S&P Global Ratings has a new product for analyzing and evaluating insurance companies' enterprise risk management (ERM). Our ERM Evaluation provides a prospective view of an insurer's potential risk profile and change in capital position related to movements in risk drivers.

Our evaluation of insurance companies' ERM assesses whether an insurer executes risk management practices across the enterprise in a systematic and consistent manner. It also assesses the extent to which it effectively limits key risks within its appetite to optimally achieve its business goals and objectives.

The final outcome will reflect S&P Global Ratings analysts' qualitative opinion of a company's ERM practices, informed by interactive discussions with senior management. The evaluation will utilize data that entities supply directly and will incorporate other data, where available.

The ERM Evaluation is not a credit rating, a measure of credit risk, or a component of our credit rating methodology. However, the information we gather for an ERM Evaluation can inform our credit analysis of rated entities. The ERM Evaluation will be a stand-alone, on-request service and separate from our credit ratings.

ANALYTICAL APPROACH

Our ERM Evaluation consists of three sections--risk culture, risk exposure management, and risk optimization. Risk exposure management consists of the following subfactors:

• Risk tolerance,
• Risk controls,
• Emerging risk management,
• Model risk management, and
• Liquidity risk management.

We assess each of the three sections and then combine our assessments to derive an insurer's overall ERM Evaluation.

We evaluate an insurer's ERM as superior, strong, good, adequate, or deficient, based on our assessments of the three sections, which we score as favorable, appropriate, or unfavorable. In the risk exposure management section, we have five subfactors, which we score as favorable, appropriate, or unfavorable. We do not provide characteristics deemed appropriate, but rather our assessment is based on our analytical judgment and typically indicates aspects we view as favorable and unfavorable.

Table 1 illustrates our typical scoring approach for an insurer's ERM. Our final overall evaluation is based on the degree of favorability within each score and may be higher or lower than indicated in table 1, typically by up to one category. The evaluation is evidence-based. An insurer receives an unfavorable score for any of the three sections where, due to a failure to disclose to S&P Global Ratings key risk management information, evidence is insufficient to assign either a favorable or appropriate score.

Table 1

We evaluate overall ERM and the individual sections and subfactors in the context of an insurer's risk profile. We evaluate an insurer's risk profile based on the potential volatility of its risk capacity and its capital buffer available to absorb its potential losses above a defined threshold. We may classify a company's overall risk profile or certain of its subsector risk profiles as having high or low volatility based on our view of its inherent riskiness (absent any hedges or other controls) and its capital buffer, if such risk profile is influential to our evaluation.

We believe highly complex risks could cause a significant loss of capital and earnings and are highly uncertain, especially when they're long term. Therefore, to achieve the most favorable assessments, a more robust ERM framework is typically necessary for an insurer with high volatility. Typically, we view companies with significant exposure to risks such as natural catastrophes, reserve volatility on long-tail casualty business, or financial market volatility as having highly volatile risk profiles. Our low volatility evaluation may include insurers not significantly exposed to these types of risk or those that consistently retain significant excess capital relative to their risk profiles (as a form of risk management).

Risk Culture

The evaluation of the first ERM section, risk culture, focuses on the importance an insurer accords to risk in all key aspects of its business operations and corporate decision-making. Because risk culture encompasses all aspects of the ERM framework and all the ERM subfactors are interconnected, evaluating this section requires consideration of the overall ERM framework. Therefore, our analysis of risk culture focuses on an insurer's philosophy toward risk, including its risk governance, risk reporting and communications, risk appetite framework, and incentive compensation structure. Our evaluation assesses the degree to which there is broad understanding and participation in risk management throughout the organization.

We focus on the following key areas of risk management culture:

• Risk governance,
• Risk reporting and communication,
• Risk appetite framework, and
• Incentive compensation structures.

Risk governance and risk reporting and communication

A formal, well-defined, and independent risk governance framework and ERM organization structure with effective communication and reporting, both internally and externally, are fundamental to an effective ERM framework, and we view these attributes favorably.

