Presenter; Gary Morley Presenter: Gary Morley Governance & Risk Appetite

Author: aubrey-shaw

Post on 20-Jan-2016

  • Presenter: Gary Morley. Governance & Risk Appetite

  • The quality and frequency of risk information for governing bodies varies significantly from firm to firm.

    Where risk information is provided, performance indicators relevant to particular risks, assessments of the availability and effectiveness of treatment and comparison of risks against risk appetite are seldom included.

    Many firms have not clearly defined their appetite for, or tolerance of, risk.

  • The banking crisis and the economic environment have further highlighted the importance of firms having effective risk management controls in place, driven by firms' senior management. Over the last 12 months there have been various regulatory and European reports & publications on this matter, for example:

    Walker Report: A review of corporate governance in UK banks and other financial industry entities. Quote from the report: "Firms should satisfy themselves on the integrity of their risk management controls and that they are robust and defensible."

  • CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance Synopsis

    "A clearly defined and well documented risk management strategy that includes the risk management objectives, key risk management principles, general risk appetite and assignment of risk management responsibilities across all the activities of the undertaking and is consistent with the undertaking's overall business

  • Effective Corporate Governance (Significant influence controlled functions and Walker Review) Policy Statement (PS) September 2010

  • A new framework of classification of controlled functions

    A NED holding a Chairman role will be reclassified as one of:

    CF2a (Chairman)
    CF2b (Senior independent director)
    CF2c (Chairman of risk committee)
    CF2d (Chairman of audit committee)
    CF2e (Chairman of remuneration committee)

  • Chair of Risk/Audit/Remuneration Committees

    The FSA comment that they would not preclude executive directors from performing the role of chairperson of a firm's risk, audit or remuneration committee where that is deemed appropriate in the circumstances of the firm. However, they would expect this to happen in exceptional circumstances only, and for these functions typically to be filled by a NED.

  • Finance, Audit & Risk (CF28)

    The CF28 function will be split into three distinct functions: finance, risk and internal audit (CF13, CF14 and CF15 respectively).

  • Internal Audit Function

    The FSA is adding further guidance to SUP 10 to make clear that it expects the person responsible for CF15 (Internal Audit) not to be responsible for another governing function.

    Additionally, the FSA acknowledge the role of today's internal audit function and are amending SUP 10.8.3 R to include a requirement that the internal audit function reports on the effectiveness of the firm's systems of internal control.

  • Outsourcing of CF13 (Finance) & CF15 (Internal Audit)

    A third-party service provider may be used to help a firm fulfil a particular task or activity, but cannot be in a position of significant influence; that can only be a person at the firm. For example, if a firm's internal audit function has been outsourced, the person carrying out the internal audit function (CF15) would normally be the person responsible for that function to the governing body or, in larger firms, to the audit committee.

  • The Walker Review - effective risk management

    Risk Committee

    Where no risk committee exists, there should, however, still be someone accountable for risk at the firm and the governing body will retain responsibility for risk oversight.

  • Risk Appetite: What is risk appetite?

    British Standards published BS 31100 in October 2008, which offers the following definition of risk appetite: "the amount and type of risk that an organisation is prepared to seek, accept or tolerate".

    Some organisations prefer the distinction between risk tolerance (the maximum risk that can be taken before financial distress) and risk appetite (the amount of risk that is actually taken for reward).

  • Why is risk appetite important? It is an important mechanism for using and embedding Operational Risk frameworks.

    Principle 3 (Management & Control): A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

    SYSC 4.1.1R: A firm must have effective processes to identify, manage, monitor and report the risks it is or might be exposed to.

    Operational Risk Management (INSPRU 5)

  • The Walker Review:

    Para 6.9: "the Board has responsibility for the determination of risk tolerance and appetite throughout the cycle". Recommendation 27: "the risk report should describe ... the associated risk appetite and tolerance and how the actual risk appetite is assessed over time ..."

