Tuesday, 14 April 2015

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However, the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than they seem.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Tuesday, 31 March 2015

Losses Are Not Failures of Risk Management



Well, not necessarily.  But we need to remind ourselves and our stakeholders that that is really the point.  Losses will happen with a certain regularity.  This is the message of a risk appetite system where the limits are calibrated to a 1-in-10 chance over a one-year horizon.   Whether the implications are really appreciated is a different point.

A paper by Rene Stulz (here) is a good reminder that losses may not represent a failure of risk management.  This is particularly the case where “managers [know] exactly the risks they faced―and they decided to take them.  Therefore there is no sense in which risk management failed”.  He goes on further to say that “deciding whether to take a known risk is not a decision for risk managers.  The decision depends on the risk appetite of an institution.” 

This is consistent with the practitioner’s view of James Tufts, Group CRO of Guardian Financial Services, as expressed in a guest post in this blog: “[T]he objective of the ‘Risk Function’ should not be ‘risk management’.  That’s a business objective.  The objective of the ‘Risk Function’ is to provide the ERM [Enterprise Risk Management] framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.”

There may be risk management failures nevertheless and Stulz’s paper goes on to provide a useful classification:
  1. Mismeasurement of known risks  
  2. Failure to take risks into account 
  3. Failure in communicating the risks to top management 
  4. Failure in monitoring risks 
  5. Failure in managing risks 
  6. Failure to use appropriate risk metrics
I find these categories rather intuitive and I wonder how they can be used in practice.  There is an increasing regulatory expectation of formal assessment of the effectiveness of risk management and these categories could usefully feed into that process in two complementary ways. 

Firstly, banks and insurers track a range of risk events/incidents.  It would be useful to consider if reported incidents fall into any of the above categories.  Alternatively they may be consistent with risk appetite.

Secondly, insurers and banks using an internal model are expected to use it to support a profit and loss attribution.  This means explaining actual profits and losses by reference to the output of the internal model and the risk categories considered.  It would be interesting to consider if the losses arise from changes in values consistent with risk appetite or any of the reasons set out above. 

The above might seem a simple idea but learning from failures, or risk management failures in this case, is usually anything but a simple idea.

If you found this post useful, you may want to subscribe and receive future posts by email (here). There will not be many of them.

Monday, 16 March 2015

Stress Testing: Reporting or ‘So What’?


The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.   
Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises. 
In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them. 
There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reduction in costs and dividend.  Furthermore, the BoE clarified that they did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impacts, specifically no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.  
In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?
A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

                ‘Internal’                                         ‘External’ / BoE
Purpose         Identifying vulnerabilities and addressing them    Evidencing overall resilience
Focus           Lines of business / business units                 Enterprise wide
Given the BoE’s intention to continue stress testing and make them an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing. 
Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis. 
Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation which would be reflected in the next stress testing for the BoE.
In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.

You can subscribe to future posts here.


Saturday, 28 February 2015

The European Commission’s Impact Assessment of Solvency II: Some Useful Points


The European Commission recently published a draft of the Solvency II ‘implementing measures’.  The ‘implementing measures’ expand on the requirements set out in the Solvency II directive.  Alongside the ‘implementing measures’, the European Commission also published a draft impact assessment.  This is one of the many procedural requirements that apply to the policy-making process in the Commission.

I thought it would be interesting to review the impact assessment.  As a user, I want to consider the extent to which the impact assessment can help me to understand Solvency II. 

What did I learn from this exercise?

1.    The importance of objectives in the EU policy-making process

The impact analysis is structured around a definition of problems that the policy making will address.  During the discussions about the directive, these objectives were enhancing policyholders’ protection and the integration of insurance markets in the EU. 

The Commission’s impact analysis acknowledges that there is now a third objective that has been taken into account: fostering growth and recovery in Europe by promoting long-term investment.  In the case of insurance, the main challenges that arise relate to the low interest rate environment and the volatility of asset prices. 

2.    A useful summary of how the calibration of asset risk has evolved

The third objective mentioned above has shaped the structure and calibration of capital requirements for asset risk, which has evolved over a number of years.  However, it is not easy to see the end product in a succinct way, because the answer is set out over a number of articles in the implementing measures.  Surprisingly, this can be summarised in a simple table (below).



3.    The scope of impact analysis remains a tricky issue

The Commission seems to have overcome the challenge of undertaking an impact analysis that seeks to cover the impact of all rules.  The Commission states,

“The options assessed have been selected to cover the most important and representative issues from each of the three pillars of Solvency II and each of the areas of the objectives and problem trees. The areas that are merely technical, have been settled in the Directive or are uncontroversial are not assessed in detail …”

This is reasonable and can result in a more productive use of scarce analytical resources but it can also have unintended consequences.  As far as I can see, the impact analysis did not cover the treatment of long-term guarantees.  I am frankly not sure if this is because it was settled in the Directive or because it turned out to be uncontroversial.

4.    The relative priorities of the Commission: the importance of reducing over-reliance on ratings

The concern about over-reliance on ratings is not new if you have been following the development of Solvency II.  However, given the breadth of Solvency II and the focused impact assessment, I found it surprising that the Commission went out of its way to include a full two-page annex summarising the requirements aimed at reducing reliance on external ratings in the risk management of insurance “such as

  • external ratings shall not prevail in risk management;
  • as part of their investment risk management policy, insurers and reinsurers should have their own assessment of all counterparties;
  • as part of their reinsurance (or other risk mitigation techniques) policy, insurers and reinsurers should have their own assessment of all counterparties.”

5.    And finally, a puzzle about policy making

The Commission’s impact assessment notes that one of the issues that emerged from the QIS5 was the application of a limit to the amount of Tier 2 capital (i.e. debt) that would be allowed.  This issue has remained unclear since then. 

Interestingly, if all you read is the relevant section of the impact analysis on pages 38 to 46 which also summarises EIOPA’s recommendations, you could be forgiven for thinking that the limit would not apply.  It is only the summary on pages 50 to 51 that suggested that I might need to reconsider my initial views.  Indeed, the draft implementing measures clarify that the sum of Tier 2 and Tier 3 capital must not exceed 50% of the SCR, which is an interesting development. 

This illustrates one of the key operational challenges of impact analysis: the need to keep up with the policy.

This was a selective but nonetheless in-depth reading of the impact assessment.  Have you read the impact assessment?  Did you learn any useful points from it?

You can subscribe to future posts here.

Friday, 27 February 2015

The Three Lines of Defence: An Enforcement Perspective


Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The case looks at the performance of each line of defence and sets out the observed failures, which provides a useful checklist.

1. Weaknesses in the first line of defence 
  • unclear split of responsibilities between first and second line of defence 
  • failure to implement appropriate controls  
  • lack of system to capture the relevant information 
  • weaknesses in management information produced 
  • culture focused on performance together with performance management that often overlooked the importance of risk and controls  
2.  Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3.  Weaknesses in the third line of defence  
  • unclear process to accept the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
  • lack of testing of the closure of audit issues
Intuitively this characterisation of systems and controls around the three lines of defence is not new; in my view, rather, it is the explicit recognition in an enforcement case that is new.

You can subscribe to future posts here.

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Sunday, 1 February 2015

Is It FCA Supervision or Enforcement?


One of the observations in my latest post about enforcement (here) was that fines can become a relatively small component of the cost of regulatory enforcement.  This observation was made in a context where, in addition to the fine, the firm had agreed to a number of specific measures which included replacing its executive management team and a comprehensive review of its governance structure. 

This week I came across an even better example of the blurring line between formal enforcement and where a firm agrees with the supervisor to a set of measures.  The Times reports that the London office of Deutsche Bank has been put on ‘enhanced supervision’ (here). 

Enhanced supervision is a new power acquired by the FCA, the use of which is articulated in a paper from June 2014 (here).  It explains that the application of enhanced supervision is not enforcement, although that may follow.  Enhanced supervision requires the firm’s Board to formally commit to remediation measures.  The paper sets out a comprehensive list of indicators of the failures that would lead to enhanced supervision:  
  • “the observation of numerous or specially significant conduct failings or repeated failings that when examined individually might not be considered serious  
  • “occurrence of failings in several business areas, as this is an indicator of wider cultural issues within the firm 
  • “a poorly functioning Board, for example failing to challenge executives or take a lead in considering conduct  
  • “evidence of control areas such as Risk, Compliance and Internal Audit being poorly managed, under-resourced or unable to make their voices heard at Board level 
  • “evidence of weak risk management (we may consider the PRA’s findings in relation to prudential risk management), or 
  • “evidence of other weaknesses in the way in which the Board and senior management influence key cultural factors, for example ‘tone from the top’, pay and incentives and their adherence to the organisation’s values.” 

There has been no formal statement from the FCA about this case. 

Perhaps the main point arising from this development is the further recognition that formal enforcement may not necessarily be the most effective tool from the point of view of meeting supervisory objectives and that fines may not be the most effective deterrent.  

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases reviewed.

Friday, 23 January 2015

FCA Enforcement: Going Global



With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.  

The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation.  The FCA imposed a fine of £8.4 million as a result of the breaches identified.  (Click here to read the full details of the case.)

The business involved outsourcing the sales process to a number of third party companies.  The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis.  Names of potential clients were obtained from a range of business partners which were remunerated when sales were made.  These business partners were not involved in selling the products.

The case results from the breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6).  The case provides a number of interesting lessons about the interaction of risk management and regulation.

1.  Fines may become a small component of the cost to firms of regulatory enforcement

In this case and in addition to the fine, the company committed to undertake a range of voluntary measures.  This includes a review of past business sold in the UK and European countries and compensation where losses arise as a result of the failings identified in this case.  

In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.

2.  The FCA is applying UK requirements to non-UK operations

This is intentionally blunt!  In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and control which applies to the entire business, including European business.  The FCA identified significant failures which included inadequate management information, executive and board oversight and compliance oversight.   

3.  The importance of proactively managing the process

I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here).   This case provides an alternative perspective.  

The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge.  The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls. 

When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings.  This would be appropriate up to a point.  

An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective.  This would require reviewing governance arrangements through the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence.  Hindsight is always a powerful tool but it seems that this course of action could have been more effective in limiting the potential consequences.

Finally, this case also illustrates other failures such as controls of outsourcing and a skewed sales incentive mechanism.

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.

Monday, 12 January 2015

Hunting Elephants: The Ultimate Frontier for Enterprise Risk Management (ERM)?


One of the aspects of implementing ERM is putting in place an approach to consider its effectiveness.  A combination of approaches are typically suggested for this purpose including a consideration of the approaches adopted and evidence of the risk culture.  

An alternative would be to establish whether the implementation of ERM ensures that the appropriate conversations about risks are taking place in the business.  The elephant is the proverbial unspoken element of a discussion – about risks in this case.

An interesting paper from a working group of the UK Institute of Actuaries entitled ‘Risk: Elephants in the Room’ looks into the causes that may explain why conversations about risks have not been happening effectively in insurers.  (Click here for the paper.) 

The paper identifies two main reasons why these conversations may not be taking place:

1.     There is limited understanding of the underlying issues. 

This could result from limited knowledge depth on the relevant subject.  I suppose this is the typical regulatory concern about insurers investing in new types of assets or venturing into non-core areas.

The paper offers a good list of examples of typical elephants (pages 7 to 9) which could help senior management self-check whether something has been missed.  It also outlines two approaches to identify elephants – based on risk lineage and scenarios – which seem a useful starting point.

2.     ‘Soft’ factors prevent risk discussions from happening or limit their effectiveness, even where risk elephants are known.

The paper identifies a number of such ‘soft’ factors: 
  • risk culture prevents free and open discussion about risks; 
  • complexity of the underlying issues can alienate audience;
  • regulatory perspective sometimes associated with risk tunes out executives;
  • over-reliance on quantification; after a risk is quantified the level of oversight diminishes, which is particularly risky for low-frequency and high-severity risks;
  • risk universe bias; an elephant can be a risk that does not fit into one of the existing risk categories.
Two practical implications from this paper strike me:

1.     A risk function should have appropriate resources to identify relevant elephants.

This would require a combination of internal and external resources.  For example, if an insurer chooses to invest in alternative assets, it should develop appropriate expertise in the area.  However, the risk function may need external support to ensure that elephants in other areas are also identified.

2.     Consider the ‘soft’ factors that may hamper the effectiveness of risk discussions, and risk management more generally.

This consideration of soft factors should be part of an ERM implementation.  However, it should also be a consideration of any assessment of the operational effectiveness of the risk function.

What do you think?  Do you have any thoughts on these suggestions about risk elephants and their identification? 

You can subscribe to future posts here.

Thursday, 4 December 2014

Solvency II: The Beginning of the End?

This week I spoke at a client breakfast event organised by Protiviti in London. 

The ‘beginning of the end’ is not just a rhetorical question about Solvency II but the challenging issue I had to address about Solvency II becoming effective on 1 Jan 2016.  I spoke about the ‘end point’ and focused on two issues:
  • whether this is the end point we expected from a policy perspective (a measured yes, though it feels more different from the current ICA regime than expected, partly because of the financial crisis), and  
  • whether insurers are engaging in contingency planning to reflect regulatory uncertainties around the end point that they are targeting.
I suggested that instead of thinking that this is the ‘beginning of the end’, we consider whether this is in fact the ‘end of the beginning’ – the implementation.  Now the real challenge begins: operating Solvency II in a BAU environment.  I offered a few suggestions to facilitate that transition; take a look at the slides.

You can subscribe to future posts here.

Friday, 14 November 2014

Financial Conduct Authority Enforcement: The Sum and the Parts


In previous posts I have covered the lessons for risk management from a number of enforcement cases from the UK Financial Conduct Authority (FCA) (e.g. here and here). 

An alternative approach is to capture summary data about all fines and assess their evolution over time.  This is what NERA – National Economics Research Associates – have been doing for a number of years.  The latest paper of this series is available here.  (Full disclosure: I worked at NERA several years ago.)

The latest report from NERA evidences the overall increase in FCA (and FSA) enforcement in the last two years.  Total fines to firms have increased from £59 million in 2011-12 to about £420 million in each of the last two full financial years.  The typical fine is also getting larger, with the median fine increasing from £1.4 million in 2011-12 to £5.6 million in 2013-14.

There were also some other interesting observations:
  • The overall number of cases against firms does not necessarily predict the total fines.
  • While five out of the 10 top fines against firms relate to LIBOR market manipulation, the others cover “classical” issues such as client assets, unsuitable investments and mis-selling.
  • The total of fines against individuals (as opposed to firms) has diminished from £19.9 million in 2011-12 to £3.9 million in 2013-14.  A similar trend is observed for the number of cases pursued against individuals.
There are two points that I would like to consider.

1.    The impact of the FCA revised penalty framework

The increase in FCA fines against firms may be influenced by the reliance on the revised penalty framework.  It is summarised in five steps:
  • Step 1: removal of any financial benefit derived directly from the breach  
  • Step 2: the seriousness of the breach 
  • Step 3: mitigating and aggravating factors
  • Step 4: an increase to the result from the above steps to reflect an adjustment for deterrence 
  • Step 5: settlement discount
This applies to conduct that took place since 6 March 2010.  Given the lead times for enforcement cases, this framework is probably starting to bite in earnest now and fines could stay at the current higher level and even increase further.  It will also be interesting to read in the enforcement notices how economic considerations shape the regulator’s view about the size of any financial benefit derived by the company from the breach.

2.    The decline in enforcement cases against individuals

NERA also wonders if this decline is consistent with the regulatory ambition of using enforcement to provide a “credible deterrent”.  

One possible reason for the decline in enforcement against individuals is the targeted diversion of resources to other investigations such as LIBOR and currency manipulation.  In this case, the decline would be reversed in the not-so-distant future. 

An alternative is to consider whether the change reflects the view that enforcement against firms provides a more efficient “credible deterrent”.  If this were the case, then the decline of enforcement action against individuals would not be reversed.  I have not come across evidence to support this claim but here are two arguments to consider:  
  • A stronger deterrent effect is provided by the overall size of the fines, which tend to be larger for firms, than by personal accountability.
  • Enforcement cases related to individuals tend to reveal individuals’ determination to breach the rules rather than weaknesses in risk management.  There may be a more limited scope for improvement in risk management while providing an effective service to customers.

I would be interested in your thoughts about the likely impact of the FCA revised penalty framework and the decline in enforcement cases against individuals.


You can subscribe to future posts here.