Week 9 Ture False

Criteria | Insurance | General:

Enterprise Risk Management

Primary Credit Analysts:

Li Cheng, CFA, FRM, FSA, New York (1) 212-438-1849; [email protected]

Miroslav Petkov, London (44) 20-7176-7043; [email protected]

Secondary Contacts:

Eric E Hedman, CFA, New York 212-438-2482; [email protected]

Jackson E Griffith, London (44) 20-7176-3579; [email protected]

Andy Chang, CFA, FRM, Taipei (8862) 8722-5815; [email protected]

Criteria Officer:

Emmanuel Dubois-Pelerin, Paris (33) 1-4420-6673; [email protected]

Table Of Contents

SCOPE OF THE CRITERIA

SUMMARY OF THE CRITERIA

IMPACT ON OUTSTANDING RATINGS

EFFECTIVE DATE AND TRANSITION

METHODOLOGY

The Subfactors Of Enterprise Risk Management Analysis

ASSUMPTIONS

Determining An Insurer's Enterprise Risk Management Score

Risk Management Culture

Risk Controls

Emerging Risk Management

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 1

1388662 | 301135087

Table Of Contents (cont.)

Risk Models

Strategic Risk Management

APPENDIX I: Definitions

APPENDIX II: Risk Controls Of Major Risks

RELATED CRITERIA AND RESEARCH

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 2

1388662 | 301135087

Criteria | Insurance | General:

Enterprise Risk Management (Editor's Note: We originally published this criteria article on May 7, 2013. We're republishing this article following our

periodic review completed on Fe. 26, 2015. As a result of our review, we updated the author contact information.)

1. Standard & Poor's Ratings Services is publishing this article to help market participants better understand its approach

to assessing insurance companies' enterprise risk management (ERM). Our assessment of ERM examines whether

insurers execute risk management practices in a systematic, consistent, and strategic manner across the enterprise that

effectively limits future losses within the insurers' optimal risk/reward framework.

2. These criteria supersede the articles titled:

• "Evaluating The Enterprise Risk Management Practices Of Insurance Companies," published Oct. 17, 2005; • "Refining The Focus Of Insurer Enterprise Risk Management Criteria," published June 2, 2006; • "Extending The Insurance ERM Criteria To The Health Insurance Sector," published Nov. 8, 2006; • "Nonlife Insurance Risk Control Criteria And Their Role In Enterprise Risk Management," published Oct. 31, 2007; • "Summary Of Standard & Poor's Enterprise Risk Management Evaluation Process For Insurers," published Nov. 26,

2007;

• "Methodology: Assessing Management's Commitment To And Execution Of Enterprise Risk Management Processes," published Dec. 17, 2009;

• "Expanded Definition Of Adequate Classification In Enterprise Risk Management Scores," published Jan. 28, 2010; and

• "Refined Methodology For Assessing An Insurer's Risk Appetite," published March 30, 2010.

3. This article also partially supersedes "Bond Insurance Rating Methodology And Assumptions," published Aug. 25,

2011.

SCOPE OF THE CRITERIA

4. These criteria apply to all global insurance ratings, including life, health, property/casualty (P/C; known as non-life

outside of the U.S.) insurers, reinsurers, bond insurers, insurance and reinsurance brokers, and mortgage and title

insurers.

SUMMARY OF THE CRITERIA

5. The evaluation of insurance companies' ERM is a component of our rating analysis. ERM examines whether insurers

execute risk management practices in a systematic, consistent, and strategic manner across the enterprise that

effectively limits future losses within an optimal risk/reward framework. ERM analysis also provides a prospective

view of the insurer's risk profile and capital needs.

6. ERM analysis is tailored to each insurer's risk profile and focuses on five main areas: risk management culture, risk

controls, emerging risk management, risk models, and strategic risk management.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 3

1388662 | 301135087

7. These criteria bring enhanced transparency to our ratings by articulating how we score each of the abovementioned

five subfactors and how we derive an insurer's ERM based on these five subfactor scores.

IMPACT ON OUTSTANDING RATINGS

8. We do not expect any rating changes for the majority of insurance companies as a result of these criteria.

EFFECTIVE DATE AND TRANSITION

9. These criteria are effective immediately, and we will review our ratings over the next six months. To the extent that

elements of these criteria apply to Lloyd's Syndicate Assessments, the effective date is Nov. 1, 2013.

METHODOLOGY

The Subfactors Of Enterprise Risk Management Analysis

10. ERM analysis is comprised of five subfactors:

• Risk management culture, • Risk controls, • Emerging risk management, • Risk models, and • Strategic risk management.

11. The criteria in this article determine how each of these five subfactors is assessed and how the assessments of these

five subfactors are combined to derive the insurer's ERM score.

ASSUMPTIONS

Determining An Insurer's Enterprise Risk Management Score

12. An insurer's ERM is scored as (from most to least credit-supportive) (1) "very strong", (2) "strong", (3) "adequate with

strong risk controls", (4) "adequate", or (5) "weak", based on the assessments of the five subfactors, which we classify

as "positive", "neutral", or "negative" (see tables 1 and 2). The criteria identify key considerations in the assessment of

the subfactors. Table 2 describes these considerations but it is not an exhaustive list of circumstances under which

corresponding scores are assigned.

13. The analysis is evidence-based. An insurer receives a neutral score for any of the five subfactors where evidence is

insufficient to assign either a positive or a negative score. However, a history of failing to disclose key enterprise risk

exposures and risk management information could lead to a negative score.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 4

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 1

ERM Assessment

Score Assessment Guideline What it means in our opinion

1 Very Strong Positive score for all subfactors and economic

capital model (ECM) is assessed either “good”

or “superior” under our criteria.

The insurer has very strong capabilities to consistently

identify, measure, and manage its risk exposures and losses

within its chosen risk tolerances.

The insurer’s risk control processes are leading edge, applied

consistently, and executed effectively. The insurer continues

to develop its risk control processes to integrate new

technologies and adapt to the changing environment.

There is consistent evidence of the insurer’s practice of

optimizing risk-adjusted returns, resulting in an overall

stronger financial performance than peers’.

Risk and risk management heavily influence the insurer's

decision-making.

The insurer is highly unlikely to experience unexpected losses

that are outside of its risk tolerances, in our opinion.

2 Strong The risk management culture, risk controls, and

strategic risk management subfactors are

scored positive, one or both of the other two

subfactors is scored neutral, and no subfactor is

scored negative.

The insurer has strong capabilities to consistently identify,

measure, and manage risk exposures and losses within

chosen risk tolerances.

There is clear evidence of the insurer's practice of optimizing

risk-adjusted returns. But such practice is not as well

developed as that of a very strong ERM insurer or has a

shorter track record of success.

Risk and risk management are important considerations in

the insurer's corporate decision-making.

In our opinion, the insurer is somewhat more likely to

experience unexpected losses that are outside of its risk

tolerances than an insurer with a very strong ERM score.

3 Adequate with

strong risk control

The risk controls subfactor is scored positive,

the strategic risk management subfactor is

scored neutral, and no subfactor is scored

negative.

The insurer has all the characteristics of an insurer with an

adequate score, but has also established a variety of risk

controls that we view in aggregate as positive.

4 Adequate The risk controls and risk management culture

subfactors are scored at least neutral; overall

doesn’t satisfy the requirement for adequate

with strong risk control.

The insurer has capabilities to identify, measure, and manage

most key risk exposures and losses, but the process has not

been extended to all significant risks facing the enterprise.

The insurer’s loss/risk tolerance guidelines are less

developed than those of insurers with a higher ERM score.

The insurer demonstrates sufficient execution of its existing

risk management programs, albeit less comprehensive than

that of insurers with a strong ERM score.

Risk and risk management are often important considerations

in the insurer's decision-making.

In our opinion, the insurer is more likely to incur unexpected

losses than an insurer with a strong ERM score.

5 Weak One or both of the risk controls and risk

management culture subfactors are scored

negative.

The insurer has limited capabilities to consistently identify,

measure, and manage risk exposures across the enterprise

and, thereby, limit losses.

The insurer demonstrates sporadic execution of its risk

management program; losses aren’t expected to be limited in

accordance with a set of predetermined risk tolerance

guidelines.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 5

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 1

ERM Assessment (cont.)

The insurer has yet to adopt a risk management framework

and is currently satisfying regulatory minimums without

regularly applying risk management to business decisions; or

it has very recently adopted a risk management system that

has yet to be tested.

Risk and risk management are sometimes considered in the

insurer’s corporate decision-making process.

Table 2

Scoring The Five ERM Subfactors

Subfactor Positive Neutral Negative

Risk management

culture (see

paragraphs 18 to 34)

ERM is well entrenched in the organization

with a formal ERM framework, an

independent and well-staffed ERM

department, and active Board participation.

The insurer has some ERM functions at

the enterprise level that cover most

material risks.

ERM is not practiced, or is

practiced inconsistently, across

the enterprise, with limited Board

participation.

The insurer has a clear vision of enterprise

risk profile and risks are managed both at a

business unit and an enterprise level within

risk tolerances.

There is limited or infrequent Board

participation.

The insurer lacks clear

understanding of its enterprise

risk profile.

The insurer’s risk appetite framework is

clearly communicated and linked directly to

risk limits.

Risk and risk management are mainly

responsibilities of business functions

with limited enterprise view.

The insurer manages risks

predominantly in silos.

The insurer has a culture of risk

communication and information sharing,

internally and externally.

The insurer understands its enterprise

risk profile around key risk exposures

and manages them within chosen risk

tolerances.

