Monday 29 September 2014

CRO Forum's Principles on Operational Risk Measurement - "Quant touch this"...

Hammer Time?
Current efforts in Op Risk quantification
Despite practitioners efforts over the last few years, Operational Risk continues to live on starvation rations when it comes to considered quantification. Never treated as an alpha-topic by executives inside insurance institutions, it has been treated with similar indifference by legislators, culminating in the  "totally inadequate" take-a-percentage methodology for calculating Operational Risk capital in the Standard Formula.

Internal Modellers on the whole are not likely to be shaming that technique with their efforts either (basic summary of their problems here, while InsuranceERM cover struggles as a whole with a roundtable here). A paucity of operational risk event (and near miss) data within firms may be good news for ORIC as a vendor, but from a parameter and data uncertainty perspective, it leaves internal model operators and validators in an invidious position, particularly due to the quantum of insurers' capital likely to be involved (10%, give or take?).

It's not that the actuarial world hasn't taken a stab at it before (here), aren't fully aware of the data holes (here), or haven't used the word "Bayesian" in a sentence (here). However an activity which was "in its infancy" in the UK as far back as 2005, is surely now old enough to be working in the mines...

I was therefore happy to see the unprolific-yet-important CRO Forum bring a white paper to the table, Principles of Operational Risk Management and Measurement. It is an update to a 2009 version which takes into account Solvency II demands, as well as developing practice within insurers over the period, the suggestion being that 2009's efforts were a little too Banking Industry-influenced.

While this document might feel at outset like an idiot's guide to "quanting" operational risk (and bearing in mind the number of prospective standard formula applicants - 9 out of 10 in UK - one may be needed soon!), the document touches on a number of noteworthy technical matters, in particular;
  • The Definition section doesn't read well, but they have attempted to include outcomes other than monetary loss into the Op Risk definition, which from experience will improve discourse within firms. Are they attempting to squeeze strategic and reputational risks into this box though?
  • Nice coverage of Boundary Events, and encouraging firms to consider them in their management of Op Risk.
  • Very specific treatment of Risk Tolerance throughout, using it in preference to Risk Appetite. This is because it cannot be avoided, and so tolerance levels should be used to trigger "RAG"-type reporting up the chain. Nice work, and well justified, but I have certainly seen the expression "Zero Appetite" used for Op Risk, so no doubt this is not an industry standard perspective yet! (p5-6)
  • No problems with their coverage of tried and tested techniques - "Top Down", RCSA's & Loss Event analysis (p9-10)
  • Nice turn of phrase regarding emerging risks on p9 - "...assess the proximity of new risks to the organisation". It may need to include an attempt to quantify to be fully useful for ORSA purposes.
  • Concept of residual risk arrives quite late in the day, but isn't omitted. Important, given how much qualitative, or spuriously quantitative, material is being promoted as aiding this measurement work (p10)
  • Seem to accept at the bottom of p10 that Internal Modellers must do more than curve fit on internal Op Risk Event data - good news I guess.
  • Internal Model validation pressures on current Op Risk quantification practices flagged directly (p16 in particular)
  • Guidelines on embedding Op Risk monitoring processes highlight just how much work some practitioners are managing to cover (p11). Quite disheartening for those with smaller budgets.
Ther are a few points to make on section B around quantification:
  • Pretty scathing on Standard Formula relevance. (p14)
  • Scenario Analysis sold as something of a panacea to cure the ills of incomplete Op Risk Event data sets, but no mention of the biases which seem to permeate the creation of the scenarios, which is sadly a hostage to the invitee list. (p14)
  • Expand more on scenario analysis, bringing the "severe but plausible" terminology to the table (p15)
As well as the following generic comments;
  • Is risk measurement - "a tool for embedding risk culture in the organisation"? I would say so, particularly in the Op Risk arena, where decision makers will need to be involved at scenario-compilation time.
  • That said, they then go on to reference "senior management sign-off" of scenario work, which is somewhat contradictory!
  • Overweight in references to "culture" and "tone at the top", like most white papers these days (see the FRC's efforts from the other week). Playing with fire as a profession by shoehorning references to "culture" into everything.
  • A couple of horror-show schematics used on pages 7 and 8 - the Forum must know how much time risk professionals lose walking non-experts through things like this. They serve no purpose, and detract from surrounding text.
  • Attempt on p9 to solicit business for ORIC?
It was Professor Jagger who accurately prophesised "You can't always get what you Quant" - I'd say the Risk profession concurs, based on these very welcome principles.

