Friday, 19 September 2014

FRC on Risk Management and Internal Control disclosure - insurers way ahead?

Muddy Waters
- public disclosure on Risk
The UK's Financial Reporting Council have released guidance on Risk Management, Internal Control and related reporting, just in time to help muddy the waters for UK insurers, who have no doubt finally got their risk, actuarial and compliance functions writing non-conflicting words with Solvency II preparation in mind!

Anyone who has written, peer-reviewed or socially read these sections of public reports (i.e. me, and any other geeks), will know they are normally;
  • Boiler-plate, and completely transferrable between industries, regardless of their disparate risk profiles
  • Aligned to the Strategy sections with a few anchor words, but otherwise divorced
  • Frequently unaligned with the ERM frameworks used internally - i.e. "this is what the City wants to read", not material on our actual risk profile!
Given that this is only guidance, and is further only directly relevant to LSE listed entities, readers may be inclined to take the content with a fistful of salt. There are a number of noteworthy aspects to this publication however which maybe show where the mindset of supervisory-types has got to in the eight or so years since the financial crisis commenced.

 I took the following general points from it;
  • Very little for listed insurers to be concerned about, if they have prepared adequately for ORSA and supervisory reporting (SFCR, RSR) - indeed, their reporting teams will be delighted with the amount of content crossover! Check out the (still not finalised) Delegated Acts of Solvency II in order to see why listed Insurers won't need to stretch to meet these.
  • Frequent references to "culture", as opposed to "risk culture". Checking the FSB's take on Risk Culture from April of this year, one can appreciate the FRC's desire to jemmy culture into these guidelines, if perhaps not the execution - one fears the "culture" words are likely to become a little weaselly.
  • Multiple crossovers into ORSA language, in particular re-emphasising the importance of the alignment of risk management with business strategy.
  • Good work in section 4, bringing in the "IMMMR" concept from Solvency II, as well as assessment of current and emerging risks, and assessing exogenous and endogenous risks when doing so.
  • Recommend that risk assessments are performed at inherent and residual level, and that control effectiveness is also considered when arriving at one's final assessment
On the technical front, the following elements caught my eye
  • "Emerging principal risks" used as an expression - not sure if that stands up to scrutiny i.e. if something is emerging, can it be a "principal" anything? How would you measure it to gauge "principality"?
  • Reference to "high profile failures in risk management" in recent years, which feels a little finger-pointy - we could deconstruct every corporate failure to one of risk management failure
  • "Risk Appetite" put into inverted commas within the guidance, but not in the appendices - can't quite work out the aversion to definition given the FSB's work to date at the very least, but certainly EIOPA have similarly dodged it (p59), and looking at Appendix 1 of the Irish regulator's thought paper on Risk Appetite, one can see why!
  • "It is the role of management to implement and take day-to-day responsibility for board policies on risk management and internal control" - really? responsibility for their implementation, sure, but policy content?


Thursday, 4 September 2014

Solvency II Delegated Acts - whenever, wherever...

No sign of the Solvency II Delegated Acts sign-off as yet. The mighty ECON committee of the European Parliament have just about got their feet under the table after May's elections (and June, July and August's European summer holidays!), but despite meeting on the 3rd and 4th Sept, they don't appear to have discussed or even listed the matter as work in progress.

Wouldn't have felt such a big deal, given Gideon's summary on the topic back in early August, but Mr Claffey and Co. at Milliman appear to have picked up on a potential sore point for the unit-linked boys, which might jack-up the Operational Risk SCR for anyone in standard formula world (which would cover a good number of pure unit-linked businesses I expect).

I've had a look around for the July version of the Delegated Acts, but they have yet to be leaked* as publicly as the January version - I would recommend anyone in the unit-linked world gives this a once-over, particularly if you still pay fat commission cheques!





* How about I shut my mouth - not only has the wonderful Petter Svensson (Sweden's foremost independent consultant) made it available on his own site, the Romanian Regulator has done similarly. Fill your boots...

