Delegating Decision Making to AI Tools – Choices and Consequences*

Sometimes when I hear about Artificial Intelligence (AI) tools it seems like it is all about the technical details of the model and the data, which is certainly very important. This post is about another important aspect: the operating model in which the AI tool will operate.

There are many aspects of such an operating model.  Some are practical, such as ensuring that the tools integrate with other parts of the business.   In this post, I am focusing on the delegation of decision making to the AI tool – the choices that exist in most cases and the implications for the control environment.  These are summarised in the figure below.

At one extreme of the delegation of decision making, you have AI tools that operate independently of human intervention.  An example is algorithmic trading or an automated trading system which trade without any human intervention to use the speed and data processing advantages that computers have over a human trader.  Interestingly, this also represents one of the few prescriptive examples of PRA intervention where it requires that a human has the possibility of stopping the trading system.^[1]

At the other end of the spectrum, there are AI tools used by experts in a professional environment.  For example, actuaries might use machine learning techniques to undertake experience analysis and support reserving work.

Between these two examples, you have AI tools that provide a forecast or recommendation for consideration by an analyst.  For example, the AI tool could provide a credit rating that validates a rating derived using more traditional methods.

Another middle of the road alternative is ‘management by exception’.  This means that the AI tools have a degree of autonomy to operate within a ‘norm’, which is inferred from historical data.  Cases that are outside the norm are then referred to an analyst for consideration to improve and verify the predictions. 

These are business choices and in turn have implications for the development process of AI tools.   You would expect controls around data and model documentation in all cases.  But broadly speaking you would also expect a tighter control and a more intense validation for AI tools that operate more independently of human intervention.  This includes the depth of model’s understanding, including:

• explainability – why did the model do that;
• transparency – how does the model work;
• the impact on customers – e.g., the difference between Netflix recommendations and credit card underwriting.

The choices of operating model also have important implications for staff training.  AI tools operated by staff that have not been involved in its development must be trained to the appropriate level to ensure that the AI tool operates effectively.  For example, where ‘management by exception’ is adopted, staff would need the appropriate knowledge and skills to deal with the exceptions.

There are important choices for the operating model into which AI tools are deployed.  These choices have risk management and control implications and these choices may change over time.  An AI tool might start operating in an advisory capacity.  As trust in the AI tool increases then the delegated decision making can be increased.

These implications and choices should be considered as part of the model design.

We hope you found this post of interest. You can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.

---

*  This post is based on my contribution to a virtual panel discussion organised by ActuarTech on AI Governance & Risk Management.

[1] Prudential Regulation Authority (PRA), Algorithmic trading, Supervisory Statement, 5/18, June 2018.

Operational Resilience

By Shirley Beglinger, Advisory Board Member, Crescendo Advisors

In today's interconnected financial world, "organisational resilience" must be taken to mean much more than just "a fully tested disaster recovery plan". Regulators are requiring boards to see beyond the walls of their own firm and identify its position in the economic, IT and service-delivery ecosystem with an emphasis on important services provided. This is a completely different perspective on risk.  Boards and CROs need to reconsider many tried and tested risk methodologies and metrics.

In reviewing the drivers of potential operational disruption, the CRO may identify several which are difficult or expensive to address. "Reliance on legacy infrastructure" for example will likely lead to a lengthy boardroom discussion of the expense and dangers of IT integration projects. Supply chains and data sharing quickly lead to the realisation that even if the firm's own arrangements are top-notch, there are probably other firms in their ecosystem who may not have the same level of preparedness.

Having identified potential sources of disruption, the board must then quantify potential costs (internal and external) and assess the ability to recover from severe and plausible scenarios of operational disruption and compare these with the firm's stated tolerance for operational disruption. Where necessary, remediation plans must be put in place.

While no board member wishes to explain to the regulator why their firm was the first domino in the ecosystem to fall over, such far-reaching change needs to be carefully managed.  To implement these requirements firms will benefit from a pilot that enables them to develop an understanding of the steps that would be required.  This will be less disruptive and more beneficial than a firm-wide initiative.

However, the need to scale up means that firms will need to identify or acquire in-house "resilience capabilities". A key aspect of the output from a successful pilot project would be to identify exactly what capabilities are required and how they can best be embedded within the firm's business.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.

