Showing posts with label ERM. Show all posts

Thursday, 1 August 2019

ERM in Three Lines*



One of the challenges with enterprise risk management (ERM) is how much is written on the subject.  I find it useful to identify the key components.  This provides a structure to sort out the detailed views and comments, though it is also more than that. If you are a busy CRO or senior risk leader, identifying the key components enables you to take stock and think about challenges and improvements that may be relevant to your priorities. 

Here is an attempt to sum up ERM and provide that clarity in three headlines.

1. A vision of the ERM purpose

My preference for financial services is ‘protect and enable’. This highlights that risk management is more than just about avoiding the downside; it is about how risk management supports decision making, including the role of the CRO in that decision making. (More on ‘protect and enable’ and different views from practitioners shared on Crescendo Advisors’ blog are available here.)

2. An articulation of how to deliver and embed ERM in the business

This is your ERM framework, roles and responsibilities, policies, and risk appetite. They must provide the right balance between the level of detail and clarity to create a durable product and support business implementation.

3. Evidence of the outcomes of vision and articulation of ERM (1 and 2 above)

This is the outcome of the ERM, i.e. the assurance that is provided to the Board. This means that a feedback mechanism that supports improvement is in place. This is partly about risk or thematic reviews, but it also represents a wider perspective that involves 1st line and 3rd line as well. I also find that focusing on assurance is more ‘real’ than a discussion on the extent to which processes are implemented or embedded.

At the risk of oversimplifying, here is my own take on the UK insurance business position on these three aspects:
  • The articulation of the ERM vision is progressing but there is still work to be done. There is a sense that, broadly speaking, people operate according to the ‘protect and enable’ vision without articulating it as clearly as it could be.
  • Good progress has been made articulating how to deliver and embed ERM in businesses; all businesses have ERM frameworks and policies in place. Some are considering external reviews after the frameworks have been in place for some time.
  • The biggest challenge ahead is evidencing ERM implementation and providing structured assurance to the Board about ERM expectations. This is a challenge for the risk management function (risk reviews?), the first line (business and control reviews?) and internal audit (coordinate with first and second line?). Please get in touch if you want to receive a paper with initial thoughts on this challenge.

Do you agree with these views about the insurance sector in the UK? How about banking and asset management? How is this seen in other countries?

*  No pun intended about the three lines of defence.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.

Thursday, 18 July 2019

AI and Risk Management


Earlier this year, I gave a presentation to a group of actuaries - the Network of Consulting Actuaries - on the challenge of adopting Artificial Intelligence tools in Financial Services and how risk management can help. I have transformed the speaking notes into a paper - here.

Happy reading!



Monday, 27 May 2019

The New and the Old in Risk Management


I have been writing about the new and the old in risk management over the past year. This starts with the slow pace of adoption of FinTech by incumbents in financial services. I have suggested that an important component of the change needed includes incumbents amending and enhancing risk management frameworks to reflect new FinTech innovations. (See my last post on the subject.)

Recently, I came across an article from McKinsey that makes a similar point in the context of model risk and the adoption of artificial intelligence (AI) and machine learning. It turns out I am in good company! 

McKinsey’s article notes that banks have developed and implemented frameworks to manage model risk, including model validation reflecting specific regulatory frameworks, in this case from the US Federal Reserve (here). It also recognises that these frameworks, as implemented, are not adequate for the model risk associated with AI and machine learning. Banks are therefore proceeding cautiously and introducing new modelling approaches only slowly, even when these are available.

The article then shows how a standard framework for model risk management can be used to identify the extra considerations required for that framework to cover AI and machine learning models appropriately. The key message is that the challenge of adopting AI and machine learning can be addressed through a careful extension of existing approaches.

Two further thoughts from McKinsey’s article. Firstly, the article rightly refers to model management rather than validation. It is always useful to reiterate that model validation undertaken by the risk function is just a component of how models are managed in the business. Secondly, model management should not apply only to internal models used to calculate regulatory capital, but should apply more widely to models used in the business such as those used for pricing, valuation of assets and liabilities.

The article ends with a cautionary tale of an unnamed bank where the model risk management function took initial steps to ready itself for machine learning models on the assumption that there were none in the bank. It then discovered that an innovation function had been established and was developing models for fraud detection and cybersecurity.


Monday, 29 April 2019

The Curse of Risk Appetite



In this post, I go back to one of the fundamental aspects of an ERM framework: risk appetite. ‘The Curse of Risk Appetite’ is part of the title of an interesting paper reviewing the misuses of risk appetite.[1] Some of the misuses described in the paper might sound familiar, but perhaps the key point to take away from the paper is that there is a potential for risk appetite to become synonymous with ‘a consideration of risk’. I am not sure this was ever the intention. 

The paper includes several useful suggestions to enhance risk appetite. They are focused on the long-run value of the firm and on the structure of risk appetite statements, reflecting a view that risk is the likelihood of falling below critical levels of performance. However, my attention was really caught by the authors’ suggestion to improve the organisational process for risk management. They suggest that a risk function’s role should be defined to include responsibility for evaluating the combined effect of strategic initiatives and capital budgeting on the firm’s overall risk profile.

On one level, this prescription is consistent with the view that the aim of the risk function should be to ‘protect and enable’, with the emphasis on the ‘enable’ aspect which sometimes gets overshadowed by ‘protect’. I am attracted to this suggestion because it turns a vision into a practical requirement that can be incorporated into an articulation of roles and responsibilities for a CRO or risk function. 

If, however, this was implemented literally in UK financial services, I suspect there would be an issue with regulators’ expectation about the independence of the risk function (second line of defence) from the business (first line). 

A similar outcome could be reached by clarifying that the role of the CRO/risk function includes providing a risk opinion in the early stages of the consideration of major strategic initiatives that have the potential to alter the business’s risk profile. The emphasis on timing is important. Providing a risk opinion only when major strategic initiatives are presented for approval is unlikely to add value. A CRO/risk function opinion in the early stages is likely to support consideration of the details of the initiatives and how they can be shaped to strike the appropriate balance between risk and return.





[1] Alviniussen, Alf and Jankensgård, Håkan, The Risk-Return Tradeoff: A Six-Step Guide to Ending the Curse of Risk Appetite (May 7, 2018).

Sunday, 16 September 2018

Monitoring the Risk and Business Impact of AI-Based Solutions



AI-based solutions can shape how financial services businesses make money, whether or not the business model stays the same. For an existing financial services business, the motivations may vary and range from efficiency to expanding the business. There would be project risk as with any development, but leaving that important consideration aside, it is worth bearing in mind that AI-based solutions would also change the risk profile of the business. Changing the risk profile may or may not be the original intention, but it becomes more likely once an AI-based solution is in place. The key implication is that implementing an AI-based solution would require a radically different risk oversight approach by the business.

Standard computer algorithms which are not AI-based can, and do, solve complex problems. The main feature of such algorithms is that the problem is defined in advance and an algorithm is developed to solve it, which produces the same answer as long as the same inputs are provided. So a credit-scoring mechanism calibrated to capture a certain type of client gives you just that.

The answers offered by an AI-based system may change over time. New data is used to reassess the underlying relationships and recalibrate the relationship between the target variable and the potential explanatory variables. This “learning” can also happen in a standard programme when there is a process of recalibration. The difference is that in the case of AI, learning can happen continuously as new data arrives, rather than at scheduled recalibration points; that is the essence of AI.

Alternatively, with AI a target variable may not have been defined. That’s not as unusual as it might sound. For example, algorithms assessing a loan or credit card underwriting may fall in this category because there is no single rule to predict a borrower’s likelihood of repayment. New data can lead to a certain recalibration or can be used to identify new relationships between certain data. For example, over time an AI-based system might identify that outstanding debt is a better predictor of the likelihood of borrower repayment than repayment history and penalise someone with a relatively good track record of timely repayments.

In machine-learning terms, the first case, where a target variable is defined and the model is fitted to it, is “supervised machine learning”; the second, where no target variable is defined and the algorithm looks for structure in the data itself, is “unsupervised machine learning”. What differs is whether the learning is steered by a labelled outcome, and therefore how much autonomy the algorithm has in deciding which relationships matter.

Consider the potential impact on conduct risk of AI-based tools. One of the expectations from Treating Customers Fairly (TCF) with respect to product governance is that products are designed to meet the needs of identified consumer groups and are targeted accordingly. This requires a clear business strategy, including identification of the target market through a combination of qualitative and quantitative research, and oversight of the business to ensure that it is aligned with initial expectations of customers and business generated. Take the example of automated investment services covered in a recent FCA review. These providers would rely on some type of AI-based solution, whether supervised or unsupervised machine learning. The possibility of capturing different customers, or of the advice generated being different from what was envisaged, cannot be ruled out. The challenge is how to put in place a monitoring approach which ensures that the outcomes and risks which arise are consistent with the expectations in the business plan.

Something similar can apply from the perspective of credit risk, impacting the quality of the portfolio and performance. Suppose you have been targeting retail customers with a specific risk rating for a credit card business. If you roll out an AI-based solution to enhance the efficiency of product underwriting, you would need to have in place mechanisms to ensure that the credit quality of the portfolio is consistent with your expectations, or else change those expectations. Both options are fine. You may want to keep your target credit rating constant and seek more volume, or perhaps you see AI-based solutions as a more robust tool to support decision making and, in a controlled manner, can relax your target rating. Regardless of your choice, you would need to put in place a credit risk monitoring approach that is suited to the new AI-based solutions, as well as ensure that the business understands the portfolio implications of the “learning” that is at the core of an AI-based solution.
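One way to make the credit risk monitoring described above concrete, as an added example and not code from this post: assume the business plan targets a given mix of approved accounts across four internal rating bands (A to D, a hypothetical scale), and compare that target each period against the mix the AI-based underwriting tool actually approved. The Population Stability Index (PSI) is a standard drift statistic for scoring models; the 0.10 and 0.25 thresholds are conventional rules of thumb, and the target mix and the two periods of approval data are constructed for illustration.

```python
"""Drift monitor for an AI-assisted credit-card underwriting tool.

Added example, not code from the post.  Rating bands, target mix, thresholds
and the two periods of approved accounts are all constructed assumptions.
"""
import math

RATING_BANDS = ("A", "B", "C", "D")  # hypothetical internal rating scale, A = best

# Rating mix of approved accounts that the business plan assumed (assumption).
TARGET_MIX = {"A": 0.30, "B": 0.40, "C": 0.25, "D": 0.05}

# Constructed approval data: period 1 tracks the plan, period 2 has drifted
# towards weaker credits after the model "learned" from new data.
PERIOD_1 = list("A" * 32 + "B" * 38 + "C" * 26 + "D" * 4)
PERIOD_2 = list("A" * 15 + "B" * 30 + "C" * 35 + "D" * 20)

# Conventional PSI rules of thumb (assumption): below 0.10 stable,
# 0.10 to 0.25 worth investigating, above 0.25 a material shift.
PSI_INVESTIGATE = 0.10
PSI_BREACH = 0.25


def rating_mix(ratings):
    """Share of approved accounts in each rating band for one period."""
    if not ratings:
        raise ValueError("no approved accounts in period")
    counts = dict.fromkeys(RATING_BANDS, 0)
    for r in ratings:
        if r not in counts:
            # A rating outside the scale is a data-quality failure; do not drop it silently.
            raise ValueError(f"unknown rating band: {r!r}")
        counts[r] += 1
    n = len(ratings)
    return {band: counts[band] / n for band in RATING_BANDS}


def psi(expected, actual, floor=1e-4):
    """Population Stability Index between an expected and an observed mix.

    PSI = sum over bands of (actual - expected) * ln(actual / expected).
    Shares are floored so that an empty band does not produce log(0).
    """
    total = 0.0
    for band in RATING_BANDS:
        e = max(expected[band], floor)
        a = max(actual[band], floor)
        total += (a - e) * math.log(a / e)
    return total


def assess_period(ratings, target=TARGET_MIX):
    """Return (psi_value, status, mix) for one period of approvals."""
    mix = rating_mix(ratings)
    value = psi(target, mix)
    if value < PSI_INVESTIGATE:
        status = "stable"
    elif value < PSI_BREACH:
        status = "investigate"
    else:
        status = "breach"
    return value, status, mix


if __name__ == "__main__":
    for name, period in (("period 1", PERIOD_1), ("period 2", PERIOD_2)):
        value, status, mix = assess_period(period)
        shares = ", ".join(f"{b}={mix[b]:.0%}" for b in RATING_BANDS)
        print(f"{name}: PSI={value:.3f} {status:<11} ({shares})")
```

Period 1 comes out as stable and period 2 as a breach. The point of the design is that the monitor compares the tool's output against the expectation in the business plan, not against the tool's own previous output, so a gradual drift that the model would otherwise normalise is still caught; if the business decides to relax the target rating, it changes TARGET_MIX deliberately rather than letting the model move it.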

The salient point to take away is that the roll-out plan of AI-based tools may focus on the launch. However, the greatest challenge may well be the need to provide for the ongoing and timely monitoring of the AI-based tools and their integration in business governance and risk management, which I will cover in the next post.


Tuesday, 5 April 2016

Five Risk Management Lessons From Pixar


I read an interview in McKinsey Quarterly with Ed Catmull, one of the co-founders of Pixar, about his management approach for keeping the business innovative (here; registration may be required).  I hoped this article would provide an interesting window into a different sector.  When I finished reading the article, I had found something very different instead.  I had learned a number of useful lessons about the design and implementation of risk management:   

1. That clear business objectives inform risk taking. Are there clear business objectives? How do they relate to risk management?

2. The impossibility of delivering absolute clarity. Is risk management striking a balance between providing clarity and enabling staff at all levels to respond to challenges as they arise?

3. The importance of running experiments. How do/can we experiment with risk management? Is this about testing risk metrics? Product features and claims? Changes to underwriting criteria?

4. Articulating business culture to make it less dependent on key individuals and ensure it resonates beyond senior management. How do we ensure that the ‘tone from the top’ is echoed by middle management?

5. The important distinction between assuming and spreading risks and their focus on the former. How close is the risk management oversight to product development and risk taking?

So the next time you watch a Pixar movie, remember that there is a fair amount of risk management behind the scenes. 

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  


Saturday, 19 March 2016

‘Nudging’ Meets Enterprise Risk Management?


It is no exaggeration to say that behavioural economics has become mainstream.  With hindsight, this is not really surprising because the assumptions underpinning economic theory have always been regarded as just that: assumptions. 

The key innovations of behavioural economics are the identification of specific circumstances where there are systematic departures from rational decision making and the development of context-specific predictions of behaviour. Broadly speaking, departures from rational decision making are referred to as ‘biases’ because outcomes are poorer than the optimal outcomes under rational conditions. These biases may affect preferences, beliefs or decision making. Box 1 below shows some common types of biases.

Box 1: Sample of Common Types of Biases Affecting Decision Making

Type: Preferences
Bias: Reference dependence
Description: Assessments are influenced by the reference point for the assessment ― typically the status quo ― or by a fear of losses. Depending on the context, this can encourage either too much or too little risk taking.
Example of bias in consumer decision making: Purchase decisions are driven by alternatives or product features which are irrelevant to the consumer.

Type: Beliefs
Bias: Over-extrapolation
Description: Predictions are made on the basis of few observations believed to be representative, from which a real pattern or trend is inferred and, as a result, uncertainty is over- or under-estimated.
Example of bias in consumer decision making: The quality of financial advice is assessed on the basis of a few successful investments even if these could reflect pure luck.

Type: Decision making
Bias: Rules of thumb
Description: Decision making is simplified by adopting specific rules of thumb such as choosing the most familiar and avoiding the most ambiguous.
Example of bias in consumer decision making: Products at the top of a list or offered by large companies are selected.


Another innovation of behavioural economics is the notion that it is sometimes possible to address those biases, and thereby enhance outcomes, by making small changes to the environment ― hence the number of books about behavioural economics with the word ‘nudging’ in the title.  I have come across nudging considerations in terms of sales (e.g. how the default option affects customers’ choices) and in terms of public policy (e.g. the introduction of cooling-off periods in financial services). 

One of the key motivating aspects of enterprise risk management is its effectiveness.  This is not just a challenge concerning an outcome at a particular point in time.  The main aspect of the challenge is putting in place a process that drives enhanced effectiveness.  This is an aspect that has not escaped EU supervisors framing risk and capital requirements for banks and insurers in the EU, which require assessments of risk management effectiveness. 

So how could these two meet?  An assessment of risk management effectiveness could seek to identify behavioural biases that affect the management of risk across the business: for example, in terms of underwriting and investments.  Consider again the biases set out in Box 1: which ones could be relevant to risk management?  If we identify the biases that shape risk management, we can also assess their materiality and consider whether there are ways of addressing them through changes in the operating environment.  If you have any thoughts about how these biases, or others, could affect risk management, I would be very interested to hear them.

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  


Friday, 26 February 2016

Risk Reviews: Not 'a Bridge Too Far'


The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 
The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 
The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   


Friday, 5 February 2016

Feedback Loops and Enterprise Risk Management (ERM)


One should not take things for granted and this also applies to ERM.  In the case of ERM, this would mean identifying feedback mechanisms about the effectiveness of ERM to provide assurance to boards about the value generated.  This should also generate further insights to enhance ERM’s value added.  

This connection between ERM and value has not escaped supervisors.   On a company level, EU directives covering prudential regulation of banks and insurers include requirements that aim to formalise these feedback mechanisms.

While boards and regulators may be interested in the effectiveness of ERM in specific companies, there seems to be less evidence at an industry level.  Wouldn’t it be useful to understand the link between ERM effectiveness and the role and experience of the CRO? How does board oversight contribute to ERM effectiveness? 

These are challenging questions, which are considered in a recent working paper by Cristina Bailey, assistant professor at the University of New Hampshire, using data for publicly traded US insurers.*  There is a fair amount of statistics and econometrics in this paper which would have been covered through peer review.  There are differences between regulatory requirements on the two sides of the Atlantic, which could challenge the ability to infer from US data for Europe.  However, it would seem that ERM effectiveness is driven by the underlying business rather than regulatory requirements and that the lessons should be transferable. 

So what can we learn from this paper?  There are a number of measures of ERM effectiveness and benefits.  The effectiveness of risk management can be gauged by reference to the ratings awarded by S&P for risk management.  There are five possible ratings: very strong, strong, adequate with strong risk control, adequate and weak.  In the paper, ERM is defined as holistic risk management and is associated with the top two S&P ratings.  ERM benefits can be considered by referring to the volatility in stock returns.  ERM benefits can also be inferred using a measure of strategic industry positioning defined as the difference between the return on assets for the insurer and the top quartile.

Naturally, it is important to consider the experience that the CRO brings to the role. A number of experiences are specifically identified: oversight (e.g. prior experience as CEO or COO), financial (e.g. accountancy qualification or prior role as CFO or financial controller), industry (previous employment in the insurance industry) and risk (previous experience as a CRO or in a senior risk management position).

The analysis suggests that the breadth of the CRO’s experience is positively related to ERM effectiveness after controlling for a wide range of relevant factors.  However, this logic does not seem to apply to the expertise of the risk or audit committee.  But before you despair about the value of effective risk governance provided by a board committee, consider the impact on ERM benefits mentioned earlier by reference to volatility or strategic industry positioning.  The breadth of expertise of the committee members turns out to be a significant determinant of the ERM benefits. 

This result is a useful reminder of the difference between outputs (effective ERM) and business outcomes (e.g. risk reduction). A potential way of pulling together these results is as follows: a CRO with broad expertise can successfully shape the effectiveness of ERM. However, the wider ERM benefits depend on shaping the overall direction of the company, which requires, among other things, board committee members with a similar breadth of experience to act on the outputs that a CRO leading an effective ERM system would generate. The above points to the importance of the qualities of CROs.

Headhunters Hedley May have also published an interesting paper on the role of the CRO – and the risk function – based on discussions with CROs in banking, insurance, investment management and other stakeholders.**  Their analysis seems to support the above hypotheses about the difference between an effective ERM system and delivering business benefits such as lower volatility.  The qualities of a good CRO were found to include relationship building, influence and an ability to synthesise. These would provide the CRO with appropriate credibility in front of the board to go beyond an effective ERM and affect business decisions.

* ‘The Effect of Chief Risk Officer and Risk Committee Expertise on Risk Management', (forthcoming, www.ssrn.com)



Sunday, 19 April 2015

Creating Your Own Risk Wave

During a recent family vacation, I had the opportunity to watch something unusual in the Mediterranean Sea.  The sea was rough and I saw people surfing at a beach where one usually sees children paddling.  There were about twenty surfers in the sea waiting for a wave.  When a wave came, a few would successfully ride it.  Then they had to paddle back to the ‘line’ and wait for the next wave.

It reminded me of blogging (in general, not just this one).  You start by identifying a number of ideas, like the surfer’s positioning to wait for a wave.  You develop one of them into a post and publish it.  You then need to start all over again, like the surfers paddling back out to sea after they have caught a wave.  As with surfing (I guess) that’s the fun of it.

But it also reminded me of risk management: you implement an enterprise risk management (ERM) system, then wait for the events (or the wave) which will come sooner or later and learn about the effectiveness of ERM implementation. 

It occurred to me that the differences between surfing and risk management are more revealing. Firstly, surfers look for the best opportunity to ride a wave. Risk management, on the other hand, usually aims to protect a business franchise rather than embrace risk taking. But see this post for an alternative view.

Secondly, the existence of a back book in banking and insurance means that there is not an obvious notion of going back to the beginning as there is in surfing and paddling back out to sea.  

Finally, building up a banking or insurance back book, or acquiring one, involves more choice than a surfer has in choosing a wave.  Indeed, it may be the equivalent of creating your own wave.  In some cases, it would be a wave of longevity risks.  In other cases, it would be a wave of ‘interest rate risk mismatch’. 

So next time you happen to see a surfer, think like one of them and consider how risk management can help your business thrive.  But also remember that if surfers have dreams, they probably dream of creating their own wave.



Tuesday, 14 April 2015

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than it seems.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Tuesday, 31 March 2015

Losses Are Not Failures of Risk Management



Well, not necessarily. But we need to remind ourselves and our stakeholders that that’s really the point. Losses will happen with a certain regularity. This is the message of a risk appetite system whose limits are calibrated to a 1-in-10 chance of being breached over a one-year horizon. Whether the implications are really appreciated is a different point.
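To see what a 1-in-10 calibration implies, here is an added illustration that is not from the post and uses constructed loss data: the limit is set at the loss level that a year's losses exceed with 10% probability, and the same loss distribution is then run forward to show how often the limit is breached when nothing has gone wrong with risk management. The lognormal distribution and its parameters are assumptions chosen for the example.

```python
"""Breach frequency implied by a 1-in-10, one-year risk appetite limit.

Added example, not from the post.  The loss distribution (lognormal) and its
parameters are assumptions chosen for illustration; loss units are arbitrary.
"""
import math
import random


def calibrate_limit(annual_losses, exceedance_prob=0.10):
    """Loss level exceeded with probability exceedance_prob in a year:
    the empirical (1 - p) quantile of the sample."""
    if not 0 < exceedance_prob < 1:
        raise ValueError("exceedance probability must be in (0, 1)")
    s = sorted(annual_losses)
    # index of the smallest value with at least (1 - p) of the sample at or below it
    idx = math.ceil((1 - exceedance_prob) * len(s)) - 1
    return s[idx]


def count_breaches(annual_losses, limit):
    """Number of years in which the loss exceeded the limit."""
    return sum(1 for loss in annual_losses if loss > limit)


def prob_at_least_one_breach(exceedance_prob, years):
    """Chance of at least one breach over the horizon (years assumed independent)."""
    return 1.0 - (1.0 - exceedance_prob) ** years


def expected_breaches(exceedance_prob, years):
    """Average number of breaches over the horizon."""
    return exceedance_prob * years


def sample_losses(n, seed, mu=math.log(10.0), sigma=0.5):
    """Constructed annual losses: lognormal with median 10 (assumption)."""
    rng = random.Random(seed)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


if __name__ == "__main__":
    history = sample_losses(10_000, seed=1)   # data used to set the limit
    limit = calibrate_limit(history, 0.10)
    future = sample_losses(1_000, seed=2)     # the next 1,000 years, same risk profile
    print(f"limit {limit:.2f}; breached in {count_breaches(future, limit)} of 1000 years")
    print(f"10-year plan: P(at least one breach) = {prob_at_least_one_breach(0.1, 10):.2f}, "
          f"expected breaches = {expected_breaches(0.1, 10):.1f}")
```

With an unchanged risk profile the limit is breached in roughly one year in ten, and over a ten-year business plan there is about a 65% chance of at least one breach. A breach on its own is therefore evidence that the calibration is working as designed; it becomes a risk management failure only if the loss falls into one of the categories below.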

A paper by Rene Stulz (here) is a good reminder that losses may not represent a failure of risk management.  This is particularly the case where “managers [know] exactly the risks they faced―and they decided to take them.  Therefore there is no sense in which risk management failed”.  He goes on further to say that “deciding whether to take a known risk is not a decision for risk managers.  The decision depends on the risk appetite of an institution.” 

This is consistent with the practitioner’s view as expressed by James Tufts, Group CRO of Guardian Financial Services, expressed in a guest post in this blog: “[T]he objective of the ‘Risk Function’ should not be ‘risk management’.  That’s a business objective.  The objective of the ‘Risk Function’ is to provide the ERM [Enterprise Risk Management] framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.”

There may be risk management failures nevertheless and Stulz’s paper goes on to provide a useful classification:
  1. Mismeasurement of known risks  
  2. Failure to take risks into account 
  3. Failure in communicating the risks to top management 
  4. Failure in monitoring risks 
  5. Failure in managing risks 
  6. Failure to use appropriate risk metrics
I find these categories rather intuitive and I wonder how they can be used in practice.  There is an increasing regulatory expectation of formal assessment of the effectiveness of risk management and these categories could usefully feed into that process in two complementary ways. 

Firstly, banks and insurers track a range of risk events/incidents.  It would be useful to consider whether reported incidents fall into any of the above categories.  Alternatively, they may simply be consistent with risk appetite.

Secondly, insurers and banks using an internal model are expected to use it to support a profit and loss attribution.  This means explaining actual profits and losses by reference to the output of the internal model and the risk categories considered.  It would be interesting to consider whether the losses arise from changes in values consistent with risk appetite or from any of the reasons set out above. 

The above might seem a simple idea, but learning from failures, or from risk management failures in this case, is usually anything but simple.


Friday, 27 February 2015

The Three Lines of Defence: An Enforcement Perspective


Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interest between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The FCA’s account of the case looks at the performance of each line of defence and sets out the observed failures, which provides a useful checklist.  

1. Weaknesses in the first line of defence 
  • unclear split of responsibilities between first and second line of defence 
  • failure to implement appropriate controls  
  • lack of system to capture the relevant information 
  • weaknesses in management information produced 
  • culture focused on performance together with performance management that often overlooked the importance of risk and controls  
2. Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3. Weaknesses in the third line of defence  
  • unclear process to accept the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
  • lack of testing of the closure of audit issues
This characterisation of systems and controls around the three lines of defence is not new in itself; what is new, in my view, is its explicit recognition in an enforcement case.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Monday, 12 January 2015

Hunting Elephants: The Ultimate Frontier for Enterprise Risk Management (ERM)?


One of the aspects of implementing ERM is putting in place an approach to consider its effectiveness.  A combination of approaches is typically suggested for this purpose, including a consideration of the approaches adopted and evidence of the risk culture.  

An alternative would be to establish whether the implementation of ERM ensures that the appropriate conversations about risks are taking place in the business.  The elephant is the proverbial unspoken element of a discussion – about risks, in this case. 

An interesting paper from a working group of the UK Institute of Actuaries entitled ‘Risk: Elephants in the Room’ looks into the causes that may explain why conversations about risks have not been happening effectively in insurers.  (Click here for the paper.) 

The paper identifies two main reasons why these conversations may not be taking place:

1.     There is limited understanding of the underlying issues. 

This could result from a limited depth of knowledge on the relevant subject.  I suppose this is the typical regulatory concern about insurers investing in new types of assets or venturing into non-core areas.

The paper offers a good list of examples of typical elephants (pages 7 to 9) which could help senior management self-check whether something has been missed.  It also outlines two approaches to identify elephants – based on risk lineage and scenarios – which seem a useful starting point.

2.     ‘Soft’ factors prevent risk discussions from happening or limit their effectiveness, even where risk elephants are known.

The paper identifies a number of such ‘soft’ factors: 
  • risk culture prevents free and open discussion about risks; 
  • complexity of the underlying issues can alienate the audience;
  • the regulatory perspective sometimes associated with risk tunes out executives;
  • over-reliance on quantification; after a risk is quantified the level of oversight diminishes, which is particularly risky for low-frequency and high-severity risks;
  • risk universe bias; an elephant can be a risk that does not fit into one of the existing risk categories.
Two practical implications from this paper strike me:

1.     A risk function should have appropriate resources to identify relevant elephants.

This would require a combination of internal and external resources.  For example, if an insurer chooses to invest in alternative assets, it should develop appropriate expertise in the area.  However, the risk function may need external support to ensure that elephants in other areas are also identified.

2.     Consider the ‘soft’ factors that may hamper the effectiveness of risk discussions, and risk management more generally.

This consideration of soft factors should be part of an ERM implementation.  However, it should also be part of any assessment of the operational effectiveness of the risk function.

What do you think?  Do you have any thoughts on these suggestions about risk elephants and their identification? 
