The scope of risk identification and analysis of risk interdependencies should cover, at least: insurance risk, market risk, credit risk, concentration risk, operational risk and liquidity risk. Other risks may be included, such as conduct risk, legal risk, political risk, reputational risk, strategic risk and group risk.

An insurer should consider the sources of different risks and their impacts and assess the relationship between risk exposures. By doing so, an insurer can better identify both strengths and weaknesses in governance, control functions and business units. The insurer should use and improve risk management policies, techniques and practices and change its organisational structure to make these improvements where necessary. The insurer should also assess external risk factors which, if they were to crystallise, could pose a significant threat to its business.

In assessing the relationship between risk exposures, consideration should be given to correlations between the tails of risk profiles. For example, risks that show no strong dependence under normal economic conditions (such as catastrophe risks and market risks) could be more correlated in a stress situation.

Assessments of risk exposures should consider macroeconomic exposures. For example, an insurer should consider interdependencies between guarantees and options embedded in its products, the assets backing those products, financial markets and the real economy.

Sources of risks may include catastrophes, downgrades from rating agencies or other events that may have an adverse impact on the insurer’s financial condition and reputation. These events can result, for example, in an unexpected level of claims, collateral calls or policyholder terminations and may lead to serious liquidity issues. The ERM framework should adequately address the insurer’s options for responding to such events.

Group risk is the risk that the financial condition of a group or a legal entity within the group may be adversely affected by a group-wide event, an event in a legal entity, or an event external to the group. Such an event may either be financial or non-financial (such as a restructuring).

Group risk may arise, for example, through contagion, leveraging, double or multiple gearing, concentrations, large exposures and complexity. Participations, loans, guarantees, risk transfers, liquidity, outsourcing arrangements and off-balance sheet exposures may all give rise to group risk. Many of these risks may be borne by stand-alone insurance legal entities and are not specific to being a legal entity that is part of a group. However, the inter-relationships among legal entities within a group including aspects of control, influence and interdependence alter the impact of risks on the legal entities and should therefore be taken into account in managing the risks of an insurance legal entity within the insurance group and in managing the risks of that insurance group as a whole.

The ERM framework of an insurance group should address the direct and indirect interrelationships between legal entities within the insurance group. The more clearly-defined and understood such relationships are, the more accurately they can be allowed for in the group-wide solvency assessment. For example, legally enforceable capital and risk transfer instruments between legal entities within a group may help with the effectiveness of its ERM framework for group-wide solvency assessment purposes. To be effective, the management of insurance group risk should take into account risks arising from all parts of an insurance group, including non-insurance legal entities (regulated or unregulated) and partly-owned entities.

Assumptions that are implicit in the solvency assessment of an insurance legal entity may not apply at an insurance group level because of separation of legal entities within the insurance group. For example, there may be few, if any, constraints on the fungibility of capital and the transferability of assets within an individual insurance legal entity. However, such constraints may feature much more prominently for an insurance group and may restrict the degree to which benefits of diversification of risks across the group can be shared among legal entities within the insurance group. Such constraints should be taken into account in both the insurance group’s and the insurance legal entity’s ERM frameworks.

• savings-oriented products (or protection-oriented products with a savings component) that offer unmatched guarantees on policyholders’ premium payments, often combined with embedded options for policyholders;
• products embedding features such as automatic asset sales triggered by asset value decreases or that require dynamic hedging; and
• derivatives contracts such as financial guarantee products including credit default swaps (CDS) that are not used to hedge risk.

• the nature, scale and complexity of: the insurer, its activities, business model and products, including the characteristics of the guarantees it provides;
• the characteristics of any automatic asset reallocation mechanisms;
• the use of dynamic hedging and the extent to which such guarantees are matched or hedged; and
• its activity in derivatives markets.

An insurer's ERM framework should reflect how its risk management coordinates with strategic planning and its management of capital (regulatory capital requirement and economic capital).

As an integral part of its ERM framework, an insurer should also reflect how its risk management links with corporate objectives, strategy and current circumstances to maintain capital adequacy and solvency and to operate within the risk appetite and risk limits described in the risk appetite statement.

