Showing posts with label controls. Show all posts

Wednesday, 9 September 2020

Lessons Learnt from Covid-19 ... or Not?

Covid-19 is a health crisis, a business crisis and an economic crisis which has struck the insurance industry hard.

Claims spiked in some areas while volatile financial markets made it almost impossible to steer the investment portfolio, and lockdown measures kept staff at home while struggling to cope with surging call and claim volumes. Meanwhile, there is vocal pressure from some quarters for a “flexible” approach to claims, where “flexible” is shorthand for dishing out large amounts of money for claims which may or may not be covered.  

How has the industry coped, and what lessons has it learned?

To answer that question, Crescendo Advisors carried out a series of structured interviews with a selection of risk and finance professionals from insurance firms. Most of the firms were UK based, with an aggregate turnover of £120 billion in 2019.

Although the firms varied in size and portfolio mix, there was a high degree of consensus in their opinions. Here are Crescendo’s top five findings and conclusions:

  • While most UK firms have weathered the crisis to date, it appears that few did so as laid out in their pre-Covid-19 business continuity planning.  Business continuity plans usually assumed local outbreaks and had to be re-created in the face of a total and global shutdown.
  • All firms who viewed their lockdown experience as ‘successful’ attributed that to excellent, ongoing communication from senior management to all stakeholders;
  • The traditional hostility to staff working from home has changed from “not possible” to “why not?”. Going forward firms expect staff to continue working at least part-time from home, and hence plan on reductions in their office footprint;
  • As remote working and virtual teams have become the post-Covid vogue, the purpose and value of The Office is being critically re-evaluated. It may still be the best place for meetings and staff onboarding, but do we really need all those desks crowded together?
  • With staff working remotely, the cost-benefit dynamic of outsourcing could be changed so that firms will find it beneficial and desirable to bring activities back in-house.

Interestingly, while most participants anticipated the need for a lessons learnt exercise, only one of them acknowledged at the time that his firm was already kicking off such an exercise.

Are insurers perhaps being complacent? They had six weeks to prepare for lockdown and they put the time to good use. By the time staff were required to stay home, many did so with newly acquired laptops and secure connections. The main limitations on productivity came from the lack of suitable home office facilities or from inadequate broadband speeds. The show stayed on the road with remarkably few wobbles.

Next year UK insurers are likely to be working on the implementation of operational resilience requirements.  There are lessons to be learnt from Covid-19.  But here’s a thought: if working from home is no longer the backup disaster recovery plan – it is the new normal – what is the new disaster recovery plan?

This post has been written by Isaac Alfon (Managing Director) and Shirley Beglinger (Advisory Board Member) at Crescendo Advisors.  

Crescendo Advisors (www.crescendo-erm.com) is a boutique risk management consultancy.  We would be happy to share an overview of the findings of this survey.  We can also support your efforts to both learn lessons from Covid-19 using the tools we developed for this survey and consider the implications of working from home arrangements for the risk and control environment.

Sunday, 14 June 2020

Delegating Decision Making to AI Tools – Choices and Consequences*


Sometimes when I hear about Artificial Intelligence (AI) tools it seems like it is all about the technical details of the model and the data, which is certainly very important. This post is about another important aspect: the operating model in which the AI tool will operate.

There are many aspects of such an operating model.  Some are practical, such as ensuring that the tools integrate with other parts of the business.   In this post, I am focusing on the delegation of decision making to the AI tool – the choices that exist in most cases and the implications for the control environment.  These are summarised in the figure below.

At one extreme of the delegation of decision making, you have AI tools that operate independently of human intervention.  An example is algorithmic trading, or an automated trading system, which trades without any human intervention in order to use the speed and data processing advantages that computers have over a human trader.  Interestingly, this also represents one of the few prescriptive examples of PRA intervention, where it requires that a human has the possibility of stopping the trading system.[1]

At the other end of the spectrum, there are AI tools used by experts in a professional environment.  For example, actuaries might use machine learning techniques to undertake experience analysis and support reserving work.

Between these two examples, you have AI tools that provide a forecast or recommendation for consideration by an analyst.  For example, the AI tool could provide a credit rating that validates a rating derived using more traditional methods.

Another middle of the road alternative is ‘management by exception’.  This means that the AI tools have a degree of autonomy to operate within a ‘norm’, which is inferred from historical data.  Cases that are outside the norm are then referred to an analyst for consideration to improve and verify the predictions. 
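The two control points described above, a human who can stop the tool and a ‘norm’ inferred from historical data outside which cases go to an analyst, can be illustrated in code.  The following is an added example, not code from the original post or from any tool it describes.  It assumes a toy credit-scoring tool whose historical scores are a constructed sample, infers the norm as the mean plus or minus two standard deviations (an assumed choice), decides in-norm cases automatically, refers out-of-norm cases to an analyst queue, and keeps an audit trail; a halt flag set by a named operator holds every case for human review regardless of score.

```python
"""Management-by-exception router with a human stop switch (added example)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample of scores the tool produced historically (not real data).
HISTORY: List[float] = [620, 640, 655, 660, 670, 680, 690, 700, 710, 725]


@dataclass
class Norm:
    """Band within which the tool is allowed to decide without human review."""
    lower: float
    upper: float

    def contains(self, value: float) -> bool:
        return self.lower <= value <= self.upper


def infer_norm(history: List[float], k: float = 2.0) -> Norm:
    """Infer the operating norm from history as mean +/- k standard deviations.

    The choice of k is an assumption of this example; in practice it is a
    business decision that sets how much autonomy the tool is given.
    """
    if len(history) < 2:
        raise ValueError("need at least two historical observations")
    mu, sigma = mean(history), pstdev(history)
    return Norm(lower=mu - k * sigma, upper=mu + k * sigma)


@dataclass
class ExceptionRouter:
    """Routes each case either to an automatic decision or to an analyst."""
    norm: Norm
    halted: bool = False                      # set by a human operator
    auto_decisions: List[Dict] = field(default_factory=list)
    analyst_queue: List[Dict] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def halt(self, operator: str) -> None:
        """Human stop switch: suspend all automated decisions."""
        self.halted = True
        self.audit_log.append(f"HALT by {operator}: automated decisions suspended")

    def route(self, case_id: str, score: float) -> str:
        """Return 'auto', 'analyst' or 'held' and record the outcome."""
        if self.halted:
            self.analyst_queue.append({"case": case_id, "score": score, "reason": "tool halted"})
            self.audit_log.append(f"{case_id}: held for analyst (tool halted)")
            return "held"
        if self.norm.contains(score):
            self.auto_decisions.append({"case": case_id, "score": score})
            self.audit_log.append(f"{case_id}: decided automatically, score {score:.1f} within norm")
            return "auto"
        self.analyst_queue.append({"case": case_id, "score": score, "reason": "outside norm"})
        self.audit_log.append(f"{case_id}: referred to analyst, score {score:.1f} outside norm")
        return "analyst"


def run_demo() -> Tuple[List[str], ExceptionRouter]:
    """Run four constructed cases through the router; the last one after a halt."""
    router = ExceptionRouter(norm=infer_norm(HISTORY))
    routes = [router.route("c1", 690), router.route("c2", 600), router.route("c3", 760)]
    router.halt("duty-analyst")            # assumed operator name
    routes.append(router.route("c4", 700))  # in norm, but held because halted
    return routes, router


if __name__ == "__main__":
    demo_routes, demo_router = run_demo()
    print(demo_routes)
    for entry in demo_router.audit_log:
        print(entry)
```

The audit log is what makes the delegation choice reviewable later: it records why each case was decided by the tool or by a person, and who stopped the tool and when.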

These are business choices and in turn have implications for the development process of AI tools.   You would expect controls around data and model documentation in all cases.  But broadly speaking you would also expect tighter control and more intense validation for AI tools that operate more independently of human intervention.  This includes the depth of understanding of the model, including:

  • explainability – why did the model do that;
  • transparency – how does the model work;
  • the impact on customers – e.g., the difference between Netflix recommendations and credit card underwriting.

The choices of operating model also have important implications for staff training.  Staff who operate AI tools that they were not involved in developing must be trained to the appropriate level to ensure that the AI tool operates effectively.  For example, where ‘management by exception’ is adopted, staff would need the appropriate knowledge and skills to deal with the exceptions.

There are important choices for the operating model into which AI tools are deployed.  These choices have risk management and control implications and these choices may change over time.  An AI tool might start operating in an advisory capacity.  As trust in the AI tool increases then the delegated decision making can be increased.

These implications and choices should be considered as part of the model design.

We hope you found this post of interest. You can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.



*  This post is based on my contribution to a virtual panel discussion organised by ActuarTech on AI Governance & Risk Management.

[1] Prudential Regulation Authority (PRA), Algorithmic trading, Supervisory Statement, 5/18, June 2018.


Saturday, 19 March 2016

‘Nudging’ Meets Enterprise Risk Management?


It is no exaggeration to say that behavioural economics has become mainstream.  With hindsight, this is not really surprising because the assumptions underpinning economic theory have always been regarded as just that: assumptions. 

The key innovation of behavioural economics is the identification of specific circumstances where there are systematic departures from rational decision making and the development of context-specific predictions of behaviour.  Broadly speaking, departures from rational decision making are referred to as ‘biases’ because outcomes are poorer than the optimal outcomes under rational conditions.  These biases may affect preferences, beliefs or decision making.   Box 1 below shows some common types of biases.

Box 1: Sample of Common Types of Biases Affecting Decision Making

Type: Preferences
Bias: Reference dependence
Description: Assessments are influenced by the reference point for the assessment ― typically the status quo ― or by a fear of losses.  Depending on the context, this can encourage either too much or too little risk taking.
Example of bias in consumer decision making: Purchase decisions are driven by alternatives or product features which are irrelevant to the consumer.

Type: Beliefs
Bias: Over-extrapolation
Description: Predictions are made on the basis of few observations believed to be representative, from which a real pattern or trend is inferred and, as a result, uncertainty is over- or under-estimated.
Example of bias in consumer decision making: The quality of financial advice is assessed on the basis of a few successful investments even if these could reflect pure luck.

Type: Decision making
Bias: Rules of thumb
Description: Decision making is simplified by adopting specific rules of thumb such as choosing the most familiar and avoiding the most ambiguous.
Example of bias in consumer decision making: Products at the top of a list or offered by large companies are selected.


Another innovation of behavioural economics is the notion that it is sometimes possible to address those biases, and thereby enhance outcomes, by making small changes to the environment ― hence the number of books about behavioural economics with the word ‘nudging’ in the title.  I have come across nudging considerations in terms of sales (e.g. how the default option affects customers’ choices) and in terms of public policy (e.g. the introduction of cooling-off periods in financial services). 

One of the key motivating aspects of enterprise risk management is its effectiveness.  This is not just a challenge concerning an outcome at a particular point in time.  The main aspect of the challenge is putting in place a process that drives enhanced effectiveness.  This is an aspect that has not escaped EU supervisors framing risk and capital requirements for banks and insurers in the EU, which require assessments of risk management effectiveness. 

So how could these two meet?  An assessment of risk management effectiveness could seek to identify behavioural biases that affect the management of risk across the business: for example, in terms of underwriting and investments.  Consider again the biases set out in Box 1: which ones could be relevant to risk management?  If we identify the biases that shape risk management, we can also assess their materiality and consider whether there are ways of addressing them through changes in the operating environment.  If you have any thoughts about how these biases, or others, could affect risk management, I would be very interested to hear them.

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Friday, 26 February 2016

Risk Reviews: Not 'a Bridge Too Far'


The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 

The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 

The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Monday, 21 December 2015

Out Outsourcing?


Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions, which will need to articulate how their oversight relates to the various companies.

2.  The outsourcing arrangements must be documented appropriately and in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include determining the different roles of people and teams probably sitting near each other.

3.  The legal form of the outsourcing provider does not matter.  A JV form that effectively provides an outsourcing activity should also be treated as outsourcing. 

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis but I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.

Monday, 16 November 2015

Risk Management Lessons From the Co-op Bank's Demise


One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 

One of the key points for the press was the regulators’ decision to waive any financial penalties, reflecting the financial condition of the Co-op Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers: 

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not an end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceased to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009. 

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and, while they may not be critical when taken individually or addressed within a short period of time, it is their cumulative impact that brought about the Co-op Bank's demise.    

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Friday, 27 February 2015

The Three Lines of Defence: An Enforcement Perspective


Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The articulation of the case looks at the performance of each line of defence and articulates the observed failures which provides a useful checklist.  

1. Weaknesses in the first line of defence 
  • unclear split of responsibilities between first and second line of defence 
  • failure to implement appropriate controls  
  • lack of system to capture the relevant information 
  • weaknesses in management information produced 
  • culture focused on performance together with performance management that often overlooked the importance of risk and controls  
2.  Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3.  Weaknesses in the third line of defence  
  • unclear process to accept the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
  • lack of testing of the closure of audit issues
Intuitively this characterisation of systems and controls around the three lines of defence is not new; in my view, rather, it is the explicit recognition in an enforcement case that is new.

You can subscribe to future posts here.

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Sunday, 28 September 2014

Pregnancy and 7 Lessons About Risk Management


When my wife was expecting our first son, it surprised me that most of the stories we heard about childbirth from other people involved something going wrong. At some point, we made a conscious decision to ‘switch off’ and ignore those stories.  I don’t really know whether our experience was representative.  

It strikes me that risk management appears a bit similar; it is easy to hear what went wrong.  Before I go any further, I admit my share of guilt for writing about risk management lessons from enforcement cases of the UK’s Financial Conduct Authority (here, here, here, here and here).  This post seeks to address that bias by sharing a paper about risk management success stories.

The paper is based on extensive field work with two companies outside financial services.  This makes it even more interesting for me because it removes the inevitable interaction with regulation in financial services.  

From the perspective of designing and implementing an ERM system, there are seven lessons I take from these success stories:

1.    The background of the CRO did not seem to matter.  In one case it was someone with a business background, and in the other case it was someone with a corporate background.  The common factor was the CRO’s determination from the outset to find a practical way of adding value to the business.

2.    Success seemed to be described by reference to the role of risk management in the preparation of the business plan.  The path to this involved in both cases a discrete deliverable, typically preparing and maintaining a business risk profile.

3.    Successful engagement of the risk function with the business was crucial. Needless to say, each CRO tailored it to reflect the business.  For example, one of the organisations was more project-focused, and there was more emphasis on risk assessment by business lines.

4.    It was important to develop a common risk language in an unobtrusive manner.   This could be in terms of controls and risk, impacts that reflect the various functional dimensions of the business or scenario planning.

5.    The risk function needed a degree of self-confidence.  This could be useful to start the risk assessment process, develop business-specific tools and encourage the business to take more risks where it is deemed appropriate to meet business objectives.

6.    Risk functions achieved a balance between being close to the business and being independent of the business. 

7.    An effective tone from the top was more helpful in terms of behaviours.  This is really about how CEOs interact with others and ask questions about risks as part of the usual scrutiny of initiatives.

I believe that I have come across most of these lessons in different contexts.  It is, however, interesting to see all of them together. 

If I had to single out one lesson from the above for financial services, I would choose the link to the annual business plan.  On a scale of 0 to 100, where 0 is no risk management involvement in the annual business plan and 100 represents the full integration of the risk management in the annual business process, what would be the score for your organisation?  


More importantly, what would be your target score for the medium term?  What would that mean in terms of different activities?  What would you need to persuade your CEO to accept that involvement?   

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts at http://crescendo-erm.blogspot.co.uk.



Saturday, 15 February 2014

The Piano, FCA Enforcement and Lloyds TSB, Halifax and Bank of Scotland


I heard once that you can’t learn music from the noise that a grand-piano makes when you drop it down a staircase.  Alas, we should be able to learn something about risk management from the FCA’s enforcement notices.  That’s one of my ambitions for 2014. 

I am starting with the FCA’s enforcement action on Lloyds TSB, Halifax and Bank of Scotland announced on 10th December 2013 (here – all references are from this document).  The case relates to the lack of appropriate controls around financial incentives to advisers in branches.   

The FCA clarifies at the outset that there is nothing in the rules against “[incentivising] staff to sell a particular product” provided that a firm’s “systems and controls are sufficiently robust and sophisticated to mitigate effectively the risk of any adverse impact the incentives may have on staff behaviour”.

It is therefore not entirely surprising that the FCA articulates in detail the specific features of the remuneration system that added to the risk of consumer detriment, including

1.       variable basic salaries;
2.       bonus thresholds with disproportionate effects for marginal sales;
3.       uncapped bonuses; and
4.       advanced bonus payments that could result in advisers being in debt. 

The FCA makes an interesting comment about the sophistication of the performance reward and the concern that senior management did not appreciate the potential consequences.  “The root cause of these deficiencies was the collective failure of the Firms’ senior management to identify sufficiently remuneration and incentives given to advisers as a key area of risks.” 

I was puzzled as to why this could happen.  Here are my own explanations from reading the details of the case.

1.     The complexity of the system makes it challenging to understand its incentive properties.  It seems that the system involved: (a) translating premium and product features into “points” (see example on page 15); (b) checking against target “points” monthly and on a rolling three-month basis; and (c) translating points into pounds.  Inferring the incentive properties and potential product bias would not have been straightforward for busy executives. 

2.      A possible misunderstanding of the incentive properties of headline bonuses.  In some cases, the incentives could be small in absolute terms, e.g. £5,000 over a year if monthly targets were consistently met.  However, I wonder if there was an appreciation of the impact on behaviour for someone on a £33k salary (mid-tier adviser, para 4.29).  Indeed, the FCA says that the relevant governance committee “only considered the [remuneration] schemes at a high level” (para 4.104(1)).

Given that, it is not surprising that these performance incentives were not backed by appropriate controls.  In particular, it is not surprising that quality controls such as file reviews focused on sales that were regarded as ‘high risk’ by reference to the customer rather than the adviser’s profile or track record. 

There are also two interesting comments in the enforcement notice about controls. 

1.       The main failure was not the absence of controls but the lack of appropriate linkages between relevant controls.  In particular, while there were certain quality assessments of sales, advisers could receive their bonuses even if issues had been identified.

2.       “The large number of people involved in the process [of governance over the incentive schemes] and the fragmented nature of the controls.” 

This is a good illustration of the observation that the main challenge of risk management is to apply the appropriate “top down” vision and strategy.  In its absence, plenty of activity and resources, leading to potential complexity, will be expended, as evidenced here, but with limited effectiveness.  In this case, the fine was £28m, which excludes remediation costs, compensation and management time.