The Curse of Risk Appetite

In this post, I go back to one of the fundamental aspects of an ERM framework: risk appetite. ‘The Curse of Risk Appetite’ is part of the title of an interesting paper reviewing the misuses of risk appetite.[1] Some of the misuses described in the paper might sound familiar, but perhaps the key point to take away from the paper is that there is a potential for risk appetite to become synonymous with ‘a consideration of risk’. I am not sure this was ever the intention. 

The paper includes several useful suggestions to enhance risk appetite. They are focused on the long-run value of the firm and on the structure of risk appetite statements, reflecting a view that risk is the likelihood of falling below critical levels of performance. However, my attention was really caught by the authors’ suggestion to improve the organisational process for risk management. They suggest that a risk function’s role should be defined to include responsibility for evaluating the combined effect of strategic initiatives and capital budgeting on the firm’s overall risk profile.

On one level, this prescription is consistent with the view that the aim of the risk function should be to ‘protect and enable’, with the emphasis on the ‘enable’ aspect which sometimes gets overshadowed by ‘protect’. I am attracted to this suggestion because it turns a vision into a practical requirement that can be incorporated into an articulation of roles and responsibilities for a CRO or risk function. 

If, however, this was implemented literally in UK financial services, I suspect there would be an issue with regulators’ expectation about the independence of the risk function (second line of defence) from the business (first line). 

A similar outcome could be reached by clarifying that the role of the CRO/risk function includes providing a risk opinion in the early stages of the consideration of major strategic initiatives that have the potential to alter the business’s risk profile. The emphasis on timing is important. Providing a risk opinion only when major strategic initiatives are presented for approval is unlikely to add value. A CRO/risk function opinion in the early stages is likely to support consideration of the details of the initiatives and how they can be shaped to strike the appropriate balance between risk and return.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here. 

---

[1] Alviniussen, Alf and Jankensgård, Håkan, The Risk-Return Tradeoff: A Six-Step Guide to Ending the Curse of Risk Appetite (May 7, 2018). 

Risk Assurance: The Challenge Ahead

I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.

By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.

The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:

• the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
• the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc) and aggregate risks.

Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.

I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.

Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:

• internal audit functions already provide assurance about the overall control environment;
• from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.

In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.

I would be interested to hear your thoughts.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. 

Artificial Intelligence and Machine Learning in Financial Services: Implications for Credit Risk Management

A recent paper from the Financial Stability Board[1] considers the implications for artificial intelligence (AI) and machine learning in a number of financial services sectors, including credit risk.

The paper includes a useful section on background and definitions, and provides a clear reminder that these tools identify patterns and correlations rather than causality. I suspect that we will need to be reminded of this distinction more and more, as these tools are being used to explore complex relationships. 

When it comes to credit risk scoring, the FSB is clear that AI may help to make lending decisions quicker. However, regulators are not persuaded that AI credit scoring models outperform traditional models – or at least, “it has not been proved”. For example, a recent paper from Moody’s[2] compares the performance of their own credit scoring model for corporates against three machine learning approaches. Moody’s finds that, on average, the accuracy levels of the four models are comparable, and notes that the key to enhancing credit scoring models is data.  

The FSB notes that the deployment of these AI tools would also allow access to credit to people or businesses whose creditworthiness cannot be reliably assessed through traditional credit scoring models. The FSB believes that this would be a positive development for countries with shallow credit markets (emerging markets?), though less positive for countries with deep credit markets (developed markets?). You have been warned…

Regulators are also concerned with the overall auditability of artificial intelligence models used for credit scoring and the wider impact on credit risk governance. There is an important dimension here about how the model is used in business. Is it operating with some human oversight? This is an important issue for business culture as it forces a consideration of who is ultimately in control. I suspect that the distinction between retail and commercial lending in terms of volume of transactions may become important; the volume of retail transactions might make human oversight more challenging. 

Where does that leave the CEO, CFO or CRO of a bank contemplating the use of AI tools? Here are a few suggestions: 

1.  Have a shared view of the expected business outcomes from deploying AI tools.

2.  Keep monitoring credit risk exposures and alignment with risk appetite even more intensively, as the AI tool might have unintended effects.

3.  Focus on the auditability of the AI tool and its impact on credit risk governance.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. 

---

[1] Financial Stability Board, “Artificial intelligence and machine learning in financial services. Market developments and financial stability implications”, Nov 2017.

