Saturday, 28 February 2015

The European Commission’s Impact Assessment of Solvency II: Some Useful Points


The European Commission recently published a draft of the Solvency II ‘implementing measures’.  The ‘implementing measures’ expand on the requirements set out in the Solvency II directive.  Alongside the ‘implementing measures’, the European Commission also published a draft impact assessment.  This is one of the many procedural requirements that apply to the policy-making process in the Commission. 

I thought it would be interesting to review the impact assessment.  As a user, I want to consider the extent to which the impact assessment can help me to understand Solvency II. 

What did I learn from this exercise?

1.    The importance of objectives in the EU policy-making process

The impact analysis is structured around a definition of the problems that the policy will address and the objectives it is meant to achieve.  During the discussions about the directive, these objectives were enhancing policyholders’ protection and the integration of insurance markets in the EU. 

The Commission’s impact analysis acknowledges that there is now a third objective that has been taken into account: fostering growth and recovery in Europe by promoting long-term investment.  In the case of insurance, the main challenges that arise relate to the low interest rate environment and the volatility of asset prices. 

2.    A useful summary of how the calibration of asset risk has evolved

The third objective mentioned above has shaped the structure and calibration of the capital requirements for asset risk, which have evolved over a number of years.  However, it is not easy to see the end product succinctly, because the answer is set out over a number of articles in the implementing measures.  Surprisingly, it can be summarised in a simple table (below).



3.    The scope of impact analysis remains a tricky issue

The Commission seems to have overcome the challenge of undertaking an impact analysis that seeks to cover the impact of all rules.  The Commission states,

“The options assessed have been selected to cover the most important and representative issues from each of the three pillars of Solvency II and each of the areas of the objectives and problem trees. The areas that are merely technical, have been settled in the Directive or are uncontroversial are not assessed in detail …”

This is reasonable and can result in a more productive use of scarce analytical resources but it can also have unintended consequences.  As far as I can see, the impact analysis did not cover the treatment of long-term guarantees.  I am frankly not sure if this is because it was settled in the Directive or because it turned out to be uncontroversial.

4.    The relative priorities of the Commission: the importance of reducing over-reliance on ratings

The concern about over-reliance on ratings is not new if you have been following the development of Solvency II.  However, given the breadth of Solvency II and the focused impact assessment, I found it surprising that the Commission went out of its way to include a full two-page annex summarising the requirements aimed at reducing reliance on external ratings in the risk management of insurance “such as

  ▪ external ratings shall not prevail in risk management;
  ▪ as part of their investment risk management policy, insurers and reinsurers should have their own assessment of all counterparties;
  ▪ as part of their reinsurance (or other risk mitigation techniques) policy, insurers and reinsurers should have their own assessment of all counterparties.”

5.    And finally, a puzzle about policy making

The Commission’s impact assessment notes that one of the issues that emerged from the QIS5 was the application of a limit to the amount of Tier 2 capital (i.e. debt) that would be allowed.  This issue has remained unclear since then. 

Interestingly, if all you read is the relevant section of the impact analysis on pages 38 to 46 which also summarises EIOPA’s recommendations, you could be forgiven for thinking that the limit would not apply.  It is only the summary on pages 50 to 51 that suggested that I might need to reconsider my initial views.  Indeed, the draft implementing measures clarify that the sum of Tier 2 and Tier 3 capital must not exceed 50% of the SCR, which is an interesting development. 

This illustrates one of the key operational challenges of impact analysis: the need to keep up with the policy.

This was a selective but nonetheless in-depth reading of the impact assessment.  Have you read the impact assessment?  Did you learn any useful points from it?

You can subscribe to future posts here.

Friday, 27 February 2015

The Three Lines of Defence: An Enforcement Perspective


Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The case analysis looks at the performance of each line of defence and sets out the observed failures, which provides a useful checklist.  

1.  Weaknesses in the first line of defence 
  • unclear split of responsibilities between the first and second lines of defence 
  • failure to implement appropriate controls  
  • lack of a system to capture the relevant information 
  • weaknesses in the management information produced 
  • a culture focused on performance, together with performance management that often overlooked the importance of risk and controls  
2.  Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3.  Weaknesses in the third line of defence  
  • unclear process for accepting the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support their closure 
  • lack of testing of the closure of audit issues

Intuitively, this characterisation of systems and controls around the three lines of defence is not new; what is new, in my view, is its explicit recognition in an enforcement case.

