Q1 MARIO, CAN A CAPITAL CHARGE UNDER THE RISK-BASED REGULATORY FRAMEWORK MITIGATE AGAINST A REPEAT OF THE CREDIT/LIQUIDITY CRISIS?
David, that's a very good question and it relates to the SIX DEGREES OF SEPARATION - Capital markets are a wonderful vehicle for transferring risk and providing capital to lending activities, but when the transfer of risk leads to a lack of diligence, markets become dysfunctional. The primary problem with the sub-prime market is that the Investor who buys the CDO bond has a long & thin contact with the Borrower. Therefore those with financial interest in the loans had too little involvement in how the loans were made, whilst those responsible for making loans had too little financial interest in the performance of those loans.
The six degrees of separation involved:
- Borrowers - who want a loan for home purchase or refinance
- Brokers - who work with the borrowers and lenders to arrange the loan
- Mortgage Bankers - who fund the loans and then sell the loans
- Aggregators - (often a broker-dealer) who buy loans and then package the loans into a securitization that is sold to investors
- CDO Managers - who buy portfolios of mortgage-backed securities for a trust that issues debt backed by those securities
- Investors - who buy the CDO debt (Collateralised Debt Obligation)
- Rating Agencies - that place a rating on the mortgage securities and on the CDO debt
- Investment Banks - that act as underwriters and placement agents for the mortgage securities and the CDO debt
- Servicers - who keep the loan documents and collect the payments from the borrower
While six degrees of separation creates a smaller global community, it is not sufficiently close to ensure a sound mortgage origination process. The key risk takers in the market, the CDO investors, were too far from, and not sufficiently concerned with, the process of loan origination. Moreover, they probably didn't even realize the extent of their risk taking. At the origination end, without the discipline of a sceptical buyer, abuses grew. The problem with the sub-prime secondary market is that no one is the gate-keeper, shutting the door on uneconomic loans.
One way of mitigating a repeat of these events is the need for regulation aimed at reducing the separation between origination and investment. Capital is the key to this process. By adding capital to the key players in the mortgage chain, the capital markets would address many of the other problems that were created.
- There needs to be capital at the origination end of the process.
- There needs to be a constraint on the leverage of CDOs relative to other financial institutions
Without capital, representations and warranties have no value. Brokers (or whoever has direct contact with the borrower) should be licensed and bonded and firms in the chain of reps and warrants need to maintain sufficient reserves to support their financial promises. This capital would also be available to assess damages in the case of fraudulent or predatory practices that hurt borrowers and homeowners.
This can arise through regulation of rating agencies or through direct regulation of certain types of leveraged investment vehicles.
To some extent markets are self-correcting, but markets have surprisingly short memories and seemed to be easily fooled by structural innovations that may in some instances create smoke and mirrors relative to risk management. Therefore, without some institutional changes, these problems are likely to re-emerge. Ultimately the mortgage market can only function properly when those who are involved in the process of mortgage origination are motivated to limit the risk of mortgage investments.
So you might ask me, in view of the liquidity crisis, what is the benefit of imposing a SOLVENCY II regulatory framework that is modelled on the BASEL II framework. Now BASEL II was in the process of being implemented in the banking sector when the crisis hit. SOLVENCY II like BASEL II is a project that aims at introducing and developing a risk based supervisory framework for the Insurance Sector, in the sense that undertakings will have to hold capital on the basis of the risks they are facing and the way such risks are managed by the undertaking. In such a framework, the appropriate treatment of risks becomes a core issue for the soundness and effectiveness of the whole system. So the key message is that the Banking sector needed BASEL II and SOLVENCY II MUST BE ADOPTED BY THE INSURANCE SECTOR.
The SOLVENCY II framework has to be as effective in normal times as in crisis ones. Undertakings should carry out STRESS TEST and SCENARIO ANALYSIS in order to assess the impact on their solvency, both present and future, of different situations, both normal and extreme, that may affect them.
The restoration of normal bank lending will require a very large capital infusion from private or public sources to meet the evolving Basel II Capital Accord.
Recent risk spreads suggest that markets require circa 13% or 14% capital reserves (up from 10%) before US banks are likely to lend freely again.
The Insurance Industry under Solvency II will most likely be expected to hold significant capital reserves. As with Banks, the PE ratio of Insurance companies will be impacted and a likely outcome is higher premiums.