We view favorably insurers with established enterprise-level functions that aggregate and manage risks with an enterprisewide view, taking into consideration correlation and diversification. Additional attributes we view favorably include a well-defined and independent ERM governance structure that supports effective risk management at an enterprise level. Such governance structure typically involves guidance and oversight from the board of directors (or equivalent), a dedicated ERM function led by well-qualified senior executive and risk management functions at the business unit level, and a clear definition of roles, responsibilities, and reporting relationships. We believe these cultural attributes foster accountability, transparency, and behaviors supported by the relevant regulatory and legal regimes (i.e., ethical behavior). We view favorably an ERM function that has been in place for several years, has high visibility, and carries significant authority within the organization.

Additionally, insurers that have effective risk committees, both at the enterprise and business unit levels, supported by significant resources committed to day-to-day execution, are favorable. We also view favorably a long-standing culture of risk communicating and sharing, supported by a set of comprehensive and frequent risk reporting around all key areas of risk exposures both internally (to the board, senior management, and business units) and externally (to regulators, investors, and analysts). Evidence of learning from past mistakes and being open to discussing such mistakes with external constituents are positives in our evaluation.

We view unfavorably cases where we believe a board and senior management lack a thorough understanding and appreciation of the importance of ERM and have insufficient active involvement in the ERM process. We view unfavorably the absence of dedicated resources to risk management, unclear risk ownership and reporting lines, and sporadic/ad hoc board-level risk discussion. We view unfavorably insurers that manage risk in silos that have limited cross-functional communication without an enterprise-level risk view or risk supervision. We also view unfavorably insurers that lack effective or sufficient internal and external risk communications to the board or other constituents.

Risk appetite framework

We define risk appetite as an expression of the amount and type of risks an insurer is willing to assume to meet its planned objectives. It's intended to align an insurer's risk taking with its business goals, strategies, and performance expectations, as well as to create and preserve value or optimize capital management and earnings/profitability. In short, we believe risk appetite defines an insurer's inclination for volatility and uncertainty.

The risk appetite statement may document overall company:

• Objectives;
• Risk strategy;
• Preferred risks;
• Undesirable risk (aversion);
• Risk capacity;
• Allocation of risk;
• Minimum levels of regulatory, rating agency, or economic capital;
• Earnings volatility limits; and
• Credit rating maintenance.

We believe the inclusion of an appetite for operational risk may add value in some instances. We determine the degree to which the risk appetite statement shapes an insurer's defined risk tolerances, which we view as a favorable attribute of an ERM program. Risk appetite frameworks vary between companies (for example, the type of risks assumed), and we believe an aggressive risk appetite necessitates a more robust ERM framework to manage risk within chosen risk tolerances.

We view a well-defined risk appetite framework--that supports an effective risk selection process that clearly articulates risks that are preferred and risks that should be avoided--as critical to a successful ERM program. We view favorably a well-defined risk appetite framework that's developed with significant participation of senior management and business units and active involvement of the board of directors and is aligned with the organization's strategic goals, resources, and value proposition.

A clear rationale supporting chosen risk tolerances and limits, which can be easily communicated to all levels of the organization, is also favorable, as is the ability to articulate the direct linkage between enterprise risk appetite, risk tolerances, and risk limits and policies. We also view favorably the inclusion of both quantitative and qualitative objectives, such as reputational risk and investor perception, that align the interests of stakeholders, the board, shareholders, and senior management.

We view unfavorably insurers with risk appetites that are less clearly defined or that don't include all key risk exposures, are not directly linked to overall risk tolerances, or are not effectively cascaded to all levels of the organizations. We also view unfavorably a risk appetite that is unclear or inconsistent. The absence of a formal risk appetite statement would likely affect our view of risk culture because it is more challenging for an insurer to disseminate the types of risks it wants to take across the organization without one.

Incentive compensation structure

A compensation structure that uses metrics that align employee behaviors with strategic goals and objectives and longer-term performance targets, rather than those incentivizing excessive risk-taking for short-term gains or other nonaligned behaviors, is an important element of an effective risk culture. In evaluating an insurer's incentive compensation structure, we evaluate the degree to which it seeks to avoid excessive risk-taking by using a variety of risk-adjusted metrics that tie compensation to a balance of growth and profit measures (e.g., risk-adjusted return on capital) across the enterprise over different periods of time, rather than non-risk-adjusted targets, such as sales volume.

We also determine the extent to which a company uses techniques such as deferred compensation and "clawbacks" to further align its interests with employees' actions. And we look at whether compensation practices are reviewed by independent external parties to assess the effectiveness of the compensation structure in discouraging excessive risk-taking or actions not aligned with company interests.

