Emerging Regulatory Risks: the Case of Pensions Legislation

This year’s announcement of the UK Government Budget includes the decision to end the compulsory annuitisation at age 75. 

Apparently, the announcement took the UK insurance industry by surprise, which in itself is surprising since the 2010 Coalition agreement included a rather blunt statement on the subject: “We will end the rules requiring compulsory annuitisation at 75.” I am sure that this statement may have been considered at the time and briefings to senior management would have been issued, etc.  Yet how could the recent Budget announcement have been a surprise to the insurance industry?

There is another, more recent, policy announcement about government policy on pensions, which might follow a similar pattern.  The Liberal Democrats published in early September a pre-manifesto entitled A Stronger Economy and a Fairer Society which includes the following objective: “Establish a review to consider the case for, and practical implications of, introducing a single rate of tax relief for pensions, which would be designed to be simpler and fairer and which would be set more generously than the current 20% basic rate relief.”

Commentators have already picked up that the “simpler and fairer” rate will be something less than the current 40% rate relief (see, for example, Ian King’s column in The Times on 15 September).  I am sure that briefing papers to senior management may already have been issued.  Some insurance companies may even be looking to assess the quantitative impact of the possible changes in tax relief.  However, this issue will remain a live issue for several years and may surprise the industry, depending on the outcome of the 2015 elections.   

From an ERM perspective, there is a simpler question.  How can you manage the emerging risk from regulatory and policy development which have a long lead time? 

The answer is to design and implement a system that captures emerging risks over time and enables their continuing assessment.  

Here are some key points to consider as part of this design:

• Have you simplified the system as much as possible to ensure that it has more chance of being implemented and used?
• What processes would you put in place to ensure that the regulatory emerging risks are re-assessed at regular intervals?
• How would you identify a person / function / business that would take action if the risk crystallises?
• How would you integrate emerging risk with the wider risk reporting?
• Would you consider contingency planning, including analysis and scoping changes in products or systems?

As ever, the challenge will be implementing and embedding.  However, these cases illustrate that there is a combination of high impacts and long lead times that can only be managed in a systematic manner to reduce the likelihood of surprises.

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.

Guest Post: Risk Cycles and the Use-Test (Part 2)

One of the lessons from my post on the objective of risk management was that there are number of perspectives about it.  I asked a number of leading industry experts to share their perspective.

Today, I am sharing the second part of Jim Suttcliffe’s contribution reflecting a Board perspective as Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group.  Jim explains how the concept of risk cycles can be used to implement the use test. (The first part on the use-test is here.) 

Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.

****************************

Implementing the use-test: risk cycles

Jim Suttcliffe, Chairman of Sun Life Financial (Canada), and Chairman BaxterBruce (UK)

There are a number of risk cycles in use at the big consultancies, but I find that few have the ring of reality about them. We can all recite Identify, Assess, Monitor, Maintain, Report etc, but this kind of cycle, at least from the perspective of a non-executive is likely to the use test not being complied with.

For me, the first step in the process is a number of actions that are all to do with "Understanding" your risks and their shape and texture. The difference between identifying and assessing is often academic - it's the process of assessing that leads to the identification, or at least the recognition of importance. Stress tests, reverse stress tests and scenario tests are all part of understanding, and from a non-executive perspective, making sure that the executive understands, as much as ensuring the board understands.

Some risks are easily measured, others have pretend-accurate models around them, and discussion need to recognize these differences, and not bury them under pseudo-science.

But once you've understood your risks, the next step for the Risk Committee is to get them into the context of the strategy, and set up the necessary "Policy". This will include risk appetite statements, risk targets, limits on activity, statements of desired and unwanted risks, control activities and a number of similar items, all aimed at ensuring the risk reward balance in the business is what is required. From a Non-Executive perspective, this is the crucial step. Once these policies are in place, you hand over to the executive, and say, "operate within these bounds", and tell me when you step out, and how you are going to rectify it.

The next useful thing to do, is to check that "Management Action" is building the sub-blocks that are high reward/low risk and shrinking the other blocks. This is of course a hard problem, but that's why management is paid a lot. This then can also help lead you to understand she the incentives are and whether they are working properly, as well as be very informative. It will also tell you whether your Use Test is being met.

After that, check "Compliance". This should be a big dashboard maintained by the CRO and his/her team. And as with any dashboard, you should expect a lot of green, and pay attention to any reds that appear. The rules should be very firm. If you breach, report, and no exceptions or stories that it didn't matter or is about to be fixed. Report all breaches!

And lastly you are in a position to "Report". You have all the facts, your Principal risks come out of Understanding, your Going Concern Statements come from there too. You can report on the policies you have in places and the actions taken to improve the business, and you can show the use test in action.

It's a far simpler cycle, and much more realistic.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.  

Guest Post: the Use of the Use-Test (Part 1)

One of the lessons from my post on the objective of risk management was that there are number of perspectives about it.  I asked a number of leading industry experts to share their perspective.

Today, I am sharing the views of Jim Suttcliffe, Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group.  Jim sets out the objective of risk management in terms of the 'use test'.  His next post will consider how to implement it in a meaningful manner.

Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.

****************************

Defining the use-test

Jim Suttcliffe, Chairman of Sun Life Financial (Canada), and Chairman of BaxterBruce (UK)

The Use Test is a simple but powerful concept to think about the objective of risk management. You should actually use your risk management system as part of your business, not as an afterthought.

But it's still true in many places that the risk department are those interfering people from Head Office whom we have to placate occasionally, but whom we basically avoid. Grrr.

Happily, in some of my interests, this era has passed and the power of doing things properly is showing through in the share price. 

Actually there are two sides to this story. Risk departments need to be staffed by potential CEOs and not Dr No's. Risk people need to be able to contribute to the development of these organizations, not just inhibit. But with the right people in place, good first lines will welcome the second pair of eyes, and the help in avoiding pitfalls, that risk departments with their broader vision can contribute. Bad first lines put up boundaries around their activities, and restrict access to information. They have their ears closed to different ideas, and are the weaker for it.

I sat with a lunch group of non-executive directors recently, not from the financial services industry, and found the room split between those who thought risk management was a waste of time, and those who embraced it wholeheartedly. There were few in the middle. Actually good risk management, and the embedding of risk management in the first line is not new. Good managements have always done it, and when risk is physical, as in the extractive industries, there are some very advanced techniques, and acknowledgement of the behavioural aspect of the subject.

And the Use Test has this behavioural issue at its heart. All the rules in the world won't prevent risks from crystallizing if the culture is against it. And that too needs attention. Risk managers are managers, and the art of management needs to be on the agenda as well as statistical technique and Monte Carlo simulation.

The prize is still out there to be won in many organizations. Some already have it in their hands and will be the winners in the next crunch. But beware the backwoodsmen who think that risk is for boring HO people!!

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.