The insurer lacks a formal risk

appetite framework supported by

clear rationale; risk limits do not

exist or are very basic.

The insurer’s incentive compensation

supports ERM goals.

The insurer’s risk appetite is less

clearly defined or communicated; risk

limits are fairly simple or do not align

with overall risk tolerances.

Risk controls (see

paragraphs 35 to 42)

The insurer has identified all material risks

from all sources and frequently monitors its

risk exposures with multiple metrics.

The insurer has identified and monitors

its main sources of material risks.

The insurer does not consistently

identify and monitor its key risk

exposures.

The insurer has a comprehensive risk limit

system and strict formal limit breach

policies.

The insurer has risk limits around its

material risks, but the limits are

relatively simply or lack linkage to risk

appetite.

The insurer has limited formal

risk limits, or its risk limits are

overly aggressive, providing no

practical value in controlling

exposures.

The insurer uses multiple risk management

strategies to effectively manage exposures

within limits.

The insurer has a formal limit

enforcement policy in place.

The insurer has no limit

enforcement policy; there is

evidence of prolonged breach of

limits.

We score risk controls of material risks

predominantly as positive, and none

negative.

The insurer generally manages its risk

exposures within the risk limits.

We score one or more risk

controls on material risks as

negative.

We score no risk controls of material

risks as negative.

Emerging risk

management (see

paragraphs 43 to 46)

The insurer has well-established processes

for identifying and monitoring emerging

risks, analyzing their significance, and

preparing for and/or potentially mitigating

them.

The insurer has some processes in

place to identify and analyze the

impact of emerging risks; but these

processes are more ad-hoc and don’t

lead to risk mitigations.

The insurer doesn’t have

processes for identifying and

evaluating emerging risks.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 6

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 2

Scoring The Five ERM Subfactors (cont.)

Risk models (see

paragraphs 47 to 52)

The insurer’s risk models capture all

material risks and risk interrelations in

aggregating exposures.

The insurer’s risk models capture

major risks. However, the models are

less comprehensive or process used to

aggregate enterprise risk exposures are

less sophisticated than those at

insurers scored positive.

The insurer doesn’t use risk

models or the risk models fail to

capture major risks.

The insurer’s models have undergone

robust validation and vetting and are under

strict model governance processes.

Model results are used to support the

insurer’s decision-making process, but

are not as extensive as to pass “use

test”.

The insurer’s risk models have

undergone limited validation or

vetting.

Model limitations are understood and

compensated within the organization.

There are general concerns about

data quality, assumptions, and

governance.

These models perform both stochastic and

deterministic scenario analysis.

The insurer makes little use of, or

overly relies on, model results in

decision-making.

The insurer uses model results extensively

in the decision-making process (or “use

test” in industry parlance).

Strategic risk

management (see

paragraphs 53 to 56)

The insurer has a track record of

consistently using a risk vs. reward

decision-making framework to optimize

risk-adjusted returns at an enterprise level.

The insurer uses some risk/reward

analysis in decision-making, but the

metrics and processes applied are

inconsistent across the company.

The insurer does not optimize

risk-adjusted returns; risk and

risk/reward analysis is not

adequately reflected in the

insurer’s decision making.

Risk considerations and risk adjusted return

metrics, including economic capital model

results, significantly influence the insurer’s

decisions around pricing, risk management

strategies, capital allocation, strategic

planning, reinsurance decisions, and

strategic asset allocation.

The insurer’s capital allocation is

risk-based, but mainly reflects the

views of external constituents, e.g.

regulators.

The insurer’s capital

management process only

reflects the views of external

constituents, e.g. regulators.

14. All else being equal, an insurer with a stronger ERM score is less likely to experience losses outside its predetermined

risk tolerances under our criteria. The aggressiveness or conservativeness of its risk tolerances, although related to

ERM, is assessed in the management and governance analysis (see "Methodology: Management And Governance

Credit Factors For Corporate Entities And Insurers," published Nov. 13, 2012).

15. The importance of ERM to the rating is "high" for insurers exposed to complex risks that could cause a significant loss

of capital and earnings in a short period of time or that are highly uncertain and usually long term in nature. Typically,

high importance applies to companies with significant exposure to risks such as natural catastrophes, reserve volatility

of their long-tail casualty business, or financial market volatility. If the insurer is not significantly exposed to these

types of risk or regularly retains excess capital relative to risk, the ERM importance is "low".

16. To derive insurance groups' group credit profiles (GCPs), we generally assign a single ERM score because the scope of

our analysis is the whole enterprise, encompassing all subsidiaries. The group's ERM score is assigned to group

members that are either "core" or "highly strategic". (See "Group Rating Methodology," published May 7, 2013.) The

group's ERM score could also be assigned to "strategically important" group members that are well integrated into the

group ERM processes, such that their processes are virtually indistinguishable. For all other cases, the ERM score is

assigned from a stand-alone perspective and may deviate from the ERM score of the group. We incorporate significant

deficiencies in their ERM practices, if any, in our analysis of the group's ERM.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 7

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

17. In general, start-up companies are not assigned an ERM score higher than adequate, due to insufficient historical

evidence of effective processes; they nevertheless are scored on all five subfactors. A start-up insurer may receive a

score higher than adequate if, for example, it was part of a larger organization with a strong ERM score, and if it can

demonstrate that it has the commitment, resources, and plans in place to continue the robust ERM practices already in

place within the start-up.

Risk Management Culture

18. The analysis of the first ERM subfactor, risk management culture, focuses the importance accorded to risk and ERM in

all key aspects of the insurer's business operation and corporate decision-making. As risk management culture

encompasses all aspects of the ERM framework and all the ERM subfactors are interconnected, it is difficult to

evaluate this subfactor without reference to the others. For that reason, the analysis of the risk management culture

subfactor focuses on the insurer's philosophy towards risk, especially its risk appetite framework, risk governance and

organizational structure, risk communications and reporting, and the embedding of risk metrics in its compensation

structure. The analysis also evaluates the degree to which there is broad understanding and participation in risk

management throughout the organization.

19. Standard & Poor's analysis focuses on, in particular, indicators in the following key areas of the risk management

culture:

• Risk governance and organization structure, • Risk appetite framework, • Risk reporting and communication, and • Incentive compensation structures.

Risk governance and organization structure

20. A formal, well-defined, and independent risk governance and ERM organization structure is fundamental to an

effective ERM framework. A positive risk management culture is typically characterized by a well-defined and

independent ERM governance structure that supports effective risk management at an enterprise level. Such

governance structure typically involves guidance and oversight from the Board of Directors, a dedicated ERM function

led by a well-qualified senior executive and risk management functions at the business unit level, and a clear definition

of roles, responsibilities, and reporting relationships. Additional evidence that supports a positive score can include an

ERM function that has been in place for several years, enjoys high visibility, and carries significant authority within the

organization. Insurers with a positive risk management culture score typically have an effective system of risk

committees both at the enterprise and the business unit levels, supported by significant resources committed to

day-to-day execution. The insurer also has enterprise level functions that aggregate and manage risks with an

enterprise view, taking into consideration correlation and diversification.

21. An insurer with a neutral score on the risk management culture subfactor typically has some of the characteristics of

those with a positive score, but with a risk governance and organizational structure that isn't equally comprehensive or

is still fairly new. Insurers may also receive a neutral score if the management of key exposures is mainly a function of

the insurer's business units, without enterprise-level risk view or risk supervision.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 8

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

22. An insurer's risk management culture score is negative if the Board and senior management display a lack of

understanding of the importance of ERM and have insufficient active involvement in the ERM process. Evidence that

might lead to such a score includes the absence of dedicated resources to risk management, blurry risk ownership and

reporting lines, and sporadic/ad-hoc Board level risk discussion. If an insurer has a risk management structure where

key risks are managed in complete silos, the score could also be negative.

Risk appetite framework

23. Strong ERM is consistent with a well-defined risk appetite framework that supports the effective selection of risks, so

that the insurer takes only desired risks where sufficiently rewarded. All insurers, independent of their size and

complexity, need to have some capabilities to limit their risk exposure and losses within their chosen risk tolerances.

The aggressiveness or conservatism of an insurer's risk appetite is a related issue, but separately considered under the

financial risk tolerance criteria detailed in "Methodology: Management And Governance Credit Factors For Corporate

Entities And Insurers," published Nov. 13, 2012. The ERM score reflects our view of management's ability to operate

within stated risk tolerances. In cases where we consider an insurer's risk appetite aggressive, we believe the strength

of its ERM framework is critical to the management of risks within the chosen risk tolerances.

24. The meanings of terms such as risk appetite, risk preferences, and risk tolerances vary across the industry and in

reference materials. Appendix 1 contains the definitions our criteria use. The criteria concentrate on the processes

around the establishment and use of risk appetite, rather than the precise definitions insurers use.

25. Insurers with a positive score on risk management culture typically demonstrate a thorough understanding of the

enterprise risk profile in relation to its risk appetite, a well-defined risk appetite framework, and a track record of

containing risk exposures within the chosen tolerances and limits. Such risk appetite framework typically means active

involvement from the Board, and strong buy-in from senior management and business units, while being well aligned

with the organization's strategic goals, resources, and value proposition. There are clear rationales supporting the

chosen risk tolerances and limits. The insurer typically is able to articulate the direct linkage between enterprise risk

preferences, risk tolerances, and risk limits and policies.

26. A neutral subfactor score is assigned to insurers with a risk appetite that is less clearly defined or communicated or

hasn't extended to all key risk exposures. An insurer with a neutral score generally has a system of risk limits in place

on its key exposures, although these limits might be fairly simple or not directly linked to overall risk tolerances.

