Corporate Governance and the Co-op - Never too much?

Another day another maelstrom for the UK's Co-operative Group, with their Chief Executive having his resignation accepted by the Board of Directors, this following on from a truly extraordinary story from late last year, where the Chair of its banking arm was caught in a drugs and prostitutes 'sting', which in itself followed an earlier uncovering of a £1.5bn capital hole in the banking operation!

The Group CEO, Euan Sutherland, said in a statement that without "professional and commercial governance" it would be "impossible" for him to execute the changes he had planned. A 55 page rulebook, for a Group that has six million members, doesn't feel like too much on the face of it for a man with his CV, so I was interested to see what the story behind the story was.

"Professional and commercial governance"
- Say it twice, say it thrice...

The boiling point appears to have been the leaking of details around the CEO's proposed pay packet over the weekend, which materialised publicly in a stroppy posting by him on the Co-op Employee Facebook page, pointing fingers at colleagues trying to "undermine me personally". His only-recently-active Twitter went quiet after a bout of February activity, so perhaps his attentions have been on this matter a little earlier...

The Co-op has been as leaky as a porcupine's waterbed recently, with this snippet regarding outcomes of their "top secret" self-commissioned Board review, supplementing other sensitive leaks over the last year reported here and here, so clearly there are plenty of disgruntled paper-handlers in this unique organisation.

Regardless of the well-connected source though, a quick glance across the numbers leaked to the Guardian would be enough to sponsor a sharp intake of breath for anyone in financial services (a £2m pay-off for a HR head leaving after a year? Will Hutton breaks it out in this post, and the mind boggles!). That said, take a look at these terms of reference for the Co-op Remuneration Committee and tell me where you have seen self-perpetuating pay-puffer terminologies before: every other financial services provider perhaps?

The knives were out from early on with regards to the financial arrangements of Sutherland's new team though, with the spectacularly generous relocation package for one of his lieutenants drawn out by the press soon after his hiring. Perhaps he put some noses out of joint with his remarkable show of sartorial disdain on his first day - "...I came in, walked into this brand-new building, and I was not wearing a tie" - but he did say a few other things in that early-days Telegraph interview which appear to have turned around and bitten his kitten, such as;

• “It’s very valuable to have customers in the boardroom. And for the first time I think the group board felt they were involved in strategy.”
• “There have been some very big issues that we’ve worked through [with the board.] Not bank issues, other issues”

The thread that appears to be emerging for this Group is that its uniquely assembled Board is ill-equipped to deal with such manners in a technically professional and rigorous format, whether that be rolling over for the previous leadership while they made a string of horrendous strategic decisions, or the huffy, juvenile leaking of sensitive data when the new team has come in.

This is not to say that using mutual-style democracy to elect a functional Board of Directors can't work, but perhaps it doesn't work in financial services, where the stakes are higher, the jargon is less penetrable, and failure is catastrophic. I could certainly pick through the list of values and principles and find a number of institutionally-appropriate excuses for leaking confidential paperwork

From a pure decision making perspective though, should the shop-floor proles be allowed to mix with the MBA-laden executive class of the 21st Century corporate world in a way that affords this particular entity the luxury of competing against their more cut-throat rivals, while sticking to those core values and principles while paying off their massive debts?

If Lord Myners pulls a solution out of the bag for a quid (and he doesn't sound like he's shrinking to the task), they'll surely have to promote him to Marquis!

Deloitte's 8th Global Risk Management Survey - cause for concern?

A survey from Deloitte has recently hit the news stands, namely the 8th edition of their Global Risk Management Survey - I thought I'd postpone my August holidays to pick through the bones of it (?).

The data was gleaned from an online survey they sent out to CRO/equivalents back in Sept-Dec 2012, so is a bit dusty, and there were 86 respondents, so a half-decent sample. It isn't dominated by a particular sector or continent (p7), but there are more conglomerate/bank-heavy respondents than pure insurers.