Monday, 18 August 2014

ORSA - Institute of Risk Management special interest group

Of course while I spent the last couple of months topping up my tan in, errrrr, the Isle of Man, some of the guys in the UK and further afield have been building up an endeavour-flavoured sweat on some of the more malleable elements of Solvency II preparation.

Raining 'Mann' - Glorious Manx summer
The IRM as ever have kept the ball rolling, in particular hosting an ORSA session last month. While you can pick your way through the guest speaker presentations for ideas and comfort (one company specific, one consultant generic, and one which S&ST/RST fans might like as a sense check), I was much more interested in the attendee survey.

A whopping 34 replies came in, via which the attendees have delivered a reasonable ORSA landscape mock-up, which may help some of you get matters shuffled in your priority lists, given where your peers claim to be.

I noted in particular;
  • ORSA Process overwhelmingly run by the Risk functions (over 90%)
  • Just over half going for annual frequency, the rest (who responded) naturally more frequent - doesn't instinctively feel representative, but not all of the smaller firms would send someone down to this!
  • Around two-thirds have their "Reports" at 50 pages or less - if we assume that by "report" we mean Supervisory as well as Internal, the PRA won't be too chuffed with that given their comments at the December industry seminar.
  • Only a third have submitted draft ORSA Reports to the PRA and received feedback
  • Coverage of emerging risk appears to be an area which not only do respondees think is lacking, but has received critical feedback from the PRA
That half have used external consultants in their ORSA work to-date is certainly no surprise. I'd be worried if that consultancy had more than a year's dust on it though, so think hard before you start submitting your 2014 gear!

FTSE Insurers and Solvency II costs - quick round up

So I'm back to work after a well earned pit stop back home. I'll start with a summary of all goings-on in the Solvency II world over the summer using the following complex schematic...


Solvency II implementation costs to insurers, having experienced feast and famine over the last 2 years, will be firmly back on the bean counters' agendas now the finish line is in sight. In the past I had mopped up the 2013 financial year end here, the 2013 interims here, and 2012's full year here, so there are plenty of numbers out there for those interested.

I've therefore taken a quick look at some of the UK interim reports out over the last couple of weeks, just to see what costs/lobbying elements are included. It has been pretty dry going, which may reflect analyst fatigue on the matter more than insurer ambivalence, but I'd flag the following;

Aviva
- Costs which are "mostly" Solvency II at £41m for the half year
- No substantive comments on current legislative position

RSA
- Costs of £14m for the half year, against £20m for all of last year
- Amusingly classify Solvency II expense as "One-off non-operating costs"!

Standard Life
- "...expect [their] capital position to remain strong following implementation"
- No reference to costs

Prudential
- Implementation costs (broken out into p10 of this IFRS supplement) of £11m for half year, versus £13m for the comparable half-year, and £29m for all of 2013
- "...preparations are well advanced"
- Backwards in coming forwards over the likelihood of model approval and valuation assumptions (p17)
- Domicile change still left dangling (p24)

Old Mutual
- "...well positioned" for Solvency II, though "...continue to experience a degree of uncertainty"
- Nothing on costs

Legal and General
- "...expect the final outcome on Solvency II to result in a lower Group Solvency Capital ratio" than existing EC. They stress in their accompanying presentation and in Nigel Wilson's speech that their existing EC is not Solvency II capital!
- Indication on p17 of the Analyst presentation notes where L&G and the ABI have potentially fallen out (hence their recent divorce)
- Nothing on costs

Wednesday, 2 April 2014

EIOPA's Implementing Technical Standards on Approval Processes - Cut and Paste?

EIOPA have at last commenced their work on "Level 2.5" regulation in the Solvency II world, and with it being something of a trip into the unknown (only their sister body ESMA appear to have performed a similar exercise to-date), their consultation papers will no doubt be getting torn apart like a parking ticket by Insurers and NCAs alike.

