ERM-702-12: IAA Note on ERM for Capital and Solvency Purposes in the Insurance Industry



Reading Source:

Topics Covered in this Reading:

  • Introduction
  • Governance and an Enterprise Risk Management Framework
  • Risk Management Policy
  • Risk Tolerance Statement
  • Risk Responsiveness and Feedback Loop
  • Own Risk and Solvency Assessment (ORSA)
  • Economic and Supervisory Capital
  • Continuity Analysis
  • Role of Supervision in Risk Management



I’m having trouble distinguishing between risk capacity and risk tolerance. Can someone please clarify?



Hi Steve!

This is what I would say:

  • Risk Tolerance is the amount of risk that a firm is willing to take on to achieve their desired goals/obligations. This is specifically related to how much risk the firm is COMFORTABLE taking to ACHIEVE their goals.
  • Risk Capacity is the absolute max amount of risk that the firm is able to take, based on their resources and current financial obligations. If they take more risk than that, they are at risk of going insolvent.


  • Risk Appetite is the company’s general view towards risk. Are they a risk seeker? Are they risk averse? How do they feel about different risks in general? This will be cleared up when you get to the various readings on Risk Appetite Statements.


I think another key to risk appetite is the idea that this is the amount of risk a firm is willing to take while still achieving its strategic objectives…it seems like one of the big ideas on the exam is making sure that risk assessment, measurement, etc., is related to the strategic planning of a company.


This section drives me crazy! :tired_face::tired_face::tired_face:


What about this section is driving you crazy? Maybe someone can help? :construction_worker_man::rescue_worker_helmet:


Section 6 talks about ORSA, and specifically goes into detail on describing risks as being inherent (before management risk mitigation) and residual (after management risk mitigation). The article then goes on to say:

  1. Those risks whose management rely heavily on the continued and effective operation of key controls (high inherent risk/low residual risk)
  2. Those risks whose nature does not significantly alter following the application of controls. This highlights that certain controls may be ineffective and that resources might be utilised better elsewhere, or that different controls are needed (high inherent risk/high residual risk)
  3. Those risks that may be over-controlled (low inherent risk/low residual risk).

Can anyone think of any real world examples to bring any or all of these three options to life a bit more?


For #1. High Inherent Risk/Low Residual Risk: Financial Risk - maybe the way an insurance company invests their assets could be seen in this category? For example, an insurer could invest a large percentage of its assets in higher yielding assets like equities and real estate, but in reality tries to lower its financial risk by implementing an asset liability matching strategy so as to guarantee that they will have the assets to pay out future liabilities. They could increase their risk and earn higher yield for their shareholders, but the insurer must ensure that it will remain solvent and meet its liability obligations. An insurance company is not like a hedge fund company in that it won’t take on the high risk investment opportunities; insurers are also governed by strict regulation so this assists in the investment ‘choice’ here.

For #2. High Inherent Risk/High Residual Risk: This one to me is a bit trickier. Maybe something like operational risks would fit into this category? For example, companies try to get employees to complete codes of conduct questionnaires with the hopes of mitigating dishonest and cheating behaviours. But in reality, no matter how many resources a company spends on mitigating this type of risk, humans will be humans, and there will always be someone who will try and take shortcuts, and cheat the system to win.

For #3. Low Inherent Risk/Low Residual Risk: Insurance Risk - The way I look at this category for insurance companies is they probably already have a good understanding of mortality/morbidity risk, since it is a fundamental risk of the business. They spend a lot of resources performing experience studies to try and fine tune their estimates of how they think this risk is evolving over time; but in reality, this risk is probably not the one that is going to sink the company if the risk goes completely wrong. This is granted they have a diversified portfolio of policyholders, and reinsurance in place.


I think those are great examples…

Interest rate risk could be insanely high without any ALM strategy in place… but with an adequate ALM program, interest rate risk should be manageable.

Operational risk… you’re right only so much can be done. A lot of preventative measures can be put in place, but that doesn’t mean that you have prevented all possible events (a cyber attack for example, where customer data is stolen). And it only takes one event to possibly have a huge loss to it.

Insurance Risk - I would say this is true in most cases, especially volatility risk. Depending on the insurer’s business portfolio, they could still be fairly exposed to trend risk if there are lots of longevity products (annuities), or Long Term Disability products… it only takes a small error in the mortality improvement assumption to compound in the future.


For Insurance Risk though, wouldn’t a company do annual basis reviews and evaluate their assumptions through experience studies? So if they somehow managed to be off on their estimate for trend risk or mortality improvement in this case, they could always just adjust it up or down each and every annual basis review. @Andrew Does this make sense? Were you assuming the assumption was static?


I think you’d be right for Group Insurance, or insurance that can be re-priced annually. Which is why you will often see lower or no capital requirements for trend risk for this type of insurance.

However, for something like an annuity, a single premium may be paid that must fund all future payments. So if the mortality improvement assumption is understated, and people live longer in the future than we anticipated, we will be paying out payments longer than expected, and we aren’t able to go back to the policyholder for more money.

The law of large numbers pretty much ensures insurance volatility risk will be low, I feel base mortality assumptions are fairly well understood (like your original post suggests). But I think the mortality improvement assumption is much more difficult