Risk appetite - Financial Services Thought Gallery · Clear link between risk appetite and risk...
Transcript of Risk appetite - Financial Services Thought Gallery · Clear link between risk appetite and risk...
Risk appetiteGetting in shape – building and sustaining your riskappetite27 February 2014
Risk appetite
Getting in shape – building and sustaining your riskappetite
James Maher
Insurance and Actuarial ServicesLeader FSO Ireland
Direct tel: +353 1 221 2117Mobile: +353 86 828 6588Email: [email protected]
Phil Vermeulen
Partner European Risk and ActuarialServices
Direct tel: +41 58 286 3297
Email: [email protected]
Agenda
I. Regulatory updateII. Background and contextIII. Embedding risk appetiteIV. Hard to measure risksV. Risk cultureVI. SummaryVII. Q&A
Risk appetite
Regulatory Update
Regulatory update
GSII
Comframe
Local/Solvency II
Source Scope Measurementand capital
Other
FSB Designation by IAIS As per Comframe[BCR]/HLA /ICS
Resolution plan; recoveryplan; systemic riskmanagement plan;liquidity risk managementplan
IAIS $50bn assets$10bn GWP3 territories
TBD - Field testingbeing initiated
[BCR]/ICS
Legal and managementstructures; governance;enterprise riskmanagement; publicdisclosure and groupreporting
EIOPA /EU
European DomicileGWP > EUR 5mnGross TP > EUR25mn
SII Balance SheetMCR/SCR
ORSA; public disclosurevia SFCR
Risk appetite
Background and context
Risk appetite
Context - Past, Present and Future
Past
Present
Future
Financial Crisis:I. Correlation to maturity of RAFII. Sovereign ExposuresIII. GuaranteesIV. Failures in insurance
Post Crisis Insurance :I. Low Interest RatesII. Conduct RisksIII. Operational RisksIV. Control failures
Current and Emerging Risks :I. Strategic RisksII. Cyber RiskIII. Regulatory RisksIV. Program Risks
need foreffective RAF
Effective risk appetite frameworkPage 7
Agents and agencies driving the agenda
Regulatory
pressures
PRA
► Increased scrutiny from PRAinto insurers’ risk appetiteframeworks based on theexperience and best practicesobserved in the bankingindustry
► Increased focus on a strongrisk culture
FSB
► FSB Principles aim toenhance the supervision offinancial institutions
► Key focus is an effective riskappetite statement thatreinforces strong risk culturewhich is critical to soundfinancial management
► The Principles set out the keyelements in achieving this
Internal Audit
IA guidance recommends:► Internal Audit should assess whether the risk
appetite has been established through theactive involvement of the board.
► Internal Audit should include within scope therisk and control culture of the organisation.
Management
► Use of multiple VaR measures and other risklimits for different risk categories leading to:
► Difficulty in aggregating risk appetite across theorganisation
► Limited understanding of the aggregate riskprofile
► Limited capability to compare risks across BUsand risk types
Internal challenges
Shareholders
► Shareholder seeking stabilityof earnings with ‘no surprises’
► Lack of transparency of therisk profiles of insurancecompanies depress marketcapitalisation
► Stakeholder managementimproved by implementing aneffective risk appetiteframework across theorganisation and embeddingin firm’s risk culture
Mar
ketp
ress
ures
Rating Agencies
► Rating agencies are placingincreasing importance on theirassessment of ERM as part ofthe rating assessmentprocess
► Risk culture and risk appetitekey parts of this assessment
Internal challenges
Risk AppetiteFramework
Page 8 Effective risk appetite framework
Areas requiring a significant effort to achieve an effectiverisk appetite framework (from EY Risk Appetite Survey)
Ineffective/partially effective attributes
Effective riskappetitestatement
Quantitative statements with dueconsideration to reputational & conductriskFirm wide statement consistent with legalentities’ strategy and risk limits
Effective riskappetiteframework
Framework communicated across theorganisationEmbedded and understood across theorganisationFacilitate embedding risk appetite in riskculture 1. Qualitative aspects of risk appetite
• Communicating risk appetite frameworkacross the organisation and embeddingrisk appetite within risk culture
2. Quantitative aspects of risk appetite• Ensuring risk appetite statement
consistent with strategy and cascading itdown to business units / legal entities andacross risk types
Key challengesfor risk appetiteimplementation
Effectively cascading the risk appetitestatement throughout the organisation
Using the risk appetite framework as adynamic tool for managing risk
Expressing risk appetite for different risktypes
FSB Principles
Alignment with FSB attributes for risk appetite frameworks
Top three challenges to risk appetite implementation
Key areas of challenge
Risk appetite
EY 2013 survey findings – what works !
