Showing posts with label Deloitte. Show all posts

Monday, 9 September 2013

Deloitte on 'regulatory uncertainty in Europe' - embedding a new modus operandi (?)

In a wonderful example of predicting the present, Deloitte have released a white paper (sign-up required) giving their take on regulatory uncertainty in the European insurance industry, and how the volume of new regulations (and their inability to land on time) is driving emerging best practices in the consideration of regulatory risk at Board level.

New Modus Operandi - alloy wheels optional?
Of course, it is always best to wait for such matters to emerge before proselytising, and the current cup of omni-postponed over-elaborate regulations is running over (Sol II, IFRS 4 Phase II, FATCA, etc), naturally causing difficulties for all those responsible for preparing for them, as well as the execs who take the topics into the boardroom every quarter, only to say "it's been delayed again, can I have more money"...

From my perspective, it was particularly interesting to see that proactivity is recommended regardless of nature/scale/complexity, bearing in mind the first time I spoke to a Board of Directors at a tiny insurer regarding Solvency II preparations was in 2009 - only consultants could comfortably suggest that a new executive-level role is established, and Board agenda time is regularly set aside, only to explain the latest delays in multi-jurisdictional regulations (I certainly know what my old CEO would have said to that!)

That aside, they suggest that two major problems need to be overcome; that few insurers have a single view of regulatory risk; and that regulatory insight is poorly represented in the strategic workings of insurers, both of which are easy to agree with purely on circumstantial evidence.

Whilst this frequently reads like a paper written to justify bringing consultants in to compensate for failings in risk and compliance professionals' armoury, Deloitte make the following noteworthy assertions/recommendations in it;

Trends

  • That most insurers prefer to 'wait and see' rather than be 'first mover' when it comes to regulatory preparations - after the Solvency II experience, does that surprise anyone?
  • That "...Deloitte's view is that regulation can be regarded as a 'structural' driver of the insurance industry"
  • That "...Deloitte's considers a regulatory dividend can and should be sought", which is not necessarily my experience of consultancies when on site, who (presumably for legal reasons) prefer to promote a gold-plated compliance approach to regulation-driven projects.
  • Cost of compliance is now materially diluting return on equity in EU insurers
  • That Conduct Risk is likely to become high profile across Europe over a longer period of time than its current flavour of the month feel, thanks to IMD2/PRIPS/MIFID
  • National regulators are increasingly impeding on day-to-day running - examples given (all of which have a whiff of IMAP requirements about them), include documentation improvements and influencing risk appetite/capital allocation work.
Costs and volume

  • Regulation prep cost the European insurance industry €4.2-€4.7bn in 2012 - they go on to expand that to €8.1-€9.2bn over the last 3 years.
  • UK industry will be subject to 29 new pieces of legislation over the next 5 years (surprisingly lower than the French at 35, and the Germans at 32!)
  • That the "cost of doing nothing" while waiting for regulatory clarity may be significant - as significant as consultancy spend preparing for something which never arrives perhaps?
  • That compliance functions are naturally struggling to cope with the current volume of initiatives
Solvency II-specific
  • They extrapolate an estimated €550m cost of Solvency II compliance preparations in 2012 into a €1.5bn-€1.8bn 'top 40 insurers' number, and a €2.4-€2.9bn figure for the whole industry - feels a bit light, bearing in mind 'UK plc' must have done the best part of £1bn on Solvency II alone in 2012.
  • They quote one strategy director as saying that "Solvency II is killing European M&A..." - p10
Their recommendations (from p19) are too woolly in aggregate to help a normal practitioner - they are probably targeted more towards programme directors and managers - but the recommendation to establish a Regulatory Assessment and Response Executive with a suitable remit is a smart idea, even if from a practical perspective this might need to either be balled in with the responsibilities of an existing executive, or only be a mid/senior management role, in smaller companies.

These recommendations also include the marvellous suggestion to "embed a new modus operandi" - an expression normally reserved for profilers of serial killers, and perhaps the hardest sell since Isle of Man beach holidays.

PS I apparently missed the memo where the oft-ridiculed speech of Donald Rumsfeld used to support war against Iraq became de rigueur in risk management/insurance white papers. If there is one "known known" in this world, it is that I will never use that expression on the job!

Wednesday, 7 August 2013

Deloitte's 8th Global Risk Management Survey - cause for concern?

A survey from Deloitte has recently hit the news stands, namely the 8th edition of their Global Risk Management Survey - I thought I'd postpone my August holidays to pick through the bones of it (?).