Risk Exposure Management

Our risk exposure management analysis considers risk tolerance, risk controls, emerging risk management, model risk management, and liquidity risk management. We assign scores of favorable, appropriate, and unfavorable to each of these five subfactors as well as separate scores for credit, market, insurance, and operational risk controls. Our overarching scores for risk controls and risk exposure management are influenced by the individual scores and their importance to the specific enterprise. The overall risk exposure management score is favorable, appropriate, or unfavorable based on the subfactor scores and their importance to the specific enterprise.

Risk tolerance

We view risk tolerance, which defines the quantitative thresholds/boundaries or acceptable range of outcomes and risks an insurer is willing to assume aggregated across the organization (may include upper and lower boundaries), as a critical part of risk exposure management. Risk tolerance is an indication of the potential for capital and earnings volatility, and therefore may necessitate more or less robust risk controls.

In effect, we view risk tolerance as the company's potential risk exposure or willingness to assume risk, which may be larger than its existing exposure. We view risk capacity as the maximum level of risk an insurer can assume given its current resources, such as capital and reinsurance, before breaching constraints determined by metrics relating to regulatory capital, ratings agencies, liquidity needs, stakeholders, and financial obligations, which we take into consideration when evaluating the company's risk tolerances.

In situations where exposure levels are significantly below risk tolerances, we typically consider the increased exposure and potential volatility that would arise if the company increases its exposure levels near the tolerance limits. Where a risk tolerance for a specific risk consumes a significant portion of capital or other resources, we may view its corresponding risk controls more critically.

We evaluate risk tolerance by considering the following:

• Appropriateness of risk tolerance relative to risk capacity (comparison with peers as a percent of capital and relative to capital buffer, ratings stability);
• Consistency between the risk appetite and the risk tolerance;
• Consistency between the metrics used in risk tolerance and those used in risk limits across the organization;
• The methodology and approval process used to derive risk tolerances including quantification;
• The risk tolerance breach escalation process or actions taken if tolerances are violated (breached), such as required escalation to specified senior managers; and
• Method used to allocate risk by risk driver when companies budget risk by type.

We would likely view favorably the following factors when evaluating risk tolerances:

• Robust process for setting risk tolerances with significant oversight from senior management and the board;
• Risk tolerance metrics that are consistent with limits at the business level;
• Risk tolerances that consider each material risk (e.g., credit, interest rate, equity) and product type;
• Multiplicity of metrics (e.g., earnings volatility, economic capital, capital ratios);
• Frequent risk tolerance testing and risk tolerance reassessments;
• Clearly defined stress scenarios and time periods (e.g., one year at a defined confidence level);
• Balance between board and business involvement in setting risk tolerance;
• Consideration of emerging risks (i.e., an understanding of the limitations of models/metrics on formerly unknown risks); and
• Capacity to satisfy potential losses at maximum potential exposure, as defined by risk tolerance.

We would likely view unfavorably the following factors when evaluating risk tolerances:

• Weak linkage between risk limits and risk tolerances (for example, tolerance for interest rate risk expressed in dollars and limit expressed in Macaulay duration);
• Ambiguous governance when applying limits that change under different economic or market environments (i.e., economic conditions or market environment is not clearly defined);
• Limited number of risk metrics used to derive risk tolerances or all material risks not captured;
• Infrequent assessments of risks relative to risk tolerances;
• Informal risk tolerance breach escalation process;
• Method used to allocate/budget risk by risk driver that is somewhat arbitrary and not based on risk optimization; and
• Lack of capacity to satisfy potential losses at maximum potential exposure, as defined by risk tolerance.

Risk controls

We assess risk controls based on our view of an insurer's ability to measure, monitor, and limit its risks and its ability to keep its losses within its defined risk tolerances. We analyze the processes and procedures insurers employ to manage their key risk exposures, including insurance risk (e.g., biometric, underwriting, catastrophe, and reserving risks), credit risk (e.g., fixed-income, counterparties, real-estate mortgage/loans), equity risk, foreign exchange risk, interest rate risk, and operational risk, which includes cyber risk. Our evaluation focuses on the risk controls that are most relevant given the insurer's business and risk profiles. We focus on the insurer's techniques for aggregating risks across risk drivers at the business level and/or enterprise level. Risks related to assessing potential mergers and acquisitions (M&A) are considered in our assessment of risk optimization.

