Governance Matters...on Solvency II: 2015

Saturday 12 September 2015

EIOPA's Bernadino with keynote speech - D'ohs and Don'ts...

Solvency II implementation
- Homer called it...

The latest pit stop on the Solvency II Last Legs tour was in the picturesque, almost-an-anagram, Slovenia, where EIOPA's gaffer joined a throng of hearty souls to deliver a keynote speech last week.

Given that the outside world is seemingly becoming more sensititve to the ensuing changes (at least from a capital adequacy perspective), it has been noticeable that EIOPA's speeches have become heavier in practical tone rather than the flabbier ethereal tones of yesteryear. In particular, conduct risks, conflicts of interest and the importance of an effective second pillar to counter the aggression and self interest of distribution arms/firms have all become prominent features of what is being touted as the Solvency II benefits package. Given what it has cost, we'd better deliver it!

Back to the speech, a few basic soundbites are littered throughout, which might benefit your training packs for the home stretch;

Solvency II is "EIOPA's top priority",
It is a "pretty good starting point", rather than perfect, is "...a must and a true game changer", and "brings a new risk culture"
It is "a tool to foster a true risk culture in the organisation"
"It is clear that Solvency II will bring more awareness and transparency on the true risk profile of certain business models"
It will deliver "intelligent and effective regulation which does not stifle innovation"

A couple of open-ended questions emerge from the text itself;

Does Solvency II only "encourage" firms to define their risk profiles and risk appetites, as opposed to compel it?
Is the Solvency II take on ORSA really "best practice at international level" - seems fair, but does anyone else want a shot at the title!
Why is "overall solvency needs" constantly accompanied by bunny ears - if these guys aren't convinced by the term, what hope does the industry have of driving it into the glossary!
Is it just executives who need to know that ORSA is a "cultural change", as opposed to NEDs, non C-suite senior management and wider stakeholders. Institutional investors would surely benefit a 101 class, given their demonstrable views on what SCR coverage ratios mean for the plausibility of some firm's strategies, and while Sr. Bernadino comments that "...effort needs to be made" to explain SCR volatility on p8, a dawn chorus with Karel van Hulle on how "ridiculous" the outside world's expectations are doesn't even qualify as an hors d'ouevre.
That risk culture provides "...an appropriate balance with the natural sales driven culture" - EIOPA have alluded to this before, but never quite as explicitly as this. If the Risk function's job is predominantly to counter sales activity, can it ever be seen as value adding?

And a couple of specific themes are given special treatment for everyone's benefit;

Prudent Person Principle and the investment strategy of insurers

PPP emphasised as not giving insurers a freebie to hit the roulette tables with their asset book, and will be "...closely monitored".
Current environment encourages aggressive monitoring, with the "search for yield" quote now ubiquitous in supervisory speeches which touch on macro matters.
"Asset risk calibration in Solvency II should not be used to privilege or incentive any specific asset class" - not convinced on this front, given the remit of your friendly local CIO must contain an element of maximising gains within appetite, and the calibration can surely influence that.

Product availability

"Solvency II does not intend to unduly penalise specific products" - evidently does though, hence the sprint to the door from Ergo et al in the guaranteed interest rate product space (not unduly though to be fair, given the Teutonic pleas for transitional mercy!)

ORSA and Risk Culture

The section somewhat labours the point on coverage of all risks, assessment of all mitigation techniques, and the role of the Board in driving the associated cultural changes, but I guess given the geographical location of the speech, some of the nearby countries may benefit from the encore un foi approach - no names naturally...
"Capital will never cover up for the lack of proper governance"
"ORSA is based on the companies' DNA - their strategy"
"The key role in the implementation of ORSA belongs to the top management"
"It is up to the Boards to set, communicate and enforce a strong risk culture..."

Insurers and Supervisors in general

Talks of Risk Functions needing the correct skills to assess risks in asset classes - is there an implication here that functions will be light on quantitative skills post-2016?
Squares the circle of prudential and conduct risks on p7, talking of mitigating conduct risks "since inception" in one's product development, design and marketing processes.
That Solvency II "...requires an increased degree of supervisory judgement" in order to intervene at the right time, and the new supervisory requirements represent "...an upgrade in the quality of supervision". I'm sure some countries might take that as something of a slight, given the maturity of their existing processes, but probably fair for the majority.

Plenty of fuel for your respective Board and Senior Management briefing fires, so go forth and propogate!

Friday 28 August 2015

UK Senior Insurance Managers Regime - just be natural...

The PRA’s Supervisory Statement on Strengthening Individual Accountability in Insurance (SS35/15) has been released, not that far apart from their demolition job on Co-op Bank’s system of governance, which demonstrated something of an absence of such accountability across all three lines of defence, quite a feat!

While the Banking industry have been catered for on this topic with a few more bells and whistles, most noticeably by including an element of criminal liability for their senior management (thanks Fred!), the approach for insurers and banks is supposed to be largely consistent.

The doc itself rather awkwardly references multiple sections of the incoming PRA Rulebook which, as yet at least, doesn’t exist as a conventional reference site, though it is due for release in “the summer” (the PRA subsequently released the new site 3 days after I published this post - that'll teach me!). It still pays to fish through the appendices of old Consultation Papers to get the materials cross referenced in this Supervisory Statement (here for most of them, from p44)

SIMF Interviews - "Next"...

I did cover this topic when the consultation paper first hit the table, and for those of a nervous disposition, the PRA have since produced a nice one-pager summarising what you need to know in the context of Approved Persons, Solvency II etc here (and done so much better than me, I hasten to add!). In addition, the transitional map from CF-XX to SIMF-YY is already available here.