Rec
urre
ntth
emes
Linkage to strategyand planning
Strengtheningcommunication
Embedding RA intooperationalprocesses
Measurement andreporting
Roles andresponsibility“Getting a risk appetite
framework in place is a keyelement for building a strongrisk culture…”
“The best driver isconsequences for people whofail to deliver on theiraccountability”
“We have our risk appetite, ourstrategic planning and financialplanning fully integrated….”
“While the board should havea clear risk appetitestatement, a juniorunderwriter probably justneeds to know his limits…”
“There’s no silver bullet……….atthe end of the day its really howpeople behave.”
“What we have done………ishave much better clarity aroundthe organisation in terms ofroles and responsibilities…”
“The value was in the journey notthe outcome.”
Accountability
“We have a framework which is wellembedded with the plan but haveidentified improvement potential inthe risk culture awareness oforganisation so everybody in thecompany gets it.”
Behaviours andattitudes
Embedding risk appetite
Holistic approach to risk appetite
Risk appetite statements► Consistent with group, legal entity and business unit
strategies► Allow for risk types difficult to quantify such as
reputational and conduct risks
Our approach places a forward looking stressed lossmetric at the core of the risk appetite► Aligned with capital planning and scenario testing► Provides common language for risk across the
organisation► Enables the risk appetite to be consistently allocated
to BUs and risk types► Facilitates the re-allocation of risk capacity that is not
used
The allocated loss is aligned to the risk limits that thebusiness is managed to on a day-to-day basis► Clear link between risk appetite and risk limits► Supports ease of understanding across the
organisation
Risk Culture is the attitudes and behaviours of anorganisation’s people that influence risks andimpacts outcomes► A strong risk culture is one aligned to an
organisation’s risk appetite, where there is a widelyunderstood awareness for managing risk
2
3
4
1
Risk appetite
Definition ofrisk appetite
SupportingcapabilitiesKey
Governance
Monitoring and reporting
Systems and data
Econ
omic
capi
talm
odel
s
Scen
ario
test
ing
Linking appetite to risk limits
Allocation ofappetite to
business units
2
3
4
Risk culture 1
Riskappetite
statements
Risk appetite framework
Governanceand monitoring
Qua
litat
ive
risk
appe
tite
Qua
ntita
tive
risk
appe
tite
Risk appetite
Risk capacity and risk appetiteThese are based on the industry-consensus FSB definitions
Buffer► Funds held above risk appetite
due the uncertainty in thedetermination of risk appetite andrisk capacity
Risk capacity► Maximum loss a firm can sustain
and still remain viable as abusiness (ie without breachingregulatory capital, liquidity andconduct constraints)
Risk appetite► Aggregate amount of risk a firm is
willing to assume within its riskcapacity to achieve its strategicobjectives and business plan
Riskappetite
Buffer
Organisations need to be clear on what they are willing to lose, for example:(1) Over one year under normal conditions(2) In a downturn scenario(3) In an extreme scenario and still maintain viability as a businessTogether, these define a target operating range for this business
Risk appetite
Building a risk appetite statement – top down
Mission and vision for risk appetite and culture
Level 1 risk limitsLevel 2 risk limits – risk types and business unitsLevel 3 risk limits – risk types, business units, country/LE
Level 1 risk appetitesCapital► We will maintain► Over planning
period► Under stressed► Pursue Risk
types► Avoid Risk types
Operating Capacity► Pursue activities
supportable byour people,processes andtechnology
► Identify andmanage projectand operationalrisks
Earnings► Pursue earnings
targets andreturns withinbusiness plan
► Tolerance for [ ]variance over 1year
► Tolerance for [ ]cumulative planvariance
Liquidity► Maintain liquidity
to meetpolicyholderobligations
► Limit risk of cashgeneration toservicedebt/dividendsuch that targetdistributionmaintained…
Regulation► Maintain
minimumcompliance withall localregulations all thetime
► Pursue principlesbased judgementfor interpretation
► Adopt higher of► Anticipate and
prepare for
Conduct andReputation► Outcomes for
