OSFI Flashcards
MCT ratio formula
MCT = CapAv / minCapReq
CapAv formula
CapAv = CapAv(gross) - deduc(UnregRe) - deduc(BC limit)
- deduc(UnregRe) is a penalty for too much unregistered reinsurance, and unregistered reinsurance is riskier than registered reinsurance
- deduc(BC limit) if the insurer is holding too much of category B and C
MinCapReq formula
MinCapReq = CapReq / 1.5
150% is OSFI minimum requirement and 100% is regulator minimum requirement
CapReq formula
CapReq = SUM(IMCO) - DC
DC formula
DC = A + I - SQRT(A^2 + I^2 + 2RAI)
A = C + M
DC is diversification credit
main components of MCT capital required
think about the formulas
(IMCO):
- insurance risk
- market risk
- credit risk
- operational risk
define MCT insurance risk
risk of loss from the potential for claims from policyholders & beneficiaries
define MCT market risk
risk of loss from changes in prices in various markets
define MCT credit risk
risk of loss from counterparty’s potential inability or unwillingness to fully meet contractual obligations due to the insurer
define MCT operational risk
risk of loss from inadequate or failed internal processes, people, systems or from external events
statistical definition of ‘target capital required’
capital level corresponding to CTE(99%) on the loss distribution over 1-yr time horizon
identify a proxy for capital available that appears in the Statement of Financial Position
Total Equity (line 699 from Statement of Financial Position - Liabilities & Equity)
principles of allocation regarding MCT capital requirements
(FACCS):
- free from bias
- accurate when allocating revenue & costs
- consistent with allocation methods used by the insurer for other business decision-making purposes
- consistent over time
- systematic & reasonable
describe the transitional arrangement for MCT capital requirements for business combinations effective before 6/30/2019
the contractual service margin (CSM) arising from favorable development can be included in capital available
considerations in defining MCT capital available
(APAS):
- availability: is the capital element fully paid & available to absorb losses
- permanence: until when is a capital element available
- absence: ask whether a capital element has an absence of encumbrances & mandatory servicing costs
- subordination: is the capital element subordinated to rights of policyholders and creditors in insolvency or winding-up
main components of MCT capital available
- category A
- category B
- category C
- non-controlling interests in subsidiaries, subject to certain conditions
subcomponents of category A capital available as listed in the MCT source
- common shares issued by the insurer that meet the category A qualifying criteria
- surplus (share premium) resulting from the issuance of instruments included in common equity capital and other contributed surplus
- retained earnings
- earthquake, nuclear and general contingency reserves
- AOCI (accumulated other comprehensive income)
- residual interest, reported either as equity or as a liability, of owner-policyholders of mutual entities
subcomponents of category A capital available as listed on page 20.11 in the financial statements
(RC-CORNA):
under policyholder’s equity:
- residual interest (non-stock)
under shareholder’s equity: (include everything except preferred shares)
- common shares
- contributed surplus
- other capital
- retained earnings
- nuclear and other reserves
- AOCI
should dividends paid to stockholders be removed from capital available
yes
briefly describe the MCT capital composition limits
BC limit: category B + category C <= 40% * (total capital available - AOCI)
C limit: category C <= 7% * (total capital available - AOCI)
which regulatory adjustment to MCT capital available is an addition
CSM associated with the title insurance contracts
which regulatory adjustment to MCT capital available is an addition or deduction
adjustments to owner-occupied property valuations
2 uncertainties required for a risk to be considered ‘insurance risk’
- uncertainty in the amount of payments
- uncertainty in the timing of the payments
subcomponents of MCT insurance risk
- LIC
