Sep 25, 2011

Compliance: Sample Size

How to set an adequate sample size in case of a compliance check?

This simple question has ultimately a simple answer, but can become a "mer à boire" (nightmare) in case of a 'classic' sample size approach.....

In my last-but-one blog called 'Pisa or Actuarial Compliant?', I already stressed the importance of checking compliance in the actuarial work field.

Compliance is important not only from an actuarial perspective, but also from a core business viewpoint:

Compliance is the main key driver for sustainable business

Minimizing Total Cost by Compliance
A short illustration: We all know that compliance costs are a part of Quality Control Cost (QC Cost) and that the cost of NonCompliance (NC Cost) increases with the noncompliance rate.

Mainly 'NC cost' relate to:
  • Penalties or administrative fines of the (legal) regulators
  • Extra  cost of complaint handling
  • Client claims
  • Extra administrative cost 
  • Cost of legal procedures

Sampling costs - in their turn - are a (substantial) part of QC cost.

More generally, it is the art of good-practice compliance management to determine the level of maximal noncompliance rate that minimizes the total cost of a company.



Although this approach is more or less standard, in practice companies' revenues depend strongly on the level of compliance. In other words: If compliance increases, revenues increase and variable costs decrease.

This implies that introducing 'cost driven compliance management' - in general - will (1) reduce  the total cost and (2) mostly make room for additional investments in 'QC Cost' to improve compliance and to lower variable and total cost.

In practice you'll probably have to calibrate (together with other QC investment costs) to find the optimal cost (investment) level that minimizes the total cost as a percentage of the revenues.


As is clear, modeling this kind of stuff is no work for amateurs. It's real risk management craftwork. After all, the effect of cost investments is not certain and depends on all kinds of probabilities and circumstances that need to be carefully modeled and calibrated.

From this more meta perspective view, let's descend to the next down to earth 'real life example'.

'Compliance Check' Example
As you probably know, pension advisors have to be compliant and  meet strict federal, state and local regulations.

On behalf of the employee, the sponsoring employer as well as the insurer or pension fund all have a strong interest that the involved 'Pension Advisor' actually is, acts and remains compliant.

PensionAdvice
A professional local Pension Advisor firm, 'PensionAdvice' (fictitious name), wants 'compliance' to become a 'calling card' for their company. The target is that 'compliance' will become a competitive advantage over its rivals.

You, as an actuary, are asked to advise on the issue of how to verify PensionAdvice's compliance....... What to do?


  • Step 1 : Compliance Definition
    First you ask the board of PensionAdvice  what compliance means.
    After several discussions compliance is in short defined as:

    1. Compliance Quality
      Meeting the regulator's (12 step)  legal compliance requirements
      ('Quality Advice Second Pillar Pension')

    2. Compliance Quantity
      A 100% compliance target of PensionAdvice's portfolio, with a 5% non-compliance rate (error rate) as a maximum on basis of a 95% confidence level.

    The board has no idea about the (f)actual level of compliance. Compliance was - until now - not addressed on a more detailed employer dossier level.
    Therefore you decide to start with a simple sample approach.

  • Step 2 : Define Sample Size
    In order to define the right sample size, portfolio size is important.
    After a quick call PensionAdvice gives you a rough estimate of their portfolio: around 2.500 employer pension dossiers.

    You pick up your 'sample table spreadsheet' and are confronted with the first serious issue.
    An adequate sample (95% confidence level) would require a minimum of 334 samples. With around 10-20 hours of research per dossier, the costs of a sampling project of this size would get way out of hand and become unacceptable, as they would raise the total cost of PensionAdvice (check this, before you conclude so!).

    Lowering the confidence level doesn't solve the problem either. Sample sizes of 100 and more are still too costly and confidence levels of less than 95% are of no value in relation to the client's ambition (compliance = calling card).
    The same goes for higher - more than 5% - 'Error Tolerance' .....

    By the way, in case of samples for small populations things will not turn out better. To achieve relevant confidence levels (>95%) and error tolerances (<5%), samples must have a substantial size in relation to the population size.


    You can check all this out 'live' in the next spreadsheet, where you can modify the sampling conditions to your own needs. If you don't know the variability of the population, use a 'safe' variability of 50%. Click 'Sample Size II' for modeling the sample size of PensionAdvice.



  • Step 3: Use Bayesian Sample Model
    The above standard approach of sampling could deliver smaller samples if we would be sure of a low variability.

    Unfortunately we (often) do not know the variability upfront.

    Here comes the help of a method based on efficient sampling and Bayesian statistics, as clearly described by Matthew Leitch.

    A simplified version of Leitch's approach is based on Laplace's famous 'Rule of succession', a classic application of the beta distribution (technical explanation).

    The interesting aspects of this method are:
    1. Prior (weak or small) samples or beliefs about the true error rate and confidence levels can be added to the model in the form of an (artificial) additional (pre)sample.

    2. As the sample size increases, it becomes clear whether the defined confidence level will be met or not and if adding more samples is appropriate and/or cost effective.

    This way unnecessary samples are avoided, sampling becomes as cost effective as possible and auditor and client can dynamically develop a grip on the distribution. Enough talk, let's demonstrate how this works.

Sample Demonstration
The next sample is contained in an Excel spreadsheet that you can download and that is presented in a simplified spreadsheet at the end of this blog. You can modify this spreadsheet (online!) to your own needs and use it for real life compliance sampling. Use it with care in case of small populations (n<100).

A. Check on the prior beliefs of management
Management estimates the actual NonCompliance rate at 8% with 90% confidence that the actual NonCompliance rate is 8% or less:



If management would have no idea at all, or if you would not (like to) include management opinion, simply estimate both (NonCompliance rate and confidence) at 50% (= indifferent) in your model.

B. Define Management Objectives
After some discussion, management defines the (target) Maximum acceptable NonCompliance rate at 5% with a 95% confidence level (= CL).



C. Start sampling
Before you start sampling, please notice how the prior beliefs of management are rendered into a fictitious sample (test number = 0) in the model:
  • In this case the prior beliefs match a fictitious sample of size 27 with zero noncompliance observations.
  • This fictitious sample corresponds to a confidence level of 76% on the basis of a maximum (population) noncompliance rate of 5%.
[ If you think the rendering is too optimistic, you can change the fictitious number of noncompliance observations from zero into 1, 2 or another number (examine in the spreadsheet what happens and play around).]

To lift the 76% confidence level to 95%, it would take an additional sample size of 31 with zero noncompliance outcomes (you can check this in the spreadsheet).
As sampling is expensive, your employee Jos runs a first test (test 1) with a sample size of 10 with zero noncompliance outcomes. This looks promising!
The cumulative confidence level has risen from 76% to over 85%.



You decide to take another limited sample with a sample size of 10. Unfortunately this sample contains one noncompliant outcome. As a result, the cumulative confidence level drops to almost 70% and another sample of size 45 with zero noncompliant outcomes is necessary to reach the desired 95% confidence level.

You decide to go on and after a few other tests you finally arrive at the intended 95% cumulative confidence level. Mission succeeded!



The great advantage of this incremental sampling method is that if noncompliance shows up in an early stage, you can
  • stop sampling, without having incurred major sampling costs
  • improve compliance of the population by means of additional measures on the basis of the learnings from the noncompliant outcomes
  • start sampling again (from the start)

If - for example - test 1 would have had 3 noncompliant outcomes instead of zero, it would take an additional test of size 115 with zero noncompliant outcomes to achieve a 95% confidence level. It's clear that in this case it's better to first learn from the 3 noncompliant outcomes what's wrong or needs improvement, than to go on with expensive sampling against your better judgment.



D. Conclusions
On the basis of a prior belief that - with 90% confidence - the population is 8% noncompliant, we can now conclude that after an additional total sample of size 65, PensionAdvice's noncompliance rate is 5% or less with a 95% confidence level.

If we want to be 95% sure without 'prior belief', we'll have to take an additional sample of size 27 with zero noncompliant outcomes as a result.
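
The demonstration above can be replayed in a few lines of Python. This is an added example, not the blog's spreadsheet: it assumes a uniform Beta(1,1) prior (Laplace's rule of succession) with prior beliefs rendered as an all-compliant fictitious sample, an assumption that reproduces the figures quoted in this post (27, 76%, 31, 45 and 115). All function names are hypothetical.

```python
from math import comb

def confidence(n, k, p_max):
    """P(true noncompliance rate <= p_max) after n dossiers, k noncompliant.

    Assumed model: uniform Beta(1,1) prior, so the posterior is
    Beta(k+1, n-k+1); its CDF at p_max equals P(Bin(n+1, p_max) >= k+1).
    """
    at_most_k = sum(comb(n + 1, j) * p_max**j * (1 - p_max)**(n + 1 - j)
                    for j in range(k + 1))
    return 1.0 - at_most_k

def prior_as_sample(rate, conf):
    """Smallest all-compliant fictitious sample that expresses a prior belief."""
    n = 0
    while confidence(n, 0, rate) < conf:
        n += 1
    return n

def extra_clean_needed(n, k, p_max, target):
    """Further all-compliant dossiers needed to reach the target confidence."""
    extra = 0
    while confidence(n + extra, k, p_max) < target:
        extra += 1
    return extra

def replay(prior_rate, prior_conf, p_max, target, tests):
    """Accumulate (sample_size, noncompliant) tests on top of the prior."""
    n, k = prior_as_sample(prior_rate, prior_conf), 0
    rows = [(n, k, confidence(n, k, p_max),
             extra_clean_needed(n, k, p_max, target))]
    for size, bad in tests:
        n, k = n + size, k + bad
        rows.append((n, k, confidence(n, k, p_max),
                     extra_clean_needed(n, k, p_max, target)))
    return rows

if __name__ == "__main__":
    # Scenario from the text: prior 8% at 90%, objective 5% at 95%,
    # then tests of 10 (0 noncompliant), 10 (1 noncompliant), 45 (0).
    tests = [(10, 0), (10, 1), (45, 0)]
    for n, k, cl, extra in replay(0.08, 0.90, 0.05, 0.95, tests):
        print(f"n={n:3d}  noncompliant={k}  confidence={cl:6.1%}  "
              f"clean dossiers still needed={extra}")
```

Calling `extra_clean_needed(37, 3, 0.05, 0.95)` covers the "3 noncompliant outcomes in test 1" case discussed above.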

E. Check out

Check out the next spreadsheet. Modify the sampling conditions to your own needs and download the Excel spreadsheet.


Finally
Excuses for this much too long blog. I hope I've succeeded in keeping your attention....


Related links / Resources

I. Download official Maggid Excel spreadsheets:
- Dynamic Compliance Sampling (2011)
- Small Sample Size Calculator

II. Related links/ Sources:
- 'Efficient Sampling' spreadsheet by Matthew Leitch
- What Is The Right Sample Size For A Survey?
- Sample Size
- Epidemiology
- Probability of adverse events that have not yet occurred
- Progressive Sampling (Pdf)
- The True Cost of Compliance
- Bayesian modeling (ppt)

Sep 12, 2011

Pisa or Actuarial Compliant?

When we talk about actuarial compliance, we usually limit this to our strict actuarial work field.
In a broader sense as 'risk managers', we (actuaries) have a more general responsibility for the sustainability of the company we work for.

Compliance is not just about security, checks, controls, protection, preventing fraud, ethical behavior. Moreover, compliance is the basis of adequate risk management and delivering high standard service and products to your company's clients.

Pisa Compliant
No matter how brilliant and professional our calculations, if the data - on which these calculations are based - are 'limited', 'of insufficient quality' or 'too uncertain', we as actuaries will finally fail.

Therefore, building actuarial sandcastles is great art, however completely useless. Matthew 7:26 tells us: it's a foolish man who builds his actuarial house on the sand....

And so, let's take a look if we have indeed become 'Pisa Compliant' by checking if our actuarial compliance is built on sand or on solid ground. In other words: let's check if actuarial compliance itself is compliant...

Actuarial Data Governance
To open discussion, let's start with some challenging Data Governance questions:

  • Data quality compliance
    How is 'data quality compliance' integrated in your actuarial daily work? Have you addressed this issue? And if so, do you just rely on statements and reports of others (auditors, etc), can you agree upon the data quality standards (if there are any)? In other words: are the data, processes and reports you base your calculations on 100% reliable and guaranteed? If not, what's the actual confidence level of your data and do you report about this confidence level to the board?

  • Data quality Confirmation
    Have you checked your calculation data set on the basis of samples or second opinions?

    And if so, do you approve of the methods used, the confidence level and the outcome of the data audit?

    Or do you just 'trust' the blue eyes of the accountant or auditor and formally state you're "paper compliant"?

    Did you check if client information, e.g. pension benefit statements, is not only in line with the administrative data, but also in line with insurance policy conditions or pension scheme rules?

  • Up to date, In good time
    To what quantitative level is the administrative data  'up to date' and is it transparent?

    Do you receive administrative backlog and delays reporting and tracking and if so, how do you translate these findings in your calculations?

  • Outsourcing
    From a risk management perspective, have you formulated quantitative and qualitative demands (standards) in outsourced contracts, like 'asset management', 'underwriting'  and 'administration' contracts?

    Do you agree on these contracts, do 'outsourcing partners' report on these standards and do you check these reports regularly on a detail level (samples)? 

And some more questions you have to deal with as an actuary:
  • Distribution Compliance
    Is the intermediary and are the employers and customers your company deals with, compliant? What's the confidence level of this compliance and in case of partial noncompliance, what could be the financial consequences? (Claims)

  • Communication Compliance
    Is communication with employees, customers, regulators, supervisors and shareholders compliant? Has your board (and you!) defined what compliance actually means in quantitative terms?

    Is 'communication compliance' based on information (delivery and check) or on communication?

    In this case, have you also checked if (e.g.) customers understood what you tried to tell them?

    Not by asking if your message was understood, but by quantitative methods (tests, polls, surveys, etc) that indisputably 'prove' the customer really understood the message.

    Effective Communication Practice
    Never ask if someone has understood what you've said or explained. Never take for granted someone tells you he or she 'got the picture'.

    Instead act as follows: At the end of every (board) presentation, ask that final and unique question of which the answer assures you that your audience has really understood what you tried to bring across.

Checking Compliance
Now we get to the quantitative 'hard part' of compliance:

How to check compliance?

This interesting topic will be considered in my next blog.... ;-)

To lift a little corner of the veil, just a short practical tip to conclude this blog:

Compliance Sample Test
From a large portfolio you've taken a sample of 30 dossiers to check on data quality. All of them are found compliant. What's the upper limit of the noncompliance rate in case of a 95% confidence level?

This type of question is a typical case of:

“If nothing goes wrong, is everything alright?”

Answer.
The upper limit can be roughly estimated by a simple rule of thumb, called 'Rule of three'....



'Rule of three for compliance tests'
If no noncompliant events occurred in a compliance test sample of n cases, one may conclude with 95% confidence that the rate of  noncompliance will be less than  3/n.

In this case one can be roughly 95% sure the noncompliance rate is less than 10% (= 3/30). Interesting, but slightly disappointing, as we want to chase noncompliance rates in the order of 1%.

Working backwards from the rule of three, a 1% noncompliance rate would call for samples of 300 or more. Despite the fact that research for 46 international organizations showed that on average, noncompliance cost is 2.65 times the cost of compliance, samples of this size are often (perceived as) too cost-inefficient and not practicable.
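
To see how rough the rule of thumb is, the exact limit can be computed and compared with 3/n. The following is an added example, not part of the original blog; it goes beyond the zero-noncompliance case by also handling samples in which k noncompliant dossiers were found (the exact one-sided binomial, or Clopper-Pearson, limit). Function names are hypothetical.

```python
from math import ceil, comb, log

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j) for j in range(k + 1))

def upper_limit(n, k=0, cl=0.95):
    """Exact one-sided upper limit on the noncompliance rate.

    Largest rate p that is still consistent with seeing k or fewer
    noncompliant dossiers in a sample of n, i.e. P(X <= k | p) = 1 - cl.
    Solved by bisection, because the CDF falls monotonically in p.
    """
    if k >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - cl:
            lo = mid          # rate still plausible, move up
        else:
            hi = mid
    return hi

def rule_of_three(n):
    """Rule-of-thumb 95% upper limit for a sample with zero noncompliance."""
    return 3 / n

def clean_sample_size(p_max, cl=0.95):
    """Smallest all-compliant sample showing the rate is below p_max."""
    return ceil(log(1 - cl) / log(1 - p_max))

if __name__ == "__main__":
    print(f"n=30, 0 found: exact {upper_limit(30):.4f}, "
          f"rule of three {rule_of_three(30):.4f}")
    print(f"n=30, 1 found: exact {upper_limit(30, k=1):.4f}")
    print(f"clean sample needed for 1%: {clean_sample_size(0.01)}")
```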

Read my next blog to find out how to solve this issue....

Related Links:
- Actuarial Compliance Guidelines
- What Is The Right Sample Size For A Survey?
- Epidemiology
- Probability of adverse events that have not yet occurred
- The True Cost of Compliance (2011)
- 'Rule of three'
- Compliance testing: Sampling Plans (accounting standards) or Worddoc