Open until the end of June with a view to presenting this particular batch to the European Commission for endorsement by the end of October, the ITS cover how the following approvals should be applied for and administered, with definitions and rationale provided in this cover note.
  • Use of Matching Adjustment
  • Use of Internal Model, "Major" changes to that model, and changes to the Model Change Policy (phew!)
  • Use of a Group Internal Model
  • Use of Undertaking-Specific Parameters (USPs)
  • Use of Ancillary Own Funds for SCR
  • Use of Special Purpose Vehicles for risk transference

For this post, I wanted to concentrate on the Internal Model-themed ITS (emboldened), specifically things which introduce something new to the table (i.e. not already in the thoughts of UK firms/regulators through the Directive, Delegated Acts, Preparatory Guidance or indeed the existing IMAP structure in the UK).

Therefore in the interests of recyclability, UK firms will be delighted by the requirements within this particular ITS - you will recognise the text as part of the Self-Assessment Template "tabs" which you would have been populating as part of IMAP over the last 2 years!

That text was of course co-opted from the Draft Implementing Measures from October 2011 (specifically Article 203 IM1 for the application requirements, IM2-IM8 for the model change and administrative process elements). These articles had disappeared from the latest version of the Delegated Acts, only to find their way into this ITS almost verbatim.

Elements which therefore show noteworthy change from that old text (other than semantics) include

  • The addition of a requirement for a (year-end 2014?) P&L Attribution to be submitted as part of the application.
  • Withdrawal of some of the ceremony around applying for a change to the Model Change Policy, which was a little more elaborate in the October '11 text (AMSB explanation and justification text, 6 month turnaround time for NCAs to make a ruling).
  • The same for an application for a Model Change itself, now seemingly less formal
  • Giving room for terms and conditions and transitional plans to be factored in to an NCA's decision on model approval
  • That more detail should be published on the NCA's website regarding the approval (namely that the scope of the IM should be disclosed, as well as risk categories and business units covered, which feels a touch commercially sensitive to me!)

I'm guessing this isn't the only ITS which is going to use this approach (i.e. ripping text directly out of the Oct 2011 Draft Implementing Measures where it has been seemingly jettisoned), so a bit of cross checking might help you second guess what is going to appear in the rest of the ITS!

Now I'm off to have a look at the others...


Monday, 31 March 2014

EIOPA's "Common Application Package" for Internal Model Applications - UK back to the drawing board?

The release of an EIOPA Opinion today may very well raise the hackles of the UK Insurance Industry, regarding a move towards a "Common Application Package" to be used across Europe for assessing internal model applications. This appears on the face of it to be disjoined from the internal model-related ITS already scheduled in EIOPA's calendar (p12) over the next couple of months.

Their "package", to be published after consultation with the National Competent Authorities themselves, will comprise of;

  • Instructions
  • A self-assessment
  • Background Information
  • An inventory of internal documentation
  • An explanatory document

Worth remembering at outset;


That said, a combination of EIOPA's desire for convergence, and the recently released and revised Delegated Acts may have a particularly destructive effect on existing IMAP efforts within the Solvency II Programmes of UK insurers. I have therefore had a deeper trawl through the Delegated Acts in order to find out what the practical implication of any changes in the redrafted Delegated Acts might be.

As anyone who has worked in the UK IMAP space will (un)happily tell you;
  • The PRA's approach to assessing internal model applications (inherited from its predecessor) involves deconstructing Solvency II Directive and Delegated Act text into sentences, and in some cases sentence fragments. This created over 300 "requirements".
  • Those are transferred into a spreadsheet list, within which firms are asked to list evidence of their ability to address each item (or why the requirement is not relevant).
  • That spreadsheet list is housed on an Excel workbook known as the SAT Template, which contains various other worksheets, all of which require manual population of some kind.
  • A fully populated SAT Template is required by the PRA for IMAP participants, along with some ancillary documents (listed here), supplemented by any further documentation which the legislation or EIOPA deem is compulsory.
It's not a tick-box exercise though...

The recent versions of the Delegated Acts which have been creeping around are therefore of some significance to this work. Over the last couple of years, firms will have populated a SAT Template which contained deconstructed sentences from the Solvency II Directive pre-Omnibus II, and the Delegated Act text from November 2011, both of which have now been superseded (without being too presumptuous!).