- unexpired coverage includes catastrophes other than earthquake and nuclear
- unregistered reinsurance
- earthquake and nuclear catastrophes
how is diversification risk accounted for regarding MCT insurance risk
- risk factors for each class of insurance contain an implicit diversification credit
- this is based on the assumption that insurers have a well-diversified portfolio
formula margin(LIC)
margin(LIC) = 1.1 * sum (risk factor * net LIC(issued) excl.RANF - AIC(re held) excl.RANF)
formula margin(unexpired coverage)
margin(unexpired coverage) = risk factor * max(net unexpired coverage, 30% * net premiums received past 12 months)
where
net premiums received = premiums received net of associated reinsurance premiums paid
formula net unexpired coverage
net unexpired coverage = unexpired coverage for insurance contracts issued - unexpired coverage for reinsurance contracts held
formula (GMM) unexpired coverage for insurance contracts issued
unexpired coverage for insurance contracts issued = PV(estimate of future cash flows excluding premium cash flows)
formula (PAA) unexpired coverage for insurance contracts issued
unexpired coverage for insurance contracts issued = (LRC - LC + unamortized insurance acquisition cash flows + unamortized reinsurance commissions + premiums receivable) x ELR + costs
formula (GMM) unexpired coverage for reinsurance contracts held
unexpired coverage for reinsurance contracts held = PV(estimate of future cash flows for current and future reinsurance contracts held)
formula (PAA) unexpired coverage for reinsurance contracts held
unexpired coverage for reinsurance contracts held = (A + C + P1 + P2) x ELR - (P3 + P4)
the risks of holding a reinsurance contract with a reinsurer
basically insurer not getting the money expected
- reinsurer won’t pay insurer what is owed
- mis-assessment of required provision the amount the insurer expects to be paid
define SIR(self-insured retention)
portion of loss payable by the policy holder
condition for admitting recoverability of SIRs (self-insured retention)
OSFI must be satisfied of collectability - may require collateral (i.e., LOC from policyholder)
Earthquake Reserves(ER) formula
ER = (EPR + ERC) x 1.25
where
ERC = ERX - FinRes
methods for ERX
model approach:
- ERX1 = (East Canada PML500 ^ 1.5 + West Canada PML500 ^ 1.5) ^ (1 / 1.5)
standard approach:
- ERX3 = max(East Canada PTIV - applicable deductible, West Canada PTIV - applicable deductible)
subcomponents of MCT market risk
(IFFERO):
- interest rate risk
- foreign exchange risk
- equity risk
- real estate risk
- right-of-use asset risk
- other market risk
interest rate risk formula
abs(asset duration * asset values - liability duration * liability values) * 1.25%
foreign exchange risk formula
10% * Canadian dollar value
equity risk formula
30% * market value of equities
including:
- common shares
- joint ventures where insurer holds <= 10% ownership interest
- futures
- forwards
- swaps
real estate risk formula
10% * owner-occupied property + 20% * investment property
formula margin(balance-sheet assets)
margin(credit risk) = asset value * risk factor
briefly describe what the ‘risk factor’ is for calculating the margin for credit risk
the risk factor either:
- corresponds to the external credit rating of the counterparty
- represents a prescribed factor determined by OSFI
what are off-balance sheet exposures
risk exposures that are not listed on a company balance sheet
example of off-balance sheet exposures
- structured settlements
- LOC(letters of credit)
- NOD(non-owned deposit)
- derivatives
formula margin(off-balance-sheet exposures)
margin(credit risk for off-balance sheet exposures) = (CEA - eligible collateral) x CCF x risk factor
operational risk formula
CapReq(OpnRisk) = min(30%*CR(0), sum(A components) + max(B components))
where
CR(0) = CapReq(I) + CapReq(M) + CapReq(C)
A components:
- risk factor x CR(0)
- risk factor x DWP
- risk factor x AWP
- risk factor x CWP
- risk factor x growth above 20% x (DWP + AWP) / (1 + growth)
B components:
- risk factor x AWP(ig)
- risk factor x CWP(ig)
the upper limit dampens operational risk for high-volume, low-complexity businesses
is legal risk included in operational risk?