[2] Bacham, D and J. Y. Zhao, “Machine Learning: Challenges Lessons and Opportunities in Credit Risk Modelling”, Moody’s Analytics Risk Perspectives, July 2017.

Brexit - implications for insurers

The European Commission has issued today a note setting out the practical implications for insurers as a result for Brexit.  There are specific impacts for group internal models, branches, intermediaries and reinsurers.  For the full document, follow this link.  

I would be happy to discuss further the implications for your company.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. 

Risk Reviews: Not 'a Bridge Too Far'

The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 

The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 

The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Out Outsourcing?

Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions which will also need to articulate how their oversight relates to the various companies.

2.  The outsourcing arrangements are documented appropriately in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include determining the different roles of people and teams probably sitting near each other.

3.  The legal form of the outsourcing provider does not matter.  A JV form that effectively provides an outsourcing activity should also be treated as outsourcing. 

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis but I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.

Risk Management Lessons From the Co-op Bank's Demise

One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 

One of the key points for the press was the regulators decision to waive any financial penalties, reflecting the financial conditions of the Coop Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers: 

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceases to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009. 

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and while they may not be critical when taken individually or addressed within a short period of time, it is the cumulative impact that had the effect of bringing the Co-op bank's demise.    

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Is the Governance Map Also the Territory?

One of the financial crisis’s lessons for regulators has been discovering the ‘accountability firewall’ of collective responsibility which prevents actions against individuals even if they are approved for specific roles.  This was one of the lessons from the UK Parliamentary Commission on Banking Standards from 2013.

UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurance.  The UK has had a regime of approved persons for some time.  The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management.  For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them.  It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’.   As with all good ideas, it is simple.  The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.  

The list of responsibilities is long.  For example, the list for insurers is as follows:

1.       ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;

2.       leading the development of the firm’s culture and standards;

3.       embedding the firm’s culture and standards in its day-to-day management;

4.       production and integrity of the firm’s financial information and regulatory reporting;

5.       allocation and maintenance of the firm’s capital and liquidity;

6.       development and maintenance of the firm’s business model;

7.       performance of the firm’s Own Risk and Solvency Assessment (ORSA);

8.       induction, training and professional development for all the firm’s key function holders;

9.       maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;

10.   oversight of the firm’s remuneration policies and practices.

For banks, there is no direct equivalent to 7 even if there is an ICAAP.   However, the list includes the following additional responsibilities:

1.       funding is also mentioned in 5. above as well as an additional responsibility in respect of the bank’s treasury management functions;

2.       developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;  

3.       managing the firm’s internal stress-tests and ensuring the accuracy and timelines of information provided to the PRA and other regulatory bodies for the purpose of stress testing; 

4.       safeguarding the independence of and overseeing the performance of the compliance function, internal audit and risk function respectively; these are three different responsibilities.

There are some interesting differences between banking and insurance.

The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach.  In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area. 

Firms’ senior managers will spend time discussing the mapping of responsibilities.  This may well be the easy part.  Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.  For some responsibilities there will processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA.  In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken.  What should be done to prove that ‘firm’s culture and standards’ are developed and embedded?  

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Securitisations and Solvency II: An opportunity? Or one to be missed?

To put it mildly, securitisations did not a get a good reputation as a result of the financial crisis.  Things are now changing.   This is illustrated well in a discussion paper from the Bank of England and the European Central Bank extolling the virtues of securitisations (here).    It is difficult to disagree with the key message; securitisations can be a win-win transactions that enhances the ability to redistribute risks more efficiently in the economy while enabling institutional investors to access a wider pool of investment.  

The Solvency II Delegated Acts (‘implementing measures’) built up a more favourable capital treatment for securitisations.  It is now recognised as a category of its own for the purposes of spread risk.  This evolution can be evidenced in the Commission’s Impact Analysis published at the time of the publication draft Delegated Acts (here).  As recognised in the Delegated Acts, this even includes recognising the name ‘securitisation’ instead of the name used in the Solvency II Directive in 2009: ‘investment in tradable securities or other financial instruments based on repackaged loans’.

