A subject which is gathering more steam than Tina Turner's windows, Risk Culture has been given the kid gloves treatment by the CRO Forum in their paper, Sound Risk Culture in the Insurance Industry.

They say at the start that the topic has become "prominent in regulatory circles", which given EIOPA appear to be wining and dining the subject (here and here in the last couple of weeks alone), is something of an understatement. Their increased interest has no doubt been fuelled by the FSB's work on the subject from a year ago. In addition, the Financial Reporting Council took a shine to the topic in its last update of guidelines in late 2014 (point 27 in particular), while cultural failings have turned the FCA into a modern day Robin Hood (speech from inception time here).

As well as fiddling around the edges of definition, the paper expands on a few examples of where cultural change can be driven from, stealing from a few other industries (aviation in particular) and a couple of insurers (Zurich receiving particular attention).

The fundamental base they work from is pretty fair:
  • No "good" or "bad" culture, hence they talk about practices that encourage a "sound" risk culture throughout. Given that ropey culture does not necessarily prevent the achievement of strategic goals, this is smart.
  • No "one-size-fits-all" concept of Risk Culture (i.e. don't look for one in this paper!)
That said, the definition used for the purposes of the paper from the NN Group CRO is actually a pretty good one - "shared philosophy of managing uncertainty" etc - though it does suggest that a failure in risk culture might simply be someone not sharing the philosophy, which I suspect is where a lot of your more pragmatic colleagues sit!

There are a number of sound inclusions throughout;
  • Emphasising the links between risk culture and conduct risk currently being force-fed to the industry by EIOPA (p3)
  • The chart on p6 showing survey results of essential elements of risk culture - senior management and Boards leading by example is evidently seen as more important than risk-based remuneration, despite the legislative attention the latter receives (including this week in the UK).
  • Zurich's internal 10 question survey on culture assessment - contains the gorgeous expression "organisational humility", as well as bringing some of the granular risk culture elements onto the table, such as treatment of whistleblowers.
  • Highlighting the "common phenomenon" of management teams containing people with the same personal attitudes - could benefit the creation of a "shared philosophy" without necessarily any of the benefits.
  • The illustration of NN Group's "Risk Culture Dashboard" (p11) - I don't have a preference for it either way, but it does illustrate how much effort one can direct towards risk cultural identification, assessment and monitoring, which begs the question "is there that much value in it?" They seem to like it as a way of conveying the concept in the business in any case.
  • Pages 13-14 provide some good brain candy for those who have ambitions to educate or brief their colleagues on risk cultural matters. Zurich's "we are all risk managers" campaign looks like it probably has legs (more on it here).
There are a couple of mildly objectionable parts within;
  • Concepts of "Risk Vision" and "holistic" dropped in early doors and littered throughout, as well as a few extras such as "risk perspective" - the kind of obtuse terminologies which serve to divorce Risk functions from their colleagues
  • That firms should have a "clear vision" for their risk culture - why would something as opaque as culture be expected to be "clear". They don't even define it as a term in the paper!
  • Concerned that risk culture is "...only practiced by risk specialists" currently - how can this be if risk culture is " element that influences and is influenced by various forces"?
  • That an organisation's corporate culture and risk culture "must be linked" - how are they not one and the same thing?
  • That Risk Appetite Statements are "effectively part of the business strategy" - as opposed to "actually"?
  • Use of the term Risk Profile as if it is unquantifiable, specifically that firms who learn from their mistakes rather than chastise those who make them "tend to have a better risk profile". Not clever.

A rather verbose piece from the International Actuarial Association, or AAI if you are inclined comme ça, on Delivering Value From ORSA. Always worth a glance over these at this stage of proceedings, regardless of which side of the Atlantic you are currently rocking (with both Canada and the States keeping noisy on the topic in recent weeks).

As one might expect from a publication from an actuarial representative body (and one which aims to cover all IAIS bases, rather than the specificities of US/Canada/EU ORSA), it struggles for semblance once it needs to cover non-quant, and is therefore heavily flannelized.

