
Wednesday, 26 August 2015

PRA Final Notice on Co-op Bank - "cautious", with blurry lines...

"Two straws please"...
The PRA published a Final Notice last week regarding the numerous shortcomings of a UK bank over the last few years, which included the news of a colossal £121m fine which the PRA would have levied if the entity wasn't still losing wedge faster than a mojito in a cement mixer.

I'm sure some of us chortled at the Crystal Methodist headlines a couple of years ago when the Non-Executive Chair of the UK's Co-operative Bank had his numerous vices sold to the highest tabloid bidder by a rented acquaintance. I covered some of the initial fallout on here, themed mostly around reputational risk and fit and proper persons, given the exponential effects of the exposé on the ultimate failure of the Group in its form at the time.

A document covering part of Co-op's demise, specifically its Bank, was released last week by the PRA.

The PRA's Final Notice to the Co-op Bank is issued publicly, and highlights where the firm breached what were at the time the FSA's Principles for Business, replaced since the PRA/FCA divorce by the PRA's Fundamental Rules.

Included in the Final Notice on this matter were a number of matters which risk practitioners should be salivating over, given that the failures which led to this punishment include:
  • Inappropriate culture,
  • Internal control framework failures,
  • Ineffective risk management policies, and, the jackpot,
  • A "three lines of defence" model "...flawed in both design and operation"!
The activities demonstrating this include a woeful suite of incomplete management information, three horrendously chancy accounting interpretations benefiting the balance sheet at the expense of real-world accuracy, and a suite of defensive line failures, all of which are followed through in forensic detail.

I have sectioned my notes below for my own use, particularly given the PRA goes out on something of a limb here and provides usable definitions for certain terms which I suspect many practitioners would benefit from reading. The PRA (and EIOPA) generally try to dodge requests for definitions, so while the peg is square and the hole is round, it might be as good as you get!

Definitions and expressions
  • Three lines of defence - "This is a system which relies on there being an opportunity at three complementary and independent levels to identify and correct any control failures". 
  • Second line of defence - "Second line functions should support and challenge the management of risks firm-wide, by expressing views within a firm on the appropriateness of the level of risks being run"
  • The above is supplemented by the following: "Responsibility for risk should not be delegated to risk management and control functions" - amen brother!
  • Third line of defence - "Internal Audit should provide independent assurance over firms' internal controls, risk management and governance"
  • Risk Appetite - "A firm's stated risk appetite is an important factor in determining whether a firm's risk and control framework is commensurate with [the] nature of its business, and should be both integral to a firm's strategy and at the heart of its risk management system" - not far off a direct quote from last year's Approach Paper on Banking Supervision (p22), though it has moved from "foundation" to "heart" in this Final Notice. I know what I prefer to build on!
  • "Clearly-defined strategy" - they list "well-defined objectives, responsibilities and milestones" as expected
  • Policies - "The establishment of appropriate policies [and procedures] governing the conduct of a firm's activities is an essential component in the exercise of appropriate organisation and control of a firm's business"
  • "Good risk management culture" (p7) - interestingly an expression most bodies have avoided using, preferring "sound" to "good". They later go on to talk of culture more generically in terms of "right" and "inappropriate" (p33).
Observations
  • Interestingly, Co-op Bank never refer to operating "3LOD" until their 2012 Annual Report (p56 for the boilerplate and clearly untrue definitions), so any deficiencies in the model before that year might be for a good reason!
  • First line management oversight was seen as "inadequate" and "inappropriate" (p12)
  • Their second line managers "...repeatedly voiced concerns" about headcount (p29), which weren't addressed until the back end of the period under scrutiny. Hard to think that, post-2007, it would be difficult to justify reinforcing that area of the business, which perhaps says a lot about the entity's culture.
  • Second line not monitoring adherence to policies (p29) - quite hard to conceive of nobody in the second line doing this!
  • A clear distinction made more than once between "Risk Management Framework Policies" and "adequate policies and procedures" relating to operational matters (p5)
  • Some of the failure to follow 'internal policies' seems to have been sponsored by the acquisition of the Britannia book - perhaps a natural by-product of M&A activity, where the cultures and modus operandi clash (p21)
  • Second line criticised for not providing proper "independent challenge" - happy to see this, given the focus tends to be on second line oversight, which always feels like a bit of a jib-job.
  • Third line giving the business credit for proposed remedial action in its audit reports (p31) - even taking this into account, they were rolling over around 30% of recommended actions in their reports as "overdue"!
  • Head of Internal Audit reported to the Head of Risk
  • An implication that one may be permitted shortcomings in one's internal control framework, providing one's culture is "appropriate" (p5). 
  • An interesting slant on reputational risk emerges from one of the accounting interpretations used, specifically that while assuming a particular accounting treatment (on the Leek notes in this case) which benefits the entity at the expense of the counterparty might benefit the immediate balance sheet, the long-term effect on being able to raise new capital must be considered (p16)
  • External Auditors using a 1-to-7 scale to assess how punitive/liberal the accounting treatments used by clients are. These assessments have bitten this particular client on the bum, given the PRA quote them in the document in the context of whether they align with a "cautious" risk taker!
Open ended questions
  • Is "cautious" a realistic appetite for risk at Entity level? More importantly, if one has a "cautious" risk appetite, is one obliged to manage one's capital "cautiously"?
  • Management information was criticised for not being "sufficiently forward looking" - should it be (as opposed to mostly summarising positions at a point in time)?
  • Is the PRA allocating resources to firms based on their Risk Appetite Statements (p13)?
  • Is it possible for non-Accounting experts working in the second line to identify just how many ropey interpretations of UK GAAP/IFRS are being applied to a balance sheet? Is it plausible to leave such work to external audit firms who couldn't have a more vested interest in the grey areas of such legislation? The artificial boosting of the balance sheet listed in this notice would be subtle enough to trick an accountant or two I'd bet!
  • Can quant risks be effectively managed in a separate team from the qualitative world? Appreciating there is a shockingly blurry line in Co-op Bank's approach (p29), it certainly feels like Solvency II pressures might lead to similar pressures on the staffing front, particularly for modellers and small/medium sized firms where staff may wear more than one hat.

Wednesday, 20 November 2013

Financial Stability Board - Principles for an Effective Risk Appetite

Christmas has come early everyone - the Financial Stability Board have released their Principles for an Effective Risk Appetite Framework today, and I'm greedily ripping in to it before JC's birthday like a spoilt, yet handsome child...

FSB's RAF Principles published
send the car back lads...
There has been a reasonable amount of traffic on Risk Appetite this year (here, here and here for a start), and after the FSB announced their consultation earlier in the year, I've been on tenterhooks. This followed off the back of a thematic review on Risk Governance as a whole by the FSB, which they published back in February.

So where do they take this deep dive into Risk Appetite? Other than awkwardly shoehorning in the soupe du jour of "SIFIs", they stick to the hard areas which will get every risk practitioner's attention (namely, Risk Appetite Framework, Risk Appetite Statements, Risk Limits and Roles and Responsibilities), though "for clarity and simplicity", they jettison the use of Risk Tolerance. Definitions are supplied on p2-3, which you may find useful as anchor references.

They somehow make room for anodyne flannel in this very short document, for example;

Risk Appetite Frameworks
  • Should "facilitate embedding risk appetite into the financial institution’s risk culture"
  • Development and establishment is an "...iterative and evolutionary process that requires ongoing dialogue throughout the financial institution to attain buy-in across the organisation" (groan)
Risk Appetite Statements
  • "Risk appetite may not necessarily be expressed in a single document; however, the way it is expressed and the manner in which multiple documents form a “coherent whole” need to be carefully reviewed to ensure that the board obtains a holistic, but compact and easy to absorb, view of the financial institution’s risk appetite"
Risk Limits
  • "Having risk limits that are measurable can prevent a financial institution from unknowingly exceeding its risk capacity as market conditions change and be an effective defence against excessive risk-taking" - tell that to Lehmans!
However, the salient points for me were as follows;

