatory impact on corporate governance and managerial incentives to voluntarily reveal information, and the imminent implementation of Solvency II, on reporting practices.
3. Third, since the nature and extent of observed risk reporting practices is likely to be strongly related to business complexity, our analysis considers the global leaders in UK, European, US and Asia-Pacific insurance. This population comprises insurance enterprises that specialise in a range of different business lines, such as reinsurance, bancassurance, general, life and composites. This variation in focus versus diversification business models provides some additional richness to the analysis, but also severely limits the scope of our research and hence the generalisability of our findings to the entire insurance sector and to the actuarial and other professionals that participate in risk reporting practices.
4. Finally, we also believe that only global insurance companies have sufficient risk capital, pooling and resilience resources to be able to produce relatively sophisticated risk reporting systems. Thus from our results we are able to discern both risk cultural and appetite influences over reporting practices. Global insurers also tend to be thought leaders in terms of developing best practice and are often asked by regulators to act as “guinea pig” first implementers of new standards of reporting.
Our decision to focus only on large, listed insurers limits the scope of our analysis, for example, we have ignored mutual and specialist insurers. However, it does allow us to escape from a major limitation of prior risk reporting studies, that the richness of observed risk reporting is significantly influenced by firm size.
2. Institutional Background and Prior Research
Until relatively recently, the topic of “risk reporting” did not receive much attention from regulators, policy makers or researchers. Most of the recent developments related to risk in financial reporting concerned greater levels of required footnote disclosure about risks in specific areas, including, for example:
∙ Sensitivity of certain financial statement numbers to alternative assumptions under pension accounting.
∙ More detailed disclosure concerning the type and nature of derivative instruments, both by general classification (e.g. currency, commodity, interest rates), their nature (hedged or speculative) and by type (over the counter or traded, forwards, swaps, etc. and their maturities).
∙ Increased amounts of narrative concerning financial risk management policies.
However, these requirements are mainly confined to audited disclosure of market risks associated with these specific types of financial instruments.Footnote 3 In this section we briefly review recent practices in bank risk reporting, and then summarise the key regulatory developments and relevant research findings.
2.1. Bank Risk Reporting Practices
The general vagueness in risk reporting by insurers is in stark contrast to the banking industry. In addition to being required to report “risk-weighted assets” (RWA), Basel Committee has also recently developed specific guidance for risk reporting principles. These are summarised in Appendix 1.
Despite this, one of the great ironies of the financial crisis is that, ahead of its impact, according to the general purpose and specific risk reporting standards applicable time, regulation and guidance then in operation, the banking system appeared well capitalised. Banks were reporting capital ratios well above the minimum levels required under Basel 1. And Basel 2, due to be implemented just as the crisis hit, proposed no overall increase in the level of capital held by the banking sector.
In this section we briefly summarise the results of a study conducted by one of the authors (Klumpes & Welch, Reference Klumpes and Welch2011) concerning recent trends in both accounting and regulatory supervision after the financial crisis. By comparing the risk-weighted capital ratios calculated in accord with the fully implemented Pillar III requirements of Basel 2, with the unweighted equivalent capital ratios estimated under IFRS (leading to the calculation of the subsequently implemented “leverage ratio”), the analysis identifies areas of deficiencies in the transparency of IFRS-based financial reports and regulatory-based capital risk disclosures and calculations by the major UK banks around the time of the crisis.Footnote 4
We briefly outline capital risk disclosures of the big UK five banks, as well as Northern Rock and UBS, two of the banks worst hit by the first phase of the crisis during the second half of 2007. At end of 2006, Northern Rock reported a Tier 1 ratio 8.5% more than twice the regulatory minimum and higher than the 7.7% ratio it reported at end of 2005. Meanwhile, UBS reported a Tier 1 ratio of 11.9% at end of 2006, one of the highest in the European banking sector.
Why did banks appear so strongly capitalised? Was there a simple flaw in the Basel approach to the risk weighing of bank assets that contributed to this illusion of capital strength?
Under Basel, assets are effectively risk weighted from a 100% ceiling rather than around a 100% mid-point. Few asset categories are weighted more than 100% with major asset categories (interbank loans, mortgages) risk weighted at significantly <100%.
Weighting from a ceiling rather than a mid-point has a crucial effect on asset values and capital ratios. It disconnects the total value of RWAs from the total unweighted value of bank assets. Crucially, it pushes down the risk-weighted value of assets, so they are significantly lower than unweighted asset values. And this in turn disconnects RWA-based capital ratios (such as benchmark Tier 1 ratio) from unweighted leverage ratios (e.g. equity as a proportion of total balance sheet assets). Risk-weighted capital ratios are significantly higher than capital ratios based on unweighted assets.
Prior research demonstrates that changing the anchor can have an important impact on the behaviour of investors and analysis, who rely on the quality of capital risk disclosures contained in financial reports in making investment decisions (Klumpes & Manson, Reference Klumpes and Manson2008). In their reporting, banks tended to focus on their “strong” Basel capital ratios rather than the value of the RWAs. Yet, the capital ratios only looked strong because the value of RWAs was so much lower than the value of unweighted assets. Thus, the recalibration gave the illusion of a systemic reduction in the underlying risk, when it should have been calibrated neutrally. As a result, investors and regulators lost sight, or failed to realise that “strong” Basel Tier 1 ratios were compatible with surprisingly low unweighted capital ratios.
Northern Rock and UBS were major players in asset categories – residential mortgages and trading book assets, respectively – that were only lightly weighted relative to the 100% ceiling under Basel. As a result, Northern Rock’s RWAs of £30.8 billion at end of 2006 were less than a third of its balance sheet assets of £101.0 billion. And its Tier 1 ratio of 8.5% at end of 2006 was more than twice as high as its unweighted leverage ratio (equity-to-balance sheet assets) of 3.2%.
The value of UBS’s total balance sheet assets of CHF 2.4 trillion at end of 2006 was an astonishing seven times greater that it’s RWA of CHF 342 billion. As a result, its Tier 1 ratio of 11.9% compared with an unweighted leverage ratio of only 2.1%. UBS’s large and lightly capitalised investment bank trading book appears to be the main factor behind the disconnect. UBS’s large investment banking business accounted for over 80% of its balance sheet.
But this disconnection between the value of risk-weighted and unweighted assets was not limited to the more specialist mortgage or investment banking players. Take, for example, the big five UK-based universal banking groups (Barclays, HBOS, HSBC, Lloyds and RBS). At end of 2006, only HSBC’s RWAs were valued at more than 50% of its unweighted balance sheet assets. And even in the case of HSBC, the value of its RWAs was only 50.4% of its balance sheet assets. Overall, for the five banks combined, RWAs were valued at only 43% of unweighted balance sheet assets, by 2012 that had increased to 67%. By contrast, the unweighted leverage ratios has hardly changed, from 3.8% in 2006 to 4.3% in 2012.
Almost everyone agrees that the Basel risk weightings need to be re-calibrated to increase banking sector capital. As part of that reform, the risk-weighting valuation framework should be reconfigured so that 100% becomes a mid-point rather than a ceiling. This would significantly improve transparency by reconnecting the total value of RWAs in the banking system with the unweighted value of those assets.
At the time of the financial crisis, there was a significant lack of clarity concerning key financial statement numbers underlying the calculation of capital and leverage ratios under Basel and IFRS-based comprehensive GAAP. Subsequently, the leverage ratio has been introduced as a way of “de risking” bank capital ratios. Further, most banks now routinely provide footnote reconciliation of RWAs to unweighted GAAP assets. Any currently off-balance sheet assets should be recognised in full in GAAP-based reporting so that there are no opportunities for “regulatory arbitrage” between GAAP-based reporting and regulatory accounting principles under Basel 2.Footnote 5
However, significant discretion is still available for banks to manipulate key elements of the capital ratio under relevant GAAP, such as the reclassification of certain types of bank assets that use inconsistent measurement bases (Klumpes & Welch, Reference Klumpes and Welch2010). Consequently, key elements of bank assets, the fair value of the loan portfolio is not recognised in their financial statements, but can be instead reported at amortised cost.Footnote 6 By contrast, insurers must report the fair value of their insurance liabilities, and a number of insurers even report voluntarily their embedded value.