An insurer’s ERM framework should use reasonably long time horizon, consistent with the nature of the insurer’s risks and the business planning horizon, so that it maintains relevance to the insurer's business going forward. This can be done by using methods (such as scenario models) that produce a range of outcomes based on plausible future business assumptions which reflect sufficiently adverse scenarios. The analysis of these outcomes may help the Board and Senior Management in strategic business planning.

Risks should be monitored and reported to the Board and Senior Management, in a regular and timely manner, so that they are fully aware of the insurer's risk profile and how it is evolving and make effective decisions on risk appetite and capital management.

Where internal models are used for business forecasting, the insurer should perform back-testing, to the extent practicable, to validate the accuracy of the model over time.

• reflect the insurer’s risk limits structure;
• play a role in mitigating risk; and
• impact the insurer’s capital requirements.

An insurer’s risk appetite statement should include qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate.

• complement quantitative measures;
• set the overall tone for the insurer’s approach to risk taking; and
• articulate clearly the motivations for taking on or avoiding certain types of risks, products, jurisdictional/regional exposures, or other categories.

Risk appetite may not necessarily be expressed in a single document. However the way it is expressed should provide the insurer’s Board with a coherent and holistic, yet concise and easily understood, view of the insurer’s risk appetite.

• the investment and liability strategies allow for the interaction between assets and liabilities;
• the liability cash flows will be met by the cash inflows; and
• the economic valuation of assets and liabilities will change under a range of different scenarios.

The insurer’s ALM policy should recognise the interdependence between all of the insurer’s assets and liabilities and take into account the correlation of risk between different asset classes as well as the correlations between different products and business lines, recognising that correlations may not be linear. The ALM policy should also take into account any off-balance sheet exposures that the insurer may have and the contingency that risks transferred may revert to the insurer.

Different strategies may be appropriate for different categories of assets and liabilities. One possible approach to ALM is to identify separate homogeneous segments of liabilities and obtain investments for each segment that would be appropriate if each liability segment was a stand-alone business. Another possible approach is to manage the insurer’s assets and liabilities together as a whole. The latter approach may provide greater opportunities for profit and management of risk than the former. If ALM is practised for each business segment separately, this is likely to mean that the insurer may not benefit as much from the benefits of scale, hedging, diversification and reinsurance.

However, for some types of insurance business it may not be appropriate to manage risks by combining liability segments. It may be necessary for the insurer to devise separate and self-contained ALM policies for particular portfolios of assets that are ring-fenced or otherwise not freely available to cover obligations in other parts of the insurer.

Assets and liabilities may be ring-fenced to protect policyholders. For example, non-life insurance business is normally ring-fenced from life insurance business, and likewise, participating business is separated from non-participating. Supervisory requirements or the insurer’s ERM framework may require some liabilities to be closely matched with the supporting assets. For example, equity-linked or indexed-linked benefits may be closely matched with corresponding assets, and annuities’ cash outflows may be closely matched with cash inflows from fixed income instruments.

Some liabilities may have particularly long durations, such as certain types of liability insurance and whole-life policies and annuities. In these cases, assets with sufficiently long duration may not be available to match the liabilities, introducing a significant reinvestment risk, such that the present value of future net liability cash flows is particularly sensitive to changes in interest rates. There may also be gaps in the asset durations available. An ALM policy should address the risks arising from duration or other mismatches (for example, by holding adequate capital or having appropriate risk mitigation in place). The ERM framework should reflect the insurer’s capacity to bear ALM risk, according to the insurer’s risk appetite and risk limits structure.

An investment policy may set out the insurer’s strategy for optimising investment returns and specify asset allocation strategies and authorities for investment activities and how these are related to the ALM policy.

The investment policy should address the safe-keeping of assets including custodial arrangements and the conditions under which investments may be pledged or lent.

Credit risk should be considered in the investment policy.

• type of asset;
• credit rating;
• issuer/counterparty or related entities of an issuer/counterparty;
• financial market;
• sector; and
• geographic area.

It is important for the insurer to understand the source, type and amount of investment risk. For example, it is important to understand who has the ultimate legal risk or basis risk in a complex chain of transactions. Similar questions arise where the investment is via external funds, especially when such funds are not transparent.

A number of factors may shape the insurer’s investment strategy. For insurers in many jurisdictions concentration risk arising from the limited availability of suitable domestic investment vehicles may be an issue. By contrast, international insurers’ investment strategies may be complex because of a need to manage or match assets and liabilities in a number of currencies and different markets. In addition, the need for liquidity resulting from potential large-scale payments may further complicate an insurer’s investment strategy.

