Showing posts with label risk appetite. Show all posts

Thursday, 1 August 2019

ERM in Three Lines*



One of the challenges with enterprise risk management (ERM) is how much is written on the subject.  I find it useful to identify the key components.  This provides a structure to sort out the detailed views and comments, though it is also more than that. If you are a busy CRO or senior risk leader, identifying the key components enables you to take stock and think about challenges and improvements that may be relevant to your priorities. 

Here is an attempt to sum up ERM and provide that clarity in three headlines.

1. A vision of the ERM purpose

My preference for financial services is ‘protect and enable’. This highlights that risk management is more than just about avoiding the downside; it is about how risk management supports decision making, including the role of the CRO in that decision making. (More on ‘protect and enable’ and different views from practitioners shared on Crescendo Advisors’ blog are available here.)

2. An articulation of how to deliver and embed ERM in the business

This is your ERM framework, roles and responsibilities, policies, and risk appetite. They must provide the right balance between the level of detail and clarity to create a durable product and support business implementation.

3. Evidence of the outcomes of vision and articulation of ERM (1 and 2 above)

This is the outcome of the ERM, i.e. the assurance that is provided to the Board. This means that a feedback mechanism that supports improvement is in place. This is partly about risk or thematic reviews, but it also represents a wider perspective that involves 1st line and 3rd line as well. I also find that focusing on assurance is more ‘real’ than a discussion on the extent to which processes are implemented or embedded.

At the risk of oversimplifying, here is my own take on the UK insurance business position on these three aspects:
  • The articulation of the ERM vision is progressing but there is still work to be done. There is a sense that, broadly speaking, people operate according to the ‘protect and enable’ vision without articulating it as clearly as it could be.  
  • Good progress has been made articulating how to deliver and embed ERM in businesses; all businesses have ERM frameworks and policies in place.  Some are considering external reviews after the frameworks have been in place for some time.  
  • The biggest challenge ahead is evidencing ERM implementation and providing structured assurance to the Board about ERM expectations. This is a challenge for the risk management function (risk reviews?), first line (business and control reviews?) and internal audit (coordinate with first and second line?).  Please get in touch if you want to receive a paper with initial thoughts on this challenge.

Do you agree with these views about the insurance sector in the UK? How about banking and asset management? How is this seen in other countries?

*  No pun intended about the three lines of defence.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.

Monday, 29 April 2019

The Curse of Risk Appetite



In this post, I go back to one of the fundamental aspects of an ERM framework: risk appetite. ‘The Curse of Risk Appetite’ is part of the title of an interesting paper reviewing the misuses of risk appetite.[1] Some of the misuses described in the paper might sound familiar, but perhaps the key point to take away from the paper is that there is a potential for risk appetite to become synonymous with ‘a consideration of risk’. I am not sure this was ever the intention. 

The paper includes several useful suggestions to enhance risk appetite. They are focused on the long-run value of the firm and on the structure of risk appetite statements, reflecting a view that risk is the likelihood of falling below critical levels of performance. However, my attention was really caught by the authors’ suggestion to improve the organisational process for risk management. They suggest that a risk function’s role should be defined to include responsibility for evaluating the combined effect of strategic initiatives and capital budgeting on the firm’s overall risk profile.

On one level, this prescription is consistent with the view that the aim of the risk function should be to ‘protect and enable’, with the emphasis on the ‘enable’ aspect which sometimes gets overshadowed by ‘protect’. I am attracted to this suggestion because it turns a vision into a practical requirement that can be incorporated into an articulation of roles and responsibilities for a CRO or risk function. 

If, however, this was implemented literally in UK financial services, I suspect there would be an issue with regulators’ expectation about the independence of the risk function (second line of defence) from the business (first line). 

A similar outcome could be reached by clarifying that the role of the CRO/risk function includes providing a risk opinion in the early stages of the consideration of major strategic initiatives that have the potential to alter the business’s risk profile. The emphasis on timing is important. Providing a risk opinion only when major strategic initiatives are presented for approval is unlikely to add value. A CRO/risk function opinion in the early stages is likely to support consideration of the details of the initiatives and how they can be shaped to strike the appropriate balance between risk and return.





