Monday, 10 December 2012

Governance Matters at ILAG - Co-operation between control functions under Solvency II

Been a bit quiet on the Blog front - not because my country and I are licking our wounds after being opened up by HMRC like a Manx kipper, but because I had been asked to chip in with my two cents at an event hosted by the Investments and Life Assurance Group in London. It was an exceptionally well run event, with some interesting takes on the participation of Risk, Actuarial and Internal Audit functions in meeting not only the Directive requirements, but also the expectations of wider stakeholders and indeed policyholders.

My particular focus was on Control Function interaction, the inevitable areas of crossover and emerging skill gaps, and I also touched on some benchmarking papers as well.

My transcript is below and, conveniently enough, reads like a Blog Post. If you would like the slides with the script/hyperlinks embedded, either register with ILAG or drop me a line at and I will send them on for the bargain price!


So back in my former life of BAU busy-ness, my interests in Control Function optimisation were generally led by budget (or lack of it), in particular;
     Professional standards – were there enough bodies, and were they sufficiently skilled or motivated, to perform the fundamentals required (bearing in mind corporate governance code reforms both in the UK (2010 changes BTW, not 2012’s!) and Ireland meant that some system of governance work had to jump the Solvency II queue regardless)
     Proportionality – would the lack of definition around the proportionality principle (Lloyds take a stab on p2) lead to companies being woefully underprepared once the national regulators inevitably bared their teeth post-2009. The impact of misinterpreting Article 41.2 genuinely put the fear in me!
     Multiple roles per person/outsourcing – Whilst some common sense calls were made at the smaller end by merging Risk and Compliance functions, the more operationally substantial calls around merging risk and actuarial functions, outsourcing internal audit/compliance advisory services and recently the march towards outsourcing independent model validation and data quality assessments all posed questions.
Of course, having now worked with one of the biggest, my natural curiosities are not piqued by the unavailability of resource and budget, more by the complexity of wading through the reams of opinion and material that large budgets generate! In particular, I have been monitoring;
     The ability to get bang for buck out of programme spend, with most Tier 1 firms having comfortably broken 3 figures despite, from a Pillar 2 perspective at least, having something akin to “textbook” governance systems at outset
     Whether the “Consultant writes/BAU implements” will be proven to be a successful method of preparing for Solvency II, or whether the plethora of Pillar 2 material outputs will, once unsupported by its transient authors, die a little death
     Control functions in Groups, and perceptions of which countries’ governance is considered superior/inferior in the world of supervisory colleges
But you lucky guys in the UK already have a decent amount of written word around what your control functions are up to, with GENPRU, INSPRU, SYSC, SUP and the Corporate Governance Code all building cases for functional remits and appropriate governance structures.
     So we know our friendly actuarial function will be knocking out the sums which end up in our pricing and reserving worlds, produce the EV and capital calcs that (hopefully) keep the wolf from the door, thus quantifying any risks which lend themselves to being quantified, and all the while self-policing the suite of models, methodologies and assumptions that aid them in doing so…
     We know our compliance function will be focused on monitoring and assessing the effectiveness of an entity to comply with prevailing laws and regulations, at a micro and macro level…
     We know our beloved IA function will be assessing the effectiveness of risk management, internal controls and governance processes…
However, the one rather raggedy looking function out of the existing set up is my one, the humble Risk function! While SYSC21 has beefed up the significance of Risk in the prevailing regs, the other SYSC tasks attributed make it feel a bit powder puff functionally by comparison.
In fact, both Risk and Compliance don’t especially feel enormously catered for in the prevailing set up as opposed to Actuarial and IA – not sure whether this is due to the consistency of their development as professions dwelling in the more certain lines either side of the second or not, but it’s certainly my feel as an outsider looking in…
…but thanks to Sol II (or at least the veiled threat of its implementation before I retire), we are now looking at control functions in reasonably neat packages complete with instructions!
One of the biggest problems that I’m sure all present have easily surmounted over the last couple of years is the ambiguities in the language of the Directive and Implementing Measures.