Therefore as insurance premiums rise, more corporations will be incentivised to set up their own captives and Malta is well positioned for this opportunity.
Q2 MARIO, WHAT LESSONS CAN BE LEARNED BY THE INSURANCE INDUSTRY RELATIVE TO RISK MANAGEMENT FROM THE LIQUIDITY CRISIS?
GOVERNANCE, RISK MANAGEMENT & COMPLIANCE - The crisis originated and developed in the BANKING SECTOR, but it subsequently spread to the INSURANCE SECTOR. The risk profile of a given undertaking should take into account both the INTERNAL and EXTERNAL risks that it faces, QUANTIFIABLE and NON-QUANTIFIABLE ones. In order to do so, the undertaking must have an integrated Governance, Risk Management and Compliance framework with Pillar 1 dealing with quantifiable risks and the Pillar 2 dealing with the non-quantifiable risks such as those arising from strategic decisions or reputational risk.
As in the financial sector at large, governance, risk management, and internal controls in the insurance sector need to be strengthened. These elements are key to Solvency II's underlying philosophy of a risk-sensitive system, where the ultimate responsibility for risk identification, monitoring and steering lies with the firm's management, thus requiring from them an understanding of the rationale underlying either the standard formula or internal models. Solvency II is not just about risk measurement and quantification, rather it is about effective governance and risk management. This point is best illustrated by practical observations during the crisis focusing on CREDIT, SOLVENCY and MARKET RISK, and touching upon CONCENTRATION, CONTAGION and REPUTATIONAL RISK.
In the insurance sector we have observed insurers investing in structured products they did not sufficiently understand. Effective risk management requires a strong emphasis on own risk assessment, for example where the use of external ratings by Credit Rating Agencies is contemplated. Whilst the role of CREDIT RATING AGENCIES has been severely criticised, in particular regarding the rating of complex structured products, we also observed insurers were over-relying on the ratings and models of these Agencies, without an internal assessment of the underlying risks and forgetting, when adapting for their risk management processes the model run by the CRAs, that the CREDIT RATING AGENCIES were dealing with credit risk, not with the whole risk profile of the undertaking.
Another clear lesson from the crisis is linked to what is to be understood as an effective risk transfer, and this impacts the treatment of alternative risk transfers such as the use of derivatives or securitisation of insurance risk portfolios. In many cases, due to credit risk, risks thought to be transferred were not. The same may happen in the case of reinsurance agreements where the reinsurer would default.
Similarly, LIQUIDITY RISKS will need more attention, to be followed by a higher reporting frequency in stressed situations:
We have seen how surrenders of life policies, including unit linked products, may have an adverse impact on the solvency situation of insurers, putting into question the effectiveness of ALM policies within undertakings or the profitability of certain products and lines of business.
We have also seen how there was a direct link between the need to provide additional collateral in contracts when the guarantor was downgraded and subsequent liquidity constraints.
And finally there have been cases where liquidity has flown from the Insurance to the Banking part of Financial Conglomerates during this crisis.
For the application of internal models, key success factors relate to model governance (checks and balances, proper documentation) and the involvement as well as proper understanding and steering by board and senior management, much more than to fine-tuning the ultimate risk metrics.
When it comes to Pillar 2, liquidity contingency plans, both at solo and group level, should be part of the risk management of the undertakings, to be reported to the board of directors with a higher, weekly if not daily, frequency in stressed times, and specific information should be requested by supervisors to undertakings on liquidity risks.
In 2008 insurers were hit by the impact of the crisis, and the loss of value of most of the assets within their portfolio. Property values and equities suffered significant decline, credit spreads reached unforeseen levels and currencies have been subject to very high volatilities. The crisis has clearly shown that inadequate correlations would lead to a lesser capital charge than the one that would be necessary to meet a 99,5% confidence level.
CONCENTRATION, CONTAGION & REPUTATIONAL RISK
The crisis has also highlighted the need to effectively manage concentration risk and intragroup implications on contagion and reputational risk.
The first thing that should be noted is that CONCENTRATION RISK affects both the ASSET and LIABILITY sides of the undertaking's balance sheet. A fully comprehensive approach to the issue will require that both sides are considered, as exposures in the liability side directly affect the core business of insurers.
