Hostname: page-component-745bb68f8f-d8cs5 Total loading time: 0 Render date: 2025-02-06T11:23:43.189Z Has data issue: false hasContentIssue false
  • English
  • Français

A common risk classification system for the Actuarial Profession ‐ Abstract of the London discussion

Published online by Cambridge University Press:  25 January 2013

Patrick Kelliher
Rights & Permissions [Opens in a new window]

Abstract

This abstract relates to the following paper:

KelliherP.O.J., WilmotD., VijJ. and KlumpesP.J.M.A common risk classification system for the Actuarial Profession ‐ Abstract of the London discussionBritish Actuarial Journal, doi:10.1017/S1357321712000293

Type
Sessional meetings: papers and abstracts of discussions
Information
British Actuarial Journal , Volume 18 , Issue 1 , March 2013 , pp. 122 - 144
Copyright
Copyright © Institute and Faculty of Actuaries 2013 

The Chairman (Mr J. Constantinou, F.F.A.): I should like to introduce Dr Klumpes who is one of the authors of the paper.

Dr P. J. M. Klumpes, F.I.A. (introducing the paper): We are concerned about enterprise risk management (ERM) and are concerned about having a common risk classification system for the profession, a common language for discussion. Obviously, we are not trying in any way to come up with one size fits all, we are trying to find common themes among the diversity that we find. There is no requirement or indication that actuaries have to adopt the common classification system but it could provide a useful touchstone and frame of reference when having a discussion about risks.

We will start with the multiple of different systems that might exist. We will then move on to some of the problems of that and then introduce our own risk classification system.

The various regulators have alternative definitions of risk. The Financial Services Authority (FSA) is one of the starting points although we know there will be other ones in Asia Pacific, the United States (US), and so forth, and the FSA hand book does provide a fairly definitive kind of identification of the major risks based on what you might call the standard of identifying market and other categories. But we note that of these, although there is reference to a specific insurance one and a group risk, there is not a reference to strategy risk which is something we might pick up on later.

We then move on to the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) in Germany and a much more detailed overview of the risk approach, and will pick up from things like concentration risk, strategy and reputation; kinds of risks that were not necessarily picked up by other regulators but as seen by BaFin as being important, and also the concentration risk is separated from things like credit risk.

Going on to corporations, and the firms as players rather than the regulators, each of them has some of their own themes that they will bring in. We have taken a few examples, one being a bank and an insurer, Lloyd's Banking Group. You will notice three of the categories, the market, credit and operational risks are consistent with what you might expect from a Basel Committee viewpoint as being the essence of capital requirements. They do claim to use an enterprise risk management framework for identifying, assessing, measuring and managing risk, but it is surprising that some of the other sources of what you might call idiosyncratic risk, such as concentration or reputation, are not defined.

Also, although operational risk seems to be based on the Basel II framework, the Solvency II framework is easing in there a little bit with some of the concepts of financial soundness and insurance. Again, a little bit of their own perspective or their own way of defining those risks.

Moving on to a more straightforward insurance application, Prudential, with its broader exposure, defines risk more consistently with those of the Solvency II in terms of the various insurance risks now being spelt out in terms of persistency, expense risks, and so forth. But they also, interestingly, have a definition of strategy even in business environment risks which are not strictly in the regulatory ones.

It is interesting with the idiosyncratic risk factors which are coming out which may be of interest given their experience with trying to pick for Asian insurers or not.

For Aegon, a Dutch insurer, they do not seem to refer to market and credit risk specifically. However, they are connected to mis-matching and investment and counterparty risks. One wonders why this mis-matching is so important for them. They must have reasons for displaying it that way.

This is just a very brief overview of some examples and is not comprehensive. Even at a very high level there is scope for confusion. There are different classification systems around. Specifically, as you go down and you start trying to drill down from top down, further confusion is possible.

There are some common categories and there are also some differences in terminology, particularly in the context of strategy risk. For instance are spread movements a credit risk or market risk? In general, you end up with a Tower of Babel confusion. That is one of the reasons why our committee would like to make a contribution.

Does it matter that there is confusion? Maybe dissembling is part of the routine. We think that it is a problem. It would inhibit discussion, and certainly researchers would get confused if they are not sure what the professionals think or what the regulators think.

In particular, it is important for the profession, in driving into areas like ERM, to see things holistically, to be able to have a discussion, that we all have a common language, about distinguishing between things like operational and strategy risk, and also in terms of Solvency II, the internal model, the Own Risk Self Assessment (ORSA) requirements. There is a need for trying to have a level of understanding at a slightly more granular level.

So different terminology therefore can provide a language barrier to find further discussion of progression into these important areas of the future of the profession.

Take Solvency II, just for an example. Mortality risk may depend on whether it is important to the business or not. There is an issue about the interaction between operational and strategy risk. There could be differences in demarcation perhaps or the line of business. Similarly for ORSA, we might want breakdown risks of equity risk into different parts. One way of doing that would be to think about what is diversifiable or what is not, parts that require market capital risk.

Again, different companies may have different views about how that is separated or distinguished. Clearly the Capital Asset Pricing Model (CAPM) will distinguish between the market risk and the non-diversifiable risk of a firm.

Essentially, what we are trying to do is to think about some common broad principles. I will introduce the overall risks framework where we start with trying to understand embedded value (which in itself is a carry on to shareholder net assets and the value in force) and relating that to essentially the Basel II elements of the market, credit, insurance and demographic risk, and then we have to think about the operational risk that contributes to that which is consistent with the Basel and the FSA framework.

Then we might want to add on liquidity risk to highlight the issues for the ability to service or deliver risk mitigation or risk transformation of the normal risks. Liquidity risk is also something which is becoming more important for the banks with the management of liquidity risks as well. Then one has to think about the issues of aggregation and interaction between those risks. We can then say maybe we can do a bit more and go to a BaFin world where we really want to define strategy risk. If strategy risk is then defined in terms of some element like covering the franchise value, the internal, the external aspects to the business (the intangibles), then you might equate that more to the goodwill of the business, however you might define that as an actuary in terms of the excess of reward to embedded value, or as an accountant to book value, or as an economist in terms of a Tobin's Q, but obviously that is at a higher level.

Getting up to the final level, the enterprise risk management, you might also be concerned about frictional risks. Frictional risks are about regulatory capital, accounting requirements, the inefficiencies of having to tie up different business lines or trying to persuade a regulator or your policy-holders that you have financial soundness.

Therefore that will give us a slightly better overview. In addition to the cash-flow orientated business lines there are also the cosmetic issues that have to be managed and lead to information asymmetries across regulatory spaces.