As a man who is married to a wonderful French woman, I am used to following instructions, but of course we are frequently confronted with flowery language such as “covers”, “advises”, “provides an opinion”, “liaises”, which is a consultant’s dream come true, but doesn’t help BAU demarcate and co-operate with any great certainty.
That said, the long and short of it ends with;
Risk come out with a pretty wide-ranging remit which mostly sits in the FSA’s Dream Function world of advisory, co-ordination, challenge and monitoring, though its ability to monitor “the general risk profile” is clearly reliant on the Actuarial function. Not assuming all present are part of IMAP, but the big ownership piece comes of course with the Risk function taking on responsibility for compliance with the internal model requirements on its design, implementation, testing, validation, documentation and weakness and limitation reporting. Clearly a massive undertaking and, certainly at the small/medium end, not one that can be naturally chalked off with an existing complement of staff.
Actuarial function requirements include requiring knowledge of actuarial and financial maths but leaving an “other standards” clause in to help out the less well-policed countries! They do also however get some wriggle room on responsibility where it would otherwise be assumed (at least by me!), and so “co-ordinate” TP calcs, “express opinions” on reinsurance arrangements and the underwriting policy, or “contribute to” implementation of the risk management system.
Compliance are not burdened with a laundry list of tasks as such, however to advise the AMSB on compliance with Solvency II is a pretty unenviable one (particularly now!). Perhaps the biggest challenge looking at the remit impartially is the depth and breadth of coverage that the function will need to provide, not just on Level 1, 2 and 3 and SOLPRU, but also be able to challenge the adequacy of the vastly expanded internal policy suite.
Internal Audit
IA get the unimaginable luxury of having a relatively unchanged remit, particularly in this neck of the woods where risk-based internal auditing and planning is de rigueur.
The aggression in the wording around the Outsourcing requirements suggests that the days of outsourcing control functions being a “write a cheque, then dusting-of-the-hands” job are at an end!

Now the legislative ambiguities just mentioned leave ample room for control function bun-fighting due to the inevitable crossovers of skillsets for certain tasks and, perhaps most pointedly, who takes precedence in such instances.
Probably the biggest area of convergence and potential toe-stepping-on is of course the ORSA space (covered here on the blog), which in the crossover context is more about who performs which sub-processes, under whose authority, and who “holds the pen” when collating the record of the ORSA performance.
More by process of elimination than by legislative direction, ORSA oversight seems to sit at the door of Risk, a concession even made by the SAI over in Dublin whilst simultaneously illustrating how little they are required in the ORSA Process! Is this therefore real or nominal oversight, or even worse, a PMO-type record collection role?
One other crossover area comes from the removal of the requirement (after pre-consultation) of an independent assessment of the ORSA Process – whilst losing the compulsion should be welcomed on principle, is there a danger that the IA function, through risk-based planning, may under or over-Audit the ORSA space? Just a thought...
Risk IMMMR/Advisory/Challenge
The world of risk identification/measurement/management/monitoring/reporting also becomes one with potential for friction, through the merger of the worlds of the Risk function’s qualitative risk register-type approach and the actuarial function’s established risk quantification methods, into what ultimately comprises the “general risk profile” as per the Directive text – one of the Big 4 suggested that the P&L Attribution is, for actuaries, “the real risk profile” for example, and perhaps some of you concur!
Regardless, the twin horrors of agreeing with Actuarial quantification methodologies for hard-to-quantify risks, while fostering a dependence on them for measurement, monitoring and reporting facilities around financial and insurance risks, suggest more of a one-sided dependence rather than “close co-operation” between the functions.
Compliance risk
This works similarly for the world of compliance risk identification/assessment, nominally in the remit of the Compliance function - are they being dragged somewhere nearer the first line if they are producing this work for the Risk function? Just feels a bit blurry…
Emerging Risk
For emerging risks, my main concern is the robustness of the top-down/emerging risk identification process filtering its way into some quantified element within the ORSA and/or internal model – Risk is chalked down for identifying and assessing emerging risks, but their ultimate measurement isn’t catered for.