CONCENTRATION is linked to DIVERSIFICATION. The crisis has shown that diversification benefits (among lines of business, asset classes, geographical, etc.) tend to diminish or not be realizable in stressed times.
The crisis has put more emphasis on the ASSET SIDE, in particular when it comes to the excess of exposure to certain types of assets or sectors (e.g. high exposure in real estate or to other financial institutions such as banks that have been severely hit by the crisis).
The crisis has shown as well how inappropriate exposures to CONCENTRATION RISK can minimize the effects of risk transfer mechanisms where there are problems with counterparts (monolines, certain reinsurers, corporate bonds as collaterals in structured products).
In particular, we have witnessed how SOLVENT INSURERS have been hard hit by belonging to a Financial Group, and by the bad results of other parts of it.
We have also seen cases of LIQUIDITY TRANSFERS within FINANCIAL CONGLOMERATES, from the INSURANCE to the BANKING part of it. This may have significant consequences in case insurers demand additional capital due to liquidity constraints.
We have also seen cases where there have been increases in INVESTMENTS of insurers in the BANKING SECTOR (both equities and bonds), increasing their exposures.
We have also seen how REPUTATIONAL RISK has hit INSURERS being part of larger financial conglomerates that have been rescued during the crisis, regardless of the fact that the underlying problems didn't emerge from the insurance part. And raising capital during the turmoil is both difficult and expensive.
Q3 MARIO, IN YOUR OPINION, WHAT SYSTEMIC FAILURES ARE STILL UNCORRECTED AND MAY CONTRIBUTE TO A REPEAT OF THE CRISIS?
CAPITALISM IS A SYSTEM THAT FUNCTIONS ON TRUST - but the system failed to control the animal spirits where greed was driving corporate behaviour, especially when people are too trusting.
The system will produce not only what people really want, but if it can do so profitably, it will also produce what they think they want.
So the system will produce snake oil. Not only that: it may also produce the want for the snake oil itself.
The marketplace was not selling them insurance against risk, but was, instead, selling them the financial equivalent of snake oil.
When confidence is high, and since financial instruments are hard to evaluate by those who are buying them, people will and do buy snake oil.
And when that is discovered, as it invariably must be, the confidence disappears, risk aversion sets in and the whole system collapses.
BUBBLES HAVE AND WILL CONTINUE TO HAPPEN. The hallmarks are always prolonged periods of prosperity, damped inflation and low long-term interest rates.
Euphoria-driven bubbles do not arise in inflation-racked or unsuccessful economies. We did not see bubbles emerging in the former Soviet Union.
History also demonstrates that underpriced risk - the hallmark of bubbles - can persist for years - as did the dotcom bubble, the US housing bubble .... and more recently Dubai ??
Once a bubble emerges out of an exceptionally positive economic environment, an inbred propensity of human nature fosters speculative fever that builds on itself, seeking new unexplored, leveraged areas of profit.
It is worth adding that it is the capital adequacy regime, and not primarily interest rate policy, which needs to be responsive to asset-price bubbles.
ECONOMIC FORECASTING has been unable to anticipate the onset of CRISIS.
Earlier this decade, for example, it was widely expected in the US that the next crisis would be triggered by the large and persistent US current-account deficit causing a collapse of the US dollar.
Instead, arguably, it was the excess securitisation of US subprime mortgages that unexpectedly set off the current solvency crisis.
The Federal Reserve, in looking at balance sheets, said in 2006 that the bank balance sheets that they oversee are in the best condition they have been in all the years that they've been auditing them. So one of the things you have to look back and say - and they could have required them to hold a little more of this or a little more of that - they thought they were the cleanest balance sheets they'd seen in their entire careers. Why? Because when you change one thing, it's the laws of unintended consequences. So when you say, 'Let's securitize and get these assets off our balance sheets,' one of the things people forget is that one of the reasons capital ratios or leverage ratios rose was on purpose.
And just like the Feds, the IMF which is in the business of dealing with crises around the world and one would expect them to know when they've got hot and cold running, with rocket scientists to help them out with the modelling, and they do a world economic report twice a year. In the early part of 2007, just before everything went bad, they put out a report that said the risks to the world economy were exceedingly low. And it's understandable why they did that. You can tick off all the reasons. It wasn't irrational to be at that place at that time. So what do we do in terms of regulation?