Mr P. O. J. Kelliher, F.I.A.: We have come up with the usual suspects of market, credit, insurance, operation and liquidity risk. We also have strategy risk covering threats to goodwill, frictional risk and then obviously the aggregation piece looking at the overall interaction.

We had a bit of debate whether we should look at events based classification or causal classification. In the end we opted for event-based classification. Take Northern Rock as an example. We said that that was a run on the bank which was a liquidity risk. We are not looking back anymore to say for instance there were some problems with the strategy, or maybe there were some problems with the governance. We feel causal analysis is very important. But a lot of the time you might find that there are two or three causes to a single event. That is why we started to focus on events.

Another concept is that focus of the common language is on gross risk and generally do not really talk about controls except in the operational risk context.

In particular, we do not really have a category called asset liability management risk. We are treating asset liability management as a control as opposed to a risk.

With regard to reputation risk, Dr Klumpes mentioned that some regulators are starting to look at this. We put this under strategy risk. Reputation damage can also lead to various other impacts on the business like mass withdrawals and lapses. I think we have already got those covered under persistency risk and liquidity risk.

Finally, we generally allow for regulatory capital and accounting impacts as well as economic impacts, under the same heading but we need to have a separate category under frictional risk for changes in regulatory capital requirements.

I should now like to go through what we did in the common language for individual categories and to highlight some of the problems that we came across.

Starting with the market risk, the FSA gives a very good definition of market risk. Our classification system covers the same ground with equities, properties, commodities, etc. The one difference is we looked a bit more into inflation. We made a distinction between changes in implied inflation and actual inflation. We felt that there was a need to distinguish between them.

Within each category, we then broke them down a lot further. We said if you look at equity risk, for instance, you can split that into specific risks relating to individual shares and sector impacts, and general market risk, in line with CAPM. You also have income risk, relating to dividends; implied volatility risk in terms of options relating to equities and model risk for adverse changes in assets and liabilities where you mark these to model.

Finally, you have a basis risk component relating to residual differences between movements in a particular exposure and assets intended to hedge this out.

In terms of the demarcation issues that we came across, the first one is private equity. Is it a distinct category in itself or subcomponent of equity risk? We assumed it is a component of equity risk. I am sure many other people would disagree. A key point to be clear on when discussing equity risk is whether or not it includes private equity.

Next, interest rate risk: how do you define interest rate risk? You can probably define it in terms of a risk free rate and movements in risk free rate. But what is that risk free rate? Is it gilts? Is it swaps? I do not think that debate has settled yet. We went for swaps as we believe that is where Solvency II seems to be going to.

To what extent are market movements driven by market risk or liquidity risk factors? We felt there was a need for demarcation there. How we demarcated it was if you have a fall in the mid-price of assets then that is market risk. But if you had another fall in your bid value due to a widening bid/offer spread from market-makers, then that is a liquidity risk. It is one way potentially of addressing this demarcation issue.

Another demarcation issue related to rogue trading. Is it operational risk? Is it market risk? We have included it under operational risk as while the loss is market related, it is contingent on an operational failing.

Lastly, sometimes falling equity markets will have an impact on the sales of equity-based products. We have said that that is strategy risk as opposed to market risk.

Turning to credit risk, we looked in a number of key different variables under credit risk:

  • Probability of Default.

  • Exposure At Default.

  • Loss Given Default.

  • Migration risk covering the risk of downgrades including the risk that you might need to increase your bad debt provisions due to internal rating changes.

Again, as for market risk, we have further broken credit risk down in the common language into a number of components:

  • Model risk – e.g. changes in bad debt provisions which might be driven by a model change.

  • Process risk – which relates to random fluctuations and their impact on individual risks

  • Parameter estimation risk – relating to the element of statistical error around any kind of estimate of, say, the probability of default.

  • Regional and sub-portfolio impacts – just like you have sector impacts in market risk, you will have regional or sub-portfolio impacts under credit risk. For instance, if you have a mortgage book you might be concerned about the impact of a downturn in a particular region as well as the impact of a nationwide downturn.

  • Domestic and overseas shocks – noting that overseas shocks could include some sort of currency shock, restricting repayment.

In terms of demarcation issues, the key issue we had was with bonds. How do you distinguish between a spread movement under market risk, and default and downgrade, which is credit risk? What you tend to see is that by the time a bond is downgraded or it defaults, a lot of that impact has already been built into the market price in terms of spread rises beforehand.

We came up with a compromise by treating only those movements arising immediately after a default or downgrade event as being the credit risk component. I know that people in practice might ask what the distinction is. I think it is a very grey area.

Another area where we found confusion is that market movements will affect collateral values and hence exposure and loss given default for over-the-counter derivatives. Is that a market risk or is it a credit risk? We decided that we would put this into credit risk on the basis that it is contingent on a credit event.

Outsourcing is another area of doubt. Generally this is considered under operational risk. But what about an outsourcing counterparty going bust? Has that any credit risk component? Our general take was that if we prepaid for services then we had an accruals risk in terms of the prepayment which is credit risk.

In terms of the wider impact of a third-party provider going bust and its implication of operations, that is treated as operational risk.

Generally, the failure of an asset manager we generally treat as an outsourcing failure with the exception of reinsured links where people access external fundings through re-insurance as opposed to bulk purchase of Open Ended Investment Companies (OEICs). We felt there is an element of credit risk because there are wider issues than you would be faced with under an OEIC.

Turning to insurance risk, we worked from the Solvency II categories very loosely. We broke this down further into five variables for general insurance:

  • In terms of the claim frequency, you have both:

    • prospective, in terms of future events;

    • the frequency of emergence of historic events which are incurred but not reported (IBNR).

  • In terms of claim severity, this is split three ways:

    • Prospective, for future events.

    • Claim severity in terms of claims reported but not settled.

    • Severity of IBNR claims.

In terms of the sub-categories we have further broken insurance risks down into:

  • Model risk, e.g. any increase in reserves due to a change in your reserving model.

  • Process risk due to random fluctuations. That could be significant for a pension scheme which has a very small number of members with a huge concentration in respect of, for instance, the CEO of the company.

  • Parameter risk which relates to statistical estimation error.

  • Heterogeneity – there can be, depending on how granular your analysis goes, heterogeneity which can cause variations in your claim experience.

  • Trend risk, which people involved in longevity will be very aware of, in terms of the rate of change being different from expected.

We have identified two other factors – endogenous shocks and exogenous shocks. An endogenous shock we see as something arising internally within an organisation, for instance, a change in underwriting standards. You might change your expectation to reflect the change in underwriting standards, but there would be an additional degree of risk and uncertainty caused by that change.