Where appropriate, the investment policy should outline how the insurer deals with inherently complex financial instruments such as derivatives, hybrid instruments that embed derivatives, private equity, hedge funds, insurance linked instruments and commitments transacted through special purpose entities. Complex or less transparent assets may present operational risks that are difficult to assess reliably, especially in adverse conditions.

An effective investment policy and ERM framework should provide for appropriately robust models reflecting relevant risks of complex investment activities (including underwriting guarantees for such complex securities). There should be explicit procedures to evaluate non-standard risks associated with complex structured products, especially new forms of concentration risk that may not be obvious.

• the potential exposure cannot be reliably measured;
• closing out of a derivative is difficult considering the illiquidity of the market;
• the derivative is not readily marketable as may be the case with over-the-counter instruments;
• independent (ie external) verification of pricing is not available;
• collateral arrangements do not fully cover the exposure to the counterparty;
• the counterparty is not suitably creditworthy; and
• the exposure to any one counterparty exceeds a specified amount.

• the terms on which contracts are written and any exclusions;
• the procedures and conditions that need to be satisfied for risks to be accepted;
• additional premiums for substandard risks; and
• procedures and conditions that need to be satisfied for claims to be paid.

• the insurer’s reinsurance programme provides coverage appropriate to its level of capital, the profile of the risks it underwrites, its business strategy and risk appetite; and
• the risk will not revert to the insurer in adverse circumstances.

• product classes the insurer is willing to write;
• relevant exposure limits (eg geographical, counterparty, economic sector); and
• a process for setting underwriting limits.

• how an insurer analyses emerging risks in the underwritten portfolio; and
• how emerging risks are considered in modifying underwriting practices.

• market liquidity in normal and stressed conditions, quality of assets and its ability to monetise assets in each situation
• characteristics of insurance contracts that may affect policyholder behaviour around lapse, withdrawal or renewal;
• adverse insurance events that may trigger short-term liquidity needs, including catastrophes;
• non-insurance activities such as margining or posting collateral for derivatives contracts, securities lending or repurchase agreements; and
• contingent sources of liquidity (including committed lines of credit or future premium income) and whether these would be available in stressed conditions.

An insurer should have well-defined processes and metrics in place, which may be simple or more advanced depending on its activities, to assess its liquidity position at different time horizons on a regular basis. An insurer’s liquidity analysis should cover both normal and stressed market conditions. The insurer should assess the results of such analysis in light of its risk appetite.

• derivatives, particularly any collateral or margin that needs to be posted for mark-to-market declines in the value of the contract;
• securities financing transactions, including repurchase agreements and securities lending
• insurance products that contain provisions that allow a policyholder to withdraw cash from the policy with little notice or penalty; and
• insurance products covering natural catastrophes.

The insurer should document the main outcomes, rationale, calculations and action plans arising from its ORSA.

The Board should adopt a rigorous process for setting, approving, and overseeing the effective implementation by Senior Management of the insurer’s ORSA.

• What are the roles and responsibilities within the ERM framework?
• Is the insurer within its stated risk appetite
• What governance has been established for the oversight of outsourced elements of the ERM framework?
• What modelling and stress testing (including reverse stress testing) is done?
• Has the model risk management been applied in the ERM framework?
• How does the insurer maintain a robust risk culture that ensures active support and adjustment of the insurer’s ERM framework in response to changing conditions?

• a description of the relevant material categories of risk that the insurer faces;
• the insurer’s risk appetite and risk limits structure;
• the insurer’s overall financial resource needs, including its economic capital and regulatory capital requirements, as well as the capital available to meet these requirements; and
• projections of how such factors will develop in future.

• scope of risk categories of the internal model
• the insurer’s prioritisation of risks in its risk appetite; and
• the insurer’s use of the outputs in making major management decisions on capital planning for meeting regulatory capital requirements.

• How well is the group’s ERM framework tailored to the group?
• Are decisions influenced appropriately by the group’s ERM framework outputs?
• How responsive is the group’s ERM framework to changes in individual businesses and to the group structure?
• How does the framework bring into account intra-group transactions; risk mitigation; and constraints on fungibility of capital, transferability of assets, and liquidity?