We assess an insurer's individual risk controls of its material risks as favorable, appropriate, or unfavorable (see table 2). Our opinion of the relative importance of each risk to the insurer's overall risk profile determines each score's impact on the overall risk controls score. In general, we assess overall risk controls as favorable when we score a majority of the relevant individual risk controls as favorable. For insurers with limited exposure to a risk, we may not view unfavorably a program with relatively simple risk controls if it is commensurate with the exposure levels.

There are three main aspects of the risk control process we consider: risk identification, risk metrics and exposure, and limits and management. These include risk measurement and monitoring, risk limits and standards, the procedures to manage risks to stay within limits, and the execution and the results or effectiveness of such risk control programs. We also consider risk limit enforcement processes and the insurer's practice of learning from its own, or the industry's, experiences. The comprehensiveness and effectiveness of these aspects influence our final score for each risk control.

We view favorably an insurer with risk control programs in place that consistently and effectively identify, measure (model), monitor, and manage the risk exposures and demonstrate a track record of managing risk exposures within predetermined risk tolerances, particularly during stressful periods. Such programs are generally a result of established risk-specific risk management structures that comprehensively identify risk exposures from all sources, employ frequent risk monitoring and risk reporting using multiple appropriate risk metrics, have formal and clearly communicated risk limits, and use multiple risk mitigation strategies to proactively contain exposures within risk limits.

We view favorably clearly defined risk limit enforcement policies that promptly address breaches of risk limits. We also view favorably an insurer that continuously reviews its program's effectiveness to make improvements based on new developments as well as lessons learned.

We view unfavorably a history of incurring losses outside risk tolerances or prolonged breach of risk limits without justification, which we view as evidence of weak or inappropriate risk controls. We view unfavorably inconsistent or incomplete processes to identify risk exposures from all sources of a given risk. Additionally, informal and infrequent risk monitoring and reporting, applying overly simplistic risk metrics, or lack of formal and well-communicated risk limits are weaknesses to the risk control framework.

Emerging risk management

In our evaluation of emerging risk management, we consider how an insurer addresses evolving risks that are not a current threat but may cause potential losses in the future. We evaluate an insurer's ability to determine the likelihood, impact or severity, and velocity of the risk (speed of potential change), as well as its ability and willingness to mitigate the risk such that it does not significantly affect the company or its ability to opportunistically take advantage of the risk (level of preparedness if those emerging risks materialize). The source of such risks includes the regulatory environment, the physical environment, the macroeconomic conditions, globalization, connectivity, medical developments, and other industry disruptors.

When we evaluate a company's risk identification process, we look at its ability to leverage both internal and external informational resources across multiple functions. We also consider the company's definition of emerging risks, which is integral to the process and varies across the industry.

We view favorably well-established processes to consistently identify, assess, monitor, and potentially mitigate the threat of identified emerging risks with techniques to quantify the probability of occurrence, the velocity, and the impact or severity of emerging risks on the insurer. These risks may have a quantitative or qualitative impact on an insurer's reputation, liquidity, capitalization, financial performance, and ability to execute its strategy. And, we view favorably the ability to apply risk-mitigation techniques and develop contingency plans to address them.

We also view favorably formal governance around emerging risk and an emerging risk committee with cross-functional representation and formal documentation and communication (reporting) processes, which may take the form of a risk dashboard. Assigning ownership of emerging risks to individuals within the organization with clearly defined frequency of monitoring--with greater focus on more likely events--is an effective practice, in our assessment. We also view favorably companies that provide evidence of mitigating risks to decrease vulnerability prior to emergence, as well as companies that provide evidence of having created strategic business opportunities or new products from emerging risks.

We view unfavorably insurers that fail to quantify or subjectively assess the potential impact or severity of emerging risks or have experienced outsize losses due to past failures to identify emerging risks and haven't shown sufficient evidence of having learned from such experiences or taken actions to mitigate emerging risk.

Model risk management

Model risk management (MRM) is an integral part of a robust ERM framework. Models are used extensively to measure risk exposures, test risk correlation and diversification, validate risk mitigation strategies, and quantify capital requirements for a given risk profile.

