
Thursday, 28 November 2013

Accenture Insurance Sector research - Global Risk Management survey

Flood Risk?
A nice generic risk management benchmarking piece from the guys and girls at Accenture came out this week, and after I spent last week at the Leicester rugby game, I was happy to see another 15 "tigers", albeit this time scattered throughout the survey paper itself, presumably as a subtle metaphor for "death by tiger" risk...

It is made up of 98 C-suite respondents (nicely spread across disciplines), is Insurance sector-specific, and Global in coverage (one-third Europe, half N.America), so should be useful to any reader for trend-spotting and Board briefing.

From the document itself, I've pulled out the following;

Risk Governance
  • 98% have their "risk management owner" reporting to the CEO
  • 96% have a senior executive (regardless of title) as "risk management owner"
  • 80% have their "risk management owner" report regularly to the Board
  • 55% had a titled CRO
  • A number of those stats (whilst improved since their last survey) are a poor reflection on the Global insurance industry, but perhaps reflect where corporate culture is outside of the EU/US axis
  • Of the governance bodies, I was surprised to see only 60% of Life companies have an operational risk committee
Solvency II/Non EU equivalent legislation-specific
  • Over 80% of Life and P&C respondents seem happy that they are preparing well for their regulatory initiatives (Solvency II or local equivalent).
  • Other than Internal Model development, the main outstanding issues for Life insurers to be prepared for Solvency II/equivalent are IT architecture and Data Management/Integration. For P&C, documenting risk processes and developing a meaningful Use Test are also worrying at least half of respondents.
  • Issues such as training and education, risk culture and risk governance documentation are relatively low on the priority list.
  • Conversely, when asked on a 1-5 scale about specific areas of risk governance, respondents were more positive about their Data preparations than their risk governance - go figure!
  • Use Test preparation remains a laggard throughout.

Generic

  • Top external pressure was Legal risk, and by a good distance. Regulatory risks relatively low on the list, perhaps reflecting Europe's low weighting in the quantum surveyed.
  • Risk Management seemingly well integrated with strategic deployment, but not with product development or reward.
  • Poor statistics around embedding risk management into core functions.
  • Two thirds of Life respondents noting that a lack of "early warning capabilities" impedes emerging risk management.
  • Over half of Life companies said investment benefits ("above and beyond" continued compliance with regulations) would come from better reporting and better integration of Risk and Finance.
There is some of the softer stuff on aspirational elements of risk management thinking at the back, but if you just want to check against your peers, you can save that for a rainy day.


Wednesday, 20 November 2013

Financial Stability Board - Principles for an Effective Risk Appetite

Christmas has come early everyone - the Financial Stability Board have released their Principles for an Effective Risk Appetite Framework today, and I'm greedily ripping in to it before JC's birthday like a spoilt, yet handsome child...

FSB's RAF Principles published
send the car back lads...
There has been a reasonable amount of traffic on Risk Appetite this year (here, here and here for a start), and after the FSB announced their consultation earlier in the year, I've been on tenterhooks. This was following off the back of a thematic review on Risk Governance as a whole by the FSB, which they published back in February.

So where do they take this deep dive into Risk Appetite? Other than awkwardly shoehorning in the soupe du jour of "SIFIs", they stick to the hard areas which will get every risk practitioner's attention (namely, Risk Appetite Framework, Risk Appetite Statements, Risk Limits and Roles and Responsibilities), though "for clarity and simplicity", they jettison the use of Risk Tolerance. Definitions are supplied on p2-3, which you may find useful as anchor references.

They somehow make room for anodyne flannel in this very short document, for example;

Risk Appetite Frameworks
  • Should "facilitate embedding risk appetite into the financial institution’s risk culture"
  • Development and establishment is an "...iterative and evolutionary process that requires ongoing dialogue throughout the financial institution to attain buy-in across the organisation" (groan)
Risk Appetite Statements
  • "Risk appetite may not necessarily be expressed in a single document; however, the way it is expressed and the manner in which multiple documents form a “coherent whole” need to be carefully reviewed to ensure that the board obtains a holistic, but compact and easy to absorb, view of the financial institution’s risk appetite"
Risk Limits
  • "Having risk limits that are measurable can prevent a financial institution from unknowingly exceeding its risk capacity as market conditions change and be an effective defence against excessive risk-taking" - tell that to Lehmans!
However, the salient points for me were as follows;

Risk Appetite Frameworks

  • RAF "...sets the financial institution’s risk profile" - not convinced on that one, but may be a semantic issue
  • "explicitly defines the boundaries within which management is expected to operate when pursuing the institution’s business strategy"
  • Should "be adaptable to changing business and market conditions" to allow for limit increases where appropriate


Risk Appetite Statements

  • "[should] address the institution’s material risks under both normal and stressed market and macroeconomic conditions"
  • "...should establish quantitative measures of loss or negative outcomes that can be aggregated and disaggregated"
  • "...include key background information and assumptions"
  • "...include quantitative measures that can be translated into risk limits"
  • "...be forward looking and, where applicable, subject to scenario and stress testing"

Risk Limits

  • "[should] be set at a level to constrain risk-taking within risk appetite"
  • "...should not be strictly based on comparison to peers or default to regulatory limits"
  • "[should] not be overly complicated, ambiguous, or subjective"

Roles and Responsibilities

The Board

  • ...must establish the institution-wide RAF and approve the risk appetite statement, which is developed in collaboration with the chief executive officer (CEO), chief risk officer (CRO) and chief financial officer (CFO)
  • FSB specifically comment that Boards who "receive" or "note" Risk Appetite Statements have a lower understanding of risk appetite (so don't sponsor it!)
  • "[should] regularly review and monitor the actual risk profile and risk limits against the agreed levels (e.g. by business line, legal entity, product, risk category)", "including qualitative measures of conduct risk"
  • "[should] ensure risk management is supported by adequate and robust IT and MIS to enable identification, measurement, assessment and reporting of risk in a timely and accurate manner."
CEO should
  • "...be accountable, together with the CRO, CFO, and business lines for the integrity of the RAF"
  • "...ensure that the institution-wide risk appetite statement is implemented by senior management"
  • "...provide leadership in communicating risk appetite to internal and external stakeholders" 
  • "...establish a policy for notifying the board and the supervisor of serious breaches of risk limits and unexpected material risk exposures"

While there are specific sections for the obligations of CRO, CFO, Internal Audit and Business Unit Management, they don't necessarily expand much further than what I consider to be normal functional expectations, so I haven't elaborated on them.

