The biggest unmanaged actuarial risk in most insurers today is no longer in the model. It is in the unversioned spreadsheets that adjust the model’s outputs, and the reporting packs that re-aggregate them. We have spent a decade investing in modelling engines, finance platforms and cloud infrastructure. The pain has moved one layer out — into the work that surrounds the model — and the second line of defence has not yet caught up.

Walk into a typical close

The cashflow engine has run cleanly. The numbers it produced are sitting in a database. From there, they pass through a chain of workbooks: an overlay for an assumption that the engine cannot yet model; a reconciliation against finance; a manual adjustment for a treaty that lives outside the model; a final pack that pulls all of this into a board-ready format.

Each workbook is, in isolation, defensible. Together, they are usually the largest unaudited risk on the actuarial estate. The work is real, the numbers are real, and the controls are nominal. The team that runs the close knows where the bodies are buried; nobody else does. The model risk framework rarely covers any of this, because the framework was written when models were the risk.

A small taxonomy of overlays

It helps to have a vocabulary. The overlays we typically find fall into five categories. Naming them makes them visible, which is half the battle.

  • Methodology overlays — corrections for known model limitations. The engine cannot yet handle a particular product feature, so a workbook restates the cashflows after the fact. These accumulate and rarely get rolled back into the engine when the limitation is fixed.
  • Data overlays — corrections for known data issues that have not yet been fixed upstream. The team knows the policy file is missing a treaty cession; the workbook adjusts for it. Two years later, the upstream system has been fixed, but the overlay is still applied.
  • Reconciliation overlays — adjustments to align actuarial output to a finance number that the business has already disclosed. These are the most operationally awkward, because they directionally subordinate actuarial truth to finance convenience.
  • Audit-driven overlays — corrections introduced after a prior-period review. Usually defensible at the time, but they accumulate, and the rationale fades.
  • Late-data overlays — top-ups for data that arrived after the close cut-off. Built fast, lightly controlled, and routinely promoted to permanent.

The control gap is in the aggregate

The control gap is not in any single overlay. The team that built it can usually justify it. The gap is in the population. Nobody owns it. Nobody can list every overlay applied this cycle, or tell you which were also applied last cycle, which are new, which should have rolled off, and what the cumulative impact is on disclosed numbers. We have looked at this on enough estates to be comfortable saying that overlay sprawl is now a board-level risk at most insurers and that boards are not yet seeing it.

The argument that any individual overlay is small is technically true and operationally irrelevant. Risk concentrates in the place that nobody is watching. Right now that place is the spreadsheet layer.

A first-step assessment any chief actuary can run in two weeks

If you do nothing else, run this exercise next quarter. We have done versions of it for clients across the African insurance market and the output is always the same: useful, unsettling and actionable.

  1. List every workbook touched between the engine output and the disclosed number. Just the file names and locations to start. Do not sanitise the list — the messier it is, the more useful the exercise.
  2. For each workbook, name the owner, the trigger event, and the date of the last meaningful change. If nobody is sure who owns it, write that down too.
  3. Classify each adjustment using the taxonomy above. Some workbooks will contain multiple categories.
  4. Identify the three with the largest monetary impact and the three with the weakest controls. They will not be the same three. The intersection of the two lists is your top priority.
  5. Decide which are worth productionising in the next cycle. Productionised here means: moved into a versioned, reviewed, signed-off process — not necessarily into the engine itself.

What “fixed” looks like

The endpoint is not zero overlays. The endpoint is a known population of overlays, each with an owner, a reviewer, a reason-for-change and a version. That is what governance looks like, and it costs much less than people fear once you stop treating each workbook as bespoke.
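A minimal overlay register that supports the assessment steps and the four governance attributes above, as an added example (not part of the original article or any client tooling). The field names, file paths, digests and figures are constructed, and "weakest controls" is assumed here to mean the most missing governance attributes.

```python
from dataclasses import dataclass

GOVERNANCE_FIELDS = ("owner", "reviewer", "reason", "version")  # from the article

@dataclass(frozen=True)
class Overlay:
    path: str        # workbook location (step 1)
    category: str    # taxonomy class (step 3)
    impact: float    # absolute monetary impact, in millions (constructed)
    digest: str      # content hash of the workbook (constructed placeholder)
    owner: str = ""
    reviewer: str = ""
    reason: str = ""
    version: str = ""

    def gaps(self):
        return [f for f in GOVERNANCE_FIELDS if not getattr(self, f)]

def diff_population(prev, curr):
    """Compare two cycles; silent_change = content changed, version label did not."""
    p, c = {o.path: o for o in prev}, {o.path: o for o in curr}
    carried = c.keys() & p.keys()
    return {
        "new": sorted(c.keys() - p.keys()),
        "rolled_off": sorted(p.keys() - c.keys()),
        "carried": sorted(carried),
        "silent_change": sorted(k for k in carried if c[k].digest != p[k].digest
                                and c[k].version == p[k].version),
    }

def top_priority(curr, n=3):
    """Step 4: overlays in both the top-n by impact and the top-n by control gaps."""
    by_impact = sorted(curr, key=lambda o: -abs(o.impact))[:n]
    by_gaps = sorted(curr, key=lambda o: -len(o.gaps()))[:n]
    return sorted({o.path for o in by_impact} & {o.path for o in by_gaps})

# Constructed sample registers for two consecutive closes.
PREV = [
    Overlay("overlays/treaty_x.xlsx", "data", 4.0, "a1", "owner-a", "", "missing cession", "v3"),
    Overlay("overlays/fin_recon.xlsx", "reconciliation", 1.2, "b1", "owner-b", "rev-b", "align to finance", "v7"),
    Overlay("overlays/audit_2022.xlsx", "audit-driven", 0.3, "c1", "owner-c", "rev-c", "prior review", "v1"),
]
CURR = [
    Overlay("overlays/treaty_x.xlsx", "data", 4.0, "a2", "owner-a", "", "missing cession", "v3"),
    Overlay("overlays/fin_recon.xlsx", "reconciliation", 1.2, "b1", "owner-b", "rev-b", "align to finance", "v7"),
    Overlay("overlays/late_top_up.xlsx", "late-data", 2.5, "d1"),
    Overlay("overlays/product_feature.xlsx", "methodology", 0.8, "e1", "owner-e", "rev-e", "unmodelled feature", "v2"),
    Overlay("overlays/guarantee_fix.xlsx", "methodology", 0.1, "f1", "owner-f"),
]
print(diff_population(PREV, CURR), top_priority(CURR))
```

In practice the digest would be computed from the workbook file itself each cycle, so an edit that nobody recorded shows up as a silent change.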

The cheapest, fastest way to get there is to start surfacing the work that exists, in the language above. Most of the value is in making the invisible visible. The harder part — productionising the workflow — is then a real engineering project, not a clean-up exercise. We will write about that next.

If you want help running this assessment as a fixed-fee, fixed-duration engagement, we offer it as our Actuarial Operating Layer Assessment.