Exogenous shocks arise outside the organisation such as the recent Association of British Insurer (ABI) changes in non-disclosure rules which has led to step change in our experience, but also increased uncertainty and risk. That is something that we feel should be considered as part of any discussion on insurance risk.

Finally we have catastrophe risks which most people are aware of, covering flu pandemics, and the like.

In terms of the demarcation issues, one I have already mentioned is non-disclosure. A lot of people might argue it is not really an insurance risk, but is an operational risk because it is a form of fraud. From my experience, non-disclosure is often due to poor questions being asked by insurers rather than deliberate fraud on the part of the policyholder. Also, because it will be implicit in claims experience we felt we should include it under insurance risk, but we accept the argument can go either way.

Another area of confusion is option take-up rates. For a lot of financial options the take-up rate is very sensitive to market conditions. Again is that market risk or is that insurance risk? I think our view was when you have something that is so sensitive to market conditions, your base assumptions should be dynamic. Any variation from that dynamic assumption should be considered under the insurance risk category.

The final insurance risk demarcation issue I would like to touch on relates to expense inflation and property rebuild costs. This is linked to general inflation which has been covered under market risk. So should these come under market or insurance risk? We went for the latter as they will also be based on bespoke elements such as an insurer's own cost base.

Turning next to liquidity risk, which Dr Klumpes has already touched on. While the banks have an issue with it, it was not historically a problem for United Kingdom (UK) life insurers because generally they had positive cash-flow coming in. It might be more of an issue now that mortgage endowments and pension policies are maturing and we are seeing systematic outflows. Also, as life insurers make more use of derivatives, we will also see margin calls becoming a lot more important.

In terms of liquidity risk demarcation issues, one question of demarcation was the failure of somebody who is offering you a line of credit to honour that line of credit. Is that a credit risk, as it involves someone not honouring an obligation, or is it a liquidity risk in terms of loss of funding? We decided it should be treated as liquidity risk.

We also have potential issues in terms of a default of deposit counterparty. That is credit risk, but there would be second order impacts in terms of liquidity as well which we would see under liquidity risk.

To move on to operational risk, we started working from the ABI Operational Risk Consortium (ORIC) categorisation which is also the Basel II categories. There are about 20 of those. We have added another one on for Financial Services Compensation Scheme (FSCS) costs and wider changes in legislation and regulations.

There are decision trees associated with the ABI ORIC/ Basel II categorisation which you could use in risk categorisation. However we felt that there were certain issues with these. To give an example, if you have a mis-selling issue with an associated regulatory fine, the tree would class that as a Suitability, Disclosure and Fiduciary risk because of the fine, as opposed to Advisory and Mis-selling risk, which is where we felt it should be.

In terms of how we got round difficulties in categorising operational risk, we really just used brute force. We identified as part of our work something in the region of 340 sub types of operational risk to try to get clear demarcation and definition of categories.

Turning to Strategy risk which as Dr Klumpes noted relates to threats to goodwill like the value of new business streams. We looked at this risk in terms of exogenous and endogenous factors.

Exogenous factors relate to external factors and might be the impact of changes in tax regimes; or the impact of competitors. Endogenous factors relate to internal issues such as the current state of a product range, and/or project failures in terms of launching a new product.

Within endogenous factors we also have a brand and reputation risk category which covers the reputation impacts. But an important part is apart from reputation, there is another question: does a brand support a strategy?

We then have the final piece on aggregation and diversification. What we are trying to cover here is the risk of the whole being greater than the sum of the parts, and how events may lead to anticipated diversification benefits not being realised. That is one risk everybody should always have on their radar.

To conclude, there is no perfect system of classifying risks. What we have come up with is a common reference point to help the Actuarial Profession communicate with each other; a common reference point to try to get around the potential confusion that can arise.

We are not saying that there are no other equally valid ones out there. I am sure many of you think that the ones you are using in the current day to day work are superior. But I would ask that actuaries as a profession, when we do talk about risk, that we either define in detail what we mean by each risk term, or that we use the common risk classification. I do not think we can presume that people share the same understanding of what each risk term means.

The final caveat is risk classification is the first step in ERM. It helps to have some sort of coherent system for classifying risk. However you have to be very careful that you do not only look at individual risks in isolation. ERM is management of the whole as opposed to the individual risks.

Mr D. C. E. Wilson, F.I.A. (opening the discussion): A large part of the paper consists of a list of the detailed risk categories that the working party recommends are used to aid communication between actuaries on different risks. I shall leave it to others to comment on the details of that split.

The paper starts with a discussion of why such a risk classification is needed and what properties we are looking for in such a classification. So in considering the paper, I should like to reflect on three related questions.

First, is a detailed risk classification such as this useful? Second, is a common risk classification useful? And third, is this risk classification useful?

The authors provide an answer to my first question – that is, is a detailed risk classification useful? – at the very start of the paper, with section 1 claiming that coherent risk classification is essential to ERM in order to avoid confused reporting and management of risk. This certainly seems to accord with the stance taken by financial service regulators, and by many commentators.

But it may be worth examining this claim in a bit more detail. For example, is the main driver risk reporting or risk management? I should say for this purpose, I would include regulatory capital assessment as part of risk reporting, since this is about assessing capital against the risks currently being run rather than identifying ways to handle those risks.

It seems apparent that a detailed risk classification is useful for risk reporting where one is seeking to identify the magnitude of each risk. For this purpose it is necessary to be clear about what each risk covers.

But it is less apparent to me that such a detailed risk classification is necessarily the most useful starting point for managing risk. Yes, any risk management approach will need to identify detailed risk controls and allocate responsibility for managing them to identified individuals. But many of these controls could impact on a number of higher-level risks and individuals would also need to be allocated to managing such high-level risks. Hence, for the purpose of managing the risks that matter, the risk classification may be largely irrelevant in practice.

So my answer to this first question is that a detailed risk classification should be useful for risk reporting but perhaps less so for risk management.

On my second question – is a common risk classification useful – the authors are equally clear. They do not suggest that all actuaries or all firms use the same classification but rather that we agree a common language to avoid confusion when discussing risk. They also suggest that an agreed classification could be useful in orchestrating further risk research. This certainly sounds like a helpful outcome if it can be achieved.

So again my answer to this question is that yes, a common risk classification would probably be useful, but perhaps it is less necessary than the authors suggest.

I should like to come back to my third question – is this risk classification useful after I have considered a number of more detailed points. It is probably worth pointing out at this stage that the answer could still be “yes” even if the answer to my previous question was “no”. For example, the detailed work that the authors have put in could be very useful in helping others come to their own conclusions about how to identify and classify risks.