The data was gleaned from an online survey they sent out to CRO/equivalents back in Sept-Dec 2012, so is a bit dusty, and there were 86 respondents, so a half-decent sample. It isn't dominated by a particular sector or continent (p7), but there are more conglomerate/bank-heavy respondents than pure insurers.

There is an infographic for those of a short attention span with a few headline numbers, but having sifted through the larger doc, I found the following elements worthy of note;

Boards, Committees and Risk Management
  • 80% of Boards are reviewing and approving Risk Management Policies/ERM Frameworks and Risk Appetite Statements. Bearing in mind the types of organisation in the sample, that is disappointingly low.
  • 25% don't review individual risk policies
  • 23% don't review strategy against risk profile
  • Almost half don't invite CRO to EXCOM meetings
  • Almost two-thirds delegate risk oversight to satellite committees (and two-thirds of those delegate to a Risk Committee)
  • Only half have their Risk Committee chaired by an INED.
  • Use of specific management risk committees for individual risk types tends to cluster around the 40-60% bracket (for example, 60% have an ERM committee, while 44% have an Op Risk Committee). Heavily weighted by organisation size i.e. larger ones tend to have them! 
  • Emerging risk reporting not supplied to 30% of Boards
  • Model validation results not supplied to 70% of Boards!
  • 66% (of insurance respondents) have their Boards responsible for reviewing economic capital results
CRO and Risk Management Function
  • 97% of large respondents have a CRO, 81% of smaller firms 
  • 88% using "3 Lines of Defence" (almost all of the larger respondents do)
  • 62% have an "ERM Programme"
  • 58% increasing risk management budgets (still!)
  • In the list of tasks currently performed by CROs, the fact that only 63% are involved in the approval of new business lines/products is pretty telling, and not in a good way.
Other control functions

  • Almost half of respondents said that Internal Audit and the ERM Framework do not use common risk categories and language.
  • 33% do not have an independent model validation 'function' (remember, the banks are in these stats as well!) - most of those who have made provision park it in the Risk Management function.

Risk management techniques

  • 90% using some form of stress testing in the business, with most saying the outputs are used in business planning, strategy setting and identifying risk tolerance. More than half however don't use the outputs in the allocation of capital to lines of business.
  • 74% have some type of Stress Testing policy
  • Over 20% either do not have a Risk Appetite Statement, or only have a quantitative one
  • Almost 70% still use regulatory capital as one of their quantitative measures in their Risk Appetite Statements
  • Risk limits tending to be set at enterprise level, as opposed to business or desk/subsidiary level - stats are a little murky due to the emphasis towards banking sector.
  • Model risk and Liquidity risk seem to be the risk types least factored in to companies' ERM programmes
Management of Key Risks
  • Full list on p24, with the percentage shown representing the number of respondents who thought their management of each risk was "extremely" or "very" effective - stand outs were that perceptions of the effectiveness of the management of Operational, Model, Outsourcing and Data risks appear to be much lower than one would hope, with Lapse risk management ranked unusually high.
  • Op Risk KRIs and Loss data only collected in 60% of respondents
  • Just over half are modelling Op Risk in some way - varying degrees of complexity experienced
  • Most are using stress testing and/or reserving to assess Insurance risk - over 40% not currently using EC, and over 50% not using VaR.

Risk and Reward

  • Almost 60% of remuneration schemes have no clawback provisions
  • Almost 70% of schemes do not align incentive payouts with the term exposure of the underlying risks

Solvency II-specific
  • 92% (of relevant responders) will focus resource on ORSA in next 12 months
  • 77% will focus resource on Data Quality in next 12 months
  • 69% will focus resource on Documentation and Reporting in next 12 months
  • Less than 25% rate their processes and systems for Data Governance extremely/very effective.
  • Declining trend of insurers who will be modelling economic capital (p19)
  • Only 80% actually calculate Economic Capital
  • Some very grim stats on p21 covering which risk types are modelled for EC purposes (underwriting risks seemingly very low on the list)
There are a number of areas touched on here which fall short of pending (or indeed actual) national/international regulations and codes, never mind "best practice". Perhaps we can account for the innate conservatism of CROs in their responses, and assume things aren't quite as bad as they have self-assessed here?