We analyze two major aspects of MRM: inventory and utilization and governance and validation. Inventory and utilization considers the type of models used to assess risks, such as credit, market, insurance, and operational risks in stress testing, capital allocation decisions, pricing, valuation, and projections, as well as enterprise risk aggregation. Typically, governance and validation broadly considers documented procedures on model development and assumption setting, model risk evaluation, model controls, model validation, and reporting and communication. In our view, these practices mitigate the risk of misinformed business or risk management decisions arising from model errors, assumption errors, and errors in interpretation relating to the insurer's models and model applications.

Typically, in cases where an insurer has an economic capital model (ECM), we broadly assess its techniques for capturing risk diversification and concentration (e.g., correlation) and its technique for risk aggregation when deriving its economic capital (EC). In our evaluation of an insurer's ECM, while we do not go into granular detail, we seek to gain an overview of how an insurer identifies, captures, and quantifies its risk exposures and whether it incorporates material considerations in its ECM.

We typically determine whether an insurer uses a stochastic and/or deterministic modeling approaching. We view stochastic modeling as providing some advantages over deterministic modeling. However, we view favorably an insurer applying a combination of the two approaches rather than a single approach. We typically consider the process and governance framework to determine the assumptions and parameterization of its models.

We evaluate the extent to which an insurer uses sensitivity analysis to determine the appropriateness of alternative assumptions and parameters. We evaluate how well an insurer optimizes its data processing into its ECM and generates meaningful output. We typically consider management actions such as hedging and capital fungibility. Lastly, at a high level, we typically consider the methodology used to capture the relevant risk drivers, such as biometric risks, credit risk, and market risks, including interest rate risks.

Inventory and utilization.  Our evaluation of inventory and utilization focuses on assessing the robustness, consistency, and completeness of an insurer's risk models, including its development and use of an economic capital model, if any. We look at the comprehensiveness and quality of the risk models used, the breadth of model utilization, the risk metrics modeled, the methodology, data and assumptions used, how the model results are used, and whether model limitations are understood by the risk managers and senior management.

We view favorably risk model systems that capture all of an insurer's material risk exposures and the interrelation between risks with comprehensive risk metrics. Insurers with the capability to apply an ECM to derive EC on a granular level (by risk type across the enterprise) and perform both stochastic and deterministic modeling supplemented with robust extreme scenario stress testing, where relevant, are also favorable. However, the use of such an EC model is not a prerequisite for a favorable score.

We view favorably insurers that fully understand model risks and compensate them with thoughtful judgment whenever possible. We also view favorably companies that effectively apply advanced techniques leveraging big data, such as predictive analytics and artificial intelligence, to improve the management of their exposure.

We view unfavorably insurers that:

• Apply assumptions that are inconsistent across various business units or are not representative of the risks,
• Apply limited stochastic modeling,
• Lack an understanding of model limitations, and
• Lack sophistication of modeling applied to capture certain risk drivers relative to the complexity of its risks (less comprehensive and less robust models).

Governance and validation.  Our evaluation of governance and validation focuses on the management and control of model risk, including documented procedures, model risk evaluation, model controls, model validation, data quality and assumptions, and reporting and communication that establish procedural discipline. We evaluate the robustness of the validation process by assessing the processes and activities of the model owners, risk management, and internal audit.

Additionally, we evaluate an insurer's model risk tiering system in consideration of staffing levels and materiality and complexity of the models being validated. For models that are more complex or pervasively used, we would expect a higher level of scrutiny, including more frequent validations, especially for more advanced modeling techniques such as artificial intelligence (where the model is more of a "black box"). We also evaluate an insurer's ability to attract and retain talent needed to properly implement and maintain highly complex models, if used.

We view favorably a rigorous model governance process where models undergo validation in which companies determine how material their model risks are according to a tiering system, which helps to use resources effectively. We also view favorably companies that consider the potential amplification of model errors when models are used across different business units (i.e., a small error across many models or businesses units may have a significant impact).

We view favorably when the staffing resources applied to validate models are consistent with the inventory and complexity of the models. We also view the incorporation of risk-reducing components in the application of a model, with the goal of avoiding improper usage, as favorable. Companies that employ a data validation process, transfer data cleanly, and use granular, high-quality data appropriate for their application are viewed favorably too. And a specific governance committee that ensures consistency of assumptions across the enterprise is also favorable.