An important point to consider in analysis is that the audit profession is not currently required to verify or check the validity usefulness or reliability of either disclosed capital and leverage ratios or Pillar III reports published by banks. This was subject to a discussion paper by the former Financial Services Authority that was never subsequently implemented. However, in recent years both the United Kingdom and other regulators have sought to require auditors to move away from the strict “pass or fail” report towards greater disclosure of key areas of uncertainty affecting their audits. Most recently, the US Public Company Accounting Oversight Board has just implemented this for all US-listed companies, although the effectiveness of that requirement remains unclear.Footnote 7
2.2. Risk Reporting Regulations for Insurers
Before the financial crisis, there was almost no requirement on insurers, either specifically or generally, to provide narrative on their insurance, business or emerging risks. Unlike the Basel Committee Pillar 3 reports, which have been fully implemented by banks since 2006, there is still no equivalent disclosure provided by insurers, either to their policyholders or shareholders. With the exception of AIG, most of the pressures for increased disclosure affected the banking industry. In the United Kingdom, the Walker review of corporate governance in UK banks proposed the preparation of risk reporting by banks to help investors better understand the governance of risk taking and risk appetite and performance of their investee company (Walker, Reference Walker2009, 104).
The integration of risk reporting into Solvency II is still (as of date of publication) relatively unspecified and still lacks clarity in key areas (KPMG, 2012; Morgan, Reference Morgan2012). This is in contrast to the fully implemented Pillar III disclosure requirements of Basel capital adequacy requirements as discussed above.
Moreover, there is almost no authoritative guidance on risk reporting practices by insurance. Neither the Actuarial Standards Board, the UK accounting standards board or the International Financial Standards Board provide any detailed promulgation concerning specific or even general guidance for risk reporting for insurance enterprises. This is despite both issuing draft amendments to existing GAAP in the last few months (ASB, 2013; International Accounting Standards Board (IASB), 2013). For instance, the IASB (2013, para 86) states blandly that “an enterprise shall disclose information about the nature and extent of risks that arise from insurance contracts”. It further states that an entity shall disclose the exposures to risks and how they arise, and its objectives, policies and processes for managing risks that arise from insurance contracts (IASB, 2013, para 87 (a) and (b)). However, it does not actually state comprehensively what those risk categories are or provide specific guidance on reporting within each of those broad categories.
As similar lack of clarity pervades the ASB’s FRED 49, which merely states (2013, para 4.6) that an insurer “shall disclose information that enables users of its financial statements to evaluate the nature and extent of risks arising from insurance contracts”. It then demands that insurers disclose information about insurance, credit, liquidity and market risks without specifying the nature, type of scope of such disclosures (ASB, 2013, para 4.7).
The only specific general purpose reporting guidance available on risk reporting for insurance enterprises was provided by the German Accounting Standards Board (Deutschen Standardisierungsrat or DSR), standard DSR 5-20. The standard, effective from 2004 for all German insurers, provides requirements concerning the provision of information about general risks as well as specific risks and the type of risks and overall risk provision of the consolidated group. It requires that risks are quantified only where this can be done “with reliable and recognised methods” and “without undue economic expense”, but does not specify a method of quantification. It also includes model risks and minimum disclosures relating to underwriting, default receivables and investment risk. As discussed below, the DSR 5-20 is also the only standard that has been subject to thorough empirical study.
2.3. Review of Prior Research
More recently, most accounting professional bodies and accountancy companies have produced or sponsored definitive studies on the topic, including the Institute of Chartered Accountants in England and Wales (ICAEW) (2011), Abraham et al. (Reference Abraham, Marston and Darby2012), PriceWaterhouseCoopers (2011), Chartered Institute of Management Accountants (CIMA) (2012) and Franken et al. (Reference Franken, Szwejiczewski and Kutsch2013) in mainly non-financial settings. Most recently, the Basel Committee on Banking Supervision (BIS) (2013) produced a definitive guidance on principles for more effective risk reporting by banks.
After an extensive review of the limited evidence available on risk reporting practices in general, the ICAEW (2011, 14) concludes that “there is no basis to arrive at any firm conclusions”. Abraham et al. (Reference Abraham, Marston and Darby2012, 5) notes that “while the quantity of information has increased, questions have been raised over the quality of information disclosed”. CIMA (2012, 6) reports that the main outcome of what went wrong at RBS was that “too much emphasis was placed on the need to quantify risks” and its weakness as a financial institution was due primarily to undocumented “macros imbalances”. For example, the compartmentalisation of risk into silos resulted in portfolio risk aggregating across the silos developed unchecked.Footnote 8
By contrast, there is little definitive research at the academic or practitioner level on risk reporting by insurance companies. With the exception of long-standing German GAAP on this topic (discussed briefly in more detail below) there is also no definitive guidance on risk reporting by insurance enterprises. This seems surprising given the importance of risk monitoring as a key component of the overall risk management process that is now subject to scrutiny by both regulators and credit rating agencies.
Although multinational insurance companies are subject to various disclosure requirements, and there is a significant and growing body of literature concerning risk reporting generally, very little research has investigated risk disclosures and their link to overall corporate and risk strategy adopted by large insurance enterprises. In a recent study, Horing & Grundl (Reference Horing and Grundl2011) examine the extent of risk disclosure practices in annual reports of a sample of EU insurers during the period 2005–2009. They construct and implement a self-constructed disclosure index that is mainly based on the Chief Risk Officer (CRO) forum proposal for public risk disclosure (IAIS, 2002). This was then applied to examine the extent, trends and determinants of risk disclosure practices in a sample of 31 European insurance firms.
Horing & Grundl (Reference Horing and Grundl2011) predict and find that the extent of risk disclosure is positively related to size, book-to-market ratio, ownership dispersion, cultural differences across Europe and listing status. They also find that the introduction of IFRS 7, Basel II and the financial crisis potentially triggered this improvement in risk disclosure. Aggregated risk overview and operational risk reporting received the most attention with the highest growth rates. Consistent with the results of prior research on risk reporting practices in many other contexts, they find that the extent of risk reporting is positively associated with firm size and negatively associated with profitability.
However, there are a number of reasons why the results and analysis of Horing & Grundl (Reference Horing and Grundl2011) may be limited in their application.
∙ Since they relied primarily on DSR 5-20, which requires categorical disclosure of the following types of risk: market risk, credit risk, liquidity risk, underwriting risk and operational risk. Unfortunately, these risks are oriented to financial risk management procedures, such as VaR, which may not necessarily resolve risk management problems associated with financial crises or broader issues.Footnote 9
∙ They studied a relatively large cross-sectional sample of insurers across the European industry, so they were unable to discern results on an individual firm basis. This is important since their results confirmed those of prior risk reporting studies that size is a significant influence on risk reporting quality.
∙ Since they adopted the CRO forum and DSR 5-20 method of risk classification framework categorisation, their compartmentalisation of risks ignored the analysis of broader portfolio-level risks global insurers face that might cross these silos, and they ignored other “soft risks” such as strategic and frictional risk. We discuss this issue in the next section. Moreover, their analysis of disclosure index items within each major category of risk was confined to a quantification of the risk exposure only (e.g. definitions, description of risk mitigation activities, value at risk at specified confidence intervals and period, description of stress tests and/or sensitivity analysis and description of major risk concentrations). Consequently, they did not separate adequacy of disclosure of various stages after risk exposure, such as an analysis of risk measurement or an assessment of management effectiveness.
