
Wednesday, 9 September 2020

Lessons Learnt from Covid-19 ... or Not?

Covid-19 is a health crisis, a business crisis and an economic crisis which has struck the insurance industry hard.

Claims spiked in some areas while volatile financial markets made it almost impossible to steer the investment portfolio, and lockdown measures kept staff at home while they struggled to cope with surging call and claim volumes. Meanwhile, there is vocal pressure from some quarters for a “flexible” approach to claims, where “flexible” is shorthand for dishing out large amounts of money for claims which may or may not be covered.

How has the industry coped, and what lessons has it learned?

To answer that question, Crescendo Advisors carried out a series of structured interviews with a selection of risk and finance professionals from insurance firms. Most of the firms were UK based, with an aggregate turnover of £120 billion in 2019.

Although the firms varied in size and portfolio mix, there was a high degree of consensus in their opinions. Here are Crescendo’s top five findings and conclusions:

  • While most UK firms have weathered the crisis to date, it appears that few did so as laid out in their pre-Covid-19 business continuity planning.  Business continuity plans usually assumed local outbreaks and had to be re-created in the face of a total and global shutdown.
  • All firms who viewed their lockdown experience as ‘successful’ attributed that to excellent, ongoing communication from senior management to all stakeholders;
  • The traditional hostility to staff working from home has changed from “not possible” to “why not?”. Going forward firms expect staff to continue working at least part-time from home, and hence plan on reductions in their office footprint;
  • As remote working and virtual teams have become the post-Covid vogue, the purpose and value of The Office is being critically re-evaluated. It may still be the best place for meetings and staff onboarding, but do we really need all those desks crowded together?
  • With staff working remotely, the cost-benefit dynamic of outsourcing could be changed so that firms will find it beneficial and desirable to bring activities back in-house.

Interestingly, while most participants anticipated the need for a lessons learnt exercise, only one of them acknowledged at the time that his firm was already kicking off such an exercise.

Are insurers perhaps being complacent? They had six weeks to prepare for lockdown and they put the time to good use. By the time staff were required to stay home, many did so with newly acquired laptops and secure connections. The main limitations on productivity came from the lack of suitable home office facilities or from inadequate broadband speeds. The show stayed on the road with remarkably few wobbles.

Next year UK insurers are likely to work on the implementation of operational resilience requirements.  There are lessons to be learnt from Covid-19.  But here’s a thought: if working from home is no longer the backup disaster recovery plan – it is the new normal – what is the new disaster recovery plan?

This post has been written by Isaac Alfon (Managing Director) and Shirley Beglinger (Advisory Board Member) at Crescendo Advisors.  

Crescendo Advisors (www.crescendo-erm.com) is a boutique risk management consultancy.  We would be happy to share an overview of the findings of this survey.  We can also support your efforts to both learn lessons from Covid-19 using the tools we developed for this survey and consider the implications of working from home arrangements for the risk and control environment.

Wednesday, 26 February 2020

Good risk management is not just about good ideas



One might say that this is stating the obvious and that it is understood that implementation also matters.  A recent FCA enforcement case against Moneybarn would suggest that it is not so obvious after all.

Moneybarn is a lender that provides motor finance for used vehicles to ‘non-standard’ customers.[1] The case against them related to the regulatory expectations for treatment of and communication to customers that fall into financial difficulties, i.e. the exercise and communication of appropriate forbearance by the lender.  Here, we seek to tease out the implications of this case for the risk management activities of FCA regulated business.

1.  Appropriate policy design

As one would expect, policies need to cover the appropriate ground.  This can include articulating the appropriate range of options (in this case, for customer forbearance and resolution), the considerations that would be taken into account and the governance that would apply to different options.

It is worth noting that in this enforcement case, it appears that the FCA had no obvious concerns about the relevant policies and procedures reviewed.  

2.  Implementation

The challenge is how these policies and procedures are translated in the business, e.g. whether the call scripts are consistent with the policies.  In some cases, this means that calls would be far from “linear”.  Customer service agents will have to consider a range of options and guide the customer.  This would have implications for training and tools available for customer service agents.

The FCA notes that “from the review of the sample the use of any other forbearance options”, other than clearing their arrears over a short period of time, “despite the fact that policies and procedures referred to other available options”.   

