
Monday, 27 January 2020

Operational Resilience


By Shirley Beglinger, Advisory Board Member, Crescendo Advisors

In today's interconnected financial world, "organisational resilience" must be taken to mean much more than just "a fully tested disaster recovery plan". Regulators are requiring boards to see beyond the walls of their own firm and identify its position in the economic, IT and service-delivery ecosystem with an emphasis on important services provided. This is a completely different perspective on risk.  Boards and CROs need to reconsider many tried and tested risk methodologies and metrics.

In reviewing the drivers of potential operational disruption, the CRO may identify several which are difficult or expensive to address. "Reliance on legacy infrastructure", for example, will likely lead to a lengthy boardroom discussion of the expense and dangers of IT integration projects. Supply chains and data sharing quickly lead to the realisation that even if the firm's own arrangements are top-notch, there are probably other firms in its ecosystem that may not have the same level of preparedness.

Having identified potential sources of disruption, the board must then quantify potential costs (internal and external) and assess the ability to recover from severe and plausible scenarios of operational disruption and compare these with the firm's stated tolerance for operational disruption. Where necessary, remediation plans must be put in place.

While no board member wishes to explain to the regulator why their firm was the first domino in the ecosystem to fall over, such far-reaching change needs to be carefully managed.  To implement these requirements firms will benefit from a pilot that enables them to develop an understanding of the steps that would be required.  This will be less disruptive and more beneficial than a firm-wide initiative.

However, the need to scale up means that firms will need to identify or acquire in-house "resilience capabilities". A key aspect of the output from a successful pilot project would be to identify exactly what capabilities are required and how they can best be embedded within the firm's business.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.



Thursday, 1 August 2019

ERM in Three Lines*



One of the challenges with enterprise risk management (ERM) is how much is written on the subject.  I find it useful to identify the key components.  This provides a structure to sort out the detailed views and comments, though it is also more than that. If you are a busy CRO or senior risk leader, identifying the key components enables you to take stock and think about challenges and improvements that may be relevant to your priorities. 

Here is an attempt to sum up ERM and provide that clarity in three headlines.

1. A vision of the ERM purpose

My preference for financial services is ‘protect and enable’. This highlights that risk management is more than just about avoiding the downside; it is about how risk management supports decision making, including the role of the CRO in that decision making. (More on ‘protect and enable’ and different views from practitioners shared on Crescendo Advisors’ blog are available here.)

2. An articulation of how to deliver and embed ERM in the business

This is your ERM framework, roles and responsibilities, policies, and risk appetite. They must provide the right balance between the level of detail and clarity to create a durable product and support business implementation.

3. Evidence of the outcomes of vision and articulation of ERM (1 and 2 above)

This is the outcome of the ERM, i.e. the assurance that is provided to the Board. This means that a feedback mechanism that supports improvement is in place. This is partly about risk or thematic reviews, but it also represents a wider perspective that involves 1st line and 3rd line as well. I also find that focusing on assurance is more ‘real’ than a discussion on the extent to which processes are implemented or embedded.

At the risk of oversimplifying, here is my own take on the UK insurance business position on these three aspects:
  • The articulation of the ERM vision is progressing but there is still work to be done. There is a sense that, broadly speaking, people operate according to the ‘protect and enable’ vision without articulating it as clearly as it could be.  
  • Good progress has been made articulating how to deliver and embed ERM in businesses; all businesses have ERM frameworks and policies in place.  Some are considering external reviews after the frameworks have been in place for some time.  
  • The biggest challenge ahead is evidencing ERM implementation and providing structured assurance to the Board about ERM expectations. This is a challenge for the risk management function (risk reviews?), first line (business and control reviews?) and internal audit (coordinate with first and second line?).  Please get in touch if you want to receive a paper with initial thoughts on this challenge.

Do you agree with these views about the insurance sector in the UK? How about banking and asset management? How is this seen in other countries?

*  No pun intended about the three lines of defence.


Monday, 27 May 2019

The New and the Old in Risk Management


I have been writing about the new and the old in risk management over the past year. This starts with the slow pace of adoption of FinTech by incumbents in financial services. I have suggested that an important component of the change needed includes incumbents amending and enhancing risk management frameworks to reflect new FinTech innovations. (See my last post on the subject.)