∙ Finally, they only studied disclosures up to 2007. In the light of the financial crisis and the gradual implementation of Solvency II, evaluating trends in disclosure quality over time between the pre- and post-crisis period would seem to be of interest and relevance in a more up-to-date analysis.
3. Framework for Analysing Risk Reporting Quality
This section summarises the various theoretical and conceptual frameworks related to corporate governance, disclosure effectiveness, accounting and risk classification that can provide a useful frame of reference for studying risk reporting practices by global insurance companies. We consider this to be an essential pre-requisite to our research design since there are differing perspectives on corporate governance, disclosure effectiveness and scope of accountability. In particular, we are seeking to delineate which of these perspectives are most relevant to the Actuarial Profession’s position on this topic.
3.1. Corporate Governance
Perspectives on corporate governance can be characterised in two ways. The UK and US legal systems generally adopt a “shareholder perspective” on governance. Thus, it is not surprising that the ICAEW’s paper on this topic is constrained to “business risks” and is directed primarily to shareholders only. By contrast, Continental European insurance companies operated in a “stakeholder perspective” on corporate governance. This may involve the operation of multiple boards of management and processes for consultation with stakeholders, including policyholders and employees that are not usually formalised in Anglo-American countries.
These differences are subtle and yet may have a significant bearing on the nature of risk reporting within insurance companies operating in different countries. For example, under the US approach, there is much less emphasis on stakeholder reporting, while the regulatory reporting tends to be separately supervised by state of incorporation and through the National Association of Insurance Commissioners. There is a plethora of US GAAP on this topic by business line with no clear delineation for risk reporting.
By contrast, in the European context, the disclosure environment is more complicated since there is usually a single national regulatory authority and the reporting to shareholders is subject to disclosure requirements by the European Commission (PAIEC). However, these regimes can vary significantly in terms of both the requirements of the national regulator and the interaction and enforcement of EU directives and principles. There is also continued uncertainty over the nature of the implementation of the Solvency II, including the effective date and crucial details about the Pillar III requirements.
The United Kingdom is even more complex in so far as reporting can be subject to UK GAAP (FRS 27, soon to be updated to FRS 103), SORPs (e.g. the ABI SORP on embedded value) and IFRS (with the soon to be implemented revised IAS 4). Further, besides the general corporate governance codes that have influenced the form and content of risk reporting (particularly related to management remuneration), the role of the UK Actuarial Profession itself has been subject to significant scrutiny with the Penrose Commissions’ recommendations for reform and the creation and promulgation of rules by the UK Actuarial Standards Board. Finally, the regulatory environment is currently in a state of transition with the evolution of the former Financial Services Authority regime to the newly created Financial Conduct Authority and the Bank of England. Consequently, it remains unclear what, if any, these bodies will seek to amend the regulatory oversight of UK insurance industry reporting.Footnote 10
An alternative perspective on corporate governance is that of complexity theory, which depicts shareholders, employees, stakeholders and gatekeepers as part of the complex social ecosystem surrounding risk reporting by insurance companies (Goergen et al., Reference Goergen, Mallin and Swe2011). A major insight of this theory is that comprehending the full scope of risk reporting requires a deeper understanding of the various formal and informal processes by which shareholders, regulators, management and other external stakeholders that affect and are affected by the insurance enterprise, can and/or should interact.Footnote 11
This research topic seeks to identify areas where risk functions could/should advocate structures or methods that promote organisational resilience. Evaluating the cost-benefit of corporate investment in resilience requires a slightly different calculation, which involves considering the possibility that changes in the operating environment cause the organisation to unintentionally find itself in a new paradigm which is suboptimal. An important insight of this approach is a greater emphasis on the analysis of risk tolerance, resilience and culture, in contrast to the decision hierarchical approach of standard corporate governance theory.
In this paper, we will adopt the complexity theory approach because unlike the more traditional and narrow “shareholder” and “stakeholder” perspectives there is likely to be better insight into recent and current trends in risk reporting and the incentives facing the players involved in or using this process.
Table 1 shows how subtle differences in reporting regime affect the nature, scope and scale of risk reporting. It is interesting to note how differences affect both the nature and scope of reporting.
Table 1 Alternative Bases For Risk Reporting
≅ See, for example, Culp (Reference Culp2000) for a definition and delineation among these alternative perspectives.
Table 1 shows that different governance bases for reporting risk has a significant impact on the major focus and frame of reference. From a shareholders’ perspective, the major reference is the disclosure requirements of relevant accounting standards. In this case, only IAS 32, 37, and IFRS 7 and 9 provide specific guidance on risk reporting in general purpose financial reports sent to investors, but only in connection with the reporting of financial instruments. The annual report (particularly the quantitative and narrative footnotes concerning risk reporting) will be most relevant – these are mainly concerning market (diversifiable) risk sources, as well as pension and other sources of retained risk. The valuation basis for shareholder reporting is a combination of historical cost or fair value for the balance sheet assets and liabilities. The risk management process is implicitly assumed to focus on accounting measures of a firm’s financial condition such as earnings. Therefore, risks are primarily concerning the extent to which companies actively hedge factors affecting the volatility of earnings, such as commodities, interest rates or currencies. The appointed auditor is primarily responsible for vetting compliance with relevant general purpose reporting requirements, and may indeed seek to constrain the scope for voluntary reporting beyond this.
By contrast, the major focus for regulatory-focused risk reporting is downside risk based on parameters set by the regulator (e.g. one in a 100 year thresholds). Risk reporting is therefore constrained by regulatory fiat and pre-specified format, and is likely to focus more on prudence rather than relevance.
An important distinction between regulatory and shareholder reporting of risk is that presumably the former requires more conservative, verifiable and neutral valuation measurement bases, whereas the latter is tending towards fair value measurement bases. This is indeed an important distinction between Core Tier 1 capital under Basel versus IFRS-defined shareholder capital. Since the focus of regulators is more balance sheet than performance oriented, it would seem logical that most risk reporting would relate to assets at risk such as traditional VaR measures. However, post-crisis the credibility of such measures has declined, particularly beyond the traditional portfolios. Of course, unlike general purpose financial reports, risk reporting information would not be subject to audit, although audit companies do specialise in helping insurance companies prepare such reports to regulators.
From an internal management perspective, the scope of governance reporting is constrained by the idiosyncratic and unique organisation of the C-Suite, job titles and professional qualification of the CRO/CFO user of internally generated risk reports. In recent years there has been a significant increase in demand for risk monitoring and it has been combined with broader expertise in enterprise risk management, where actuaries are increasingly working.
One would also expect that risk reporting would be tailored to the business segment or internal organisation of risk functions, and to be more disaggregated in nature than for external reporting. It might also be expected to be future oriented and the valuation bases might therefore be more likely based on future expected cash flow. Since the form and content of such reports may depend on the strategy of the firm, it may also be less standardised in nature than for external or regulatory purposes.
3.2. Disclosure Effectiveness Framework
Although the regulation of financial ratios, financial statements and detailed financial statements is pervasive, very little is known regarding how individual investors assimilate such disclosures into their purchase decisions. Financial theory often assumes that the primary decision makers of interest are professional investors or decision makers, who typically have some experience in reviewing financial documents, adopt relatively focused and well-defined decision-making strategies, and use a limited number of information cues. By contrast, individual strategic managers of large global insurance companies often make decisions in unstructured environments, and must cope with vast amount of financial condition and non-financial risk disclosures that are provided directly by multiple sources. These limitations of human decision heuristics have given rise to a growing popularity of behavioural theories of decision-making behaviour that model risk taking in terms of “loss aversion” rather than “risk aversion” (e.g. Kahneman & Tversky, Reference Kahneman and Tversky1979).Footnote 12
The increasing complexity of mandated risk disclosures raises questions over the disclosure effectiveness of risk reporting, defined as the trade-off between the value relevance of the information provided to the investor and its costs of provision in terms of either;
(i) direct and indirect costs involved in preparing, printing and distributing financial statements containing regulated financial disclosures; or
(ii) information overload to users induced by inclusion of regulated financial or non-financial disclosures (FASB, 1995). The ICAEW (2005) proposes that public policy information requirements should take account of individuals’ limited information processing abilities.
