SOA Mini-Seminar Notes—Tom Grondin—July 20, 2004

Tom Grondin's Presentation
July 20, 2004
9:00 a.m. Central Time

At Aegon we focus on our core businesses of life and pensions. There is a heavy concentration in the U.S., Netherlands and the U.K. In addition to the key markets on this slide, I consider Spain a key market as well. As a result you can see we are spread geographically and we continue to expand opportunistically.

Aegon USA is an Aegon within Aegon. It complicates the challenge from a risk management standpoint.

From a risk management structure perspective it starts with the board. The responsibility for authority has been delegated to the Group Risk and Capital Committee.

For every division there is another risk committee that exists for every division in the U.S. The support is Division Risk Management.

The Risk Reporting Task force is a risk methodology task force. This is a collective effort.

When was the risk management structure established?
It was established last year at the Group level. It has existed at the country unit and division level for many years.

How has this structure been supported by division heads?
The most recent change at the group level has been widely accepted across the company. The emphasis placed on this project by the Board of Governors has contributed to its acceptance.

Is there a formal process to identify and evaluate new risks from new directions?
There are processes in terms of integration between risk committees and the existence of a risk reporting task force that has country unit membership that deals with risk coverage and methodology. I would not go as far as saying it is formal however.

• Responsibilities of County Unit Risk and Capital Committee
• Methodologies used and scope of risk covered needs to be appropriate.
• The environment may change and limits may have changed as well. They are the approval body for pricing. They are responsible for promoting strong risk management.

• Responsibilities of Division Portfolio Management Teams
• They monitor and assist in ALM, support product development and review white papers. Also forming a partnership for product development itself.
• They have a responsibility for maximizing profit.

• Group Risk Responsibilities
• Build relationships
• Develop an understanding of the business
• Build an AEGON risk report

What have the benefits been from this Group Risk Reporting initiative thus far?
The benefits have been not so much in new types of information as how quickly we are able to obtain it. When J.P. Chase bought Bank One we knew what our exposure was within an hour. We have a view of our aggregate credit risk and the distribution of that risk. The results have been very good thus far.

RCC is Risk and Capital committee.

Risk Management Process
They would review and make decisions based on the reporting they see.

Country Unit Risk and Capital Committee is CU RCC

Group Risk and Capital Committee is GR CC.

Do you sometimes have confusion regarding what is a risk decision versus what is a business decision?
If there is a risk policy limit in place and an exception is being made to that policy then it is a risk and business decision. Likely the risk exception is made for business reasons. It stills goes through the same process.

Credit risk exists in assets in the general and separate account as well as reinsurance, derivatives and other areas.

Credit exposure
How much do we want to set aside for risks that are not actively managed from a credit exposure but the amount at risk is variable?

We use a potential exposure approach which is current exposure plus some variation in exposure as a result of movement in the underlying risk variables such as interest rates or currencies for swaps.

We want to truly manage our maximum exposure to credit default.

Credit risk is managed at the local level by credit analysts. There are limits that are in place by ratings, asset classes, etc.

Risk Reporting—3 sections—what is the current trend in the market and trends in Aegon and are they aligned? There are "what if" scenarios where we stress test what can happen and how the company would be impacted.

We look at what is Aegon aggregate credit lost distribution. Then we overlay meaningful points in time so that the reader can relate the distribution to history.

Liquidity risk perspective—liquidity is a profit source and a drain on the company. It is traded and has a cost associated with it.

It is important to have modeling and a crisis planning perspective. What is the plan in case of a crisis? It is important to have that documented before the event occurs in order to have a guide so people know what their roles are. Who has responsibility for managing liquidity crisis? Who has the right to declare a crisis? Who must be notified? How often does the team meet? What does crisis-reporting look like? What are we trying to measure from a crisis? How do crisis management teams coordinate?

From a modeling perspective we look at liquidity modeling from a cash source and need approach. We estimate liquidity needs (a run on the bank scenario). What is the liquidity in each asset class? Try to sell assets in an orderly manner and to not flood the market.

We don't count surplus assets. Liquidity risk isn't managed by capital or reserves so we shouldn't count on surplus assets.

Market risk perspective—risk of economic loss due to changes in market variables.

Reporting takes on what are the market trends?

