EIOPA proposal for Regulatory Technical Standards (RTS) on management of sustainability risks including sustainability risk plans – Part 2

Publié le par hanswillertbleuazurconsultingeu

Our recent article presented EIOPA’s RTS proposal regarding the requirements of sustainability risk management with respect to ORSA, governance and key functions within the future, significantly broadened Solvency II framework.

This article will focus on materiality and financial assessment of sustainability risks as well as on proposed metrics, targets, and actions described by the RTS draft.

Materiality assessment

The definition of materiality under Solvency II and the European Sustainability Reporting Standards (ESRS) are aligned in their focus on the potential impact of information on decision-making.

  • Under Solvency II, for public disclosure purposes, materiality means that if an issue is omitted or misstated, it could influence the decision-making or judgment of users of the information, including supervisory authorities. As to financial materiality, sustainability risks can translate in a financial impact on the (re)insurer’s assets and liabilities through existing risk categories, such as underwriting, market, counterparty default or operational risk as well as reputational risk or strategic risk. In other words, they are ‘drivers’ to existing risk categories.
  • Similarly, the ESRS defines materiality as the potential for sustainability-related information to influence decisions that users make on the basis of the undertaking’s reporting. In the context of financial materiality, which is relevant for Solvency II purposes, the ESRS specifies that a sustainability matter is considered material if it could trigger or reasonably be expected to trigger material financial effects on the undertaking. This includes material influence on the undertaking’s development, financial position, financial performance, cash flows, access to finance or cost of capital over the short-, medium- or long-term. The materiality of risks is based on a combination of the likelihood of occurrence and the potential magnitude of the financial effects.

The two frameworks are aligned as material financial effects, as defined by the ESRS, would likely influence the decision-making or judgment of users of the information, including supervisory authorities. This alignment enables undertakings to apply a consistent materiality assessment approach across both Solvency II and ESRS reporting requirements.

Both Solvency II and ESRS do not set a quantitative threshold for defining materiality. The RTS do not specify a threshold for materiality either, considering this should be entity-specific. The undertakings should however define and document clear and quantifiable materiality thresholds, taking into account the above and provide an explanation on the assumptions made for the categorisation into non-material and on how the conclusion on the materiality has been reached. The classification of an exposure or risk as material has bearing on its prudential treatment, as it is a factor that determines whether the risk should be further subject to scenario analysis in the undertaking’s ORSA. The RTS require the undertaking to explain its materiality threshold in the plan: the assumptions for classifying risks as (non-) material in light of the undertaking’s risk appetite and strategy.

The materiality assessment should consider that:

  • Sustainability risks are potential drivers of prudential risk on both sides of the (re)insurers’ balance sheet.
  • Sustainability risks can lead to potential secondary effects or indirect impacts.
  • The exposure of undertakings to sustainability risks can vary across regions, sectors, and lines of business.
  • Sustainability risks can materialise well beyond the one-year time horizon as well as have sudden and immediate impact. Therefore, the materiality assessment necessitates a forwardlooking perspective, including short, medium, and long term. For example, certain geographical locations may not be subject to flood risk today but may be so in the future due to sea level rise. The risk assessment should be performed gross and net of reinsurance, to measure the risk of reliance on reinsurance.

The materiality assessment would consist of a high-level description of the business context of the undertaking considering sustainability risks (‘narrative’) and the assessment of the exposure of the business strategy and model to sustainability risk (‘exposure assessment’), to decide whether a risk could be potentially material. Following this, based on the identification of a potentially material risk, the undertaking would perform an assessment of the potential financial impact (i.e., financial risk assessment, as part of ORSA).

The narrative should describe the business context of the undertaking regarding sustainability risks, and the current strategy of the undertaking. It also describes the long-term outcome, the pathway to that outcome, and the related actions to achieve that outcome (e.g., emissions pathways, technology developments, policy changes and socio-economic impacts).