This study investigates the disclosure effectiveness of regulated financial risk disclosures conveyed by insurance enterprises both in their annual reports issued to stakeholders and to idiosyncratic risk communications and/or disclosures disseminated to individual internal decision makers that might use internally generated reporting processes. We undertake a survey of practices within organisational decision-making processes to supplement the content analysis of externally generated risk reports following the approach of Horing & Grundl (Reference Horing and Grundl2011). Disclosure effectiveness is defined in terms of both information load (i.e. financial solvency disclosures in the form of financial statements, abbreviated financial reports or financial ratios) and news favourableness.Footnote 13
3.3. Accountability Framework
A third dimension of our study concerns the content of risk reporting, i.e. should it be primarily concerning risk exposures or the impact of risk events on reporting pure risk exposure.
In a recent paper, Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) developed a proposed common system of risk characteristics for the Actuarial Profession.Footnote 14 Appendix 2 summarises the main insights garnered by that paper in terms of various risk categories and their connection with components of insurance company value.
The intention of the exercise was to identify a common set of themes and definitions that would allow Actuarial Professionals to deal with regulators and to foster better understanding and a common language among those charged with developing enterprise risk management systems.
While the developments are welcomed, a number of issues arose from the paper:
∙ Whether the relevant frame of reference in adopting any proposed system of risk classification (see section 3.1 above) should be based on actuarial or risk management practice or regulatory frameworks.
∙ The definition of and nature of “strategic risk” and its relation to other types of risk.
∙ The extent to which the proposed system is applicable to different types of entity.
∙ What particular aspects of “risk” which accountants would deem to be of greater importance than actuaries, and hence are “missing elements” of the proposed framework.
We now briefly discuss some issues related to each of these major concerns.
The Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) framework is based mainly by reference to regulatory frameworks for categorising risk, such as Basel II (III) and Solvency II. Both of these frameworks are in turn based on the “event-based” categorisation system originally developed by the Global Derivatives Study Group (1993), often called the “group of thirty report”. This classified three major types of risk: market risk, credit risk and operational risk. Below these one might add additional elements, such as liquidity risk and insurance risk. There is considerable variation in practice and regulation, such as whether idiosyncratic risk elements such as “strategy risk” should be separately included, and whether “frictional risks” such as accounting or regulatory costs need to also be included.
Most actuaries would regard ERM in connection with relevant guidance by the PRA, IAA or, in the near future, by the proposed Solvency II along those lines. By contrast, most accountants’ understanding of the concept is from a much narrower frame of reference related to general purpose financial reporting. Indeed, ERM for many accountants is understood in connection with “compliance-oriented” internal control frameworks originated out of US legislation. Specifically, in the US context, the Sarbanes Oxley Act mandates relates to the provision of internal control framework that needs to be used to establishing an appropriate control structure for compliance. The act specifies that such a framework is proven and “publicly vetted”, and further recommends the use of COSO framework for general purpose financial reporting in compliance with US GAAP. This suggests that ERM is broader than just the market-based categories identified by the earlier framework.
While financial organisations based in other jurisdictions can choose to use any other framework that fits the criterion described above (including the COCO framework from Canada or Turnbull paper from United Kingdom), the current industry trends in financial reporting suggest that COSO framework as being the one that is widely adopted for companies adopting IFRS.
The COSO framework and the ERM concept were originally embedded in financial reporting, with a focus primarily on accountability to owners or shareholders and the corporate governance issues this raises. This implies a different focus from regulators, who are primarily interested in the total or “enterprise value” focus of the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) framework. Solvency II has given additional impetus to improvements in the regulatory review of returns by insurance companies. However, the implications for accountants and auditors are not yet that clear. In particular, there are corporate governance and aggregation issues related to the fact that the “reporting entity” may be a much higher level of analysis than a regulated entity subject to PRA regulation. It is important to recall that the role of ERM and COSO as “compliance-oriented” internal control frameworks originated out of US legislation. The report by Sir David Walker suggests that “board-level engagement in the high-level risk process should be materially increased with particular attention to the monitoring of risk and discussion leading to decisions on the entity’s risk appetite and tolerance” (Walker, Reference Walker2009).
This implies that board and corporate governance is primarily defined by the COSO ERM framework, whereas, many Actuarial Professionals’ attention is rather confined to relevant pronouncements by the profession, the FSA and the IAA.Footnote 15
3.4. Risk Classification Framework
In this study we consider two alternative methods of classifying risk as a basis for analysis of risk reporting; the Basel II framework as adopted by both the CRO forum and the DSR 5-20 and used as a basis for disclosure content analysis by Horing & Grundl (Reference Horing and Grundl2011), and the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) risk classification framework developed for actuarial use. The key differences between these frameworks is summarised in Table 2.
Table 2 Differences Between Alternative Risk Classification Frameworks
Sweeting (Reference Sweeting2011) notes there are many other types of risk classification, including RAMP, IRM/AIRMIC and COSO. However, it should be noted that the COSO (2012) revised framework does not explicitly define or categorise major types of risk, and in any case is limited to financial risk management systems as regulated under SOX. By contrast, the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) model is more comprehensive because it covers different categories of risk particular to the insurance industry, as well as strategy risk.
There are also a number of proprietary risk frameworks developed by credit rating agencies and while undoubtedly there is controversy of the unit of analysis and the frame of reference, a more practical issue concerns the “auditability” of any proposed system of classification of risks. The Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) model appears primarily geared towards the risk-assessment work the FSA carries out in many financial companies. However, although the requirements are now being implemented, there is little transparency relating to the requirements. Specifically, there is no requirement for auditors to comment on the quality of or reporting on supervisory or regulatory compliance. A similar issue arises for banks with their Basel II to IFRS capital adequacy requirements and reported accounting ratios. Finally, it is surprising that there are still no auditing requirements for the monitoring of Basel II or Solvency II as they are outside the financial statements. In 2009, the FSA proposed that this issue be addressed; however, it has not been subsequently endorsed by the PRS.Footnote 16
There have been recent controversies surrounding accounting manipulation and creative accounting (e.g. AIG, Enron). These have arisen from the scope for banking and insurance entities to place undesirable exposures off-balance sheet. Much of this controversy surrounds the role of functional versus institutional or legal interpretation of accounts. This is currently defined in the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) framework as an issue of “frictional risk” but one wonders whether off-balance sheet exposures are really included in that definition.
An important aspect of the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) is the definition of “strategic risk” in terms of the “inherent goodwill”, which is defined by reference to embedded value. Such numbers are effectively off-balance sheet because they are not currently “recognised” in balance sheets published by insurance companies to satisfy either regulatory reporting or conservative financial reporting; rather they are disclosed by way of footnote or supplementary financial statements. Recent evidence suggests that embedded values are “value relevant” for capital market participants in both Taiwan and the United Kingdom. The evidence appears to condone moves towards such reporting in the revised IFRS 4 (Wu & Hsu, Reference Wu and Hsu2011).
It is possible that an accountant would define “strategy risk” not in terms of the difference between “embedded value” and “total market value” but in terms of the more conservatively defined on (or off) balance sheet equity or book value to market value (market to book). On the other hand, an economist might define it in terms of market to replacement cost of assets (or Tobin’s Q). It is hard to know which is more applicable in the case of insurance companies, except that we know that most of the assets and liabilities are “fair value” and hence the strategic risk would presumably “disappear” since market values are already supposedly recorded on the balance sheet.