3.  Monitoring and assurance

There is usually a combination of first line monitoring and oversight by 2nd and 3rd line functions.  To some extent, who provides assurance becomes less important than whether assurance is provided.

It is important to recognise that assurance should be provided about the processes and about the outcomes.  Where the nature of the issue involves considering customers’ individual circumstances in response to financial difficulties, then it is important to evidence that the range of options set out in the policy have been delivered.   This is more challenging to monitor than following a process. 

It is interesting that in this enforcement note there are no references to assurance or to the role of 2nd and 3rd line functions.

4.  Regulatory relationship management

The FCA’s initial engagement starts with a seemingly low-profile review of a “limited number” of files and call records leading to a visit in July 2016 to assess forbearance and termination practices.  There were then several interactions with the FCA in September 2016 and January 2017, leading to a formal request for imposition of a requirement in June 2017 and eventually enforcement action.  One must wonder if a more proactive engagement with the FCA would have prevented the escalation to enforcement.

It is usually noted that proactive engagement with the FCA and the issues raised would have been expensive.  Hindsight may be a powerful tool but it is not clear that the cost of the proactive engagement would have been unlikely to exceed the enforcement costs, which ended up being very substantial – the fine of £2.7m, the impact on senior management’s time, and the £30.3m of compensation paid to customers potentially affected by these failings. 

This post is part of the materials discussed in episode 3 of RegNut Podcast.  If you found this post of interest, subscribe to RegNut.  You can also subscribe to the blog and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.






[1] Non-standard customers are those that cannot access finance from mainstream lenders because they have a poor or no credit history or past problems with credit due to unemployment, ill health or other adverse events.

Thursday, 1 August 2019

ERM in Three Lines*



One of the challenges with enterprise risk management (ERM) is how much is written on the subject.  I find it useful to identify the key components.  This provides a structure to sort out the detailed views and comments, though it is also more than that. If you are a busy CRO or senior risk leader, identifying the key components enables you to take stock and think about challenges and improvements that may be relevant to your priorities. 

Here is an attempt to sum up ERM and provide that clarity in three headlines.

1.  A vision of the ERM purpose

My preference for financial services is ‘protect and enable’. This highlights that risk management is more than just about avoiding the downside; it is about how risk management supports decision making, including the role of the CRO in that decision making. (More on ‘protect and enable’ and different views from practitioners shared on Crescendo Advisors’ blog are available here.)

2.  An articulation of how to deliver and embed ERM in the business

This is your ERM framework, roles and responsibilities, policies, and risk appetite. They must provide the right balance between the level of detail and clarity to create a durable product and support business implementation.

3.  Evidence of the outcomes of vision and articulation of ERM (1 and 2 above)

This is the outcome of the ERM, i.e. the assurance that is provided to the Board. This means that a feedback mechanism that supports improvement is in place. This is partly about risk or thematic reviews, but it also represents a wider perspective that involves 1st line and 3rd line as well. I also find that focusing on assurance is more ‘real’ than a discussion on the extent to which processes are implemented or embedded.

At the risk of oversimplifying, here is my own take on the UK insurance business position on these three aspects:
  • The articulation of the ERM vision is progressing but there is still work to be done. There is a sense that, broadly speaking, people operate according to the ‘protect and enable’ vision without articulating it as clearly as it could be.  
  • Good progress has been made articulating how to deliver and embed ERM in businesses; all businesses have ERM frameworks and policies in place.  Some are considering external reviews after the frameworks have been in place for some time.  
  • The biggest challenge ahead is evidencing ERM implementation and providing structured assurance to the Board about ERM expectations. This is a challenge for the risk management function (risk reviews?), first line (business and control reviews?) and internal audit (coordinate with first and second line?).  Please get in touch if you want to receive a paper with initial thoughts on this challenge.

Do you agree with these views about the insurance sector in the UK? How about banking and asset management? How is this seen in other countries?

*  No pun intended about the three lines of defence.


Monday, 25 June 2018

An FCA Enforcement Case Or an Example of Board Maturity?


The FCA issued an enforcement action recently against the CEO of Barclays as a result of the CEO’s attempt to identify a whistle-blower.  (Click here for the FCA enforcement notice and here for a short summary of the facts of the case.) There have been impassioned comments about the appropriateness of the FCA’s response, i.e. a fine imposed on the CEO. However, I would like to focus on something else.