I had a look through (largely ignoring the Group and Third Country specifics) to see if there was anything new and exciting since the consultation, and naturally there isn't! That said, the industry feedback received is detailed here (section 2), while I noted a few things below for my own benefit;

PRA not concerned about individuals located overseas, unless they are involved in strategic implementation, as opposed to strategy formulation (2.11).
Alerting to potential PRA blocking of SIMF applications where someone wishes to wear more than one hat, citing the obvious CEO & Chair example (2.15)
Persons allowed to do the same function in more than one firm - targeted perhaps at the floating actuary contignent who do the CF12 job for a few firms?
Awkwardly try to accommodate SIMF job-sharing, but lean towards discouraging it in the text (2.17-2.19)
List a few examples of what firms might consider to be "Key Functions" over and above those named in the Solvency II legislation, being particularly keen on Investments (2.25 and 2.27)
On the list of 11 Prescribed Responsibilities, they do their best to keep the NED world out of assuming any of them (2.40)!
Some attempt to informally restrict Chairpersons from filling their time with multiple other roles and responsibilities (2.44)
A timely reference, given the Co-op Bank Final Notice, to ensuring that Boards understand the Threshold Conditions (p12-13) and Fundamental Rules.

The Individual Conduct Standards (from p16) all seem fair at face value, with a bit of devil in the details, such as;

Key function holders being told (3.19) to not only meet the letter of the prevailing regulatory system, but also not to engage in "...creative compliance or regulatory arbitrage" - spoilsports!
Expectations that Key Function holders "take reasonable steps" to ensure that the business has sufficient systems of control, even if they delegate some, or indeed most, of the associated tasks themselves (3.20-3.22).
That should you breach any of the Conduct Standards, it materially affects your fitness and/or propriety, and therefore the PRA expect to be notified

Finally, to clear up that age-old debate, the PRA clarified in 2.4 that it "...does not expect persons other than natural persons to be approved for a SIMF". Anyone with career ambitions had better lay off the Botox and Bronzing then...

Wednesday 26 August 2015

PRA Final Notice on Co-op Bank - "cautious", with blurry lines...

"Two straws please"...

The PRA published a Final Notice last week regarding the numerous shortcomings of a UK bank over the last few years, which included the news of a colossal £121m fine which the PRA would have levied if the entity wasn't still losing wedge faster than a mojito in a cement mixer.

I'm sure some of us chortled at the Chrystal Methodist headlines a couple of years ago when the Non-Executive Chair of the UK's Co-operative Bank had his numerous vices sold to the highest tabloid bidder by a rented acquaintance. I covered some of the initial fallout on here, themed mostly around reputational risk and fit and proper persons, given the exponential effects of the exposé on the ultimate failure of the Group in its form at the time.

A document covering part of Co-op's demise, specifically its Bank, was released last week by the PRA,

The PRA's Final Notice to the Co-op Bank is issued publicly, and highlights where the firm breached what were at the time the FSA's Principles for Business, replaced since the PRA/FCA divorce by the PRA's Fundamental Rules.

Included in the Final Notice on this matter was a number of matters which risk practitioners should be salivating over, given the failures which led to this punishment include

Inappropriate culture,
Internal control framework failures,
Ineffective risk management policies, and, the jackpot,
A "three lines of defence" model "...flawed in both design and operation"!

The activities demonstrating this include a woeful suite of incomplete management information, three horrendously chancy accounting interpretations benefiting the balance sheet at the expense of real-world accuracy, and a suite of defensive line failures, all of which are followed through in forensic detail.

I have sectioned my notes below for my own use, particularly given the PRA goes on something of a limb here and provide usable definitions for certain terms which I suspect many practitioners would benefit from reading. The PRA (and EIOPA) generally try to dodge requests for definitions, so while the peg is square and the hole is round, it might be as good as you get!

Definitions and expressions

Three lines of defence - "This is a system which relies on there being an opportunity at three complementary and independent levels to identify and correct any control failures".
Second line of defence - "Second line functions should support and challenge the management of risks firm-wide, by expressing views within a firm on the appropriateness of the level of risks being run"
The above is supplemented by the following: "Responsibility for risk should not be delegated to risk management and control functions" - amen brother!
Third line of defence - "Internal Audit should provide independent assurance over firms' internal controls, risk management and governance"
Risk Appetite - "A firm's stated risk appetite is an important factor in determining whether a firm's risk and control framework is commensurate with [the] nature of its business, and should be both integral to a firm's strategy and at the heart of its risk management system" - not far off a direct quote from last year's Approach Paper on Banking Supervision (p22), though it has moved from "foundation" to "heart" in this Final Notice. I know what I prefer to build on!
"Clearly-defined strategy" - they list "well-defined objectives, responsibilities and milestones" as expected
Policies - "The establishment of appropriate policies [and procedures] governing the conduct of a firm's activities is an essential component in the exercise of appropriate organisation and control of a firm's business"
"Good risk management culture" (p7) - interestingly an expression most bodies have avoided using, preferring "sound" to "good". They later go on to talk of culture more generically in terms of "right" and "inappropriate" (p33).

Observations

Interestingly, Co-op Bank never refer to operating "3LOD" until their 2012 Annual Report (p56 for the boilerplate and clearly untrue definitions), so any deficiencies in the model before that year might be for a good reason!
First line management oversight was seen as "inadequate" and "inappropriate" (p12)
Their second line managers "...repeatedly voiced concerns" about headcount (p29), which weren't addressed until the back end of the period under scrutiny. Hard to think post-2007 it would be hard to justify reinforcing that area of the business, which perhaps says a lot about the entity's culture.
Second line not monitoring adherence to policies (p29) - quite hard to conceive of nobody in the second line doing this!
A clear distinction made more than once between "Risk Management Framework Policies" and "adequate policies and procedures" relating to operational matters (p5)
Some of the failure to follow 'internal policies' seems to have been sponsored by the acquisition of the Britannia book - perhaps a natural by-product of M&A activity, where the cultures and modus operandi clash (p21)
Second line criticised for not providing proper "independent challenge" - happy to see this, given the focus tends to be on second line oversight, which always feels like a bit of a jib-job.
Third line giving the business credit for proposed remedial action in its audit reports (p31) - even taking this into account, they were rolling over around 30% of recommended actions in their reports as "overdue"!
Head of Internal Audit reported to the Head of Risk
An implication that one may be permitted shortcomings in one's internal control framework, providing one's culture is "appropriate" (p5).
An interesting slant on reputational risk emerges from one of the accounting interpretations used, specifically that while assuming a particular accounting treatment (on the Leek notes in this case) which benefits the entity at the expense of counterparty might benefit the immediate balance sheet, the long-term effect on being able to raise new capital must be considered (p16)
External Auditors using a 1-to-7 scale to assess how punitive/liberal the accounting treatments used by clients are. These assessments have bitten this particular client on the bum, given the PRA quote them in the document in the context of whether they align with a "cautious" risk taker!