You can subscribe to future posts here.

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Sunday, 1 February 2015

Is It FCA Supervision or Enforcement?


One of the observations in my latest post about enforcement (here) was that fines can become a relatively small component of the cost of regulatory enforcement.  This observation was made in a context where, in addition to the fine, the firm had agreed to a number of specific measures which included replacing its executive management team and a comprehensive review of its governance structure. 

This week I came across an even better example of the blurred line between formal enforcement and a firm agreeing with the supervisor to a set of measures.  The Times reports that the London office of Deutsche Bank has been put on ‘enhanced supervision’ (here). 

Enhanced supervision is a new power acquired by the FCA, the use of which is articulated in a paper from June 2014 (here).  It explains that the application of enhanced supervision is not enforcement, although that may follow.  Enhanced supervision requires the firm’s Board to formally commit to remediation measures.  The paper sets out a comprehensive list of indicators of the failures that would lead to enhanced supervision:  
  • “the observation of numerous or specially significant conduct failings or repeated failings that when examined individually might not be considered serious  
  • “occurrence of failings in several business areas, as this is an indicator of wider cultural issues within the firm 
  • “a poorly functioning Board, for example failing to challenge executives or take a lead in considering conduct  
  • “evidence of control areas such as Risk, Compliance and Internal Audit being poorly managed, under-resourced or unable to make their voices heard at Board level 
  • “evidence of weak risk management (we may consider the PRA’s findings in relation to prudential risk management), or 
  • “evidence of other weaknesses in the way in which the Board and senior management influence key cultural factors, for example ‘tone from the top’, pay and incentives and their adherence to the organisation’s values.” 

There has been no formal statement from the FCA about this case. 

Perhaps the main point arising from this development is the further recognition that formal enforcement may not necessarily be the most effective tool from the point of view of meeting supervisory objectives and that fines may not be the most effective deterrent.  

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases reviewed.

Friday, 23 January 2015

FCA Enforcement: Going Global



With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.  

The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation.  The FCA imposed a fine of £8.4 million as a result of the breaches identified.  (Click here to read the full details of the case.)

The business involved outsourcing the sales process to a number of third-party companies.  The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis.  Names of potential clients were obtained from a range of business partners, which were remunerated when sales were made.  These business partners were not involved in selling the products. 

The case results from the breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6).  The case provides a number of interesting lessons about the interaction of risk management and regulation.

1.  Fines may become a small component of the cost to firms of regulatory enforcement

In this case, and in addition to the fine, the company committed to undertake a range of voluntary measures.  These include a review of past business sold in the UK and European countries, and compensation where losses arise as a result of the failings identified in this case.  

In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.

2.  The FCA is applying UK requirements to non-UK operations

This is intentionally blunt!  In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and controls, which applies to the entire business, including the European business.  The FCA identified significant failures, which included inadequate management information, executive and board oversight and compliance oversight.   

3.  The importance of proactively managing the process

I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here).   This case provides an alternative perspective.  

The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge.  The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls. 

When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings.  This would be appropriate up to a point.  

An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective.  This would require reviewing governance arrangements throughout the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence.  Hindsight is always a powerful tool, but it seems that this course of action could have been more effective in limiting the potential consequences.

Finally, this case also illustrates other failures, such as weak controls over outsourcing and a skewed sales incentive mechanism.

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.

Monday, 12 January 2015

Hunting Elephants: The Ultimate Frontier for Enterprise Risk Management (ERM)?


One of the aspects of implementing ERM is putting in place an approach to consider its effectiveness.  A combination of approaches is typically suggested for this purpose, including a consideration of the approaches adopted and evidence of the risk culture.  

An alternative would be to establish whether the implementation of ERM ensures that the appropriate conversations about risks are taking place in the business.  The elephant is the proverbial unspoken element of a discussion – about risks, in this case. 

An interesting paper from a working group of the UK Institute of Actuaries entitled ‘Risk: Elephants in the Room’ looks into the causes that may explain why conversations about risks have not been happening effectively in insurers.  (Click here for the paper.) 