consumers► Life cycle► Market disruption► Brand value
Strategic andfinancial plan
Risk appetite
Risk MI fully aligned to the governance and decisionmaking setup of the organisation
Data, IT and infrastructure
Product development Sales andunderwriting
Investmentmanagement
Claims and policyadmin
Business planning Capital management
Operational functions
KRIs, metrics andreports;
comprehensiveanalysis
ORSA
Independentchallenge
CRO
Insurance risk
Market risk
Operational risk
Compliance
Risk function
Financial reporting
Cas
cade
ofM
Ireq
uire
men
tsan
dris
kap
petit
e
1
2
Executive andManagement Committees
3
4
5
Board andBoard Committees
6
Risk limits;management
actions
Reports on risksand proposed
actions
Managementdecisions
Support andengage
Stakeholders require different information at differentfrequencies
► Early warning information specific to urgent issues and events► Conclusions and action items
Similar to weekly information, however amended with:► Risk dashboard setting for key risk Indicators:
► Current exposure and changes against previous reporting period► Comparison against plan► Comparison againjst agreed limits► Information and high evel analysis on important risk exposures
► Provide an update to the EC/Management Team and Board on development of risk profile and capital againstplan
► Provide information on key risk issues that require attention► Inform/facilitate capital allocation process► Short 'facts and figures' dashboard to provide a snapshot of limit usage and Solvency position
► Internal analysis for Board/EC audience on the solvency position and medium term risk threats, which requiremanagement attention (Group, BU and LEs)
► Forms the basis of forward looking information in the ORSA► Strongly linked to the business planning process and incorporating risk analysis of the plan relative to risk
tolerance and limits► Includes risk limits, top risks, scenario testing and potential management actions
Annual
Quarterly
Monthly
Daily/weeklydashboard
Risk appetite
Risk dashboard – Example
Developing a leading risk MI frameworkPage 16
Overview of risk profile against plan and appetite Stress and scenario testing
Executive summaryOverall► TextFinancial markets► TextBusiness development► TextHot topic of the month► TextWatch list of KRI’s related to Top Risks► Text
Basescenario
Exposure Comparison against RAG status
Currentperiod
Previousperiod Plan Limit
Currentperiod
Previousperiod
Solvencycapitalcoverage ratio
x x x x
Earnings atrisk x x x x
Liquiditycoverage ratio x x x x
► Solvency coverage ratio: changes in the level of exposure sinceprevious valuation period are due to:► x► x
► Earnings at risk: changes in the level of exposure since previousvaluation period are due to:► x► x
► Earnings at risk: changes in the level of exposure since previousvaluation period are due to:► x► x
Risk dashboard – Example
Developing a leading risk MI frameworkPage 17
Risk dashboard by risk driver
Interest rate risk► Key changes in interest rate level and trend
► Impact of key drivers on capital, earnings and liquidity
► Follow-up on implemented mitigation actions and related impact
► Planned mitigation actions (owner, timeline and related impact)
RequiredCapital((£,m)
Exposure Comparison against RAG status
Currentperiod
Previousperiod Plan Limit
Currentperiod
Previousperiod
Market risk
Interest rate risk x x x x
Spread risk x x x x
Equity risk x x x x
Underwritingrisk
Mortality risk x x x x
Lapse risk x x x x
Counterpartydefault risk x x x x
Operational risk x x x x
Emerging risks x x x x
TCF &operational risk x x x x
Lapse risk► Key changes in policyholder behaviour:
► Drivers
► Products affected
► Impact of key drivers on capital, earnings and liquidity
► Follow-up on implemented mitigation actions and related impact
► Planned mitigation actions (owner, timeline and estimated impact)
Spread risk► Key changes in the creditworthiness of counterparties:
► Exposure to top material counterparties
► Restrictions issued for further investments with these counterparties
► Impact of key drivers on capital, earnings and liquidity
► Follow-up on implemented mitigation actions and related impact
► Planned mitigation actions (owner, timeline and estimated impact)
Risk dashboard – Example
Developing a leading risk MI frameworkPage 18
Stress and scenario testing