In conclusion, while efforts such as those of Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) to classify risks are to be applauded, the interrelationship between strategy risk, ERM practices, and capital management and risk reporting remain obscure. For instance, the footnotes concerning risk management practices incorporate reference to off-balance sheet exposures and the status of ERM implementation and provide details of the outcome of regular supervisory reviews of those practices, thereby enhancing the reliability and transparency of such practices to investors and other users? Such developments can help investors to better appreciate the link between regulatory-based and financial reporting-oriented views of ERM. In particular, one wonders about the role of “model risk” and whether actuaries are prepared to admit that sometimes the “models used” can lead to wrong or erroneous outcomes (e.g. compare the esoteric arguments over the application of alternative fair valuation approaches of either “mark to model” versus “market”-based valuations of bank investments in Greece (Financial Times, 20 August 2011).
Finally, the objective of financial reporting is to prepare and/or audit accounts intended primarily to provide information relevant to capital providers. Analogous to this argument is that the “event-based” classification system appears specifically geared to identifying and “managing” specific sources of asset or liability risk, rather than equity risk. Yet, there are a number of material sources of “equity risk” that raise issues for shareholders. More subtly, there are a number of “unhedged” exposures or “valuation errors” which may themselves be manifestations of actuarial and risk management processes, and are often hidden in form of “reserve” accounts related to “other comprehensive income”. Examples include pension valuation errors, available for sale securities and cash flow hedges and foreign currency translation changes.
These raise issues concerning the appropriate scope and nature of risk reporting practices from various shareholder, regulatory and managerial perspectives. We consider this issue empirically in the next section.
4. Content Analysis of Risk Disclosures by Global Insurers
In this section we report the results of an analysis of risk reporting practices by a sample of global insurance companies. We discuss the sample selection procedures, followed by a brief outline of how the various disclosure indices were constructed. This is followed by a brief outline of the results of our analysis.
4.1. Sample Selection Procedure
The sample is based on the list constituting the Global 25 insurers as listed by AM Best Services for the period 2006–2012, both by sales and assets under management. This results in a final sample of 13 companies as listed in Table 3.
Table 3 Sample of Global Insurers
Of these companies, eightare based in Europe and the remainder either in the United States (two) or Asia-Pacific (three). The business lines vary from life to general, bancassurance, and reinsurance and composite. The analysis reported below was conducted both for individual companies and by region. Since the cultural, regulatory and economic environments in which these companies operated were so diverse, we avoided generalising the results for the entire sample.
4.2. Construction of Disclosure Indices
Three indices used to evaluate the quality of risk disclosures by the sample of global insurance companies that represent the various key accountability relationships as outlined in section 2.2, are defined below, including the major categories of disclosure:
1. Shareholder disclosure index: covers usefulness of general purpose reporting to capital providers; two constructions covering the risk classes – market, credit, insurance and demographic, liquidity, operational, strategic, frictional and aggregation.
2. Regulatory disclosure index: covers robustness and prudence and objectives per Pillar III type disclosures – principles, recognition, measurement, strategic, functional.
3. CRO reporting index: covers resilience of companies’ internal processes to sustain competitive advantage: principles, recognition, measurement, strategic, functional.
The shareholder disclosure index was constructed in the following four steps:
i. Index construction. This was based initially on the Horing & Grundl (Reference Horing and Grundl2011) approach as outlined in section 3.3 above, with a maximum of 45 “points” possible for each of the six major categories outlined in Table 2. It should be noted that the possible number of points available under each category differed, ranging from 15 points for the “risk overview” and 14 points for the “insurance risk” categories, to only 4 points for each liquidity and operational risk categories.
ii. Scope of analysis. Annual reports that are available on the website of each of the sample companies identified in Table 3 were then analysed for each year 2006–2012, consecutively. A keyword search was then conducted to identify each of the items, with a score of 1 if fully disclosed (based on a subjective judgement about the frequency of keyword occurrence, in this case judged to be at least six separate disclosures), 0.5 if partly disclosed (between one and five disclosure instances) and 0 otherwise. This process was repeated for each company annual report and for each of the six categories identified in Table 2. This resulted in a total score out of 45 points, which was recalculated to a score out of 100 points to ensure consistency with the disclosure indices outlined below.
iii. Recalibration (Kelliher et al., Reference Kelliher, Wilmot, Vij and Klumpes2012). The same procedure for index construction was applied, but using the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) system of risk classification instead. The generic category “risk overview” was replaced with a combination of strategic, frictional and aggregation risk categories that added to a maximum of 15 points. Further, the identified sub-components of each risk category was changed from a description of the standard procedures used to quantify the risk as performed by Horing & Grundl (Reference Horing and Grundl2011) to functional sub-categories that are unique to each category risk as identified by Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012). For instance, in the case of market risk, the standardised (Horing & Grundl, Reference Horing and Grundl2011) sub-categorisation of descriptions of definitions, limits, risk mitigation, VaR, stress tests and stress tests were replaced with identified sub-categories of market risk such as equity, property, interest rate, bond, commodity and foreign exchange risk.
iv. Recalibration – reweighting to non-financial risks. Finally, to reflect our concern that the (Horing & Grundl, Reference Horing and Grundl2011) risk categories over weighted financial versus non-financial risks, the above procedure used to construct the disclosure index under Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) was reweighted so that sub-totals for each category of risk were equalised, except for insurance risk. This meant, for example, that market and credit risk were reduced from 6 to 5 points, insurance risk reduced from 14 to 10 points and all other risk categories increased to 5 points each. This resulted in a “reweighted” total disclosure score for each company.
Steps 1 to 3 above were repeated for the construction of separate disclosure indices reflecting regulatory and “managing the business” perspectives. For the regulatory reporting perspective, the five major functional (Kelliher et al., Reference Kelliher, Wilmot, Vij and Klumpes2012) categories identified above were again used but their sub-categorisation was slightly altered reflecting the interests of a regulator, rather than for an external user. These were weighted equally with 6 points each, adding to a sub-total of 30 points. In addition, four new categories of risk-related disclosure were identified that were specific to the different stakeholders. These comprised general disclosure principles (12 points), specified areas of disclosure (26 points) and measurement issue (22 points) categories were identified, as well as strategic issue category (10 points) concerning reference to Solvency II and ERM adoption. These were again totalled to a maximum possible score of 100. The weighting of each of the four new categories relative to the standard functional risk category as used in the shareholder disclosure index based on the relative perceived importance of such disclosures to other users.
4.3. Descriptive Statistics: Overall Average Disclosure Scores
Table 4 summarises the average disclosure scores (out of a possible 100 maximum), for each of the sample companies and by region for the study period 2006–2012, for the shareholder, regulatory and managing the business (internal) disclosure indices, respectively. Standard deviations are shown in brackets below the average scores.
Table 4 Average Disclosure Indices by Company
Standard deviation in brackets.
The results reported in Table 4 support our prediction that on average European companies have significantly higher overall levels of disclosure than either US or Asia-Pacific competitors. This result is consistent across all disclosure indices, except for the regulatory disclosure index, where Asia-Pacific companies are comparable to European companies. By contrast, US companies have generally relatively poor levels of disclosure, except from an internal business reporting perspective.
In general, the disclosure quality is highest in all three regions under the regulatory perspective, whereas it is the lowest for the Horing & Grundl (Reference Horing and Grundl2011) based shareholder perspective for Asian and US companies, and for the Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) based shareholder perspective for European companies. This should not be surprising given the significant level of regulatory oversight of insurance companies worldwide.