How do the changes affect the contents of firms' existing IMAP templates, and indeed does it matter? Well, it goes without saying that the SAT Template will need to be amended and reissued by the PRA, regardless of what EIOPA produce. The question for UK firms, having spent considerable money and resource on populating the template in 2011/2012, is whether or not to start from scratch, now that time is something of a luxury, and the end-game is more definitive.

With 2013 being something of a write-off for both Solvency II programmes and the PRA's IMAP campaign (although the costs suggest otherwise!), it is likely that existing SAT templates, crammed with bespoke explanatory text and document references, have either gathered dust for a month or twelve, or received only minimal maintenance.

To see exactly how much of those early efforts will be salvageable, I have taken a look at the Delegated Act articles from January 2014* regarding the Tests and Standards for Internal Model Approval (or 'TSIM', after the acronym allocated to these articles by the draughtsmen), and compared them against the November 2011 version of the same text, and found some significant changes in form and substance, which may render some of your earlier SAT population efforts chocolate-fireguard useful.

The 24 original TSIMs, once deconstructed, represent over 200 (almost two-thirds) of the "requirements" listed within the SAT template, so any changes in them could massively impact the recyclability of existing content.

IMAP Changes - has EIOPA gone Gaga?
I found, of those 24;
  • 6 are unchanged verbatim
  • 2 have minor definitional tweaks, but are otherwise unchanged
  • 2 have been merged
  • 2 'new' articles have been introduced into the section, though neither are labelled "TSIM" at this point.
  • All others have been changed in at least form, and in the majority of cases, substance
IMAP candidate firms have therefore been left to contend with more awkward changes than a Lady Gaga concert in a broom cupboard...

Those which have received the most aggressive reworking include;
  • Article 225 TSIM 15 - Management Actions
  • Article 229 TSIM 18 - Model Validation Process
  • Article 230 TSIM 19 - Validation Tools
  • Article 232 TSIM 21 - Minimum content of the documentation
It is fair to say therefore that UK-centred internal model applicants may struggle to recycle their existing IMAP drafting efforts without re-engaging Business-As-Usual staff in a substantial way, and that is before we even get to what EIOPA may propose in the "common application package". It also remains to be seen how the other European countries react to the likely Anglicisation of internal model assessment.

If you need help with this on your Solvency II Programme, don't be afraid to get in touch at allan@governance-matters.co.uk


* Just for reassurance, the TSIM text doesn't change between the January 2014 and March 2014 versions, but unless someone published the March version online, you'll have to take my word for that!

Wednesday, 26 March 2014

Solvency II Delegated Acts available online (kind of...), plus EIOPA's plans for 2014/15

So let's start with something a bit unexpected - DRAFT DELEGATED ACTS! ONLINE!

I'm not sure who the leaky uploader is (appears to be a Spanish consultancy firm), but the document is very much online. Sadly, it is only the January 2014 version, which as you will see in the rest of the post, has just been superseded, but it definitely pairs up with the version currently doing the rounds, I promise!

I have managed to get a sneak preview of the latest version of this document (dated 14th March) which has seemingly managed to burst the banks of the tightly-knit circle of advisors, and is now no doubt winging its way to a Solvency II Programme Director near you! There are "tracked changes" on the March document now circulating, which only appear to cover changes since the emergence of the January document hyperlinked above.

Lord help anyone who wants to trace it back to the more familiar 2011 (unpublished) draft, you might as well draw a load of foxheads on sticks...

Insurance Europe were obviously part of the privileged few for the March revisions, hence they fired out this missive last week regarding all of the Pillar 1 technical areas which they feel (on behalf of the industry) remain deficient. There are no real surprises in their list - it is the same topics which have been on the whinge-list since EIOPA's LTGA last year, and indeed earlier in the case of the Currency Risk approach and Own Funds classification.

Following on from the draft Delegated Acts being made more widely available, there has been a reasonable amount of noise in the paid-for press (here, here and here for subscribers), as well as Insurance Europe's top man having a lobbying call published in the FT (here).

Being more of a Pillar 2 man myself, I thought I would check to see what, if anything, had been tweaked in my areas of interest. The impression given earlier this year was that little had changed outside of the Long-Term Guarantee elements, and that was certainly true if you compared the November 2011 and January 2014 documents.