yes
risks that are excluded from MCT operational risk
- strategic risk
- reputation risk
describe the purpose of the cap on operational risk of 30%xCR(0)
to dampen operational risk for business that satisfies these conditions
- high-volume
- low-complexity
scenarios linked to rapid premium growth
common sense
- mergers
- new lines of business
- changes to products or U/W criteria
briefly describe the impact of unregistered reinsurance on MCT operational risk
think about insurance risk components
when unregistered reinsurance goes up -> CapReq(OpnRsk) goes up because:
- operational risk depends on insurance and credit risk
- and insurance risk goes up because unregistered reinsurance is one of its components
define diversification credit
a reduction to capital required recognizing that not all risk categories are likely to suffer their maximum loss simultaneously
what is the general goal of ORSA
enhance insurer’s understanding of the relationship between risk profile and capital needs
does OSFI approve an insurer’s ORSA
no, but OSFI will review a company’s ORSA as part of its assessment of the company
what is the relationship between ERM & ORSA
ERM, ORSA should be well-integrated so that analysis, results are consistent between them
ORSA’s key elements
- risk identification & assessment
- relate risk to capital
- oversight
- monitoring & reporting of risks
- internal controls & objective review
describe the ORSA key element ‘risk identification & assessment’
identify & assess the materiality of foreseeable & emerging risks
describe the ORSA key element ‘relating risk to capital’
- set ICT(internal capital target) using stress-testing techniques
- must withstand a specified loss without falling below supervisory capital requirements
describe the ORSA key element ‘oversight’
think about if I’m about to manage, what I will do
senior management responsibility: should have a good understanding of:
- nature and significance of the risk exposures
- risk mitigants
- risk management methods
- capital adequacy
describe the ORSA key element ‘monitoring & reporting’
annual reports to Board of Directors & Senior Management on risk profile & capital management
describe the ORSA key element ‘internal control & objective review’
- review for: accuracy, integrity, reasonableness
- objective reviewer: internal or external auditor or skilled professional not involved in the ORSA process
is ORSA process the same for all federal insurers
Yes and No:
- key elements are the same (remember to list them!)
- but specifics differ by company depending on risk profile & NSC(nature/scale/complexity) of operations
should ORSA be used to set ICT
yes: an important part of ORSA is to set ICT since ICT considers insurer-specific risks
should item be included in MCT calc and setting internal capital target: cyber risk
MCT: not specifically part of MCT
ORSA:
- should be considered in setting ICT
- product is sold through a mobile app (this is for the specific question, because it’s mentioned in the context)
should item be included in MCT calc and setting internal capital target: interest rate risk
MCT: part of market risk within ICT
ORSA:
- should be considered in setting ICT
- government bonds are subject to fluctuations in interest rate
should item be included in MCT calc and setting internal capital target: geographical diversification
MCT: not part of MCT
ORSA:
- should be considered in setting ICT
- company operates in several provinces
what is the relative importance of quantitative, qualitative aspects of ORSA
equally important
regarding ORSA key element ‘relating risk to capital’, identify possible approaches to calculating ICT
- complex internal model: for complex risks
- simple model: with conservative assumptions
- qualitative: includes expert judgment for difficult-to-quantify risks
similarities between DCAT & ORSA
- both are concerned with risk identification & control
- both are concerned with capital requirements
- both are submitted to BoD & regulators
differences between DCAT & ORSA
guidelines:
- DCAT: uses CIA SOPs(statement of principles)
- ORSA: uses OSFI guidelines
methods:
- DCAT: quantitative only
- ORSA: quantitative & qualitative
report:
- DCAT: by AA
- ORSA: management responsibility
advantages of ORSA over MCT
ORSA:
- includes all material risks
- uses stress-testing to set ICT
- qualitative as well as quantitative
- admits assessment of internal controls
definition of ‘stress-testing’
a risk management technique
- to evaluate effects on financial position
- due to specified changes in risk factors
- corresponding to exceptional but plausible events
purpose of stress-testing
- risk: identify & control risk
- complement: provide a complement to other risk management tools + simulate shocks
- capital management: support capital management
- liquidity management: improve liquidity management
describe risk id & control regarding purpose of stress-testing
- risk id: identify concentration & interaction of risks
- risk control: adjust individual portfolios & overall business strategy
describe complementing other tools regarding purpose of stress-testing
- test statistical models used to determine VaR
- simulate shocks to test model robustness to economic changes
describe supporting capital management regarding purpose of stress-testing
identify severe events and/or compounding events that impact capital management
describe improving liquidity management regarding purpose of stress-testing
assess liquidity profile & adequacy of buffers for institutional & market-wide stresses
describe how stress-testing is a key risk management tool for coverage of overland flooding
company won’t have historical data
- identify flood risks using stress-testing models
- estimate capital required to support flood risk in different scenarios
- stress-testing could complement publicly available flood data
describe board vs. management responsibilities regarding a stress-testing program
BoD:
- ultimate responsibility for program
- ensures implementation of program by management
- should be aware of key findings
management:
- implement & manage stress-testing program
- identify PAS(plausible adverse scenario)
- develop & implement risk mitigation strategies
BoD sets direction and provides oversight; management follows BoD’s decisions and oversees operations
rudimentary stress-testing considerations
(RUDI):
- range of perspectives:
-> perspectives: consult economists, actuaries, others
-> techniques: qualitative, quantitative
- update stress-testing framework regularly:
-> monitor effectiveness of framework with qualitative, quantitative measures & update accordingly
-> elements of a framework include: docs, data quality, assumptions
- docs: provide written docs of assumptions & fundamental elements of scenarios
- infrastructure should be flexible
-> should allow increase in sensitivity testing in times of rapid change
-> should accommodate time horizons for management action
how to improve stress testing
RUDI + includes making risks dynamic and reviewing assumptions more than once a year - focus on program not just scenarios
considerations in scenario selections
- scenarios should cover all important business & product lines
- create non-historical scenarios(events that haven’t happened but could happen)
- severe & sustained downturns includes large losses, loss of reputation, legal problems
management considers only insurance risk in stress-testing program in an earthquake-prone region - appropriate?