0%1%2%3%4%5%6%7%
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Previous - Base Current -Base Current - Stressed
Stress scenario 1: significant increase in interest rates
Stress scenario 2: Significant credit spread widening (2008 crisis)
Stress scenario 3: Government default on largest 3 exposures
Stressedscenarios
Stress scenario 1RAG status
Stress scenario 2RAG status
Stress scenario 3RAG status
Stressed Current Stressed Current Stressed Current
Solvencycapitalcoverage ratio
Earnings at risk
Liquiditycoverage ratio
Country 1 Country 2 Country 3
Stressed Current Stressed Current Stressed Current
Value ofholding
Profit shareimpact
Risk dashboard – Example
Developing a leading risk MI frameworkPage 19
Econ
omic
View
Ope
ratio
nalV
iew
Capital management dashboard by major BU
Capital surplus/shortfall by BU (bUSD) Risk adjusted profit by BUGroup target
Risk adjusted profit margin development (%)
Recommendations:
0
5
10
15
20
25
30
Q1 2013 2013e 2014e 2015e 2016e 2017e
RoE development (%)
13.8%
(3.0%)
15.0%
7.2%
17.3%
10.4%
6.0
(1.0)
1.0
(4.0)
20.0
(10.0)
Group
Corporate Center
BU 4
BU 3
BU 2
BU 1
Dividendable Cash (bUSD) RoE by BUGroup target
13.4%
(2.0%)
2.6%
6.7%
8.9%
26.7%
6.0
(1.0)
2.0
(5.0)
5.0
5.0
Group
Corporate Center
BU 4
BU 3
BU 2
BU 1
0
5
10
15
20
Q1 2013 2013e 2014e 2015e 2016e 2017e
BU 4GroupBU 2
BU 3BU 1
BU 4GroupBU 2
BU 3BU 1
Recommendations:
Hard to measure risks
Conduct Risk – definition and scope
Firms must be clear on conduct risks within their business and reflect them within their risk management frameworks so they can measureand manage them adequately and appropriately
Conduct risk
Retailconduct Wholesale conduct
Delivering fairoutcomes
Delivering fairvalue
Wholesalecustomers
FinancialcrimeMarket integrity
► Market derivedincome
► Remunerationand incentivesstructures
► Bribery andCorruption/third partypayments
► Sanctions► Money Laundering► Fraud
► Fair treatment ofcustomers across thecustomer life cycle
► Claims and complaints► Delegated authorities► Data security
► Commercial claims► Conflicts of interest
► New products► Add-ons► Renewal process► Product governance► Aggregators
Risk appetite
Moving towards conduct risk
Top down approachBoard direction on how to embed goodconsumer outcomes in the business
Bottom up approachReview of individual risk frameworkcomponents
Design and implementation of a Conductrisk framework
Board sets clear vision and overall strategy and direction for the management ofconduct of business risk by addressing the following:
► Main areas of conduct risk in the business – retail and wholesale
► Overall approach (e.g., 'TCF plus' or other..)
► How to put the customer at the 'heart of the business'
► What the 'tone from the top' should be
► What level of control and oversight the Board expects from the business andassurance functions, and the level of reporting they expect
► How to embed and evidence a positive risk culture
Individual components of the Risk Management Framework are assessed to determinehow conduct risk should be incorporated, including:
► Controls over the product life cycle
► Conduct of business policies
► Conduct risk appetite statement
► Conduct risk MI
► Processes for identification, assessment, measurement, monitoring andmanagement of conduct risk
► Oversight and challenge by Compliance and Risk; assessment by Internal Audit
Firms have used both top down and bottom up approaches in designing and implementing aconduct risk framework:
Risk appetite
Risk culture
Risk appetite
Top challenges to strengthen risk culture:Responses to the 2013 IIF Survey
* Each institution could select three challenges
►General shift from creatingframeworks and policies, tochanging behaviour to operateappropriately within these
►Still a tendency towardscompliance rather thanunderstanding among first linerisk takers
►Focus on behaviours,ownership
►Systems and data remain ahindrance to adequatereporting necessary toimplement the frameworks,
Risk culture indicators – how do we measure
Risk appetite
► Over confidence and unauthorised dealings► Intolerance of open discussions and challenge► Outliers, areas outside of governance structure► Disregard for the views of the Risk community► Ineffective escalation and fear of bad news► Mis-alignment of incentives► Unclear level of tolerances.