Friday, 17 May 2013

Internal Model Validation - the "desire for certainty"

Some useful snippets on the links here for anyone in the model validation space, whether it be the practical applications of Monte-Carlo simulation outside of the insurance industry, actuarial perspectives on model risks themselves such as parameter uncertainty and goodness of fit testing where "the problem is more often too many candidate distributions" as opposed to restrictions in choice.

This fantastic blog post from one of Willis's finest is about as blunt a critique of actuarial modelling activity and its potential for subsequent misuse as I have read, and I would strongly recommend it on to non-expert risk practitioners who may one day find themselves in the model validation/use test firing line. A few of the pearls of wisdom offered (focused on reinsurance industry, but relevant to all) include;
  • How the human "want to believe" and "desire for certainty" can lead to models making rather than guiding decisions
  • Reliance of models on "large numbers of heroic assumptions"
  • "Data is always limited and flawed"
  • That "models take combinations of assumptions and torture them to come to conclusions"
  • The revisiting of assumptions only when the answers don't fit expectations ("euphemistically called 'calibration'", hilarious!)
  • That using models for setting regulatory capital, rather than just informing decision making, has led to "extremely onerous" IMAP activity i.e. the limitations noted above are so well established that the regulators cannot ignore them at a granular level.

Then this piece from Deloitte US on model validation, or more specifically, research into the quality of existing actuarial modelling controls, is an eye-opener for anyone working in the validation space. With RMORSA and associated capital modelling firmly on the agenda Stateside, it is interesting to watch how aggressively they approach validation, bearing in mind this work was commissioned by the Society of Actuaries, whose members may ultimately be charged with applying some of these recommendations!

This research in particular assesses current state versus best practice controls over the assumptions, inputs and outputs of actuarial models, and though the sample of respondents to the survey is relatively small (representing "30 unique companies"), the absence of suitable supporting documentation around model governance so evident in the UK's IMAP process appears to be a depressingly constant theme. This report at least includes recommendations as to how the US actuarial profession may bridge some of the gaps Deloitte identify.

In the NAIC's ORSA Manual, they ask that "ORSA Summary Report should provide a general description of the insurer’s process for model validation, including factors considered and model calibration" (p7), which I guess is what one expects to see in the EU (i.e. validation being a sub-process of the ORSA, which can be summarised in the ORSA reports). That said, the breadth of validation work performed over there will surely be driven by S&P expectations communicated in ERM Level III reviews, rather than profession-sponsored consultancy recommendations!


Finally (and slightly off track), an odd piece from Towers Watson on validating ORSAs, pitched to a room full of Internal Auditors. Would be unfair to say there aren't some salient points throughout, but given that there is "no clear requirement" to validate ORSAs (there was something on the matter in the original CEIOPS ORSA pre-consultation, but it was dropped in the public consultation and the final advice), then you would think it could be covered in less than 30+ slides!

As it happens, the TW slide pack for internal model validation appears to have been raided and had the acronym 'ORSA' jemmied into the text for much of the second half of it.

Tuesday, 2 October 2012

Deloitte with more on the US-of-ORSA

Billed as a "regulatory guidepost to the future", Deloitte in the States have published their thoughts on ORSA developments, following on from recent activity in the space, most notably the NAIC's adoption of the RMORSA Act a few weeks back.

Hard to tell whether Deloitte have borrowed much from their European counterparts, who ponied up with the EIOPA-compliant equivalent document last week, but both documents ultimately point at the same end goal, namely getting the ORSA Process and ORSA Report content right.

Confidently declaring the first regulatory filing of an ORSA Report to be precisely, errr, "Sometime in 2015", the stateside plans are anchored more to ERM and, I guess by association, ratings agency implications. The document does help identify a couple elements which, with the Solvency II hat on, are easy to forget;
  • IAIS ICP 16 is bringing ORSA to the table of all signatories at some future juncture (which means I may get a job back home one day!)
  • Existing techniques for monitoring solvency, even in a jurisdiction of this size, are seemingly past their sell-by-date in terms of both content and turnaround time (p2) - holds true for many of the Solvency II-covered countries as well (plenty on that topic in here).
The rest of the document draws out the preparatory work which firms should be undertaking, despite the relative lack of certainty at this point in time, such as increasing real-time data availability and changes in reporting, management and governance structures. It also touches on suggested content, process implementation (more like formalisation from experience), and a checklist of operational considerations, resourcing (or even briefing/coaching) being highest priority in my mind in 2012.

Good document for you statesiders to pass round your friendly non-executive directors anyway, as an early socialising of the concept in this format goes a long way when you have tiny windows to educate them on the topic over the next 3 years - looks like you will be filing ORSA Reports before we are!