Wednesday 24 September 2014

KPMG on Pillar 3 and Public Disclosure - in or out?

Pillar 3 - rude awakening?
The operational reality of Solvency II Pillar 3 is seemingly about to deliver a ruder awakening than breakfast at Chubby Brown's. Whilst for example the UK's regulator has offered an element of flexibility in the content of the QRT reporting to be submitted during the Solvency II preparatory phase (Q21 here), Finance functions across the EU will be in an spreadsheet-fuelled scramble to deliver Solvency I, Solvency II and public reporting from now on in.

The lie of the land is not pretty as it stands. Evidently the PRA's crack team of Pillar 3 regulator and industry expets is tabling some sobering questions, given their recently revised Q&A, and both software solution providers (here) and asset data firms (here) continue to ebb and flow with their contributions to preparedness, depending on the pay-off. Some co-odination efforts have recently begun on asset data transference involving the larger EU players, but doesn't yet sound like the golden ticket for the teams charged with delivering Pillar 3 material.

Even EIOPA, the new custodians of the word ERRATA, are seemingly tied up with the less technologically developed EU members in an Excel-flavoured workaround to the xBRL question which, judging by the number of QRT template amendments already applied, has an air of inevitability about it.

It was therefore nice to see one of the Big 4 release results from this survey on how firms are preparing for Pillar 3 in the content of existing and future public disclosure requirements. Small sample (11 firms, all multinationals), and all evidently have existing plc-type disclosure requirements, but the topics and trends covered should inform anyone in the Pillar 3 space who has transitioning on their agendas.

Worthy of note:

  • Pre-Solvency II disclosure of quantitative material not favoured - not much to be gained I suppose
  • No-one planning to publish projected capital adequacy!
  • Responders in IMAP seemingly working on the basis that "Plan B" won't be required
  • Few likely to publish "internal views of capital" ( for this read "overall solvency needs" or "ORSA Capital") - analysts felt unlikely to be looking for it.
  • Most common differences between Pillar 1 and OSN used were treatment of contract boundaries and the risk-free rate, with the list of distinctions going into double figures
  • Some provisional plans for IFRS alignment on the balance sheet methodology front
  • Embedded Value about to be jettisoned as a reporting metric - analysts are of course devastated!

Who said accountancy was boring?

Monday 22 September 2014

Central Bank of Ireland and ORSA - fancy a bunch of FLAORs?

So the Central Bank of Ireland went and knocked together an ORSA Reporting tool for the less complex end of the Irish Insurance industry, specifically the "low" and "medium-low" rated insurers. And to think I have spent 4 years railing at the consultancy and supervisory industries for catering for the big boys, while ignoring the immaterial...

2014 FLAORs
- a serious affair
The tool was released back in July, and while it (intelligently?) copy-pastes EIOPA's guidance and dissects most of those words into a set of obvious questions, there are some aspects which are very revealing in respect of where supervisory expectations for 2014's ORSA reporting and process development efforts perhaps are at the less material end of the industry.

They have evidently taken the approach that most large programmes will have used over the last 3 years, namely to deconstruct paragraphs in Directive/Delegated Acts/EIOPA Guidelines in an Excel spreadsheet, and pose them as questions. Not every firm's budgets would have stretched to accommodate even that level of analysis though, so I'm sure the CBoI's efforts have been warmly received to date.

For example, the following elements are very shocking to me, given our proximity to go-live;
  • No compulsion for ORSA Policy (and therefore process) to be documented and Board-approved in 2014 (2.3 and 2.4)
  • No expectation that the 2014 version assesses one's ability to continue past the 1 year horizon (4.8)
These elements are perhaps revealing as to supervisory planning for 2015 and beyond;
  • Asking when the Board approved the results and conclusions - likely to be hunting for evidence in minutes (2.2)
  • Asking which personnel/units have been briefed as to the ORSA results - is there a feeling that outside of EXCOM and control functions, the reports won't see the light of day? (3.4)
  • Highlight what they are really interested in, in the context of "overall solvency needs" quantification - risk measure, confidence level and time horizon, which feels proportionately light in focus given the detail in Article 262 of the Delegated Acts (4.1).
Some good elements include;
  • Uses of ORSA in decision-making process listed in 1.1 - some are directly lifted from EIOPA, but couple of other examples may help focus the mind (I would add that setting "risk limits" feel sloppy, given the legislation uses "risk tolerance limits")
  • Ask for a table to be populated with quantitative results for each risk category, but don't prescribe the category names, rather provide the legislative categories as examples - this is how it should be, especially for the smaller firms. (4.2)
  • No expectation that the "medium or long-term" capital is calculated at this point - the column provided is marked *OPTIONAL* (4.2) 
Whilst the data gleaned from the template they have provided may be a bit cumbersome, fair to say that CBoI's efforts will be welcomed by both the qualifying firms (as a pro-forma) and the larger firms as an INED guide.