Recently, I came across an article from McKinsey that makes a similar point in the context of model risk and the adoption of artificial intelligence (AI) and machine learning. It turns out I am in good company! 

McKinsey’s article notes that banks have developed and implemented frameworks to manage model risk, including model validation reflecting specific regulatory frameworks, in this case from the US Federal Reserve (here). They recognise that the implementation of these frameworks is not appropriate to deal with the model risk associated with AI and machine learning. Banks are therefore proceeding cautiously and slowly introducing new modelling approaches even when these are available.

The article then shows how a standard framework for model risk management is used to identify extra considerations required for this framework to cover appropriately AI and machine learning models.  The key message is that the challenge of adopting AI and machine learning can be addressed through a careful consideration of existing approaches. 

Two further thoughts from McKinsey’s article. Firstly, the article rightly refers to model management rather than validation. It is always useful to reiterate that model validation undertaken by the risk function is just a component of how models are managed in the business. Secondly, model management should not apply only to internal models used to calculate regulatory capital, but should apply more widely to models used in the business such as those used for pricing, valuation of assets and liabilities.

The article ends with a cautionary tale of an unnamed bank where the model risk management function took initial steps to ready itself for machine learning models on the assumption that there were none in the bank. It then discovered that an innovation function had been established and was developing models for fraud detection and cybersecurity.


Wednesday, 3 April 2019

Risk Management as Infrastructure for Artificial Intelligence and FinTech


During 2018, I wrote several posts about FinTech, Artificial Intelligence (AI) and risk management.  I was kindly invited to present to the Network of Consulting Actuaries, and I chose to use this opportunity to consolidate my views on the subject.

There were several ideas flowing through my mind.

Firstly, informal evidence suggests that, for all the hype, FinTech and AI have not yet become mainstream in insurance or in financial services more generally.

Secondly, the largest business transformation arising from FinTech and AI is the adoption of these technologies by incumbents.  Indeed, I explored this in the context of banking through the group project at the Oxford FinTech Programme I completed in December 2018.

Thirdly, someone who works for a multinational insurer made the observation during an InsurTech event in London that as a regulated entity, the insurer has responsibilities and obligations towards their customers and must follow due process before they roll out new technologies.  There was a hint of an apology in this observation to the nimble start-ups in the audience.

Putting all these thoughts together led me to see the main challenge to the adoption of FinTech by incumbents as governance, including how risk management is applied in practice.  If the aim of risk management is to ‘protect’ or block, then the incumbent does not have an obvious lever to support the introduction of AI tools and FinTech.  

If, on the other hand, the aim of risk management is perceived as to ‘protect and enable’, then risk management can be part of the solution.  Risk management can lead to the creation of necessary infrastructure to ensure that AI tools achieve their transformational potential.  This includes articulating a vision of how a control framework should be leveraged, considering the impact of FinTech and AI on risk management frameworks, focusing on explainable AI, and articulating the implications for the target operating model.  This will facilitate incumbents’ adoption of FinTech and AI.  

Take a look at the presentation I gave (here) for a more detailed articulation of these points.


Wednesday, 10 October 2018

This Time is Different - The Digital Revolution

The August issue of Central Banking, a journal, includes my review of a book about the digital revolution by Chris Skinner.  It is a fascinating book that can change pre-determined views.  You can read the review here or below.

This Time Is Different: A book review of Digital Human by Chris Skinner, Marshall Cavendish (2018)

Mr Skinner has written two books on FinTech and banking (Digital Bank and ValueWeb), and now Digital Human is his third. This represents an opportunity to take a step back and consider some of the bigger questions about FinTech. How much of a change could this represent for banking? For financial services? For society?

His main argument is that digitalisation has reduced the cost associated with a minimum viable product beyond recognition for nearly anything in financial services. One way of looking at FinTech is as ‘one big bucket of finance and technology’ with a range of technologies from InsurTech (based on artificial intelligence) to digital currencies, with mobile wallets and peer-to-peer lending in between. Indeed, one could make the argument that it should be called ‘TechFin’ instead. However, it is possible to make overall sense of these technologies by distinguishing between those that challenge existing business structures and those that create new ones. 

