Showing posts with label Risk Committee.

Wednesday, 7 August 2013

Deloitte's 8th Global Risk Management Survey - cause for concern?

A survey from Deloitte has recently hit the news stands, namely the 8th edition of their Global Risk Management Survey - I thought I'd postpone my August holidays to pick through the bones of it (?).

The data was gleaned from an online survey sent out to CROs (or equivalents) back in Sept-Dec 2012, so it is a bit dusty, and there were 86 respondents, so a half-decent sample. It isn't dominated by a particular sector or continent (p7), but there are more conglomerate/bank-heavy respondents than pure insurers.

There is an infographic for those of a short attention span with a few headline numbers, but having sifted through the larger doc, I found the following elements worthy of note;

Boards, Committees and Risk Management
  • 80% of Boards are reviewing and approving Risk Management Policies/ERM Frameworks and Risk Appetite Statements. Bearing in mind the types of organisation in the sample, that is disappointingly low.
  • 25% don't review individual risk policies
  • 23% don't review strategy against risk profile
  • Almost half don't invite CRO to EXCOM meetings
  • Almost two-thirds delegate risk oversight to satellite committees (and two-thirds of those delegate to a Risk Committee)
  • Only half have their Risk Committee chaired by an INED.
  • Use of specific management risk committees for individual risk types tends to cluster around the 40-60% bracket (for example, 60% have an ERM committee, while 44% have an Op Risk Committee). Heavily weighted by organisation size i.e. larger ones tend to have them! 
  • Emerging risk reporting not supplied to 30% of Boards
  • Model validation results not supplied to 70% of Boards!
  • 66% (of insurance respondents) have their Boards responsible for reviewing economic capital results
CRO and Risk Management Function
  • 97% of large respondents have a CRO, 81% of smaller firms 
  • 88% using "3 Lines of Defence" (almost all of the larger respondents do)
  • 62% have an "ERM Programme"
  • 58% increasing risk management budgets (still!)
  • In the list of tasks currently performed by CROs, the fact that only 63% are involved in the approval of new business lines/products is pretty telling, and not in a good way.
Other control functions

  • Almost half of respondents said that Internal Audit and the ERM Framework do not use common risk categories and language.
  • 33% do not have an independent model validation 'function' (remember, the banks are in these stats as well!) - most of those who have made provision park it in the Risk Management function.

Risk management techniques

  • 90% using some form of stress testing in the business, with most saying the outputs are used in business planning, strategy setting and identifying risk tolerance. More than half however don't use the outputs in the allocation of capital to lines of business.
  • 74% have some type of Stress Testing policy
  • Over 20% either do not have a Risk Appetite Statement, or only have a quantitative one
  • Almost 70% still use regulatory capital as one of their quantitative measures in their Risk Appetite Statements
  • Risk limits tend to be set at enterprise level, as opposed to business or desk/subsidiary level - stats are a little murky due to the emphasis towards the banking sector.
  • Model risk and Liquidity risk seem to be the risk types least factored into companies' ERM programmes
Management of Key Risks
  • Full list on p24, with the percentage shown representing the number of respondents who thought their management of each risk was "extremely" or "very" effective - stand-outs were that perceptions of the effectiveness of the management of Operational, Model, Outsourcing and Data risks appear to be much lower than one would hope, while Lapse risk management ranked unusually high.
  • Op Risk KRIs and Loss data only collected by 60% of respondents
  • Just over half are modelling Op Risk in some way - varying degrees of complexity experienced
  • Most are using stress testing and/or reserving to assess Insurance risk - over 40% not currently using EC, and over 50% not using VaR.

Risk and Reward

  • Almost 60% of remuneration schemes have no clawback provisions
  • Almost 70% of schemes do not align incentive payouts with the term exposure of the underlying risks

Solvency II-specific
  • 92% (of relevant responders) will focus resource on ORSA in next 12 months
  • 77% will focus resource on Data Quality in next 12 months
  • 69% will focus resource on Documentation and Reporting in next 12 months
  • Less than 25% rate their processes and systems for Data Governance extremely/very effective.
  • Declining trend of insurers who will be modelling economic capital (p19)
  • Only 80% actually calculate Economic Capital
  • Some very grim stats on p21 covering which risk types are modelled for EC purposes (underwriting risks seemingly very low on the list)
There are a number of areas touched on here which fall short of pending (or indeed actual) national/international regulations and codes, never mind "best practice". Perhaps we can account for the innate conservatism of CROs in their responses, and assume things aren't quite as bad as they have self-assessed here?

Friday, 2 August 2013

Central Bank of Ireland - Corporate Governance Code refresh

The Irish approach to corporate governance in financial services, at least up until the onset of the financial crisis in 2006/07, resembled something of an all-you-can-grasp buffet for a select number of executive golf club pals and octogenarian ex-politico Non-Executive Directors (NEDs), having their voting arms operated à la Weekend at Bernie's.