The narrative would include a view on the broader impact of national or European transition targets on the economy, or the effect of a transition risk throughout the value chain. The narrative should include other relevant sustainability risks than climate, such as risks related to loss of biodiversity, or social and governance risks, as well as interlinkages between sustainability risks (e.g., between climate and biodiversity or climate and social) and spill-over and compounding effects looking beyond specific sustainability risk drivers on particular lines of business.

Sustainability narratives, indicators, and interlinkages

  • Narrative: For example, for climate change undertakings may refer to publicly available climate change pathways (i.e., the Representative Concentration Pathways (RCPs) developed by the Intergovernmental Panel on Climate Change (IPCC); Network for Greening the Financial System (NGFS)) or develop their own climate change pathway.
  • Indicators: Macro-prudential risk indicators or conduct indicators may provide additional insights and help the undertaking form its view on the future development of sustainability risks. Especially over a longer horizon, sustainability risk could have a wider and compounding impact on the economy and interactions between the financial and the real economy would need to be considered. For example, indirect impacts of climate change could lead to increase in food prices, migration, repricing of assets and rising social inequalities. All these indirect drivers will, in turn, impact the real economy as well as the financial sector, even more so as they could also trigger political instability. Macroprudential concerns could include, for example, plausible unfavourable forward-looking scenarios and risks related to the credit cycle and economic downturn, adverse investments behaviours or excessive exposure concentrations at the sectoral and/or country level. For example, EIOPA financial stability and conduct ESG risk indicators can be used to assess the external environment and business context in which climate change-related risks/opportunities can arise for the undertakings, the risk indicators will give an indication of macro-prudential risk in the insurance sector, and potential ESG related developments at sector level to the detriment of consumer protection.
  • Interlinkages: For example, increasing temperatures leading to increased mortality risk affecting health business can potentially create underwriting as well as legal transition risk if the conditions for triggering a liability insurance have been met (e.g. a company failing to mitigate/adapt the risk). But also, a sharp increase in physical risks can lead to public policies focusing on a faster economy transition, leading in turn to higher transition risks. Physical and transition risks can impact economic activities, which in turn can impact the financial system. At the same time, the interconnectedness of the financial sector, and more generally of the economy, can create secondary effects: physical risk reducing the value of property, reducing in turn the value of collateral for lending purposes or increasing the cost of credit insurance, leading to economic slowdown; or physical damage caused by extreme weather events to critical infrastructure increasing the potential for operational/IT risks, amplifying supply chain disruption and disruption to global production of goods.

Based on the narrative, through qualitative and quantitative analyses, undertakings should arrive at an assessment of the materiality of their exposure to sustainability risks. A qualitative analysis could provide insight in the relevance of the main drivers in terms of traditional prudential risks. A quantitative analysis could assess the exposure of assets and underwriting portfolios to sustainability risk.

Exposure assessment

The aim is to identify sustainability risk drivers and their transmission channels to traditional prudential risks (i.e. market risk, counterparty risk, underwriting risk, operational risk, reputational risk and strategic
risk). Additionally, the assessment should provide insight into (direct) legal, reputational or operational risks or potential (indirect) market or underwriting risks, which could arise from investing in or underwriting activities with negative sustainability impacts, or from the undertaking misrepresenting its sustainability profile in public disclosure.