Open ended questions

Is "cautious" a realistic appetite for risk at Entity level? More importantly, if one has a "cautious" risk appetite, is one obliged to manage its capital "cautiously"?
Management information was criticised for not being "sufficiently forward looking" - should it be (as opposed to mostly summarising positions at a point in time)?
Is the PRA allocating resources to firms based on their Risk Appetite Statements (p13)?
Is it possible for non-Accounting experts working in the second line to identify just how many ropey interpretations of UK GAAP/IFRS are being applied to a balance sheet? Is it plausible to leave such work to external audit firms who couldn't have a more vested interest in the grey areas of such legislation? The artificial boosting of the balance sheet listed in this notice would be subtle enough to trick an accountant or two I'd bet!
Can quant risks be effectively managed in a separate team from the qualitative world? Appreciating there is a shockingly blurry line in Co-op Bank's approach (p29), it certainly feels like Solvency II pressures might lead to similar pressures on the staffing front, particularly for modellers and small/medium sized firms where staff may wear more than one hat.

Wednesday 12 August 2015

Insurance Banana Skins in 2015 - PwC and CSFI

PwC and the CSFI guys have teamed up for another Insurance Banana Skins publication, a particularly useful doc for the BAU Risk world, and one which I have covered on the blog in years gone by (well, 2011's and 2013's anyway).

In particular, I always found it useful as a means of digging out the kinds of awkward cross-bred expressions which would invariably end up rolling out of 75-year-old INEDs’ mouths at the next Risk Committee meeting, probably due to someone trying to sell insurance cover for it, or a business journal doing a centre spread about it. On this basis, I was delighted to see “Cyber Risk” given prominence this time around, which is the highest new entry, and apparently a “new risk” - here’s the sales forum, and here’s the HBR white paper!

Sarcasm aside, given this pulled in over 800 responses from around the globe, and across the distribution and provision side of the industry, the content is worth poring over and briefing colleagues on if this is your day job. There are also plenty of quotes from the great and good wrapped up inside as well.

I’ve only jumped on a few of the findings below;

Regulation remains the top risk for the 3^rd survey running, and for the 4^th out of the 5 actually held. It did take a ‘world’s end’ scenario for investment returns to knock it off the top in 2009 though, which suggests that those surveyed are happy to bleat about regulatory concerns, regardless of the rest of the exogenous threats to insurance firms.

Much of the top ten is focused on investments and returns, whether it be interest rates, investment performance or guarantees.

Governance and management of insurance companies seen as an area of declining risk – does it therefore warrant the Banking industry-inspired whip that SIMR is about to introduce in the UK?

Similarly, Business Practices, incorporating misselling, is falling down the list – not sure a UK-only survey would be so generous!

Cyber Risk itself was only #6 on the list for Life Companies, while #1 for Non-Life – wonder why the guys who are selling cover rate it so highly? Of more interest, North America had it as #1 “by some margin” – this suggests the wave will be coming across the Atlantic in the next 12 months (a nice precursor of how that will emerge here)! It is written up nicely however, with cloud storage, and the richness of data held on customers, being elements which make insurers prime targets. It doesn’t dwell on the proliferation of legacy systems in insurers however, which always felt to me a good reason for criminals to ‘have a crack’.

Europe considered the interest rate environment, regulation and guarantees to be the top 3 banana skins, which given the aggressive tailoring applied to Solvency II in the drafting stages to negate country-specific difficulties in these areas (MA/VA/Transitionals), is no surprise.

Oh, to have a day job again…

Tuesday 11 August 2015

"Dear Deidre" - Cross border insurance flogging under General Good provisions

One for giggles more than anything else. The other day I spotted a response from Lord Hill, the esteemed EC Commissioner for Financial Stability, to a question arising from Deidre Clune, a relatively new Irish member of the European Parliament.

Good question, wrong Deidre...

Specifically, the question related to a Maltese-licenced insurer which hit the skids back in 2014, with the CBoI's summary information here. It seemingly only wrote business in Ireland (hence I suspect it was cheekily named after Ireland's TV sports channel to aid sales!), and therefore left every White Van Man/Woman without cover, until Ireland's Insurance Compensation Fund stepped in.

A few things stood out about this exchange;

The then prospective MEP used the incident as political currency in the election campaign - "Vote me in, and I'll personally fix the EU insurance industry...", she almost said!
That Ireland, the log-term epicentre of EU cross-border distribution and birthplace of Quinn (which almost turned over the UK White-Vanners back in 2010), would have the brass to nibble at the hand that feeds it! Only 3 months ago, the CBoI's Sylvia Cronin was warning of a likely "...increase in cross-border activity", and at the same time EIOPA's Sr. Bernadino left a not-too-subtle hint that "In the specific case of the Irish insurance market, special attention needs to be devoted to the fulfilment of the general good provisions of host countries by the companies selling cross-border."
That it took 6 months to get an answer to Deidre's very basic question (at least according to her first public mention of a response in this media article). It took an extra two months for that answer to be published formally.
That in that article she was reported to believe that the measures spelled out by Lord Hill were to "...prevent this from happening again" (as opposed to enhance policyholder protection while facilitating orderly failures when they occur, etc etc). To be clear though, that is quoting the article, not the member!