However, having examined the amendments in the March 2014 version, I have found that a few areas of governance (both SOG and Internal Model governance) which were previously untouched have actually received a fair bit of treatment, for example;
  • Changes to the requirements for internal audit function holders not to cover multiple control functions (this constraint has been removed). This is presumably to pacify the smaller firms across Europe who have a Risk/Compliance/Internal Audit multi-tasker, so textbook "three lines of defence" have taken a bath in the interests of proportionality.
  • The devil remains in the detail though, as the amended text allows someone to "carry out" more than the IA function, but seems to stop shy of them "taking responsibility" for other functions. Not sure how that will work in practice.
  • Changes in the IM Validation space, in particular the removal of the requirement for a "Validation Policy". Fair to say most firms in IMAP would have produced one of these at least a year ago now (plenty of industry references here, here, here (p8) and here for example!), and while still a document of merit, does a "validation policy" now constitute gold-plating?
  • Changes in the required Internal Model Documentation, targeting a much slimmer set of compulsory documents. This includes replacing a number of "policies" with "descriptions of...", which will no doubt be well received by those supervisors with multiple internal models to assess over the next 18 months!
  • The tiered timescales for submitting QRTs, SFCRs and RSRs have now moved into the Directive, via Omnibus II text (as opposed to having been deleted, which is what it looks like at first glance!)
  • A few of the other TSIM articles (Tests and Standards for Internal Model Approval) have been enhanced. "At least quarterly..." assessment of the IM's coverage of material risks is now specified, for example. Quite how the hard-coding of the regularity cramps your actuaries' style is another thing!
I strongly suggest you all get back to work and check for yourselves!

Thursday, 20 March 2014

The PRA and Insurer Business Model Analysis - emerging risks into capital add-ons?

A rather revealing "topical article" was pushed out by our pals at the PRA this week, mouthwateringly titled "The role of business model analysis in the supervision of insurers".

I obviously threw my Woman's Weekly professional reading materials to one side in order to see how much juice there was in this particular fruit, and it is certainly worth a glance for anyone in the risk management game, if only for the idiot's guide to Life and General insurer business models it provides!

Ironically, in the Life Insurer case (where they have chosen 'non-standard annuities' as a paradigm-changing product offering), they weren't able to forecast yesterday's scuppering of the UK annuities market in its entirety in their business model analysis!

It actually reads as quite a good case study in how we should be conducting emerging risk assessment against one's prevailing strategy, walking through specific changes in the operating environments of Life and General Insurers driven by both exogenous and endogenous factors.

The price comparison website example is a good illustration of how a strategic risk filters down into second-order risks which require reconsideration. The annuity example shows how competitors can affect both existing new business streams and the risk profile of one's existing book.

There is evidently an enormous emphasis being paid in the regulator's BMA activity to those grim business school concepts no doubt already permeating your emerging risk assessment processes such as SWOT and PESTLE analysis, as well as what (in future) will be supplied under Solvency II, most notably Profit and Loss Attributions and ORSA supervisory reports. I'm sure we will see over the next couple of years how the PRA's demand for these very sensitive in-house outputs materialises into supervisory action!

What perhaps Risk and Capital Management functions should be particularly cautious of is the leitmotif of the PRA "responding pre-emptively" where they feel that profits are not aligned with the risks insurance firms are taking. The following quote is of particular concern, as I can't see how this and the ORSA supervisory report aren't sharing the same womb (my emphasis)!;
"...the results of a BMA exercise help to inform the PRA's expectations of a firm's financial and non-financial resources. For example, the PRA might raise capital requirements, or require a firm to improve its governance process, to address weaknesses identified by BMA"
Bearing in mind we are months away from the first glut of ORSA material being delivered to Moorgate's finest, is the industry about to fertilise an expensive new world of capital add-ons via supplementary business model disclosure?

I appreciate that it has been emphasised by the PRA (p8) that ORSAs, and their supervisory reports, simply cannot be used to set regulatory capital, but in the context of what is being stated by the BMA team here, would they really be ignored?