Wednesday, 24 June 2015

CRO Forum on Risk Culture - comin' from the body heat?

Risk Culture
- need another hero?
A subject which is gathering more steam than Tina Turner's windows, Risk Culture has been given the kid gloves treatment by the CRO Forum in their paper, Sound Risk Culture in the Insurance Industry.

They say at the start that the topic has become "prominent in regulatory circles", which given EIOPA appear to be wining and dining the subject (here and here in the last couple of weeks alone), is something of an understatement. Their increased interest has no doubt been fuelled by the FSB's work on the subject from a year ago. In addition, the Financial Reporting Council took a shine to the topic in its last update of guidelines in late 2014 (point 27 in particular), while cultural failings have turned the FCA into a modern day Robin Hood (speech from inception time here).

As well as fiddling around the edges of definition, the paper expands on a few examples of where cultural change can be driven from, stealing from a few other industries (aviation in particular) and a couple of insurers (Zurich receiving particular attention).

They fundamental base they work from is pretty fair:
  • No "good" or "bad" culture, hence they talk about practices that encourage a "sound" risk culture throughout. Given that ropey culture does not necessarily prevent the achievement of strategic goals, this smart.
  • No "one-size-fits-all" concept of Risk Culture (i.e. don't look for one in this paper!)
That said, the definition used for the purposes of the paper from the NN Group CRO is actually a pretty good one - "shared philosophy of managing uncertainty" etc - though it does suggest that a failure in risk culture might simply be someone not sharing the philosophy, which I suspect is where a lot of your more pragmatic colleagues sit!

There are a number of sound inclusions throughout;
  • Emphasising the links between risk culture and conduct risk currently being force-fed to the industry by EIOPA (p3)
  • The chart on p6 showing survey results of essential elements of risk culture - senior management and Boards leading by example is evidently seen as more important than risk-based remuneration, despite the legislative attention the latter receives (including this week in the UK).
  • Zurich's internal 10 question survey on culture assessment - contains the gorgeous expression "organisational humility", as well as bringing some of the granular risk culture elements onto the table, such as treatment of whistleblowers.
  • Highlighting the "common phenomenon" of management teams containing people with the same personal attitudes - could benefit the creation of a "shared philosophy" without necessarily any of the benefits.
  • The illustration of NN Group's "Risk Culture Dashboard" (p11) - I don't have preference for it either way, but it does illustrate how much effort one can direct towards risk cultural identification, assessment and monitoring, which begs the question "is there that much value in it?" They seem to like it as a way of covenying the concept in the business in any case.
  • Pages 13-14 provide some good brain candy for those who have ambitions to educate or brief their colleagues on risk cultural matters. Zurich's "we are all risk managers" campaign looks like it probably has legs (more on it here).
There are a couple of mildly objectionable parts within;
  • Concepts of "Risk Vision" and "holistic" dropped in early doors and littered throughout, as well as a few extras such as "risk perspective" - the kind of obtuse terminologies which serve to divorce Risk functions from their colleagues
  • That firms should have a "clear vision" for their risk culture - why would something as opaque as culture be expected to be "clear". They don't even define it as a term in the paper!
  • Concerned that risk culture is "...only practiced by risk specialists" currently - how can this be if risk culture is " element that influences and is influence by various forces"?
  • Tha an organisation's corporate culture and risk culture "must be linked" - how are they not one and the same thing?
  • That Risk Appetite Statements are "effectively part of the business strategy" - as opposed to "actually"?
  • Use of the term Risk Profile as if it is unquantifiable, specifically that a firms who learn from their mistakes rather than chastise those who make them "tend to have a better risk profile". Not clever.

Tuesday, 16 June 2015

ORSA's Head? International Actuarial Association on ORSA Value

Unknown unknowns
- just say it one more time...
A rather verbose piece from the International Actuarial Association, or AAI if you are inclined comme ça, on Delivering Value From ORSA. Always worth a glance over these at this stage of proceedings, regardless of which side of the Atlantic you are currently rocking (with both Canada and the States keeping noisy on the topic in recent weeks).

As one might expect from a publication from an actuarial representative body (and one which aims to cover all IAIS bases, rather than the specificities of US/Canada/EU ORSA), it struggles for semblance once it needs to cover non-quant, and is therefore heavily flannelized.