not appropriate: stress-testing should consider all risks, not just 1 significant risk
change: consider operational risk also since call centers & claim adjusters may be overloaded after an earthquake event
management doesn’t consider earthquake risk in stress-testing program in an earthquake-prone region - appropriate?
not appropriate: earthquakes are low-frequency so lack of prior event does not indicate lack of risk
change: use external data to construct earthquake risk models
significant portion of investment portfolio is in local market - what are the interactions between risks?
insurance risk due to claims from earthquake event and market risk due to loss of income from own properties damaged in earthquake event
- a comprehensive stress-testing program would reveal these significant & interacting risks
focus areas in response to financial market turmoil
- risk mitigation
- s&w(securitization & warehousing)
- reputation (reputational risk)
- credit risk & counter-party risk
- concentration risk
describe focus areas when designing stress-testing program for flood & provide examples
focus 1:
- risk mitigation
- stress-testing should facilitate development of mitigation & contingency plans
focus 2:
- reputation risk
- if customers don’t trust you, you may lose business
- if existing customers are not made aware of new flood coverage they may be angry & switch providers
OSFI’s considerations in assessing stress-testing program
think about if you work for OSFI, what are the things you want to know about when you review the stress-testing program from insurers
- appropriateness: are scenarios appropriate for institution’s risk profile
- viability: are scenarios included that compromise viability
- frequency: is stress-testing frequent enough for timely management action
- severe shocks: do scenarios include severe shocks & sustained downturns
describe & contrast scenario with sensitivity testing
scenario-testing:
- significant changes to risk factors
- observe future state including ripple effects & management actions over a longer time horizon
- more complex & comprehensive
sensitivity-testing:
- incremental changes to risk factors
- shock is more immediate & time horizon shorter
- simpler, fewer resources required
definition ‘MinCapReq’
MinCapReq = 100% x BaseCap
- capital required to cover risks specified in capital guidelines
- if CapAv < MinCapReq then there are critical viability concerns for insurer
definition ‘SupCapReq’
SupCapReq = 150% x BaseCap
- capital required to cover risks specified in capital guidelines + margin
- if CapAv < SupCapReq then insurer is subject to supervisory attention
definition ‘Internal Target Capital’
- a capital target determined by ORSA above supervisory capital target
- includes risks specified in capital guidelines and all insurer-specific risks
reasons for having an Internal Target Capital
- gives management time to address issues
- captures insurer-specific risks not addressed by industry-wide capital guidelines
approach to determine Internal Target Capital ratio
- includes insurer-specific risks in capital assessment
- assessment uses stress-testing
- capital level must withstand a specified level of loss without falling below supervisory capital over specified time horizon
is it ok to consider future capital projections when determining the Internal Capital Target?
- no, unless planned & certain
- also, cannot consider head-office guarantees & other management actions except for setting targets above internal target
required management action if capital available falls below Internal Capital Target
if this happens or is expected within 2 years, notify OSFI & submit plan to restore capital to internal target level reasonably quickly
what is FRFI
federally regulated financial institution
define corporate governance
set of relationships among BoD, management, shareholders, other stakeholders
characteristics of good corporate governance
- incentivizes good behavior (i.e., advances company & shareholder interests)
- enables monitoring of operations & performance
contrast roles: BoD and senior management
- BoD: direction-setting, oversight of management
- senior management: implement BoD decisions, oversight of operations
role of corporate governance in OSFI’s supervision
- OSFI relies on good corporate governance to support its supervisory role
- OSFI required BoD involvement during interventions to determine best corrective actions
what items should a risk appetite framework contain
- RAS: risk appetite statement
- RL: risk limits
- RR: roles/responsibilities of those implementing risk appetite framework
provide a general description of a risk appetite statement
reflects level of risk, and type of risk FRFI is willing to accept to meet business objectives
key features of the risk appetite statements
- relate to short, long-term strategies
- includes qualitative/quantitative measures of risk
- forward-looking
- consider normal and stressed scenarios
qualitative, quantitative measures within the risk appetite statement
- qualitative: identify significant risks company wants to take/avoid + why
- quantitative: measures of ECL(earnings, capital, loss) FRFI is willing to support
describe the concepts of risk limits within the risk appetite framework
risk limits refers to allocations of FRFI’s risk appetite statement to:
- risk categories (IMCO)
- business unit
- LOB or product
once BoD approves, who implements risk appetite framework
senior management
how is compliance with risk appetite framework ensured
CRO: ensures risk limits are consistent with risk appetite statement
CRO: provides reports to BoD, senior management assessing risk limits and risk appetite statement
internal auditor: ensures compliance with risk appetite framework
broad 3-point plan for managing earthquake exposure
(MML):
- measure/monitor/limit earthquake exposures
define PML(probable maximum loss)
dollar value of loss a major earthquake is unlikely to exceed (loss expected only once per X years)
define gross PML & net PML
- gross PML: after deductible, before reinsurance
- net PML: after deductible, after reinsurance
difference is only before/after reinsurance, both have deductible applied
key principles for managing earthquake exposure
- risk management
- data management
- models
- PML
- financial resources & contingency plan
briefly describe the key principle of risk management for earthquake exposure
earthquake exposure risk management policies are overseen by senior management
briefly describe the key principle of data management for earthquake exposure
- data required is more than for traditional ratemaking
- must address data integrity, verification, limitations
briefly identify the key principles of modeling for earthquake exposure
must understand assumptions, methods, limitations of earthquake models
briefly describe the key principle of PML for earthquake exposure
PML = total expected ultimate cost
- includes considerations for data quality, non-modeled exposure, model uncertainty, multi-region exposure
briefly describe the key principle of financial resources & contingency plan for earthquake exposure
- financial resources: quantification of how financial resources cover PML
- contingency plan: how to continue efficient business operations after disaster
items that should be documented for earthquake risk management
try to extend from the key principles
- risk appetite and risk tolerance of insurer
- data management framework
- model assumptions, methods, limitations
- calculation of PMLs
- nature & adequacy of financial resources
- contingency plans supporting the risk
- how concentration of exposures is measured & monitored
best practices for earthquake modelling
(DAQKDUP):
- Docs: document use of model within risk management program
- Alternatives: explain why a particular model is used vs. alternatives
- Qualified: need qualified staff to run in-house models regularly
- Knowledge: must have knowledge of assumptions, methods, limitations of earthquake model
- Data: should provide evidence to show that granularity & quality of data is appropriate
- Uncertainty: must understand the impact of uncertainty on capital adequacy & reinsurance requirements
- PMLs: if PML(model 1) not equal to PML(model 2) then must explain the differences & any subsequent model adjustments
identify uses of earthquake models aside from PML calculation
- make U/W decisions
- monitor exposure-accumulations
sound practices for earthquake model VERSION
- use more than 1 model
- ensure timely updates of material changes to model within 1 year of change
- understand assumptions, methods, limitations of vendor software for PML calculation
- if in-house PML model is used, should compare result to alternate models
sound practices for earthquake model VALIDATION
common sense
- compare modeled losses with actual losses
- compare tail losses with market price for reinsurance
- use global data to supplement limited Canadian earthquake data
how might management adjust for low data quality in earthquake PML estimate
may add a margin of safety to the PML estimate
basically to account for uncertainty
identify non-modeled exposures when calculating PML