� Tone-at-the-top continuously provides leadership around theimportance of risk management
� Corporate values promote good behaviours and stress theimportance of risk management
� People not only understand but are motivated to apply rulesaround appetite and limits consistently
� Delegation of authority is designed to embrace various points ofview and enable consensus on key capital deployment and riskmanagement decisions
� Management focuses on risk in reporting and controls
� Examples of good risk management are shared openly andencouraged across the organisation
� Individuals are provided with the ability to learn more on whatgood risk management looks like
� Management provides business and support functions withappropriate level of risk resources
� Management reinforces the linkage between careeropportunities, incentives, rewards and practices of sound riskmanagement.
Signs indicating attitudes and behaviours mayimpact outcomes negatively
Signs indicating attitudes and behaviours mayimpact outcomes positively
► New business outside the scope of core activities► Fast growing existing business► Geographically ‘remote’ business► Personnel with closest access to customers► Commission-based personnel► New people in fast growing division.
Areas where attitudes and behaviours have mostpotential to impact outcomes negatively
Influencing culture – the EY Risk Culture model
Risk appetite
Incentives andrewards
Knowledge andskills
Leadership andauthorities
Risk and controlmanagement
Designing initiatives to change behaviour requiresconsideration of behavioural economics
Page 27
The elephantrepresents themoreemotional/behavioural aspects of thebrain –
The Riderrepresents therational, logical andanalytical aspectsof the brain
Messenger We are heavily influenced by who communicates information
Incentives Our responses to incentives are shaped by predictablemental shortcuts such as loss avoidance
Norms We are strongly influenced by what others do
Defaults We ‘go with the flow’ of pre-set options
Salience Our attention is drawn to what is novel and seems relevant tous
Priming Our acts are often influenced by sub-conscious cues
Affect Our emotional associations can powerfully shape our actions
Commitments We seek to be consistent with our public promises andreciprocate acts
Ego We act in ways that make us feel better about ourselves
Most initiatives undertaken by firms assume people arerationally driven by incentives and punishment. This leavesthem ineffective in many cases
Effective cultural change initiatives require influencingemotional as well as rational centres
Ways you can improve your risk culture – how do wechange
Risk appetite
►Improve communication on risk►Establish a risk culture component within existing risk frameworks►Conduct employees survey and testing to assess and reinforce risk
awareness►Execute customized training on risk culture and risk appetite►Establish a common framework to assess and monitor risk
culture, and embed in the employee lifecycle
Example initiative 1Customized training on risk appetite logic
Risk appetite
Communication of RiskAppetite
Capital & ScenarioChallenge
Risk preferenceWorkshops Creating Future Value
Example initiative 2Measurement and embedding in employee lifecycle
Risk appetite
Assessment and design ofthe measurement process
Defining effectivemeasurement criteria
Embedding assessementinto employee lifecycle
Leveraging to report onrisk culture
Summary
Summary
Risk appetite
► Strategy► Risk appetite framework► 3 E’s – Existing, effective, Efficient► Culture
EY | Assurance | Tax | Transactions | Advisory
About EYEY is a global leader in assurance, tax, transaction and advisoryservices. The insights and quality services we deliver help build trustand confidence in the capital markets and in economies the world over.We develop outstanding leaders who team to deliver on our promisesto all of our stakeholders. In so doing, we play a critical role in buildinga better working world for our people, for our clients and for ourcommunities.
EY refers to the global organisation and may refer to one or more of themember firms of Ernst & Young Global Limited, each of which is aseparate legal entity. Ernst & Young Global Limited, a UK companylimited by guarantee, does not provide services to clients. For moreinformation about our organisation, please visit ey.com.
© 2014 Ernst & Young. Published in Ireland. All Rights Reserved.
4877.pptx 02/14 Artwork by the BSC (Ireland)
ED none
The Irish firm Ernst & Young is a member practice of Ernst & YoungGlobal Limited. It is authorised by the Institute of CharteredAccountants in Ireland to carry on investment business in the Republicof Ireland.
Ernst & Young, Harcourt Centre, Harcourt Street, Dublin 2, Ireland.
Information in this publication is intended to provide only a generaloutline of the subjects covered. It should neither be regarded ascomprehensive nor sufficient for making decisions, nor should it beused in place of professional advice. Ernst & Young accepts noresponsibility for any loss arising from any action taken or not taken byanyone using this material.
ey.com