The paper identifies two main reasons why these conversations may not be taking place:

1.     There is limited understanding of the underlying issues. 

This could result from limited knowledge depth on the relevant subject.  I suppose this is the typical regulatory concern about insurers investing in new types of assets or venturing into non-core areas.

The paper offers a good list of examples of typical elephants (pages 7 to 9) which could help senior management self-check whether something has been missed.  It also outlines two approaches to identify elephants – based on risk lineage and scenarios – which seem a useful starting point.

2.     ‘Soft’ factors prevent risk discussions from happening or limit their effectiveness, even where risk elephants are known.

The paper identifies a number of such ‘soft’ factors: 
  • the risk culture prevents free and open discussion about risks; 
  • the complexity of the underlying issues can alienate the audience;
  • the regulatory perspective sometimes associated with risk causes executives to tune out;
  • over-reliance on quantification: after a risk is quantified the level of oversight diminishes, which is particularly risky for low-frequency, high-severity risks;
  • risk universe bias: an elephant can be a risk that does not fit into one of the existing risk categories.

Two practical implications from this paper strike me:

1.     A risk function should have appropriate resources to identify relevant elephants.

This would require a combination of internal and external resources.  For example, if an insurer chooses to invest in alternative assets, it should develop appropriate expertise in the area.  However, the risk function may need external support to ensure that elephants in other areas are also identified.

2.     Consider the ‘soft’ factors that may hamper the effectiveness of risk discussions, and risk management more generally.

This consideration of soft factors should be part of an ERM implementation.  However, it should also be a consideration of any assessment of the operational effectiveness of the risk function.

What do you think?  Do you have any thoughts on these suggestions about risk elephants and their identification? 

You can subscribe to future posts here.

Thursday, 4 December 2014

Solvency II: The Beginning of the End?

This week I spoke at a client breakfast event organised by Protiviti in London. 

The ‘beginning of the end’ is not just a rhetorical question about Solvency II but the challenging topic I had to address: Solvency II becoming effective on 1 Jan 2016.  I spoke about the ‘end point’ and focused on two issues:
  • whether this is the end point we expected from a policy perspective (a measured yes, though it feels more different from the current ICA regime than expected, partly because of the financial crisis), and  
  • whether insurers are engaging in contingency planning to reflect regulatory uncertainties around the end point that they are targeting.

I suggested that instead of thinking that this is the ‘beginning of the end’, we consider whether this is in fact the ‘end of the beginning’ – the implementation.  Now the real challenge begins: operating Solvency II in a BAU environment.  I offered a few suggestions to facilitate that transition; take a look at the slides.

You can subscribe to future posts here.

Friday, 14 November 2014

Financial Conduct Authority Enforcement: The Sum and the Parts


In previous posts I have covered the lessons for risk management from a number of enforcement cases from the UK Financial Conduct Authority (FCA) (e.g. here and here). 

An alternative approach is to capture summary data about all fines and assess their evolution over time.  This is what NERA – National Economics Research Associates – have been doing for a number of years.  The latest paper of this series is available here.  (Full disclosure: I worked at NERA several years ago.)

The latest report from NERA shows the overall increase in FCA (and FSA) enforcement in the last two years.  Total fines to firms have increased from £59 million in 2011-12 to about £420 million in each of the last two full financial years.  The typical fine is also getting larger, with the median fine increasing from £1.4 million in 2011-12 to £5.6 million in 2013-14.  

There were also some other interesting observations:
  • The overall number of cases against firms does not necessarily predict the total fines.
  • While five out of the 10 top fines against firms relate to LIBOR market manipulation, the others cover “classical” issues such as client assets, unsuitable investments and mis-selling.
  • The total of fines against individuals (as opposed to firms) has diminished from £19.9 million in 2011-12 to £3.9 million in 2013-14.  A similar trend is observed for the number of cases pursued against individuals.

There are two points that I would like to consider.

1.    The impact of the FCA revised penalty framework

The increase in FCA fines against firms may be influenced by the reliance on the revised penalty framework.  It is summarised in five steps:
  • Step 1: removal of any financial benefit derived directly from the breach  
  • Step 2: the seriousness of the breach 
  • Step 3: mitigating and aggravating factors
  • Step 4: an increase to the result from the above steps to reflect an adjustment for deterrence 
  • Step 5: settlement discount

This applies to conduct that took place since 6 March 2010.  Given the lead times for enforcement cases, this framework is probably starting to bite in earnest now, and fines could stay at the current higher level and even increase further.  It will also be interesting to read in the enforcement notices how economic considerations shape the regulator’s view about the size of any financial benefit derived by the company from the breach.

2.    The decline in enforcement cases against individuals

NERA also wonders if this decline is consistent with the regulatory ambition of using enforcement to provide a “credible deterrent”.  

One possible reason for the decline in enforcement against individuals is the targeted diversion of resources to other investigations such as LIBOR and currency manipulation.  In this case, the decline would be reversed in the not-so-distant future. 

An alternative is to consider whether the change reflects the view that enforcement against firms provides a more efficient “credible deterrent”.  If this were the case, then the decline of enforcement action against individuals would not be reversed.  I have not come across evidence to support this claim but here are two arguments to consider:  
  • A stronger deterrent effect is provided by the overall size of the fines, which tend to be larger for firms, than by personal accountability.  
  • Enforcement cases related to individuals tend to reveal individuals’ determination to breach the rules rather than weaknesses in risk management.  There may be a more limited scope for improvement in risk management while providing an effective service to customers.

I would be interested in your thoughts about the likely impact of the FCA revised penalty framework and the decline in enforcement cases against individuals.


You can subscribe to future posts here.

Wednesday, 22 October 2014

Emerging Regulatory Risks: the Case of Pensions Legislation



This year’s announcement of the UK Government Budget includes the decision to end the compulsory annuitisation at age 75. 

Apparently, the announcement took the UK insurance industry by surprise, which in itself is surprising since the 2010 Coalition agreement included a rather blunt statement on the subject: “We will end the rules requiring compulsory annuitisation at 75.” I am sure that this statement was considered at the time, and that briefings to senior management were issued, etc.  Yet how could the recent Budget announcement have been a surprise to the insurance industry?

There is another, more recent, policy announcement about government policy on pensions, which might follow a similar pattern.  The Liberal Democrats published in early September a pre-manifesto entitled A Stronger Economy and a Fairer Society which includes the following objective: “Establish a review to consider the case for, and practical implications of, introducing a single rate of tax relief for pensions, which would be designed to be simpler and fairer and which would be set more generously than the current 20% basic rate relief.”

Commentators have already picked up that the “simpler and fairer” rate will be something less than the current 40% rate relief (see, for example, Ian King’s column in The Times on 15 September).  I am sure that briefing papers to senior management may already have been issued.  Some insurance companies may even be looking to assess the quantitative impact of the possible changes in tax relief.  However, this issue will remain a live issue for several years and may surprise the industry, depending on the outcome of the 2015 elections.   

From an ERM perspective, there is a simpler question.  How can you manage the emerging risk from regulatory and policy developments which have a long lead time? 

The answer is to design and implement a system that captures emerging risks over time and enables their continuing assessment.  

Here are some key points to consider as part of this design:
  • Have you simplified the system as much as possible to ensure that it has more chance of being implemented and used?
  • What processes would you put in place to ensure that the regulatory emerging risks are re-assessed at regular intervals?
  • How would you identify a person / function / business that would take action if the risk crystallises?
  • How would you integrate emerging risk with the wider risk reporting?
  • Would you consider contingency planning, including analysis and scoping changes in products or systems?

As ever, the challenge will be implementing and embedding.  However, these cases illustrate that there is a combination of high impacts and long lead times that can only be managed in a systematic manner to reduce the likelihood of surprises.

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 


You can subscribe to future posts here.

Tuesday, 14 October 2014

Guest Post: Risk Cycles and the Use-Test (Part 2)


One of the lessons from my post on the objective of risk management was that there are a number of perspectives about it.  I asked a number of leading industry experts to share their perspective.

Today, I am sharing the second part of Jim Sutcliffe’s contribution, reflecting a Board perspective as Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group.  Jim explains how the concept of risk cycles can be used to implement the use test. (The first part, on the use-test, is here.) 

Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.