Section 3 covers the working party view of risk. They see risk as impacting on the economic value of an enterprise, and for many organisations this will be true, particularly commercial organisations. But it is certainly not true, for example, for government departments or for charities. Even in the case of financial institutions, which the authors acknowledge are their primary focus, this may require further refinement for mutual insurers, for example, or building societies. Nevertheless, this view of risk does provide a useful focus for the subsequent analysis for those organisations where it is relevant.

The authors explain that they have chosen to separate out strategy risks from other possibly underlying risks on the basis that the controls required to manage such risks are different. I think this provides a useful focus on how risks are best managed. Perhaps it is best to think of strategic risks as those risks which are of such significance and magnitude that they require the attention of the organisation's top level management committee or board.

I certainly endorse the authors’ comment in section 3.6 that it is important to look at how risks may come together as a whole as well as individually. For example, sometimes it is a combination of seemingly small events that can produce a major outcome. Of course, this provides a potential challenge for risk based capital systems that require capital to be assessed and allocated against individual risks.

Section 4 describes the key principles behind the chosen risk classification system. For example, section 4.1 explains that the system is event-based rather than cause-based, one reason being that multiple causes can often be identified as leading up to a single event. A third possibility, which is not mentioned but which I would distinguish, is an outcome-based classification.

One argument for such an approach is that it is often easier to think about a limited number of outcomes and then consider all the possible events that might lead to those outcomes rather than start with all the things that might possibly go wrong and then think about what the results might be. I would suggest that there is less danger of missing something important if you adopt the outcome-based approach. For example, take IT systems risk, which occurs in the classification. Arguably, it is not the risk that there is a problem with the IT that matters. It might instead be brand damage due to dissatisfied customers due to poor service. But this outcome might also arise from, for example, an unguarded comment from the CEO or from lots of other events. Sometimes focusing on that outcome-based approach, and thinking beneath that, to my mind, can provide a clearer way of thinking about managing risk.

This is not to imply that the best risk classification system is necessarily outcome-based, but again perhaps it depends on what the system is to be used for. Perhaps a risk management rather than risk reporting perspective might increase the attractions of an outcome-based approach.

Section 4.5 discusses the distinction between risk and uncertainty. However, I am left unsure about how the authors intended this distinction to be applied and how they are suggesting uncertainty is handled. For example, is the classification intended to cover uncertainty as well as risk? If not, is there no benefit to be gained from seeking to classify uncertainty? I would certainly suggest that there are ways in which uncertainty ought to be taken into account when managing risk, for example choosing a course of action which reduces the exposure to uncertainty or keeping one's options open as to a future course of action until uncertainty is reduced.

Most of the remaining sections of the paper give detailed comments on each high-level risk category including subcomponents and demarcation issues. In general, I found most of the decisions made regarding questions of demarcation seemed sensible, but I would suggest that in most cases the actual decision made is of lesser importance than the simple fact that a decision has been made so that there is no ambiguity as to what constitutes each risk being considered.

So, let me come back to my third question: is this risk classification useful? I believe that it will provide a very useful checklist for insurers in particular to help them identify if there are potential risks identified by the working party that they have not considered internally. Similarly, regulators may well find it helpful to challenge companies as to how they have allowed for all these different risks.

The Chairman: that was an interesting opening to the discussion, with three interesting questions posed; Is it useful to have a risk classification system? Should it be common across the industry or within companies and for different purposes, and is this particular system a good one?

Mr R. Anderson (guest, deputy chairman of the Institute of Risk Management): It seems to me that this classification taxonomy is a really important part of the ERM debate. I think that there are a number of different taxonomies that we can consider I think there is a taxonomy of risk for the identification of risk.

There is another taxonomy about how do we manage it because the types of risk that we are looking at might well be more akin to the nature of the risk. Different taxonomies for different purposes within the organisation.

I think one of the exciting opportunities that opens up to us is that all of those different taxonomies can potentially be captured in some way such as by the development of some kind of risk based Extensible Business Reporting Language (XBRL) language. I think that would be an exciting development that various professional bodies might explore.

The most important thing that we need to develop for risk is understanding how to define an individual risk rather than where we classify it. I see a lot of my clients, many of whom are not in the financial services arena, struggling with beginning to identify the context, the event and the consequence of a risk. It is more important as to whether or not they use the subjunctive in describing the risk rather than trying to put it into a particular pigeonhole.

Mr G. E. Lyons, F.I.A.: It is stated in the paper that the main aim is to facilitate communication between actuaries. Is not a bigger problem communication between actuaries and non-actuaries? I note that there is an ERM guide being produced that is going to be more generic than this one. Might that not be a better guide to communication with everybody rather than just with actuaries?

Mr N. R. Bankhead, F.I.A.: Risk management is a very important and complex area. As a profession, we should do all we can to help its development. It tends to be very unfamiliar to most people and it is a subject which is not well understood and most people do not find intuitive. There seems to be something where we do not have an intuitive grasp of it. Added to that, you often find the technical measurement of it is done by one group of people and the management of it rests with another group of hands. In actual fact, it can make that more complicated.

I see risk management as having three aspects. One is the terminology. What do we call it? The other aspect is measurement; the other aspect being management. We should not try, in my view, to develop a terminology which is peculiar to actuaries.

We should be looking for a general terminology that is common to the whole subject area and not particularly focused on the profession. We should also look at the external terminology and, as far as we can, make sure that it is consistent and should try to keep it as simple as possible.

The paper defines three risk categories. I did not disagree that they were there, but I question whether they were really high level risk categories.

The first observation of the paper is around aggregation and diversification. To me that seems to be a measurement problem. We added the different bits of risk but when we put them together they did not add up. Does that really make it a risk or is it really just a measurement issue that the numbers individually when we put them into boxes do not add up, and so we put another box in which just shows this is the diversification benefit. I would pose the question: if you are looking at things like origin of the risk, is that really a box which deserves and warrants its own category or is it really that we have mis-measured the other items so they do not add up to the whole?

The second question related to what we were trying to measure by way of risk. I think the paper starts off and it says what we are really trying to measure is economic value and the risk to economic value.

When you read a set of accounts, it breaks down the items but it does not add up to market capitalisation. A balance sheet does not give you that. It takes the different ingredients which are there and it reports on those, assets and liabilities, but it is not a market capitalisation so an economic value type assessment, yet from a risk perspective we are almost taking economic value as the base point and saying, “Let us measure risk from there.”