27. Insurers with a negative score have failed to demonstrate a clear understanding of their risk profile. That is, their risk

appetite is either unclear or inconsistent or not supported by robust risk/reward metrics. Either the insurer has not

imposed limits on some of its key exposures or its risk limits are overly aggressive to allow for outsized risk taking.

Risk reporting and communication

28. A positive risk management culture score typically is consistent with an insurer's extensive and clear communications,

both internally and externally, around its risk exposures and ERM practice. Such insurer has a long-standing culture of

risk communicating and sharing, supported by a web of comprehensive and frequent risk reporting around all key

areas of risk exposures. Enterprise risk profile and risk management practices are typically clearly communicated

internally (to the Board, senior management, and to business level) and externally (notably to regulators, investors, and

analysts). Also supporting a positive score is an insurer's commitment to a high level of transparency during its

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 9

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

discussions with Standard & Poor's. For example, the management is open to discussing with external constituents

lessons learned from past mistakes or current areas of improvement.

29. A negative score is assigned to insurers with only very limited internal risk communications to the Board or external

disclosure about its risk management practices; or if the insurer uses risk reports that are not frequently updated or not

granular enough to reflect its risk exposures; or if the insurer has a track record of failing to disclose key enterprise risk

exposures and risk management information.

30. An insurer will get a neutral score if it fits into neither the positive or negative category.

Incentive compensation structures

31. The alignment of a compensation structure with metrics that encourage long-term goals, rather than those

incentivizing excessive risk taking is an important element of a positive risk management culture subfactor. Evidence

that the insurer's incentive compensation structure rewards managers based on an analysis of risk/return tradeoffs,

and that it is consistent with the insurer's strategic goals and objectives, generally supports a positive risk management

culture score.

32. Incentive compensation structures not supported by robust risk reward metrics that reward managers predominately

using medium- to long-term profitability targets, but that do not promote short-term risk taking, are consistent with a

neutral subfactor score.

33. A negative score is generally assigned where short-term profitability or business-volume is the key influence of an

insurer's compensation design.

34. The analysis of an insurer's risk management culture subfactor involves assessing the above-mentioned components,

as well as considering the reflection of risk management culture in the other ERM subfactors.

Risk Controls

35. The second subfactor, risk controls, analyzes the processes and procedures insurers employ to manage their key risk

exposures within the general areas of credit and counterparty risk, equity risk, interest risk, insurance risk (including

reserving risk), and operational risk. The specific risks on which the analysis focuses are a function of the insurer's

business and risk profiles. For example, market risk is a focus for an insurer with a large U.S. variable annuity business

or a large U.K. life with-profits business, but not so much for a property and casualty insurer with only short-term

liabilities and limited equities and real estate in its investment portfolio. The analysis may also extend beyond these

broad risk categories, for example, to merger and acquisition (M&A) risks if the insurer has an acquisitive business

strategy.

36. To score the risk controls subfactor for an insurer, the criteria first require scoring of the risk controls of each of the

insurer's material risks as positive, neutral, or negative. The combination of these individual risk controls scores

determine the overall risk controls score using the same scale of positive, neutral, or negative. Each risk's relative

importance to the insurer's overall risk profile determines its weight in the score combination. Table 3 describes the

general guidelines used to derive an insurer's risk controls subfactor score from the individual assessments of risk

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 10

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

controls on the insurer's key risks.

Table 3

Risk Controls Subfactor Assessment

Score Guideline

Positive Risk controls of materials risks are predominantly scored positive; no risk controls of an individual risk is scored negative

Neutral All other combinations

Negative One or more risk controls of material risks is scored negative

37. To arrive at one individual risk control score for each of the insurer's major risks, various aspects of the risk control

process, including risk identification, risk measurement and monitoring, risk limits and standards, the procedures to

manage risks to stay within limits, and the execution and the results or effectiveness of such risk control programs, are

analyzed. The criteria also consider risk limit enforcement processes and the insurer's practice of learning from its

own, or the industry's, experiences. The combined quality, comprehensiveness, and effectiveness of these aspects of

an insurer's risk controls lead to the assessment of risk controls for each of the insurer's major risks.

38. A positive individual risk control score is assigned if the insurer has an effective risk control program in place to

consistently identify, measure, monitor, and manage the risk exposures and is able to demonstrate a track record of

effectively managing risk exposures within pre-determined risk tolerances, even during stressful periods. Such program

generally involves an established risk-specific risk management structure, comprehensively identifies risk exposures

from all sources, employs frequent risk monitoring and risk reporting using multiple appropriate risk metrics, has a

formal and clearly-communicated risk limit system, and uses multiple risk mitigation strategies to proactively contain

exposures to be within risk limits. The insurer follows clearly defined risk limit enforcement policies and promptly

addresses breach of risk limits. A risk control program that receives a positive score is also characterized by the

insurer's continuous efforts to review the program's effectiveness and to improve the program based on new

developments as well as lessons learned from the past.

39. A neutral assessment typically indicates that the insurer has generally effective risk control programs in place to

identify, measure, monitor, and manage the risk. However, the risk control program is less comprehensive or effective

than one in the positive category. Fairly new risk control programs are typically scored as neutral until there is a track

record of consistent effectiveness. An insurer with limited exposure to a risk and consequently a relatively simple

control program that is commensurate with the exposure would receive a neutral score.

40. Generally, a negative assessment occurs only if that particular risk is a material exposure to the insurer and there are

major deficiencies in the insurer's risk control processes. Examples of such deficiencies include, but are not limited to,

the insurer's history of incurring losses outside its risk tolerance, lack of a consistent process to identify risk exposures

from all sources, informal and infrequent risk monitoring and reporting using overly simplistic risk measures, lack of

formal and well-communicated risk limits, and observed prolonged breach of risk limits without justification or timely

action. A negative score is also assigned if the insurer deliberately takes on outsized risk positions in an attempt to

speculate on future market movements.

41. The main risk categories in the analysis of an insurer's risk controls are:

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 11

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

• Credit risk, • Interest rate risk, • Market risk, • Insurance risk, and • Operational risk.

42. Appendix 2 provides examples of how we assess risk controls of each of the insurer's major risks, taking into

consideration the various aspects of risk control processes (as described in paragraph 37), including risk identification,

risk measurement and monitoring, risk standards and limits and limit enforcement, risk management, and risk learning.

Appendix 2 also provides examples to illustrate how we analyze risk controls of each one of the main risk categories,

including credit, interest rate, market, insurance, and operational risks. These examples are for illustrative purpose only

and should not be interpreted as either a constraining or exhaustive list based on which we form our assessments.

While some of these risks and the related risk control practices are common to all insurance companies, others are

more relevant to individual insurers in specific sectors. As such, the scope of our analysis is adjusted to reflect an

individual insurer's risk profile.

Emerging Risk Management

43. The emerging risk management subfactor analyzes how the insurer addresses risks that are not a current threat to

creditworthiness, but could become a threat in the future. In addition, it assesses the insurer's level of preparedness if

those emerging risks materialize. Such risks could derive from areas such as regulation, the physical environment, the

macroeconomic environment, and medical developments. Effective emerging risk management serves as an

early-warning system so that such risks do not catch the insurer by surprise.

44. The subfactor is scored positive if evidence shows that the insurer has well-established processes to consistently

identify, assess, monitor, and potentially mitigate the threat of each identified emerging risk if necessary. Typically,

insurers that receive a positive score perform scenario analysis to estimate the impact of possible adverse events on

the insurer's reputation, liquidity, and overall financials, taking into consideration existing and new risk mitigation and

contingency plans.

45. The score is neutral if the insurer has some processes in place for anticipating emerging risks and envisioning their

significance, but these processes are limited to the identification of the emerging risks with limited or no measurement

and mitigation.

46. If an insurer doesn't have any emerging risk management process, either formal or informal, or has experienced

outsized losses due to past failures to identify emerging risks and hasn't shown sufficient evidence of having learned

from such experiences, it would receive a negative score.

Risk Models

47. Risk models are an integral part of a robust ERM framework. They are used extensively to measure risk exposures, test

risk correlation and diversification, validate risk mitigation strategies, and quantify capital requirements for a given risk

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 12

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

profile. The subfactor covers not only the risk models related to distinct risks (for example, credit, market, insurance,

and operational) and enterprise risk aggregation across risks, but also other models used in the insurer's day-to-day

operations, including pricing, valuation, and projections. If available, the analysis factors in the insurer's economic

capital model where the insurer measures its overall risk exposure considering correlation and diversification.

48. The analysis of risk models focuses on assessing the robustness, consistency, and completeness of the insurer's risk

models, including, where relevant, its development and use of an economic capital model, and the processes for model

governance and validation. The subfactor score reflects the comprehensiveness and quality of the risk models used,

the risk measures adopted, the methodology, data and assumptions used, the incorporation of risk-mitigation activities

in those models, the infrastructure to support the risk models, how the model results are used, and whether model

limitations are communicated and understood by the risk managers and senior management.

49. The score is positive if the insurer's risk model system captures the insurer's material risk exposures and the

interrelation between risks. The models have undergone extensive validation and are under a rigorous model

governance process. Such risk models typically employ comprehensive metrics to measure risk. They generally have

the capability to perform both comprehensive stochastic analysis and deterministic stress scenario analyses. Model

risks are fully understood by the insurer and have been compensated with thoughtful judgment whenever possible.