We view a less formalized model governance process and a less robust model validation process unfavorably. We view unfavorably companies that have an undefined data quality process or lack the ability to derive data from multiple sources in consistent formats (concerns over transfer of data). An undefined tiering process that results in an inefficient use of limited resources is also unfavorable. And we view unfavorably companies that have limited documentation for the rationale of assumptions used and methodologies applied.

Liquidity risk management

We view liquidity risk as the risk of an insurer, even if adequately capitalized, lacking sufficient available cash flow, collateral, or other resources to meet its obligations as they become due, or only being able to secure them in a severely disadvantageous and uneconomical manner. The sources of liquidity risk may include:

• Payments relating to insurance obligations (e.g., catastrophe [CAT] claims, annuity and life insurance payments, commissions),
• Debt payments,
• Collateral-posting requirements on reinsurance agreements or relating to credit support annexes (CSAs) on over-the-counter (OTC) derivatives, and
• Variation margins on exchange-traded derivatives, which are influenced by rating triggers, covenant requirements, and confidence sensitivity on liabilities.

Liquidity risk management is viewed in the context of an insurer's liquidity profile, and, therefore, a practice that is favorable for one company might be less favorable for a different company. For example, a personal lines company with little exposure to CAT risk would be viewed differently than a company with monoline operations focused largely on CAT risk.

In our evaluation, we determine whether the formalized liquidity risk management framework includes clearly defined roles and responsibilities (for example, responsibility for reporting and decision-making). We typically review standards for identifying and reporting liquidity risk, including the establishment of limits and a limit breach policy and status of limit compliance, categorization of the level of funding requirements, applied modeling methodologies, and contingency plans under a liquidity crisis.

We evaluate an insurer's ability to effectively measure liquidity risk by forecasting cash flow and collateral liquidity needs in both a normal and stressed environment and reflecting all major sources and uses of liquidity. We evaluate the comprehensiveness of the insurer's liquidity risk management in considering the impact on liquidity of potential market movements such as foreign exchange rates, interest rates, and equity levels on liability draws, collateral-posting requirements, and the value of eligible collateral held. We evaluate its ability to consider stressed single liquidity events and events over extended periods as well as the potential impact of events and risks that may be correlated (for example, multiple significant CAT events), especially for monoline companies.

We determine whether the forecasting period applied in the company's liquidity modeling allows sufficient time to take actions to maintain sufficient liquidity resources to absorb these risks. Resources may include appropriately liquid securities, securities lending, repurchase agreement arrangements, and committed backup liquidity facilities.

We evaluate the tolerances and limits established as well as the rationale for them, which may include asset-liability mismatch limits, asset position limits, and probable maximum loss (PML) thresholds or minimum levels of liquidity support, which may include securities lending and repurchase lines or bank liquidity facilities. We also evaluate the assumed transferability of funds between entities.

We view favorably a robust liquidity stress-testing framework that includes the impact of relevant stressed market movements that may drive liability cash flows, variation margin requirements, and collateral posting on OTC derivatives, and may change the value of eligible collateral held. We view favorably preplanning for stressed environments that considers possible actions given the potential for multiple stressed events that happen concurrently--for example, a downgrade leads to less access to liquidity resources at the same time collateral-posting requirements increase. We typically seek to understand whether the framework delineates the amount of assets that can be immediately sold or used as collateral by required currency.

We view favorably reporting frameworks that provide information necessary for senior management or board members to make decisions and consider options in an expeditious manner. We also view favorably companies that consider the implications of liquidity in their product design and strategic asset allocation and perform contingent liquidity planning.

We view committed contingent liquidity lines favorably relative to uncommitted lines, as well as companies that maintain a presence in their chosen funding markets (e.g., securities lending). We also view favorably participation by an asset-liability management (ALM) or similar committee in the development of the investment strategy and strategic asset allocation in consideration of liquidity relating to products and potential collateral requirements. An insurer that performs timely reviews of the suitability of its limits, methods, and assumptions for analyzing and assessing liquidity risks in the context of its changing business mix and external conditions is also viewed favorably.

We view unfavorably a liquidity framework that does not fully capture the potential impact of market movements in its liquidity modeling and does not fully consider the asset illiquidity that may occur in severely stressed financial markets or other stressed events, such as the termination of a reinsurance or derivative contract. We view unfavorably when fractured systems are used to model data that are aggregated in a cumbersome way to measure liquidity.