The definition used by the IAA is:
ORSA provides a declaration of the company’s assessment of its position in terms of profit, risk and capital, both now and in the future, under different scenarios and relative to the company’s appetite to risk.
The purpose of the paper is to provide Board members with "insight into the value of the ORSA Process", which is a noble aim in itself, and a few nice touches can be found throughout, in particular:

  • The word “profit” features on virtually every page, almost unheard of in the EIOPA Guideline world where being able to “enhance the management of the undertaking” is King. Heaven forbid anyone makes a quid or two out of it!
  • The coverage of how insurance companies tend to profile risk is clean and rational (p3).
  • The concept of mitigation through company policies, overseen by good governance structures, as opposed to either holding capital or purchasing mitigation, is also expressed with clarity.
  • “A company’s risk appetite, once determined by management and approved by the board, can be treated as a budget”. Lovely concept, though it needs more flesh to provide the 'insight on ORSA Process value' that the paper is intended to.

A few contradictions emerge in the document;

  • ORSA “needs to consider and be consistent with an insurance company’s business strategy” – does the process not need to as good as set it? Indeed, they go on to say on page 2 “The true value of ORSA can only be realized when ORSA becomes integral to management’s strategic decision making”!
  • Does ORSA “help build/maintain risk awareness throughout the company” – it would be a struggle to say it could do that any further than the relevant staff which EIOPA ultimately allude to. 
  • Concept of “Solvency Risk Profile” is borderline unintelligible (p3)
  • Terminologically, the section on risk appetite and risk profile on p3 is heavily quant-based, and feels country miles away from similar materials published by the CRO Forum a few weeks back. Specifically, it talks of “acceptable levels” of solvency risk, “minimum and maximum bands”, and that in aggregate across risk categories “This band of acceptable risk is referred to as the risk appetite”. Given it doesn't appear to veer too far away from the FSB's take on Risk Appetite, perhaps this is more of a step forward than EIOPA's 2013 back pass to the AMSB on the matter (p59-60).
  • That models used should be “subject to independent validation” – is it that important if you are not using your model for regulatory capital purposes (i.e. just for ORSA)?
  • The residue of Rumsfeld, which I had hoped had been consigned to the Noughties dustbin, reappears on pages 7 & 8, specifically “A complete ORSA would include the assessment of unknown unknowns”. Pacino said it best in Godfather III.

A few releases of note out of the UK regulator over the last working week or so means I had some catching up to do - sometimes it feels like "All I do each night is PRA"...

They started off with a Director's Letter just before the bank holiday weekend. A general unwillingness to crack whips was present throughout this doc, even at this late stage, with a few references to "inform your supervisor" as opposed to "just do it".

The letter states that the PRA were due to publish some of their findings from their balance sheet review work by the end of the month - not done as yet, hopefully turns out to be money well spent.

