Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Private: Enterprise Risk Management (IFoA ST9) > Past Exam Questions: September 2012 > Flashcards

Past Exam Questions: September 2012 Flashcards

1
Q

Company A has an ERM framework.
Company B doesn’t.

Both make similar products and have the same potential client base.

Discuss potential justifications for the two companies’ ERM strategies.

A
  • ERM is not mandatory by legislation or regulation.
  • Company A could be listed on a stock exchange that requires formal ERM.
  • But the difference is more likely to be due to either the judgement of the board / senior management or to the result of a cost-benefit analysis.
  • Company A may believe its important to have a stated risk appetite and risk tolerances and to monitor all risks to maintain within the appetite / tolerances. In doing so the company will believe that it has more control over its risks and will be less likely to make large unexpected losses in the future.
  • Company A may believe that ERM allows it to maintain a holistic risk culture which should further help to prevent risks from crystallising into loss.
  • Company A may be in more need of a higher credit rating (e.g. because it relies more on the bond markets for capital raising) which is supported by its stronger ERM framework.
  • Company B may believe that it doesn’t need a formal ERM as its informal practices are sufficient.
  • Company B may not believe that the benefit is worth the time and expense of monitoring the risks.
  • Company B may believe that it is a relatively simple business: profit and sales are targeted and all of the risks can be identified, estimated, mitigated and transferred in the separate business units. There is no need or cost savings in considering them all together.
  • Company A’s structure is such that having a good ERM framework is important for capital allocation purposes.
  • Company A believes that ERM will help it to spot upside opportunities more readily.
  • Company A has learned from past mistakes / losses.
  • Company B might be a relatively new or rapidly growing company and just has not yet got round to full implementation.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Describe initiatives that new insurance regulation could introduce in an underdeveloped country

A
  • The new regulator should collect currently available financial reports, corporate governance, board papers, internal and external audit reports.
  • The material should be analysed to see the strengths and weaknesses of the current reporting structure.
  • Some weaknesses might be easily remedied. E.g. the timing of and/or frequency of certain reports could be improved.
  • Or the detail contained in some of the reports might be quickly extended to include valuable information.
  • The new regulator should meet with and form a relationship with the insurance companies.
  • The companies should be encouraged to form a working relationship and made to believe that honesty and transparency is important.
  • For example, small breaches in guidelines can be tolerated.
  • The regulator should introduce regular inspections of insurance companies.
  • The regulator should issue guidelines of the areas to be inspected.
  • The regulator must adopt a pragmatic approach as the insurance companies won’t have many of the needed practices, information, etc. in place. The regulator should provide the company with an inspection report to help the company to introduce change.
  • If not already in place the regulator should make external audits mandatory. This will provide the regulator with another independent view of many aspects of the companies.
  • The regulator could require that investments are traded on exchange with reputable brokers and held by international custodians. This should help to ensure that all investments are contained on the company’s reports and that they are properly valued at the time of each report.
  • For the same reason, the regulator might introduce minimum internal control requirements for all money movements to ensure that all reports are complete and accurate.
  • The regulator should commence the systematic collation of available information.
  • As appropriate the regulator should seek to start to gather new information using surveys and forms.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Describe initiatives that would help insurance companies prepare for new regulation in an underdeveloped country

A

The regulator could ask companies to introduce or strengthen:

  • ERM committee
  • including its composition, committee charter, reporting templates
  • Corporate governance
  • Internal audits
  • Internal reporting and analysis
  • ERM risk register to help ensure that risks are being identified, monitored, measured and mitigated or transferred.

The regulator could provide guidance on the likely reporting to be required in the future.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Propose guidelines on a “whistleblowers’ hotline”

A

The guidelines should:

  • State that the purpose of the hotline is to bring to light dishonesty or incompetence on a significant scale.
  • State what types of action are likely to have given rise to a breach.
  • State what actions are not likely to be appropriate to report to the hotline.
  • State amounts which are not likely to be appropriate to report to the hotline.
  • State the minimum information necessary to report to the hotline.
  • State the potential required future involvement of anyone using the hotline.
  • State the minimum service levels that someone using the hotline can expect.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Describe the process that a regulator should employ to administer, assess and resolve any reported breaches of regulatory requirements.

