Of course to the grizzled old set of risk practitioners who have done the rounds for the last few years, the fundamentals of the directive's requirements on the four control functions are as basic as the ingredients list for a frozen lasagne. It naturally draws attention to the likelihood that there will be "some overlap" between the activities of Risk, Actuarial, Compliance and Internal Audit, as well as touching on outsourcing as "...an attractive way of meeting the wide range of requirements" for those
However, I detected more than a whiff of controversy around the content of this particular publication (which I hasten to add is a smart read nevertheless), were one to take it at face value. In particular:
- Their use of the three lines of defence model in the publication - while perceived to be good practice for segregating operations from risk advisory from risk assurance, it is certainly not cited in any existing materials at Level 1, 2 or 3, and the structure may be disproportionate at the small end of the insurer spectrum. On top of that, the Actuarial function acknowledgedly occupies a grey area between the first and second lines, in particular where firms haven't catered separately for the reporting lines of reserving, pricing and capital management actuaries (p8).
- The comment that "The risk management function will no doubt have to include people with a professional scientific and mathematical background, ideally backed up by appropriate qualifications (eg actuaries)". Whilst, internal model or not, the Actuarial function will clearly have to provide "considerable support" to the Risk function, I don't see any reason at the small-to-medium level for the Risk function to include actuaries unless through choice, using the lever of proportionality.
- That the Risk function "...shares responsibility for the risk strategy" - I think the implication is that it shares responsibility with the Board, but the statement doesn't help identify a) who authors and authorizes it and b) who gets fired for its poor deployment! I am more inclined to think the Risk function owns the risk management system and is responsible for monitoring and reporting on the implementation of the risk strategy which sits within it. The FSA define their requirements on this page in any case.
- That the Risk function "...identify potential risks and recommend appropriate countermeasures to the Board" - as far as emerging risk/top-down risk assessment goes, I certainly expect the function to facilitate the emerging risk/scenario analysis/reverse stress test activities in this regard, but it is most certainly not a solo job.
- That "The compliance function...will have to include staff with a legal background" - appreciating what the wording of Article 46 implies in particular, this is more a proportionality/outsourcing issue for me than anything. Having said that, I'm sure any existing compliance professionals out there who didn't take the Bar might feel slighted by this!
- That "all four functions have a direct reporting line to the Board" - not certain that this is so in the vast majority of cases. Certainly via Board committees the Risk and Internal Audit functions will be well catered for (and the FSB recommended even better than that for the Risk function last week), but I suspect an executive reporting line is as good as it gets for the other two functions in most firms.
Certainly plenty to engage the grey matter with regardless of your country of origin, even around control function crossover areas (which I presented on at the end of last year), so dig in.