FRC on Risk Management and Internal Control disclosure - insurers way ahead?

Muddy Waters
- public disclosure on Risk

The UK's Financial Reporting Council have released guidance on Risk Management, Internal Control and related reporting, just in time to help muddy the waters for UK insurers, who have no doubt finally got their risk, actuarial and compliance functions writing non-conflicting words with Solvency II preparation in mind!

Anyone who has written, peer-reviewed or socially read these sections of public reports (i.e. me, and any other geeks), will know they are normally;

• Boiler-plate, and completely transferrable between industries, regardless of their disparate risk profiles
• Aligned to the Strategy sections with a few anchor words, but otherwise divorced
• Frequently unaligned with the ERM frameworks used internally - i.e. "this is what the City wants to read", not material on our actual risk profile!

Given that this is only guidance, and is further only directly relevant to LSE listed entities, readers may be inclined to take the content with a fistful of salt. There are a number of noteworthy aspects to this publication however which maybe show where the mindset of supervisory-types has got to in the eight or so years since the financial crisis commenced.

 I took the following general points from it;

• Very little for listed insurers to be concerned about, if they have prepared adequately for ORSA and supervisory reporting (SFCR, RSR) - indeed, their reporting teams will be delighted with the amount of content crossover! Check out the (still not finalised) Delegated Acts of Solvency II in order to see why listed Insurers won't need to stretch to meet these.
• Frequent references to "culture", as opposed to "risk culture". Checking the FSB's take on Risk Culture from April of this year, one can appreciate the FRC's desire to gemmy culture into these guidelines, if perhaps not the execution - one fears the "culture" words are likely to become a little weasely.
• Multiple crossovers into ORSA language, in particular re-emphasising the importance of the alignment of risk management with business strategy.
• Good work in section 4, bringing in the "IMMMR" concept from Solvency II, as well as assessment of current and emerging risks, and assessing exogenous and endogenous risks when doing so.
• Recommend that risk assessments are performed at inherent and residual level, and that control effectiveness is also considered when arriving at one's final assessment

On the technical front, the following elements caught my eye

• "Emerging principal risks" used as an expression - not sure if that stands up to scrutiny i.e. if something is emerging, can it be a "principal" anything? How would you measure it to gauge "principality"?
• Reference to "high profile failures in risk management" in recent years, which feels a little finger-pointy - we could deconstruct every corporate failure to one of risk management failure
• "Risk Appetite" put into inverted commas within the guidance, but not in the appendices - can't quite work out the aversion to definition given the FSB's work to date at the very least, but certainly EIOPA have similarly dodged it (p59), and looking at Appendix 1 of the Irish regulator's thought paper on Risk Appetite, one can see why!
• "It is the role of management to implement and take day-to-day responsibility for board policies on risk management and internal control" - really? responsibility for their implementation, sure, but policy content?

Lloyds - cognition and how human factors affect risk perception

While the Solvency II world will be as grateful for as they are familiar with Lloyds of London's work in the Sol II sphere, they pushed out an intriguing paper for all risk practitioners this week around cognition, the impact of human behaviour, and our interaction with models when identifying and assessing risks.

This is a piece of academic research very much needed at this point in time, where the regulatory obligations around internal model challenge have yet to formally land, let alone be adequately road-tested, while at the same time the UK is continuing with its ICAS+ regime, where entrants will no doubt receive running commentary on their progress in upscaling both assumption/parameter challenge as well as model use.

Anyone involved in the 200-ish pre-applications for internal model use prior to Solvency II go-live in Europe would therefore benefit from a read of this, particularly if you are on the validation-side. I picked out the following;

Fundamentals which impact on modelling choices (data sets, interpolation/extrapolation, correlations, tail dependencies etc)

• "We are not equally aware of all risks...people make decisions based on a subset of the available evidence"
• "Expectations are strongly influenced by personal experience and current events"
• Tendency to "...lose sight of infrequent losses" in the face of more frequent visible events
• Tendency to procrastinate around risks which are difficult to assess
• "Some may query the relevance of human factors, given the prevalence of quantitative risk models - the suggestion being.modelling rules out biases"

Risk appetite

• "Low risk appetite can increase false alarms, and a high risk appetite increases misses"
• "The greater risk appetite of powerful individuals can stem from a tendency to focus more on rewards and successes, while people who are lacking in power are often more cautious and attentive to threats and potential obstacles" - is it this dichotomy which makes the role of the CRO ultimus inter pares in the boardroom?

Aide-memoire lists for risk practitioners

• How to counteract risk perceptions - p11
• Separating risk perceptions from immediate context - p13
• Awareness of bias linked to power - p16
• Risks in perspective - p20
• Behavioural principles which can create added value - p22