David Kirk

Getting this right matters for your own risk management and decision making, supported by robust analysis. Regulatory approvals should then follow more easily.

If you think the standard formula doesn't fit your risk profile, analyse your own experience and volatility. Actually, even if you think it does, it's good practice to do the analysis to demonstrate that it is appropriate.

All of these affect your true 99.5th percentile. This is especially relevant for niche or unusual or developing products. It may be that those seemingly harsh premium volatility factors still understate risk for your developing portfolio.

This also links to another interest area of mine: are the standard formula factors appropriate for your specific portfolio? The standard formula has no allowance for small portfolio size, heterogeneous exposure sizes, or different levels of dependence.

Some LoB classifications automatically exclude catastrophe risk. Others require specific regulatory approval for the same exclusion. So the choice matters more than just the applicable premium volatility factor.

It's still a crude approximation, where the specific distribution of underlying risks should in theory be known through analysis of historical index data.

This matters because agricultural business under SAM doesn't have its own catastrophe module - instead, the premium volatility factor is set high to capture both normal volatility and large losses in one factor.

The challenge extends to newer products that don't fit traditional categories. Parametric insurance in South Africa often gets allocated to agricultural classes regardless of the actual exposure.

Same underlying risk - vet bills for cats and dogs with some third-party liability - yet different capital charges depending on where you're regulated.

Take pet insurance. In the UK and Germany, most insurers classify it as miscellaneous financial loss (MFL). French insurers often use medical expenses. Swedish insurers report it as property damage.

Are LoB allocations always clear and accurate?
Line of business (LoB) classification under Solvency II or SAM can materially impact your solvency capital requirement. The choice is sometimes less clear than many realise.

For anyone ready to look past regulatory convenience and see what actually happens in the tail.

The article expands on an earlier post with concrete cases (synthetic CDOs and a mass-lapse reinsurance analogue), why banking moved to ES after 2008, how equal 99.5% VaR can mask very different CTEs (and shaky SCR multiples), and why explicit uncertainty beats false confidence

Quick reminder: VaR tells you how bad it gets at 99.5% and then stops. CTE gives the average of what lies beyond.

za.milliman.com/en-GB/insigh...

A while back I posted about VaR vs CTE and why risk doesn’t stop at the 99.5th percentile. Character-constrained posts only go so far, so I’ve written a full article for those who’d rather not learn by scrolling comment threads.

The worst policies are risk-management busy-work. The best improve consistency, quality, and speed of decisions.

You cannot send a 300-page pack of all policies once a year to committees and boards expecting insight or value. It may feel like death by a thousand cuts, but spreading policies throughout the year means you might actually get useful input. I’m not convinced the opposite is ever true.

When reviewing policies, it’s easy to criticise. The challenge for reviewers: what would you actually want the policy to say? What would be practical and useful for people complying? What could go wrong if it wasn’t there? Sometimes that makes petty issues disappear, or drafts really great wording.

Actually, speaking of legalese, there is a valid view that as much as culture eats strategy, culture snacks on governance policies like you eat popcorn in a dark movie theatre. If you rely solely on policy compliance for sensible risk aware decisions and checks and balances, you're bound to fail.

Same goes for passive voice, which kills clarity about roles and responsibilities.

That way you’re not just reviewing policies, you’re reviewing real processes, and strengthening both.

As much as possible, cut the legalese. No “forthwiths”, no “abovementioneds”, and absolutely no "Without prejudice to the generality of the foregoing".

They’re also far more likely to be understood and lived by the people who have to follow them.

That doesn’t mean there’s no place for independent risk or compliance review. There is, and this second step brings the independent perspective, fresh challenge, familiarity with regulations.

They really can get to a useful, helpful state – helpful for new joiners, ensuring consistency between products and business units, and learning from past mistakes without relying purely on institutional memory.

I have seen good policies. They’ve usually matured over several years. First lesson: don’t stop working on them too soon. Don’t give up because you’re tired of it.

Don’t begin with regulatory requirements. Begin by codifying what the business actually does. Current processes and real constraints are usually a much better starting point than something written from a theoretical, disconnected risk or compliance perspective.

Having something drafted, reviewed, presented to the board, then stuck in a drawer for 12 months until it all happens again is a complete waste of everybody’s time.

They’re so vague and generic they provide no guidance. So wide open they never actually stop you doing anything or help you avoid rehashing ground that's been covered and decided before. And if a policy isn’t stopping you or guiding you, what’s the point?

The usual complaint is how onerous and bureaucratic they are. Sure, those exist, but far more common in my experience is the opposite: policies that don’t actually guide you or constrain you.

Most risk and governance policies are a mess.

I’ve drafted many policies, reviewed many policies, and had to operate by many policies. More often than not, they’re a mess.