Risk Appetite Frameworks

  • RAF "...sets the financial institution’s risk profile" - not convinced on that one, but may be a semantic issue
  • "explicitly defines the boundaries within which management is expected to operate when pursuing the institution’s business strategy"
  • Should "be adaptable to changing business and market conditions" to allow for limit increases where appropriate


Risk Appetite Statements

  • "[should] address the institution’s material risks under both normal and stressed market and macroeconomic conditions"
  • "...should establish quantitative measures of loss or negative outcomes that can be aggregated and disaggregated"
  • "...include key background information and assumptions"
  • "...include quantitative measures that can be translated into risk limits"
  • "...be forward looking and, where applicable, subject to scenario and stress testing"

Risk Limits

  • "[should] be set at a level to constrain risk-taking within risk appetite"
  • "...should not be strictly based on comparison to peers or default to regulatory limits"
  • "[should] not be overly complicated, ambiguous, or subjective"

Roles and Responsibilities

The Board

  • ...must establish the institution-wide RAF and approve the risk appetite statement, which is developed in collaboration with the chief executive officer (CEO), chief risk officer (CRO) and chief financial officer (CFO)
  • FSB specifically comment that Boards who "receive" or "note" Risk Appetite Statements have a lower understanding of risk appetite (so don't sponsor it!)
  • "[should] regularly review and monitor the actual risk profile and risk limits against the agreed levels (e.g. by business line, legal entity, product, risk category)", "including qualitative measures of conduct risk"
  • "[should] ensure risk management is supported by adequate and robust IT and MIS to enable identification, measurement, assessment and reporting of risk in a timely and accurate manner."
CEO should
  • "...be accountable, together with the CRO, CFO, and business lines for the integrity of the RAF"
  • "...ensure that the institution-wide risk appetite statement is implemented by senior management"
  • "...provide leadership in communicating risk appetite to internal and external stakeholders" 
  • "...establish a policy for notifying the board and the supervisor of serious breaches of risk limits and unexpected material risk exposures"

While there are specific sections for the obligations of CRO, CFO, Internal Audit and Business Unit Management, they don't necessarily expand much further than what I consider to be normal functional expectations, so I haven't elaborated on them.

One should certainly therefore expect a much more aggressive approach from supervisors in future off the back of this - combing through strategy and board papers for evidence of Risk Appetite in application, and making sure that Risk Appetite Statements are not just 'rubber stamped', for example.

I certainly don't see much in this for stakeholders. Nothing particularly new is brought to the table here, and if this is the result of peer review and shared experiences, then clearly there is concurrence on how an RAF should be constructed, what a RAS looks like, and who should do what in regard to continuous monitoring.

The skill will be for risk practitioners to convince their CEOs/NEDs that this is no longer a sidecar activity in the ERM best practice space, but a nascent global minimum standard which will invariably surface in national regulations in the forthcoming months and years.

Tuesday, 10 September 2013

Towers Watson - 'Risk Appetite revisited' (did we ever leave it?)

I have been doing a little work on Risk Appetite in the background recently, so was intrigued to have a read through this recent release by Towers Watson on the subject, seemingly targeted at North American and UK markets, but relevant to any practitioner in this space. Somehow I wasn't put off by p6 when, in response to the hypothetical question 'What is Risk Appetite', they responded with, "...we do not want to focus too much on the issue..."!
Appetite - second helpings?

I had blogged earlier this year on Risk Appetite, covering the expectations of EIOPA on the matter (which are few), as well as the more pokey/proddy stakeholders like the PRA/Central Bank of Ireland/S&P (which are several!), so the backdrop of risk appetite's practical significance to insurers doesn't need to be repeated here, more how consultants and practitioners are improving their game on the ground. Worth noting here that a few of the other consultancies have proffered their two cents on the matter over the last year or so (here, here, and here).