Does anyone think that now, even after EIOPA's efforts to-date, that supervisory colleges will be effective enough to prevent these kind of events, or do we just buy local and hope for the best?

2015 FTSE Interim Reporting and Solvency II costs - forewarned and forearmed?

Solvency II costs - impressed?

I always liked to keep an eye on the FTSE lads’ Interim and Full Year pronouncements on the Solvency II front back in the day, but given the legslative delays and sporadic cost reporting over the last couple of years, plus the internal model hokey-cokey, disclosures on the topic have been “Slim Pickens” to say the least.

For those interested, the sweep I did last year is here, and while a few of the firms featured have attempted to expand out, they have largely disclosed the same information as last year (Boiler-plate disclosures? Never!).

However, a few of the great and good have chirped up some extras about Solvency II on the home straight, none more revealing than the Canary-supporting egg-chasers at Aviva. They dished up the basics as a matter of course;

Solvency II costs of £46m for the half year (£39m for last half year)

Submitted Solvency II internal model in June and expect approval in December. – must be a good one, Hannover Re-style!

Currently operating within our expected Solvency II target range, regardless of any changes in economic capital surplus quantum and composition driven by Solvency II

The InsuranceERM lads expanded on that, having presumably dialled in to associated conference call! In a suit-and-tie version of Surprise Surprise (R.I.P Cilla), the CEO shocked listeners with the following statements;

"[Solvency II] has taken an inordinate amount of management time and I'd really like that time back"

"It has cost us in the region of £400m [$620m]. This figure does not impress me one little bit…” – to my shame I did do the countback on published costs, as if a CEO couldn’t count to £400m, and it does add up!

RSA, in between flirting sessions with the watchmaking fraternity, were similarly revealing, confirming;

Solvency II costs of £14m for the half year (same as last half-year)

“…application for Internal Model approval under Solvency II has been submitted and we target a positive outcome by year end”

"…current Internal Model for Solvency II shows higher coverage ratios than our ECA model.”

Old Mutual does its best to treat the SAM/Solvency II imposters the same in its reporting, but in recent times has been light on our side. There was a bit more in the bag this time round though, particularly;

"Based on the current underlying timetable and regulation of Solvency II, we estimate the total cost of completion will be up to £20 million, of which £10 million will be incurred in H2 2015, and the balance running into H1 2016".

"The Solvency II regime will introduce a different lens through which to look at Group capital. It will use a more conservative 1 in 200 stress scenario in determining capital requirements and apply a more rules-based determination of capital fungibility and transferability"

Given their tone on the “inherent conservatism” of Solvency II and their loving gazes at the existing FGD treatment of capital fungibility, can we read some indifference to their current treatment as a Group by the PRA, perhaps?

"During July 2015, we completed our initial reporting to regulators under the interim arrangements of Solvency II"

I suppose the biggest surprises continue to be the (potential) absence of compulsion to internally model for entities such as Old Mutual (confirmed as “out” of IMAP on p82 here). Given the PRA’s pronouncements on Standard Formula appropriateness and capital add-ons, you might expect them to be marched down the aisle before too long.

Standard Life,perhaps betraying where their strategic priorities lie (nicely covered here), did little more than state that they will “remain strong” on the capital front – nothing on costs, nothing on implications, and nothing on modelling (though they confirm here that they are “in” apparently!). “In”, but on the naughty step perhaps, or is the topic just unworthy of comment?

L&G were happy to talk technical, rather than cry about hundreds and millions of pounds of spilt milk – their release touched on the following;

Implementing a ‘capital-lite’ model for bulk annuity new business, by reinsuring out some of the risk (light detail here and here, more detail on p5 of the interims).

Solvency II internal model is being reviewed by the PRA, and “…It is anticipated that our Solvency II internal model will be approved in Q4 2015, ready for use on the Solvency II go live date - 1 January 2016”

Also have applications in for the use of transitionals, matching adjustments and using deduction and aggregation for its American business

“We expect the final outcome of Solvency II to result in a lower Group capital surplus and solvency ratio than the Economic Capital basis. Our Economic Capital model has not been reviewed by the Prudential Regulatory Authority (PRA), nor will it be.”

"We note recent clarification from the PRA to the effect that transitional capital will count as Tier One capital, including for assessments of dividend-paying capacity". This is particularly piquant given Sam Woods’ coverage of the “dividend” issue a few weeks ago when trying to reassure a room full of analysts that the insurance sector isn’t a busted flush from an investment perspective!

A busy reporting week for sure, with seemingly no horror stories come at the top-end of the UK Insurance Industry...Including a post-script from the Pru today.

They have revealed a miniscule spend of £17m on Solvency II costs in the year-to-date (against £28m for all of last year), as well as a few nuggets in the same vein as the competition;

"...we submitted our Solvency II internal model applications to the Prudential Regulation Authority in June 2015"
"We continue to seek opportunities to transfer longevity risk to reinsurers or to the capital markets and have transacted when terms are sufficiently attractive and aligned with our risk management framework."
"We also noted at the time that certain aspects of our economic capital methodology are different to those required under Solvency II and that the outcome under Solvency II would be lower than our reported economic capital level. This remains the case." - same issue as Old Mutual, one presumes?

They even dropped a Solvency II slide into this morning's presentation pack (slide 28). Interesting that they go to the trouble of highlighting that the transitionals and risk margin "broadly offset" on the UK Life book, as well as their distinct gripes in their Asian and US businesses.

...and another post-script from Royal London (so I have everything on one page!)

Royal London will use the Solvency II standard formula approach initially and will consider seeking approval for its internal capital model in due course

We expect to meet the new Capital requirements without material adverse impact on policyholders but there are significant details which remain to be clarified about the new regime. It is possible the outcome from Solvency II will require insurance companies to hold more regulatory capital than is currently required. If Royal London was required to hold significantly increased capital, then the levels of Royal London Profit Share we are able to allocate to our participating members may need to be restricted

...and two more post scripts: firstly Admiral

"Admiral is developing an internal economic capital model which will be used to calculate regulatory capital requirements following approvals from the Group's regulators in the UK and Gibraltar. Such approval is not likely to be sought or granted before 2017."
"The Group's regulatory capital from January 2016 will, therefore, be based on the Solvency II Standard Formula, with a capital add-on agreed by the PRA to reflect recognised limitations in the Standard Formula with regards to Admiral Group's business (predominantly in respect of profit commission arrangements in co- and reinsurance agreements and risks arising from actual and potential Periodic Payment Order (PPO) claims)."
"The level of capital add-on and resulting Group capital requirement from January 2016 is expected to be confirmed by the PRA in the final quarter of 2015."

...and secondly Phoenix

"...submitted its application for regulatory approval of its Internal Model in June 2015"
"...Group capital position under Solvency II expected to be in excess [of current surplus]
"Over 2015, clarity on Solvency II regulations has improved but uncertainties remain in relation to the Group's IMAP and other Solvency II-related applications"

Wednesday 24 June 2015

CRO Forum on Risk Culture - comin' from the body heat?

Risk Culture
- need another hero?

A subject which is gathering more steam than Tina Turner's windows, Risk Culture has been given the kid gloves treatment by the CRO Forum in their paper, Sound Risk Culture in the Insurance Industry.

They say at the start that the topic has become "prominent in regulatory circles", which given EIOPA appear to be wining and dining the subject (here and here in the last couple of weeks alone), is something of an understatement. Their increased interest has no doubt been fuelled by the FSB's work on the subject from a year ago. In addition, the Financial Reporting Council took a shine to the topic in its last update of guidelines in late 2014 (point 27 in particular), while cultural failings have turned the FCA into a modern day Robin Hood (speech from inception time here).

As well as fiddling around the edges of definition, the paper expands on a few examples of where cultural change can be driven from, stealing from a few other industries (aviation in particular) and a couple of insurers (Zurich receiving particular attention).

They fundamental base they work from is pretty fair:

No "good" or "bad" culture, hence they talk about practices that encourage a "sound" risk culture throughout. Given that ropey culture does not necessarily prevent the achievement of strategic goals, this smart.
No "one-size-fits-all" concept of Risk Culture (i.e. don't look for one in this paper!)

That said, the definition used for the purposes of the paper from the NN Group CRO is actually a pretty good one - "shared philosophy of managing uncertainty" etc - though it does suggest that a failure in risk culture might simply be someone not sharing the philosophy, which I suspect is where a lot of your more pragmatic colleagues sit!

There are a number of sound inclusions throughout;

Emphasising the links between risk culture and conduct risk currently being force-fed to the industry by EIOPA (p3)
The chart on p6 showing survey results of essential elements of risk culture - senior management and Boards leading by example is evidently seen as more important than risk-based remuneration, despite the legislative attention the latter receives (including this week in the UK).
Zurich's internal 10 question survey on culture assessment - contains the gorgeous expression "organisational humility", as well as bringing some of the granular risk culture elements onto the table, such as treatment of whistleblowers.
Highlighting the "common phenomenon" of management teams containing people with the same personal attitudes - could benefit the creation of a "shared philosophy" without necessarily any of the benefits.
The illustration of NN Group's "Risk Culture Dashboard" (p11) - I don't have preference for it either way, but it does illustrate how much effort one can direct towards risk cultural identification, assessment and monitoring, which begs the question "is there that much value in it?" They seem to like it as a way of covenying the concept in the business in any case.
Pages 13-14 provide some good brain candy for those who have ambitions to educate or brief their colleagues on risk cultural matters. Zurich's "we are all risk managers" campaign looks like it probably has legs (more on it here).

There are a couple of mildly objectionable parts within;

Concepts of "Risk Vision" and "holistic" dropped in early doors and littered throughout, as well as a few extras such as "risk perspective" - the kind of obtuse terminologies which serve to divorce Risk functions from their colleagues
That firms should have a "clear vision" for their risk culture - why would something as opaque as culture be expected to be "clear". They don't even define it as a term in the paper!
Concerned that risk culture is "...only practiced by risk specialists" currently - how can this be if risk culture is "...an element that influences and is influence by various forces"?
Tha an organisation's corporate culture and risk culture "must be linked" - how are they not one and the same thing?
That Risk Appetite Statements are "effectively part of the business strategy" - as opposed to "actually"?
Use of the term Risk Profile as if it is unquantifiable, specifically that a firms who learn from their mistakes rather than chastise those who make them "tend to have a better risk profile". Not clever.

Tuesday 16 June 2015

ORSA's Head? International Actuarial Association on ORSA Value

Unknown unknowns
- just say it one more time...

A rather verbose piece from the International Actuarial Association, or AAI if you are inclined comme ça, on Delivering Value From ORSA. Always worth a glance over these at this stage of proceedings, regardless of which side of the Atlantic you are currently rocking (with both Canada and the States keeping noisy on the topic in recent weeks).

As one might expect from a publication from an actuarial representative body (and one which aims to cover all IAIS bases, rather than the specificities of US/Canada/EU ORSA), it struggles for semblance once it needs to cover non-quant, and is therefore heavily flannelized.

The definition used by the IAA is:

ORSA provides a declaration of the company’s assessment of its position in terms of profit, risk and capital, both now and in the future, under different scenarios and relative to the company’s appetite to risk.

The purpose of the paper is to provide Board members with "insight into the value of the ORSA Process", which is a noble aim in itself, and a few nice touches can be found throughout, in particular:

The word “profit” features on virtually every page, almost unheard of in the EIOPA Guideline world where being able to “enhance the management of the undertaking” is King. Heaven forbid anyone makes a quid or two out of it!
The coverage of how insurance companies tend to profile risk is clean and rational (p3).
The concept of mitigation through company policies, overseen by good governance structures, as opposed to either holding capital or purchasing mitigation, is also expressed with clarity.
“A company’s risk appetite, once determined by management and approved by the board, can be treated as a budget”. Lovely concept, though it needs more flesh to provide the 'insight on ORSA Process value' that the paper is intended to.

A few contradictions emerge in the document;

ORSA “needs to consider and be consistent with an insurance company’s business strategy” – does the process not need to as good as set it? Indeed, they go on to say on page 2 “The true value of ORSA can only be realized when ORSA becomes integral to management’s strategic decision making”!
Does ORSA “help build/maintain risk awareness throughout the company” – it would be a struggle to say it could do that any further than the relevant staff which EIOPA ultimately allude to.
Concept of “Solvency Risk Profile” is borderline unintelligible (p3)
Terminologically, the section on risk appetite and risk profile on p3 is heavily quant-based, and feels country miles away from similar materials published by the CRO Forum a few weeks back. Specifically, it talks of “acceptable levels” of solvency risk, “minimum and maximum bands”, and that in aggregate across risk categories “This band of acceptable risk is referred to as the risk appetite”. Given it doesn't appear to veer to far away from the FSB's take on Risk Appetite, perhaps this is more of a step forward than EIOPA's 2013 back pass to the AMSB on the matter (p59-60)
That models used should be “subject to independent validation” – is it that important if you are not using your model for regulatory capital purposes (i.e. just for ORSA)?
The residue of Rumsfeld, which I had hoped had been resigned to the Noughties dustbin, reappears on pages 7 & 8, specifically “A complete ORSA would include the assessment of unknown unknowns”. Pacino said it best in Godfather III…

Thursday 4 June 2015

Solvency II Updates and Corporate Governance in Financials - PRA "Back for Good"?

A few releases of note out of the UK regulator over the last working week or so means I had some catching up to do - sometimes it feels like "All I do each night is PRA"...

They started off with a Director's Letter just before the bank holiday weekend. A general unwillingness to crack whips was present throughout this doc, even at this late stage, with a few references to "inform your supervisor" as opposed to "just do it".

The letter states that the PRA were due to publish some of their findings from their balance sheet review work by the end of the month - not done as yet, hopefully turns out to be money well spent

Regarding Standard Formula appropriateness:

They stress that firms must identify deviations from Standard Formula from their risk profiles, and include an assessment of the significance of that deviation in their ORSAs (emphasised in their October industry presentation from p6)- is the implication here that firms are not doing this at all at the moment, or just not reporting it in ORSA?
Highlight that "supplementary information" used to explain such deviations will also be assessed by the PRA. Does this add significance to one's qualitative commentary around Standard Formula/Risk Profile deviations? Can a good explanation be the difference between having to IM/PIM at the earliest opportunity against being given a couple of years of capital add-on breathing room?
The PRA note that, "...where a firm's conclusion on this question is not appropriate", it will intervene. It is not clear how a firm's conclusions about its deviation between SF and its Risk Profile could be considered "not appropriate", but I imagine that anything which attempts to dodge USPs/PIM/IM ONCE the divergence hits the limits in the Delegated Acts (276-287) would be frowned upon. There is certainly no appetite at the PRA for renewing capital add-ons in perpetuity (slide 13), which given the UK's familiarity with ICA and ICG, might be a desperado's first chance saloon.
The PRA are planning "specific interventions" on this front (detailed here), but not necessarily in time to correct before 2016.

Regarding Internal Models

Not happy with "wide variation in quality of IM Change policies. Sounds like firms are doing their best to avoid change criteria that results in frequent submissions for reapproval, which one would expect!

IMAP Submissions
- Everything Changes

PRA seemingly expecting firms to have not only taken on board their feedback, but also had their IMs revalidated, before submitting their IM application. Given that validation will be chalked down as a 'once-a-year' job at the moment (despite the IRM's efforts), that seems highly unlikely. They give themselves a get-out-of-jail-free card though by stating that firms must be confident that any changes in their IMs both address PRA feedback and meet the tests and standards for model approval.
They appear to advise against submitting applications if you have a material change in the pipeline.
Heavily critical of Board involvement in validation. Here they look for evidence of Boards "overseeing and influencing" the validation process, whereas previous PRA presentation slides did not have such expectations of Boards (slide 8 here), or indeed expected more (slide 9 here)!
The expression "internal management loadings" appeared in my life for the first time, which sounds to a non-technical person like myself that firms are effectively "dumbing-up" the capital requirement currently delivered by their IM in order to plaster over mathematical or data weaknesses. PRA certainly not impressed by industry suggestions to date.
Given the number of firms who must have dropped out of looking for Day 1 approval, they still shake the pineapple tree here in order to remind applicants that contingency plans should be ready in the case of application failures. "Many firms still have a considerable amount of work to do" sounds to me like some applicants are being pre-warned of their imminent failure!

The PRA also released a consultation paper entitled Corporate Governance: Board Responsibilities, which has the rather light ambition of identifying "key aspects of good board governance to which the PRA attaches particular importance in the conduct of its supervision".

A few straggler items in it;

That failures in governance and/or risk management have been a key factor in "many" financial sector failures - as opposed to "all"
That they consider the FRC's Corporate Governance Code, amongst others, a "comprehensive guide to good corporate governance" - given the firms experiencing the financial sector failures were most probably complying with it, not a great advert!
"Culture is the collective responsibility of the Board" - a bit of a nowhere comment, but instinctively, I don't see how this can be right. They can be accountable to both supervisors and shareholders/members for cultural failings, but where could such a responsibility materialise into demonstrable actions?
"...the Board is responsible for the oversight of, but not for managing the business" - in relation to my comment directly above, can both statement be correct?
"The Risk Control Framework should flow from the Board's Risk Appetite" - I'll work on the premise that this is missing the word "statement" at the end of the line
Section 11 on remuneration expects that incentives are aligned with "prudent risk taking" - what if prudence is too conservative for one's risk appetite?