We need a BETTER CUSHION AGAINST RISK but we will NEVER HAVE A PERFECT MODEL OF RISK. The key problem as articulated by the ex Chairman of the US Feds - Alan Greenspan is that:
Our models - both risk models and econometric models - as complex as they have become, are still too simple to capture the key variables as the crisis has demonstrated.
For example the underlying data supporting risk management state-of-the-art statistical models is drawn from both periods of EUPHORIA and periods of FEAR, with very different dynamics.
We have never successfully modelled the IRRATIONAL HUMAN BEHAVIOR associated with the transition from EUPHORIA to FEAR.
SIMILARLY PERFECT SOLVENCY REGIMES DO NOT EXIST, if only for the simple reason that any form of regulation creates new distortions in and of itself. Experience has taught that in real crisis situations, only high-quality capital elements can truly be a first line of defence in the sense of absorbing losses without taking the insurer into full bankruptcy.
The Lehman Brothers collapse highlights the need for cross border supervision. International debate on cross border supervision has stimulated more questions than answers.
Capitalism's worst crisis in 70 years has illustrated that our current national framework for financial regulation is incapable of governing a global financial system.
Bankruptcy is capitalism: Companies that gamble and lose must be disposed of through bankruptcies that do not drag others down with them. But the incapacity of national governments to manage international markets has sheltered the largest financial institutions from this capitalism. Lehman Brothers' fall panicked financial markets into paralysis.
The challenge to regulators is to solve the inconsistency between national regulation and modern multinational banking groups with a global footprint.
As finance became a global game, national rules could not prevent some companies from becoming too large for bankruptcy. We have discovered that:
To close down financial giants we must bail out their creditors or risk a global recession.
At the same time, those too large to fail may also be too large for national governments to save, for fiscal and political reasons.
Taxpayers have to pay for the bailout.
So how do we resolve this contradiction?
One school of thought is to use regulatory capital requirements to discourage them from becoming too big and to temper their competitive advantage.
Another is the separation of commercial banking from investment banking where investment banks are left to their own creative devices, and subject essentially only to the discipline of the marketplace.
The rationale is that only a commercial banking crisis poses a systemic risk and can lead to the sort of mess we face today.
Commercial banks should not be in a position where they can be brought down by exciting but highly risky investment banking activities.
Regulation of investment banks has been and will always be complex - either the investment bankers will outsmart the regulators, or the regulators will respond with damaging overkill.
The role for bank supervision and regulation: namely, to ensure that the core commercial banking system is thoroughly sound and adequately capitalised at all times.
We need and will see more changes in the metrics to evaluate SHAREHOLDER VALUE particularly around the TIME HORIZON
The pursuit of shareholder value, the use of stock options to motivate employees and a light regulatory touch are likely to be overhauled.
Clearly, strong total shareholder returns - capital gains from the share price plus a flow of dividends - are what ultimately matter to investors in a company.
BUT the short-term goal of rewarding shareholders by increasing profits and dividends every quarter - which has become a mantra for companies around the world - has been shown to be an unreliable measure. Instead, we will see the only reliable measure being the creation of SUSTAINABLE ECONOMIC VALUE for shareholders.
The situation is exacerbated when the metrics for shareholders' wealth are linked directly with the Wall Street high-risk, high-reward model impacting top management's pay and the use of stock options to reward performance. It makes sense partly to align executives' remuneration with the stock price through share awards. But some of these schemes, particularly involving share options, can create incentives to game the stock price rather than create sound and sustainable business practices. Their vesting period, typically 3 years, may encourage managers, especially in the banking industry, to take dangerous short-term business risks, the catastrophic results of which only became evident long after the options had been monetised.
Companies should NOT be run in the interest of short-term investors and executives who are hell-bent on making a killing regardless of the risks and leave taxpayers and real long-term investors to pick up the pieces.
CHANGING ATTITUDES TO EXECUTIVE PAY - The failure of Wall Street's high-risk, high-reward model is set to bring about change on two main fronts: top management's pay & the use of stock options.
The era of rewarding ourselves with other people's money will come under heightened scrutiny.
Roel Campos, ex Commissioner of the US Securities and Exchange Commission, had expressed concern that much of executive pay in the public companies in America has been in very dark corners, difficult to discern and understand fully. Retirement benefits included New York apartments and free use of corporate jets.