One should certainly therefore expect a much more aggressive approach from supervisors in future off the back of this - combing through strategy and board papers for evidence of Risk Appetite in application, and making sure that Risk Appetite Statements are not just 'rubber stamped', for example.

I certainly don't see much in this for stakeholders. Nothing particularly new is brought to the table here, and if this is the result of peer review and shared experiences, then clearly there is concurrence on how an RAF should be constructed, what a RAS looks like, and who should do what in regard to continuous monitoring.

The skill will be for risk practitioners to convince their CEOs/NEDs that this is no longer a sidecar activity in the ERM best practice space, but a nascent global minimum standard which will invariably surface in national regulations in the forthcoming months and years.

Saturday, 10 August 2013

Moody's survey on Solvency II compliance preparedness - the chilly third pillar

So from what I can gather it has been a terrible week for the Girondins, with a freak hailstorm wreaking havoc in a thin strip along the vineyards of Bordeaux's Entre-deux-Mers appellation - my in-laws were seemingly spared further down the river, noting that it was merely "un peu froid".

On Ice - Solvency II programmes
and this year's white Bordeaux?
And speaking of a great deal of hard work getting aimlessly destroyed by an unpredictable European storm, Solvency II (do you see what I did there?) appears to have at least enough juice in the tank to have encouraged Moody's to survey practitioners on the preparedness of the industry to achieve compliance before the deadlines currently on everyone's lips (i.e. 2014-2015 for EIOPA Guidelines, 2016 for "go-live").

That survey is available here (short sign-up required, but worth it), with a very short summary here. The media have touched on the survey (here), but only seem to have read the summary, so I've picked through the whole shooting match to see what else was worth knowing.

The sample is small at 45 contributors, but they have all been interviewed one-on-one in Q4 2012/Q1 2013, so the responses are not too dated, particularly as many Solvency II programmes have been running on meagre rations since January of this year. Coverage of 12 EU countries is included in the 45 people, with a decent split of size and insurance type. Majority of respondents were CRO/equivalent, with a few accountants, actuaries and programme managers thrown in for good measure, and just over half are on Standard Formula.

Talking points for me were;

  • That 22% have frozen Pillar 3 activity, while 11% have frozen all Solvency II activity
  • Half are using Standard Formula to curb costs!
  • In addition to that, 20% say that the Use Test is a barrier to using models!
  • 27% are approaching Pillar 1 and Pillar 3 with a tick-box mentality (i.e. happy to use multiple manual processes/Excel-based tactical solutions to deliver the balance sheet and reporting template elements), while 44% have worked exclusively on Pillar 1 at the expense of Pillar 3
  • Solvency II project investment levels are "considerably more" in the UK and France compared to Germany - makes you wonder why they have such a long face!
  • 67% have increased their control function staffing by 10% or more - 31% have increased by 50% or more.
  • Only 7% note "capital reduction" as a perceived benefit of Solvency II, with 33% selecting improved capital planning (regardless of quantum) as a benefit.
  • Only 6.7% say they are receiving "high" levels of support from their national supervisory authority.

Seemingly the stats are a hostage to the sample - I'm sure the PRA would be apoplectic if this was the position of Insurers of Britain plc, but for me the big story is the indiscriminate swelling of Risk/control functions in smaller organisations that evidently are only ticking boxes. Feels a tad disingenuous to pump the staff numbers up to demonstrate compliance, but I suppose it's not me they need to satisfy!






Wednesday, 7 August 2013

Deloitte's 8th Global Risk Management Survey - cause for concern?

A survey from Deloitte has recently hit the news stands, namely the 8th edition of their Global Risk Management Survey - I thought I'd postpone my August holidays to pick through the bones of it (?).

The data was gleaned from an online survey they sent out to CRO/equivalents back in Sept-Dec 2012, so is a bit dusty, and there were 86 respondents, so a half-decent sample. It isn't dominated by a particular sector or continent (p7), but there are more conglomerate/bank-heavy respondents than pure insurers.

There is an infographic for those of a short attention span with a few headline numbers, but having sifted through the larger doc, I found the following elements worthy of note;

Boards, Committees and Risk Management
  • 80% of Boards are reviewing and approving Risk Management Policies/ERM Frameworks and Risk Appetite Statements. Bearing in mind the types of organisation in the sample, that is disappointingly low.
  • 25% don't review individual risk policies
  • 23% don't review strategy against risk profile
  • Almost half don't invite CRO to EXCOM meetings
  • Almost two-thirds delegate risk oversight to satellite committees (and two-thirds of those delegate to a Risk Committee)
  • Only half have their Risk Committee chaired by an INED.
  • Use of specific management risk committees for individual risk types tends to cluster around the 40-60% bracket (for example, 60% have an ERM committee, while 44% have an Op Risk Committee). Heavily weighted by organisation size i.e. larger ones tend to have them! 
  • Emerging risk reporting not supplied to 30% of Boards
  • Model validation results not supplied to 70% of Boards!
  • 66% (of insurance respondents) have their Boards responsible for reviewing economic capital results
CRO and Risk Management Function
  • 97% of large respondents have a CRO, 81% of smaller firms 
  • 88% using "3 Lines of Defence" (almost all of the larger respondents do)
  • 62% have an "ERM Programme"
  • 58% increasing risk management budgets (still!)
  • In the list of tasks currently performed by CROs, the fact that only 63% are involved in the approval of new business lines/products is pretty telling, and not in a good way.
Other control functions

  • Almost half of respondents said that Internal Audit and the ERM Framework do not use common risk categories and language.
  • 33% do not have an independent model validation 'function' (remember, the banks are in these stats as well!) - most of those who have made provision park it in the Risk Management function.

Risk management techniques

  • 90% using some form of stress testing in the business, with most saying the outputs are used in business planning, strategy setting and identifying risk tolerance. More than half however don't use the outputs in the allocation of capital to lines of business.
  • 74% have some type of Stress Testing policy
  • Over 20% either do not have a Risk Appetite Statement, or only have a quantitative one
  • Almost 70% still use regulatory capital as one of their quantitative measures in their Risk Appetite Statements
  • Risk limits tending to be set at enterprise level, as opposed to business or desk/subsidiary level - stats are a little murky due to the emphasis towards banking sector.
  • Model risk and Liquidity risk seem to be the risk types least factored in to companies' ERM programmes
Management of Key Risks
  • Full list on p24, with the percentage shown representing the number of respondents who thought their management of each risk was "extremely" or "very" effective - stand outs were that perceptions of the effectiveness of the management of Operational, Model, Outsourcing and Data risks appear to be much lower than one would hope, with Lapse risk management ranked unusually high.
  • Op Risk KRIs and Loss data only collected in 60% of respondents
  • Just over half are modelling Op Risk in some way - varying degrees of complexity experienced
  • Most are using stress testing and/or reserving to assess Insurance risk - over 40% not currently using EC, and over 50% not using VaR.

Risk and Reward

  • Almost 60% of remuneration schemes have no clawback provisions
  • Almost 70% of schemes do not align incentive payouts with the term exposure of the underlying risks

Solvency II-specific
  • 92% (of relevant responders) will focus resource on ORSA in next 12 months
  • 77% will focus resource on Data Quality in next 12 months
  • 69% will focus resource on Documentation and Reporting in next 12 months
  • Less than 25% rate their processes and systems for Data Governance extremely/very effective.
  • Declining trend of insurers who will be modelling economic capital (p19)
  • Only 80% actually calculate Economic Capital
  • Some very grim stats on p21 covering which risk types are modelled for EC purposes (underwriting risks seemingly very low on the list)
There are a number of areas touched on here which fall short of pending (or indeed actual) national/international regulations and codes, never mind "best practice". Perhaps we can account for the innate conservatism of CROs in their responses, and assume things aren't quite as bad as they have self-assessed here?

Friday, 2 August 2013

Central Bank of Ireland - Corporate Governance Code refresh

The Irish approach to corporate governance in financial services, at least up until the onset of the financial crisis in 2006/07, resembled something of an all-you-can-grasp buffet for a select number of executive golf club pals and octogenarian ex-politico Non-Executive Directors (NEDs), having their voting arms operated a la Weekend at Bernie's.

Ireland pre-2007 - Waking NED?
The new FSA-flavoured approach brought in by Matthew Elderfield in 2009 (elaborated on here), fortified by the findings of a devastating 2011 report summarising the truly horrid governance practices in the Irish banking industry, has led to a change of regulatory tack at the Central Bank of Ireland that represents the biggest volte-face in Europe since the Macarena.

Alongside PRISM, a piece of revolutionary work in the assessment of financial institutions by supervisory bodies, the CBoI also made substantial changes in areas such as Annual Compliance Statements, Fitness and Probity of directors, and Risk Appetite Statements.

All of this ran off the back of Mr Elderfield's first major gig in 2010, a full revamp of the Corporate Governance Code, which could hitch a ride off the back of the work of the FSA and CEIOPS (at the time!) and deliver a more substantial suite of obligations to a cabal of directors who, after feasting on carrots for years, desperately needed the stick.

This makes the release of yesterday's consultation on the Corporate Governance code a touch baffling, as the ink is barely dry on 2010's effort - it perhaps reflects that the regulator has reached optimum staffing levels if they can review it so regularly! Having said that, the level of divergence from accepted CG practices in the UK was flagged by Grant Thornton back in 2011 as being substantial, so a point-in-time revamp should not be so unwelcome, regardless of the proximity to the last one, and of course, all of this activity was too late to prevent Quinn Insurance from going down.

They emphasise that this review takes into account developments in the Solvency II space, as well as on-the-ground experience and publications from other parties of interest. Of particular note was their emphasis that, where national regulations are not as stringent as relevant EU or international ones (or indeed vice versa?), the most onerous one should be complied with. In a number of instances around corporate governance, this will mean the CBoI outranking Solvency II as the more onerous of the two!

While these are proposals rather than stitched-on changes at this point, the CBoI doesn't have a great track record for backtracking these days. Highlights for me were;

Risk Committees

  • Require a majority of NEDs on Risk Committees, and must be chaired by a NED
Committees in general
  • Require the Risk Committee and Audit Committee chairs to sit on each other's committees
  • Require the Remuneration Committee chair to sit on the Risk Committee
  • In High Impact firms, the Risk Committee and Audit Committee Chair may not be the same person
  • Must be at least 3 members of Risk Committees and Audit Committees
Chief Risk Officers
  • They note that it is "Generally accepted best practice" to have a CRO who, amongst other tasks, is charged with "...facilitating risk appetite setting by the Board". In addition;
  • All "High Impact" firms will be required to appoint a specialist CRO
  • Firms with a lower PRISM rating may have a CRO who is shared with another control function, "...provided that there is no conflict of interest between the two roles". Can't help but feel that this might rule out CRO/Chief Actuary dual roles, but allows for CRO/Head of Compliance and CRO/Head of Internal Audit, which would be to the chagrin of the Society of Actuaries in Ireland!
  • CRO to have direct access to the Chairman of the Board
Board Meeting frequency
  • Seem to acknowledge that the compulsory 11 meetings per year for High Impact firms may be a touch much, so are looking for comments
  • Also acknowledge that compulsory 1 meeting per calendar quarter is a bit constrictive for the smaller firms, so may relieve this to be pragmatic
Chairman and CEO
  • Some of the restrictions around number of roles held at any one time to be relieved for smaller firms, but seemingly only to populate inter-Group roles.
Board Diversity
  • Acknowledges that, while the debate in the EU is gender-centric, diversity of all types is a worthy target for Boards, but falls short of compelling firms to do anything at national level, choosing to seek comments and wait for the supra-national activity to drive any compulsion. This seems to fit with the thinking of Irish directors published back in 2011 i.e. no "Golden Skirt" quotas.
Random
  • "...appropriate Risk Culture" makes its way in (6.3), perhaps cognisant of the FSB's proposals
  • Built in a piece which allows for video-conferencing rather than physical attendance at meetings (7.5)
  • Board responsibilities updated (13.1)
  • Compulsory Board skills matrix (14.9)

Wednesday, 20 March 2013

Reactions magazine - CRO Risk Forum - Solvency II and ERM opinion

I covered the last one of these releases from Reactions magazine this time last year on the basis that it had some good all round coverage of ERM and Solvency II from Europe's highest profile risk executives, and again they haven't disappointed.

This recent release again has a veritable Who's Who of European CROs providing their take on a range of matters, so is definitely worth your time. It covers most of today's hot topics, including SIFIs, ERM, Solvency II, ORSA (in US), Internal Modelling and Emerging Risk.

I've taken the following from it;

Hannover Re CRO
  • "...experiencing increasing requirements for internal model approval" - strange one this, as they have already converted to a Societas Europaea, potentially driven by a wish to escape a more onerous challenge in this respect from Bafin and the FSA - doesn't therefore sound like that tactic is of much use!
  • Their internal model is currently S&P ECM III-approved - detail on the significance of that available here for those not familiar with their methodology etc, but of course a positive review of an ECM will impact both S&P's assessment of a company's ERM framework, as well as the amount of capital required to sustain a particular rating.
  • The CRO uses the cost of the Risk Function against the capital savings from an approved model as a demonstration of the function's value - in the absence of a range of alternatives, I guess it's worth a shot.
  • As CRO, has a veto of decision making at executive committee level
  • Comments in a rather peeved manner that current draft Level 3 proposals insist upon separately staffed and operationally independent compliance, risk and actuarial functions (they appear to have everything balled up into a second line of defence 'risk control unit') - bit confused by this, but I'm guessing he has seen something behind closed doors, and rightly doesn't appreciate EIOPA determining how a company should be departmentally structured.
SCOR CRO
  • The financial crisis "...has shown that the diversification of financial risks disappears in extreme situations"
Kiln CRO
  • "Every generation of activity since [Level 1] has produced ever increasing requirements for documentation"
  • "We are wallowing in paperwork"
  • As with Hannover Re, they cite S&P internal model approval positively against the developing EIOPA/national requirements - only 40 pages required to evidence a standard sufficient for S&P 'model approval'
  • They differentiate between Strategic Risk and Emerging Risk, with the latter seen positively as product development opportunities.


Wednesday, 13 March 2013

AKG - Solvency II perspectives from the financial advisory industry

In the absence of materials pointed towards the sector, AKG have released a Solvency II guide for financial advisers (sign-up required, but worth it), which provides a refreshing angle change from the usual bureaucrats vs lobbyists vs politicians chatter flooding the trade presses.

Solvency II and RDR -
"mess with me, you mess
with my whole family"
While Solvency II was clearly De Vito to RDR's Schwarzenegger over the last year and a half for the financial advisory industry (indeed all bar one of those surveyed by AKG's pollsters had been concentrating "exclusively" on RDR), there was at least some familiarity with the impact on product availability from the current impasse - Protection and Annuity rates, With Profits availability and Guarantee costs are all on the industry's radar.

While there were a couple of faux pas in the document (the official timeline is certainly not "established and managed by EIOPA", and as the world and her husband will tell you, the ORSA is not an annual report!), the document helps understand the concerns and needs of the distribution world at this uncertain time. I picked out the following;

  • That CROs will be more concerned about risks posed by external distributors and advisors in future
  • That advisers will likewise need assurance on product supplier risks, and that provider and product ratings from external sources "...will be crucial components in gaining this reassurance"
  • That the alignment of capital and risk "...will undoubtedly drive capital light products in future"
  • That the mainstream press hasn't yet "gone big" on Solvency II, but that advisers may get caught out when they do
  • That the advisory industry wants "...a guide [to Solvency II] to explain in an easy-to-understand, jargon-free manner" - over to you FCA!
  • There are concerns around the quantum and familiarity of products/providers once Solvency II goes live and we see new market entrants/consolidation
They conclude that "advisers should not panic about Solvency II and its implications". That has a whiff of Chamberlain about it to say the least, but the "panic" would be about convincing punters to pay more for guarantees or share the risks in insurance products in the near future, as opposed to the solvency adequacy of the providers themselves.

Wednesday, 27 February 2013

Lloyd's - cognition and how human factors affect risk perception

While the Solvency II world will be as grateful for as they are familiar with Lloyd's of London's work in the Sol II sphere, they pushed out an intriguing paper for all risk practitioners this week around cognition, the impact of human behaviour, and our interaction with models when identifying and assessing risks.

This is a piece of academic research very much needed at this point in time, where the regulatory obligations around internal model challenge have yet to formally land, let alone be adequately road-tested, while at the same time the UK is continuing with its ICAS+ regime, where entrants will no doubt receive running commentary on their progress in upscaling both assumption/parameter challenge as well as model use.

Anyone involved in the 200-ish pre-applications for internal model use prior to Solvency II go-live in Europe would therefore benefit from a read of this, particularly if you are on the validation-side. I picked out the following;

Fundamentals which impact on modelling choices (data sets, interpolation/extrapolation, correlations, tail dependencies etc)

  • "We are not equally aware of all risks...people make decisions based on a subset of the available evidence"
  • "Expectations are strongly influenced by personal experience and current events"
  • Tendency to "...lose sight of infrequent losses" in the face of more frequent visible events
  • Tendency to procrastinate around risks which are difficult to assess
  • "Some may query the relevance of human factors, given the prevalence of quantitative risk models - the suggestion being modelling rules out biases"
Risk appetite
  • "Low risk appetite can increase false alarms, and a high risk appetite increases misses"
  • "The greater risk appetite of powerful individuals can stem from a tendency to focus more on rewards and successes, while people who are lacking in power are often more cautious and attentive to threats and potential obstacles" - is it this dichotomy which makes the role of the CRO ultimus inter pares in the boardroom?
Aide-memoire lists for risk practitioners
  • How to counteract risk perceptions - p11
  • Separating risk perceptions from immediate context - p13
  • Awareness of bias linked to power - p16
  • Risks in perspective - p20
  • Behavioural principles which can create added value - p22

Wednesday, 20 February 2013

Protiviti - top risks for 2013

Nice piece of 'top risks' benchmarking for practitioners was pushed out this week by Protiviti - heavily US-centric, cross-industry (around 25% financial services, but all respondents are C-suite types), and the 'risks' are provided as a selection of 20 pre-written items, but the work has still got some mileage, even if I am far from convinced by the early statement that "...the first question an organisation seeks to answer in risk management is 'what are our most critical risks'" with no reference to their strategic objectives!

Let's take that as an editorial oversight, and pick through the highlights;
  • Unsurprisingly, economic conditions and regulatory change/scrutiny are top of the financial services hitlist of 'top risks' (and indeed other industries)
  • CROs and Chief Audit Executives were less likely to rate a risk "less significant" than their first-line counterparts - nest feathering or legitimate conservatism?
  • Financial services considerably more likely to deploy additional resource to enhance risk management capabilities in the next year
There is also a "suggested questions for Boards" list at the back, which covers (albeit in a rather flannel-y fashion) the kind of items which emerged in the FSB's risk governance recommendations from earlier in the week, such as;
  • Is the Board sufficiently involved in/informed of the risk assessment process regarding the implementation of strategy (mergers & acquisitions, new lines etc)?
  • Is the MI around the Risk Profile sufficient?
  • Is there an existing emerging risk management process?
  • Is the risk profile consistent with risk appetite?
A decent piece to run through your NEDs at the very worst, and potentially of some use for your emerging risk/reverse stress testing activities for 2013.

Tuesday, 30 October 2012

Aon Benfield's CRO guide to Solvency II - in case you're not ready yet...

For all those CROs who are about to get left holding the Solvency II baby three years early by their over-enthusiastic executive colleagues, Aon Benfield pulled together a CRO guide to Solvency II which aims to take the journey "from complexity to best practice". 10 out of 10 for ambition...

It leans heavily towards General Insurers/Reinsurers (indeed it reads like a reinsurance sales brochure in many parts!), but nevertheless contains a suite of very useful content for anyone in the Risk space, as well as attempting to shatter a few myths. I took the following from it;
  • Steady early bits on capital planning and common questions a CRO should be posing in that space
  • On page 5, an excellent table comparing standard formula against internal modelling by risk driver, in particular emphasising why internal modelling may be more appropriate, rather than how much capital it could shave off. Being able to explain to the national regulator why one has neglected to apply the enhancements that internal modelling introduces to the accuracy of one's quantitative risk profile would be a smart thing for CROs to practice!
  • They undo some of that noble work by suggesting part of any IM feasibility study should include estimating the capital benefits!
  • Nice examples at the top of p6 of what mixes of business lend themselves to benefitting from an IM approach
  • Highlighting that domicile of firm continues to dictate feasibility of IMs for smaller firms (i.e some countries can't staff it!).
  • Recommend reviewing SF SCR factoring in the draft L2 asap. As was clear from the E&Y research I covered yesterday, many firms across the EU consider themselves to be advanced in the Pillar 1 space while disregarding draft L2. They highlight the Swiss experience as one where they struggled to authorise models for "Day 1" approval, and the Aon crowd propose some meaningful contingencies on p8
  • Useful analysis of capital drivers and optimisation strategies (p9-10)
  • Section on expert judgement validation (p15), touching on the Level 3 expectations, and in particular how a (non-Actuarial) CRO may struggle to adequately challenge certain judgement calls, such as selected data series or correlation matrices, without specialist advice. Very hard for smaller firms to obtain that, as most of their actuarial function will have probably contributed to the judgement!
  • Note that one of the key challenges for documenting the IM is getting the best-placed people (who are normally swimming in BAU) to pick up a pen and write!
  • Neat section on ORSA (p27-29), emphasising that SF firms with complex risk profiles may find they struggle to justify that approach when concluding the assessment. They go on to suggest that early experiences of ORSA Report/process documentation submissions have left CROs feeling that the regulatory approach is (Level 3?) tickbox as to content expectations.
  • Key challenges for CRO in briefing and educating senior colleagues for Solvency II-readiness are all fair, in particular the gap that could emerge if a CRO is not also an executive member.
  • The section on Risk Appetite is particularly useful for smaller non-IMAP firms, who may struggle to quantify their target measures - whether using Standard Deviations/volatility measures as suggested is a touch too simple depends on the business I guess.
  • The Pillar 3 section hits on the same issues I (and the FSA!) have picked up on earlier, such as end-user computing, inability to transition to BAU, data ownership issues etc.
I did take exception to a couple of bits in here, where the industry or indeed common sense appears to suggest otherwise;
  • The "fallacy" outlined on p5 that an IM enables a firm to hold less capital than an SF equivalent. The research I pointed to yesterday (p20) suggests across the EU that modellers are already "making it rain" with their capital savings
  • That the IM alternative for Op Risk is based on ORIC and individual loss event info. I'd certainly seen Milliman suggest that this approach is as flimsy as the SF approach, recommending options such as Bayesian networks to generate IM inputs.
  • Concerns that evidencing senior management model "use" could create a "value-destroying documentation burden". Is that what we call "minutes" these days!
  • Comments around the documentation delivery for the Internal Model Application Process becoming detached from the underlying processes referenced in those docs influencing BAU value-adding activity are perfectly valid, but no real solution is proposed.
  • The operation of the Model Change Policy features heavily (p19-21), as anyone in that space would expect. Again, little offered in the way of solutions, but I certainly would have expected more discussion on the "scope" of the model, which in my experience is a solid, liquid or gas depending on which control function you speak to, and I'm sure the FSA would agree!
PS All the best to you guys on the US East Coast, let's hope the worst has passed...

Monday, 20 August 2012

Deloitte and Forbes - the new world of Risk Management

This Deloitte/Forbes paper is sub-titled "Aftershock", which makes anyone of my age immediately recoil at the thought of the world's most repulsive bar shooter - it is in fact a pretty decent stab at running on from the kinds of financial services-specific research which came off the back of the 2006-2008 mega-turbulence (these were mostly titled "We've broken the World, what are we going to do" :-( )

At 192 respondents it is a decent sample size, though is US-centric and non-Finance organisations, so not a great all-rounder for you global readers. However, the central message that risk management programmes and frameworks remain in a state of flux (hence the aftershock motif) is a worrying one when one examines the stats behind it:
  • 91% are reorganising and reprioritising approach to risk management in next 3 years, citing continued market volatility.
  • Only 37% had plans to provide additional training in that respect
  • Centralisation cited as more efficient way of bubbling risks to the top - interested to know if that is everyone's experience?
  • Around 50% retain primary responsibility for the "risk management approach" with CEO or CFO, with the CRO in third at 20% - should we be expecting that percentage to be moving up or down at this juncture (in particular, does a CRO need a seat at the top table to be responsible for ERM approach?).
  • Example cited of ERM being managed in the corporate strategy department, which I thought was an interesting development.
  • Biggest challenges included; 26% stating that incentives are not rewarding 'risk based decisions'; 22% struggling with the misalignment of the business operating model and the ERM model, and 23% suffering a lack of information to make risk based decisions. These three (there are of course more in the list!) struck me as common issues when preparing for Solvency II, so handy stats in that respect.
  • Staggeringly, Social Media is equal fourth on the list of "most important risk sources over the next 5 years" - equal with Financial Risk! Not to underplay the emergence of social media and its multiplier effect on reputational risk, but seriously?
  • Most "risk types" are monitored either periodically or continuously, though strategic and reputational risks seem to be most likely to be measured on an ad-hoc basis (something which you ORSA consultants out there will sympathise with!)
     
I say "worrying" at the top here from a professional perspective - is it reasonable after events as seismic as those experienced in the last 5 years for the risk profession to still be sliding in a mass of new parts into the ERM machine, as opposed to tinkering under the bonnet?

Bearing in mind this doesn't include the financial services industry, maybe the timelag is rational, as the other industries have had plenty of time to learn what not to do!

Saturday, 31 March 2012

InsuranceERM's Roundtable on Solvency II - extracting value and meeting challenges

InsuranceERM have kindly taken their pay barrier off the outputs of the Roundtable they hosted with Deloitte, bringing some of the talking heads we know and love and discussing the challenges of Solvency II, as well as the struggle to extract value from the project.

I thought the following was worthy of comment (too much effort to attribute to each commentator, so read the article if something tickles your fancy!);

From the value section;
  • Suggestion that small/medium sized insurers required "education" on risk management to attain the awareness and levels of larger firms (patronising but fair?)
  • Comment that "documentation probably isn't as good as it should be" - the FSA would certainly concur, based on their speech last month, and indeed the deal they cut with Lloyds last week.
  • All references to ORSA centre on the ORSA Report/"Record of the ORSA Process", rather than the process itself. This is very natural (I fight it on a daily basis), but if it is a continuous assessment process, then we must redouble our efforts to talk of it as such, and not as a reporting process.
  • Strange comment that non-executive directors feel they are being asked to do too much ("act like executive directors"). Appreciating this is a once-in a career suite of legislative activity, it's not that bad for a few days work, get on with it!
  • Big statement made about Boards having internal model knowledge "before Solvency II came in" - I suspect the depth and breadth of what the Board needs to know about their models will be one of the hardest knowledge gaps to bridge for the 70-odd model applicants, so surprised to hear someone so dismissive.
  • On Risk Appetite, a comment that ORSA is "forcing boards to actually reflect and achieve consensus around risk appetite" (which I would be mortified if Boards didn't already do), followed by a mention of monitoring "unused risk-bearing capacity" in one's risk profile, which I really like.
  • One guy notes that UK capital requirements are not driven by regulatory capital, but rather ratings agency capital (or economic capital/overall solvency needs by another name) - while it's a big statement, it is probably fair, bearing in mind where the big boys have calibrated their EC measures (all at or around AA - coincidence?).
  • Quite a disappointing section on diversification benefits, which pretty much touched on M&A, and not much else
From the challenges section;
  • Beautifully timetabled comment regarding the FSA and Lloyds "not delaying their timetables" - obviously didn't get the inside track on that one!
  • One personal concern tabled that "given the level of resources in the FSA, the tier-one approval process may well drag out longer" - obviously DID get the inside track!
  • "Many UK firms are targeting IMAP in the fourth quarter of this year" - so now we know?
  • Guarded comment about regulators needing to be open and honest "about the basis and whether reliefs and concessions are going to be extended" regarding IMAP.
  • Good comment regarding contingency plans for failed model applications - "capital loadings will come into play, rather than having to revert back to a standard formula", which is easy to forget when constructing said plans
  • Another less well trodden discussion regarding the FSA compelling an organisation without resource to use an internal model - not certain of likelihood, but always good to be reminded of the Standard Formula not being a safety blanket in that respect.
  • Nice piece on difficulties for groups, with "parents and subsidiaries running at different speeds depending on where they are located", followed on by regulatory arbitrage comment - is the FSA effective enough to coax the less well armed regulators to work at their speed?
  • One commentator with a US presence noted he is participating in lobbying the NAIC on ORSA and its value (it would certainly help the equivalence argument no end if they could get that one to stick, and it's already going well).
  • Ends with one of my pet peeves, the CRO/Actuary debate - one commentator nails it with the CROs needing to be "broad-based business leaders with a high level of financial literacy", as opposed to an actuary, while another commends the "wave" of actuarial CROs, but is generous enough to say he can see it "broadening out a little bit" - thanks pal!

IRM Solvency II Special Interest Group - making Risk Function more relevant

The IRM guys always put on a good show with their Special Interest Group activity for Solvency II, which generally has relevance outside of the Insurance industry. Couple of interesting subject matters for the last two, my notes below.

Developing the Risk Function to be Board-relevant (under Solvency II) - international flavour in presenters, so bear that in mind when you look at the slides!
  • Jose Morago presentation - Aviva's EU Risk Director has a nice slide on educating and supporting the Board on risk responsibilities, but on the Risk function's "four distinct personalities", I would disagree that the function "leads the optimisation of the insurer's risk/capitalisation profile" (advises, certainly, but leads?). The personalities seem to be light on review and challenge activity as well, and there is a fair amount of risk jargon, which Boards are never keen on in my experience.
  • Kendra Felisky presentation - While Jose went with Risk function as "Officer, Business Leader, Teacher and Advisor", Kendra has the second line of defence as "Assess, Monitor, Support and Challenge", which I concur with, and goes on to comment that "Our job is to enable the Board to do their job", which I would also subscribe to. She has a rather dated slide showing what the Risk function was compared to what it is/needs to be (you'd need a time machine to remember the 'old' Risk function!), and a good slide on levels of participation in risk management, and MI requirements. The slide on how to talk to the Board recommends 'no jargon' (which cuts across Jose's terminology a bit!), and the section on Key Risk reporting seems to be focused on risk mitigation and elimination, rather than optimisation.
  • Pierre-Andre Camps presentation - Feels like a lot is lost in translation on these slides, so have a leaf through, but don't hang your hat on anything.
Survey findings on making the Risk function Board relevant (35 participants, so small sample)
  • Only half have their CRO communicating directly with the Board on risk matters - surely explains the necessity of this event!
  • Horrifically, almost half said risk papers are "noted with a short discussion" at Boards - is the problem that all papers are not 'risk papers', hence it can be siloed as a talking point?
  • Half said the process of implementing Solvency II affects their ability to become relevant to the Board - that is definitely a bad development all round
  • Three-quarters said there is no action plan or training programme to aid the Risk function in communicating and presenting to Boards.
  • A third of attendees report to a CRO, while a quarter report to a CEO (I find that instinctively high)
  • Not surprised by smattering of risks not covered by the attendees' functions - smaller companies are unlikely to cover financial and non-financial categories, and the categories with least coverage tend to lean towards having expert ownership and established controls (ALM in particular).
  • Over half felt they had overlap with either Actuarial or Compliance
  • A worrying number are not directly delivering testing and validation of the internal model. Understandable on the design/implementation/documentation front, but surely testing and validation?

Thursday, 1 December 2011

Should the CRO carry the can?

Normally after a high profile operational risk materialises, the end cost normally determines how high up the food chain the sackings go, but they generally would stay in the first line of defence.

This one therefore stood out for me as a bit of an outlier. I'm all for individual and collective responsibility, and would personally have fallen on my sword if I was within a square mile of this abomination regardless of my job spec. However, is it correct to dismiss the CRO because of an internal control failing (albeit a whopper!)?

Friday, 25 November 2011

CERA and the challenge to the Risk Profession

Very reassuring article in the Actuary magazine regarding one aspect of the inevitable land grab between risk and actuarial professionals (which I have blogged on several times), this one covering the thoughts of a few CERA students as to whether this qualification was likely to enhance their career prospects.

Judging by the responses of those students likely to be CERA-qualified in the near future, I suspect that the Risk profession will still be gainfully employed for some years to come - particularly liked the response about selling the qualification in one sentence "It counts as verifiable CPD!"

PS The score on CRO hires moved to 4-0 to the Actuaries this month with Aviva UK's new guy - however, the hunter has become the hunted, with the new top man at the Institute and Faculty of Actuaries being a chartered accountant!

Wednesday, 23 November 2011

CFOs, CROs, conflicting messages and strategy - FERMA paper

A couple of pieces of work caught my eye this week on the subject of risk leadership and participation in strategy, with a distinctly financial twist.

The first, a joint effort between FERMA and Finance Director Europe covers a number of themes leading on from FERMA's conference a month back. Some of this report seemed to fly in the face of best practice ERM (for example, broader strategic ERM has evolved through executives realising they need to manage downside risk better? Does it perhaps represent a little more than that in 2011?).

A FERMA board member is cited as believing risk should be "supporting strategy development" rather than participating (which would leave a CRO where exactly?). The next article indeed directly contradicts this view, quoting a risk executive who actively participated in the GRC strategy formulation for his firm, followed swiftly by the AIRMIC/Cass Business School research which bemoans the 'glass ceiling' which prevents risk managers addressing issues in a company's top echelons!

That article also has the UK "...leading the way in enterprise risk management and corporate governance" (I would probably go US and Ireland respectively with a 2011/12 hat on).

The VP of FERMA is then quoted in day-job mode noting "risk management...is partly about comforting non-executive directors so that they are less risk-averse" - personally I like a bit of conservatism in my NEDs, and I wouldn't like to think I am employed to teach them how to gamble! This is accompanied by the CFO of the same firm noting "the CFO and CRO may have natural conflict, the former driving growth and the latter controlling risk" - again, are Risk, as the second line of defence, really there to 'control' risk?

Finally, the CFO at Old Mutual is quoted as suggesting the complexity of proposed EU regulation (citing Solvency II specifically) might be contributing to elements of risk it is supposed to be preventing.

Monday, 17 October 2011

Solvency II and CRO jobs - speech from president elect of the Institute and Faculty of Actuaries

Some very intriguing words spoken by the incoming president of the IFA regarding the challenges and opportunities for the Actuarial profession in Asia (summarised at the Actuary Magazine). As you know I keep a watching brief on the likely collision at C-suite level between the Risk and Actuarial professions, and so I pulled the following out from the "opportunities" themes in Mr Scott's speech. They were;
  • The skills of actuaries helped keep the insurance industry out of the headlines during the "enormous economic storms" (pulling a rabbit out of an empty hat for an encore I guess...)
  • Acknowledges that Solvency II does not require an actuarial function to be run by an actuary
  • "...Many [actuaries] will expect to be able to find employment in the risk function"
  • Lines up a few soft skills which will need to be enhanced in this regard (improved comms and decision making understanding, as well as "becoming more risk focused")
  • Skills from the CERA qualification "should open up a whole range of career opportunities for those who take up the challenge"
  • Looking to define (with CERA) "the distinctive contribution that actuaries provide as practical, mathematically skilled, rigorous and regulated risk professionals"
I guess it is the last statement that would perhaps put one or two IRM/FERMA/GARP noses out of joint* - is the Risk profession itself so disregarded that the Actuarial profession can usurp the established offerings with CERA?

* I say this somewhat reluctantly as someone who, thanks to a rugby player's errant knee, literally has his nose out of joint currently!

Tuesday, 4 October 2011

CRO to CEO - what's your skillset?

As flagged on the Reputability blog, Allianz Re have recently promoted their Chief Risk Officer to the top job. Fantastic news for those super-ambitious in the function, and tacit recognition perhaps that the balanced skillset of the latter day CRO is coming to the boil nicely. You will notice that the blogger doesn't subscribe to CRO-to-CEO promotion, seeing the role as a destination, not a hub.

As an avid follower of activity on the CRO front (in particular the sustained attack on the role from the Actuarial profession as an alternative avenue to the C-suite), I was delighted to see that his background was...errr...Actuarial! To all you "Riskies" reading, please see the earlier comments from the FERMA VP on upskilling...

A nice translated piece was published by Clifford Chance regarding CROs in the EU (specifically with Germany in mind) - covers the EC green paper angles on risk governance and risk executives, as well as correctly highlighting that "Solvency II is a key ally in institutionalising the new role of the CRO"

Thursday, 29 September 2011

CROs and the Society of Actuaries in Ireland - from the President's mouth

A subject very dear to my heart (from a self preservation perspective more than anything!) was the subject of additional comment from the President of the Society of Actuaries in Ireland when giving the president's address for 2011.

Whilst he naturally states (p8) that the head of the actuarial function roles will be the preserve of the current holders of appointed/signing actuary roles, and that "any other outcome would be bizarre", he then goes on to talk of the "big Solvency II prize for us as a profession" of leadership of the risk management function, which anecdotal evidence suggests is a role favouring the actuarial profession ahead of other disciplines.

Of course while I would love to counter the argument with the Institute of Risk Management's suite of arguments in favour of the risk management profession (blogged on extensively already), I then found that the latest CRO hire was of course an actuary (making the score 3-0 to the actuaries since I started keeping it)!

Time to step up our game 'Riskies'...

Friday, 16 September 2011

Active Risk - 'What makes a great Risk Manager' results...

I participated in a survey a little while back about "what makes a great risk manager" which involved looking at personality traits, and the guys at Active Risk posted the results today.

While I was hoping the results would look like my CV (!), there were some interesting findings from the 200-ish sample;
  • Categorises risk managers into Traditionalists (from the 'department who likes to say no'!), Drivers (who are pragmatic and impatient) and Evangelists (who have the CRO style, without necessarily the substance). The split of respondents was 60/10/30 respectively. The obvious thought for me was that this was the perfect ratio of the three skillsets to arrive at a quality Chief Risk Officer, and the conclusions touch on this throughout.
  • Suggests traditionalists may be holding their companies back due to presentational shortcomings (probably fair), while Drivers should understand their impatience can come over as aggression and Evangelists should wind back on what I like to call 'risk rabbit' (where throwing terminology left and right leaves the consumer disinterested or confused).
Should certainly be of interest to my friends at Clarity Resourcing, as these kinds of considerations cross over most industries when fishing for risk talent - I hasten to add that I can't immediately recall what I was classed as!

Late post-script - found my personalised report, and I was down as a "reactive extrovert" - I'll settle for that!