A
  • Appoint an officer to handle the alleged breach.
  • Review the information given to the regulator by the company which is relevant to the alleged breach.
  • Discuss the alleged breach with the whistleblower (if applicable).
  • Approach the company and seek further information relevant to the alleged breach.
  • If necessary, conduct an unscheduled inspection of the company to obtain records if it is felt that evidence might be destroyed.
  • Make a decision on whether the alleged breach is valid, and if so, how serious it is.
  • Inform the company of the decision and implications.
  • This might be a fine or other disciplinary action.
  • And likely also increased levels of inspection in the future.
  • There may need to be an appeal process, but ideally all relevant evidence will have been provided and discussed adequately prior to the final decision.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Define operational risk

A

Operational risk is the risk of losses resulting from inadequate or failed internal processes, people and systems, or from external events.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Describe options available to an insurer to mitigate its various operational risks

A
  • Operational risks are generally best controlled through the implementation of an appropriate system of processes and controls.
  • These may, for example, include doer and checker processes and/or spot checks to guard against errors and deliberate and unintentional bias.
  • New processes that are introduced should be subjected to stress testing to understand what may go wrong with these processes, how material the resulting issues may be and how best to manage those issues.
  • Outsourcing some processes to external organisations can also be used to manage operational risk. However it should be recognised that whilst outsourcing might provide a benefit through the use of dedicated expertise, it requires additional resources to be spent on monitoring and results in less control over the outsourced function, plus exposure to counterparty risk.
  • Business continuity risk can be managed through the adoption of contingency plans for an alternative business location (with property either owned outright or an option to use a property at short notice) and the ability to use backup servers and data.
  • Regulatory risk can be managed through the employment of an in-house department that focuses on regulations and imminent changes and to disseminate them around the firm. The department may also undertake lobbying directly on behalf of the insurer or support existing lobbying groups.
  • Technology risk can be managed through the employment of a dedicated central IT resource. One of the key decisions in this respect relates to how much work relating to technology to carry out in-house and how much to outsource. The central IT resource, whether internal or external, should provide a response to IT problems in a time scale appropriate to the nature of the issue.
  • Crime risk, such as fraud risk, can be managed through the framework of controls, where these are consistent with the size of the risk. In other words, a framework of controls that reduces the cost of fraud but costs more than that saving is not a good framework.
  • People risk can be managed through the employment of a sufficiently skilled human resource team that oversees:
  • – recruitment processes designed to ensure the right people are recruited
  • – performance management and remuneration to ensure the right people are promoted and retained
  • – trained to ensure the people have the necessary skills to carry out their work
  • – cultural aspects to ensure the organisation encourages openness and diversity
  • – alignment to the needs of many stakeholders in the business.
  • Legal risk can be managed through the employment of a central legal team along with the use of external legal teams on areas of contention, so that appropriate legal counsel is sought on areas of concern.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Managing operational risks:

Legal risk

A
  • Legal risk can be managed through the employment of a central legal team along with the use of external legal teams on areas of contention, so that appropriate legal counsel is sought on areas of concern.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Managing operational risks:

People risk

A
  • People risk can be managed through the employment of a sufficiently skilled human resource team that oversees:

— recruitment processes designed to ensure the right people are recruited

— performance management and remuneration to ensure the right people are promoted and retained

— trained to ensure the people have the necessary skills to carry out their work

— cultural aspects to ensure the organisation encourages openness and diversity

— alignment to the needs of many stakeholders in the business.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Managing operational risks:

Crime risk

A
  • Crime risk, such as fraud risk, can be managed through the framework of controls, where these are consistent with the size of the risk. In other words, a framework of controls that reduces the cost of fraud but costs more than that saving is not a good framework.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Managing operational risks:

Technology risk

A
  • Technology risk can be managed through the employment of a dedicated central IT resource.

One of the key decisions in this respect relates to how much work relating to technology to carry out in-house and how much to outsource.

The central IT resource, whether internal or external, should provide a response to IT problems in a time scale appropriate to the nature of the issue.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Managing operational risks:

Regulatory risk

A
  • Regulatory risk can be managed through the employment of an in-house department that focuses on regulations and imminent changes and to disseminate them around the firm.

The department may also undertake lobbying directly on behalf of the insurer or support existing lobbying groups.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Managing operational risks:

Business continuity risk

A
  • Business continuity risk can be managed through the adoption of contingency plans for an alternative business location (with property either owned outright or an option to use a property at short notice) and the ability to use backup servers and data.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Describe two types of “market risk”

A

Market risk encompasses risks arising from changes in investment market values or other features correlated with investment markets, such as interest rates and inflation rates.
This would include the consequence of investment market value changes on liabilities, and may also include the consequence of mismatching asset and liability cashflows.

