When we talk about actuarial compliance, we usually limit this to our strict actuarial work field.
In a broader sense as 'risk managers', we (actuaries) have a more general responsibility for the sustainability of the company we work for.

Compliance is not just about security, checks, controls, protection, preventing fraud, ethical behavior. Moreover  compliance is the basis of adequate risk management and delivering high standard service and products to your companies clients.

Pisa Compliant
No matter how brilliant and professional our calculations, if the data - on which these calculations are based on -  are 'limited', 'of insufficient quality' or 'too uncertain', we as actuaries will finally fail.

Therefore , building actuarial sandcastles is great art, however completely useless. Matthew 7:26 tells us :  it's a foolish man who builds his actuarial house on the sand....

And so, let's take a look if we have indeed become 'Pisa Compliant' by checking if our actuarial compliance is build on sand or on solid ground. In other words: let's check if actuarial compliance itself is compliant...nd.

Actuarial Data Governance
To open discussion, let's start with some challenging Data Governance questions:

• Data quality compliance
  How is 'data quality compliance' integrated in your actuarial daily work? Have you addressed this issue? And if so, do you just rely on statements and reports of others (auditors, etc), can you agree upon the data quality standards (if there are any). In other words: are the data, processes and reports you base you calculations on, 100%  reliable and guaranteed? If not, what's the actual confidence level of your data en do you report about this confidence level to the board?
  
  
• 
  Data quality Conformation
  Have you checked your calculation data  set on bases of samples or second opinions?
  
  And if so, do you approve with the methods used, the confidence level and the outcome of the data audit? 
  
  Or do you just 'trust' on the blue eyes of the accountant or auditor and formally state you're "paper compliant"?
  
  Did you check if  client information, e.g. pension benefit statement, are not only in line with the administrative data, but also in line with insurance policy conditions or pension scheme rules?
  
  
• Up to date, In good time
  To what quantitative level is the administrative data  'up to date' and is it transparent?
  
  Do you receive administrative backlog and delays reporting and tracking and if so, how do you translate these findings in your calculations?
  
  
• Outsourcing
  From a risk management perspective, have you formulated quantitative and qualitative demands (standards) in outsourced contracts, like 'asset management', 'underwriting'  and 'administration' contracts?
  
  Do you agree on these contracts, do 'outsourcing partners' report on these standards and do you check these reports regularly on a detail level (samples)? 

And some more questions you have to deal with as an actuary:

• Distribution Compliance
  Is the intermediary and are the employers and customers your company deals with, compliant? What's the confidence level of this compliance and in  case of partially noncompliance, what could be the financial consequences? (Claims)
  
  
• Communication Compliance
  Is communication with employees, customers, regulators, supervisors and shareholders compliant? Has your board (and you!) defined what compliance actually means in quantitative terms?
  
  
  
  Is 'communication compliance' based on information (delivery and check) or on communication?
  
  In this case, have you've also checked if  (e.g.) customers understood what you tried to tell them?
  
  Not by asking if your message was understood, but by quantitative methods (tests, polls, surveys, etc) that undisputed 'prove' the customer really understood the message.
  
  
  
  Effective Communication Practice
  Never ask if someone has understood what you've said or explained. Never take for granted someone tells you he or she 'got the picture'.
  
  Instead act as follows: At the end of every (board) presentation, ask that final and unique question of which the answer  assures you, your audience has really understood what your tried to bring across.

Now we get to the quantitative 'hard part' of compliance:


This interesting topic will be considered in my next blog.... ;-)

To lift a little corner of the veil, just a short practical tip to conclude this blog:


This type of question is a typical case of:

Answer.

The upper limit can be roughly estimated by a simple rule of thumb, called 'Rule of three'....




In this case one can be roughly 95% sure the noncompliance rate is less than 10% (= 3/30). Interesting, but slightly disappointing, as we want to chase noncompliance rates in the order of 1%.

Working backwards on the rule of three, a 1% noncompliance rate would urge for samples of 300 or more. Despite the fact that research for 46 international organizations showed that on average, noncompliance cost is 2.65 times the cost of compliance, this size of samples is often (perceived as) too cost inefficient and not practicable.

Read my next blog to find out how to solve this issue....

Related Links:
- Actuarial Compliance Guidelines
- What Is The Right Sample Size For A Survey?
- Epidemiology
- Probability of adverse events that have not yet occurred
- The True Cost of Compliance (2011)
- 'Rule of three'
- Compliance testing: Sampling Plans (accounting standards) or Worddoc

Risk management is tricky business... Being 'Officially Compliant', 'Just Compliant' or in other words "Supervisory Compliant", is not enough to help your CEO survive with your company in the complex market battle!

Whether you're an Actuary or Risk Manager of an Insurance company, Bank or a Pension Fund, the risk of being 'Supervisory Compliant' is simply : bankruptcy!

Becoming 'Supervisory Compliant' in complex programs like Solvency-II, Basel III or Legal Pension Fund Risk Frameworks, consumes so much time and effort, that almost no time seems to be left for contemplating or doing the essential Risk Management work properly.

Just being 'Supervisory Compliant' implies:  constantly running after the Supervisor to become  'just in time' officially compliant and not having enough time to think about the (f)actual relevant risks.

Supervisory Compliance becomes very frighting when Risk Appetite and Valuations are rashly based upon the minimum Supervisory requirements, as is (e.g.) the case in the Dutch Pension Fund legal framework. Boards stop thinking about the actual risks and feel compliant and satisfied once the Supervisory Compliance Boxes are checked.

A new look at compliance
Let's take a look from a new point of view at the complete Risk Management Compliance Field:

In basis there are three types of 'being compliant':

1. Supervisory Compliant
   When you're Supervisory Compliant, you officially comply to all legal Risk Management compliance requirements. Your Supervisor is happy...
   
   
2. Professional Compliant
   You comply to your own professional Risk Management standards. You are happy...  but what about your Supervisor? Comply or Explain....
   
   
3. Success Compliant
   Being Success Compliant implies that all Risk Management requirements that are key to have success - e.g. key to survive in the market on the long run - are met.

Let's zoom in at some specific areas in this chart:

It's perhaps hard to admit, but in our attempt to be complete, we define and manage a lot of (small) risks that do actually exist, but are in fact not really or limited relevant with regard to company continuity.

The Distinctive Character area is perhaps the most interesting area. To get grip on this area urges us to 'Think outside the Circle'.

By doing so we'll be able to manage risks that  our competitors fail to do. Here we can achieve 'Distinctive Character' by managing risks more efficient or by turning risks into profits. Examples are: Derivatives that limit our investment risks. Specialized experience rating (rate making) on your portfolio on basis of characteristic and unique risk profiles.

Tricky area
The tricky area is the area that consists of Supervisory Risks you tend not to find important, but that are very important for achieving success in the market. Tricky areas could e.g. be: Deflation Risk, Longevity Risk or Take Over Risk.

Reversed Thinking area
This is perhaps the most interesting risk area.

To explore this area you'll not only have  to 'think outside of your circle', but - just like in reversed stress tests with Banks - try to think backwards, to find out what could cause a certain event or loss.

This reversed thinking process succeeds best as a group. Group members should be professionals and non-professionals from different types of business, education and background.

A successful group mix could e.g. consist of : an actuary, an accountant, a manager, a marketing manager, a compliance officer, an employee, a client, a shareholder representative and last but not least the receptionist.

Finally.....
Try to find time to manage your company to new heights and stop being just 'Supervisory Compliant'.....