It seemed to me to be slightly different. I think it was from that that we ended up with two risk categories which would be very difficult to value. One was the strategic risk element, and the other was the frictional risk, where we are trying to say what risk is there to the value of an entity from everything else that happens in the rest of the world.

Mr P. J. Turvey, F.I.A.: My concern is that if we develop a detailed “shopping list” that gets some kind of official approval, we could concentrate too much on going through that shopping list. I have a nightmare vision of a future FSA Arrow visit where we are asked to demonstrate that we have been through all 784 (or whatever) risks in the category and have carefully thought about each of them. That is bad because it will take one's eye off the ball and stop one concentrating on what real ERM is all about. That is my fundamental concern.

It was said earlier on that one of the advantages of a commonly agreed classification system would be that it could reduce the amount of debate about whether risk falls into category A or category B. We are in danger of only changing the boundaries. Instead of looking at A versus B, because we are now adding several layers of detail, we can debate whether it is AAA or AAB.

The Chairman: Mr Turvey has made the point about over- elaboration and over- complication. The previous speaker talked about simplicity in classification. Does anybody want to discuss that?

Mr E. M. Varnell, F.I.A.: On having lots and lots of risk categories versus having a smaller number, I think it is probably worth making the point that if we divided into too many sub-categories we end up perhaps suffering from a lack of credibility of data. One of the key things that I see as a benefit of having common risk taxonomy is you can start to put the data together and build more credible estimates if you want to do statistical fitting to some of those.

The other thing I thought about in that regard was to what extent does the risk taxonomy that we are talking about here work in other jurisdictions, for example? Is this something which we think could work across the European Union in a typical European insurance company or even in other industries as well? If it can, then that gives it more value in the sense that it means more data can be brought together in maybe a common pool and used for analysis where the credibility of the firm's own data is insufficient.

I want to agree with Mr Wilson's comment that the classification certainly to my mind is more useful for reporting, where we need to ensure that we are comparing apples with apples and not apples with oranges when we stick something into a risk category.

Of course it would be nice if we could decompose those risks into their component parts but that might be a step further than current systems allow.

Finally, picking up on the point about looking at risk in its entirety around the firm, my suggestion would be this. It is about taking a systems approach to the overall organisation, and whether that would be a better way of trying to manage risk within a firm rather than just looking at the buckets, even though it might be that we still have to look at the buckets in order to do our risk reporting in the short to medium-term.

The Chairman: Any response to those particular points or any new points that anybody would like to make?

Mr A. Christian (guest, founder of Governance Matters): There was a piece in the paper where it said it was not seeking to find a one size fits all. I thought was there maybe something that the profession was able to do to support a one size fits all and maybe imposed it as opposed to suggest it? I found certainly working with categories that are visceral is much easier for a mixture of risk and actuarial skills in a risk function. I thought imposing it is maybe a better idea than perhaps suggesting it.

The demarcation work throughout the paper was excellent. I fully agree with Mr Wilson's comments before that the justification of the demarcation is probably more important than the side that you landed on itself.

There was a good point made earlier on about the ERM guide. I did not know whether this piece of research was being factored into the ERM guide that is being written, but it seemed like the two of those would be very good bedfellows.

I got the feeling that the way it was referred to, the selection of events based classification was that it was felt to be an easier way to make decisions. Whether or not it was, I thought it was well justified in the actual paper itself.

On governance, weak governance in the paper was cut off a bit short. I would really like to have seen that particular area explored a bit more where it is referenced in the strategy risk section.

The number of risks is obviously very intimidating which has already been alluded to. That may put off some risk functions. It is extremely useful for risk reporting; I know having tried to convey on a number of occasions embedded value to city analysts.

Finally, bringing the two professions together, risk and actuarial, I did not know if perhaps there was a suggestion that the profession needs to tone it down in order to fit or whether or not some of the non-actuarial risk functions may need to up skill.

The Chairman: Mr Christian has posed the question. I am not sure whether there is anybody who can answer the question about the ERM guide and about this piece of work or the work done by the working party.

Mr Kelliher: I think when we were developing the paper, Mr Lewin was working in parallel. We did touch base towards the end. Mr Lewin helped out with section 12 on alternative classification systems which also covered the ERM guide.

Possibly we could have linked up more, but I would note that Mr Lewin was also working from a much bigger picture. He was getting something that was fit for purpose for pretty much any kind of organisation. I must confess that this paper really is focusing more on financial services. One of the examples is we have a category called market risk. Anybody working in financial services will think that is the stock market. But if you go to Tesco, for example, they probably think that market risk has to do with brand and sales rather than the stock market or interest yields.

In general, the ERM guide is attacking a much bigger issue.

The Chairman: Mr Christian raised another interesting point. He said what if we imposed this risk classification system and did not simply suggest it?

Dr Klumpes: In the accounting auditing sphere there is this debate about rules versus principles approach. One of the rationales for true and fair is in fact moving away from having to impose rules which then get captured by lawyers and regulators.

In the accounting environment, setting rules is only going to create Enron type organisations, who know those rules backwards, and you give them more details, you give them more details, and they just work around it.

There is this kind of experience from the auditing accounting profession that having lots of rules is not necessarily a great idea and certainly not wanting to impose them as rules as opposed to, say, guidelines.

Mr A. N. Hitchcox, F.I.A.: I am generally against compulsion of using classifications. Having said that, within financial services I can see some advantages of a move towards a common classification, even by compulsion at the highest level, even though I think there are some issues. What I am definitely against is any kind of read across into outside financial services, not that we would have the influence to do that it, or within financial services trying to impose any lower level classifications.

I think the lower level classifications are extremely useful as a supplement to a company's own brainstorming but the reality is even different insurance companies will have massively different risks. So, for example, a term assurance insurer will not generally have large credit risks or indeed investment risks more generally. A longevity insurer or re-insurer, taking on single premium business, for example, may have quite significant credit risks as well as obviously the longevity risks. So in that case they would choose to drill down but you would not want to impose on a term assurance insurer the lower level credit risks.

The Chairman: Mr Hitchcox raises an interesting point. Is there anybody else who would like to comment on how they would use this risk classification system? Does it make sense for you in your profession or in your businesses?

Mr R. J. Houlston, F.I.A.: I believe, that risk classification is more risk identification. As such, it is very, very useful and the process has been very worthwhile.

I do believe that the risk categories that have come up are more to do with reporting. One thing that the working party has demonstrated is that it is so difficult to allocate things to an individual category that perhaps we need a framework to suggest where it might be appropriate to report things slightly differently. I think they have suggested that if your risks are different you should say what you want. But perhaps rather than some formal requirement, maybe some guidelines about where there are some very complex risks, you should disclose them separately and give much more detail. That might be a useful thing for guidance. I do not like the idea of prescription.

Mr Varnell: There are quite a few ISO standards which purport to define things one of which ISO 31 000 does start to address risk management and tries to put definitions around risks.

I am not quite sure that everyone would agree with the definitions that are in there but they could be augmented with those in this paper for some standardised definitions.

Even if people do not decide necessarily to use them, it is the sort of thing that software developers find useful when they are putting systems together to have a standard which they all commonly work to. That helps with the interoperability of software.

Mr Lyons: If we are going to go for a common classification we should use the same classification as the general population. Dr Klumpes has mentioned market risk as meaning something different to the general population. Should we not be using the general definition rather than the actuarial definition? We have enough problems with other professions such as accountants using “provision” while we use “reserves”. We have enough difficulty with definitions without compounding it.

The Chairman: Do the authors want to respond to any other points which have been made?

Mr Kelliher: Just to take a few of the points, Mr Wilson mentioned risk and uncertainty and whether the classification system was trying to address uncertainty. One problem with uncertainty is how do you define something that we do not know about? This is the problem with the unknown unknowns.

It is touched on however in the classification system in areas like the endogenous and exogenous sub-categories of insurance risk. Implicit in these sub-categories is there are things out there that we do not know about that but which are going to come along and affect say our mortality experience or maybe our persistency experience. There are certain aspects of experience that we can model like statistical parameter estimation error. But there are other things that we do not know about but which are still going to affect our experience and I did try and make some allowance for that in the classification system.

Another question is whether aggregation and diversification is a risk category in its own right. I believe it is. Most people, when doing an economic capital calculation, will consider some element of diversification. The $64 million question is are we taking too much diversification into account? Even if we were not, sometimes things like longevity and interest rate risk can be super additive, so you end up with the whole thing being greater than the sum of the parts.

In terms of whether there is too much detail, the reason that we went down to such a very high level of detail was that it was only by going down to that level of detail that you are able to identify where some of the potential demarcation issues could arise.

An example would be statistical parameter estimation error. Obviously, there is certain statistical error to our estimate for a lapse rate.

But there is another kind of error associated with that which is the operational error that we have made some mistake in the calculation of that rate. It is only when you go down to that level that you realise that you need to distinguish between the two. So that was a key driver behind going into such detail; trying to flesh out all the potential areas of overlap.

Regarding the point raised of the nightmare of the FSA using this as a checklist, I think Solvency II is pushing us down to the level where we need to start breaking our risks down to the level in this risk classification system. I think just going down to the level of say equity risk is not going to cut the mustard anymore, particularly for ORSA. What I think you need to be saying for ORSA is that we have allowed something for equity risk based on a model of index returns for the beta risk and assuming that diversification addresses all the other pieces.

That is where your systems and controls need to start coming into play. I think that we probably will need to start going down to the nth degree for ORSA and for Solvency II more generally.

Another aspect mentioned is Mr Wilson's point about complex systems. I think this classification system can complement a complex systems-based approach as I believe you need consistency in terminology to implement such an approach.

I work a lot on operational risk. One thing that drives me to distraction is where you go along to four or five different business units and nobody understands what each category of operational risks relates to as they are working with an unrefined definition of operational risk.

You find their risks are the same but they may be classifying them differently. Or they may not be the same, but they are still getting mapped to the same category. This could frustrate system based modelling.

For the operational risk classification in particular, I think the fact that we define in detail something like 350 different categories and then map them back up to the 20 odd ORIC categories is something that could support work in the area of systems.

A final point is on compulsion. Everybody has their own particular system of classification. I do not think the profession has any remit to go in and to tell those people that they should use something else. I think we have always had a very narrow focus in this piece of work which is something to help actuaries discuss risks. It is really a starting point for other things that are to come like systems and like other discussions on risk.

Dr Klumpes: If you think about risk management as a process, then I suspect what we are doing here is very much at the beginning stages of identifying and perhaps trying to classify some of these risks. We certainly would not want to suggest this is going to be a system for measurement or necessarily reporting.

On the other side of it, though, I think that there is a connection to reporting. I think what is very useful for me in this exercise is trying to get a connection between different values and different components of the valuation of an enterprise and then trying to connect that to different risks. Whether again, as the accounting academic contributor, there are some quibbles and some issues that anyone would have, certainly from an accounting perspective you have to understand enterprise risk management, you have to think about what the objective is. If the objective is to provide information to a capital provider, you might have a slightly different slant on the system.

There is the question of the unit of analysis. Are we talking about the regulated unit or are we talking about the entity that is reporting to shareholders? The importance and the weighting and the mix of the different risks that we have identified would have to be weighted differently or perhaps thought differently or maybe even defined differently.

I suppose we are not trying to be overambitious. Clearly, that would need to be finessed moving forward.

The Chairman: Any responses to the authors?

Mr Turvey: One of the things that has been noted is the level of detail and granularity. The paper provides a useful check list for someone working on risk management. I would have liked to have heard more about the need to do some lateral thinking and think of the black swans that affect our businesses.

How are we going to use this concept in the future? As a non-executive director, I cannot hope to check that this list has been gone through completely within the organisation or whether I agree with the conclusions to which management has come.

I now have a very long list of potential risks. I can speed read this and pick on one or two likely candidates and ask, “I wonder if that applies to us”. By chasing those down I can form an opinion on the quality of the organisation, and whether they have thought the subject through.

One of the things that I have seen working for the UK subsidiary of a German multi-national is that even within the same organisation you get different terminology between the UK and Germany, and sometimes the same word is used with two different meanings within the same organisation

I want to support the view that we should not be concentrating on a language that makes sense in the context of UK financial services companies. We need to have something that makes sense in an international context, and we need to have something that makes sense in a cross-disciplinary context so it is equally valid to Tesco as it is to the Prudential Insurance Company.

Actuaries want to lay claim to being risk managers. Unless we have a single language that works across Tesco and insurance, we are not going to have a very good go at that new claim to fame.

Mr D. B. Martin, F.F.A.: There is a growing part of the pensions industry which is to do with measuring the covenant which is the ability, willingness and, to some extent, legal entitlement, a legal requirement, on the sponsoring employers to support the pension scheme.

We have a complete diversity of approach on this. There are lots of different firms doing the measurement of covenants, and they have different scales and different approaches. Within the last few days the European regulator for insurance and pensions has issued a consultation document which, to use a shorthand, might be regarded as Solvency II for pensions. They talk about a coherent approach to the provision of pensions. Part of that is the ability and willingness of the sponsoring company to make up the difference between the actual assets held by the pension scheme and the total liabilities that they have.

