Guideline 29. Risk management framework

The social security institution establishes a risk function that oversees the management of risk and reports to the board, if any, and/or management. This function, and the processes carried out or overseen by it, require actuarial input. The risk function coordinates with other functions to ensure effective risk management.

Due to their understanding of risk issues, actuaries should be involved in the management of risk within a risk management function and/or involved in the risk management process. This may include contribution to a risk management plan and the setting of an appropriate risk budget and/or risk appetite for the social security institution.

The issue of risk is increasingly important for social security institutions due to the complexity of benefit provisions and financing, the risks inherent in the investment process, the use of information and communication technology (ICT), and reputational risk linked to the increasing scrutiny of what social security institutions do and how they do it. In addition, an understanding of potential changes in the external environment will also be required to ensure that appropriate analysis is undertaken today to anticipate the evolution of risks in the future. Many institutions have responded to this reality with the creation of specific risk management functions or departments facilitating the input of risk specialists, including actuaries, in this area.

The management of risk enables the social security institution to increase the likelihood of achieving its objectives. However, managing risk is not simply a passive exercise where the institution responds to the risks it faces; it requires the setting up of a project management cycle to define the risk appetite and risk budget of the institution, assess the risks faced by the institution now and in the future and make the most appropriate decision on the treatment of risk.

An effective governance structure is an important element of risk management. It should ensure that sufficient information on risks is collected and managed and that appropriate structures and mechanisms are put into place to address them.

Actuarial involvement in risk management touches on many aspects of social security institutional practice. Other individual guidelines in this document refer to risk issues in different areas such as investment, financing and benefit design. These specific considerations will feed into the overall risk management considerations and process set out in this part.

Social security seeks to respond to the life-cycle risks of the population it covers. These risks include death, disability, illness, unemployment, retirement, changes in family structure, and health-care cost changes. While the design and delivery of benefits seeks to respond to these population risks appropriately, by taking on these responsibilities the institution itself becomes responsible for managing certain risks. The assessment and treatment of risk seeks to ensure that the risks the institution takes on are understood and assessed, but also that due consideration is given to the transfer and sharing of risk and the reduction of risk that is retained. Effective risk management seeks to ensure an appropriate split between the transfer, reduction and retention of risk.

Guideline code
ACT_03400
Mechanism
  • The management or treatment of risk, once identified and quantified, includes removal or reduction of the risk, mitigation of the impact of the risk, and a choice between transfer and retention of the risk. The risk management process seeks to identify the most appropriate mix of these three options, which will depend on:
    • The nature of the benefits and financing method;
    • Risk retention and management capacities within the organization;
    • The covered population;
    • The risk transfer mechanisms available.
  • A risk management process allows those responsible for risk management to undertake this procedure effectively and efficiently. The social security institution should document this process through a risk management plan which details the institution’s attitude to risk (e.g. risk budget), responsibilities and methods for identification and monitoring of risk and the key principles underlying decisions regarding the treatment of risk.
  • The actuary, with his or her knowledge of risk and its treatment as well as an understanding of the many processes of the institution where risk is important (e.g. investment, operational risk, benefit payments), should be solicited for input into the process. It is important that correct analysis is used to assess risk and that actuaries liaise closely with other stakeholders regarding its management.
  • The actuary and institution should refer to international risk management standards where these are relevant. These standards cover the principles, definitions and processes surrounding risk management. The supporting material to these Guidelines sets out more details of risk management standards that may be relevant.
  • The risk management framework requires that risk is identified, analysed and treated. At a system-wide level, overall risk should be mitigated through the different mechanisms available to the institution. The risk management framework should be defined and constantly assessed.

Risk management framework

Structure
Principles
  • The management of risk affects a number of different areas of operation and should be overseen by a risk function reporting to the board and/or management. The role of this risk function is to set up and manage the risk management framework and process. Integral to this process is the design, implementation and monitoring of a risk management plan.
  • The role of different stakeholders involved directly or indirectly in the risk management process should be identified. The expertise and experience of these stakeholders should feed into the risk management process. This can be done through effective coordination between stakeholders, but will require clear and monitored structures and processes. The risk function should manage this process.
  • The key element of risk management is the identification, measurement and treatment of risk (Guidelines 30–32). However, an effective management process requires that an analysis of appropriate risk appetite or risk budget is undertaken and reviewed regularly. The risk budget depends on a number of factors which will vary by institution, but include the objectives of the system, the benefit aims, design and financing, the management capacities and governance budget as well as an appreciation of external factors. The term “risk/return trade-off”, although more typically used for investment risk considerations, expresses the concept that risk should be rewarded and that reducing risk has a potential cost to the system.
  • Once a risk budget has been set, one of the most important financial decisions for the institution is whether to directly assume or transfer this risk, and how to accomplish the decision taken. For a risk that is retained, the risk function responsibilities include making sure that each risk has an owner and that the risk owners are taking the appropriate actions to quantify and manage their risks, including putting in place appropriate risk mitigation. The risk function should monitor and review this process, including setting out the guidelines for decision-making (e.g. materiality limits), and should report to senior management or the board on how each risk is being managed and who is responsible for managing it. Social security institutions are particularly relied on, and expected, to retain many types of risk so that any decision to transfer risk to other parties (e.g. employers, employees, individuals) must be carefully considered.
  • The risk management process should be properly documented (including objectives, personnel involved, instruments used, results and monitoring) and reviewed on a regular basis. The required competencies of those involved in the process should be defined and gaps in knowledge and experience identified and addressed. Outside expertise should be sought if required (e.g. if expertise does not exist within the institution).