There is an infographic for those of a short attention span with a few headline numbers, but having sifted through the larger doc, I found the following elements worthy of note;

Boards, Committees and Risk Management

• 80% of Boards are reviewing and approving Risk Management Policies/ERM Frameworks and Risk Appetite Statements. Bearing in mind the types of organisation in the sample, that is disappointingly low.
• 25% don't review individual risk policies
• 23% don't review strategy against risk profile
• Almost half don't invite CRO to EXCOM meetings
• Almost two-thirds delegate risk oversight to satellite committees (and two-thirds of those delegate to a Risk Committee)
• Only half have their Risk Committee chaired by an INED.
• Use of specific management risk committees for individual risk types tends to cluster around the 40-60% bracket (for example, 60% have an ERM committee, while 44% have an Op Risk Committee). Heavily weighted by organisation size i.e. larger ones tend to have them! 
• Emerging risk reporting not supplied to 30% of Boards
• Model validation results not supplied to 70% of Boards!
• 66% (of insurance respondents) have their Boards responsible for reviewing economic capital results

CRO and Risk Management Function

• 97% of large respondents have a CRO, 81% of smaller firms 
• 88% using "3 Lines of Defence" (almost all of the larger respondents do)
• 62% have an "ERM Programme"
• 58% increasing risk management budgets (still!)
• In the list of tasks currently performed by CROs, the fact that only 63% are involved in the approval of new business lines/products is pretty telling, and not in a good way.

Other control functions

• Almost half of respondents said that Internal Audit and the ERM Framework do not use common risk categories and language.
• 33% do not have a independent model validation 'function' (remember, the banks are in these stats as well!) - most of those who have made provision park it in the Risk Management function.

Risk management techniques

• 90% using some form of stress testing in the business, with most saying the outputs are used in business planning, strategy setting and identifying risk tolerance. More than half however don't use the outputs in the allocation of capital to lines of business.
• 74% have some type of Stress Testing policy
• Over 20% either do not have a Risk Appetite Statement, or only have a quantitative one
• Almost 70% still use regulatory capital as one of their quantitative measures in their Risk Appetite Statements
• Risk limits tending to be set at enterprise level, as opposed to business or desk/subsidiary level - stats are a little murky due to the emphasis towards banking sector.
• Model risk and Liquidity risk seem to be the risk types least factored in to companies ERM programmes

Management of Key Risks

• Full list on p24, with the percentage shown representing the number of respondents who thought their management of each risk was "extremely" or "very" effective - stand outs were that perceptions of the effectiveness of the management of Operational, Model, Outsourcing and Data risks appear to be much lower than one would hope, with Lapse risk management ranked unusually high.
• Op Risk KRIs and Loss data only collected in 60% of respondents
• Just over half are modelling Op Risk in some way - varying degrees of complexity experienced
• Most are using stress testing and/or reserving to assess Insurance risk - over 40% not currently using EC, and over 50% not using VaR.

Risk and Reward

• Almost 60% of remuneration schemes have no clawback provisions
• Almost 70% of schemes do not align incentive payouts with the term exposure of the underlying risks

Solvency II-specific

• 92% (of relevant responders) will focus resource on ORSA in next 12 months
• 77% will focus resource on Data Quality in next 12 months
• 69% will focus resource on Documentation and Reporting in next 12 months
• Less than 25% rate their processes and systems for Data Governance extremely/very effective.
• Declining trend of insurers who will be modelling economic capital (p19)
• Only 80% actually calculate Economic Capital
• Some very grim stats on p21 covering which risk types are modelled for EC purposes (underwriting risks seemingly very low on the list)

There are a number of areas touched on here which fall short of pending (or indeed actual) national/international regulations and codes, never mind "best practice". Perhaps we can account for the innate conservatism of CROs in their responses, and assume things aren't quite as bad as they have self-assessed here?

UK's "new" Prudential Regulatory Authority - Approach to Insurance Supervision

So a magical thing happened over the weekend: a venerable institution disappeared on Friday, only to come back reborn on Monday...

...that's right, the FSA is no more, being replaced by two more focused entities in the Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FSA). This is part of the UK-specific fallout from the financial crisis, where a perceived lack of focus from the former tripartite system which housed the FSA allowed for both systemic risk (Northern Rock, RBS) and conduct risks (PPI, Interest Rate swaps) to emerge largely unchecked.

Rather excitingly, this means a new website with some natty logos from the Bank of England (which

PRA - emperor's new clothes
or Solvency II aperatif?

has rehoused the PRA side of the FSA), as well as a statement on the new supervisory approach that the PRA will be taking.

For anyone in the ERM/Solvency II/Corporate Governance space, this gives us a chance to pick up on the kind of regulatory interrogation one might expect when writing/upgrading system of governance-related materials in preparation for both full Solvency II implementation in 20??, as well as how they are accommodating EIOPA's interim measures from 2014.