  • Setting a risk appetite

    1. Setting a boundary on a probability and impact grid

    2. Economic capital measures / balance sheet based expressions

    3. Changes in credit ratings (headroom before a potential downgrade)

    4. Profit and loss measures (e.g. tolerable level of annual loss)

    5. Value based measures (based on probability of ruin or default)

    6. Limits / targets or thresholds for key indicators (e.g. +/- 5% variation in profit or 1-2% variation in revenue)

    7. Qualitative statements (e.g. zero tolerance for regulatory breaches or loss of life)

  • Elements of good practice in the area of risk appetite are:

    Start with a top-down approach, as this aligns better with the strategy-setting processes in an organisation

    Balance the requirements of various stakeholders (not just shareholders)

    Understand an organisation's strategic objectives and associated risks

  • Align risk appetite with existing management processes (especially the personal performance management process)

    Differentiate between short-term and longer-term risk appetite

    Broad communication of risk appetite in an organisation (beyond senior management)

    Monitor risk appetite changes over time (retrospectively and prospectively)

  • How are risk appetites expressed? How an organisation expresses its appetite for risk is a key component of the challenge. Some expressions are highly theoretical and quantitative and, while they may appear to be robust, they cannot always be understood and therefore used effectively by an organisation's decision makers. In contrast, more subjective expressions of risk appetite can be both vague and imprecise (such as statements like "we have no appetite for making a loss") and may actually promote inappropriate risk-taking behaviour on the part of an organisation's decision makers.

  • Benefits of risk appetite: Improved Board risk oversight and risk governance

    Communicate expectations for risk-taking to managers

    Communicate risk to the Board of Directors

    Achieve greater management consensus around risk

    Set limits for risk / reward trade-offs

    Increase accountability for management decision-making

  • Effective Communication of an Organisation's Risk Appetite

    There is little point going to the expense of determining an organisation's appetite for risk if this is not subsequently cascaded to all of its decision makers, so that they can understand the rules within which they should be operating.

  • Embedding Risk Appetite into Managerial Decision-making

    Staff training initiatives which could be used to promote risk awareness and reinforce an organisation's qualitative risk appetite statements

    Incentive schemes, whereby management might be rewarded for achieving specific economic targets whilst keeping risk indicators within agreed limits

    Performance management and objective setting initiatives where staff are given objectives that are directly aligned to current risk appetite priorities

  • The Link between Risk Appetite and Risk Monitoring

    Both the risk appetite and the risk profile should be continuously monitored by the Board (or equivalent) and formally reviewed at least annually, alongside the organisation's strategy and planning processes. This review should consider whether the organisation's risk appetite aligns with its risk profile and whether the risk appetite remains appropriate to deliver the organisation's objectives in light of internal and external drivers and constraints.

  • In the latter part of 2009 the FSA launched its intensive and more intrusive approach to regulation. Evidence of this can be seen in the difference in FSA fines for firms and individuals (approved persons):

    2009 data: Final Notices: 169. FSA fines in 2009 totalled 35,005,522. FSA fines in 2010 totalled 84,816,599; the largest fine was 33,320,000 for J P Morgan Securities Ltd, with 44 out of the 67 fines on individuals, ranging between 5,000 and 976,005.

    There has also been an increase in the number of individuals whistleblowing to the FSA. In recent years, the FSA's whistleblower line received the following number of reports from the financial services sector: 2006: 777; 2007: 835; 2008: 1186; 2009: 1890.

    Covers the following areas:

    General Governance Requirements; Fit and Proper Requirements; Risk Management System; Internal Control; Internal Audit; Actuarial Function; Outsourcing

    Risk Management areas:

    Risk Management System. Areas to be covered by the risk management system:

    Underwriting and reserving
    Asset-liability management & policy on asset-liability management
    Investment, including derivatives and similar commitments
    Liquidity risk management
    Concentration risk management
    Operational risk management
    Risk mitigation techniques & reinsurance and similar risk mitigation techniques
    Financial risk mitigation techniques
    Credit risk management
    Strategic risk
    Reputational risk
    Risk management function

    Most recently, following on from the FSA's January 2010 Consultation Paper (CP) CP10/3, in September the FSA published the Effective Corporate Governance (Significant influence controlled functions and Walker Review) Policy Statement (PS), September 2010. The proposed changes detailed in the policy statement will affect firms and require them to review their risk management frameworks:

    a new framework of classification of controlled functions;
    other changes to the approved persons regime, including the scope and definition of certain already existing controlled functions;
    guidance detailing the FSA's expectations of the role played by non-executive directors (NEDs), and a proposal to delete current guidance that discusses the limits of a NED's liability; and
    guidance on risk governance and the FSA's plans to support the implementation of the recommendations in relation to this area made by Sir David Walker in his review.