For internal Modellers
And into the internal model space, the “close co-operation” between the Risk and Actuarial functions, at firms big and small, has the potential to cause all manner of difficulties, in pure process efficiency terms as well as the cost implications of IMAP failure. One CRO referred to this as having to “solve the risk management team/actuarial team conflict” in a recent presentation on model governance! Clearly though there is quite a gap to bridge between how this governance worked under ICA and the demands of Solvency II.
Establishing an “independent” team for regular validation, regardless of headcount, seems to be something of a holy grail, with a growing trend towards “bringing someone in”, if only for the comfort of benchmarking against one’s neighbours. This also helps a company stay in line with Mr Cardoni from the FSA’s call that “individuals performing the validation must possess the necessary skills, knowledge, expertise and experience”, but does little for self-sufficiency, as well as leaving the Risk function with the job of relationship manager during validation exercises.
The approaches available for the Risk function to discharge its other responsibilities around the internal model requirements, in particular around model design and implementation, of course cross over into terra firma for the actuarial function – would be interesting to know how any modelers in the room have approached this, as a cursory sign-off from Risk on a suite of model development and implementation paperwork doesn’t feel in keeping with the spirit of the regs, though an IRM survey from March suggested at least 11 IMAP applicants were doing something along these lines!
So even if Sol II doesn’t directly ask for enhanced skill sets, we in all functions can all see the iceberg coming if we don’t fix up and look sharp. As ever, the most fascinating movements are in the actuarial space as they meander over towards the risk in what is lined up to be the biggest land grab since Enclosure!
There is certainly plenty of encouragement, in a profession which one of its own was happy to recently decry is “trained to deal principally in numbers and statistics”, to branch out into Risk, with the CERA qualification – “the most comprehensive and rigorous demonstration of ERM expertise available” – perhaps leading the way. While the profession is quick enough to highlight the weaknesses and limitations of an Actuarial CRO, does this additional qualification do enough to bridge the gap?
Certainly the GCAE suggest in their work that professional education may need further enhancement especially in relation to risk management. Over in Ireland however, the SAI are taking it one step further in their Strategic Plan for the profession, going as far as looking to partner up with a university to develop a risk programme for anyone “who wants to skill up quickly in the area”. Can’t say I’m sure what the rush is, other than opportunity knocking!
On the Risk front, the IRM were very quick to respond to the FSA’s Dream Function presentation back in April 11 with a vigorous defence of the appropriateness of non-Actuarial heads-of-risk, noting that the two professions were “extremely complimentary while different”, whilst mockingly emphasizing that the very concept of CERA highlighted that “Core [actuarial] qualifications do not give sufficiently broad training”.
That said, while the IRM have focused attention on some big ticket items such as Risk Appetite and Risk Culture over the last 18 months, is it fair to say that training or certification touching on capital measurement and management, modeling, financial and insurance risks and their strategic application would have been a welcome addition to the qualification roster (notwithstanding what is available elsewhere through GARP’s FRM designation)? I rather embarrassingly had to answer a question from a colleague the other day about “how did you get qualified for Solvency II” – I won’t tell you how I answered!
For IA, there is a brave new world for anyone with the chops to upskill or expand their horizons. While the ever-moving implementation date maybe postpones any programme assurance work that IA could have picked up on the run-in to go-live, there is clearly an expectation at the FSA that they will contribute to activity such as internal model validation and data quality assessments, though I’m not seeing anything in the world of training to aid them in doing this (hence the consultancies are doing so well out of it I suspect!).
Deloitte do present a nice picture of some of the additional skills that IA may fall short on, in particular a natural aversion to covering non-Operational risks, despite their relatively higher contribution to the risk profile of insurers. One other thing I had in mind, knowing the IA profession’s predilection for COSO, was changes in the world of Insurer ERM since the last refreshes of COSO’s ERM work, particularly COSO’s latest take on risk assessment – instinctively feels like there may be some catch-up work to do in the IA field, but may be wrong.
For the compliance guys, is it fair to say that you already have your work cut out swallowing Level 1, 2 and 3 paperwork as well as any handbook changes which will emerge at the end of the PRA/FCA divorce? Interested to know if anyone is getting roped into other activities!