Ireland pre-2007 - Waking NED?
The new FSA-flavoured approach brought in by Matthew Elderfield in 2009 (elaborated on here), fortified by the findings of a devastating 2011 report summarising the truly horrid governance practices in the Irish banking industry, has led to a change of regulatory tack at the Central Bank of Ireland that represents the biggest volte-face in Europe since the Macarena.

Alongside PRISM, a piece of revolutionary work in the assessment of financial institutions by supervisory bodies, the CBoI also made substantial changes in areas such as Annual Compliance Statements, Fitness and Probity of directors, and Risk Appetite Statements.

All of this ran off the back of Mr Elderfield's first major gig in 2010, a full revamp of the Corporate Governance Code, which could hitch a ride off the back of the work of the FSA and CEIOPS (at the time!) and deliver a more substantial suite of obligations to a cabal of directors who, after feasting on carrots for years, desperately needed the stick.

This makes the release of yesterday's consultation on the Corporate Governance code a touch baffling, as the ink is barely dry on 2010's effort - it perhaps reflects that the regulator has reached optimum staffing levels if they can review it so regularly! Having said that, the level of divergence from accepted CG practices in the UK was flagged by Grant Thornton back in 2011 as being substantial, so a point-in-time revamp should not be so unwelcome, regardless of the proximity to the last one, and of course, all of this activity was too late to prevent Quinn Insurance from going down.

They emphasise that this review takes into account developments in the Solvency II space, as well as on-the-ground experience and publications from other parties of interest. Of particular note was their emphasis that, where national regulations are not as stringent as the relevant EU or international ones (or indeed vice versa?), the most onerous one should be complied with. In a number of instances around corporate governance, this will mean the CBoI outranking Solvency II as the more onerous of the two!

While these are proposals rather than stitched-on changes at this point, the CBoI doesn't have a great track record for backtracking these days. Highlights for me were;

Risk Committees

  • Require a majority of NEDs on Risk Committees, which must also be chaired by a NED
Committees in general
  • Require the Risk Committee and Audit Committee chairs to sit on each other's committees
  • Require the Remuneration Committee chair to sit on the Risk Committee
  • In High Impact firms, the Risk Committee and Audit Committee Chair may not be the same person
  • Must be at least 3 members of Risk Committees and Audit Committees
Chief Risk Officers
  • They note that it is "Generally accepted best practice" to have a CRO who, amongst other tasks, is charged with "...facilitating risk appetite setting by the Board". In addition;
  • All "High Impact" firms will be required to appoint a specialist CRO
  • Firms with a lower PRISM rating may have a CRO who is shared with another control function, "...provided that there is no conflict of interest between the two roles". Can't help but feel that this might rule out CRO/Chief Actuary dual roles, but allows for CRO/Head of Compliance and CRO/Head of Internal Audit, which would be to the chagrin of the Society of Actuaries in Ireland!
  • CRO to have direct access to the Chairman of the Board
Board Meeting frequency
  • Seem to acknowledge that the compulsory 11 meetings per year for High Impact firms may be a touch much, so are looking for comments
  • Also acknowledge that compulsory 1 meeting per calendar quarter is a bit constrictive for the smaller firms, so may relieve this to be pragmatic
Chairman and CEO
  • Some of the restrictions around number of roles held at any one time to be relieved for smaller firms, but seemingly only to populate inter-Group roles.
Board Diversity
  • Acknowledges that, while the debate in the EU is gender-centric, diversity of all types is a worthy target for Boards, but falls short of compelling firms to do anything at national level, choosing to seek comments and wait for the supra-national activity to drive any compulsion. This seems to fit with the thinking of Irish directors published back in 2011 i.e. no "Golden Skirt" quotas.
Random
  • "...appropriate Risk Culture" makes its way in (6.3), perhaps cognisant of the FSB's proposals
  • Built in a piece which allows for video-conferencing rather than physical attendance at meetings (7.5)
  • Board responsibilities updated (13.1)
  • Compulsory Board skills matrix (14.9)

Friday, 15 February 2013

Chartered Institute of Internal Auditors - recommendations for UK financial services

The Chartered Institute of Internal Auditors recently created a sub-committee to provide professional guidance "...designed to be a benchmark for effective internal audit in financial services in the UK", and they have just reported back with this feast of fun, which is a vital read for anyone working in control functions within financial services. The opinions they have used to create this guidance have been purloined not only from the profession itself, but also from other professions, regulatory bodies and executive/non-executive directors.

They note in summary that there is "strong support for an unrestricted scope for internal audit", while drawing attention to disparity of opinion around matters such as: IA directly challenging strategy; IA reporting to Risk Committees (rather than audit committees) in certain instances; compulsory attendance of Chief Internal Auditors at Executive Committees; and the direction of managerial reporting lines.