Regarding Standard Formula appropriateness:
  • They stress that firms must identify deviations from Standard Formula from their risk profiles, and include an assessment of the significance of that deviation in their ORSAs (emphasised in their October industry presentation from p6) - is the implication here that firms are not doing this at all at the moment, or just not reporting it in ORSA?
  • Highlight that "supplementary information" used to explain such deviations will also be assessed by the PRA. Does this add significance to one's qualitative commentary around Standard Formula/Risk Profile deviations? Can a good explanation be the difference between having to IM/PIM at the earliest opportunity against being given a couple of years of capital add-on breathing room?
  • The PRA note that, "...where a firm's conclusion on this question is not appropriate", it will intervene. It is not clear how a firm's conclusions about its deviation between SF and its Risk Profile could be considered "not appropriate", but I imagine that anything which attempts to dodge USPs/PIM/IM ONCE the divergence hits the limits in the Delegated Acts (276-287) would be frowned upon. There is certainly no appetite at the PRA for renewing capital add-ons in perpetuity (slide 13), which given the UK's familiarity with ICA and ICG, might be a desperado's first chance saloon.
  • The PRA are planning "specific interventions" on this front (detailed here), but not necessarily in time to correct before 2016.
Regarding Internal Models
  • Not happy with "wide variation in quality of IM Change policies. Sounds like firms are doing their best to avoid change criteria that results in frequent submissions for reapproval, which one would expect!
  • IMAP Submissions
    - Everything Changes
  • PRA seemingly expecting firms to have not only taken on board their feedback, but also had their IMs revalidated, before submitting their IM application. Given that validation will be chalked down as a 'once-a-year' job at the moment (despite the IRM's efforts), that seems highly unlikely. They give themselves a get-out-of-jail-free card though by stating that firms must be confident that any changes in their IMs both address PRA feedback and meet the tests and standards for model approval.
  • They appear to advise against submitting applications if you have a material change in the pipeline.
  • Heavily critical of Board involvement in validation. Here they look for evidence of Boards "overseeing and influencing" the validation process, whereas previous PRA presentation slides did not have such expectations of Boards (slide 8 here), or indeed expected more (slide 9 here)!
  • The expression "internal management loadings" appeared in my life for the first time, which sounds to a non-technical person like myself that firms are effectively "dumbing-up" the capital requirement currently delivered by their IM in order to plaster over mathematical or data weaknesses. PRA certainly not impressed by industry suggestions to date.
  • Given the number of firms who must have dropped out of looking for Day 1 approval, they still shake the pineapple tree here in order to remind applicants that contingency plans should be ready in the case of application failures. "Many firms still have a considerable amount of work to do" sounds to me like some applicants are being pre-warned of their imminent failure!

The PRA also released a consultation paper entitled Corporate Governance: Board Responsibilities, which has the rather light ambition of identifying "key aspects of good board governance to which the PRA attaches particular importance in the conduct of its supervision".

A few straggler items in it;

  • That failures in governance and/or risk management have been a key factor in "many" financial sector failures - as opposed to "all"
  • That they consider the FRC's Corporate Governance Code, amongst others, a "comprehensive guide to good corporate governance" - given the firms experiencing the financial sector failures were most probably complying with it, not a great advert!
  • "Culture is the collective responsibility of the Board" - a bit of a nowhere comment, but instinctively, I don't see how this can be right. They can be accountable to both supervisors and shareholders/members for cultural failings, but where could such a responsibility materialise into demonstrable actions? 
  • "...the Board is responsible for the oversight of, but not for managing the business" - in relation to my comment directly above, can both statements be correct?
  • "The Risk Control Framework should flow from the Board's Risk Appetite" - I'll work on the premise that this is missing the word "statement" at the end of the line
  • Section 11 on remuneration expects that incentives are aligned with "prudent risk taking" - what if prudence is too conservative for one's risk appetite?
Into some of the expected themes;
  • Strategy to be "owned by the Board as a whole"
  • They wed Culture and Remuneration " encourage and enforce the kind of behaviours the Board wished to see"
  • They want a "well articulated and measurable" Risk Appetite Statement which can also be "...readily understood by employees throughout the business". Doesn't seem feasible, given the metrics commonly used in risk appetite statements are not exactly Finance 101 (Solvency/Liquidity/Earnings-related).
  • "It is the responsibility of the Board to ensure that the effectiveness of the Risk Control framework is kept actively under review" - has at least an air of COSO about it, don't think it was deliberate
  • Big section (6) on responsibilities and accountabilities of exec and non-exec directors.
  • Followed in 7.1 with "...non-executives should not simply delegate responsibility for major decisions to individuals among them who are considered specialist in the area" - this has internal models written all over it (p5-6)!
Happy to see this second document, though I don't know what it adds to firms' understanding about what is "good and bad".

A quick dive into the wider world of ERM, courtesy of one of our Big 4 friends, ambiguously titled Risks in Review. PwC's document (short sign-up required) is US-centric and multi-industry, so for the Solvency II crowd you might need to sift for the goodies (a good illustration of which side of the Atlantic it leans towards is that reported on its highlights), but for anyone in the ERM space, there should be something for you here.