Interesting footnote is that AIG have been labelled as a potential SIFI today - ORSA may be 5 years too late to have saved the behemoth it once was, but let's hope it can help its slimmed down current-day version.

Wednesday, 19 September 2012

Deloitte on "How to conduct the ORSA" - facts and apocrypha

While our pals at the FSA, EIOPA, the CRO Forum, 3 of the Big 4 (here, here and here), the Little 3 (here, here and here), the IRM,  the Irish SoA, and even the guys in the stars and stripes have deemed to recommend to all and sundry what ingredients will make a good ORSA, Deloitte have chipped in this week with a 50-page whopper that tells us everyone else was wrong and they are right...

...well OK, not quite! Deloitte's release about this "important yet enigmatic" area, which seems to have a mainland Europe-flavour to it, works its way through EIOPA's reformulated opinion on L3 ORSA guidance released in July, summarising what changed between the Nov 2011 and July 2012 versions. I of course managed this feat two months ago, but I couldn't quite pad it to 50 pages! They then embellish a section-by-section analysis of the two documents with some charming apocryphal tales of what "many companies" or "the industry" are struggling with currently (i.e. their clients' problems!).

As with most things generated by the behemoths, it is a really useful piece of material despite on the face of it not adding anything new to the knowledge pool, so from an ORSA consultant's perspective, I've made the following notes;
  • Emphasises that supervisory intervention will come from lax ORSA processes, as opposed to ORSA Report content (which will drive the US approach)
  • Notes that, given the opportunity for the ORSA and the SCR calculations to be conducted on different reference dates, this may allow organisations to keep any existing strategic planning processes where they already are in the calendar, rather than unnecessarily shift them to, say, follow financial year-ends. The proviso of "no material change in the risk profile" may of course discourage that, if only due to the need to define "material"!
  • Some rather controversial free text around risk appetite ("intuitively simple" as a concept) and risk appetite frameworks ("very much a work in progress" at insurers) - appreciating progress is somewhat inconsistent across industries and the inter-body squabbling on the matter, I can imagine many practitioners would argue the opposite of both points - it's complex, but we're well on the way!
  • Highlights difficulties with performing obligatory entity-level ORSAs if risk appetite is expressed in regions/products/funds, which seem perfectly reasonable anchors for risk appetite statements on the face of it.
  • "Most organisations" defining AMSB as parent company Boards, plus entities if applicable - no evidence provided though.
  • "Many firms" struggling with the "cultural challenge" of getting Boards to drive ORSAs - this I found odd, as many ORSA processes will already be in place to a greater or lesser extent, and most would feature in their individual crystallised reporting form in a BAU board pack. They go on to suggest that getting AMSB input into stress and scenario testing is one way of evidencing ORSA "driving".
  • Comment that "In general, the ORSA guidelines were seen as too prescriptive" [my emphasis] - I generally recall the clamour from the industry over the last 3 years being that there isn't enough!
  • Common (unevidenced) theme identified that ORSA policies have tended to be signed off by Risk Committees, which may not satisfy the AMSB sign-off requirement
  • "Some organisations" electing to split out record of the ORSA Process from the ORSA Report to trim the document size - makes perfect sense, as there's no danger of the co-ordinating function not retaining those records for repeatability purposes.
Plenty of other clutter in there on risk quantification and capital management, but nothing controversial, just nice to read. Bon appetit...

Monday, 20 August 2012

Deloitte and Forbes - the new world of Risk Management

This Deloitte/Forbes paper is sub-titled "Aftershock", which makes anyone of my age immediately recoil at the thought of the world's most repulsive bar shooter - it is in fact a pretty decent stab at running on from the kinds of financial services-specific research which came off the back of the 2006-2008 mega-turbulence (these were mostly titled "We've broken the World, what are we going to do" :-( )