****************************

Implementing the use-test: risk cycles
Jim Sutcliffe, Chairman of Sun Life Financial (Canada), and Chairman of BaxterBruce (UK)

There are a number of risk cycles in use at the big consultancies, but I find that few have the ring of reality about them. We can all recite Identify, Assess, Monitor, Maintain, Report etc, but this kind of cycle, at least from the perspective of a non-executive, is likely to lead to the use test not being complied with.

For me, the first step in the process is a number of actions that are all to do with "Understanding" your risks and their shape and texture. The difference between identifying and assessing is often academic - it's the process of assessing that leads to the identification, or at least the recognition of importance. Stress tests, reverse stress tests and scenario tests are all part of understanding, and from a non-executive perspective, making sure that the executive understands, as much as ensuring the board understands.

Some risks are easily measured, others have pretend-accurate models around them, and discussions need to recognize these differences, and not bury them under pseudo-science.

But once you've understood your risks, the next step for the Risk Committee is to get them into the context of the strategy, and set up the necessary "Policy". This will include risk appetite statements, risk targets, limits on activity, statements of desired and unwanted risks, control activities and a number of similar items, all aimed at ensuring the risk reward balance in the business is what is required. From a Non-Executive perspective, this is the crucial step. Once these policies are in place, you hand over to the executive, and say, "operate within these bounds", and tell me when you step out, and how you are going to rectify it.

The next useful thing to do is to check that "Management Action" is building the sub-blocks that are high reward/low risk and shrinking the other blocks. This is of course a hard problem, but that's why management is paid a lot. This then can also help lead you to understand what the incentives are and whether they are working properly, as well as being very informative. It will also tell you whether your Use Test is being met.

After that, check "Compliance". This should be a big dashboard maintained by the CRO and his/her team. And as with any dashboard, you should expect a lot of green, and pay attention to any reds that appear. The rules should be very firm. If you breach, report, and no exceptions or stories that it didn't matter or is about to be fixed. Report all breaches!

And lastly you are in a position to "Report". You have all the facts, your Principal risks come out of Understanding, your Going Concern Statements come from there too. You can report on the policies you have in place and the actions taken to improve the business, and you can show the use test in action.

It's a far simpler cycle, and much more realistic.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.  

Monday, 6 October 2014

Guest Post: the Use of the Use-Test (Part 1)


One of the lessons from my post on the objective of risk management was that there are a number of perspectives about it.  I asked a number of leading industry experts to share their perspective.

Today, I am sharing the views of Jim Sutcliffe, Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group.  Jim sets out the objective of risk management in terms of the 'use test'.  His next post will consider how to implement it in a meaningful manner.

Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.

****************************

Defining the use-test
Jim Sutcliffe, Chairman of Sun Life Financial (Canada), and Chairman of BaxterBruce (UK)

The Use Test is a simple but powerful concept to think about the objective of risk management. You should actually use your risk management system as part of your business, not as an afterthought.

But it's still true in many places that the risk department are those interfering people from Head Office whom we have to placate occasionally, but whom we basically avoid. Grrr.

Happily, in some of my interests, this era has passed and the power of doing things properly is showing through in the share price. 

Actually there are two sides to this story. Risk departments need to be staffed by potential CEOs and not Dr No's. Risk people need to be able to contribute to the development of these organizations, not just inhibit. But with the right people in place, good first lines will welcome the second pair of eyes, and the help in avoiding pitfalls, that risk departments with their broader vision can contribute. Bad first lines put up boundaries around their activities, and restrict access to information. They have their ears closed to different ideas, and are the weaker for it.

I sat with a lunch group of non-executive directors recently, not from the financial services industry, and found the room split between those who thought risk management was a waste of time, and those who embraced it wholeheartedly. There were few in the middle. Actually good risk management, and the embedding of risk management in the first line is not new. Good managements have always done it, and when risk is physical, as in the extractive industries, there are some very advanced techniques, and acknowledgement of the behavioural aspect of the subject.

And the Use Test has this behavioural issue at its heart. All the rules in the world won't prevent risks from crystallizing if the culture is against it. And that too needs attention. Risk managers are managers, and the art of management needs to be on the agenda as well as statistical technique and Monte Carlo simulation.

The prize is still out there to be won in many organizations. Some already have it in their hands and will be the winners in the next crunch. But beware the backwoodsmen who think that risk is for boring HO people!!

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 


You can subscribe to future posts here.