Liquidity reviews that are not frequent enough to capture potential movements in factors that may affect liquidity--such as market movements and changes in business profile--are also unfavorable. In addition, we view unfavorably liquidity management plans that do not consider the correlation between liquidity events or anticipate the impact that market turmoil can have on liquidity when relying on the liquidation of a large concentration of other than the most highly liquid assets in a systemic liquidity crisis (e.g., the financial crisis).

Risk Optimization

Risk optimization is the process by which insurers facilitate the optimization of risk-adjusted returns, starting with a view of the required risk capital and a well-defined and effective process for allocating capital among different products, lines of business, and risk drivers. We assess an insurer's ability to optimize risk-adjusted returns when evaluating and prioritizing strategic options, pricing products, allocating capital, and making M&A decisions based on a risk-reward rationale that is consistent across the company and is aligned with the company's long-term goals, strategies, and key stakeholder objectives. When evaluating metrics of risk-adjusted returns between companies, we consider the different stress levels, correlation impact, assumptions, methodologies (e.g., VaR, deterministic), and calculation basis (i.e. STAT, GAAP, economic), which often includes the use of an ECM.

Our evaluation is supported by evidence of an insurer making strategic decisions based on its economic risk/reward metrics that are consistent with its risk appetite. We also view favorably an insurer incorporating business considerations, such as competiveness and diversification benefit and impact on capital buffer and regulatory and accounting considerations, in its ERM framework. The evaluation considers the choice and outcome of the strategic decisions and, more importantly, the risk/reward rationale underlying the insurer's chosen strategy.

Mutual companies often allocate capital with the goal of supporting the expansion of its policyholder base rather than maximizing returns to shareholders. Therefore, we evaluate mutual companies on how effectively they use higher risk/return or opportunistic businesses to support the growth of foundational/core businesses and their defined business goals, as well as to maximize value to policyholders.

We would likely view favorably an insurer that executes consistent and effective risk-reward analysis in its strategic planning, product pricing and repricing, strategic asset allocation, reinsurance strategy and net retained risk profile, new risk-bearing initiatives (including M&A and entry into new markets), capital and/or economic capital budgeting, and optimization of risk-adjusted returns.

We view favorably companies that provide evidence of deriving targeted risk-adjusted returns across their business units. We review evidence of a track record of successful execution of a strategic risk management program, which may include better-than-peer risk-adjusted returns and successful M&A that is consistently accretive on a risk-adjusted basis and incorporates lessons learned from previous decisions. We also view favorably insurers that include evidence of using model results extensively in ERM decision-making.

We would likely view unfavorably an insurer that doesn't apply consistent metrics or an effective methodology to allocate risk-based capital to the different businesses across the organization or does not reflect other considerations that may be relevant. Cases where a process has been recently developed and, therefore, the company does not have evidentiary history could also negatively affect our view.

APPENDIX: EVALUATING INDIVIDUAL RISK CONTROLS

Here we provide examples of how we evaluate the individual risk control subfactors.

For each of an insurer's major risks, we assign one individual risk control score based on the overall effectiveness of the risk control processes, including the quality of risk identification, risk measurement and monitoring, the comprehensiveness and robustness of risk limits and standards, the rigor of the procedures available to manage risks to stay within limits, and the execution and effectiveness of such risk control programs. We also consider risk limit enforcement processes, and the insurer's history of learning from its own, and the industry's, experiences.

Table 2 provides some examples of how we analyze various aspects of the risk control process in assigning an individual risk control score. We provide examples of key characteristics that we would view favorably and unfavorably for each risk factor. We do not list characteristics deemed appropriate, but rather an assessment of appropriate is based on our analytical judgment and typically has aspects viewed as both favorable and unfavorable.

It is important to note that our evaluation reflects subjective factors, and a specific risk control practice in the favorable or unfavorable column does not solely drive our evaluation. These examples are for illustrative purposes only and should not be interpreted as an exhaustive list of considerations used to form our overall evaluation.

Furthermore, we view the risk controls in the context of an insurer's risk profile and, therefore, a practice that is favorable for one company might not be as favorable at a different company that has more volatile or complex risks. For example, we would typically evaluate interest rate risk controls for a property/casualty (P/C) company differently than a life company. The granularity of our evaluation is tailored based on the materiality of a particular risk driver in the insurer's overall risk profile.

Table 2