On a company-specific basis, Allianz (Horing & Grundl, Reference Horing and Grundl2011) and Axa (Kelliher et al., Reference Kelliher, Wilmot, Vij and Klumpes2012) and reweighted provide the highest average level of disclosure quality, while AIG provides the highest quality disclosure under the regulatory perspective. Zurich has the highest quality average disclosure under the internal management perspective.
By contrast, Di-ichi has consistently the lowest quality disclosure of all companies, for all perspectives. These results are again consistent with our expectations, since the larger and most politically visible companies in the European and US regions tend to face greatest incentives to disclosure more risk information, particularly given the relatively high levels of underlying risk exposure they face. By contrast, the Japanese companies are relatively opaque in terms of risk disclosure quality, a result that is also consistent with prior international-based studies of disclosure quality generally.
4.4. Descriptive Statistics: Detailed and Time Series Analysis
Figures 1–5 report the overall breakdown of the major sub-categories of risk disclosure to shareholders, i.e. market, credit, liquidity, operational and strategy risk.
Figure 1 Market risk disclosure
Figure 2 Credit risk disclosure
Figure 3 Liquidity risk disclosure
Figure 4 Operational risk disclosure
Figure 5 Strategy risk disclosure
The breakdown outline of major trends can be summarised as follows:
∙ Market risk (Figure 1): average European and Asia-Pacific regulatory disclosures score similar and scoring less than half of available scores, average European, US and Asia-Pacific companies score similar for CEO disclosure scoring less than half of available scores, while average Asia-Pacific and US companies score higher than European companies on shareholder, and scored more than half of available scores.
∙ Credit risk (Figure 2): European companies and Asia-Pacific companies broadly similar on regulatory disclosure and relatively high scores. European, US and Asia-Pacific companies broadly similar on CEO disclosure and relatively high scores. Asia-Pacific companies scored highest on shareholder disclosure than either US or European companies. However, there is no clear trend towards improvement year-on-year post-crisis.
∙ Liquidity risk (Figure 3): average European companies and Asia-Pacific companies score broadly similar. Average European, US and Asia-Pacific companies score broadly similar. Average Asia-Pacific companies score highest than either US or European companies on shareholder disclosure. However, again there is no clear trend towards improvement year-on-year post-crisis.
∙ Operational risk (Figure 4): average European companies score higher than Asia-Pacific companies on regulatory disclosure. Average European companies, US companies and Asia-Pacific companies score broadly similar on CEO disclosure, scoring less than half of available score. US companies scored highest than either Asia-Pacific or European companies on shareholder disclosure, scoring more than half available scores.
∙ Strategy risk (Figure 5): average European companies score higher than Asia-Pacific companies on regulatory disclosure (one-third of available scores) difference between the regions. Average European and US companies also score higher than Asia-Pacific companies. Average US companies score higher than either European or Asia-Pacific companies on shareholder disclosure. Out of 11 points, US companies scored 4 points more than Asia-Pacific companies.
The overall results and trends are consistent with our expectations. European firms have relatively higher quality disclosure in the areas of market, operational and strategy risk from a regulatory perspective, whereas US companies on average produce higher quality reporting of market, liquidity and credit risk from a business-internal perspective. The shareholder results by risk category are more equivocal and depend on whether a Horing & Grundl (Reference Horing and Grundl2011), Kelliher et al. (Reference Kelliher, Wilmot, Vij and Klumpes2012) or reweighted index basis is used.
The trends over time are also very significant for most firms with a significant increase in disclosure quality after the financial crisis took effect in 2007–2008. There is a continuing increase in the quality of all types of disclosure in the latest period, 2011–2012, suggesting that the overall complexity and sophistication of communication of various risks has improved significantly. However, whether this improvement is because of pure managerial effort or regulatory environment changes is an unresolved question that requires further analysis beyond the scope of this paper.
5. Survey of Internal Reporting Processes
Although the various perspectives on disclosure analysed above include risk related to “managing the business”, the empirical evidence concerning the quality of external disclosure practices provides relatively little insight into the nature and extent of risk reporting within organisations from an internal, management perspective. We therefore additionally conducted a brief survey of the scope, nature and quality of internal risk reporting processes within the sample of global insurance companies. This section briefly summarises the design, administration and results from this survey.
5.1. Design of Survey Instrument
Appendix 3 summarises the survey instrument that was administered. The survey focused on the following five qualitative attributes of risk reporting quality that we have previously outlined in section 3; governance and fit for purpose, risk to overall risk appetite, usefulness and capabilities of risk reporting. The survey was originally designed to be self-assessed and targeted to the main internal user of internal risk reporting within global insurance companies. While we did not designate an exact title of this person, it was assumed to be the CRO or similarly titled senior executive.
Each of the four sections involved up to 12 closed form questionnaires that facilitated an unambiguous response, or at least provided for some uncertainty into the scope of answers expected.
The main purpose and nature of each of these five sections are outlined briefly below.
i. Governance and fit for purpose: this section was intended to provide some insight into the overall organisational framework in which risk reporting processes are generated and produced. There is a scope for ambiguity and duplicity of purpose and the deemed significance of the reporting for due diligence and performance management.
ii. Relevance and usefulness: this section focused attention on whether risk reporting processes were deemed to be used primarily for planning and control or for operational and strategic decision making. There is some scope for participants to comment on the overall significance of the process.
iii. Risk appétite: the main purpose of this section was to identify and comprehend the extent of integration between risk reporting and other key managerial decision-making processes. Relevant considerations include both the granularity of reporting and identifying the appropriate risk owner within the organisation to which the reports are sent.
iv. Reporting capabilities: this section focuses mostly on the scale, scope and complexity of risk reporting and its location within the overall system of managerial provision of information inside the organisation. Issues include confidence in and complementarity of risk reporting processes with other aspects of managerial information systems.
5.2. Survey Administration
The survey was administered initially via the CRO forum of the Actuarial Profession and through identification and call for participants both at the 2013 Risk and Investment Conference in Brighton and via the profession’s website. External media sources (e.g. ai-CIO) also provided some publicity for the survey to intended participants.
The survey was administered via a survey monkey run from the profession’s own administrative sources. The results were anonymised so that participant’s names, company positions and companies could not be reported or monitored. While this step ensured anonymity of response it also severely constrained the ability to interpret the results in conjunction with the disclosure content analysis results reported in section 4 above.
5.3. Survey Results
Overall, there were ten responses to the survey, although it could not be verified that the respondents were uniquely and solely connected with the sample of global insurance companies, as reported in Table 1. However, as it was made clear in the instructions and questions, the survey could only be realistically completed by the status, profile and seniority of management role that was intended by the survey. Consequently, we have sufficient confidence that notwithstanding these caveats, the results are reasonably reflective of the type and role of person responsible for receiving and acting upon internally generated risk reports within global insurance companies.
A brief outline analysis of the major results obtained in the survey by major section outlined in section 5.2 is summarised below:
i. Governance and fit for purpose: most respondents expressed confidence in the purpose and appropriateness of their risk reports. However, nearly half of respondents indicated that the terms of reference for various management committees did not include requirements for risk reporting. A majority of participants also expressed frustration that there were elements of reporting that were relatively routine in nature and not directly relevant to overall strategic decision making. In terms of content, most recipients also noted that escalation triggers and processes were not well defined. Only a slight majority of participants felt that all risk reports were directly useful to strategic decision making. In terms of production processes, actuarial functions in most organisations were mostly responsible for the production and analysis of risk reports, but not their design, delivery or review.
ii. Relevance and usefulness: the overall content and presentation was felt to be subject to information overload problems. There is an even mix of companies where internally generated risk reports are also used for external reporting. Most users felt that management committees’ understanding of risks diverged from the business functions’ view. The challenge and discussion of risk reports is mostly evidenced by minutes and formal documents. Only a slight majority of participants agreed that the audience was sufficiently informed of reliances and limitations underlying the reports.
iii. Risk appétite: a majority of participants felt that risk reporting processes were generally credible but that more granularity is required. Only a slight majority agreed with the assertion that risk owners understand the risk reporting and the business risk drivers thereby communicated therein. Most also were equivocal as to whether risk owners actually use risk reports in the business.
iv. Capabilities: most respondents agreed that different reporting systems are only partially in synergy with other reporting systems and consistent in terms of the information and data. Most also felt that internal risk reporting units did not have sufficient resource capability to be effective. A slight majority had a high level of confidence in the information and data load effectiveness of risk reporting processes. Most respondents also felt that risk reports were not particularly timely and that a minimum of a week was needed to gain access to consolidated financial information.
