Sunday 28 September 2014

Pregnancy and 7 Lessons About Risk Management

When my wife was expecting our first son, it surprised me that most of the stories we heard about childbirth from other people involved something going wrong. At some point, we made a conscious decision to ‘switch off’ and ignore those stories.  I don’t really know whether our experience was representative.  

It strikes me that risk management appears a bit similar; it is easy to hear what went wrong.  Before I go any further, I admit my share of guilt for writing about risk management lessons from enforcement cases of the UK’s Financial Conduct Authority (here, here, here, here and here).  This post seeks to address that bias by sharing a paper about risk management success stories.

The paper is based on extensive field work with two companies outside financial services.  This makes it even more interesting for me because it removes the inevitable interaction with regulation in financial services.

From the perspective of designing and implementing an ERM system, there are seven lessons I take from these success stories:

1.    The background of the CRO did not seem to matter.  In one case it was someone with a business background, and in the other case it was someone with a corporate background.  The common factor was the CRO’s determination from the outset to find a practical way of adding value to the business.

2.    Success seemed to be described by reference to the role of risk management in the preparation of the business plan.  The path to this involved in both cases a discrete deliverable, typically preparing and maintaining a business risk profile.

3.    Successful engagement of the risk function with the business was crucial. Needless to say, each CRO tailored it to reflect the business.  For example, one of the organisations was more project-focused, and there was more emphasis on risk assessment by business lines.

4.    It was important to develop a common risk language in an unobtrusive manner.   This could be in terms of controls and risk, impacts that reflect the various functional dimensions of the business or scenario planning.

5.    The risk function needed a degree of self-confidence.  This could be useful to start the risk assessment process, develop business-specific tools and encourage the business to take more risks where it is deemed appropriate to meet business objectives.

6.    Risk functions achieved a balance between being close to the business and being independent of the business. 

7.    An effective tone from the top was more helpful in terms of behaviours.  This is really about how CEOs interact with others and ask questions about risks as part of the usual scrutiny of initiatives.

I believe that I have come across most of these lessons in different contexts.  It is, however, interesting to see all of them together.

If I had to single out one lesson from the above for financial services, I would choose the link to the annual business plan.  On a scale of 0 to 100, where 0 is no risk management involvement in the annual business plan and 100 represents the full integration of the risk management in the annual business process, what would be the score for your organisation?  

More importantly, what would be your target score for the medium term?  What would that mean in terms of different activities?  What would you need to persuade your CEO to accept that involvement?   

If you work in financial services, I would be keen to hear your thoughts about this article.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts at

Thursday 18 September 2014

Guest Post: the Objective of Risk Management – EIOPA's Perspective

One of the lessons from my post on the objective of risk management was that there are a number of perspectives on the objective of risk management.  I asked a number of leading industry experts to share their perspective.

Two weeks ago, I shared the views of James Tufts, Group CRO of Guardian Financial Services (here).  His perspective emphasised that the objective of risk management is to clarify the role of risk management of the business and of the risk function.

Today, I am delighted to share the views of Carlos Montalvo Rebuelta, Executive Director of EIOPA.  As a regulator, it is perhaps not surprising that he focuses on the extent to which Solvency II regulation changes the objective of risk management.

I will continue sharing these perspectives in the next few weeks.


Solvency II: a revolution in risk culture?
Carlos Montalvo Rebuelta, Executive Director, EIOPA

As Executive Director of EIOPA, in charge of managing the Authority and an insurance supervisor that has faced very different approaches to risk management across national supervised entities, I would like to touch upon the topic of risk management in insurance.

If we start the topic far away from business, in Nature, we see how species try to do the best out of the environment they operate in, in order to survive, yes, but also in order to prevail and ensure a legacy. They are confronted with risks and they exploit opportunities, risk management at its best, albeit in a very primitive form.

Within the corporate world, but outside the financial sector, we may take the example of EIOPA, where different toolkits are used to anticipate and address challenges, but also to identify and grab opportunities. Risk logs, monitoring tools, clear reporting lines, allocation of ownership for action… doesn’t that sound familiar? Risk management, indeed, reinforced by the conviction from senior management on the usefulness of it; setting the tone from the top. 

A distinctive feature of insurance and reinsurance is that the business itself is all about risk. The core objective of (re)insurers is to deal with different kinds of risks making a profit out of them. So, the industry should already have a wide range of specific know-how and experience in the area of risk management, if only because this is what the business is all about i.e. risk.

However, the financial crisis has shown that financial market participants, including insurers, need to rely on stronger risk management capabilities in order to deal with the different challenges posed by the economic slowdown and the financial market volatility. In other words, their risk management frameworks were not always up to the challenge stemming from the crisis.

Self-regulation within undertakings proved insufficient. Very often, any concerns raised about long-term sustainability of the company were ignored or even ferociously denied. Wrong incentives, short term gambits, unsustainable growth… reality was far away from what undertakings claimed to be their situation, with the consequences we all have witnessed.

The upcoming supervisory and regulatory framework for insurance - Solvency II - is going to make significant changes in the current risk culture of many insurers.  It is a different way of looking at and managing risks. First of all, it presents risk management not as a point in time procedure, but as a continuous process that should be used in the implementation of the undertaking’s overall strategy.

There is a purpose, and tangible outcomes. The Solvency II framework aims at establishing high quality risk management standards that will be beneficial for insurance undertakings, shareholders and consumers. One of the main requirements of a risk-based regulatory regime is that risk and capital should not be considered separately. This approach will allow top management to ensure that the company does not take on more risks than its capital base allows. It is also an opportunity for the senior executives to anchor a risk culture in an insurer’s day-to-day operations; again, setting the tone from the top.

The Solvency II regime requires insurers and reinsurers to have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks, both at individual and aggregated levels, to which they are or could be exposed, and their interdependencies. Nothing new under the sun? Unfortunately, this is not the case.

One of the most innovative changes introduced by Solvency II is the requirement that insurance companies develop their Own Risk and Solvency Assessment (ORSA) as a tool of their overall risk management system. Insurers will need to properly assess their own short- and long-term risks as well as the amount of their own funds necessary to cover them to ensure on-going compliance with capital requirements. Quoting the lyrics of a song by The Velvet Underground, “I will be your mirror, reflect what you are, in case you don’t know it”.

I believe that the Solvency II approach to risk management will allow for an enhanced understanding of the nature and significance of the risks to which a company is exposed, including its sensitivity to those risks and its ability to mitigate them. This understanding will help companies to see their real opportunities and manage their business on that basis. Strong risk management will also be beneficial for the customers of insurance companies. It will allow insurers to better meet their claims towards clients and, thus, to promote confidence in the insurance sector.

All in all, Solvency II should lead to a win-win situation and bring a risk-based regulatory framework to a business that deals with risk.


If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here.  

Wednesday 10 September 2014

Business Model Analysis Coming of Age?

I wrote a few months ago (here) that one of the common areas of prudential and conduct supervision is the focus on understanding business models.  The Prudential Regulation Authority (PRA) published an interesting paper about the application of business model analysis to developments in the insurance sector (here).

However, it still felt that business model analysis remained something confined to policy and supervisory circles.  I was therefore pleasantly surprised to read about it in a quick Q&A session with Sir Win Bischoff in The Times (Saturday, 6 September).  In response to a question about his views on leadership, he said, “establish the business model, set the strategy and then let management get on with it.”

Given Sir Win Bischoff's role as a former chairman of several major banks, there are a number of messages in this answer: 

1.  confirmation of boards' interest in oversight of the business model, meaning it is not just a supervisory issue; and   

2.  a pecking order with the business model setting the wider parameters for the strategy.

With hindsight, it is possible to see that what may have seemed changes to business strategy were really changes to the business model.  Seeking to separate decisions about business model and strategy would go some way to supporting an enhanced oversight of risk taking.  How would risk functions rise to this challenge?     

If you work in financial services, I would be keen to hear your thoughts about business model and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here and receive them by email about once a week.   

Thursday 4 September 2014

Guest Post: the Objective of Risk Management – a CRO View

One of the lessons from my post on the objective of risk management was that there are different perspectives on this subject.  I asked a number of leading industry experts to share their perspective on the objective of risk management.

I am delighted that James Tufts, Group Chief Risk Officer at Guardian Financial Services has agreed to share his thoughts.  I will continue sharing perspectives from leading industry experts in the next few weeks.


The objective of risk management
James Tufts, Group Chief Risk Officer, Guardian Financial Services

Risk management is fundamental to what an insurance company does and the core of its business purpose.  Insurers take on risk and through a variety of different techniques and tools, they manage those risks such that they can charge an appropriate premium to customers, service those customers, meet regulatory requirements and produce an acceptable return on capital for the owners – this is the embodiment of risk management.

Risk management is therefore fundamental to all the activities in the business and the Enterprise Risk Management (ERM) framework is the core model for how the business operates.

Perhaps surprisingly, the objective of the “Risk Function” should not be “risk management”.  That’s a business objective.  The objective of the “Risk Function” is to provide the ERM framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.  It is only when this distinction is fully understood and internalised in a company that risk management adds value.


If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if this resonates with your experience. 

You can subscribe to future posts here.