Also, characteristics of a positive subfactor score include evidence that the insurer uses model results extensively in

making ERM decisions. For example, risk models are used to ensure risk exposures are within the predetermined risk

tolerances to compare and validate risk mitigation strategies.

50. While an economic capital model is a substantive enhancement to any risk model system in that it provides a valuable

enterprise-wide and economic-based view of the insurer's risk profile, the existence and the use of the economic

capital model is not a pre-requisite for a positive risk models subfactor score.

51. The score is neutral if the insurer has effective models in place for its materials risks, but the risk models are less

comprehensive or robust compared to those in the positive category; or if the results of these models are not used

extensively in guiding risk management decisions.

52. The score is generally negative if:

• The risk models are not complete or granular enough to accurately reflect the insurer's major risk exposures and enterprise risk profile;

• The reasonableness of the methodologies and assumptions used, or the robustness of the model validation and the process to obtain data used in the models, is questionable;

• The insurer's use of risk models is limited to satisfying the regulatory requirements; or • The insurer performs limited sensitivity or stress testing, or has shown no or limited use of model results in

decision-making.

Strategic Risk Management

53. Strategic risk management is the process through which insurers facilitate the optimization of risk-adjusted returns,

starting with a view of the required risk capital and a well-defined process for allocating capital among different

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 13

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

products, lines of business, and risk factors. The strategic risk management subfactor assesses the insurer's program to

optimize risk-adjusted returns and to evaluate and prioritize strategic options on a level playing field. The analysis is

based on evidence of situations where the insurer has made strategic decisions using economic risk/reward metrics

that are consistent with its risk appetite; and on how an insurer balances other concerns, including regulatory and

accounting considerations. The analysis focuses not only on the choice and outcome of the strategic decisions, but,

more importantly, on the risk/reward rationale underlying the insurer's chosen strategy.

54. The score is positive if the insurer executes consistent and effective risk-reward analysis in the majority of the key

areas of analysis, including the company's strategic planning, product pricing and re-pricing, strategic asset allocation,

reinsurance strategy and net retained risk profile, new risk-bearing initiatives (including M&A, entry into new markets),

capital and/or economic capital budgeting, and optimization of risk-adjusted returns. The score is positive only if the

insurer demonstrates a history of successful execution of its strategic risk management program, including for example

better-than-peer risk-adjusted returns and a track record of successful M&A that is consistently accretive on a

risk-adjusted basis.

55. The score is neutral if the insurer does execute some risk-reward analysis in some of the key areas and plans to add the

rest eventually. However, the insurer uses an approach to optimize risk-adjusted returns that is based on relatively

simplistic capital metrics compared to that used by insurers with positive scores. The score could also be neutral if an

insurer has developed an economic capital model and uses model results in the strategic risk management process, but

the economic capital model has limited history or credibility.

56. If the insurer doesn't use a risk-reward optimization approach in any of the aforementioned key areas, so that capital

management is very basic with no consideration of enterprise level risk reward optimization; or if the insurer's capital

management program is solely premised on the view of external constituents (e.g. regulatory capital requirements)

with no adjustments, a negative score is assigned.

APPENDIX I: Definitions

57. The criteria use the following definitions:

• Risk appetite as the framework that establishes the risks that the insurer wishes to acquire, avoid, retain, and/or reduce.

• Risk preferences as qualitative risk appetite statements that guide the insurer in the selection of risks. These qualitative risk appetite statements (risk preferences) may or may not be risk specific, but nevertheless, establish the

underlying principles for the selection of risks. For example, "The Group has no appetite for unrewarded risk", or

"The Group has an appetite for insurance risks as these are expected to be value additive".

• Risk tolerances as quantitative risk appetite statements that guide the insurer in the selection of risks. These statements typically specify maximum acceptable losses. They help the insurer to translate the qualitative risk

preferences into action by constraining the insurer's exposures to risks, as defined by its risk limits (see below). Risk

tolerances are often probabilistic in nature with reference to, for example, the insurer's solvency or earnings over a

specified period at a chosen confidence level. Examples of risk tolerances include "Maintaining capital adequacy

consistent with target rating following a 30% equity market decline" or "Constraining losses to within one-quarter's

planned earnings following a 1 in 250 year event over the following year".

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 14

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

• Risk limits as quantitative boundaries that serve to constrain specific risk-taking activities at the operational level within the business. The risk appetite statements are usually implemented within the business through the use of

risk limits. For example, an insurer may express risk limits as maximum percentage of total investments in equities,

maximum duration mismatch, or maximum exposure by geography.

APPENDIX II: Risk Controls Of Major Risks

58. This appendix provides examples of how we analyze the risk controls subfactor. For each of the insurer's major risks,

we assign one individual risk control score by assessing the overall effectiveness of the risk control processes,

including the quality of risk identification, risk measurement and monitoring, the comprehensiveness and robustness of

risk limits and standards, the rigor of the procedures to manage risks to stay within limits, and the execution and the

results or effectiveness of such risk control programs. We also consider risk limit enforcement processes and the

insurer's practice of learning from its own, or the industry's, experiences.

59. Table 4 below provides some detailed examples of how we analyze these various aspects of the risk control process in

assigning an individual risk control score. Examples that are more favorable support a positive risk control score while

the less favorable ones may lead to a negative score. We do not assign scores to each of these risk control aspects,

such as risk identification or risk limit. But rather, the combined quality, comprehensiveness, and effectiveness of all

these aspects lead to the assessment of risk controls for each of the insurer's major risks. The granularity of our

analysis is tailored based on the materiality of a particular risk in the insurer's overall risk profile.

60. The rest of Appendix 2 translates the general examples outlined in Table 4 into examples that are risk specific. These

examples are for illustrative purpose only and should not be interpreted as an exhaustive list based on which we form

our rating opinions. The risks discussed in this appendix include:

• Credit risk, • Interest rate risk, • Market risk, • Insurance risk, and • Operational risk.

Table 4

Examples Of Individual Risk Control Assessments

More Favorable Neutral Less Favorable

Risk identification The insurer has a comprehensive process of

identifying all risk exposures.

The insurer has identified all material risk

exposures.

Not all significant risk exposures

have been identified.

Risk measurement

and monitoring

The insurer monitors all significant risks on a

regular basis, using multiple measures.

The insurer monitors all significant risks,

although the process is not as

comprehensive or frequent as the leading

peers'.

The insurer’s risk monitoring is

informal, irregular, and of

questionable accuracy.

The insurer uses a combination of stochastic

analysis and deterministic sensitivity and

stress tests to ensure containment of

exposure, considering diversification and risk

correlation.

Stress testing is performed sometimes,

but the scenarios might not be stressful

enough or the results of the testing aren’t

used in decision making.

Stress testing is rarely or never

performed.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 15

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 4

Examples Of Individual Risk Control Assessments (cont.)

The insurer has comprehensive risk reports

that are updated frequently to reflect risk

profile by risk, business line, and at the

enterprise level.

Risk reports are updated regularly. Risk reports are sporadic and

inconsistent, making it difficult to

have a clear understanding of

enterprise risk profile.

Risk exposures are clearly communicated to

all levels of the organization.

Risk exposures are communicated across

the organization, but the communication

is less formal or not as extensive as that

of insurers with a positive risk controls

score.

Risk standards and

limits

The insurer has clearly documented

comprehensive risk limits, risk standards,

and early warning systems for risk taking and

risk management.

The insurer has limits for all material risk

exposures, but some of them might not

be as equally comprehensive as those of

leading peers or not clearly documented

or communicated.

Risk limits don’t exist for some

material risk exposures, or are

not documented, or are overly

aggressive to constrain risk

taking.

Risk limits are directly linked to risk

tolerances and are clearly communicated

and widely understood within the company.

Risk limits are conservative in general,

although lacking strong rationale.

Risk limits and policies are not

well communicated or

understood internally.

Risk limits are expressed in multiple

measures.

Corporate risk policies are not

completely documented or well

communicated.

Corporate risk policies don’t exist

for some material risks; product

development policies don’t exist

or don’t include any risk metrics.

The insurer clearly documents and

communicates its risk policies and has formal

corporate product development policies to

ensure new products comply with clearly

defined risk standards.

Risk management The insurer has formal programs in place

and uses multiple strategies to proactively

manage the risks within tolerances.

The insurer has risk management

programs in place, but the execution

might not be consistent all the time.

The insurer’s risk management

activities are situational, ad hoc,

and driven by individual

judgment.

The insurer has a formal risk-specific risk

management structure starting with risk

committee and dedicated resources,

supported by coordination with and effective

feedback between all related business

functions.

Risk is managed mainly at business unit

level with some coordination and

feedback between related functions.

There is no or very limited

coordination and feedback

between risk managers and other

business functions.

There are clear rationales supporting the

chosen risk management strategies and

well-defined measurements of effectiveness.

Risk is an important consideration in

product pricing and development, but the

insurer lacks a consistent way to assess

risks in new products across product

lines.

Risk is not a major consideration

in product pricing and

development.

Risk and risk management are key

considerations in product pricing and

development.

The insurer has, in general, not incurred

losses outside its chosen tolerances,

maybe with only a few exceptions.

The insurer deliberately takes

outsized risk positions in an

attempt to speculate future

market movements.

The insurer has a good track record of not

incurring losses outside its risk tolerances,

even in stressful periods.

The insurer has a history of

incurring losses outside its risk

tolerances.

Risk limit

enforcement

The insurer has clear processes to correct a

breach of risk limits and to respond to early

warning limits within a prescribed time limit.

Breaches of limits are usually corrected,

but there is no formal procedure or time

requirement to address breach of limits.