One of the main aspects of the digital revolution with respect to banking is the differential effect between the (developed) West and developing world. Surprisingly, it is not in the direction you might expect. For the West overall, FinTech represents a challenge to existing business structures. Current IT systems took shape in the 1970s and 1980s at a time when now-ubiquitous ATMs were first introduced. While the front-ends of these systems have changed over time, the core architecture has not. As Mr Skinner points out, CEOs invest significantly in systems maintenance to pass on to the next CEO rather than overhauling technology. I was left wondering if this might also be a reflection of misplaced risk aversion that contributes to the relatively short tenure of CEOs.

There also seems to be a potentially systemic issue arising from the natural ageing process of the programmers who can still write code in the language of the legacy systems (COBOL). Mr Skinner observes that more than 50% of COBOL programmers are over 45 years old, so the challenge of maintaining legacy systems is not going to get any easier.

However, the real challenge does not seem to be adopting new technologies but the vertically integrated business model of banking or, as Mr Skinner puts it rather eloquently, being ‘control freaks in a proprietary operation building everything themselves’.  As usual, technology enables the challenge but does not help the incumbent figure out how the business model should evolve and how to remain profitable. Mr Skinner offers two suggestions. The first is leveraging on its capital, history and brands and repositioning the business as a trusted party that can select specialised providers, like Amazon Marketplace. The second is leveraging on the data and focusing on advice and data analytics.

Indeed, there seems to be a change in emphasis in FinTech. Between 2010 and 2014, the focus was on disrupting existing banking business models and unbundling. Since 2014, the focus has shifted to collaboration with more dynamic banks leveraging on their customers’ reach and capital.
Perhaps the key point to emphasise is that the regulatory framework has already adapted to some extent, at least in the EU where Open Banking is already a reality because of EU directives.

If you don’t work full time in FinTech, it is difficult to form an impression about how far these trends could go.  (Yes, I know there are forecasts, but they are merely forecasts.) This is where the other part of the book is particularly useful.  

In the developing world, banking tends to be restricted to affluent clients. FinTech does not challenge major incumbents; rather, it represents more of a development opportunity. FinTech allows for servicing relatively small transactions (by Western standards), which is compensated through a relatively large number of transactions. In this way, financial inclusion becomes a business and stops being a form of charity.

Mr Skinner illustrates extensively how far and deep these trends are going. In sub-Saharan Africa, mobile banking and e-wallets lead with the overall number of accounts growing fivefold between 2011 and 2016, reaching around 275 million accounts out of 420 million mobile subscribers. Interestingly, use is not evenly spread. Institutional design continues to matter even in the age of FinTech. In some countries, these developments are led by mobile network operators and in others by banks. Some countries actively encourage partnership and agreements to enable domestic and cross-border money transfers cheaply.

This is not just a matter of convenience. If you cannot get paid reliably and must rely on cash, there is a limited number of business opportunities that can thrive. The case study of China’s Ant Financial is therefore fascinating. It starts with a problem of trust between buyers and sellers that limited the development of e-commerce, and evolved into what we now call electronic payments. One of the lessons of this is really about the central role that the consumer plays. The business scale is staggering: in 2016, the value of transactions on the peak day (called Singles’ Day) was double the amount transacted on the US’s Thanksgiving Day, Black Friday and Cyber Monday together. It’s not just payments, as there seems to be an emerging pattern that starts with electronic payments and moves to managing money, and Ant’s money market fund is already larger than JP Morgan’s US Government money market fund.

And what about society? Living longer, 3D printing, the Internet of Things and conquering space may well change how we live. I am sure you have heard before the old dictum that this time is different. Perhaps this time it is indeed, if only for banking because of FinTech.

Monday, 14 May 2018

Lessons from Bank Recovery and Resolution


The latest issue of the Central Banking Journal includes my review of a book about the Euro Crisis in Cyprus written by Panicos Demetriades, who was Governor of the Central Bank of Cyprus at the time.   It is a fascinating book with insights about the challenge of bank recovery.   You can read the review here or below.

Book Review: A Diary of the Euro Crisis in Cyprus: Lessons for Bank Recovery and Resolution by Panicos Demetriades, Palgrave Macmillan, 2017

This book is about Panicos Demetriades’ tenure as Governor of the Central Bank of Cyprus between May 2012 and April 2014. It covers the banking crisis that hit Cyprus, the banks’ resolution and the wider lessons learned from the event. Reading this book felt in some ways like a simultaneous reading of Gabriel Garcia Marquez’s novel, Chronicle of a Death Foretold, and an economics-based thriller like Murder at the Margin by Marshall Jevons.

