FRC on Risk Management and Internal Control disclosure - insurers way ahead?

Muddy Waters
- public disclosure on Risk

The UK's Financial Reporting Council have released guidance on Risk Management, Internal Control and related reporting, just in time to help muddy the waters for UK insurers, who have no doubt finally got their risk, actuarial and compliance functions writing non-conflicting words with Solvency II preparation in mind!

Anyone who has written, peer-reviewed or socially read these sections of public reports (i.e. me, and any other geeks), will know they are normally;

• Boiler-plate, and completely transferrable between industries, regardless of their disparate risk profiles
• Aligned to the Strategy sections with a few anchor words, but otherwise divorced
• Frequently unaligned with the ERM frameworks used internally - i.e. "this is what the City wants to read", not material on our actual risk profile!

Given that this is only guidance, and is further only directly relevant to LSE listed entities, readers may be inclined to take the content with a fistful of salt. There are a number of noteworthy aspects to this publication however which maybe show where the mindset of supervisory-types has got to in the eight or so years since the financial crisis commenced.

 I took the following general points from it;

• Very little for listed insurers to be concerned about, if they have prepared adequately for ORSA and supervisory reporting (SFCR, RSR) - indeed, their reporting teams will be delighted with the amount of content crossover! Check out the (still not finalised) Delegated Acts of Solvency II in order to see why listed Insurers won't need to stretch to meet these.
• Frequent references to "culture", as opposed to "risk culture". Checking the FSB's take on Risk Culture from April of this year, one can appreciate the FRC's desire to gemmy culture into these guidelines, if perhaps not the execution - one fears the "culture" words are likely to become a little weasely.
• Multiple crossovers into ORSA language, in particular re-emphasising the importance of the alignment of risk management with business strategy.
• Good work in section 4, bringing in the "IMMMR" concept from Solvency II, as well as assessment of current and emerging risks, and assessing exogenous and endogenous risks when doing so.
• Recommend that risk assessments are performed at inherent and residual level, and that control effectiveness is also considered when arriving at one's final assessment

On the technical front, the following elements caught my eye

• "Emerging principal risks" used as an expression - not sure if that stands up to scrutiny i.e. if something is emerging, can it be a "principal" anything? How would you measure it to gauge "principality"?
• Reference to "high profile failures in risk management" in recent years, which feels a little finger-pointy - we could deconstruct every corporate failure to one of risk management failure
• "Risk Appetite" put into inverted commas within the guidance, but not in the appendices - can't quite work out the aversion to definition given the FSB's work to date at the very least, but certainly EIOPA have similarly dodged it (p59), and looking at Appendix 1 of the Irish regulator's thought paper on Risk Appetite, one can see why!
• "It is the role of management to implement and take day-to-day responsibility for board policies on risk management and internal control" - really? responsibility for their implementation, sure, but policy content?