The insurer’s review of

compliance of limits is irregular,

and often there are no

consequences or actions for

exceeding limits.

There is frequent monitoring of compliance

against all established risk limits and policies.

The insurer monitors compliance of risk

limits and policies, but less frequently or

rigorously than the leading peers.

Observed evidence of prolonged

breach of limits without

justification or action.

Special situations falling outside the limits

are constantly monitored until resolved.

Key risk exposures are generally

managed within limits.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 16

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 4

Examples Of Individual Risk Control Assessments (cont.)

All risk exposures are managed within

chosen risk limits.

Risk learning The insurer has a defined process to analyze

and learn from past losses, near-misses, as

well as successes; enhancements to ERM

framework occur as a result of such process.

The insurer reviews loss events, but such

reviews are more ad-hoc in nature and

do not necessarily lead to actions.

The insurer quickly puts loss

situations behind without review

or with a review of limited scope.

The insurer might also perform back-testing

to ensure the effectiveness of the changes

and enhancements.

The insurer might also institute

drastic changes to the ERM

program as a result of recent

losses but without sound reasons.

Credit risk controls

61. Credit risks are the exposures an insurer faces from incurring economic losses caused by the default of another

company on that company's obligations, or losses from the perceived or actual deterioration of another company's

creditworthiness. Credit risk exposure could also come from counterparty risk, which is the risk of counterparties

failing to fulfill their obligations in full and in a timely manner. Typical counterparties for an insurer are reinsurers,

derivative counterparties, and other business partners, including banks, brokers, and dealers and third party

administrators. Credit deterioration of these entities can also create credit risk. In addition, some insurance liabilities

have a very high correlation to credit risk, such as director's and officer's coverage. In evaluating credit risk controls at

insurance companies, it is important to acknowledge that there may be a high degree of correlation between these

sources of exposures.

62. To assess an insurer's credit risk controls, we evaluate the processes and practices around risk identification, risk

measurement and monitoring, risk limits and standards, enforcement of risk limits, risk management, and risk learning.

The assessment of strength and effectiveness of all these aspects supports our view of the overall robustness of the

insurer's risk control program on credit risk controls.

63. Table 5 provides some examples of the credit risk-specific evidence that informs our analysis. These examples are

consistent with the examples in Table 4.

Table 5

Credit Risk Controls Assessment

Positive Neutral Negative

The insurer has identified and captured all potential credit

risk sources (for example, investment portfolios, derivative

counterparties, credit default swaps [CDS], brokers,

reinsurers, policyholders), and exposures are aggregated

across all sources.

The insurer has identified and captured all

major credit risk exposures, including the

investment portfolio and key

counterparties, and aggregates all major

credit exposure.

Insurer does not, as a practice, identify

credit risk other than within the

investment portfolio while it is

exposed to other sources.

The insurer uses multiple metrics to measure credit

exposure, incorporating both internal and external credit

assessments. It may also use other parameters such as

movements in equity prices, including advanced

frameworks such as value at risk (VaR) or the Merton

model.

Credit exposures are measured using only a

few relatively simple metrics.

Credit risk is mainly managed at

portfolio or business unit level. The

insurer doesn’t aggregate exposures

across the enterprise and all sources.

The insurer’s risk control framework takes into

consideration codependences between sources of credit

risks.

The insurer’s modeled credit loss doesn’t

incorporate the actual concentrations of

credit risks or codependences among

various credit risk sources.

Credit risk exposure information is not

made readily available to those

making credit decisions.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 17

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 5

Credit Risk Controls Assessment (cont.)

The insurer performs frequent stress testing, including both

systemic and single obligor/sector credit events.

The insurer uses a system of credit limits,

but there is no clear linkage to the insurer’s

risk appetite.

The insurer uses a simple metric to

monitor credit risk.

The insurer has comprehensive credit risk limits (for

example, single obligor, credit quality, concentration by

geography and sector).

The insurer relies mainly on external credit

assessment to monitor creditworthiness.

Risk limits do not exist, are not

documented, or are overly broad to

provide any constraining effect on

credit risk-taking.

Risk limits are expressed in multiple measurements, e.g.,

limits around notional amount (e.g. market value as a

percentage of total invested assets) as well as around

exposures (e.g. value-at-risk, max dollar value change due

to spread widening).

The insurer performs stress testing, but the

testing is not as frequent or as sophisticated

as that of the leading peers.

The insurer uses simplistic credit risk

measures and management

techniques; however, decisions are

frequently made based on the

judgment of the portfolio manager.

Counterparty risk exposures are strictly managed through

a centralized counterparty approval process and the use of

a combination of minimum rating requirement, frequent

monitoring of obligor creditworthiness, and collateral

requirement.

64. An insurer's interest risk controls are the (i) processes of identifying and measuring the exposures through its portfolios

of assets and liabilities to losses resulting from movements in interest rate risk components and (ii) managing and

mitigating such risks to be consistent with the insurer's business goals and risk appetite. Our analysis therefore

considers the factors that can cause assets and liabilities, including hedge instruments, to expose insurers to potential

downside financial risks.

65. Interest rate risk can arise from a variety of sources and is typically most significant in cases where the assets and/or

liabilities are long term in nature, or product profitability is sensitive to asset performance, or assets and/or liabilities

contain implicit or explicit options that cause the cash flows to change dynamically based on interest rate movements.

Examples exclude options in the investment portfolios (e.g. call options and prepayment) as well as options granted to

policyholders in the liability portfolios (for example, flexible premiums, lapse, and withdrawal). Interest rate risk may

arise from exposures to absolute changes in interest rate rates, relative changes in interest rates (spread relationship),

and interest rate volatilities. For each of these, an insurer's exposures could be to one or more points along the term

structure and, in some cases, to interest rate movements in multiple financial markets.

66. Table 6 provides some examples of the interest rate risk-specific evidence that informs our analysis.

Table 6

Interest Risk Controls Assessment

Positive Neutral Negative

The insurer has identified and captured all exposures

from assets, liabilities, and hedge instruments to all

sources of interest rate risks (e.g. change in yield

curve level and shape, volatility, spread, and spread

volatility).

Insurer has identified and captured all major

interest rate exposures from assets liabilities and

hedge instruments.

Insurer has only identified some of

the interest rate risks of its assets or

liabilities.

All relevant component exposures are measured and

monitored using multiple metrics (e.g. duration, key

rate duration, spread duration convexity, value at risk

[VaR], dollar duration, capital at risk) at both the

sub-portfolio and the enterprise level.

The insurer segments asset and liability portfolio

into homogeneous sub-portfolios with clear

interest rate risk limits.

The insurer doesn’t have a formal

framework to control interest rate

risks; interest rate risk monitoring is

infrequent and primarily takes place

to meet regulatory requirements.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 18

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 6

Interest Risk Controls Assessment (cont.)

Asset and liabilities are segmented into sub-portfolios;

interest rate risk limits, e.g. cash flow/key rate

duration/convexity mismatch limits, are employed for

each sub-portfolio as well as at enterprise level.

The insurer monitors multiple metrics, but the key

focus of risk monitoring and risk limits is duration

only; or captures only the impact of absolute rate

changes at one or multiple points along the term

structure.

The insurer doesn’t segment its

portfolio, even when underlying

asset and liabilities have varying

interest rate risk characteristics.

Stress testing analyzes the impact on the insurer’s

financials, liquidity, and underlying economics of

scenarios such as low interest rates, rate spikes,

systemic and idiosyncratic spread movements, taking

into consideration the interaction between asset and

liability cash flows.

Performs sensitivity and stress tests to analyze the

impact of interest rate movements; however, such

analysis might not capture the dynamic

interaction between asset and liability cash flow

(e.g. uses static lapse assumption for interest

sensitivity products regardless of rate

movements).

The insurer performs very limited

stress testing and lacks thorough

understanding of the impact of

adverse interest rate scenarios.

The insurer uses multiple interest rate risk

management strategies, including active management

of “inforce” business, strategic asset allocation, and

hedging.

The insurer uses appropriate interest rate

management strategies, including inforce

management and product pricing.

There is evidence of substantial

breach of interest rate risk limits

without remediation.

The insurer’s product development team works

closely with interest rate risk management team to

develop investment and/or hedging strategies and to

ensure new products have desirable asset liability

management (ALM) characteristics.

Although risk is an important consideration, risk

management is not an integral part of the product

development process as it is in the case of insurers

with a positive assessment.

Management deliberately takes

interest rate positions to speculate

on future rate movements.

There is no or very limited

coordination between risk

management, product pricing, and

inforce management.

Market risk controls

67. Our analysis of an insurer's market risk controls mainly focus on its process of capturing the exposure to equity, real

estate, and foreign exchange risk and its ability to manage and mitigate such risks to within the insurer's

pre-determined risk tolerances. Since foreign exchange risks are generally managed fairly tightly at insurance

companies, we typically place more emphasis on equity risks (where applicable).

68. The major sources of an insurer's exposures to equity and property risks are its investments in equities, equity linked

securities, and insurance liabilities that contain embedded options or guarantees that are linked to equity and real

estate investment performance, which include variable annuities, equity indexed annuities, and with profit funds.

Equity risk also manifests itself through the volatility of account-value-based fee revenues that fluctuate as a result of

equity market movements.

69. Given the potential volatility of equity and real estate risks relative to other risk drivers, we view the analysis of an

insurer's market risk controls as a critical part of ERM analysis in instances where the insurer provides certain of the

products listed above, or where equities and real estate related investment form a substantial portion of the insurer's

investment portfolio. During periods of economic stress, a sharp decline in equity markets or drastic increase in equity

market volatility could put significant strain on these insurers' financial condition. We also analyze risk controls related

to foreign exchange risks, especially for insurers with a substantial international business or international investments

outside their home country currency.