The book begins with Demetriades’ appointment as Governor of the Central Bank of Cyprus. You know from the beginning how it ends: Demetriades resigns as Governor. This is a manifestation of the challenge that Central Bank independence represents; banking resolution is the specific context in which the Central Bank’s independence is tested. In fact, writing this sentence already reveals one of the underlying issues: the only feature of Central Banks’ independence enshrined in European treaties is the independence of the Governor of the Central Bank.

As Demetriades discovered, there are ways to limit the practical independence of the Governor such as appointing (or firing) Deputy Governor(s), creating new Executive Directors with a seat on the Board whose roles are determined by the Board rather than the Governor, and requiring Board approval for bank licensing and amendments to existing licenses. These might look like arcane corporate governance issues, but they do matter, especially when independence is most needed, i.e. in times of financial crisis. Interestingly, the European Central Bank (ECB) and the Commission witnessed these changes but had limited powers to intervene other than expressing concerns through legal opinions.

Demetriades also plays a detective role and explains how the crisis in Cyprus came about. It is interesting that the origin of the crisis is traced back to the country’s business model – an offshore financial centre for wealthy Russians and Eastern Europeans, supported by a network of lawyers and introducers to banks. Like many of you, I have seen the term business model applied to companies, but this is the first time I have seen it applied to describe a country. This suggests to me that avoiding the crisis would have required a very tough regulatory stance, and that it would have happened sooner or later, regardless of the Euro crisis.

The book identifies the trigger event for the crisis.  Interestingly for me, someone who works in risk management, the trigger is the decision of Cyprus’ two main banks to invest most of their equity capital in Greek debt in the spring of 2010, when Greece was being downgraded. This resulted in losses in excess of €4 billion.  As Demetriades notes, this decision ignored the fundamental relationship between yields and risk, and the diversification of investments.

There were also challenges for international institutions in the troika. There are a number of references to the IMF analysis of debt sustainability and the assumptions underpinning it. A debt to GDP ratio of 100% was assumed to be sustainable for Cyprus, compared to 120% for Greece. In Demetriades’ view, this made the bail-in for Cyprus larger than might have been necessary. 

Demetriades’ tenure as a Governor of the Central Bank spanned a right-wing and a left-wing government. You might have preconceptions about which government would find the notion of an independent Central Bank more challenging. In fact, both governments found it equally challenging because of national pride and voting considerations. These challenges weigh heavily on Demetriades who concludes the book with a stark warning about the future of the Euro, which is in fact relevant to all the members of the Eurosystem: ‘[P]opulism, if left unchecked, can shake the foundations of the monetary union beyond the point of repair’.

While the book is entitled ‘a diary’, don’t let that word put you off. It is much more than a personal diary.

Just as I did when reading Chronicle of a Death Foretold, I wondered if Demetriades could have done something to maintain the independence of the Central Bank and avoid the clash that led to his resignation. I could not identify anything.




Friday, 26 February 2016

Risk Reviews: Not 'a Bridge Too Far'


The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 
The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 
The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   


Monday, 21 December 2015

Out Outsourcing?


Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions which will also need to articulate how their oversight relates to the various companies.

2.  The outsourcing arrangements must be documented appropriately and in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include determining the different roles of people and teams probably sitting near each other.

3.  The legal form of the outsourcing provider does not matter.  A joint venture (JV) that effectively provides an outsourcing activity should also be treated as outsourcing.

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.

Monday, 16 November 2015

Risk Management Lessons From the Co-op Bank's Demise


One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 
One of the key points for the press was the regulators’ decision to waive any financial penalties, reflecting the financial condition of the Co-op Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers:

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not an end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceased to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009.

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and, while they may not be critical when taken individually or addressed within a short period of time, it is their cumulative impact that brought about the Co-op Bank's demise.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Monday, 6 July 2015

Is the Governance Map Also the Territory?

One of the financial crisis’s lessons for regulators has been discovering the ‘accountability firewall’ of collective responsibility which prevents actions against individuals even if they are approved for specific roles.  This was one of the lessons from the UK Parliamentary Commission on Banking Standards from 2013.

UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurance.  The UK has had a regime of approved persons for some time.  The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management.  For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them.  It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’.   As with all good ideas, it is simple.  The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.  