As one would expect, the calibration of the standard formula spread risk for securitisation reflects the maturity of the exposure and its credit rating.  However, there is an interesting innovation.  The Delegated Acts identify two types of securitisation exposures: ‘good’ and ‘bad’, or in policy terms, type 1 and type 2.  The criteria are set out in the Delegated Acts and are quite detailed.  

Exposures of type 1 must meet 20 conditions including a rating of ‘BBB’ or above, the seniority of the exposure in the securitisation, SPV arrangements, listing in an OECD or EU exchange, and backing by residential loans, commercial loans or auto loans and leases.   The list of conditions is somewhat shorter for securitisations that were issued before the Delegated Acts came into force. Type 2 securitisations are simply those not meeting these criteria.  

Figure 1 shows the significant difference that meeting the conditions for type 1 makes to the capital charges.  It is a noticeably a more important consideration than the rating or maturity of the exposure.  

Figure 2 shows an alternative view of the spread risk capital requirements for type 1 securitisations compared against the equivalent ones for corporate bonds of equivalent ratings.   The differences aren’t that large in particular for short maturities.

All this raises a number of interesting considerations for an insurer’s capital management strategy. 

Firstly, there may be tactical adjustments where insurers find that they are holding type 2 securitisation paper as part of the Solvency II implementation work.  In this case, the insurers may seek to dispose of these investments before 1 Jan 2016 to avoid the capital increases that Figure 1 suggests.  However, given insurers’ relatively small holdings of securitisations, this may not be a material issue.

The bigger issue is the extent to which there is an appetite to consider the capital treatment of type 1 securitisation as a more strategic opportunity and readjust investment strategies.  Indeed, would it be possible to do so before 1 Jan 2016 to enhance the matching of cash flows of annuity liabilities and subject to Matching Adjustment? 

In any event, Figure 2 above suggests that there may be an interesting question about the risk and return trade-off of corporate bonds versus type 1 securitisations.  Would the returns from securitisations be sufficiently higher to justify the additional capital requirements?  Figure 2 suggests that for low maturities, e.g. up to 7 to 10 years, this could be finely balanced in particular for ‘BBB’ bonds.  If so, would insurers be willing to tilt their investment strategies to include more type 1 securitisation?  The answer to this question requires appropriate consideration, cash-flow matching including risk appetite, stress testing and governance.   

However, even if the risk and return trade-off mentioned above appears appropriate, it seems that there may be a limited supply of type 1 securitisations.  If so, there would be a limited opportunity for insurers in the short to medium term.  This would be more of an opportunity for investment banks to structure securitisation transactions.

This post is part of a series of posts on Solvency II.  To see the list, click here. 

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Reverse Stress Testing (RST): The Return of ‘Adequacy’

RST is one of the additional challenges that financial regulators have added following the financial crisis.  I spoke today on the subject at an event organised by the Institute of Risk Management. 

The effective implementation of RST builds on the articulation of the underlying business model.  This is something that UK supervisors have put on the agenda recently to signal a more holistic approach to supervision.  I have written a number of posts on the subject which you can access here.   

There are a number of challenges to deliver a RST.  The return of ‘adequacy’ might seem an odd title for my presentation.  It seeks to convey a simple message about the main challenge of RST: the assessment and judgement about the resilience of the business model.  It’s a ‘return’ because the term ‘adequacy’ used to be more prominent.  You may remember the Capital Adequacy Directive before it became the Capital Requirement Directive.  Anyway, the graph below seeks to illustrate the challenge of adequacy, which also serves to bring on a page the various stress and scenario tests that banks and insurers are considering on a regular basis. 

The key message from the graph is that if business failure scenarios are ‘close’ to the 1-in-200 scenarios, the adequacy of the business model and the strategy could be challenged.  Management may need to consider how to mitigate the risks to the business model. 

The full set of slides is available here.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox.  

Stress Testing: Reporting or ‘So What’?

The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.   

Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises. 

In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them. 

There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reduction in costs and dividend.  Furthermore, the BoE clarified that they did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impacts, specifically no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.  

In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?

A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

	‘Internal’	‘External’ / BoE
Purpose	Identifying vulnerabilities and addressing them	Evidencing overall resilience
Focus	Lines of business/ business units	Enterprise wide

Given the BoE’s intention to continue stress testing and make them an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing. 

Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis. 

Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation which would be reflected in the next stress testing for the BoE.

In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.

You can subscribe to future posts here.