One of the most revealing aspects of FCA enforcement cases is how the issue comes to the FCA’s attention. Typically, FCA supervision or thematic work would identify serious shortcomings in a firm that lead to enforcement action. This one was rather interesting because there was none of that. 

There was an internal investigation of the anonymous letters by Group Compliance which was formally closed on 9 January 2017. The FCA explained that “early in 2017”, the Board became aware of the CEO’s attempt to identify the whistle-blower and that after conducting its own investigation, the Board decided to refer the CEO to the FCA. Can you imagine this ten or twenty years ago? Unlikely, I would say.

There are a number of interpretations one could advance. However, I am inclined to see this as evidence of the significant progress made in corporate governance in recent years and of the maturity boards can achieve in the appropriate environment. I can guess that it may not have been easy for Barclays’ board to refer the CEO to the regulator, but who said that being a board director would be easy?



Wednesday, 4 April 2018

Conflicts of Interest: Connecting Enforcement and Supervision



The FCA announced enforcement action against a commercial broker and a fine of £4 million in late 2017 as a result of failures associated with the broker’s management of conflicts of interest. The details of the case are here.

Conflicts of interest can be anywhere, and firms are well aware of that. However, there is a qualitative difference between the conflict of interest that an individual might have with, say, a supplier, and what the FCA identifies as an ‘inherent conflict of interest’ in the business model or ownership structure. This is the risk that commercial intermediaries must manage.[1] It is not static, and it changes as intermediaries take up other activities where they act as an agent of the insurer.

The FCA has also undertaken a thematic review of commercial insurance intermediaries focusing on this issue. (It published the results in 2014 here.) The FCA evidence included a survey of small and medium enterprises (SMEs).[2] This suggests that many SME customers do not fully understand the intermediary’s role and how it may have changed in recent years. For example, four of five SME customers expect an intermediary to get quotes from two insurers, which is not consistent with how intermediaries operate, in particular for micro SME customers (fewer than nine employees).

There are wider messages from this enforcement action for the practical management of inherent conflicts of interest. To begin with, there should be a regular process to identify conflicts of interest.  This might be challenging but following the sources of revenue would enable a robust identification of conflicts and of the impact of changes in the business model.

While a policy on conflict of interest is a regulatory requirement, it needs to be comprehensive enough to enable staff in the business to actually manage conflicts of interest. This would require specific guidance articulating how to deal with customers, including what information to collect, what checks to undertake, and the production of meaningful management information.

Business arrangements such as ‘preferred facilities’ are not ruled out but must be managed and monitored carefully, taking into account links to brokers’ remuneration, how the firm presents itself to SMEs, the existence of ‘Chinese walls’ and customers’ (probably limited) understanding of the intermediary’s role.

Any quality reviews by the first line should be designed with a view to overseeing how inherent conflicts of interest have been identified, managed and mitigated. The process should be risk based, i.e. always applying the same degree of checks to all brokers is unlikely to be appropriate.

Last but not least, as ever, culture is a factor. If statements from senior management do not recognise and support the need to manage inherent conflicts of interest, don’t expect much of the above to be in place.

The FCA will usually say something about how the case was discovered, by either supervisory activity or internal review. I was puzzled that the FCA was rather vague on this occasion. On reflection, I suspect (but cannot be certain) that there may be a dependency with the FCA’s thematic review on conflicts of interest mentioned earlier. If that’s the case, it is useful for firms to understand the potential consequences of being unprepared for a thematic review when invited to participate.




[1] This risk is not exclusive to commercial intermediaries. It exists in other parts of financial services and has also been covered in other FCA enforcement activities.
[2] Businesses with fewer than 250 employees.

Monday, 21 December 2015

Out Outsourcing?


Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions which will also need to articulate how their oversight relates to the various companies.

2.  The outsourcing arrangements are documented appropriately in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include determining the different roles of people and teams probably sitting near each other.

3.  The legal form of the outsourcing provider does not matter.  A JV form that effectively provides an outsourcing activity should also be treated as outsourcing. 

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.

Monday, 16 November 2015

Risk Management Lessons From the Co-op Bank's Demise


One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 
One of the key points for the press was the regulators’ decision to waive any financial penalties, reflecting the financial conditions of the Co-op Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers:

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not an end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceased to be a wholly owned subsidiary of the Co-op Group.  I don’t think the shortcomings just materialised in July 2009.