In 1982, the ratio between the remuneration of CEOs and the average employee was 42:1. In 2004, the ratio had risen to 431:1, yet there was no evidence that executives in the U.S. were 10 times better than in 1982.
In just a 5-year period, the CEOs of MERRILL LYNCH, CITIGROUP & COUNTRYWIDE received $US460+ million in compensation and golden handshakes, allegedly based on phantom profits, whilst presiding over major losses from falling sub-prime assets.
THE PENDULUM WILL SWING BACK - At some point, the cycle will begin afresh and the pendulum will begin to swing back.
GREED and FEAR are always in the balance. And greed will ultimately come back, and whoever is working on the economic system, the financial system, will find some way to find a loophole through whatever antidote is now proposed, and ultimately you will have another bubble in some other area.
And you can't eliminate asset bubbles from a capitalist society no matter what you do. So if the G20 is on a mission to eliminate asset bubbles, it's going to fail. Rather, it should focus on measures to limit the amplitude of the cycles so that the peaks and valleys are not quite so devastating. After all, a big part of what drove what happened in this last cycle, a lot of it came from things that we deliberately wanted to happen and we set in motion through legislation, regulation, etc. It would take a number of bilateral instruments today to create a total lack of transparency in the markets and put them on to exchanges.
Henry Kravis of the private equity house KKR recently said that at least $300bn-$400bn of private equity money is waiting for deals.
Eventually, low stock market valuations will become irresistible, and the gears of mergers and acquisitions will again crunch into action albeit with considerably less leverage than before.
Q4 BASED ON YOUR Basel II EXPERIENCE, WHAT CHALLENGES DO YOU SEE FOR THE INSURANCE INDUSTRY TO TRANSITION INTO THE SOLVENCY II REGULATORY REGIME?
David, the regulatory agenda is striving to achieve a commercial balance between regulated trust and self-regulation. The regulatory agenda has been evolving against a backdrop of high-profile corporate scandals and collapses where greed is seen as driving corporate behaviour and eroding public trust. The growth in private pools of capital, such as hedge funds, has made the financial markets wider and deeper, supported significant product innovation, and allowed for greater risk transfer.
Fully aware of industry concern that regulation is not a free commodity and ultimately adds to the cost of every single financial product, the challenge facing regulators in a more globalised commercial environment is to maintain a grip on 'regulated trust' via prescriptive rules-based regulation, where the system trusts the rules that corporations, professions or individuals will, out of self-interest, follow and passing more of the compliance onus onto the regulated via a more flexible, risk-based, principles-driven regulation.
There is also a strong prevailing view that tougher rules and regulations are the way to restore trust in the corporate world and stability in the financial markets.
SELF REGULATION - ENTERPRISE-WIDE RISK MANAGEMENT
Under the self-regulatory framework, regulatory compliance is synonymous with the quality of an insurance company's integrated risk management framework. We are witnessing a convergence towards the risk-based, principles-driven regulation and supervisory oversight by prudential, securities, conduct, systemic stability and specialised anti-money laundering regulators.
- The evolving risk-based, principles-driven regulatory supervision has brought about a major shift in the COMPLIANCE ONUS from the regulator onto the regulated where 'ignorance of the situation in your institution is no longer a defense'.
- EVERYTHING OLD IS NEW AGAIN - The fundamentals are not new. Risk and control are virtually inseparable like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control.
Compliance needs to be integrated into the organisation's ERM framework, thereby making the management of regulatory risk a key part of effective overall compliance.
Compliance needs to be seen less as a function and more as an institutional state of mind, helping organisations to anticipate risk as well as avoid it. Embedding compliance as a corporate discipline ensures that internal controls are entrenched in people's roles and responsibilities. The risk management function must not only address the compliance requirements of the organisation, but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.
Therefore simply complying with the rules is not enough and insurance companies should approach this as part of their companies' DNA.
Insurance companies can approach investments in corporate governance, risk management practices and regulatory compliance (GRC) initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance shareholder value. A silo-based approach to GRC not only will be insufficient, but also will result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of the business - in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the undertakings in line with its regulatory obligations and the policies needed to protect and improve the franchise. Therefore insurance companies are as strong as their weakest components, like the links in a chain.