While interest in 'risk appetite' is currently piqued at governmental level thanks to the forensic examination of the banking industry's failings (multiple references in Parliamentary Commission evidence here and here for example), the driver of activity in the UK and Ireland is predominantly from the regulatory compliance perspective rather than expectations of bespoke, strategy-driving activity. In addition, we now see the emergence of Internal Audit as a party with a vested interest in the matter, which has the potential to draw the subject even more to a tidy, but ultimately superfluous documentation exercise.

With that in mind, Towers note that this paper is focused on "...enhancing risk appetite by improving its articulation, via clearer linkages to mission and strategy", and a rather derisive tone is therefore applied throughout regarding the familiar quantification methods preferred by regulators to monitor likelihood of insolvency in the next 12 months, giving equal billing to non-monetary capital and qualitative measurements. The paper also crosses some familiar ground, such as a lack of consistent terminology, which it tries to address (below).

Oddly, the document does not reference the FSB's thematic review of risk governance earlier this year, which will surely drive efforts in this space in the medium term, if only due to the paucity of certainty on the subject. That the FSB believe that regulators have "more work to do" is striking, and while they also bemoan the lack of common terminology, they don't let that prevent them from offering definitions of their own, as well as listing their "Key features" of a Risk Appetite Framework.

More obvious statements

  • "...clearer linkages are needed to mission and strategy for risk appetite to be effective"
  • "risk appetites must include boundary constraints"
  • "We suggested that greater clarity around the definition of risk is needed..."

Definitions
  • Risk - "In this context, risk should be defined in terms of those events and circumstances that may result in an insurer failing to deliver on its mission."
  • Risk appetite - "...the manner in which a company expresses an identified set of risk-trading opportunities, and sets boundaries on its risk-trading among those opportunities, aligned with successfully delivering on its mission."
  • Risk strategy - "The company’s risk strategy articulates how risk fits with the mission".
  • Risk tolerance - "Risk tolerances are a quantitative extension of the risk strategy...risk tolerances must be measurable...[and] place quantitative boundaries on the company’s strategy"
  • Risk limits - "Risk limits are more granular tolerance levels expressed for specific risk sources, business units, and/or products that are used to implement the risk tolerances."
  • Risk appetite statement - "...risk appetite statements should be taken as the combination of risk strategy tolerances and preferences, bringing together qualitative and quantitative enterprise perspectives on risk as both opportunity and threat."
  • Mission - "mission is the insurer’s unique multi-period and multi-stakeholder value creation proposition."
Technical suggestions

  • They promote four facets of risk assessment: size, likelihood, impact and significance.
  • For those working on statement content, they recommend "...since published mission statements can be fairly terse, the risk appetite may need to look beyond the explicit elements of the mission and consider elements that are implicit." Instinctively that feels unfair, but I guess the world of implicity is one for the second line to inhabit, while the first line concentrate on value-adding.
  • Concept of adaptive buffers sits nicely with me - the most visceral ones being economic capital and reinsurance/hedging/liquidity facilities, but TW attempt to expand that over qualitative areas of the risk appetite statement
  • Risk preference ranking of 0-4 depicted at the back is a handy schematic

Sore points

  • "Some take the view that risk appetite can be expressed as a single metric, or perhaps a small set of metrics, that capture the organisation’s willingness and ability to bear risk." - that 'some' would include the FSB, COSO, the Central Bank of Ireland and the IRM, so I wouldn't be too sniffy at efforts to-date
  • "Much of the work to-date on risk appetite statements has been driven by solvency supervision requirements, many statements tend to focus primarily on potential losses of capital" - a natural and by no means unwelcome by-product of having regulators in the box-seat, as opposed to stakeholders combining their efforts to establish compulsory risk appetite statement content?
  • "While most insurers have, by now, developed risk appetite policy statements and discussed them with their boards, many have expressed dissatisfaction with the exercise" - that feels a rather loose statement, and if true says more about the personnel charged with performing the work.