• Operational Risk
• Processes
• People
• Systems
• External Events

It's most important to imbed into the culture of the organization about what is operational risk and have a comprehensive plan to measure it.

We look at process descriptions and this is helped by Sarbanes Oxly. As a cultural step it's important to identify the controls.

Key risk indicator perspective—look at management indicators and a view of the present. For self assessment, we look at the future of what could go wrong. It is also important to capture losses in a database so that you can learn from the losses, analyze trends and measure improvement and benefits of the operational risk initiative.

You can see a grid forming with the 8 categories of operational risk and the 4 sources of operational risk. Within each cell you could drill down to see the building blocks (process descriptions, self-assessment, key risk indicators and loss data) of operational risk measurement.

Quantification of operational risk
Step back and think about what type of operational risk charge is sensible and reasonable for the company. Come up with relative risk assessment. You can defend that the relative ranking of operational risk are right or close to right. The key is to provide incentive to keep the numbers down. Keep in mind that the goal isn't to manage the operational risk to zero as there are operational complex processes that we go through because we get paid to do it.

• Economic Capital
• Where are we headed?
• Tabular capital models do not currently cover all risks and for those risks they do cover, they don't get the degree of risk right. Everyone would agree to that. If you are an international company the tabular models vary from country to country.

Models should be dynamic and also must undergo a recurring assessment process. Models must be reviewed and audited. Trust everyone but you need to be able to verify.

Diversification perspective—we look to apply it across risk types and measured at the group level. Do you want an annuity business to enter the health insurance business for diversification reasons? We think it is important that your economic capital model encourage the behavior desired.

Economic capital model will be used for pricing, unit performance measurement and business growth decisions.

Role of internal audit versus operational risk

An internal auditor has an oversight function. They have to have an independent role in the company and not be part of the business operations. An operational risk manager—to be effective—must have a hands on approach and working within the business.

Level of involvement with IT security, compliance, etc. —Everyone has operational risk responsibility. The operational risk manager coordinates and plays an active role in decisions.

How is the covariance aspect of risk measure across risk types handled and the benefits allocated?
The diversification within risk types goes to the business unit. The diversification across risk types is measured at the group level and may or may not be allocated back to units. The answer depends on where regulatory or rating agency required capital is relative to economic capital.

Where do you think the Risk Management Task Force and the Risk Management Section of the SOA should focus over the next few years?
Within the insurance profession actuaries are already recognized as leading managers. Financial economics should be part of the course work. We still aren't using market approached to pricing projects and reporting what the profits would be. We should continue to push ourselves in the direction of financial economics! We need to try to be in front of management to promote actuaries. We need to continue to promote the profession at the schools to feed the profession with top quality students. They need to get into a position of senior management. They need to have a solid business mind as well as being good at mathematics and to understand the business implications of the risk management decisions we have to make.

Are there projects that the SOA could sponsor that would help practitioners?
Spearhead an effort in terms of covariance and diversification benefit within and across risk types. Basel II gave no credit across risk types to the banks. We need to educate the regulators today that there are some practical approaches to this that do not have to be overly complex. It might also be interesting to do something on operational risk management in banks and how this can be applied to the insurance industry.

How does Aegon track qualitative risk? What technology do you use for this?
We have a few systems. One is called Magique (a UK company) and we use BWise (a company in the Netherlands). We are currently reviewing our operational risk system requirements and there may be changes to what we use in the future.

Where/how do you provide for terrorism or similar risks?
We look at industries that would be hit hardest from a terrorist attack. Most important is to be familiar with what your exposure is in the at risk sectors.

From an underwriting risk perspective, look at geographic distribution of mortality and morbidity risk across the county.

Understand your group exposure by location.

Are you referring to S&P credit rating or do they have an ERM model?
S&P ratings - they have a tabular risk based capital model.

Are there items that are more effective than setting measures or metrics?
From a cultural perspective it takes a long time to build up the culture and it's up to the leaders of the company. The leaders need to use consistent words over time.

Sarbanes Oxley leveraged in operational risk management?
It goes a long way to satisfying Process Descriptions on the financial side.

How is liquidity risk incorporated into pricing?
Look at how quickly cash can be demanded from a product. Asset mix used to price the product should be able to meet the liquidity needs of the product on a standalone basis. If not the product should be charged as it is buying liquidity from another product.