At 192 respondents it is a decent sample size, though is US-centric and non-Finance organisations, so not a great all-rounder for you global readers. However, the central message that risk management programmes and frameworks remain in a state of flux (hence the aftershock motif) is a worrying one when one examines the stats behind it:
  • 91% are reorganising and reprioritising approach to risk management in next 3 years, citing continued market volatility.
  • Only 37% had plans to provide additional training in that respect
  • Centralisation cited as more efficient way of bubbling risks to the top - interested to know if that is everyone's experience?
  • Around 50% retain primary responsibility for the "risk management approach" with CEO or CFO, with the CRO in third at 20% - should we be expecting that percentage to be moving up or down at this juncture (in particular, does a CRO need a seat at the top table to be responsible for ERM approach?).
  • Example cited of ERM being managed in the corporate strategy department, which I thought was an interesting development.
  • Biggest challenges included; 26% stating that incentives are not rewarding 'risk based decisions'; 22% struggling with the misalignment of the business operating model and the ERM model, and 23% suffering a lack of information to make risk based decisions. These three (there are of course more in the list!) struck me as common issues when preparing for Solvency II, so handy stats in that respect.
  • Staggeringly, Social Media is equal fourth on the list of "most important risk sources over the next 5 years" - equal with Financial Risk! Not to underplay the emergence of social media and its multiplier effect on reputational risk, but seriously?
  • Most "risk types" are monitored either periodically or continuously, though strategic and reputational risks seem to be most likely to be measured on an ad-hoc basis (something which you ORSA consultants out there will sympathise with!)
     
I say "worrying" at the top here from a professional perspective - is it reasonable after events as seismic as those experienced in the last 5 years for the risk profession to still be sliding in a mass of new parts into the ERM machine, as opposed to tinkering under the bonnet?

Bearing in mind this doesn't include the financial services industry, maybe the timelag is rational, as the other industries have had plenty of time to learn what not to do!

Thursday, 24 May 2012

Deloitte and economist intelligence unit - where are insurers heading on Solvency II

Always nice to see a benchmarking piece at a time when the legislative process has conceded that Eurocracy has led us to Solvency one and a half and we are no nearer to hearing whether the trialogue discussions are going to keep the new timetable on track.

This one comes from our old friends the EIU, with Deloitte riding shotgun. 60 firms, mostly UK domiciled and a good mix of Life/Non-Life, polled in what is a follow-up to last year's survey from the same authors. Already covered as highlights in a few articles (here for example), but I found the following salient:
  • Change in emphasis from restructuring and introducing new risk mitigation techniques to repricing and/or redesigning new products.
  • 20% of respondents noting they will need to "significantly change investment strategy" - perhaps as a result of the firming up of lobbying positions on the sticking points of Omnibus II?
  • ORSA a key area of focus for the majority of respondents over the next 6 months - strange in light of model applicants' use test obligations that it is only an area of focus now. Fascinatingly, data quality was only 4th on the priority list, with model embedding/use and risk appetite naturally high up the list.
  • Even-ish split between those who are confident of timely implementation of the Directive by the industry and those who are concerned
  • Majority have seen their project costs hiked due to the delay to 2014 - not especially new news, though the scale of increase seems relatively modest, with only 5% saying they have ponied up more than 10% over budget
  • Only 45% worried about dual running ICA and SCR next year, weighted much more heavily towards the larger companies.
  • Big changes in the profile of firms' modelling habits year-on-year, the movements strangely towards more complexity (standard formula to partial internal model, or partial to full). A likely link to the earlier stats on radical changes in investment strategy and repricing becoming higher priority? Regardless, it's more work for our pals in Canary Wharf!
  • A quarter of eligible respondents are in the FSA landing windows of 2013 (lucky devils!), with a surprisingly large number pencilled in for this year. Bearing in mind the scathing summary of IMAP materials issued to date by Julian Adams last week, should we expect these candidates to one-by-one ask for more time (and potentially get chucked out, as previously indicated?) Seemingly not too many respondents interested in the suggestion that there will be significant tangible business benefits off the back of their Solvency II Programmes.
UK-centric as a piece of research for sure, but certainly some ideas to be gleaned by EU internal model candidates off the back of it, as well as some comfort for anyone lagging on ORSA.

Thursday, 4 August 2011

The Risk Intelligent CFO - Deloitte

Don't believe you need a subscription, so dive in to Deloitte's (US-centric) research on how to make your CFO more "Risk Intelligent". It is light in certain areas (reputation in particular), and outlandish in others (the CFO is apparently "a catalyst, strategist, operator and steward with respect to risk decision making") but has some neat touches such as;
  • Concept of Strategy Risk being split between "Risks to" and "Risks of"
  • Refining risk reporting/metrics down to the "vital few"
It does however cross over into other Insurance-entity disciplines (CRO, Chief Actuary etc), and it provides 4 "major risk categories" that are wholly unsuited to insurers and banks, but it doesn't purport to be for financial services only - take whatever you can from it, and certainly don't be afraid to wave it under your CFO's nose.