And it can refer to the risk of lower sales or profit margins resulting from changes in market conditions, where “market” is interpreted as the market into which the products or services of that entity are sold.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Prepayment risk

A

The risk that a mortgage holder chooses to repay his mortgage early thereby reducing the profitability of the security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Why may it not be appropriate to treat prepayment risk as its own risk category?

A

The level of prepayment risk will be heavily influenced by the level of interest rates, i.e. if rates fall customers would be more likely to refinance their homes and prepayments would increase.

So closely related are they that from a quantitative perspective it may be impossible to separate the impact of a change in interest rates from the customers’ propensity to prepay.

As a consequence the two risks are likely to be considered as one exposure by management.

17
Q

What is the likely impact of a larger bank acquiring a smaller one on the smaller bank’s profit margin.

A

If the larger bank has a higher credit rating, it may be considered a better credit risk. Therefore, the larger bank’s borrowing costs are lower than that of the smaller bank.

Assuming the combined entity retains the higher credit rating, the cost of funding will fall. Thus the expected profit margin can be expected to increase.

Possible benefits from economies of scale.

Possible benefits from tax synergies.

18
Q

Outline the impact of acquiring a smaller bank on a larger bank’s risk profile

A

Foreign exchange risk
If the bank operates in a different currency

Strategic risk
Acquisition may fail

Agency risk
The bank may have no familiarity in the new territory / market and may have to rely on the smaller bank’s management whose incentives may not be aligned to the overall entity.

Operational risk

Political, legal, regulatory risks
New territories have different rules and regulations

Economic risks
A new economy, and potentially a new industry

Credit risk
Increased borrowing to sustain the business model

Liquidity risk
Acquisition may reduce available cash

Reputational risk
Association with another brand

The aggregate risk position of the combined entity will include diversification credits which were not there prior to the acquisition.

19
Q

Outline the advantages of providing staff health / life insurance cover via a wholly owned captive

A
  • Likely to be more cost-effective than going to the retail market as the direct market reinsures at least in part large risks to reinsurers anyway.
  • Also, a certain level of claims are virtually inevitable. Cash can be retained in the captive to meet these claims which reduces the cost of the reinsurance premiums.
  • May be the only way the company can get cover for all employees through a single scheme.
  • Affords the company a degree of control over the level of benefits and servicing requirements which may not be possible through a retail arrangement.
  • Possible tax benefits
20
Q

Outline the disadvantages of providing staff health / life insurance cover via a wholly owned captive

A
  • Captive is subject to regulatory requirements - so there will be additional costs / regulations
  • The internal administration costs of the captive may not be less than the savings in the expense loading in the direct premium.
  • May be an industry that the larger company has no existing internal expertise in.
  • May not provide adequate protection for extreme events.
21
Q

Why will reinsurance not remove all of the risks relating to a captive insurer’s cover?

(Where the captive is set up to provide staff health / life insurance cover to a larger entity)

A
  • Reinsurance will transfer the insurance risk. However, this is replaced by a new credit risk exposure to the event that the reinsurer defaults.
  • In addition, the risk exposure is so concentrated in the event of a catastrophe - for example - a single event could trigger a large number of claims from staff in a single location such as a head office - it may not be possible to arrange sufficient reinsurance and some risk will have to be retained.
  • At the very least, this could mean that the credit risk exposure is not insignificant.
  • Further, claims from this event may create a liquidity constraint while the captive waits to recover from the reinsurer.
  • Insurance risk events may trigger risk events in other categories. E.g. in the extreme scenario the loss of a large number of staff will not only have financial but also operational consequences.
  • For direct insurance, there is one contract between the company and the insurer. In the case of the captive, there is a contract between the company and the captive and then another contract between the captive and the reinsurer. This gives rise to potential basis risk between the two contracts leaving the company in the position that it may be exposed to claims that are not covered under the reinsurance.
22
Q

Suggest actions a company can take to reduce the mortality and morbidity risks which are being insured by a wholly owned captive.