Clearly, this is going to stretch the pensions covenant industry because at the moment we do not have actual numbers. We just have a scale. I do not know whether the authors have any views as to how risk measurement might apply in this area. It seems to me to put a number on this covenant to give an answer to say how well funded the pension scheme might be and, taking into account this extra liability, might be used. It does seem to me one way of expanding this risk measurement from financial services companies to any company that might be sponsoring a pension scheme.

Mr Kelliher: We have talked about all the different types of credit risk, like re-insured fund links. One thing we do not have is covenant credit risk. That is an omission. Essentially, you have a credit risk there. From the pension scheme point of view, it has a credit risk with respect to the sponsoring employer.

In terms of its nature, firstly you have a probability of default of an employer. I think that is often readily available. Other aspects are the exposure at default and the loss given default. For the exposure at default you can say that this is essentially fair value or some other valuation of your liabilities. Your loss given default is a function of this, your scheme assets, and any recoveries from the employer.

There are some novel ways we can look at pension schemes when we look it as a credit risk problem. One way you could think about the pension scheme obligation is that you have a covered bond issued by the employer with a ring fenced pool of assets, the scheme assets, covering the obligation. The only problem is that the collateral pool is only reassessed very infrequently and often it is under collateralised rather than over collateralised.

I believe there may be a lot of synergy between pension scheme actuaries and those involved on the credit risk side. There can be a lot of fruitful discussion and areas to be explored there.

Dr Klumpes: It is important to clarify the governance issues for the pension scheme. If you go across to Europe you have a lot of these hybrid schemes. Clearly, the governance and the arrangements about that hybrid will have an impact on things like, for example, the strategy side and then connecting it back to some of the other points made. One would need to be clear not just to “cookie cut” this framework onto an organisation which was not originally envisaged. In attempting to migrate or adapt it, one would have to be conscious of the corporate governance issues that will differ especially going across into Europe.

Mr R. Kelsey, F.F.A.: It may be that a common language is a little bit too optimistic. Coming from capital modelling, it is quite easy to assign unique values to the big buckets equity such as market or insurance risk.

Then there is operational risk which I usually call “other” because it has all the difficult bits which are awkward to fit into the rest of the framework. There will always be an “other” which against trying to analyse the risks too deeply or to have a universal classification system.

Mr Kelliher: I would go the opposite way. I was involved in an operational risk modelling as well. The one thing I find the most frustrating is the data you have got to model with. There are generally problems with quantity as life offices and general insurers have only been collecting data for about five years, maybe less, on operational losses. That is one problem.

Another problem is a lot of the losses themselves are not properly categorised. We come back to this issue that you might find the same kind of risk getting reported under three different categories. That makes modelling a lot harder.

This is where I do see some use into having a common language that we can map risks onto. It is much clearer in terms of mapping risks onto, let's say, the ABI ORIC categories.

You can then link that in with the ABI ORIC external loss database. I believe there are a lot of firms out there who do this.

I see the detailed classification here as potentially helping to create a much more rigorous set of operational loss data. Also, we could use the same list of risks for scenario analysis, as well.

Mr D. I. W. Reynolds, F.I.A. (in a written contribution that was read to the meeting): I am absolutely delighted to read the last sentence in par.4.4 of the paper:

‘…risks cannot be considered in isolation to reward’

This should be at the top of every paper presented to Boards, and Risk and Audit Committees by Chief Risk Officers.

We should also ban the term ERM, it should always be EROM – enterprise risk and opportunity management.

In paragraph 5.3 the authors acknowledge that government securities are not risk free. So I think we should also stop using the term ‘risk free’? May I suggest we use a term such as ‘base risk’ from which other risks increase?

Mr Hitchcox: I have to manage my local risks for my local managers and my local customers. I then have to report back to my investors or Head Office through my Board and Risk Committee.

What we found is we have been doing risk registers for about six years now. We refresh them probably every other year just to keep things fresh.

The outcome is that we end up having what we call a local risk classification that suits the local business and the local firm. Then we accept as an additional job we have to map it back to our Head Office risk classification system because in the end theirs is not identical to ours and it is not the fault of either side of that equation.

But when you go back up to Head Office level, they are only interested in the systematic risks across the whole Group, i.e. worldwide. My local risks diversify away at his top level. But a local risk for me, which is quite small investment risk, small in my portfolio, accumulates with every single other investment risk he has worldwide. So his perspective as to what accumulates, what diversifies, what earns a margin and what does not, is quite different from mine at local perspective.

So I end up with two risk classification systems: the local one and the Head Office one.

To engage our local managers in risk classification discussions, we have ended up with two ways to drive the classification. How do you manage it?

We want to take lots of underwriting risk so we manage it through underwriting expertise and being willing to accumulate risk when they are profitable and not being scared of something highly volatile; a fire could cause something to burn down and cost us $100 million. We have not got to be afraid of that if we have a $10 million balance sheet. But an operational risk of £1 million is a terrible loss.

So we do in our firm split our risk skills between what I call positive skills, taking more risk to make money, and negative risk skills, squeezing the risk out of the system because it can only cost us money. It is quite interesting, our local classification is driven by how we manage it and whether we get rewarded for it or not. We end up with four categories in total and then it is the job of my risk management team to map those back onto our Head Office categories and make sure that we do not miss anything that they are looking out for. We do find that very fruitful.

Coming back to your first question, the local one we use for management risks. The Head Office we use for reporting risks. Our classification systems touch on both of your identified needs.

Mr A. R. Thompson, F.I.A.: I would like to consider the application of the classification approach to management mitigation, which is arguably more important than reporting.

It is important to cover all the risks and the classification provides a framework for this. You have mentioned the demarcation quite a lot. I believe that we should consider how the classification will affect the approach to risk. This would probably influence the correlations that get considered and focused on.

There might be stronger correlations within a grouping than across groupings. The classification also provides for similarities of approach within the groupings.

I wonder whether each risk should really be analysed according to the particular circumstances and its idiosyncratic features, rather than strictly following the classification.

So, perhaps, despite best intentions, there is a possibility that this approach could reduce flexibility in analysing the risks.

Mr M. H. D. Kemp, F.I.A (closing the discussion): I chair the Enterprise Risk Management Practice Executive Committee and it is great privilege to see a number of different papers presented at this type of forum and other forums which are raising the profile of enterprise risk management. I see the type of discussion that we have had this evening as a very helpful way of progressing the actuarial push into enterprise risk management. I hope that those of you who work in the ERM space have found that this paper has triggered a large number of thoughts that you can take back to your day-to-day work.