The definition used by the IAA is:
ORSA provides a declaration of the company’s assessment of its position in terms of profit, risk and capital, both now and in the future, under different scenarios and relative to the company’s appetite to risk.
The purpose of the paper is to provide Board members with "insight into the value of the ORSA Process", which is a noble aim in itself, and a few nice touches can be found throughout, in particular:

  • The word “profit” features on virtually every page, almost unheard of in the EIOPA Guideline world where being able to “enhance the management of the undertaking” is King. Heaven forbid anyone makes a quid or two out of it!
  • The coverage of how insurance companies tend to profile risk is clean and rational (p3).
  • The concept of mitigation through company policies, overseen by good governance structures, as opposed to either holding capital or purchasing mitigation, is also expressed with clarity.
  • A company’s risk appetite, once determined by management and approved by the board, can be treated as a budget”. Lovely concept, though it needs more flesh to provide the 'insight on ORSA Process value' that the paper is intended to.

A few contradictions emerge in the document;

  • ORSA “needs to consider and be consistent with an insurance company’s business strategy” – does the process not need to as good as set it? Indeed, they go on to say on page 2 “The true value of ORSA can only be realized when ORSA becomes integral to management’s strategic decision making”!
  • Does ORSA “help build/maintain risk awareness throughout the company” – it would be a struggle to say it could do that any further than the relevant staff which EIOPA ultimately allude to. 
  • Concept of “Solvency Risk Profile” is borderline unintelligible (p3)
  • Terminologically, the section on risk appetite and risk profile on p3 is heavily quant-based, and feels country miles away from similar materials published by the CRO Forum a few weeks back. Specifically, it talks of “acceptable levels” of solvency risk, “minimum and maximum bands”, and that in aggregate across risk categories “This band of acceptable risk is referred to as the risk appetite”. Given it doesn't appear to veer to far away from the FSB's take on Risk Appetite, perhaps this is more of a step forward than EIOPA's 2013 back pass to the AMSB on the matter (p59-60)
  • That models used should be “subject to independent validation” – is it that important if you are not using your model for regulatory capital purposes (i.e. just for ORSA)?
  • The residue of Rumsfeld, which I had hoped had been resigned to the Noughties dustbin, reappears on pages 7 & 8, specifically “A complete ORSA would include the assessment of unknown unknowns”. Pacino said it best in Godfather III

Thursday, 4 June 2015

Solvency II Updates and Corporate Governance in Financials - PRA "Back for Good"?

A few releases of note out of the UK regulator over the last working week or so means I had some catching up to do - sometimes it feels like "All I do each night is PRA"...

They started off with a Director's Letter just before the bank holiday weekend. A general unwillingness to crack whips was present throughout this doc, even at this late stage, with a few references to "inform your supervisor" as opposed to "just do it".

The letter states that the PRA were due to publish some of their findings from their balance sheet review work by the end of the month - not done as yet, hopefully turns out to be money well spent

Regarding Standard Formula appropriateness:
  • They stress that firms must identify deviations from Standard Formula from their risk profiles, and include an assessment of the significance of that deviation in their ORSAs (emphasised in their October industry presentation from p6)- is the implication here that firms are not doing this at all at the moment, or just not reporting it in ORSA?
  • Highlight that "supplementary information" used to explain such deviations will also be assessed by the PRA. Does this add significance to one's qualitative commentary around Standard Formula/Risk Profile deviations? Can a good explanation be the difference between having to IM/PIM at the earliest opportunity against being given a couple of years of capital add-on breathing room?
  • The PRA note that, "...where a firm's conclusion on this question is not appropriate", it will intervene. It is not clear how a firm's conclusions about its deviation between SF and its Risk Profile could be considered "not appropriate", but I imagine that anything which attempts to dodge USPs/PIM/IM ONCE the divergence hits the limits in the Delegated Acts (276-287) would be frowned upon. There is certainly no appetite at the PRA for renewing capital add-ons in perpetuity (slide 13), which given the UK's familiarity with ICA and ICG, might be a desperado's first chance saloon.
  • The PRA are planning "specific interventions" on this front (detailed here), but not necessarily in time to correct before 2016.
Regarding Internal Models
  • Not happy with "wide variation in quality of IM Change policies. Sounds like firms are doing their best to avoid change criteria that results in frequent submissions for reapproval, which one would expect!
  • IMAP Submissions
    - Everything Changes
  • PRA seemingly expecting firms to have not only taken on board their feedback, but also had their IMs revalidated, before submitting their IM application. Given that validation will be chalked down as a 'once-a-year' job at the moment (despite the IRM's efforts), that seems highly unlikely. They give themselves a get-out-of-jail-free card though by stating that firms must be confident that any changes in their IMs both address PRA feedback and meet the tests and standards for model approval.
  • They appear to advise against submitting applications if you have a material change in the pipeline.
  • Heavily critical of Board involvement in validation. Here they look for evidence of Boards "overseeing and influencing" the validation process, whereas previous PRA presentation slides  did not have such expectations of Boards (slide 8 here), or indeed expected more (slide 9 here)!
  • The expression "internal management loadings" appeared in my life for the first time, which sounds to a non-technical person like myself that firms are effectively "dumbing-up" the capital requirement currently delivered by their IM in order to plaster over mathematical or data weaknesses. PRA certainly not impressed by industry suggestions to date.
  • Given the number of firms who must have dropped out of looking for Day 1 approval, they still shake the pineapple tree here in order to remind applicants that contingency plans should be ready in the case of application failures. "Many firms still have a considerable amount of work to do" sounds to me like some applicants are being pre-warned of their imminent failure!

