Challenges of Operational Risk Quantification for Insurers

ASHK Investment and

Risk Management Symposium

27 March 2012

Carla Seat, FSA CFA

Principal Financial Group

Art or Science?

Operational Risk Definition

• Arises from execution of business functions

• Basel II set standard definition

– “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

• Solvency II copies Basel II definition

– Includes legal risks

– Excludes strategic and reputational risks

Basel II Event Type Categories

• Internal Fraud

• External Fraud

• Employment Practices & Workplace Safety

• Clients, Products & Business Practices

• Damage to Physical Assets

• Business Disruption & System Failures

• Execution, Delivery & Process Management

Focus on Operational Risk

• Regulatory Actions

• Corporate Disasters

• Industry Initiatives

• Corporate Programs

• Technology Developments

Rogue Trading Losses

• Societe Generale (Jerome Kerviel)– 2008, US$ 7 billion

• UBS (Kweku Adoboli)

– 2011, US$ 2 billion

• Barings Bank (Nick Leeson)

– 1995, US$ 1.3 billion

• Allied Irish Banks (John Rusnak)

– 2002, US$ 0.7 billion

• National Australia Bank (Group of traders)

– 2004, US$ 0.3 billion

Insurer Settlements

• Prudential Insurance Company of America

– Allegations of sales abuses

– US$ 2 billion settlement

• State Farm Insurance

– Lawsuit over use of inferior parts

– US$ 1.2 billion settlement

Historical Crises

Many studies cite failures in risk control as ultimate culprits:

•Lax management oversight

•Inadequate assessment of risk

•Lack of transparency

•Inadequate communication of information

•Inadequate or ineffective audit and compliance programs

EU Report, “Prudential Supervision of Insurance Undertakings,” December 2002 (Sharma study)

Sharma Study: Causal Chain

Sharma Study: Underlying Causes

• Failures directly attributed to underwriting risk or investment risk

• Trigger event easiest to identify, but only partially explains chain of events

• Study concluded that poor management is the primary root cause of most problems in insurance firms

“Internal underlying causes to do with management

underlay every case, but only in 2 out of 21 cases were

these problems identified and addressed before adverse

external events had serious effects.”

Challenge #1: Nature of Risk

Operational risk is fundamentally qualitative in nature

“It is unlikely that the management of operational risk will

ever become a wholly data-driven process; given the

nature of operational risk, it will always be more of a

management issue than a measurement issue.”

-- James Lam

Low Low?High

High

Solvency II

• Two approaches to quantification

– Standard or factor-based

– Internal model

• Confidence Level: 99.5% over one year

• QIS5: Most participants opting for standard formula approach rather than internal models

• Regulator can prescribe use of internal model if standard formula deemed not to reflect business risks

Challenge #2: Data

• Internal

– Historical data often limited or inconsistent

– Difficult to gather retrospectively

– Consider boundary issues

• External

– Consider selection and scaling

– Data often truncated (losses > US$ 1 million)

• Expert Judgment

– Data often subjective for most critical risks

– May have to rely on self-assessments

External Data Example

• Purchased external operational loss database

• Chose universe of companies

• Chose time period

• Scaled the data

• Grouped into frequency distribution

• Calculated average severity for each bucket

• Calculated desired confidence level

• Allocated to product / business line

Loss Database Observations

• Majority of events in “Clients, Products & Business Practices” (70%)

– Improper trade/market practices

– Antitrust issues

– Fiduciary breaches/guideline violations

– Lender liability

• Second highest category was “Execution, Delivery & Process Management” (15%)

Challenge #3: Models

• Lack of guidelines for modeling operational risk

– Insurance industry looking to banking industry

• Models must be specific to a company

• Parameters must be supported by suitability analysis

• Dependencies between risk types are common

• Must pass the “use” test

Event Types

• Low Frequency / High Severity

– Dominate tail behavior

– Most difficult to quantify

– Might be insurable

• High Frequency / Low Severity

– Relatively low unexpected loss

– Expected losses may be part of budget

– Risk capital likely relatively low

• Medium Frequency / Medium Severity

– Likely the focus for measurement

Loss Distribution Approach (LDA)

• For each event type, determine:

– Loss frequency distribution

– Loss severity distribution

• Compound frequency and severity distributions to create loss distribution for each event type

– Assume frequency and severity independent

– Use Monte Carlo simulation

• Combine results for event types into aggregate Operational Risk Capital (ORC)

Loss Frequency

• Discrete random variable

• Commonly-used distributions:

– Binomial (N, p)

– Poisson (λ)

– Negative Binomial (α, β)

• Functional form depends on type and sources of data

• Poisson often used in practice

– Consistent with self-assessment results

– May not know total number of events

Loss Severity

• Continuous random variable

• Commonly-used distributions:

– Lognormal

– Gamma

– Two-Parameter Hyperbolic

• Functional form depends on type and sources of data

• Extreme Value Theory (EVT) can be used for data where only extreme losses are recorded

Total Loss Distribution

• Compound frequency and severity distributions assuming independence

• Basic algorithm:

– Random draw from frequency distribution, n

– n random draws from severity distribution

– Sum n simulated losses to get total loss

– Repeat many, many times

• Result is distribution of simulated total loss

Expected Loss

Unexpected Loss

99.5th Percentile

Aggregating Total ORC

• Positive dependencies between risk types is common

• Practical approach uses 2 simple assumptions:

1. Upper bound – Full dependency

Sum to get total result

Errs on conservative side

2. Lower bound – No dependency

Square root of sum of squares

Unlikely there will be large negative dependencies

• Caution: Dependency tends to increase in the tail

Model Risk Summary

• Most important source of model risk is how dependencies are modeled and results aggregated

• Obtaining reliable data is a significant issue

– May have to use subjective data

• In contrast to credit or market risk, fitting the best functional form to data is not a primary risk

• Consider parsimony

– More parameters are not always better!

Scenario Analysis (SA)

• May be useful for low-frequency, high-severity events, where LDA approach more difficult

• Tends to rely on expert judgment

– Important to document well

• Challenging to calibrate

– What is 99.5th percentile scenario?

• Challenging to combine LDA and SA results

– Approaches range from simple sum to simulation

A Final Reminder

“An increase in capital will not itself reduce risk; only

management action can achieve that.”

-- Moody’s report