Remembering that the PRA's two statutory objectives are to promote safety and soundness of the firms it regulates, as well as specifically providing appropriate protection to insurance policyholders, I thought it wise to make some notes on how they have catered for Solvency II and deference (when due) to EIOPA, as well as the general content around expectations of governance systems. I found the following worthy of note;

Control function-specific

Section 82 - "[PRA] wants to be satisfies in particular that designated risk management and control functions carry real weight within insurers"

Section 117 - Should have separate risk management and individual control functions in place (dependent on nature scale and complexity etc)

Section 118 - the PRA "expects these functions to be independent of an insurer's revenue generating functions"

Section 120 - expectation of an "operationally independent Actuarial function", which the PRA consider to be "integral to the effective implementation of a firm's risk management framework"

Section 182 - "Actuaries can play an important part in supporting prudential supervision"

Section 119 - an effective Risk function on the other hand merely "ensures that material risk issues receive sufficient attention from the insurer's senior management and Board" - just because I'm paranoid, doesn't mean the Risk profession isn't being made something of a gooseberry here, particularly as the FSA/Actuarial profession love-in started some time ago!

On Risk Appetite

Section 110 - a firm's risk appetite "[is] to be integral to its strategy, and the foundation of its risk management framework"

Remuneration

Section 84 - "remuneration and incentive schemes should reward careful and prudent management" - just like Prudential's and Standard Life's did this week!

Section 194 - Hint at potentially restricting pay in firms if intervention is warranted

Stress/Reverse Stress Testing

Section 109 - the AMSB must have "...an explicit understanding of the circumstances in which their firm might fail"

Section 145 - with regards to Reverse Stress Testing, "...management should consider the reliability of the output of the internal model compared with the results of these tests"

Section 106 - "competent, and where appropriate, independent control functions" should oversee risk management and internal control frameworks

Internal Models

Section 116 - On Internal Models, the AMSB should understand;

• extent of reliance on models for managing risk;
• limitations of their structure and complexity;
• Data used;
• key underpinning assumptions

Section 140 - "PRA expects internal models to be appropriately prudent"

Section 144 - firms may not choose the lowest capital requirement to determine whether or not to model internally

Regulatory Capital

Section 135 - for capital adequacy, firms "...should not rely on regulatory minima", and also "...should not rely on aggressive interpretations of actuarial or accounting standards"

Proportionality

Sections 212-215 - touches on treatment of "low impact" firms - is this effectively where aggressive approaches to proportionality interpretation should be expected (combined control functions, limited documentation, passive acceptance of Standard Formula etc)?

p43 - table covering the allocation of supervisory staff - 10 staff to 1 firm for the 25 largest insurers, versus approaching 10 firms to 1 supervisor at the small end.

Solvency II-specific references

• In the PRA's view "[Solvency II technical detail should] leave scope for supervisors of individual insurers to make informed judgements around risks posed"
• Confirms that elements of the Directive such as Prudent Person Principle, ORSA, Control Function requirements and Pillar 1 are all aligned with the new Threshold Conditions
• Model approval will be dependent on "adequate" risk identification, measurement, management, monitoring and reporting throughout the modelling process
• Will impose capital add-ons when necessary "to ensure insurers meet the required standards"

BIS and the future of narrative reporting - two birds, one stone (if you've done your SFCR!)

Piece of good news for the plc insurers amongst us, if not the other sectors, the BIS put out the results of their consultation on narrative reporting for listed entities. Looks like there will be a requirement for a high-level "Strategic Report", which between ORSA executive summaries, RSRs and SFCRs, are probably already written for the Tier 1 companies! More detail on what respondents wanted in this Strategic report is on pages 6-8.

They also had substantial feedback recommending a section in Annual Report and Accounts documents regarding proportions of women on Boards (just discussed in earlier post), as well as our old friend remuneration disclosure.

Of course, anyone who has had the unbridled joy of reading through the Commission's draft Level 2 text will know that between the SFCR and RSR, these kind of disclosures will be de rigeur from 2014, so it remains to be seen how badly the executives get pilloried once they make it easy to gauge their annual package - Aviva's, Standard Life's and Pru's bosses had a good working over this week, and that's with a convoluted presentation style!