A bizarre stat is laid out at the beginning in that 73% of the 1,200+ senior executive[s] and Board member respondents to the survey agreed that "risks to their companies are increasing". Whether this be in reference to the number of risks faced, increases in the likelihood/severity of one's existing risk universe, or their perceptions on emerging risks, it certainly suggests that exogenous and endogenous concerns have not abated in the minds of corporate leaders. However, given the risk immaturity within firms that the rest of the document serves to highlight, the lack of definition is rather unhelpful.

As the survey covers multiple industries, it has the more generic risk classifications in mind (i.e. all major quantitative risks balled up into "Financial Risk"), which will no doubt gnaw at anyone on the financial services side, but at the same time, it's not all about you!

The pat on the back for those surveyed is the sobriquet of "true risk management leaders", handed out to 12% of respondents. It frankly doesn't feel like a valid aspiration for an entity, more that being a "risk management leader" would be an implicit part of the make up of any firm which successfully delivers on its strategic objectives.

That aside, the Leaders (of which financial services companies "...represent a sizeable portion" of!) are congratulated for;
  • Aligning RM Programs with their businesses.
  • Communicating Risk Appetite and Risk Tolerance through the business - nothing on hard risk limits in the paper though
  • Being "able to take greater business risks" - I don't necessarily make the link between being "good" at risk management equating to taking greater risks, unless that is part of the business strategy one has aligned the RM Program with.
  • Take aggregated views of risk over multiple areas
  • Using techniques such as emerging risk identification/forecasting, scenario planning and stress testing
Laggards on the other hand
  • Have no formal Risk Appetite Framework (only 38% of respondents do)
  • Don't integrate Risk Management Strategy with business strategy (only 31% do)
They also hook the leadership qualities of risk management to some quantitative "value of good risk management" work on p5 (a topic which Towers Watson recently tiptoed around due to a lack of quant), namely that their profit margins and margin growth will outstrip peers. The growth of profit margins might be a bum steer, as the macroeconomic environment is perhaps less kind to industries other than financial services, who of course would have seen margins peak comparably faster over recent years due to the size of the trough in 2006/08!

As ever, the lexicon used in papers such as this takes a dip in the lake of dubiosity, for example:
  • That companies should "...treat risk management strategically" - as opposed to what, "operationally"? This kind of expression suggests that risk is not already considered in strategy, which feels unfair and unrealistic, even on the immature firms surveyed. That there isn't a functional ERM Framework to enhance that work does not mean it isn't done at all.
  • Risk Appetite Framework should have "buy-in" from senior management and the Board. Why "buy-in"? They should be deeply involved in the construction of an RAF, and their successes or failures as management should be inextricably linked to operating in line with it, not asked to nod in approval at the next Board/EXCO
  • "Having a clearly defined risk appetite framework allows companies to quickly assess strategic decisions in the context of risk" - that of course was not a given...
  • They also follow the tactic used in the Towers Watson paper in referring to risk management "programs" as opposed to "systems" or "frameworks" - again, I'm not trying to labour the semantics of it, but a Programme for me has an end, and the work of a risk management function simply does not. This is perhaps just a psychological angle being worked here to drill into prospective clients that Programs can be boosted with a burst of external advice, but I find it increasingly disagreeable, particularly given the risk management leadership traits highlighted in this document, which most certainly do not lend themselves to the workings of a transient Programme.
Other stand out points would include
  • Alignment of RM Programmes against each business function (p9) - horrible result for Sales & Marketing, even for Leaders, and suggests it is an area for us all to redouble our efforts
  • Similar to Towers, talk of firms "drowning in data" - cannot fathom this for the life of me, but perhaps that's because I can use pivot tables and SQL server!
  • GE Capital's approach to administering Risk Appetite (p16) - very clean, and in a manner which the CRO Forum would appreciate.
  • Finally, a really nice section on p19 which shows the discrepancies between executives and risk professionals regarding their own firms' prospects. The Fannie Mae CRO suggests that Risk Management staff are "paranoids by profession" which given his employer's recent history, doesn't mean people aren't out for you!