70. While all insurers are exposed to market risks to certain degrees, some insurers' exposures are fairly limited. Such a

limited exposure lowers the importance we place on this portion of our ERM analysis. In such cases, we focus on the

insurer's risk controls that are commensurate with the limited exposure and would not always view the use of a

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 19

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

sophisticated equity hedge program necessary for a neutral risk control score here. In other instances where equity risk

is a key risk exposure of an insurer, our assessment involves an in-depth analysis of the insurer's ability to manage the

risk, including the complexity of risk metrics used, the frequency and robustness of risk reporting, the risk mitigation

strategies in place, the instruments used to hedge exposures, the choice of hedge targets, and hedge effectiveness and

characteristics of embedded options in the liability portfolio. We also assess the product pricing and development and

inforce management process in the context of equity risk controls.

71. Table 7 provides some examples of the market risk-specific evidence that informs our analysis.

Table 7

Market Risk Controls Assessment

Positive Neutral Negative

The insurer has identified and captured equity, real estate, and

foreign exchange exposures from all sources.

The insurer has identified and captured

equity, real estate, and foreign exchange

exposures from major sources.

The insurer has only identified

and captured equity, real estate,

and foreign exchange exposures

from its investments and lacks a

clear understanding of its

exposures through its liabilities, if

applicable.

Frequency of risk measurement and monitoring is consistent

with tolerance and hedging strategy (e.g. dynamic strategy vs.

static strategy using over the counter derivatives).

The insurer frequently monitors multiple

risk metrics and has risk limits in place, but

the metrics used and stress tests performed

are not as comprehensive as those for an

insurer with a positive score.

The insurer uses only a few

simple metrics to monitor equity

exposures through the liability

and/or hedge portfolio (if

material), e.g. account value only.

The applied metrics capture all relevant component equity

risks (e.g. Delta, Gamma, Vega, and Rho), on both gross and

net of hedges. The insurer performs supplemental stress tests

and supplemental historical VaR.

The insurer has a hedge program or other

risk mitigation strategies in place if equity

and/or foreign currency exposures are

material.

The insurer applies overly simply

risk limits, mainly on its

investments, or very broad risk

limits that provide no

constraining value.

The insurer uses comprehensive risk limits expressed in

multiple metrics (e.g. equity as a percentage of invested assets,

single name/industry limits, the Greeks, VaR).

Hedge program is generally effective, but

hedging targets are not backed by a clear

rationale. Hedging coverage is low relative

to the risk tolerances.

The insurer performs very limited

or no stress tests beyond

regulatory requirements.

The insurer effectively measures foreign exchange exposure in

all currencies it has exposure to and has stated risk limits to

movements in foreign exchange exposure because of each

relevant currency.

Hedge performance is monitored, but

limited hedge performance or attribution

analysis is performed.

The insurer doesn’t have a hedge

program at all (if it has material

exposures) or such program does

exist, but exposures are outside of

its tolerances and such program

provides no practical value.

The insurer applies hedging strategies and risk mitigation

techniques to ensure retained risk exposures are within defined

risk limits.

The hedge portfolio is rebalanced frequently

enough to reflect the market developments,

but is less responsive on risk mitigating

product strategies.

Other risk mitigation strategies

(such as bonus policies and use of

surplus capital buffers policies)

are not well defined or ineffective

in times of stress. The insurer

does not perform adequate

studies about profit distribution

and capital sustainability.

The insurer has clearly defined hedge targets (e.g. protection of

capital, reduction of earnings volatility, economics) and has

been very effective in achieving the chosen targets; unhedged

residual exposure is fairly small and within risk tolerances.

The insurer may have risk mitigation

strategies in place similar to insurers with a

positive assessment, but there is evidence

that these strategies were not fully

implemented or effective during financial

crises. These strategies are regularly

reviewed based on profit distribution and

capital sustainability under a range of

market scenarios but mainly based on

scenario testing.

The insurer deliberately takes

outsized risk positions to

speculate on future market

movements.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 20

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 7

Market Risk Controls Assessment (cont.)

The insurer closely monitors hedge performance and

frequently rebalances, if hedge strategy necessitates, to reflect

trends and developments, including deviation of policyholder

behavior from expected and higher-than-expected market

volatility.

The insurer relies mainly on third party

software with some vetting, but has a

limited view of potential model limitation

and model risk.

Thorough hedge performance, basis risk, and attribution

analysis and results are used to support hedge program

enhancements or changes, model improvements, product

development, and inforce management.

Equity risks and risk controls are an

important consideration in product

development and inforce management.

The insurer has well-defined and embedded risk mitigation

strategies (such as adjusting policyholder’s profit distribution,

use of surplus capital buffers, re-pricing of guarantees, and

change in equity and real estate exposures to reflect capital

buffer). There is a track record of these strategies being

implemented in times of stress. These strategies are also

regularly reviewed based on extensive studies about profit

distribution and capital sustainability under a wide range of

market scenarios utilizing stochastic modeling and scenario

testing.

Risk managers work closely with product managers to embed

risk mitigation strategies in product development and inforce

management.

Life and health insurance risk controls--mortality, longevity, morbidity, and policyholder behavior risks

72. Most life insurers are exposed to mortality risk, longevity risk, morbidity risk, and policyholder behavior risks, while

health insurers are typically exposed to morbidity risk. These risks arise from the deviations of actual experiences from

those expected in pricing and reserving and could potentially hurt product profitability if adverse deviations exceed the

margins built into the product by the insurer. An insurer's exposure to these insurance risks depends on its product

offerings and benefit structures. Therefore, our assessment of insurance risk controls focuses on an insurer's key

exposures given its liability profile.

73. Table 8 provides some examples of the life and health insurance risk-specific indicators that inform our analysis.

Table 8

Life And Health Insurance Risk Controls Assessment--Mortality, Longevity, Morbidity, And Policyholder Behavior Risks

Positive Neutral Negative

The insurer has identified and captured exposures from all

sources (e.g. underwriting, mortality volatility, concentration,

pandemic) and has a clear understanding of all potential

policyholder behavior risks (e.g. lapse, flexible premium,

annuitization, withdrawal), especially the “in-the-moneyness”

of policyholder options.

The insurer has identified and

captured exposures from all major

sources and has some understanding

of potential policyholder behavior

risks.

The insurer has not clearly identified

major exposures.

The insurer performs frequent and comprehensive experience

studies to compare actual experience vs. expected (including

mortality rates, morbidity claim incidence and severity,

policyholder demographic distribution, concentrations);

experiences in recent years have generally been favorable.

The insurer performs some experience

studies, but not frequently enough

compared to the trends and

development.

Experience studies are either not

performed, or are too infrequent or

simple to provide real value. There is

very limited monitoring of new business

and inforce experiences.

The insurer has formal limits that are directly linked to its risk

appetite (e.g. retained risk, concentration).

The insurer has clear underwriting

standards that are well documented

and communicated.

Retention limits and the use of

reinsurance are ad-hoc.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 21

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 8

Life And Health Insurance Risk Controls Assessment--Mortality, Longevity, Morbidity, And Policyholder Behavior Risks (cont.)

The insurer has clear underwriting standards and authorities

that are well documented and communicated; compliances

are closely monitored and rigorously audited.

Retention limits are in place, but not

necessary linked to risk tolerances.

Underwriting standards do exist, but the

enforcement lacks rigor. Limits and

standards are breached without

remediation.

The insurer has a disciplined product development process

and close monitoring of new business sales and inforce

business experiences on all key profitability drivers.

Some feedback from experience

monitoring and study to other areas

(claim management, underwriting,

product development and risk

management), but generally lag

behind experience developments.

The insurer has a history of overly

optimistic/aggressive assumption

setting that isn’t supported by any

experiences studies or research.

The insurer has an effective feedback loop from experience

monitoring and studies to claim management, underwriting,

product development, and risk management areas.

Pricing and valuation assumptions are

generally set conservatively based on

relevant experience; however, limited

sensitivity and stress testing is

performed to test the robustness of

these assumptions.

The insurer has had continued

unfavorable experiences in recent years

compared to pricing or reserving and no

action was taken.

Pricing and valuation assumptions are set prudently and are

refreshed frequently to reflect recent experiences; product

benefits are structured to discourage excessive policyholder

anti-selection. The insurer performs extensive sensitivity and

stress testing in pricing and valuation on key insurance

assumptions, especially those with less credible experiences.

Property and casualty risk controls--reserve and claim management risks

74. This section, as well as the next two sections, provide examples of how Standard & Poor's assesses risk controls

related to property and casualty insurance risks.

75. Loss reserves tend to be the largest source of uncertainty in the balance sheets of many property and casualty insurers.

Loss reserve is the estimate of funds required in order to fulfill all claims arising from prior policies. The ultimate

amount of these future payments can be highly uncertain, both in terms of the amount and the timing. Reserving risk

relates to the uncertainty surrounding (1) the level of reserves that will ultimately be needed to meet all liabilities and

(2) the timing of those liabilities. Claims risk arises when claims paid deviate significantly from the insurer's expectation

due to irregularities in the claim management processes, insufficient rigor to the claims process, or unexpected

legislative, regulatory, or court intervention in the claims process. The processes, controls, and reviews used to

manage the uncertainties around loss reserves and claim management form the foundation of our analysis of an

insurer's reserve risk controls.