[1] Alviniussen, Alf and Jankensgård, Håkan, The Risk-Return Tradeoff: A Six-Step Guide to Ending the Curse of Risk Appetite (May 7, 2018). 

Monday, 16 November 2015

Risk Management Lessons From the Co-op Bank's Demise


One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 
One of the key points for the press was the regulators’ decision to waive any financial penalties, reflecting the financial conditions of the Co-op Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers:

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not an end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceased to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009.

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and while they may not be critical when taken individually or addressed within a short period of time, it is the cumulative impact that had the effect of bringing about the Co-op Bank's demise.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Sunday, 28 June 2015

Securitisations and Solvency II: An opportunity? Or one to be missed?


To put it mildly, securitisations did not get a good reputation as a result of the financial crisis.  Things are now changing.   This is illustrated well in a discussion paper from the Bank of England and the European Central Bank extolling the virtues of securitisations (here).    It is difficult to disagree with the key message; securitisations can be win-win transactions that enhance the ability to redistribute risks more efficiently in the economy while enabling institutional investors to access a wider pool of investment.

The Solvency II Delegated Acts (‘implementing measures’) built up a more favourable capital treatment for securitisations.  It is now recognised as a category of its own for the purposes of spread risk.  This evolution can be evidenced in the Commission’s Impact Analysis published at the time of the publication of the draft Delegated Acts (here).  As recognised in the Delegated Acts, this even includes recognising the name ‘securitisation’ instead of the name used in the Solvency II Directive in 2009: ‘investment in tradable securities or other financial instruments based on repackaged loans’.

As one would expect, the calibration of the standard formula spread risk for securitisation reflects the maturity of the exposure and its credit rating.  However, there is an interesting innovation.  The Delegated Acts identify two types of securitisation exposures: ‘good’ and ‘bad’, or in policy terms, type 1 and type 2.  The criteria are set out in the Delegated Acts and are quite detailed.  

Exposures of type 1 must meet 20 conditions including a rating of ‘BBB’ or above, the seniority of the exposure in the securitisation, SPV arrangements, listing in an OECD or EU exchange, and backing by residential loans, commercial loans or auto loans and leases.   The list of conditions is somewhat shorter for securitisations that were issued before the Delegated Acts came into force. Type 2 securitisations are simply those not meeting these criteria.  

Figure 1 shows the significant difference that meeting the conditions for type 1 makes to the capital charges.  It is noticeably a more important consideration than the rating or maturity of the exposure.


Figure 2 shows an alternative view of the spread risk capital requirements for type 1 securitisations compared against the equivalent ones for corporate bonds of equivalent ratings.   The differences aren’t that large, in particular for short maturities.


All this raises a number of interesting considerations for an insurer’s capital management strategy. 

Firstly, there may be tactical adjustments where insurers find that they are holding type 2 securitisation paper as part of the Solvency II implementation work.  In this case, the insurers may seek to dispose of these investments before 1 Jan 2016 to avoid the capital increases that Figure 1 suggests.  However, given insurers’ relatively small holdings of securitisations, this may not be a material issue.

The bigger issue is the extent to which there is an appetite to consider the capital treatment of type 1 securitisation as a more strategic opportunity and readjust investment strategies.  Indeed, would it be possible to do so before 1 Jan 2016 to enhance the matching of cash flows of annuity liabilities and subject to Matching Adjustment? 

In any event, Figure 2 above suggests that there may be an interesting question about the risk and return trade-off of corporate bonds versus type 1 securitisations.  Would the returns from securitisations be sufficiently higher to justify the additional capital requirements?  Figure 2 suggests that for low maturities, e.g. up to 7 to 10 years, this could be finely balanced in particular for ‘BBB’ bonds.  If so, would insurers be willing to tilt their investment strategies to include more type 1 securitisation?  The answer to this question requires appropriate consideration, cash-flow matching including risk appetite, stress testing and governance.   