5.4. Discussion of Overall Survey Results
The overall survey results provide only equivocal evidence that internally generated risk reports are useful and relevant to key strategic decision makers within global and complex insurance organisations. Furthermore, while actuarial departments play a key role in these processes, their influence appears to be relatively limited in scope. Finally, the results support the conclusion that risk reporting capabilities and processes are only part of the full management information systems used and applied by key decision makers in executing their responsibilities. Accordingly, there seems to be further scope for improvement in the design, application and communication capabilities of internally generated risk reports.
6. Conclusion
In the light of the financial crisis and ongoing evolution of regulatory change and global competitive challenges, the topic of risk reporting is becoming increasingly important to the effectiveness of professional actuaries in reporting their duties of accountability to external stakeholders, regulators and internal decision makers. However, there is little systematic evidence available on the nature, scope and usefulness of risk reporting processes that contribute to both external and internal communications within large, complex and multinational insurance organisations. As one of the key professional gatekeepers for the efficient and effective management of global insurance enterprises, the Actuarial Profession plays a key role in facilitating further dissemination of information concerning best practices in risk reporting.
This paper contributes by providing evidence concerning the quality of both external and internal risk reporting processes within these contexts. An important insight is that risk reporting should not be seen primarily from a shareholder, regulatory or internal perspective. But is in reality serves multiple and potentially conflicting objectives in creating and then meeting the expectations of these key stakeholders. While our research is necessarily limited in scope and scale, we have sought to identify the main trends in terms of the content and presentation of risk reporting both as components of comprehensive general purpose external financial reports, and as idiosyncratic and tailored internally generated risk monitoring and communication systems within global insurance enterprises.
Another key contribution is that we have sought to delineate alternative approaches to understanding the underlying terms of reference related to corporate governance and accountability that pervade insurance enterprises that operate in culturally different regions of the world.
Our major findings concerning the content analysis of risk reporting practices by a sample of globally leading insurance enterprises in the period before, during and after the financial crisis. Our evidence supports the conjecture that the European insurance industry provides significantly more sophisticated and complex risk reporting than their US and Asia-Pacific competitors, particularly to shareholders and regulators. By contrast, US-based global insurance companies tend to focus their risk disclosures on informing a management perspective on risk disclosure effectiveness.
Additional survey evidence on the disclosure effectiveness of internally generated risk reports are more equivocal as to their usefulness and relevance to key strategic decision makers. While there is general consensus that most internal risk reporting processes fit the corporate governance setting for which they were designed and are generally useful, there is some concern that they are not necessarily fit for purpose both as to their reliability and their salience to key strategic decision. Moreover, it appears that the actuarial function within these organisations has only limited influence over the design and review of these internally generated risk reports. Finally, the survey evidence appears to reveal problems of information and data overload that significantly mitigates the usefulness of risk reporting processes for key strategic decisions.
Our research evidence is subject to a number of caveats:
∙ Our disclosure content analysis is necessarily constrained by the limitations associated with the subjectivity and arbitrariness of disclosure content analysis techniques.
∙ We were unable to undertake a more comprehensive study owing to the limitations of our terms of reference.
∙ We did not achieve sufficient scale and scope of analysis to provide more sophisticated analysis of the determinants of risk reporting practices. For example, it is important to determine whether the nature and extent of risk reporting practices is associated with higher risk to reward ratios, and/or greater incentives facing management to invest in risk resilience processes, such as ERM systems and business continuity plans.
∙ The external validity of our survey results was constrained by the need to assure anonymity of respondents to assure a relatively high response rate. Consequently, we were unable to fully corroborate and integrate the results of our externally and internally oriented research components.
Subject to these caveats, our research results have a number of public policy implications:
∙ There is an urgent need for the Actuarial Profession to provide more specific guidance on the qualitative and quantitative aspects of specified form and content of risk reporting that can be applied by practitioners in real world settings.
∙ There is also a need for public policy making bodies to balance the desire for quantification of well-specified and operationally frequent risks related to market and credit risk with less measureable yet more strategically significant operational and frictional risks.
∙ An important consideration is the disclosure effectiveness of risk reporting and whether or not framing and mental accounting limitations in processing risk communications facilitates or hinders disclosure effectiveness, and the extent to which actuaries’ expertise in understanding risks can help to overcome such limitations.
∙ The Actuarial Profession needs to invest more resources to undertake more sophisticated research, particularly as regulatory, market and economic demands for more decision relevant risk reporting evolves.
Further research is needed to extend these findings in other risk reporting and communication contexts where actuaries can and do provide expertise and guidance. For example, international comparisons between jurisdictions that provide greater or lesser sanctions for voluntary and or mandated forms of risk reporting. It is also important for risk communications generally in other decision-making contexts, particularly those involving significant elements of ambiguity. This is particularly pertinent given the increasing integration of multiple and potentially conflicting stakeholder, shareholder and regulatory imperatives for more reliable and relevant, comprehensive risk reporting systems. Risk reporting processes are also more dynamic than traditional “value-based reporting systems” in the sense that the “loss or gain” associated with a given risk outcome may be due to subtle interactions between environmental, political and/or financial considerations affecting the allocation of risk capital. Finally, it is important that research provides more guidance to assist the profession to develop more specific guidelines for its members to adhere to minimum standards of ethical behaviour and conduct risk in preparing, validating and communicating risk-based information to decision makers.
Acknowledgements
We would like to take this opportunity to thank a number of people involved in this project, particular thanks go to Elliot Varnell for his sponsorship, to Dawn Macintosh and Diane Wilson for their support, to Sarah Mathieson and the research team for their patience, Chiara McCormack for her editorial support and especially Tracey Zalk for her high quality research assistance. We would also like to thank the numerous other members of the Actuarial Profession who gave up their valuable time to contribute to the formulation of our ideas and comment on our results. Finally, we would like to thank the CRO forum for their time and patience in road testing our ideas, and to participants in the various Risk and Investment Conference events in Leeds and Brighton for their interest in our topic. We also thank the very helpful comments provided by the two independent reviewers of this paper.
Appendix 1 – (Basel Committee on Banking Supervision (BIS), 2013) Key Principles for Risk Reporting
1. Governance: a bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements, consistent with other principles and guidance established by the Basel Committee.
2. Data architecture and IT infrastructure: a bank should design, build and maintain data architecture and IT infrastructure that fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.
3. Accuracy and integrity: a bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.
4. Completeness: a bank should be able to capture and aggregate all material risk data across the banking group.
5. Timeliness: A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability.
6. Adaptability: a bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting request.
7. Accuracy: risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
8. Comprehensiveness: risk management reports should cover all material risk areas within the organisation.
9. Clarity and usefulness: risk management reports should communicate information in a clear and concise manner.
10. Frequency: the board and senior management should set the frequency of risk management report production and distribution.