    Changes will be made to the following FSA handbooks: Senior Management Arrangements, Systems and Controls (SYSC) / Statements of Principle and Code of Practice for Approved Persons (APER) / The Fit and Proper test for Approved Persons (FIT) / Supervision manual (SUP) / Credit Unions sourcebook (CRED)

    Changes effective 1st May 2011.

    However, due to the complexity and diversity of corporate governance models and the challenge in measuring their effectiveness, the FSA are mindful of the fact that not all of the proposed changes will be relevant to all firms.

    Firms will be required to notify the FSA, on a specified form, between 1 May and 31 July 2011 of those individuals currently performing the CF28 role.

    The FSA comment that this function is a key element in ensuring the effective governance of a firm and, to facilitate this, it is helpful to ensure that the person performing it is independent within the organisation from the functions on which they give assurance.

    1st bullet point: Many firms already have in place a wholly independent internal audit structure that allows the individuals holding the internal audit role not to be responsible for other functions. However, the FSA acknowledge that many smaller firms may have no alternative, due to their scale, to having individuals responsible for both internal audit and other roles. They therefore intend, for reasons of proportionality, to limit the scope of the new guidance in SUP to those firms the FSA assesses to have an impact score of low to medium or higher (firms that are uncertain of their impact score are advised to contact their supervisors).

    In our case we outsource our Internal Audit function to a third party who currently holds the CF28 (Internal Audit & Risk) position; as noted, this will not be allowable from 1st May 2011. Following discussions with our supervisory team, the Chair of our Audit Committee will take on the CF15 (Internal Audit) role. Due to our business model, scale and complexity we will not require a CF14 (Risk) / Chief Risk Officer (CRO); however, a member of the society's board will take on the role of risk champion.

    The FSA have confirmed that it is for each individual firm to determine, based on its nature, scale and complexity, as well as its attitude and exposure to risk, whether or not to establish a risk committee of the governing body. Where no risk committee has been established, the FSA would expect the firm to keep this situation under regular review (e.g. as part of the firm's business strategy review) and to create such a committee should circumstances change and/or, for relationship-managed firms, on the advice of their supervisor. Moreover, even where no risk committee exists, there should still be someone accountable for risk at the firm, and the governing body will retain responsibility for risk oversight (risk champion).


    What are the FSA's expectations?

    Risk appetite can be expressed and calculated in a number of ways.

    Risk appetite statements tend to be created in order to improve Board risk oversight and risk governance, or to communicate expectations for risk-taking to managers and / or the Board of Directors.

    A top-down approach helps to reinforce the governance and risk culture of an organisation by setting an appropriate tone from the top.

    The solution to this dilemma is to accept that in most cases there is no right way to express an organisation's appetite for risk and that, depending on the nature, scale and complexity of their activities, different organisations are likely to choose different methods of expression.

    A key benefit is that, by determining its appetite, an organisation should be able to allocate its limited risk management resources more efficiently. In addition, it should help to improve buy-in for risk management activities by highlighting the consequences of not maintaining appropriate levels of risk exposure.

    The importance of effective communication is emphasised by almost all commentators. Effective communication of an organisation's risk appetite will help ensure that its management and staff are motivated to make decisions that are in accordance with its appetite for risk.

    Moreover, if an organisation's risk appetite is communicated effectively, it should promote a risk-aware culture where the board and management are not only prepared to talk about their organisation's risks, but also take prompt action to respond to those risks that are outside of its appetite.

    Motivating an organisation's employees is never easy; however, there are some practical solutions that can be utilised. Notably, an organisation might decide to reflect its appetite for risk within (ref to slide)

    The last significant good practice lesson relates to the importance of risk monitoring within any sound risk appetite framework.

    The logic behind this lesson is very simple: there is no point an organisation going to the trouble of determining its appetite for risk if it does not then monitor the state of its actual risk profile and the extent to which this deviates from its ideal. This is emphasised within the new British Standard (see slide).

    How an organisation goes about determining and monitoring appropriate management information will clearly vary according to the nature, scale and complexity of its activities. If it is to be effective, the approach must be aligned to the ways in which risk appetite is expressed within the organisation.

    Refer to the University of Nottingham research paper on the concept of risk appetite.