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and while they may not be critical when taken individually or addressed within a short period of time, it is the cumulative impact that had the effect of bringing about the Co-op Bank's demise.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Monday, 31 August 2015

Capital Markets, Financial Crisis and ‘Diversions’


Sometimes the same word can have different meanings in different languages.  One example is 'diversion'.  In English it typically means a different way.  However, in Spanish 'diversion' means having fun.  I guess that when you take a different way, it can be fun.

Once upon a time, I spent time assessing the efficiency of UK equity markets.  The key idea was that if markets are efficient and there is no manipulation (e.g. information leakage), then we should be able to use the logic of event studies and test that there are no abnormal equity price movements before a corporate announcement.  I moved on, and the initial work was eventually carried out.  It was published by the FSA (here) and as far as I can recall, it made it as far as the front page of the Financial Times.

I thought that it would be a good diversion from my current activities to read something about capital markets.  I came across an interesting paper on market efficiency published in Institutional Investor (here).  The paper was written in the wake of the award of the 2013 Nobel Prize in Economics to three economists, including Eugene F. Fama and Robert J. Shiller.  What made the award interesting is that it recognises the challenges of assessing efficient markets; Fama pioneered the notion of efficient capital markets and Shiller has challenged it.  (The third Nobel laureate was Lars Peter Hansen who, as I understand it, deserves it for his work on the maths of finance.)

The paper is an interesting tour of many years of research by the authors – applied and academic.  It explains in simple language the ‘joint hypotheses’, i.e. the need to test jointly the assumption of efficient capital markets with an equilibrium pricing model, usually the capital asset pricing model (CAPM), and the potential implications, e.g. the market may be efficient but assets may not be priced according to the CAPM.

The paper also provides a clear articulation of the challenges to the efficient market hypotheses.  One of the responses is to test alternatives to the CAPM model, e.g. momentum strategies.  One of them is that there are behavioural biases, e.g. investors overreact to both good news and bad news, and capital markets are not efficient.  Overall, the authors come out in favour of efficient markets, ‘at least as the base case’, without committing to a view that markets are ‘perfectly efficient’.  One of the implications of less than perfect efficiency of capital markets is that market arrangements, including regulation, matter to some degree.

In my view, the best point made in the article is the consideration of the link between belief in market efficiency – ‘market fundamentalism’ – and the recent (or ongoing) financial crisis.  As the authors put it, financial crises are not created by someone buying something that he thinks is a fair deal in an efficient market.  Financial crises are created by people that think that markets are inefficient, i.e. an impossibly good deal is available and will continue to be available.   


Monday, 6 July 2015

Is the Governance Map Also the Territory?

One of the financial crisis’s lessons for regulators has been discovering the ‘accountability firewall’ of collective responsibility which prevents actions against individuals even if they are approved for specific roles.  This was one of the lessons from the UK Parliamentary Commission on Banking Standards from 2013.

UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurance.  The UK has had a regime of approved persons for some time.  The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management.  For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them.  It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’.   As with all good ideas, it is simple.  The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.  

The list of responsibilities is long.  For example, the list for insurers is as follows:
1.  ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;
2.  leading the development of the firm’s culture and standards;
3.  embedding the firm’s culture and standards in its day-to-day management;
4.  production and integrity of the firm’s financial information and regulatory reporting;
5.  allocation and maintenance of the firm’s capital and liquidity;
6.  development and maintenance of the firm’s business model;
7.  performance of the firm’s Own Risk and Solvency Assessment (ORSA);
8.  induction, training and professional development for all the firm’s key function holders;
9.  maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;
10.  oversight of the firm’s remuneration policies and practices.

For banks, there is no direct equivalent to 7 even if there is an ICAAP.   However, the list includes the following additional responsibilities:
1.  funding is also mentioned in 5. above as well as an additional responsibility in respect of the bank’s treasury management functions;
2.  developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;
3.  managing the firm’s internal stress-tests and ensuring the accuracy and timeliness of information provided to the PRA and other regulatory bodies for the purpose of stress testing;
4.  safeguarding the independence of and overseeing the performance of the compliance function, internal audit and risk function respectively; these are three different responsibilities.

There are some interesting differences between banking and insurance.

The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach.  In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area. 

Firms’ senior managers will spend time discussing the mapping of responsibilities.  This may well be the easy part.  Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.  For some responsibilities there will be processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA.  In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken.  What should be done to prove that ‘firm’s culture and standards’ are developed and embedded?