11. Distribution: risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
Appendix 2 – Working Party View of Risk Summary
Appendix 3 – Risk Reporting Questionnaire
Internal Risk Reporting Survey Questionnaire (Risk Reporting Working Party)
Dear participant
UK Actuarial Profession had formed a working party last year to understand various risk reporting practices within insurance companies. The mandate of the party was to investigate across three domains – external shareholder reporting, regulatory reporting and internal risk reporting. Whilst investigation in the first two domains can be carried out on publicly available information, internal risk reporting requires interaction with companies to form a correct view. We have therefore drafted this short survey to assess the state of the internal risk reporting and would be grateful if you can complete this survey.
The scope of internal risk reporting includes all management information and reports that are produced solely for the business management purposes. Survey questions are not related to any company-specific practice but are related to a general reporting framework for these reports.
The survey focuses on the following key aspects of the internal risk reporting:
∙ governance;
∙ fit for purpose;
∙ link to risk appetite framework;
∙ use of risk reporting;
∙ reporting capabilities.
The following should be noted in respect to this survey:
∙ The survey is intended to be a self-assessment and we will not superimpose this self-assessment with our view.
∙ The results of the survey will be collated on an anonymous basis and the confidentiality of your responses will be totally respected: a written assurance can be provided on this point if desired.
∙ The survey will be incorporated into a broader analysis of the incidence and prevalence of risk reporting practices by global top 25 insurers over the period 2006–2012.
∙ This will be presented to the profession in November and subsequently published in British Actuarial Journal: copies of the final published discussion paper can be provided on request.
∙ We hope to distil and combine the findings into a broader study of the connections between corporate governance and risk reporting practices in the financial sector and hope that you will continue to be interested in participating in such studies in the future.
Our intention is to share the collated results of the survey with all participants through a round table conference where the results will be discussed and further insights will be shared.
We hope you find this survey useful and informative in provoking your thoughts on this particular topic and we look forward to your participation.
Risk Reporting Working Party
UK Actuarial Profession
1.Governance
1.1.Is there an overall risk reporting framework that sets out what elements should be reported to the various committees?
□ Yes
□ No
1.2.Have the risk reports been specifically aligned to assist the committees in discharging their responsibilities as set out in the committee terms of reference?
□ Yes
□ No
1.3.Is there duplication of information between different committees? And if so, are these overlaps clear?
□ Duplication but clear and felt appropriate/essential
□ Duplication but not clear
□ No duplication
1.4.Are risk reports consistent between different committees or different audiences?
□ Yes
□ No
If the answer to the above question is NO, comment on how consistency is ensured. Is there any control mechanism?
1.5.Do the Terms of Reference for various management committees include requirements for risk reporting and how these should be used?
□ Yes
□ No
1.6.Are there elements of the reporting which are relatively routine in nature and not directly relevant to overall strategic decision making?
□ Yes, due to unnecessary and/or excessive reporting
□ Yes, due to inappropriate reporting (e.g. untimely or irrelevant)
□ Yes, due to ineffective decision making processes
□ No
1.7.Are key aspects of risk reporting appropriately explained in the risk committee reports?
□ Always
□ Most of the times except when there are new additions
□ There are always questions on the risk measures
1.8.Which of the following are covered under the definition of the scope of risk reports?
□ Business in scope (Legal entity, product etc) □ Frequency
□ Risk measures □ Link to materiality
□ Type and nature of risks in scope □ Time horizon
□ Purpose □ Expected use
□ Audience
1.9.Is the governance and control process around changing the scope of risk reports well defined?
□ Yes
□ No
1.10.Are escalation triggers and escalation processes well defined?
□ Yes
□ More work is required
□ No
1.11.Are al l potential breaches effectively anticipated and reported in a timely manner?
□ Yes
□ No
1.12.Does management perceive that all risk reports to be useful in directly facilitating overall strategic level accountability and performance in encouraging accountability?
□ Yes
□ No
1.13.Which functions are responsible for the design, production, delivery and analysis of different reporting aspects?
2.Relevance and Usefulness
2.1Is the overall general content and presentation risk reports generated normally appropriate to your requirements?
□ Just right
□ Should be significantly reduced
□ Should be slightly reduced
□ More should be generated
2.2Is the risk classification scheme normally underlying risk reports consistent with that used to manage the strategic risks of the business?
□ Fully consistent
□ Broadly consistent
□ Significantly inconsistent
2.3Is the reporting focused on downside control or does it also include the identification of opportunities?
□ Downside control only
□ Some focus on opportunities as well
□ Balanced focus on both aspects
2.4Is the trade-off between relevance and reliability appropriate given the nature, scale and complexity of the overall strategic risk decision making process?
□ Yes
□ No
2.5Do you include forward looking projections in your reports?
□ Yes, in line with the business planning period
□ Yes, different time horizons for different measures
□ No
2.6Do you include stress and scenario tests?
□ A range of what-if scenarios
□ A range of what-if scenarios including reverse stress test
□ Only certain regulator prescribed scenarios
□ Only sensitivity testing
□ Do not include this analysis
2.7Are the risk reports focused on retrospective compliance with targets or also include future actions?
□ Compliance only
□ Compliance and actions both
2.8Which major category of risks are primarily focused on in the risk reporting process?
□ Market/financial risks because they are material
□ Market/financial risks because there is a better reporting process around these
□ Market/financial and Insurance risks but no operational risks
□ Market/financial, Insurance risks and operational risks
2.9Are risk reports leveraged to support the external reporting?
□ Yes, to an extent as same source is used
□ Yes, synergies between two processes
□ No, as two different processes
2.10Are there occasions when the management committees’ understanding of risks diverges from the business functions’ view?
□ Yes
□ No
2.11Do risk reports provoke sufficient discussion and challenge in management discussions?
□ Yes, on specific topics
□ Yes, on specific topics as well as regular reports
□ No
2.12How is the discussion and challenge evidenced?
□ Minutes and formal documents
□ Actions from the meeting followed up
□ Not sufficient documentation
□ Not applicable
2.13Is the audience sufficiently informed of reliances and limitations underlying the reporting, including areas of significant approximations or judgements?
□ Yes
□ No
3.Link to risk appetite and use
3.1Do risk reports include the monitoring of risk exposure against the stated risk appetite?
□ Yes
□ No
□ In the process of development
3.2Do you use the risk reporting to drive business and strategic decisions?
□ Yes
□ No
□ In the process of development
3.3Are risk reporting processes sufficiently salient and granular enough for managing the strategic risks affecting the business?
□ Yes, credible and granular
□ Yes, credible but more granularity is required
□ Yes, granular but not credible as inconsistency between reports
□ No
3.4Do the risk owners (1 st line/business functions) understand the risk reports and have the understanding of risk drivers in the business?
□ Yes
□ To an extent
□ No
3.5Do the risk owners (1 st line/business functions) use the risk reports in the business?
□ Yes
□ To an extent
□ No
3.6Is the risk reporting process integrated with other business processes?
□ Business planning
□ Capital management
□ Investment strategy
□ All of the above
4.Reporting capabilities
4.1Which reporting systems are equipped to generate reporting information on a timely, regular, as well as ad hoc basis?
□ IT systems
□ Data warehouse
□ Dedicated ERM databases
□ Actuarial and Risk Models
□ All of the above
□ None of the above
4.2Are different reporting systems (e.g. Finance and Risk) in synergy and are consistent in terms of the information and data?
□ Yes
□ Broad synergy
□ No
4.3Does the internal risk reporting unit currently have sufficient resource capability to effectively identify; analyse; evaluate and communicate information about emerging strategic risks affecting the business?
□ Yes
□ Requires further development
4.4What level of confidence do you generally have in the information and data load effectiveness of the risk reporting processes underlying the risk reports?
□ High
□ Medium
□ Low
4.5What type of IT structure exists in your company?
□ Centralised
□ Decentralised ((i.e.) business unit, regional)
□ Mixed
4.6What is the minimum ‘lead’ time you need to get access to consolidated financial information?
□ 1 day
□ 1 week
□ Fortnight
□ Month