76. Table 9 provides examples of an insurer's loss reserve and claim management risk control indicators that inform our

analysis.

Table 9

Property And Casualty Risk Controls Assessment--Reserve And Claim Management Risks

Positive Neutral Negative

The insurer has a track record of reserve release consistent

with target reserve levels and has an effective feedback

loop from actuarial to underwriting to claim management.

The insurer has no major adverse reserve

development for recent underwriting years.

The insurer has experienced chronic

adverse development.

The insurer uses a centralized reserving function

independent from the risk-taking business function, with

coordination and support from all business functions and

units.

The insurer shares information among

actuarial, underwriting, and claim

management, but the feedback loop may not

always be very effective.

The insurer exhibits lack of adequate

understanding and modeling of the

risk of adverse loss development.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 22

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 9

Property And Casualty Risk Controls Assessment--Reserve And Claim Management Risks (cont.)

Assumptions (e.g. claim-cost-trend and loss-development)

are robustly set and justified, and allow for emerging

changes in the development of premium, losses, and

claims.

Reserving is predominately a province of

business units, but there may be some

coordination through the headquarters

office.

Reserving is disconnected from

claims and might be pressured from

underwriting.

The insurer uses appropriate and extensive data in setting

assumptions; performs thorough reconciliation to ensure

completeness and reliability; may supplement internal data

with external one.

Reserves are based on traditional actuarial

ultimate-loss projections calculated and

reviewed by qualified actuaries.

Reserving is fragmented in business

units without centralized coordination

or supervision.

The insurer uses stochastic reserve models to help

evaluate the risk of adverse reserve development and may

also feed that information into economic capital models.

The insurer performs sensitivity analyses

(e.g. to high claim-cost inflation) to help

assess reserve adequacy.

The insurer uses overly optimistic

assumptions.

The insurer has deep in-house expertise, supplemented by

the use of external expertise.

The insurer has well-defined claims

management authority levels.

The review process is unsatisfactory

and has failed to reveal chronic

issues.

The insurer employs a robust review process, including

both internal and third party actuarial reviews (beyond

audit).

There are no claims management

authority levels or they’re not applied

in practice.

The insurer has a well-defined and extensive claims

management framework with clear authority levels, which

are consistently applied.

Property and casualty risk controls--underwriting, pricing, and cycle management risks

77. P/C insurers typically establish multiple controls to address the risk that the premiums charged for unearned business,

together with the premiums to be charged for prospective business, may be insufficient to cover losses experienced

and expenses incurred from these exposures. Specifically, underwriting risk is the risk that the insurance coverage

offered has a different risk profile and therefore different loss distribution than is needed to achieve the targeted

profitability. Pricing risk may arise even when the coverage offered has the exact risk characteristics that were

expected in pricing, but the loss distribution differs from expectation. The differences emerge because the process that

formed the expected loss distribution was flawed in some way. For example, the process flaw could be due to bad

data, bad process, or an unanticipated change in trend. Cycle management risk is the risk that the insurer writes

business during a soft market that is later found to have claim costs significantly higher than premiums because of

higher claim frequency/severity and/or softer policy terms and conditions.

78. An insurer uses controls associated with underwriting, pricing, and cycle management to ensure that risks are

adequately priced. To achieve so, pricing needs to proactively take into account the industry cycle, and to prevent

adverse risk selection, especially in a soft cycle. In assessing the strength of these controls, we seek evidence such as

the examples in Table 10.

Table 10

Property And Casualty Risk Controls Assessment--Underwriting, Pricing, And Cycle Management Risks

Positive Neutral Negative

The insurer has a track record of higher-than-peer

underwriting returns with low volatility.

There may be some pockets of strength,

but the overall results (underwriting

returns and volatility) are average

among its peers.

The insurer has experienced chronic

underperformance relative to industry and

peers.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 23

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 10

Property And Casualty Risk Controls Assessment--Underwriting, Pricing, And Cycle Management Risks (cont.)

The insurer uses a comprehensive system of

underwriting authorities (experience- and risk-based),

limits, peer reviews, and audits.

The insurer has formal underwriting

authorities and limits and performs

multiple reviews and audits, including

departmental self-audits and peer

reviews.

There are concerns about the insurer’s ability

to thoroughly understand and capture the

complexities of risks and their

interdependencies.

The insurer performs rigorous audits (including

underwriting audits and counterparty/client audits)

following a pre-defined risk-based cycle.

The insurer performs underwriting

audits following a pre-defined cycle for

all material exposures.

The insurer has underwriting authorities and

limits in place. However, the execution lacks

rigor, and there is observed evidence of

breaches of underwriting authority and limits

without remediation.

Underwriting platforms have pre-built quality controls

and facilitate information sharing and reporting.

The insurer performs some analyses of

pricing trends, and provides quantitative

support to pricing, although such

analysis isn’t as advanced or

comprehensive as leading peers’.

There is evidence of top-line based incentives

for underwriters that provide incentive for risk

taking.

The insurer uses a portfolio (enterprise-wide,

ECM-informed) approach to setting risk-adjusted

underwriting targets.

Instances of underpricing are rare, and

corrective actions are prescribed and

taken, although the insurer might not

have a formal remediation plan in place.

There is evidence of insurer’s excessive

exposure concentrations and lack of intent to

better diversify the portfolio.

The insurer has in place robust cycle-management

plans and has demonstrated a record of disciplined

and stable pricing and terms over the course of a

cycle.

The insurer’s compensation system

provides no incentive to chase top-line

results.

The insurer uses advanced analyses of pricing and

exposure trends using a comprehensive basket of

tools (e.g. expert opinion, trade journals, broker

survey, premium rate indices); such analysis provides

robust quantitative support to pricing.

The insurer uses cost/benefit analyses

in reinsurance purchase decisions.

The insurer uses multiple risk management strategies

with a goal to optimize the balance between risk

retention and risk transfer (e.g. reinsurance,

catastrophe bonds) for maximum cost-efficiency and

capital utilization.

Close coordination across different business lines,

geographies, as well as with areas such as actuarial,

claims, and legal.

Property and casualty insurance risk controls--catastrophe risks

79. Catastrophe risk is the risk that a single event, or series of events of major magnitude, usually over a short period,

leads to a significant deviation in actual claims from the expected claims. Such events can occur naturally, such as

tornadoes, floods, or earthquakes, or they can be man-made, such as an accidental explosion or an act of terrorism.

These events are typically infrequent but significant in loss potential. Writers of commercial lines, personal lines, and

reinsurance lines may all face catastrophe risks within their insurance portfolio.

80. Given the potential devastating effect of catastrophic events on an insurer's financial health and the substantial

challenges in quantifying exposures and losses related to catastrophic events, an insurer's risk controls of catastrophe

risks is of crucial importance to its sustained financial health, even survival in some instances. Our analysis focuses on

the insurer's risk management program around catastrophe risk if it is deemed a material exposure of the insurer. Key

areas of our assessment include:

• The insurer's risk tolerance for catastrophe risk and the analysis behind chosen tolerances; • Risk correlations: although many insurance risks often have inherent correlations, these correlations tend to be even

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 24

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

more pronounced during extreme events, exacerbating the adverse impact; and

• Modeling risk: quantifying exposures and potential losses related to catastrophic events is a challenging task and even the best modeling efforts are susceptible to errors and misuse.

81. Table 11 provides some examples of the catastrophe risk-specific evidence that informs our analysis.

Table 11

Property And Casualty Risk Controls Assessment--Catastrophe Risks

Positive Neutral Negative

The insurer has a granular and up-to-date view of catastrophe risk

exposure.

The insurer has a granular view of

exposure in areas of high

concentration.

Catastrophe risk (if major) is not

adequately measured or monitored;

the insurer doesn’t have a clear

vision of its catastrophe risk profile.

Catastrophe risk tolerance is well defined and supported by a clear

rationale and thorough analysis.

Catastrophe risk tolerance is

defined and translated into

risk-taking limits; however, the

tolerance may not be supported by

a clear rationale.

There are no retained probable

maximum loss (PML) or

concentration limits.

The insurer has a comprehensive system of risk limits that are linked

to the chosen risk tolerances; risk-taking is strictly constrained by

limits (e.g. zonal limits).

Concentrations are monitored

across the main lines of business

relative to the limits in the most

exposed zones.

The insurer has some high zonal

accumulation of exposures that

raises concerns.

The insurer performs frequent and thorough analysis of

concentration, relative to limits; such analysis spans across all lines of

business, exposed risk classes, and geographic zone.

The insurer has some in-house

expertise, with reliance on external

(brokers, vendors, consultants)

resources.

There is insufficient data

reconciliation and checking; the

quality of data is questionable.

The insurer has deep in-house expertise, which is supplemented by

use of external resources.

The insurer has a formalized

process for vetting the service

providers, including periodic

re-evaluations.

The insurer has scarce in-house

skills and over-reliance on external

expertise (e.g. brokers); external

advice may be used without

sufficient validation.

The insurer performs regular rigorous reviews of proprietary models,

e.g. those used to capture "non-modeled" (such as severe weather)

risks, and makes continued improvements to these models; model

risks and limitations are well understood and compensated.

The insurer performs sufficient

validation of in-house models and

data.

The insurer does not conduct stress

analyses to test its ability to absorb

losses.

The insurer performs thorough validation of vendor-provided models

and data.

Stress scenarios are used to

evaluate the impact of extreme

events.

The insurer uses scenario/impact analyses (Realistic Disaster

Scenarios) to supplement stochastic models, and to help test the

effectiveness of controls (e.g. zonal limits, reinsurance, catastrophe

bonds) and ensure risk containment.