Into some of the expected themes;

Strategy to be "owned by the Board as a whole"
They wed Culture and Remuneration "...to encourage and enforce the kind of behaviours the Board wished to see"
They want a "well articulated and measurable" Risk Appetite Statement which can also be "...readily understood by employees throughout the business". Doesn't seem feasible, given the metrics commonly used in risk appetite statements are not exactly Finance 101 (Solvency/Liquidity/Earnings-related),
"It is the responsibility of the Board to ensure that the effectiveness of the Risk Control framework is kept actively under review" - has at least an air of COSO about it, don't think it was deliberate
Big section (6) on responsibilities and accountabilities of exec and non-exec directors.
Followed in 7.1 with "...non-executives should not simply delegate responsibility for major decisions to individuals among them who are considered specialist in the area" - this has internal models written all over it (p5-6)!

Happy to see this second document, though I don't know what it adds to firms' understanding about what is "good and bad".

Tuesday 2 June 2015

PWC's Risks in Review - White Paper, Black Sabbath...

A quick dive into the wider world of ERM, courtesy of one of our Big 4 friends, ambiguously titled Risks in Review. PwC's document (short sign-up required) is US-centric and multi-industry, so for the Solvency II crowd you might need to sift for the goodies (a good illustration of which side of the Atlantic it leans towards is that CFO.com reported on its highlights), but for anyone in the ERM space, there should be something for you here.

A bizarre stat is laid out at the beginning in that 73% of the 1,200+ senior executive[s] and Board members respondents to the survey agreed that "risks to their companies are increasing". Whether this be in reference to the number of risks faced, increases in the likelihood/severity of one's existing risk universe, or their perceptions on emerging risks, it certainly suggests that exogenous and endogenous concerns have not abated in the minds of corporate leaders. However, given the risk immaturity within firms that the rest of the document serves to highlight, the lack of definition is rather unhelpful.

Appetite - For Risk or Bats?

As the survey covers multiple industries, it has the more generic risk classifications in mind (i.e all major quantitative risk balled up into "Financial Risk"), which will no doubt gnaw at anyone on the financial services side, but at the same time, it's not all about you!

The pat on the back for those surveyed is the sobriquet of "true risk management leaders", handed out to 12% of respondents. It frankly doesn't feel like a valid aspiration for an entity, more that being a "risk management leader" would be an implicit part of the make up of any firm which successfully delivers on its strategic objectives.

That aside, the Leaders (of which financial services companies "...represent a sizeable portion" of!) are congratulated for;

Aligning RM Programs with their businesses.
Communicating Risk Appetite and Risk Tolerance through the business - nothing on hard risk limits in the paper though
Being "able to take greater business risks" - I don't necessarily make the link between being "good" at risk management equating to taking greater risks, unless that is part of the business strategy one has aligned the RM Program with.
Take aggregated views of risk over multiple areas
Using techniques such as emerging risk identification/forecasting, scenario planning and stress testing

Laggards on the other hand

Have no formal Risk Appetite Framework (only 38% of respondents do)
Don't integrate Risk Management Strategy with business strategy (only 31% do)

They also hook the leadership qualities of risk management to some quantitative "value of good risk management" work on p5 (a topic which Towers Watson recently tiptoed around due to a lack of quant), namely that their profit margins and margin growth will outstrip peers. The growth of profit margins might be a bum steer, as the macroeconomic environment is perhaps less kind to industries other than financial services, who of course would have seen margins peak comparably faster over recent years due to the size of the trough in 2006/08!

As ever, the lexicon used in papers such as this takes a dip in the lake of dubiosity, for example:

That companies should "...treat risk management strategically" - as opposed to what, "operationally"? This kind of expression suggests that risk is not already considered in strategy, which feels unfair and unrealistic, even on the immature firms surveyed. That there isn't a functional ERM Framework to enhance that work does not mean it isn't done at all.
Risk Appetite Framework should have "buy-in" from senior management and the Board. Why "buy-in"? They should be deeply involved in the construction of an RAF, and their successes or failures as management should be inextricably linked to operating in line with it, not asked to nod in approval at the next Board/EXCO
"Having a clearly defined risk appetite framework allows companies to quickly assess strategic decisions in the context of risk" - that of course was not a given...
They also follow the tactic used in the Towers Watson paper in referring to risk management "programs" as opposed to "systems" or "frameworks- again, I'm not trying to labour the sematics of it, but a Programme for me has an end, and the work of a risk management function simply does not. This is perhaps just a psychological angle being worked here to drill into prospective clients that Programs can be boosted with a burst of external advice, but I find it increasingly disagreeable, particularly given the risk management leadership traits highlighted in this document, which most certainly do not lend themselves to the workings of a transient Programme.

Other stand out points would include

Alignment of RM Programmes against each business function (p9) - horrible result for Sales & Marketing, even for Leaders, and suggests it is an area for us all to redouble our efforts
Similar to Towers, talk of firms "drowning in data" - cannot fathom this for the life of me, but perhaps that's because I can use pivot tables and SQL server!
GE Capital's approach to administering Risk Appetite (p16) - very clean, and in a manner which the CRO Forum would appreciate.
Finally, a really nice section on p19 which shows the discrepancies between executives and risk professionals regarding their own firms' prospects. The Fannie Mae CRO suggests that Risk Management staff are "paraniods by profession" which given his employer's recent history, doesn't mean people aren't out for you!

Thursday 28 May 2015

IRM on Internal Model Validation - Red Card or Green Card?

Cyclic Validation - Quelle horreur...

Just back from Paris, where I spent a weekend queueing behind selfie-taking tourists before taking out a second mortgage to buy bottled water. A beautiful place, though I found Depardieu was much quieter off-screen...