Tuesday, 14 April 2015

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However, the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than it seems.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Monday, 16 March 2015

Stress Testing: Reporting or ‘So What’?


The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.   
Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises. 
In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them. 
There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reductions in costs and dividends.  Furthermore, the BoE clarified that they did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impacts, specifically no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.
In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?
A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

|         | ‘Internal’ | ‘External’ / BoE |
|---------|------------|------------------|
| Purpose | Identifying vulnerabilities and addressing them | Evidencing overall resilience |
| Focus   | Lines of business/ business units | Enterprise wide |

Given the BoE’s intention to continue stress testing and make it an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing.
Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis. 
Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation which would be reflected in the next stress testing for the BoE.
In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.



Saturday, 28 February 2015

The European Commission’s Impact Assessment of Solvency II: Some Useful Points


The European Commission recently published a draft of the Solvency II ‘implementing measures’.  The ‘implementing measures’ expand on the requirements set out in the Solvency II directive.  Alongside the ‘implementing measures’, the European Commission also published a draft impact assessment.  This is one of the many procedural requirements that apply to the policy-making process in the Commission.

I thought it would be interesting to review the impact assessment.  As a user, I want to consider the extent to which the impact assessment can help me to understand Solvency II. 

What did I learn from this exercise?

1.    The importance of objectives in the EU policy-making process

The impact analysis is structured around a definition of problems that the policy making will address.  During the discussions about the directive, these objectives were enhancing policyholders’ protection and the integration of insurance markets in the EU. 

The Commission’s impact analysis acknowledges that there is now a third objective that has been taken into account: fostering growth and recovery in Europe by promoting long-term investment.  In the case of insurance, the main challenges that arise relate to the low interest rate environment and the volatility of asset prices. 

2.    A useful summary of how the calibration of asset risk has evolved

The third objective mentioned above has shaped the structure and calibration of capital requirements for asset risk, which have evolved over a number of years.  However, it is not easy to see the end product succinctly, because the answer is set out over a number of articles in the implementing measures.  Surprisingly, this can be summarised in a simple table (below).



3.    The scope of impact analysis remains a tricky issue

The Commission seems to have overcome the challenge of undertaking an impact analysis that seeks to cover the impact of all rules.  The Commission states,

“The options assessed have been selected to cover the most important and representative issues from each of the three pillars of Solvency II and each of the areas of the objectives and problem trees. The areas that are merely technical, have been settled in the Directive or are uncontroversial are not assessed in detail …”

This is reasonable and can result in a more productive use of scarce analytical resources but it can also have unintended consequences.  As far as I can see, the impact analysis did not cover the treatment of long-term guarantees.  I am frankly not sure if this is because it was settled in the Directive or because it turned out to be uncontroversial.

4.    The relative priorities of the Commission: the importance of reducing over-reliance on ratings

The concern about over-reliance on ratings is not new if you have been following the development of Solvency II.  However, given the breadth of Solvency II and the focused impact assessment, I found it surprising that the Commission went out of its way to include a full two-page annex summarising the requirements aimed at reducing reliance on external ratings in the risk management of insurance “such as

          ▪ external ratings shall not prevail in risk management;
          ▪ as part of their investment risk management policy, insurers and reinsurers should have their own assessment of all counterparties;
          ▪ as part of their reinsurance (or other risk mitigation techniques) policy, insurers and reinsurers should have their own assessment of all counterparties.”

5.    And finally, a puzzle about policy making

The Commission’s impact assessment notes that one of the issues that emerged from the QIS5 was the application of a limit to the amount of Tier 2 capital (i.e. debt) that would be allowed.  This issue has remained unclear since then. 

Interestingly, if all you read is the relevant section of the impact analysis on pages 38 to 46 which also summarises EIOPA’s recommendations, you could be forgiven for thinking that the limit would not apply.  It is only the summary on pages 50 to 51 that suggested that I might need to reconsider my initial views.  Indeed, the draft implementing measures clarify that the sum of Tier 2 and Tier 3 capital must not exceed 50% of the SCR, which is an interesting development. 

This illustrates one of the key operational challenges of impact analysis: the need to keep up with the policy.

This was a selective but nonetheless in-depth reading of the impact assessment.  Have you read the impact assessment?  Did you learn any useful points from it?
