Joint Standard on IT Governance and Risk Management Presents an Opportunity for Actuaries to Rethink the Riskiness of their Models
Image by Christina Morillo on Pexels
While the new Standard, applying from November 2024, pertains to IT systems rather than end-user applications, actuaries may want to apply the spirit of the regulation to their own models.
Late last year, the Financial Sector Conduct Authority and Prudential Authority (the Authorities) jointly published the new Standard on Information Technology (IT) Governance and Risk Management.
The Standard will come into force on 15 November 2024 and applies to all financial institutions, including insurers. It sets out the principles for IT governance and risk management that financial institutions must comply with, in line with sound practices and processes in managing IT risk.
Insurers will need to incorporate diverse IT-related requirements, including strategy, risk management frameworks, handling of sensitive information, and project management.
The Standard does not explicitly refer to end-user computing (EUC), defined as the applications and models used by non-IT specialists, including most actuaries. But, given the seriousness with which our industry’s regulating authorities take the risk of IT failure, how can actuaries – keepers of insurers’ most complex calculations – ensure that their models comply with the spirit of what the Authorities are trying to achieve?
EUC Risks
Actuaries are heavy users of end-user applications (EUAs), often pushing their Microsoft Excel spreadsheets, Prophet models, Access databases, and Python scripts to their limits. Unfortunately, the flexibility, user-friendliness, and accessibility of these applications – the very qualities that make them so popular – give rise to material risk to the insurers that so heavily depend on them.
This risk stems from the general lack of oversight and control over EUAs; oversight and control which are taken for granted in more formal IT systems. These applications are also more susceptible to accidental (and malicious) human errors. Organisations such as JP Morgan, Barclays Capital and even MI5 have all experienced disastrous and embarrassing consequences due to relatively minor spreadsheet errors.
Additionally, it is commonplace at insurance companies for actuaries to act as the systems people – not only do they run their highly complex models, but they also design, develop, maintain, control and modify them. These are all functions that, in other industries, would generally be left to IT experts with formal training. Actuaries tend to learn their IT skills on the job, and may be unfamiliar with best practice and guidelines to reduce the model and operational risk posed by the applications they use. It is, therefore, even more important that deliberate controls be placed around actuarial EUAs to reduce the risks they pose.
Where to Start in Managing EUC Risk
For insurers looking to start managing their EUC risk in a controlled and deliberate way, the first step is to create an EUC control framework or policy. The EUC policy should define roles and responsibilities, how to identify and assess EUAs, and a set of risk-based controls that should be implemented to mitigate the inherent risk posed by the EUAs.
EUC Controls
There are various controls available to insurers that can substantially reduce the risk posed by their critical files and models. Some of the most important controls that actuarial teams should consider include those relating to input, access, versioning, checks and testing, documentation and general best practice conventions like avoiding hard-codings or using consistent formatting across files.
The Challenge of Implementing EUC Governance
While overhauling the how actuarial teams use EUAs can translate into a substantial and costly transformation programme, many effective quick wins may be taken advantage of at a relatively low cost. The true challenge, however, lies in changing actuaries’ perceptions and habits regarding EUA use. Anyone who has tried to influence an actuary to use a standard colour palette can attest to this!
The Importance of Buy-in
With this in mind, in implementing any EUC improvements, perhaps the first step is to obtain buy-in from the users of these files. Over time, the aim should be to cultivate a strong risk culture in the team that starts from the most senior managers and cascades all the way down to recent graduates. And when end-users start seeing these risk management controls over their models as value-adding measures rather than a compliance exercise, the results may very well be more effective than a regulatory standard could ever be.
Get an email whenever we publish a new thought piece
The last two months have been eventful in terms of climate change discussion and guidance, with the South African regulator publishing a number of documents which may be useful for
2.1 min read
GM of Property24 and ASSA President-Elect Nalen Naidoo talks to Head of Insight Life Solutions, Pamela Hellig, about all things books, leadership, and leaps of faith. It’s commonly said (by
9.6 min read