The last thing I was going to mention was that, in the absence of rapid upskilling, and the wind-down/mothballing of organisations’ Solvency II Programmes, has anyone worked out whose BAU budgets any outsourcing will come out of for the next couple of years?
Moving on to how people are doing on the functional operation and indeed co-operation front, there is a reasonable amount of intel and ideas out there, which you may have clocked on its way through, but maybe makes a bit more sense in aggregate.
Risk function effectiveness
As far as Risk function effectiveness goes, the IRM straw-polled their Solvency II SIG this year, and identified some worrying trends from a Sol II readiness perspective, in particular;
     Only half have their CRO communicating directly with the Board on risk matters – breathes some life into the quote from Axa’s Life CRO that “risk management is too important to leave to the risk management department”…
     Nearly half said risk papers are "noted with a short discussion" at Boards
     A number of risks were not covered by the respondees' risk functions – ALM and strategic risk in particular
     Over half felt they had overlap with either Actuarial or Compliance, and a quarter with IA
     As mentioned before, a decent number of risk functions are not directly delivering documentation, testing and validation of the internal model.
     Half said the process of implementing Solvency II affects their ability to become relevant to the Board
The IRM also very recently performed a survey (with a reduced quantum due to the subject) on Internal Model Governance trends, which highlighted that;
     Risk is “responsible” for IM governance (with no exceptions in the survey), but Actuarial are “involved”, but with no further details
     And many respondents feel “real decisions” continue to be made outside of IM Governance framework, in particular around stress testing, back testing, model change and expert judgement – makes one wonder if an Actuarial CRO could counter that governance leakage?
Risk appetite design and application
There was a paper released by our hosts this year which emphasized the differences in design and implementation of Risk Appetite Frameworks between Risk and Actuarial functions, noting that a quant heavy actuarial approach gets more traction and quicker! This doesn’t augur well for the new ORSA world of “everything must be quantified”, as it is the qualitative risks that need the most attention.
Reporting lines
The world of reporting lines remains a pretty hot topic, with KPMG putting out a decent paper which recommended, amongst other things, that the Actuarial function should consider a formal demarcation between risk taking and risk assessing/measuring actuaries, which would negate the trend of shoehorning capital actuaries through the Head of Risk, keeping them all reporting through the AFH. They also added that at least half of the respondees were not yet at their desired end-state regarding the basic new Actuarial function requirements around underwriting and reinsurance adequacy opinion provision.
IM Validation
In the model validation space, as early as the end of last year we saw KPMG reporting that half of the IM production staff were also involved in the validation process, emphasizing the practical difficulties in functional separation whilst in Programme mode – would love to see how those numbers have moved since.
Having seen the FSA’s feedback in May on what had been observed at that point in time (in particular that independence from model development and being “sufficiently competent” went hand in hand), one can imagine that IA’s role in the activity will be marginalized in future at the ongoing expense of bringing in the Big Guns every year.
Things a Risk function could be doing
And finally, while I have touched repeatedly on activities which a Risk function may find cannibalized by their ravenous Actuarial counterparts, as well as responsibilities bestowed upon it that it may not be equipped to discharge, I have seen a few pieces around activities that the Risk function would probably love to be doing more of, given half a chance.
A recent piece by Accenture got my engine running, around the future of data analytics – I definitely feel that, with the appropriate informational power at their hands, the risk function can provide massively enhanced IMMMR and advisory services at little additional cost (the main cost of course already being sunk into data quality and data warehousing projects independent of the function).
One lovely piece, pitched in the context of why Equitable failed, reads like a list of things a CRO should be focused on, such as NED ambivalence and underperformance, or executive hubris, while a Towers Watson presentation on prepping for the future draws out the most practical big ticket activities such as superior understanding of model weaknesses and limitations and tail risk, rather than a more general clutch at the full bag of responsibilities bestowed on the function by Sol II.
A research piece from the CII (sadly no longer free!) complements that, suggesting that a “balance between modeling and judgement” must be struck by Risk departments in order to breathe relevance into a function that the author was outspokenly critical of in his research.