I'll take a look at the diversity of definition in the risk appetite space across different bodies in a separate post - for now, just enjoy this tidy piece of work for what it is.


Friday, 15 February 2013

Financial Stability Board - Thematic review and recommendation on risk governance

The Financial Stability Board (FSB) have been sticky-beaking around systemically important financial institutions (SIFIs) with a relatively unchecked remit ever since the financial crisis first reared its head. This week they have emerged with a very significant document for Risk practitioners across the globe, with a thematic review of Risk Governance (press release also available here). The participants were 36 banking and broker/dealer institutions of interest, as well as major supervisory bodies and NGOs.

On the basis that there isn't a single accepted global standard on the matter, the thematic review compares prevailing practices against an amalgamation of content from existing standards from the IAIS, OECD and other bodies. Of major interest to risk practitioners is the document's focus on areas which the IRM have covered recently, namely risk appetite/tolerance/limits/capacity and risk culture.

Bearing in mind the great and good from the prudential regulatory world are active participants in the FSB, the likelihood of their findings emerging in the regulatory principles of tomorrow is pretty high. Of course this research has been based on Non-Insurance SIFIs, and so insurers large and small who have been endeavouring to meet Solvency II Pillar II requirements will find themselves in a decent spot already.

On that basis, I noted the following;

General recommendations to supervisory bodies (p4)
  1. Formal requirements on the independence and skillsets of Boards
  2. Hold Boards directly accountable for risk governance, and whether or not their existing suite of risk MI is sufficient
  3. Formally elevate the stature, authority and independence of the CRO role
  4. Require an independent assessment of the effectiveness of the risk governance framework to be performed on an annual basis (a list of what Internal Audit would generally review in this context follows on page 24)
  5. Engage "more frequently" with Boards and management to assess risk culture
Sound practices list p30-34 - highlighted below are elements which may be new to the UK in particular, were they to be introduced
  • Boards - annual reviews of member qualifications, skills and time commitments; meet quarterly with regulators; "effectively inculcate" an appropriate risk culture
  • Risk Committee - annual approval of risk management policies
  • Risk Management function - CRO to have direct reporting lines to Board/Risk Committee as well as CEO; public disclosure of CRO firing/hiring; be "actively involved" in strategic decision making processes; meet quarterly with supervisors; stress testing "on demand" at the behest of the business
Risk culture and risk governance supervisory assessment
  • Notes that supervisors need to strengthen their ability to assess a firm's risk governance "...and more specifically its risk culture"
  • "More work is needed" on regulatory assessment of risk appetite frameworks
  • "Risk culture plays a critical role in ensuring effective risk governance practices through changing environments"
  • FSB have a working group exploring the potential for formal risk culture assessments, who are reporting in September 2013
Risk management functions and CROs
  • Acknowledges that there have been "[raised] supervisory expectations for the risk management function" since the financial crisis
  • Highlights that "most firms note that the CRO has a direct reporting line to the CEO", though "access to the Board" apparently remains more of an expression than a vivid reality
  • "Good progress" has been made on enhancing the stature, authority, and independence of the CRO position
  • Rather non-descript comment that "the Chief Risk Officer and the risk management function are responsible for the firm's risk management across the entire organisation" - responsible for what element, not conduct surely?
Risk appetite/tolerance/limits/capacity
  • Acknowledge a "lack of common terminology for risk appetite, risk profile and risk capacity...within firms, across firms and across national authorities"
  • Definitions of appetite and capacity used by FSB largely line up with IRM's definitions (though the IRM use 'tolerance' rather than 'capacity')
  • "Key features of a Risk Appetite Framework" are listed on p22 - however even those firms considered best in breed commented that there are ongoing "operationalising" problems with RAF rollout
  • Suggest that breaches of 'risk limits' should lead to reductions in exposures (piii) - not sure why the alternative of increasing appetite is not acknowledged