(Where the captive is set up to provide staff health / life insurance cover to a larger entity)

A
  • Investment in physical measures to improve safety, e.g. better fire prevention measures or security at office buildings.
  • Health and safety screenings of all suppliers (e.g. canteen operators)
  • Regular medical examinations for staff
  • Encouragement of healthy lifestyle, e.g. healthy food options in the canteen.
  • Or provision of sports / gym facilities to encourage exercise.
  • Have some degree of underwriting, particularly for higher sums assured.
  • Exclude pre-existing conditions from insurance cover.
  • Other exclusions, e.g. claims due to hazardous hobbies
  • Have robust and active sickness management policies, e.g. regularly following up those off work due to sickness.
  • Have rehabilitation policies, e.g. allowing employees to return to work part-time after a long illness.
  • Staff training programs to reduce the risk of accidents in the workplace.
  • Reduce amounts of cover provided.
  • Limit cover to a subset of staff.
23
Q

Outline Solvency II’s mandatory risk framework

Pillar 1: Quantitative Requirements

A

Prescribes the minimum amount of capital that must be set aside based on the estimated aggregate financial risk of the company.

The calibration of the Solvency Capital Requirement (SCR) is a 99.5% level of confidence over a one-year time horizon.

The aggregated financial risk is either modelled using an “internal model” or is calculated using a prescribed standard formula.

In order to estimate or calculate the aggregated financial risk it is necessary to identify and model many types of risk including market risk and credit risk.

If an internal model is used, it must meet a number of criteria, including the “use test”, and be approved by the regulator.

There is also a Minimum Capital Requirement (MCR) below which the company would lose its authorisation.

As for ERM, the requirements call for complete and up-to-date documentation and back-testing to evidence the appropriateness of the results.

24
Q

Outline Solvency II’s mandatory risk framework

Pillar 2: Qualitative Requirements

A

Assessing risk through the other business practices including:

  • corporate governance
  • health and safety
  • business plans
  • management experience and expertise

Plus regulatory scrutiny of overall strategy and business models.

25
Q

Outline Solvency II’s mandatory risk framework

Pillar 3: Disclosure

A

Seeking to encourage the full disclosure of risks in order to encourage companies to fully
- identify
- monitor
- measure
- mitigate
- transfer etc,
keeping net risks which are in line with the stated company’s objectives.

26
Q

List 6 categories of risk underlying the standard formula for the Solvency Capital Requirement

A
  • Non-Life underwriting risk
  • Life underwriting risk
  • Health underwriting risk
  • Market risk
  • Counterparty default risk
  • Operational risk
27
Q

Give examples of key risk indicators (KRIs) for:

Underwriting risks

A
  • Risk aggregations (sum insured)
  • Split for example by region, peril/product type, distribution channel
  • New business levels by similar splits
  • Reserve strengthening / release
28
Q

Give examples of key risk indicators (KRIs) for:

Market risk

A
  • Value at Risk (VaR)

- Stress and Scenario test results

29
Q

Give examples of key risk indicators (KRIs) for:

Counterparty default risk

A

Counterparty credit quality and diversity for assets and liabilities - credit rating analysis.

30
Q

Give examples of key risk indicators (KRIs) for:

Operational risk

A
  • Analysis of key risks (operational risk profile)
  • Internal audit results
  • IT downtime
  • Staff turnover rates
31
Q

Explain the various internal and external stakeholders that would be interested in monitoring KRIs of a company on a regular basis

A

Audit Committees
To monitor material financial risks and mitigation of those.

Executives
To review risk information for completeness.

Managers
To review risk information for completeness and changes in risk profile or control effectiveness.

Risk Owners
To update risk information and escalating changes in likelihood, impact or control effectiveness as required.

Control Owners
To update status of treatments for controls that they are responsible for

Internal Audit
To review the effectiveness of internal control measures

External Stakeholders
Reviews by supervisory bodies for regulatory solvency purposes

Credit Rating Agencies
As part of their credit rating monitoring and review process

32
Q

Discuss whether a metric used as a key performance indicator (KPI) can also be used as a key risk indicator (KRI)

A

KPIs are used to monitor the performance of the organisation. They are therefore associated with the return side of the risk-return equation and wouldn’t strictly be an indicator of the risk exposure.

However, to the extent that both KPIs and KRIs use proxies for the underlying risk and return drivers, they may well be the same.

For example, a life company selling unit-linked policies may use an equity index as a KPI (to proxy changes to the level of fund management charges it expects to receive) and a KRI (to proxy changes in market risk capital).

The key difference between the use of a metric as a KPI or KRI is the interpretation which is applied to it and the subsequent set of actions / responses it will result in.

For example, KPIs will result in actions by the Finance Function, while KRIs will result in actions by the Risk function.

Private: Enterprise Risk Management (IFoA ST9) (48 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions