Solvency II: The Beginning of the End?

This week I spoke at a client breakfast event organised by Protiviti in London. 

The ‘beginning of the end’ is not just a rhetorical question about Solvency II but the challenging issue I had to address about Solvency II becoming effective on 1 Jan 2016.  I spoke about the ‘end point’ and focused on two issues:

• whether this is the end point we expected from a policy perspective (a measured yes, though it feels more different from the current ICA regime than expected, partly because of the financial crisis), and  

• whether insurers are engaging in contingency planning to reflect regulatory uncertainties around the end point that they are targeting.

I suggested that instead of thinking that this is the ‘beginning of the end’, we consider whether this is in fact the ‘end of the beginning’ – the implementation.  Now the real challenge begins: operating Solvency II in a BAU environment.  I offered a few suggestions to facilitate that transition; take a look at the slides. 

You can subscribe to future posts here.

Financial Conduct Authority Enforcement: The Sum and the Parts

In previous posts I have covered the lessons for risk management from a number of enforcement cases from the UK Financial Conduct Authority (FCA) (e.g. here and here). 

An alternative approach is to capture summary data about all fines and assess their evolution over time.  This is what NERA – National Economics Research Associates – have been doing for a number of years.  The latest paper of this series is available here.  (Full disclosure: I worked at NERA several years ago.)

The latest report from NERA evidences the overall increase in FCA (and FSA) enforcement in the last two years.  Total fines to firms have increased from £59 million in 2011-12 to about £420 million in each of the last two full financial years.  The typical fine is also getting larger with the median fine increase from £1.4 million in 2011-12 to £5.6 million in 2013-14.  

There were also some other interesting observations:

• The overall number of cases against firms does not necessarily predict the total fines.
• While five out of the 10 top fines against firms relate to LIBOR market manipulation, the others cover “classical” issues such as client assets, unsuitable investments and mis-selling.
• The total of fines against individuals (as opposed to firms) has diminished from £19.9 million in 2011-12 to £3.9 million in 2013-14.  A similar trend is observed for number of cases pursued against individuals.

There are two points that I would like to consider.

1.    The impact of the FCA revised penalty framework

The increase in FCA fines against firms may be influenced by the reliance on the revised penalty framework.  It is summarised in five steps:

• Step 1: removal of any financial benefit derived directly from the breach  
• Step 2: the seriousness of the breach 
• Step 3: mitigating and aggravating factors
• Step 4: an increase to the result from the above steps to reflect an adjustment for deterrence 
• Step 5: settlement discount

This applies to conduct that took place since 6 March 2010.  Given the lead times for enforcement cases, this framework is probably starting to bite in earnest now and fines could stay at the current higher level and even increase further.  It will also be interesting to read in the enforcement notices how economic considerations shape the regulator’s view about the size of any financial benefit derived by the company from the breach.

2.    The decline in enforcement cases against individuals

NERA also wonders if this decline is consistent with the regulatory ambition of using enforcement to provide a “credible deterrent”.  

One possible reason for the decline in enforcement against individuals is the targeted diversion of resources to other investigations such as LIBOR and currency manipulation.  In this case, the decline would be reversed in the not-so-distant future. 

An alternative is to consider whether the change reflects the view that enforcement against firms provides a more efficient “credible deterrent”.  If this were the case, then the decline of enforcement action against individuals would not be reversed.  I have not come across evidence to support this claim but here are two arguments to consider:  

• A stronger deterrent effect is provided by the overall size of the fines, which tend to be larger for firms, than personal accountability.  
• Enforcement cases related to individuals tend to reveal individuals’ determination to breach the rules rather than weaknesses in risk management.  There may be a more limited scope for improvement in risk management while providing an effective service to customers.

I would be interested in your thoughts about the likely impact of the FCA revised penalty framework and the decline in enforcement cases against individuals.

You can subscribe to future posts here.

Emerging Regulatory Risks: the Case of Pensions Legislation

This year’s announcement of the UK Government Budget includes the decision to end the compulsory annuitisation at age 75. 

Apparently, the announcement took the UK insurance industry by surprise, which in itself is surprising since the 2010 Coalition agreement included a rather blunt statement on the subject: “We will end the rules requiring compulsory annuitisation at 75.” I am sure that this statement may have been considered at the time and briefings to senior management would have been issued, etc.  Yet how could the recent Budget announcement have been a surprise to the insurance industry?

There is another, more recent, policy announcement about government policy on pensions, which might follow a similar pattern.  The Liberal Democrats published in early September a pre-manifesto entitled A Stronger Economy and a Fairer Society which includes the following objective: “Establish a review to consider the case for, and practical implications of, introducing a single rate of tax relief for pensions, which would be designed to be simpler and fairer and which would be set more generously than the current 20% basic rate relief.”

Commentators have already picked up that the “simpler and fairer” rate will be something less than the current 40% rate relief (see, for example, Ian King’s column in The Times on 15 September).  I am sure that briefing papers to senior management may already have been issued.  Some insurance companies may even be looking to assess the quantitative impact of the possible changes in tax relief.  However, this issue will remain a live issue for several years and may surprise the industry, depending on the outcome of the 2015 elections.   

From an ERM perspective, there is a simpler question.  How can you manage the emerging risk from regulatory and policy development which have a long lead time? 

The answer is to design and implement a system that captures emerging risks over time and enables their continuing assessment.  

Here are some key points to consider as part of this design:

• Have you simplified the system as much as possible to ensure that it has more chance of being implemented and used?
• What processes would you put in place to ensure that the regulatory emerging risks are re-assessed at regular intervals?
• How would you identify a person / function / business that would take action if the risk crystallises?
• How would you integrate emerging risk with the wider risk reporting?
• Would you consider contingency planning, including analysis and scoping changes in products or systems?

As ever, the challenge will be implementing and embedding.  However, these cases illustrate that there is a combination of high impacts and long lead times that can only be managed in a systematic manner to reduce the likelihood of surprises.

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.

Guest Post: Risk Cycles and the Use-Test (Part 2)

One of the lessons from my post on the objective of risk management was that there are number of perspectives about it.  I asked a number of leading industry experts to share their perspective.

Today, I am sharing the second part of Jim Suttcliffe’s contribution reflecting a Board perspective as Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group.  Jim explains how the concept of risk cycles can be used to implement the use test. (The first part on the use-test is here.) 

Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.

****************************

Implementing the use-test: risk cycles

Jim Suttcliffe, Chairman of Sun Life Financial (Canada), and Chairman BaxterBruce (UK)

There are a number of risk cycles in use at the big consultancies, but I find that few have the ring of reality about them. We can all recite Identify, Assess, Monitor, Maintain, Report etc, but this kind of cycle, at least from the perspective of a non-executive is likely to the use test not being complied with.

For me, the first step in the process is a number of actions that are all to do with "Understanding" your risks and their shape and texture. The difference between identifying and assessing is often academic - it's the process of assessing that leads to the identification, or at least the recognition of importance. Stress tests, reverse stress tests and scenario tests are all part of understanding, and from a non-executive perspective, making sure that the executive understands, as much as ensuring the board understands.

Some risks are easily measured, others have pretend-accurate models around them, and discussion need to recognize these differences, and not bury them under pseudo-science.

But once you've understood your risks, the next step for the Risk Committee is to get them into the context of the strategy, and set up the necessary "Policy". This will include risk appetite statements, risk targets, limits on activity, statements of desired and unwanted risks, control activities and a number of similar items, all aimed at ensuring the risk reward balance in the business is what is required. From a Non-Executive perspective, this is the crucial step. Once these policies are in place, you hand over to the executive, and say, "operate within these bounds", and tell me when you step out, and how you are going to rectify it.

The next useful thing to do, is to check that "Management Action" is building the sub-blocks that are high reward/low risk and shrinking the other blocks. This is of course a hard problem, but that's why management is paid a lot. This then can also help lead you to understand she the incentives are and whether they are working properly, as well as be very informative. It will also tell you whether your Use Test is being met.

After that, check "Compliance". This should be a big dashboard maintained by the CRO and his/her team. And as with any dashboard, you should expect a lot of green, and pay attention to any reds that appear. The rules should be very firm. If you breach, report, and no exceptions or stories that it didn't matter or is about to be fixed. Report all breaches!

And lastly you are in a position to "Report". You have all the facts, your Principal risks come out of Understanding, your Going Concern Statements come from there too. You can report on the policies you have in places and the actions taken to improve the business, and you can show the use test in action.

It's a far simpler cycle, and much more realistic.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.  

Guest Post: the Use of the Use-Test (Part 1)

One of the lessons from my post on the objective of risk management was that there are number of perspectives about it.  I asked a number of leading industry experts to share their perspective.

Today, I am sharing the views of Jim Suttcliffe, Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group.  Jim sets out the objective of risk management in terms of the 'use test'.  His next post will consider how to implement it in a meaningful manner.

Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.

****************************

Defining the use-test

Jim Suttcliffe, Chairman of Sun Life Financial (Canada), and Chairman of BaxterBruce (UK)

The Use Test is a simple but powerful concept to think about the objective of risk management. You should actually use your risk management system as part of your business, not as an afterthought.

But it's still true in many places that the risk department are those interfering people from Head Office whom we have to placate occasionally, but whom we basically avoid. Grrr.

Happily, in some of my interests, this era has passed and the power of doing things properly is showing through in the share price. 

Actually there are two sides to this story. Risk departments need to be staffed by potential CEOs and not Dr No's. Risk people need to be able to contribute to the development of these organizations, not just inhibit. But with the right people in place, good first lines will welcome the second pair of eyes, and the help in avoiding pitfalls, that risk departments with their broader vision can contribute. Bad first lines put up boundaries around their activities, and restrict access to information. They have their ears closed to different ideas, and are the weaker for it.

I sat with a lunch group of non-executive directors recently, not from the financial services industry, and found the room split between those who thought risk management was a waste of time, and those who embraced it wholeheartedly. There were few in the middle. Actually good risk management, and the embedding of risk management in the first line is not new. Good managements have always done it, and when risk is physical, as in the extractive industries, there are some very advanced techniques, and acknowledgement of the behavioural aspect of the subject.

And the Use Test has this behavioural issue at its heart. All the rules in the world won't prevent risks from crystallizing if the culture is against it. And that too needs attention. Risk managers are managers, and the art of management needs to be on the agenda as well as statistical technique and Monte Carlo simulation.

The prize is still out there to be won in many organizations. Some already have it in their hands and will be the winners in the next crunch. But beware the backwoodsmen who think that risk is for boring HO people!!

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.  

Pregnancy and 7 Lessons About Risk Management

When my wife was expecting our first son, it surprised me that most of the stories we heard about childbirth from other people involved something going wrong. At some point, we made a conscious decision to ‘switch off’ and ignore those stories.  I don’t really know whether our experience was representative.  

It strikes me that risk management appears a bit similar; it is easy to hear what went wrong.  Before I go any further, I admit my share of guilt for writing about risk management lessons from enforcement cases of the UK’s Financial Conduct Authority (here, here, here, here and

here).  This post seeks to address that bias by sharing a paper about risk management success stories.

The paper is based on extensive field work with two companies outside financial services.  This makes it more even more interesting for me because it removes the inevitable interaction with regulation in financial services.  

From the perspective of designing and implementing an ERM system, there are seven lessons I take from these success stories:

1.    The background of the CRO did not seem to matter.  In one case it was someone with a business background, and in other case it was someone with a corporate background.  The common factor was the CRO’s determination from the outset to find a practical way of adding value to the business.

2.    Success seemed to be described by reference to the role of risk management in the preparation of the business plan.  The path to this involved in both cases a discrete deliverable, typically preparing and maintaining a business risk profile.

3.    Successful engagement of the risk function with the business was crucial. Needless to say, each CRO tailored it to reflect the business.  For example, one of the organisations was more project-focused, and there was more emphasis on risk assessment by business lines.

4.    It was important to develop a common risk language in an unobtrusive manner.   This could be in terms of controls and risk, impacts that reflect the various functional dimensions of the business or scenario planning.

5.    The risk function needed a degree of self-confidence.  This could be useful to start the risk assessment process, develop business-specific tools and encourage the business to take more risks where it is deemed appropriate to meet business objectives.

6.    Risk functions achieved a balance between being close to the business and being independent of the business. 

7.    An effective tone from the top was more helpful in terms of behaviours.  This is really about how CEOs interact with others and ask questions about risks as part of the usual scrutiny of initiatives.

I believe that I have come across most of these lessosn in different contexts.  It is, however, interesting to see all of them together. 

If I had to single out one lesson from the above for financial services, I would choose the link to the annual business plan.  On a scale of 0 to 100, where 0 is no risk management involvement in the annual business plan and 100 represents the full integration of the risk management in the annual business process, what would be the score for your organisation?  

More importantly, what would be your target score for the medium term?  What would that mean in terms of different activities?  What would you need to persuade your CEO to accept that involvement?   

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts at http://crescendo-erm.blogspot.co.uk.

Guest Post: the Objective of Risk Management – EIOPA's Perspective

One of the lessons from my post on the objective of risk management was that there are a number of perspectives on the objective of risk management.  I asked a number of leading industry experts to share their perspective.

Two weeks ago, I shared the views of James Tufts, Group CRO of Guardian Financial Services (here).  His perspective emphasised that the objective of risk management is to clarify the role of risk management of the business and of the risk function.

Today, I am delighted to share the views of Carlos Montalvo Rebuelta, Executive Director of EIOPA.  As a regulator, it is perhaps not surprising that he focuses on the extent to which Solvency II regulation changes the objective of risk management.

I will continue sharing these perspectives in the next few weeks.

****************************

Solvency II: a revolution in risk culture?

Carlos Montalvo Rebuelta, Executive Director, EIOPA

As Executive Director of EIOPA, in charge of managing the Authority and an insurance supervisor that has faced very different approaches to risk management across national supervised entities, I would like to touch upon the topic of risk management in insurance.

If we start the topic far away from business, in Nature, we see how species try to do the best out of the environment they operate in, in order to survive, yes, but also in order to prevail and ensure a legacy. They are confronted with risks and they exploit opportunities, risk management at its best, albeit in a very primitive form.

Within the corporate world, but outside the financial sector, we may take the example of EIOPA, where different toolkits are used to anticipate and address challenges, but also to identify and grab opportunities. Risk logs, monitoring tools, clear reporting lines, allocation of ownership for action… doesn’t that sound familiar? Risk management, indeed, reinforced by the conviction from senior management on the usefulness of it; setting the tone from the top. 

A distinctive feature of insurance and reinsurance is that the business itself is all about risk. The core objective of (re)insurers is to deal with different kinds of risks making a profit out of them. So, the industry should already have a wide range of specific know-how and experience in the area of risk management, if only because this is what the business is all about i.e. risk.

However, the financial crisis has shown that financial market participants, including insurers, need to rely on stronger risk management capabilities in order to deal with the different challenges posed by the economic slowdown and the financial market volatility. In other words, their risk management frameworks were not always up to the challenge stemming from the crisis.

Self-regulation within undertakings proved insufficient. Very often, any concerns raised about long-term sustainability of the company were ignored or even ferociously denied. Wrong incentives, short term gambits, unsustainable growth… reality was far away from what undertakings claimed to be their situation, with the consequences we all have witnessed.

The upcoming supervisory and regulatory framework for insurance - Solvency II - is going to make significant changes in the current risk culture of many insurers.  It is a different way of looking at and managing risks. First of all, it presents risk management not as a point in time procedure, but as a continuous process that should be used in the implementation of the undertaking’s overall strategy.

There is a purpose, and tangible outcomes. The Solvency II framework aims at establishing high quality risk management standards that will be beneficial for insurance undertakings, shareholders and consumers. One of the main requirements of a risk-based regulatory regime is that risk and capital should not be considered separately. This approach will allow top management to ensure that the company does not take on more risks than its capital base allows. It is also an opportunity for the senior executives to anchor a risk culture in an insurer’s day-to-day operations; again, setting the tone from the top.

The Solvency II regime  requires insurers and reinsurers to have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the risks, both at individual and aggregated levels, they are or could be exposed, and their interdependencies. Nothing new under the sun? Unfortunately, this is not the case.

One of the most innovative changes introduced by Solvency II is the requirement that insurance companies develop their Own Risk and Solvency Assessment (ORSA) as a tool of their overall risk management system. Insurers will need to properly assess their own short- and long-term risks as well as the amount of their own funds necessary to cover them to ensure on-going compliance with capital requirements. Quoting the lyrics of a song by The Velvet Underground, “I will be your mirror, reflect what you are, in case you don’t know it”.

I believe that the Solvency II approach to risk management will allow for an enhanced understanding of the nature and significance of the risks to which a company is exposed, including its sensitivity to those risks and its ability to mitigate them. This understanding will help companies to see their real opportunities and manage their business on that basis.Strong risk management will also be beneficial also for the customers of insurance companies. It will allow insurers to better meet their claims towards clients and, thus, to promote confidence in the insurance sector.

All in all, Solvency II should lead to a win-win situation and bring a risk-based regulatory framework to a business that deals with risk.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.  

Business Model Analysis Coming of Age?

I wrote a few months ago (here) that one of the common areas of prudential and conduct supervision is the focus on understanding business models.  The Prudential Regulation Authority (PRA) published an interesting paper about the application of business model analysis to developments in the insurance sector (here).

However, it still felt that business model analysis remained something confined to policy and supervisory circles.  I was therefore pleasantly surprised to read about it in a quick Q&A session with Sir Win Bischoff in The Times (Saturday, 6 September).  In response to a question about his views on leadership, he said, “establish the business model, set the strategy and then let management get on with it.”

Given Sir Win Bischoff's role as a former chairman of several major banks, there are a number of messages in this answer: 

1.  confirmation of boards' interest in oversight of the business model, meaning it is not just a supervisory issue; and   

2.  a pecking order with the business model setting the wider parameters for the strategy.

With hindsight, it is possible to see that what may have seemed changes to business strategy were really changes to the business model.  Seeking to separate decisions about business model and strategy would go some way to supporting an enhanced oversight of risk taking.  How would risk functions rise to this challenge?     

If you work in financial services, I would be keen to hear your thoughts about business model and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here and receive them by email about once a week.   

Guest Post: the Objective of Risk Management – a CRO View

One of the lessons from my post on the objective of risk management was that there are different perspectives on this subject.  I asked a number of leading industry experts to share their perspective on the objective of risk management.

I am delighted that James Tufts, Group Chief Risk Officer at Guardian Financial Services has agreed to share his thoughts.  I will continue sharing perspectives from leading industry experts in the next few weeks.

****************************

The objective of risk management

James Tufts, Group Chief Risk Officer, Guardian Financial Services

Risk management is fundamental to what an insurance company does and the core of its business purpose.  Insurers take on risk and through a variety of different techniques and tools, they manage those risks such that they can charge an appropriate premium to customers, service those customers, meet regulatory requirements and produce an acceptable return on capital for the owners – this is the embodiment of risk management.

Risk management is therefore fundamental to all the activities in the business and the Enterprise Risk Management (ERM) framework is the core model for how the business operates.

Perhaps surprisingly, the objective of the “Risk Function” should not be “risk management”.  That’s a business objective.  The objective of the “Risk Function” is to provide the ERM framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.  It is only when this distinction is fully understood and internalised in a company that risk management adds value.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if this resonates with your experience. 

You can subscribe to future posts here.   

Big-Data – a Small Risk Transformation?

These days big-data seems to be so ‘big’ that it is everywhere.   I have read with some interest ‘Big data’ by Mayer-Schonberger and Cukier.  I was looking to form some views about it reflecting my perspective of risk management in financial services and ‘value enhancement’. These are three of the key points I took from the book. 

1.    Big-data is not about size but about the ability to work with full data sets. 

This means that the constraints that might arise from sampling are avoided.  Interestingly, there will be cases where adopting a big-data approach means handling a relatively small data set. 

2.    The shift from causation (small data) to correlation (big-data). 

The ability to create additional data at low cost and join up data sets means that we are likely to increase our ability spot correlations.  This would help us understand the ‘what’ even if we don’t fully understand the ‘why’ or the causation. 

3.    All data has value and a company’s ability to extract the value depends on the business model and skills.   

The value of data arises from secondary uses which are difficult to predict when the data is collected.  Companies can extract the value by hoarding the data, analysing it and identifying opportunities for big-data. 

This led me to three observations about big-data and risk management:

1.    Risk managers need to identify the aspects of risk management that can be enhanced by understanding correlations (‘what’) and the aspects that can be enhanced by causation (‘why’). 

While the message of big-data is that correlation is becoming cheaper to identify and offers more value in a shorter period of time, there isn’t a one fits all!  For example, insurers’ ability to spot financial crime, cases of fraud and price insurance risks would be enhanced by the ability to identify the correlation between key variables.  On the other hand, understanding correlations between risk drivers may need some plausible stories to make them actionable.

2.    Existing risk management and regulatory concepts would need to be revisited.

One of the features of big-data is that when different data sets are combined the resulting data is ‘messy’ with many empty cells.  How do you apply existing criteria for data quality governance, in particular ‘completeness’?

How do you validate models?  The authors bring in an interesting example where a simple model performs more effectively than any of the alternatives when a significant amount of data is fed into the model.

3.    Extracting value from data would need careful thinking.

One of the fundamental technological changes is that data is generated in many un-suspected places and situations, e.g. internet searches.  Spotting those opportunities requires a big-data mind set.  Capitalising them requires the ability to capture the data and / or use it.  One implication is that the value of data is something that would need to be factored into commercial outsourcing with third parties.

Overall, this could lead to a significant transformation of how risk is managed and become a new ‘normal’.   However, between now and then companies would need to tread carefully to avoid chasing ‘big-data’ opportunities of limited value.   

If you work in financial services, I would be keen to hear your thoughts about big-data and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email - no more than once a week.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.

My Son the Risk Manager?

That’s not a question for me.  I guess I am already there.  It is more of a potential question for my children – and yours as well.  The ultimate question is whether you would be happy to encourage your children (or perhaps the children of one of your best friends) to go into risk management as a career.

Put it differently, has risk management become like accountancy or law? Is risk-management a generic business qualification that can be applied in different business contexts?

Once I started thinking about this I realised that it wasn’t clear to me if risk management is a career in its own right.  The alternative is that risk management would be a common and reasonably well-defined role in many sectors.  This matters because one of the next questions in that hypothetical conversation would be along the lines of “how do I get there”.

The main argument in favour regarding risk management as a career in its own right is that there seems to be an emerging body of risk management theory that cuts across sectors.  This can be evidenced from the emergence of standardised approaches to risks management that cut across sectors, e.g. ISO 31000, and professional associations.

A similar argument would be in terms of the skills needed to perform successfully in the role.  While my experience is limited to financial services, my feeling is that the blend of skills needed in risk roles tend to be slightly different from those required for other roles – in no particular order, they include the ability to see the big-picture, communication, determination, ability to keep things simple.

At the same time, while developing tools and approaches for risk management is a considerable ongoing challenge, the main one is the implementation.  However, implementing successfully risk management and certainly generating value depends on business knowledge and understanding of the corporate environment.

All in all, I am more inclined to suggest to my children the following:

•  choose a degree you like – IT, law, economics, engineering, finance – and a sector; 
•  consider risk management as a role that would help career advancement; and
• explore ways of getting ready for that challenge.

If you work in financial services, I would be keen to hear your thoughts about these suggestions.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

If you found this interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email - no more than once a week.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.  Alternatively, if we share a group in “LinkedIn” you can choose "follow" Isaac Alfon. 

Enforcement Lessons: 5 Lessons from a Fine Chance*

The UK Financial Conduct Authority (FCA) published recently the details (here) of an enforcement case involving Credit Suisse International (CSI) and Yorkshire Building Society (YBS).  They were fined for failing to meet the requirement that financial promotions are ‘clear, fair and not misleading’ £2m and £1.4m respectively.

Not much new so far but the circumstances of the case indicate how financial services are evolving and the challenges for risks management.

The case involves a structured product providing capital protection, a guaranteed minimum return and the potential for achieving a higher return under certain conditions related to the performance of FTSE100 index.  CSI manufactured the product and YBS distributed (most of) it.  The product raised nearly £800m and reached 84 thousand customers.

At the heart of this case there is a concern that product complexity can reach a level such that it is difficult to ensure that disclosures to retail customers are clear, fair and not misleading.  For example, the FCA was concerned that the disclosures suggested that this was a simple index tracker – it wasn’t.  This can distort customers’ ability to infer the likelihood of a maximum return. 

In addition, there are five interesting points to take away from this case:

1.    Distribution arrangements give rise to significant conduct risk, even if no financial advice is provided.    

2.    The chances of relevant events need to be taken into account in financial promotions.  A ‘maximum return’ that can be achieved with nearly zero probability based on past history is not really a ‘maximum return’!

3.    Third party consumer advocates can have an impact.  The UK Consumers Association (‘Which?’) approached YBS and CSI in September 2010 with concerns about financial promotions and the chance of achieving the maximum return advertised.  This resulted in limited changes to disclosures: more emphasis on the conditions required to achieve the maximum return and less emphasis on the presentation of the maximum return.

4.    The target consumer group has practical importance.  The disclosures will be crucial to ensure appropriate consumer outcomes if you are targeting ‘stepping stone customers’, ‘typically conservative, risk averse customers’, with a structured product and don’t offer advice.

5.    Slow reaction to regulatory developments persists.   The relevant period when the breach took place stretches to 30 months from November 2009 to June 2012.  The earlier intervention by ‘Which?’ and concerns raised by the FCA had limited effect. 

It is interesting to see all these different factors coming together in a case.  This may be one of the few occasions (if not the first) where a fine results because financial promotions did not take into account the chances of the underlying events. 

If you work in financial services, I would be keen to hear your thoughts about these lessons for the management of conduct risk.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

* Thanks to my colleagues for suggesting a title.

If you found this interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email - no more than once a week.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.  Alternatively, if we share a group in “LinkedIn” you can choose "follow" Isaac Alfon.