The list of responsibilities is long.  For example, the list for insurers is as follows:

1. ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;
2. leading the development of the firm’s culture and standards;
3. embedding the firm’s culture and standards in its day-to-day management;
4. production and integrity of the firm’s financial information and regulatory reporting;
5. allocation and maintenance of the firm’s capital and liquidity;
6. development and maintenance of the firm’s business model;
7. performance of the firm’s Own Risk and Solvency Assessment (ORSA);
8. induction, training and professional development for all the firm’s key function holders;
9. maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;
10. oversight of the firm’s remuneration policies and practices.

For banks, there is no direct equivalent to 7 even if there is an ICAAP.   However, the list includes the following additional responsibilities:

1. funding is also mentioned in 5. above, as well as an additional responsibility in respect of the bank’s treasury management functions;
2. developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;
3. managing the firm’s internal stress-tests and ensuring the accuracy and timeliness of information provided to the PRA and other regulatory bodies for the purpose of stress testing;
4. safeguarding the independence of and overseeing the performance of the compliance function, internal audit and risk function respectively; these are three different responsibilities.

There are some interesting differences between banking and insurance.

The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach.  In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area. 

Firms’ senior managers will spend time discussing the mapping of responsibilities.  This may well be the easy part.  Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.  For some responsibilities there will be processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA.  In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken.  What should be done to prove that the ‘firm’s culture and standards’ are developed and embedded?

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Tuesday, 14 April 2015

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than it seems.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Tuesday, 31 March 2015

Losses Are Not Failures of Risk Management



Well, not necessarily.  But we need to remind ourselves and our stakeholders that that’s really the point.  Losses will happen with a certain regularity.  This is the message of a risk appetite system where the limits are calibrated to a 1-in-10 chance over a one-year horizon.   Whether the implications are really appreciated is a different point.

A paper by Rene Stulz (here) is a good reminder that losses may not represent a failure of risk management.  This is particularly the case where “managers [know] exactly the risks they faced―and they decided to take them.  Therefore there is no sense in which risk management failed”.  He goes on further to say that “deciding whether to take a known risk is not a decision for risk managers.  The decision depends on the risk appetite of an institution.” 

This is consistent with the practitioner’s view as expressed by James Tufts, Group CRO of Guardian Financial Services, expressed in a guest post in this blog: “[T]he objective of the ‘Risk Function’ should not be ‘risk management’.  That’s a business objective.  The objective of the ‘Risk Function’ is to provide the ERM [Enterprise Risk Management] framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.”

There may be risk management failures nevertheless, and Stulz’s paper goes on to provide a useful classification:

1. Mismeasurement of known risks
2. Failure to take risks into account
3. Failure in communicating the risks to top management
4. Failure in monitoring risks
5. Failure in managing risks
6. Failure to use appropriate risk metrics

I find these categories rather intuitive and I wonder how they can be used in practice.  There is an increasing regulatory expectation of formal assessment of the effectiveness of risk management, and these categories could usefully feed into that process in two complementary ways.

Firstly, banks and insurers track a range of risk events/incidents.  It would be useful to consider if reported incidents fall into any of the above categories.  Alternatively they may be consistent with risk appetite.

Secondly, insurers and banks using an internal model are expected to use it to support a profit and loss attribution.  This means explaining actual profits and losses by reference to the output of the internal model and the risk categories considered.  It would be interesting to consider if the losses arise from changes in values consistent with risk appetite or any of the reasons set out above. 

The above might seem a simple idea but learning from failures, or risk management failures in this case, is usually anything but a simple idea.

If you found this post useful, you may want to subscribe and receive future posts by email (here). There will not be many of them.

Monday, 16 March 2015

Stress Testing: Reporting or ‘So What’?


The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.

Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises.

In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them.

There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reductions in costs and dividends.  Furthermore, the BoE clarified that they did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impacts, specifically no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.

In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress, as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?

A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

|         | ‘Internal’                                      | ‘External’ / BoE              |
|---------|-------------------------------------------------|-------------------------------|
| Purpose | Identifying vulnerabilities and addressing them | Evidencing overall resilience |
| Focus   | Lines of business / business units              | Enterprise wide               |
Given the BoE’s intention to continue stress testing and make it an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing.

Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis.

Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation, which would be reflected in the next stress testing for the BoE.

In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.

You can subscribe to future posts here.