The PRA also released a consultation paper entitled Corporate Governance: Board Responsibilities, which has the rather light ambition of identifying "key aspects of good board governance to which the PRA attaches particular importance in the conduct of its supervision".

A few straggler items in it;

  • That failures in governance and/or risk management have been a key factor in "many" financial sector failures - as opposed to "all"
  • That they consider the FRC's Corporate Governance Code, amongst others, a "comprehensive guide to good corporate governance" - given the firms experiencing the financial sector failures were most probably complying with it, not a great advert!
  • "Culture is the collective responsibility of the Board" - a bit of a nowhere comment, but instinctively, I don't see how this can be right. They can be accountable to both supervisors and shareholders/members for cultural failings, but where could such a responsibility materialise into demonstrable actions? 
  • "...the Board is responsible for the oversight of, but not for managing the business" - in relation to my comment directly above, can both statement be correct?
  • "The Risk Control Framework should flow from the Board's Risk Appetite" - I'll work on the premise that this is missing the word "statement" at the end of the line
  • Section 11 on remuneration expects that incentives are aligned with "prudent risk taking" - what if prudence is too conservative for one's risk appetite?
Into some of the expected themes;
  • Strategy to be "owned by the Board as a whole"
  • They wed Culture and Remuneration " encourage and enforce the kind of behaviours the Board wished to see"
  • They want a "well articulated and measurable" Risk Appetite Statement which can also be "...readily understood by employees throughout the business". Doesn't seem feasible, given the metrics commonly used in risk appetite statements are not exactly Finance 101 (Solvency/Liquidity/Earnings-related),
  • "It is the responsibility of the Board to ensure that the effectiveness of the Risk Control framework is kept actively under review" - has at least an air of COSO about it, don't think it was deliberate
  • Big section (6) on responsibilities and accountabilities of exec and non-exec directors.
  • Followed in 7.1 with "...non-executives should not simply delegate responsibility for major decisions to individuals among them who are considered specialist in the area" - this has internal models written all over it (p5-6)!
Happy to see this second document, though I don't know what it adds to firms' understanding about what is "good and bad".

Tuesday, 2 June 2015

PWC's Risks in Review - White Paper, Black Sabbath...

A quick dive into the wider world of ERM, courtesy of one of our Big 4 friends, ambiguously titled Risks in Review.  PwC's document (short sign-up required) is US-centric and multi-industry, so for the Solvency II crowd you might need to sift for the goodies (a good illustration of which side of the Atlantic it leans towards is that reported on its highlights), but for anyone in the ERM space, there should be something for you here.

A bizarre stat is laid out at the beginning in that 73% of the 1,200+ senior executive[s] and Board members respondents to the survey agreed that "risks to their companies are increasing". Whether this be in reference to the number of risks faced, increases in the likelihood/severity of one's existing risk universe, or their perceptions on emerging risks, it certainly suggests that exogenous and endogenous concerns have not abated in the minds of corporate leaders. However, given the risk immaturity within firms that the rest of the document serves to highlight, the lack of definition is rather unhelpful.

Appetite - For Risk or Bats?
As the survey covers multiple industries, it has the more generic risk classifications in mind (i.e all major quantitative risk balled up into "Financial Risk"), which will no doubt gnaw at anyone on the financial services side, but at the same time, it's not all about you!