Many industry studies have concluded that:
- Part of the reason some financial institutions are not making the grade is that they equate effective governance with meeting the demands of regulators and legislators, i.e., they tend to look at governance as another compliance exercise.
- This compliance mentality is limiting the ability of these institutions to achieve strategic advantages through governance.
- Too often, financial institutions have fallen into the trap of treating compliance as a box to tick when the business of the day is done.
- Many have been dealing with aspects of governance, especially compliance, on the back foot, so they are always reacting. Instead, they should be on the balls of their feet anticipating.
THE CRO FUNCTION - A fundamental prerequisite to corporate governance, risk management practices and regulatory compliance (GRC) is the appointment of a Chief Risk Officer (CRO) with clear and unencumbered accountability to the board. The CRO fills a niche by 'elevating the visibility of risk and bringing a risk perspective to strategic decisions'. [1] As the chief risk management advocate and gatekeeper of risk management disclosure, the CRO is responsible for ensuring the following:
- GRC/enterprise risk management (ERM) model - A sustainable and consistent GRC/ERM model is established.
- Common risk language - Standardised definitions of risk and methodologies for calculating risks are adopted to ensure a single, coherent risk management framework.
- Risk appetite - The risk appetite is clearly defined and approved by the board.
- Risk profile - The major risks facing the organisation are identified, assessed, managed, monitored and reported on a consistent basis.
- Risk owners - The risk owners are identified with clear accountabilities amongst functions owning and managing risks, functions overseeing risks, and functions providing independent assurance.
- Risk-based performance - Performance measurement is based on economic, risk-based capital allocation.
- Risk-based decisions - Key decisions are made consciously and based on reliable risk vs. reward data. Risk is an integral component of the organisation's strategic direction.
- Board reporting - The board is getting an integrated, holistic picture of the true state of the organisation's risk profile.
- External reporting - Risk reporting to regulators and the market is timely and factual.
BULWARK NEVER FAILING
The underlying premise of ERM, as articulated in the COSO framework, is that every entity exists to provide value for its stakeholders. All entities face uncertainty and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Value is maximised when management sets strategy and objectives to strike an optimal balance between growth (and return goals) and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. The COSO ERM framework encompasses the following:
- Aligning risk appetite and strategy - Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks.
- Enhancing risk response decisions - ERM provides the rigour to identify and select amongst alternative risk responses (i.e., risk avoidance, reduction, sharing, acceptance).
- Reducing operational surprises and losses - Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Identifying and managing multiple and cross-enterprise risks - Every enterprise faces myriad risks affecting different parts of the organisation, and ERM facilitates effective response to the interrelated impacts and integrated responses to multiple risks.
- Seizing opportunities - By considering a full range of potential events, management is positioned to identify and proactively realise opportunities.
- Improving deployment of capital - Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
The achievement of an entity's objectives - categorised into strategic (high-level goals, aligned with and supporting its mission), operations (effective and efficient use of its resources), reporting (reliability of reporting) and compliance (with applicable laws and regulations) - is treated as an outcome of the integrated ERM framework.
LINES OF DEFENCE + WHISTLEBLOWER PROTECTION
In a marketplace where one person can undermine the reputation of a regulated entity, all parts of the organization must be aware of and take responsibility for compliance related risks. As an organisation is as strong or as ethical as its weakest or most unethical employee, the blame for a poor control environment must be shouldered throughout the organisation. Whilst the board and senior management must set the tone at the top of the organisation for a corporate culture that acknowledges and maintains an effective control environment, each and every person within the organization should be 'tuned in' to internal controls. Rules are meaningless in a culture of noncompliance. Increasingly, organisations are adopting a 'three lines of defence' approach to ERM, embedding risk management capability across the organisation. The three lines of defence model distinguishes among functions owning and managing risks, functions overseeing risks and functions providing independent assurance, each playing an important function within the integrated ERM, as follows:
The Board sets the organisation's risk appetite, approves the strategy for managing risk and is ultimately responsible for the organisation's system of internal control. The chief executive, supported by senior management, has overall responsibility for the management of risks facing the organisation. Business management and staff members have the primary responsibility for managing risk. They are required to take responsibility for the identification, assessment, management, monitoring and reporting of enterprise risks arising within their respective businesses. Unit, line and product managers consistently use the chosen ERM framework where all decisions proactively consider risk, thereby ensuring an informed risk and reward balance.
