On the basis that there isn't a single accepted global standard on the matter, the thematic review compares prevailing practices against an amalgamation of content from existing standards from the IAIS, OECD and other bodies. Of major interest to risk practitioners is the document's focus on areas which the IRM have covered recently, namely risk appetite/tolerance/limits/capacity and risk culture.
Bearing in mind that the great and good from the prudential regulatory world are active participants in the FSB, the likelihood of their findings emerging in the regulatory principles of tomorrow is pretty high. Of course this research has been based on non-insurance SIFIs, and so insurers large and small who have been endeavouring to meet Solvency II Pillar II requirements will find themselves in a decent spot already.
On that basis, I noted the following:
General recommendations to supervisory bodies (p4)
- Formal requirements on the independence and skillsets of Boards
- Hold Boards directly accountable for risk governance, and for whether or not their existing suite of risk MI is sufficient
- Formally elevate the stature, authority and independence of the CRO role
- Require an independent assessment of the effectiveness of the risk governance framework to be performed on an annual basis (a list of what Internal Audit would generally review in this context follows on p24)
- Engage "more frequently" with Boards and management to assess risk culture
Sound practices list (p30-34) - highlighted below are elements which may be new to the UK in particular, were they to be introduced
- Boards - annual reviews of member qualifications, skills and time commitments; meet quarterly with regulators; "effectively inculcate" an appropriate risk culture
- Risk Committee - annual approval of risk management policies
- Risk Management function - CRO to have direct reporting lines to Board/Risk Committee as well as CEO; public disclosure of CRO firing/hiring; be "actively involved" in strategic decision making processes; meet quarterly with supervisors; stress testing "on demand" at the behest of the business
Risk culture and risk governance supervisory assessment
- Notes that supervisors need to strengthen their ability to assess a firm's risk governance "...and more specifically its risk culture"
- "More work is needed" on regulatory assessment of risk appetite frameworks
- "Risk culture plays a critical role in ensuring effective risk governance practices through changing environments"
- The FSB has a working group exploring the potential for formal risk culture assessments, which is reporting in September 2013
Risk management functions and CROs
- Acknowledges that there have been "[raised] supervisory expectations for the risk management function" since the financial crisis
- Highlights that "most firms note that the CRO has a direct reporting line to the CEO", though "access to the Board" apparently remains more of an expression than a vivid reality
- "Good progress" has been made on enhancing the stature, authority, and independence of the CRO position
- Rather nondescript comment that "the Chief Risk Officer and the risk management function are responsible for the firm's risk management across the entire organisation" - responsible for what element, not conduct surely?
- Acknowledges a "lack of common terminology for risk appetite, risk profile and risk capacity...within firms, across firms and across national authorities"
- Definitions of appetite and capacity used by the FSB largely line up with the IRM's definitions (though the IRM use 'tolerance' rather than 'capacity')
- "Key features of a Risk Appetite Framework" are listed on p22 - however, even those firms considered best in breed commented that there are ongoing "operationalising" problems with RAF rollout
- Suggests that breaches of 'risk limits' should lead to reductions in exposures (p.iii) - not sure why the alternative of increasing appetite is not acknowledged