The pat on the back for those surveyed is the sobriquet of "true risk management leaders", handed out to 12% of respondents. It frankly doesn't feel like a valid aspiration for an entity, more that being a "risk management leader" would be an implicit part of the make up of any firm which successfully delivers on its strategic objectives.

That aside, the Leaders (of which financial services companies "...represent a sizeable portion" of!) are congratulated for;
  • Aligning RM Programs with their businesses.
  • Communicating Risk Appetite and Risk Tolerance through the business - nothing on hard risk limits in the paper though
  • Being "able to take greater business risks" - I don't necessarily make the link between being "good" at risk management equating to taking greater risks, unless that is part of the business strategy one has aligned the RM Program with.
  • Take aggregated views of risk over multiple areas
  • Using techniques such as emerging risk identification/forecasting, scenario planning and stress testing
Laggards on the other hand
  • Have no formal Risk Appetite Framework (only 38% of respondents do)
  • Don't integrate Risk Management Strategy with business strategy (only 31% do)
They also hook the leadership qualities of risk management to some quantitative "value of good risk management" work on p5 (a topic which Towers Watson recently tiptoed around due to a lack of quant), namely that their profit margins and margin growth will outstrip peers. The growth of profit margins might be a bum steer, as the macroeconomic environment is perhaps less kind to industries other than financial services, who of course would have seen margins peak comparably faster over recent years due to the size of the trough in 2006/08!

As ever, the lexicon used in papers such as this takes a dip in the lake of dubiosity, for example:
  • That companies should "...treat risk management strategically" - as opposed to what, "operationally"? This kind of expression suggests that risk is not already considered in strategy, which feels unfair and unrealistic, even on the immature firms surveyed. That there isn't a functional ERM Framework to enhance that work does not mean it isn't done at all.
  • Risk Appetite Framework should have "buy-in" from senior management and the Board. Why "buy-in"? They should be deeply involved in the construction of an RAF, and their successes or failures as management should be inextricably linked to operating in line with it, not asked to nod in approval at the next Board/EXCO
  • "Having a clearly defined risk appetite framework allows companies to quickly assess strategic decisions in the context of risk" - that of course was not a given...
  • They also follow the tactic used in the Towers Watson paper in referring to risk management "programs" as opposed to "systems" or "frameworks- again, I'm not trying to labour the sematics of it, but a Programme for me has an end, and the work of a risk management function simply does not. This is perhaps just a psychological angle being worked here to drill into prospective clients that Programs can be boosted with a burst of external advice, but I find it increasingly disagreeable, particularly given the risk management leadership traits highlighted in this document, which most certainly do not lend themselves to the workings of a transient Programme.
Other stand out points would include
  • Alignment of RM Programmes against each business function (p9) - horrible result for Sales & Marketing, even for Leaders, and suggests it is an area for us all to redouble our efforts
  • Similar to Towers, talk of firms "drowning in data" - cannot fathom this for the life of me, but perhaps that's because I can use pivot tables and SQL server!
  • GE Capital's approach to administering Risk Appetite (p16) - very clean, and in a manner which the CRO Forum would appreciate.
  • Finally, a really nice section on p19 which shows the discrepancies between executives and risk professionals regarding their own firms' prospects. The Fannie Mae CRO suggests that Risk Management staff are "paraniods by profession" which given his employer's recent history, doesn't mean people aren't out for you!

Thursday, 28 May 2015

IRM on Internal Model Validation - Red Card or Green Card?

Cyclic Validation - Quelle horreur...
Just back from Paris, where I spent a weekend queueing behind selfie-taking tourists before taking out a second mortgage to buy bottled water. A beautiful place, though I found Depardieu was much quieter off-screen...

Onto the topic in hand, the PRA were pretty vicious back in the day on Validation efforts in their infancy, with Julian Adams lambasting both progress ("significantly behind") and validation scope ("narrow"). Given that the Solvency II sabbatical which bridged half of 2012 and all of 2013 gave firms time to catch up and widen, you might think that those with internal model ambitions would be pretty tidy by now. The PRA have even told firms how they believe "good" model application paperwork to look, carving out for themselves and the Validators of the world an easy-to-read "model reviewer" level of detail (p1).

In those salad days, Internal Model Validation felt to me like it would be the chernozem of the nascent Risk Management profession in insurers; a skill set that a quant or a non-quant could acquire, apply, and ultimately ease through the promotional path within insurance entities, given the depth and breadth of technical and strategic information the process challenges...