The CRO, supported by the risk functions within the organisation, has overall responsibility for the second line of defence. The CRO is accountable to the board risk committee and, ultimately, to the main board. Day-to-day management of risks is not the accountability of the CRO, but rests with the first line of defence. Typically, the risk function recommends risk policies to the board for approval, and oversees the effectiveness of the ERM framework in the identification, assessment, management, and monitoring and reporting of risks.
The third line of defence, internal audit, provides independent assurance on the effectiveness of the first and second lines of defence in the management of enterprise risks across the organisation. The internal audit function is accountable to the board audit committee and, ultimately, to the main board. Recent surveys show the internal audit function becoming more standardised throughout the world, and it is predicted to expand its role in organisational governance and risk management.
Regulators are increasingly seeking formal internal control assurances from regulated entities. Organisations should formally assess the risks and controls on an ongoing basis. At least once a year, management within each of the three lines of defence should formally attest or provide assurance on the capability maturity of the ERM framework as it relates to risks within their scope of authority. Business line management would provide assurances to the chief executive, and the CRO and head of internal audit would attest to the board risk committee and board audit committee, respectively. The ERM assurance framework should cover the responsibilities and accountabilities of the three lines of defence across each and every major risk faced by the organisation.
Whistle-blower protection is designed to protect employees who generally may be advantageously positioned to report conduct that is inconsistent with corporate obligations. Companies retaliating against such employees may be liable for any damages caused to the employee because of unlawful discrimination.
SEEING THE FOREST AND THE TREES - ROBUSTNESS OF INTERNAL MODELS AND THEIR APPROVAL
Popular wisdom, such as 'IF YOU CAN'T MEASURE IT, YOU CAN'T MANAGE IT' and 'GARBAGE IN/GARBAGE OUT', is making a comeback. Internal models are increasingly being implemented by insurance undertakings, in particular the larger insurers, as a toolkit to better manage their risks. The robustness of internal models and their approval underpins Solvency II compliance. Like Basel II, data quality is emerging as the Achilles' heel in the challenge to comply with Solvency II, and is expected to get renewed attention by regulators. The challenge is more about sustainable data quality governance than building a data warehouse, and there are no 'silver bullets'.
Industry surveys have highlighted that:
- A high proportion of respondents are not very comfortable in the quality of their data
- Most organisations still view data quality management as an IT issue, rather than an issue for senior management, the managing director or corporate board
- There is a critical gap between intention and execution

Entities that treat data as an organisational asset are in a better position to proactively manage the data's quality. The commitment needs to be driven from the top, with a clear line of accountability throughout the organisation. Ultimately, the board, the chief executive, the chief financial officer and the CRO are accountable for data quality.
Like Basel II, in a Solvency II environment could we imagine a 21st century aircraft where pilots would receive faxed reports of their coordinates and occasional printouts of the engines' pressure? Time has come to make financial institutions as reactive and reliable as 747s.
The FSA expects most UK firms (70% or more) to apply for internal models approval, and they must meet the following tests:
Use Test and Model Governance
Insurance and reinsurance undertakings have to demonstrate that their internal models are widely used in and play an important role in their business and their governance and risk management system.
This also implies the need to be able to perform calculations on a more frequent basis, and to be able to allocate risk measures and capital requirements at a relatively granular level within the organisation.
Appropriate model governance is required, with senior management ownership, and actuarial & risk participation.
Statistical Quality Standards
The methods used to calculate the probability distribution forecast must be based on adequate actuarial and statistical techniques. The ability of the internal model to rank risk must be sufficient to ensure its wide use.
Data used for the internal model must be accurate, complete and appropriate.
For internal risk and capital management purposes, and for Pillar 2 solvency assessment, firms may use different risk measures based on their internal models; but for Pillar 1 SCR purposes, the model must be recalibrated so that it is equivalent to a VaR measure at a confidence level of 99.5% over a one-year horizon.
Internal models must be back-tested against actual P&L experience. Evidence of the use of sensitivity, stress testing and scenario analysis is also required.
Firms must implement a regular cycle of independent model validation which includes monitoring model performance, reviewing the on-going appropriateness of its specification, and testing results against outcomes.
Firms must provide a detailed outline of the mathematical and empirical basis and assumptions underlying internal models and indicate circumstances under which they do not work effectively.