The discussion, as always with these types of meetings, has been wide-ranging and not necessarily quite what I expected when I first read the paper.

I would like to highlight a few of the topics on which the discussion focused. At the start of the meeting Dr Klumpes and Mr Kelliher gave us a very comprehensive analysis of what was in the paper and went through some of the issues that arise when you try to demarcate between different risks.

We then had Mr Wilson presenting three questions, namely: (a) do we need a detailed risk classification system, (b) is a common risk classification system useful; and (c) is this particular risk classification useful?

A number of people sought to address Mr Wilson's questions, particularly the first question. A range of views were expressed. There were some who thought that the level of detail that might exist in the paper is perhaps too much and therefore there is a danger that we would fail to see the forest from the trees, because we would delve too much into the detail.

There were others who thought having a detailed risk classification system made a lot of sense. Listening to the debate, the way I square these two lines of reasoning is via the link to risk reporting that several people also highlighted.

If we do have a requirement to report risks to some central body (for example, if the regulators require firms to summarise for them risk events that have occurred to them) then there needs to be some agreed classification which says that if the event was of a particular sort then it needs to be classified in a particular manner. In a similar vein, Mr Hitchcox mentioned that often there may need to be some mapping between the perspective of a subsidiary and the perspective of the parent. It seems to me that for risk reporting purposes you will often need to have someone standardise the reporting frameworks that everyone then adopts.

I was very interested in Mr Anderson's comment in this context that maybe this required use of XBRL or the equivalent. For those of you who are not familiar with XBRL, it is a framework, based on XML, that aims to define standards for electronic transmission of business reporting data. It is one of the ways in which EU regulators are likely to expect insurance companies to report quantitative data under Solvency II when they are submitting material to their supervisors. So, if the data they need to submit includes risk event data then we will have exactly this type of development occurring.

Several people referred to the need for definitions to be not just ones derived by actuaries, but ones which were consistent with how terminology was used in the wider community (both the wider risk community and, ideally, also the general public.

A document like this should help people to choose a sensible meaning to ascribe to a particular term. Again, in my opinion, this highlights the usefulness of this document, which should help to frame the debate and to take things forward.

Mr Bankhead raised a number of points. He made the point again that we should be looking for terminology which is not just for actuaries and we should try to keep it as simple as possible. He also questioned whether aggregation and diversification really was a type of risk as such, as the paper seems to propose, or whether it was primarily to do with the way in which we add together risks. He also queried whether the authors’ approach of beginning with economic value is really the most effective way to start.

I've already noted that the general view on terminology was that it is a good idea to be using terminology that is widely accepted and understood, a view that I myself favour. It makes sense for us not to focus just on the language specific to actuaries, but to come up with something that is broader than just the Actuarial Profession.

In terms of keeping terminology as simple as possible, this again seems a laudable aim, and well worth trying to achieve, where practical. Consider for example terminology relating to liquidity risk. In the literature, a distinction can be discerned between ‘funding’ liquidity risk and ‘asset’ liquidity risk, depending whether or not you are seeking to borrow money against your assets (funding liquidity risk), or seeking to sell the assets as and when you want at a reasonable price (asset liquidity risk).

These two types of liquidity risk are related but they are also different. In certain types of organisations they can be very importantly different. Banks went bust during the credit crisis not always because it was harder to sell assets than they expected. They may never have expected to sell the assets in the first place. Instead, in some cases the greater immediate challenge was their inability to borrow against the assets in a sufficiently timely or effective manner. Inability to do so then jeopardised their entire business model which in some cases triggered bank runs and bail-outs etc.

So, for certain industries and at certain times, delving into the detail can be very important. It seems to me that a real challenge with a classification system like this is to come up with something which is sufficiently detailed to be able to handle all of the subtleties that can affect particular organisations at particular times, but is also sufficiently general that you do not then get people complaining about it being too detailed.

There was some discussion about risk versus uncertainty. Mr Kelliher viewed this as included in the paper but very difficult to handle. I think all of us would agree that unknown unknowns are rather challenging to handle in practice. How to do so in practice is another area that could usefully be expanded upon by anyone willing to take this paper further.

Mr Christian highlighted the point about this document being particularly useful for risk reporting purposes.

I hope that I have referred to most of the topics that were raised in the discussion. The main lesson that I take away is that risk classification is viewed as important, particularly in terms of the risk reporting space and particularly if there is an intrinsic need for standardisation, e.g. as often arises in a regulatory context.

Is this particular risk classification the right one? That was Mr Wilson's final question. If it is not the right one then it is at least a good start and it has opened the debate that will help those who eventually have to decide on such things to come up with the best possible answer for us all.

The Chairman: As is the convention, I will ask the authors to make some comments.

Mr Kelliher (replying): I agree very much with Mr Kemp that this is just a beginning. There is a lot more that we can do with this. I found a new category of risk which I had not thought about before in terms of sponsor covenant. I think we can do a number of things with this classification system. One is to expand it more, covering not just the type of risk but why it is taken on and the reward it has generated, and the context of taking on that risk. I see that as a kind of development area.

I see an area of trying to link it in with the wider ERM guide and do something that is more general than something that is financial services specific.

I have no doubt we can make improvements as we go along.

Dr Klumpes: It occurred to me that you have to think about this framework for different purposes. You may be using it for planning; you may be using it for control; an outside director querying; or you might be thinking about it in the context of performance evaluation of unit or employee. Therefore the risk/reward issues become more significant.

I am very pleased about the point concerning the XBRL framework. I think that is part of having a public discussion, thinking about it as a public good, not necessarily a private good, owned by a consulting firm or something.

I am certainly pleased about the risk reporting side. I am trying to set up a risk reporting group. I note on the comment about whether this is the appropriate framework that, in fact, the German Accounting Standard 5-20, (which is a reporting requirement for insurance companies) use a similar categorisation to the one we have used, and it is a requirement in Germany. The question is whether this also is applicable in a regulatory environment, and whether for shareholder reporting you might want a particular slant, for example.

Finally, I note the comments about corporate governance. I think the comment about the pension was important. We have to be careful that for other organisations such as mutuals and not for profit organisations, there are slightly different, less clearly defined, objectives which have to be thought about.

The question about risk and uncertainty is an interesting one. As accountants we always worry about the errors that actuaries make which come through in the reserves, the shareholder reserves, what is called “other comprehensive income”.

Thinking about uncertainties is important and it is something that needs to be considered.

The Chairman: Thank you very much. Just to wrap up, my thanks to the authors; Mr Wilson, thanks for opening and Mr Kemp, thanks for closing. Thanks to everybody who contributed to the debate.