However, even if the risk and return trade-off mentioned above appears appropriate, it seems that there may be a limited supply of type 1 securitisations.  If so, there would be a limited opportunity for insurers in the short to medium term.  This would be more of an opportunity for investment banks to structure securitisation transactions.

This post is part of a series of posts on Solvency II.  To see the list, click here


Sunday, 19 April 2015

Creating Your Own Risk Wave

During a recent family vacation, I had the opportunity to watch something unusual in the Mediterranean Sea.  The sea was rough and I saw people surfing at a beach where one usually sees children paddling.  There were about twenty surfers in the sea waiting for a wave.  When a wave came, a few would successfully ride it.  Then they had to paddle back to the ‘line’ and wait for the next wave.

It reminded me of blogging (in general, not just this one).  You start by identifying a number of ideas, like the surfer’s positioning to wait for a wave.  You develop one of them into a post and publish it.  You then need to start all over again, like the surfers paddling back out to sea after they have caught a wave.  As with surfing (I guess) that’s the fun of it.

But it also reminded me of risk management: you implement an enterprise risk management (ERM) system, then wait for the events (or the wave) which will come sooner or later and learn about the effectiveness of ERM implementation. 

It occurred to me that the differences between surfing and risk management are more revealing.  Firstly, surfers look for the best opportunity to ride a wave.  Risk management, on the other hand, usually aims to protect a business franchise rather than embrace risk taking. But see this post for an alternative view.

Secondly, the existence of a back book in banking and insurance means that there is not an obvious notion of going back to the beginning as there is in surfing and paddling back out to sea.  

Finally, building up a banking or insurance back book, or acquiring one, involves more choice than a surfer has in choosing a wave.  Indeed, it may be the equivalent of creating your own wave.  In some cases, it would be a wave of longevity risks.  In other cases, it would be a wave of ‘interest rate risk mismatch’. 

So next time you happen to see a surfer, think like one of them and consider how risk management can help your business thrive.  But also remember that if surfers have dreams, they probably dream of creating their own wave.



Tuesday, 31 March 2015

Losses Are Not Failures of Risk Management



Well, not necessarily.  But we need to remind ourselves and our stakeholders that that’s really the point.  Losses will happen with certain regularity.  This is the message of a risk appetite system where the limits are calibrated to a 1-in-10 chance over a one-year horizon.   Whether the implications are really appreciated is a different point.

A paper by Rene Stulz (here) is a good reminder that losses may not represent a failure of risk management.  This is particularly the case where “managers [know] exactly the risks they faced―and they decided to take them.  Therefore there is no sense in which risk management failed”.  He goes on further to say that “deciding whether to take a known risk is not a decision for risk managers.  The decision depends on the risk appetite of an institution.” 

This is consistent with the practitioner’s view as expressed by James Tufts, Group CRO of Guardian Financial Services, in a guest post in this blog: “[T]he objective of the ‘Risk Function’ should not be ‘risk management’.  That’s a business objective.  The objective of the ‘Risk Function’ is to provide the ERM [Enterprise Risk Management] framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.”

There may be risk management failures nevertheless and Stulz’s paper goes on to provide a useful classification:
  1. Mismeasurement of known risks  
  2. Failure to take risks into account 
  3. Failure in communicating the risks to top management 
  4. Failure in monitoring risks 
  5. Failure in managing risks 
  6. Failure to use appropriate risk metrics

I find these categories rather intuitive and I wonder how they can be used in practice.  There is an increasing regulatory expectation of formal assessment of the effectiveness of risk management and these categories could usefully feed into that process in two complementary ways.

Firstly, banks and insurers track a range of risk events/incidents.  It would be useful to consider if reported incidents fall into any of the above categories.  Alternatively they may be consistent with risk appetite.

Secondly, insurers and banks using an internal model are expected to use it to support a profit and loss attribution.  This means explaining actual profits and losses by reference to the output of the internal model and the risk categories considered.  It would be interesting to consider if the losses arise from changes in values consistent with risk appetite or any of the reasons set out above. 

The above might seem a simple idea but learning from failures, or risk management failures in this case, is usually anything but a simple idea.