...but the moves never came. Despite the actuarial world themselves happily disassembling the complexities of quantitative modelling into easy-to-digest IM Validation themes, the non-quant world has waited patiently to see if anything of substance would emerge from one of its representative bodies.

And this week it arrived! The Institute of Risk Management has delivered, as part of its Internal Model Industry Forum (IMIF), a white paper on the validation cycle.

The IRM have been active in this area prior to the formation of the IMIF. I have covered an ERM in Insurance event at the start of 2014 here, while this more volumous slide pack featuring a number of the Billy and Betty Big Biscuits of the field emerged from summer of last year, when the IMIF seemed to come to fruition. This white paper itself appears to move along the concepts and ideas inside an IRM slide deck from last Christmas.

Given that the IRM is not-for-profit, there is always a likelihood that sponsors will unduly influence the products (indeed the IRM Chair notes in this that they rely on "enlightened industry support" to knock these documents out).

Sadly in this case, the sponsors include Three of the "Big 4" (with the fourth on the IMIF steering committee) , leaving the document dripping with consultancy hallmarks rather than pragmatic solutions to execute the tasks in hand.

That view is reinforced somewhat by this follow-on presentation to the IMIF from last week by this white paper's workstream lead and supporting consultant - one selected industry comment on slide 8 (presumably from a chocolate bar shortly before it ate itself) reads, "validators should really be experienced modellers"!

A few general points jump out of the white paper;
  • That a firm's IM is " the heart of risk and capital evaluation" - I thought it was supposed to "inform" this evaluation, not dominate it (slide 3 here, as well as Julian Adams's speech from a couple of years ago [p4]).
  • Is the insurance industry "...increasingly reliant on sophisticated models" - maybe in terms of AUM/Market Cap, but given the UK IMAP queue is down to approximately 40 firms out of over 400 (p4), and that number has steadily reduced over the last 3 years, feels a touch disingenuous. I've no doubt the firms represented on the Steering Group are "...increasingly reliant" though
  • The document claims to set out "best practice principles" - not sure if "practice" and "principle" share the same bed, but that aside, would anyone find it remotely acceptable to have the consultancy world fund a document which details "best practice" on IM Validation?

And a few stand out elements from the proposed Validation Cycle, which is heavily influenced by EIOPA's guidelines:
  • "Best practice now requires firms to demonstrate, with evidence, that the cycle...[is] being actively and effectively carried out" - how can best practice "require" anything from anyone?
  • "...resulting best practice that is emerging" (p4)  - how is any practice considered "best" at this stage of proceedings, when we are literally practising! Against what criteria?
  • References to "model risk impact assessment" and the "model risk assessment process" (p5) seem to come from nowhere. Alluding to something formal, but not very clear
  • Lot of coverage of "triggers" of IM Validation, which feels like a fishing expedition for the paper sponsors, rather than direct address of L2 Art 241 - the number of areas of "change" to consider as IM Validation triggers covers pretty much any change, anywhere, both inside and outside of an insurer (p8)! Most would also be ad-hoc ORSA triggers in my experience, so this potentially sets up insurers for a bucketload of work every time they hear a pin drop.
  • Formulaic and periodic IM Validation a "needless cost"? Surely periodic validation, no matter how badly executed, is compulsory (L1 Art 125)?
  • The Trigger Impact Assessment stage (p10) is barely legible - "The trigger impact assessment against model risk appetite stage" - and terminologically it is all well above legislative requirements.
  • "Unexpected triggers" (p12) get a mention. Again, not making sense to me - you either know your triggers or not.
  • "Model validation is complex" and "less than black and white" (p16) - certainly is if you try and follow this process! A focus on plain questions and less quant can only help the models non-expert users (slide 7).
  • If the validation cycle, processes and execution are "continuously evolving" (p18), are they reliable? Feels difficult to meet L2 Art 241.3, at least from a planning and execution perspective, if the process is constantly being tinkered with 
  • "Developing a communications strategy" (p20) as part of the validation scoping and planning stage feels terribly over-elaborate.
  • "Robust planning" expected to be common (p22), which doesn't necessarily marry up with the expectation of dynamic rather than cyclic validation in future (p10)
I think it is right to take the hump to a certain extent here. The PRA have been cunningly silent on capital add-ons to date, but given the implication that they will not be applied and renewed ICG-style (slide 13), there is likely to be many more less monied Partial IM applicants to follow over the next couple of years. Having the most influential consultancy firms decide on what is "best" in the validation world (and for it to have this many bells, whistles and legislative off-roads) feels like setting those firms up for either a fall, or another bill.