- exposure growth between date of data & relevant exposure period
- consider adequacy of ITV
- consider GRC(guaranteed replacement cost)
- increased seismicity after large event
2 examples of model uncertainty
- uncertainty associated with conversion from location-specific ground motion to actual damage levels
- model assumptions are being continuously updated & refined
how might management adjust for model uncertainty in earthquake PML estimate
may add a margin of safety to the PML estimate
regarding multi-region exposures, identify disadvantages of using the maximum of BC, QC exposures
basically think about the impacts of missing other regions
- understates risk for insurers with exposure in both regions
- ignores earthquake elsewhere, which could be material
how should PMLs be reported for Canadian vs. foreign insurers with exposure outside Canada
BoD, senior management would report PMLs to OSFI as follows:
- Canadian insurers report PMLs based on worldwide exposure
- foreign insurers report PMLs based on Canada-wide exposure
identify financial resources for covering PML for earthquake exposure
- capital & surplus (max 10% of capital & surplus)
- reinsurance (most insurers use cat reinsurance)
- earthquake reserves calculated as part of MCT
- capital marketing financing
identify a restrictive condition on earthquake exposure financial resources for: reinsurance coverage
when including non-cat reinsurance must consider ‘per event’ limits and other events that may exhaust coverage
identify a restrictive condition on earthquake exposure financial resources for: capital marketing financing
OSFI prior approval is required before recognition as a financial resource under MCT guidelines
identify a restrictive condition on earthquake exposure financial resources for: capital & surplus
limited to a maximum of 10% of capital & surplus
identify a restrictive condition on earthquake exposure financial resource for: EPR
must not exceed countrywide PML 500
ways to improve risk estimation & cat risk management for this insurer
- tech investments
- audit data
- ensure adequate financial resources & contingency plan
- measure/monitor/limit earthquake exposure
what are OSFI’s earthquake exposure reporting requirements
- file earthquake exposure data form annually
- if no material exposure then submit letter stating so
what are OSFI’s earthquake exposure supervisory requirements
if an insurer has material earthquake exposure:
- insurer must submit earthquake risk management policies
- must submit FCT report that includes earthquake exposure scenario or provide reason for not including
what is the difference between OSFI’s earthquake exposure reporting & supervisory requirements
- for reporting purposes: just submit the standard earthquake exposure data form
- for supervisory purposes: must submit comprehensive risk management policies
what are OSFI’s supervisory options when an insurer’s earthquake exposure risk management principles are not being followed
OSFI may adjust capital or asset requirements or TSR(target solvency ratio)
what are the duties of senior management regarding earthquake exposure risk management
- implement risk management plan & internal controls
- discretion to increase PML from model due to low data quality or model uncertainty
- a senior manager reports to all senior management about compliance and the PML
what is included in a senior officer’s regular reports to senior management regarding earthquake exposure
- state compliance with risk management policies except where noted
- explain calculation of PML with details of supporting financial resources
what are the duties of the BoD regarding earthquake exposure risk management
oversight of risk management plan & ensuring adequacy of internal controls
main responsibility of OSFI relationship manager
main point of contact between FRFI and OSFI
-> responsible for maintaining an up-to-date risk assessment of FRFI
key principles of risk assessment
- identify material risks
- should be forward-looking & allow for early intervention
- use sound predictive judgment
- understand risk drivers
- differentiate between inherent risks & management of those risks
- dynamic adjustment
- assess whole institution by calculating a CRR(composite risk rating)
primary concepts of risk assessment
- significant activities
- inherent risk
- quality of risk management
- net risk
- importance & overall net risk
- earnings
- capital
- liquidity
- risk matrix & CRR(composite risk rating)
describe significant activities
- anything that is fundamental to the business model (LOB, unit, process,…)
- it’s the fundamental risk assessment concept within the supervisory framework
describe quality of risk management
- control level 1: operational day-to-day control of significant activities
- control level 2: oversight of finance, compliance, actuarial,…
describe net risk
- net risk of significant activity = judgment on inherent risk & quality of risk management
- can be low, moderate, above average, high + trend
describe risk matrix, CRR(composite risk rating)
- risk matrix: records assessment of significant activities and risks
- CRR: culmination of assessment can be low, moderate, above average, high
risk assessment of core supervisory processes
- planning
- execution & updating risk profile
- reporting & intervention
fundamental concept in OSFI’s supervision of risk assessment
significant activities
OSFI’s steps
STEP1: identify significant activities
STEP2: assess inherent risks and quality of risk management
STEP3: calculate net risk for each significant activity
STEP4: use risk matrix to assess intervention status and CRR
If inherent risk = above average and quality of risk management = needs improvement determine net risk assessment
net risk = high