The proposed guidance reads very much like the Corporate Governance Code, and is relatively light. It is broken into the following sections, where I have noted anything I found new or controversial alongside (my focus being predominantly scope creep into the Risk function's activity):

  1. Role and Mandate of IA - increased focus on risk assessment and risk coverage adequacy
  2. Scope and Priorities of IA - unrestricted scope ultimately advised; expected to "independently determine" key risks, and assess "the setting of, and adherence to, risk appetite"; assess the "risk and control culture"; allows for potential involvement of IA on "real time basis" in key corporate events (mergers, disposals, new lines of business etc)
  3. Reporting results - factors in reporting obligations to both Risk and Audit Committees where appropriate, and builds in an expectation of an annual independent assessment of governance (which covers off one of the FSB's recommendations covered yesterday!)
  4. Interaction with Risk, Compliance and Finance functions - nothing new
  5. Independence and Authority - Chief Internal Auditor expected to be executive committee-equivalent, have the right to attend Excom, access to all MI, and report directly to either the Chairman of the Board, Audit Committee or at a push, Risk Committee. A secondary line to an executive director should only go to CEO
  6. Resources - all resourcing decisions effectively divorced from the business, to reside with the Chief Internal Auditor and the Audit Committee
  7. Quality assessment - external assessment of the function recommended periodically.
  8. Relationships with regulators - nothing new
  9. Wider considerations - expectation that the "tone at the top" of a firm should be what fosters acceptance of IA
Any controversy? Perhaps around the seniority of the Chief Internal Auditor, and their assessment of the setting of and adherence to Risk Appetite. I think my main concern as a risk practitioner would be the potential for differences of opinion around what constitutes "adequate" risk management, given the Internal Audit predilection for COSO on all things risk-related, against the IRM or ISO 31000.

Let battle commence?

Saturday, 31 March 2012

IRM Solvency II Special Interest Group - Risk Committee effectiveness

Bit of an odd one this presentation, on the basis that the survey clearly contains a mixture of genuine Board-delegated Risk Committees, and some executive risk committees, but it contains some insights which may be of use regarding membership, agenda content, meeting regularity and methods of assessing effectiveness. In addition, one of the IRM Directors pitches in with a presentation on the topic, which is good food for thought, in particular if your Boards have delegated any matters to the Risk Committee for Solvency II.

Friday, 2 September 2011

Financial Reporting Council - new guidance on company stewardship and public reporting

Just in case you UK insurers don't have enough to factor in to your next annual report and accounts (least of all commencing the alignment piece between SFCR/ORSA content and the risk/strategy/capital aspects of your existing reporting releases), the Financial Reporting Council (FRC) have dropped a couple of grenades into the mix with this release on Effective Company Stewardship, and perhaps more significantly for our kind, the expanded commentary regarding Boards and Risk which was gleaned through a range of interviews.

The stewardship document obviously has some "comply or explain" regulatory relevance for UK readers, whereas the second is a phenomenally useful benchmarking tool to match up against your own board/executive/committee considerations of risk regardless of your jurisdiction.

The stewardship document then focuses more on reporting obligations, in particular Audit, and the associated consultation was triggered in Jan 2011. I was drawn to their findings on reporting "Strategy, Risk and Going Concern" which touch on communication of risk appetite, namely;
  • "differing views as to whether it is either necessary or possible for a board to apply a single, aggregated definition of its appetite for risk as a whole"
  • "when developing [the] strategy however, it is important for boards to agree their appetite or tolerance for individual key risks"
  • "reporting on the company's risk appetite was felt to be difficult, even if it could be defined, as risk appetite is not constant but varies depending on market conditions"
The FRC's proposals were therefore (on the basis that the legal obligation is to report on "principal risks and uncertainties");
  • Focus reporting primarily on strategic risks (as opposed to those which occur without company action) and 
  • Disclose such risks to business model and the strategy for implementing said model
  • Not to "scatter" descriptions of the risks faced by the company throughout the document
All of this is a little plus ça change for insurers, who are already pretty good at these aspects!

The second document carried additional interest for me, bearing in mind it collates genuine opinion of the decision making bodies on their existing risk management obligations (and therefore could provide insight into future issues with Use Test evidence, ORSA processes and SFCR/RSR sign-offs). They reiterate that this is not guidance!

Obvious headline from this work is that the Turnbull Guidance will get a brush up in 2012, but I also picked out the following aspects;
  • Risk Committee should not be obligatory for all industries
  • Boards need to focus on risks that undermine strategy or long-term viability (i.e. Reverse Stress Testing)
  • The "velocity of risk" meant that reputational risk requires greater attention
  • Essential that boards should focus on "gross" as well as "net" risk (inherent and residual in our lexicon)
  • Determining whether a particular risk should be brought to the board's attention remains one of the greatest challenges
  • Risk and Internal Audit should have clear reporting lines to board committees
  • Investors are seeking "more meaningful reporting on risk", much like that prescribed earlier
  • Risk categorisation terminology used is relatively crude (operational and strategic risks being the main distinction made)
I suspect most insurers would rest pretty easy if they benchmark their ERM frameworks against the contents of this paper.