The PRA actually delivered something with much less padding to the IRM back at the end of 2013, so I'm struggling to see why that has justifiably been turbo-charged. Given they have three of their finest involved with the IMIF, but are continuing to be directly vocal on this topic (as recently as March 2015), it sends a worrying message to the capital add-on brigade that the IMAP early birds will be setting disproportionately high bars for 2017 and beyond when they deliver their PIMs.

Ultimately, I was disappointed by the publication, which reads more like a flannel manual, and is certainly not the kind of Risk Profession contribution that the topic so badly needs if the PRA's dreams of Board's "directing" and "owning" the IM valdiation process (slide 9) are ever going to come true. The 200 page novella world of Validation Reporting feels closer than ever...

Tuesday, 19 May 2015

Towers Watson's Global ERM Survey - Knowing ERM, Knowing You...

A couple of treats from two of the powerhouses of the 'writing things down' industry on the practical use of ERM to drive decision making, rather than simply accompany it.

Towers Watson are targeting the Solvency II audience (at least on this side of the Atlantic) with a timely release of the results of their 8th Biennial Global ERM Survey. I say the results, as there is no sign of the full survey itself - any closer to their chest, it would be an areola's backpack...

As ever, these kinds of publications oscillate between flannel and insight, so while I cover those below, feel free to read the infographic and call it quits!

General observations from the main press release include;
  • Three-quarters of (the almost 400) respondents say they are viewed as "important strategic partners" by the Board and Executive - I'm less inclined to see that as a mark of superiority, given that risk functions in some firms won't have the ambition or aptitude to achieve that status
  • Implication that some respondents do not have a risk appetite framework in place - very worrying, unless this is just bad wording.
  • Some firms said to be only "...using ERM for regulatory compliance". It may depend on jurisdiction, but I'm not inclined to agree that is even possible.
  • The "ultimate vision" for a firm's ERM capabilities is referred to, which is a brow furrer, even conceptually. TW seem to bundle up risk culture, risk monitoring and risk tolerance into the "Vision" bucket, in case that term takes your fancy.
  • The expression "very strategic approach" appears in print for the first time!
Getting Value from ERM?
- "Kiss my Face"
From the more elaborate Q&A document, we find the main granular material which TW were prepared to publish. Fortunately for readers this side of the Atlantic, the EMEA Director Mike Wilkinson holds sway over much of that conversation, including his tale of the firm who recently had an ERM/Business Strategy-inspired "Aha" moment.

That session contains a fair bit of contention, such as;
  • Asking the questions "What's the purpose of risk management" or indeed the "purpose of your ERM Program" in the Q&A - if these had been directed to the respondents themselves, it would have contextualised a number of the seemingly negative responses i.e. If the purpose of your ERM Program is "don't get shut down", you are probably less bothered about being a "strategic partner"!
  • That the business should "...challenge the risk group to create reports that help them make decisions" - Excel Jockey is hardly the work of a strategic partner...
  • In a similar vein, that insurers are "drowning in data, drowning in metrics" - hardly a new phenomenon, and doesn't give any credit to the critical faculties of employees to filter what they do have.
  • "...many [internal capital] models have matured" - a sharp intake of breath can be heard down at Moorgate!
  • That " ERM Program can't properly be assessed until it has been in place for a while" - pretty sure the S&P crowd wouldn't hold off assessing you while you "embed"
Mike in particular does manage to keep a good focus throughout the Q&A on maximising trade-offs between risk and return being the big differentiator between Risk functions who are capable of influencing strategic decision making, and those who are perhaps more likely to be tabling red-amber-green reports tracking the outcomes of decisions which have already been made.

Other strong points include;
  • In the context of Risk Tolerance, how to cater for the discretion required by an insurer's asset managers in handling investment portfolios.
  • Touches on a couple of pieces which stood out in the CRO Forum's Risk Appetite publication last month, namely around the increasing number of measures being used to run businesses other than capital, allowance of movement within risk tolerance levels, and whether firms have effectively articulated their organisation-wide Risk Appetite and Risk Tolerance limits down into its subsidiaries/departments.
One aspect which gnawed at me throughout this reading is the constant referrals to "ERM Programs" - I don't think I am bathing in semantics to suggest that Programs normally start and end, whilst ERM would surely constitute a Framework. You might choose to redecorate the Framework periodically with a Program (Solvency II a prime example), but you wouldn't expect a Program to "mature" or "evolve", you expect it to conclude!


