The social security institution sets out appropriate processes and structures to identify risk.
The first element of the risk management process is the identification of risk. There are two main types of risks faced by the institution: scheme-related risks with typically direct financial implications (covered in Guideline 33), and operational risks with typically indirect financial implications (covered in Guideline 34). The identification of all risks requires a review and assessment of all the activities of the social security institution, including the design, delivery, financing and funding, management, administration, and communication of benefits and services. This process should provide information to the institution regarding which risks exist, their importance and their likely evolution in the future.
- The actuary may provide specific input into the identification of different risks. The actuarial valuation and asset liability management processes provide useful information on the nature of certain risks. In addition, actuarial input is likely to be required in other areas where actuaries have developed expertise, such as an understanding of the nature of benefit payments and an analysis of external trends impacting liabilities (e.g. changes in legislation, mortality experience development).
- Other sources of information on risk which directly or indirectly involve actuaries may include input from auditors and independent audits or assurance reviews, cash flow controls and input from other stakeholders, inputs from professional advisors (e.g. external investment managers or external actuaries) and external experts who may be commissioned to analyse risk within the organization. The actuary should work closely with other professionals and ensure communication and reporting are clear.
- The risk function should manage the process of securing information on the different risks facing the social security institution.
- The actuary is likely to play a key role in this process in two ways: through the identification of the different risks faced by the institution and through providing data on certain risks.
- A database of risks or risk inventory should be maintained by the institution and its operation and maintenance reviewed on a regular basis. Communication of risks by different stakeholders (e.g. the investment function, administrators, actuaries, etc.) should be encouraged and facilitated as a part of this process.