Onto the topic in hand, the PRA were pretty vicious back in the day on Validation efforts in their infancy, with Julian Adams lambasting both progress ("significantly behind") and validation scope ("narrow"). Given that the Solvency II sabbatical which bridged half of 2012 and all of 2013 gave firms time to catch up and widen, you might think that those with internal model ambitions would be pretty tidy by now. The PRA have even told firms how they believe "good" model application paperwork to look, carving out for themselves and the Validators of the world an easy-to-read "model reviewer" level of detail (p1).

In those salad days, Internal Model Validation felt to me like it would be the chernozem of the nascent Risk Management profession in insurers; a skill set that a quant or a non-quant could acquire, apply, and ultimately ease through the promotional path within insurance entities, given the depth and breadth of technical and strategic information the process challenges...

...but the moves never came. Despite the actuarial world themselves happily disassembling the complexities of quantitative modelling into easy-to-digest IM Validation themes, the non-quant world has waited patiently to see if anything of substance would emerge from one of its representative bodies.

And this week it arrived! The Institute of Risk Management has delivered, as part of its Internal Model Industry Forum (IMIF), a white paper on the validation cycle.

The IRM have been active in this area prior to the formation of the IMIF. I have covered an ERM in Insurance event at the start of 2014 here, while this more volumous slide pack featuring a number of the Billy and Betty Big Biscuits of the field emerged from summer of last year, when the IMIF seemed to come to fruition. This white paper itself appears to move along the concepts and ideas inside an IRM slide deck from last Christmas.

Given that the IRM is not-for-profit, there is always a likelihood that sponsors will unduly influence the products (indeed the IRM Chair notes in this that they rely on "enlightened industry support" to knock these documents out).

Sadly in this case, the sponsors include Three of the "Big 4" (with the fourth on the IMIF steering committee) , leaving the document dripping with consultancy hallmarks rather than pragmatic solutions to execute the tasks in hand.

That view is reinforced somewhat by this follow-on presentation to the IMIF from last week by this white paper's workstream lead and supporting consultant - one selected industry comment on slide 8 (presumably from a chocolate bar shortly before it ate itself) reads, "validators should really be experienced modellers"!

A few general points jump out of the white paper;

That a firm's IM is "...at the heart of risk and capital evaluation" - I thought it was supposed to "inform" this evaluation, not dominate it (slide 3 here, as well as Julian Adams's speech from a couple of years ago [p4]).
Is the insurance industry "...increasingly reliant on sophisticated models" - maybe in terms of AUM/Market Cap, but given the UK IMAP queue is down to approximately 40 firms out of over 400 (p4), and that number has steadily reduced over the last 3 years, feels a touch disingenuous. I've no doubt the firms represented on the Steering Group are "...increasingly reliant" though
The document claims to set out "best practice principles" - not sure if "practice" and "principle" share the same bed, but that aside, would anyone find it remotely acceptable to have the consultancy world fund a document which details "best practice" on IM Validation?

And a few stand out elements from the proposed Validation Cycle, which is heavily influenced by EIOPA's guidelines:

"Best practice now requires firms to demonstrate, with evidence, that the cycle...[is] being actively and effectively carried out" - how can best practice "require" anything from anyone?
"...resulting best practice that is emerging" (p4) - how is any practice considered "best" at this stage of proceedings, when we are literally practising! Against what criteria?
References to "model risk impact assessment" and the "model risk assessment process" (p5) seem to come from nowhere. Alluding to something formal, but not very clear
Lot of coverage of "triggers" of IM Validation, which feels like a fishing expedition for the paper sponsors, rather than direct address of L2 Art 241 - the number of areas of "change" to consider as IM Validation triggers covers pretty much any change, anywhere, both inside and outside of an insurer (p8)! Most would also be ad-hoc ORSA triggers in my experience, so this potentially sets up insurers for a bucketload of work every time they hear a pin drop.
Formulaic and periodic IM Validation a "needless cost"? Surely periodic validation, no matter how badly executed, is compulsory (L1 Art 125)?
The Trigger Impact Assessment stage (p10) is barely legible - "The trigger impact assessment against model risk appetite stage" - and terminologically it is all well above legislative requirements.
"Unexpected triggers" (p12) get a mention. Again, not making sense to me - you either know your triggers or not.
"Model validation is complex" and "less than black and white" (p16) - certainly is if you try and follow this process! A focus on plain questions and less quant can only help the models non-expert users (slide 7).
If the validation cycle, processes and execution are "continuously evolving" (p18), are they reliable? Feels difficult to meet L2 Art 241.3, at least from a planning and execution perspective, if the process is constantly being tinkered with
"Developing a communications strategy" (p20) as part of the validation scoping and planning stage feels terribly over-elaborate.
"Robust planning" expected to be common (p22), which doesn't necessarily marry up with the expectation of dynamic rather than cyclic validation in future (p10)

I think it is right to take the hump to a certain extent here. The PRA have been cunningly silent on capital add-ons to date, but given the implication that they will not be applied and renewed ICG-style (slide 13), there is likely to be many more less monied Partial IM applicants to follow over the next couple of years. Having the most influential consultancy firms decide on what is "best" in the validation world (and for it to have this many bells, whistles and legislative off-roads) feels like setting those firms up for either a fall, or another bill.

The PRA actually delivered something with much less padding to the IRM back at the end of 2013, so I'm struggling to see why that has justifiably been turbo-charged. Given they have three of their finest involved with the IMIF, but are continuing to be directly vocal on this topic (as recently as March 2015), it sends a worrying message to the capital add-on brigade that the IMAP early birds will be setting disproportionately high bars for 2017 and beyond when they deliver their PIMs.

Ultimately, I was disappointed by the publication, which reads more like a flannel manual, and is certainly not the kind of Risk Profession contribution that the topic so badly needs if the PRA's dreams of Board's "directing" and "owning" the IM valdiation process (slide 9) are ever going to come true. The 200 page novella world of Validation Reporting feels closer than ever...