Friday 19 September 2014

FRC on Risk Management and Internal Control disclosure - insurers way ahead?

Muddy Waters
- public disclosure on Risk
The UK's Financial Reporting Council have released guidance on Risk Management, Internal Control and related reporting, just in time to help muddy the waters for UK insurers, who have no doubt finally got their risk, actuarial and compliance functions writing non-conflicting words with Solvency II preparation in mind!

Anyone who has written, peer-reviewed or socially read these sections of public reports (i.e. me, and any other geeks), will know they are normally;
  • Boiler-plate, and completely transferrable between industries, regardless of their disparate risk profiles
  • Aligned to the Strategy sections with a few anchor words, but otherwise divorced
  • Frequently unaligned with the ERM frameworks used internally - i.e. "this is what the City wants to read", not material on our actual risk profile!
Given that this is only guidance, and is further only directly relevant to LSE listed entities, readers may be inclined to take the content with a fistful of salt. There are a number of noteworthy aspects to this publication however which maybe show where the mindset of supervisory-types has got to in the eight or so years since the financial crisis commenced.

 I took the following general points from it;
  • Very little for listed insurers to be concerned about, if they have prepared adequately for ORSA and supervisory reporting (SFCR, RSR) - indeed, their reporting teams will be delighted with the amount of content crossover! Check out the (still not finalised) Delegated Acts of Solvency II in order to see why listed Insurers won't need to stretch to meet these.
  • Frequent references to "culture", as opposed to "risk culture". Checking the FSB's take on Risk Culture from April of this year, one can appreciate the FRC's desire to gemmy culture into these guidelines, if perhaps not the execution - one fears the "culture" words are likely to become a little weasely.
  • Multiple crossovers into ORSA language, in particular re-emphasising the importance of the alignment of risk management with business strategy.
  • Good work in section 4, bringing in the "IMMMR" concept from Solvency II, as well as assessment of current and emerging risks, and assessing exogenous and endogenous risks when doing so.
  • Recommend that risk assessments are performed at inherent and residual level, and that control effectiveness is also considered when arriving at one's final assessment
On the technical front, the following elements caught my eye
  • "Emerging principal risks" used as an expression - not sure if that stands up to scrutiny i.e. if something is emerging, can it be a "principal" anything? How would you measure it to gauge "principality"?
  • Reference to "high profile failures in risk management" in recent years, which feels a little finger-pointy - we could deconstruct every corporate failure to one of risk management failure
  • "Risk Appetite" put into inverted commas within the guidance, but not in the appendices - can't quite work out the aversion to definition given the FSB's work to date at the very least, but certainly EIOPA have similarly dodged it (p59), and looking at Appendix 1 of the Irish regulator's thought paper on Risk Appetite, one can see why!
  • "It is the role of management to implement and take day-to-day responsibility for board policies on risk management and internal control" - really? responsibility for their implementation, sure, but policy content?


Thursday 4 September 2014

Solvency II Delegated Acts - whenever, wherever...

No sign of the Solvency II Delegated Acts sign-off as yet. The mighty ECON committee of the European Parliament have just about got their feet under the table after May's elections (and June, July and August's European summer holidays!), but despite meeting on the 3rd and 4th Sept, they don't appear to have discussed or even listed the matter as work in progress.

Wouldn't have felt such a big deal, given Gideon's summary on the topic back in early August, but the Mr Claffey and Co. at Milliman appear to have picked up on a potential sore point for the unit-linked boys, which might jack-up the Operational Risk SCR for anyone in standard formula world (which would cover a good number of pure unit-linked businesses I expect).

I've had a look around for the July version of the Delegated Acts, but they have yet to be leaked* as publicly as the January version - I would recommend anyone in the unit linked world gives this a once over, particularly if you still pay fat commission cheques!





* How about I shut my mouth - not only has the wonderful Petter Svensson (Sweden's foremost independent consultant) made it available on his own site, the Romanian Regulator has done similarly. Fill your boots...