The insurer uses portfolio-based pricing, taking into account

(cross-class) exposure accumulations/concentrations.

There is a comprehensive process for ensuring accuracy of exposure data.

Health insurance risk controls--underwriting, pricing, claims management, and provider renewal risks

82. Health insurers face certain risk exposures that differ in scope from those faced by other insurers. Some of the more

significant risks are rising medical costs, changing regulations and legislation, and less-than-perfect data in the

underwriting and pricing processes. Moreover, controls to counter these risks might be effective or permissible in one

region or country, but not in another. Some health insurance risk exposures are unique in nature and require different

risk control practices. This section provides examples of how we analyze the risk controls related to these unique

health insurance risks. Examples of our analysis of health insurer's risk controls of morbidity risks are provided in table

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 25

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

8.

83. Health insurance companies use underwriting to assess the health insurance risk, either on an individual or an

employer group basis, and estimate the cost of coverage. Underwriting risk arises when the health insurance coverage

offered has a different risk profile and therefore different loss distribution than is expected and assumed in pricing.

Another factor that further complicates the underwriting risks is that not all health coverage is underwritten. For

example, large group accounts typically do not include medical underwriting of the participants, or when "community

rating" is used. Pricing risk refers to the risk that the health insurance premium is not sufficient and can't be adjusted

quickly to cover the cost of providing the health insurance coverage. This risk is particularly prominent when medical

costs continue to rise at an accelerated pace. Claim management risk includes all exposures that arise from an insurer's

practices around claim processing, reserving, and payment. Claim management risk may manifest itself as failures to

identify claims filings abuse, miss-assessment of treatment necessity, and claim-cost development.

84. Provider renewal risk arises when the health insurer experiences a drastic rise or sudden changes in health service cost

of providers, but isn't able to promptly adjust provider contracts in response to the rise or the change. Particularly

susceptible to provider renewal risks are insurers with heavy provider concentration, more provider renewals around a

particular date (for many, January 1), or limited negotiation power with providers.

85. Table 12 provides some examples of health insurance risk-specific evidence that informs our analysis.

Table 12

Health Insurance Risk Controls Assessment--Underwriting, Pricing, And Claim Management Risks

Positive Neutral Negative

The insurer uses a discipline underwriting process

with clearly defined limits (e.g. concentration

limits and minimum enrollment requirements) and

authorities.

The insurer has a system of underwriting

limits and authorities, but not as

comprehensive as leading peers’.

Underwriting limits and authorities are

blurry.

The insurer performs active monitoring and

analysis of claim experience (incidence rates and

severity), which provide feedback into the pricing

and projection process.

Claim experiences are monitored and shared

with other areas, although the feedback loop

might not be very effective.

The insurer readily assumes a large

concentration, in a certain group, sector, or

regions, even when limits are breached.

The insurer judiciously performs reviews and

audits of underwriting and claim management.

Pricing updates are mainly reactive, and the

techniques used to reflect medical cost and

health care trends are not very sophisticated.

There is a recurrence of

longer-than-expected claims process.

The insurer performs an ongoing review of health

care trends, medical advances, and medical costs

and assesses their impact as well as mitigation

strategies. In addition, the insurer uses multiple

medical care cost forecasting techniques.

There is some cost-benefit analysis of

reinsurance usage, but not very robust.

The pricing assumptions are updated

infrequently, and there is no system or

process to identify medical cost trends or

incorporate health care developments.

When possible, the insurer staggers rates renewals

throughout the year to facilitate prompt pricing

adjustments.

The compensation system provides no

incentive to chase top-line results.

The reviews and audits of underwriting and

claim management are infrequent and fail to

identify past issues.

The insurer maintains effective communication

with regulators and health care providers to

address existing and future issues to avoid

surprises.

The insurer uses standard policy provisions,

although some exceptions are granted.

The insurer routinely accepts inconsistent

policy terms and has very little pricing

power.

The insurer carefully selects reinsurance

coverage, balancing risk retention and risk

transfer.

The insurer uses more than a few providers,

but its provider network is not as diversified as

the leading peers’.

The insurer is highly concentrated in a few

providers.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 26

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 12

Health Insurance Risk Controls Assessment--Underwriting, Pricing, And Claim Management Risks (cont.)

Incentive structure is tied to the portfolio-based

performance targets that balance risk and

rewards.

The insurer has some negotiation power, but

doesn’t have the ability to consistently

negotiate more-favorable-than-peer terms with

providers.

Products and service offerings are extremely

limited in scope.

The insurer uses standard policy provisions that

are applied to all providers and consistently

maintains pricing power and has the ability to

negotiate favorable terms with sponsors and

networks.

The insurer maintains multiple providers in the

portfolio; when possible, provider contract

renewals are staggered throughout the year.

Operational risk controls

86. Operational risk for insurers is the risk of loss resulting from inadequate or failed internal processes, people, and

systems or from external events. Specifically, operational risks include information technology and business continuity

processes, environmental issues, regulation, compliance, fraud, terrorism as well as human resources, change

management, distribution, and outsourcing. Also included is reputation risk, which usually arises with or after some

other significant loss.

87. While insurers might be exposed to vastly different operational risks, some of the key elements are essential to all

insurers' operational risk controls. These include, firstly, procedures in places to systematically identify operational

risks and to monitor, assess, and mitigate those identified risks. Secondly, a sound business continuity plan (BCP) that

has undergone multiple drills. A business continuity plan comprises processes and procedures the insurer would follow

to limit the adverse impact of an event. Such event could be a natural disaster or terrorist attack that causes a major

interruption to the normal course of business operations. Our analysis also focuses on the risk controls around

operational risks that are of particular importance to the individual insurer. For examples, a health insurer's risk

controls around compliance risks.

88. Table 13 provides some examples of the operational risk-specific evidence that informs our analysis.

Table 13

Operational Risk Controls Assessment

Positive Neutral Negative

The insurer has thoroughly identified all major

operational risks using industry’s and insurer’s own

experience, with a focus on high priority risks.

The insurer focuses on compliance and uses a

bottom-up process for risk identification. The

process is mostly informed by internal audits.

The insurer has frequent incidences of

noncompliance, fraud, and system

failures.

For each key operational risk, risk owners are

assigned, close monitoring is in place, mitigation

actions are initiated, and progresses are monitored

The insurer’s identified operational risks are

prioritized (using more of an intuitive

assessment) according to their likelihood and

impact.

Operational risks are not systematically

identified, nor are they clearly prioritized.

The insurer has comprehensive compliance

standards that are clearly documented, well

communicated, and subject to rigorous compliance

reviews and audits.

The insurer has some mitigation actions in place,

but they’re not as proactive or comprehensive as

those of leading peers.

Remediation is sporadic and poorly

enforced (with no or limited

accountability).

The insurer has effective internal audit and

compliance functions that work in close

coordination with the ERM function, and help

assess and monitor operational risks.

There is a focus on disaster recovery rather than

business continuity.

There is no disaster-recovery testing.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 27

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

Table 13

Operational Risk Controls Assessment (cont.)

Business-continuity and disaster-recovery

programs are in place and regularly tested.

The insurer hasn’t suffered major losses from

operational risk events in recent years; or has

had only minor losses and the insurer quickly

revised and enhanced the program as a result.

The insurer hasn’t translated past

operational risk losses into

enhancements to the program; losses are

quickly put behind.

Loss events and "near misses" are meticulously

recorded and (along with industry data) inform the

quantification of operational risk.

The insurer hasn’t suffered major losses from

operational risk events in recent years.

RELATED CRITERIA AND RESEARCH

• Insurers: Rating Methodology, May 7, 2013 • Group Rating Methodology, May 7, 2013 • Methodology For Linking Short-Term And Long-Term Ratings For Corporate, Insurance, And Sovereign Issuers,

May 7, 2013

• A New Level Of Enterprise Risk Management Analysis: Methodology For Assessing Insurers' Economic Capital Models, Jan. 24, 2011

These criteria represent the specific application of fundamental principles that define credit risk and ratings opinions.

Their use is determined by issuer- or issue-specific attributes as well as Standard & Poor's Ratings Services' assessment

of the credit and, if applicable, structural risks for a given issuer or issue rating. Methodology and assumptions may

change from time to time as a result of market and economic conditions, issuer- or issue-specific factors, or new

empirical evidence that would affect our credit judgment.

Additional Contact:

Sridhar Manyem, New York (1) 212-438-3128; [email protected]

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 28

1388662 | 301135087

Criteria | Insurance | General: Enterprise Risk Management

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P

reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites,

www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription) and www.spcapitaliq.com

(subscription) and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information

about our ratings fees is available at www.standardandpoors.com/usratingsfees.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective

activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established

policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain

regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P

Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any

damage alleged to have been suffered on account thereof.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and

not statements of fact. S&P's opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase,

hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to

update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment

and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does

not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be

reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives.

No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part

thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval

system, without the prior written permission of Standard & Poor's Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be

used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or

agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not

responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for

the security or maintenance of any data input by the user. The Content is provided on an "as is" basis. S&P PARTIES DISCLAIM ANY AND ALL

EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR

A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT'S FUNCTIONING

WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no

event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential

damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by

negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Copyright © 2015 Standard & Poor's Financial Services LLC, a part of McGraw Hill Financial. All rights reserved.

WWW.STANDARDANDPOORS.COM/RATINGSDIRECT MAY 7, 2013 29

1388662 | 301135087

__MACOSX/._S&P Insurance ERM Rating Criteria May 7, 2013.pdf