Monday, 18 May 2015

Central Bank of Ireland speeches - "and there's more"...

Solvency II-ready?
"It's the way I tell them"...
I rejoiced on Friday at the sight of more speech material emerging from the Central Bank of Ireland directorate, if only due to the Frank Carson* gag I could wheel out due to the volume of their recent speech-giving...

As an industry we should always be happy to hear the regulator on lead vocals, so I gave the pair of speeches released a once-over to see what Irish concerns have justified the recent bounty of public addresses.

Deputy Governor Cyril Roux was very targeted in his speech, delivered to PwC's Annual CEO Dinner. It apparently gave him "great pleasure" to be in PwC's offices, which presumably means they weren't on the meter...

Some of the statistics and comments served to highlight that Ireland is something of a special case in the context of Solvency II, in that two-thirds of Irish gross premiums are to cover 'foreign risks', and that many insurers under their auspices will not have proximity to or oversight of much of their distribution network.

A few messages jumped out from the rest of the speech;

  • A lot of positive messages had a caveat implicitly wrapped with them - "...we are in the main satisfied with your engagement with the Central Bank"; "On the whole international firms generally file returns on time..."; "I also commend your general adherence to our Corporate Governance Code..."
  • Goes as far as using the IMF's recent review findings to tell firms to stop poaching regulatory staff while simultaneously complaining about turnaround time!
  • Nice point about keeping focused on current risks through the PRISM framework, rather than drifting into Solvency II mode before 2016.
  • Having recently been complimented by Sr. Bernadino on Ireland's reserving governance (p12), he reinforced that assumptions pertaining to reserves are expected to be "critically debated".
  • On ORSA, that the CBoI "...expects to see Boards actively directing the use of risk management tools...such s stress or scenario testing"
  • On Internal Modelling, he not only expects Boards to "...have sufficient knowledge and skill to challenge the model outputs", but adds that they " to see a Board direct the modellers in their firms to run specific stresses and scenarios prior to an item being discussed at the Board" - a big advance on previous murmurings on use test from supervisory bodies.
  • Pulls up firms who are seemingly not tailoring their model's parameters for the Irish-specific business.
  • Similarly a message of insisting that cross-border distributors tailor Group-driven materials and processes for the Irish market such as " policies and output, such as the ORSA, and internal model...".
  • A cute but important distinction that "embedding" Solvency II, rather than complying with it on paper, is still going to take considerable effort.
Sylvia Cronin's speech (well, the Solvency II aspect of it) stayed along the same lines as she pursued at the Industry event in late April, where she was harsh on a number of specific elements in preparatory phase ORSA Reports which had been observed.

In a section of the speech covering "challenges to be overcome", a number of pieces of insistent ORSA direction are given, for example;
  • "Your Board must use the ORSA to more fully align business strategy and capital"
  • "You also need to use it as a lever to discharge your core responsibility not to take on risks and exposures which the capital base does not support".
  •  "...there is a lot of work yet to do by firms to get this element of the new regime embedded to the extent we required" - I add here that, given they will have only reviewed 2014's preparatory phase ORSA Reports and Processes, is this not a given, particularly after CBoI sponsored a template-filling approach for the smaller firms?
On the wider world, the speech covers;
  • That Solvency II sets out "clear standards and expectations around your internal control and risk management" - agree on the latter, but the former?
  • Believes that the "scope for subjective judgement" may open up regulatory arbitrage opportunities, and that "a number of iterations" will be required before EU-wide consistency is achieved, in a sly dig at, errrr, everyone in mainland Europe
  • Similarly, the volume of cross border business HQd in Dublin poses a problem due to the geographical boundary of CBoI's "prudential remit"
  • Reinforces the message fro April that Pillar 3 readiness is a growing concern
  • A large suite of views on Conduct Risk, where "culture" and "conduct" are hogtied together as the grimmest twins since DeVito and Schwarzenegger - that message won't be changing in a hurry, so I strongly recommend your work in that area caters to the supervisor's tastes.
Useful insight from what appears to be a supervisor with their sleeves rolled-up - keep up the good work.

* PS I know the connection is tenuous as he's a Belfast man, but give me a chance!