  • Qualitative analysis to help identifying the main drivers of climate change risks:
    • Transition risk drivers include changes in policies, technologies, and market preferences as well as the business activities of investees and commercial policyholders and policyholder preferences. At macro level, it may include consideration of failure of national governments to meet transition targets.
    • Physical risk drivers include level of both acute and chronic physical events associated with different transition pathways and climate scenarios. This involves assessing the impact of physical risks to counterparties (investees, policyholders, reinsurers) as well the insurer’s own operations (e.g.to insurer’s business continuity, also for outsourced services). For climate change-related risks, the assessment should consider the evolution of extreme weather-related events for insurers underwriting natural catastrophe risks (incl. in property and health insurance).
  • Geographical exposure: Identify potential exposure of assets or insured objects to sustainability risk based on, for example, the location of operations, assets or insured objects or supply chain dependencies of investee companies in geographical areas, regions or jurisdictions prone to (physical) climate, other environmental or social risks.
    • Natural catastrophe and environmental risk datahubs such as the Copernicus datasets on land (use) or biodiversity can give an indication of relevant environmental risks across regions.
    • Social risk indicators identify countries or regions that are vulnerable to social risk, measure social inequality or development. These can give an indication on potential social risk exposure of assets or liabilities located in those regions.
  • Economic activity/sector-based exposure: Identify potential exposure of assets or lines of business or insured risks to potential sustainability risks based on the impact of the investee (or supply chain dependencies of the investee) or the policyholder’s economic activity, or their dependency on environmental or social factors. Such assessment should however not only focus on for example, exposures to climate related sectors, but also to other sectors which may be indirectly affected by (transition) risks.
    • Alignment of the economic activity with the climate and environmental objectives and screening criteria set out in the Taxonomy Regulation and Climate, Environmental Delegated Regulations, as supported by the taxonomyrelated disclosures.
    • Biodiversity loss, a high-level exposure assessment of could be carried out using the level of premiums written in economic sectors with a high dependence on ecosystem services and/or a high biodiversity footprint (economic exposure) and the probability of occurrence of the associated nature-related risk factors.
    • Social risks, exposure of assets or liabilities to economic activities in ‘high risk social sectors’, can be identified by referring to the Business and Human Rights Navigator (UN Global Compact), which can help mapping exposure to sectors at high risk of relying on child labour, forced labour, or sectors negatively impacting on equal treatment (incl. restrictions to freedom of association) or on working conditions (inadequate occupational safety and health, living wage, working time, gender equality, heavy reliance on migrant workers) or have negative impacts on indigenous people.

Financial risk assessment

Where the exposure is deemed material, based on the thresholds set by the undertaking, a more detailed evaluation of the financial risks combining quantitative and/or qualitative approaches should inform the financial impact on the undertaking’s balance sheet. Here the assessment should aim to identify the key financial risk metrics and provide a view of the expected impact of such risks under different scenarios and time horizons at various levels of granularity.

Scenarios

When assessing the potential financial impact of material sustainability risks, the RTS sets out that undertakings should specify at a minimum two scenarios that reflect the materiality of the exposure and the size and complexity of the business. One of the scenarios should be based on the narrative
underpinning the materiality assessment. Where relevant, the scenarios should consider prolonged,
clustered, or repeated events, and reflect these in the overall strategy and business model including
potential stresses linked to the

  • availability and pricing of reinsurance,
  • dividend restrictions,
  • premium increases/exclusions,
  • new business restrictions,
  • or redundancies.

For climate change risks, the Solvency II Directive requires undertakings with a material exposure to climate change risks to specify at least two long term climate change scenarios:

(a) a long-term climate change scenario where the global temperature increase remains below two degrees Celsius;

(b) a longterm climate change scenario where the global temperature increase is significantly higher than two degrees Celsius.

Experience to date shows that the most used scenarios are those designed by NGFS43, IPCC Shared Socioeconomic Pathways (SSPs) or tailor-made scenarios (set by regulators, e.g. for nature-related scenarios or for stress testing purposes.

Time horizons

The time horizon should ensure that the time horizon for analysing sustainability risks is consistent with the undertaking’s long-term commitments. The time horizon should allow to capture risks which may affect the business planning over a short-to-medium term and the strategic planning over a longer term.

The time horizon chosen for the materiality assessment in sustainability risk plan should also enable the integration of the risk assessment process with time horizons applied for the purposes of the ORSA for risk assessment purposes.

Taking the example of the impact of climate change: its impact can materialise over a longer time horizon than the typical 3-5 years (re)insurers’ strategic and business planning time horizons considered in the ORSA. It is argued that ORSA time horizons are too short to integrate the results of such longer-term climate change scenarios. Nevertheless, the ORSA should allow for the monitoring of the materialisation of risks over a longer term. At the same time, climate change-related risks and opportunities can affect the business planning over a short term and the strategic planning over a longer term.

The RTS specify the time horizons for sustainability risk assessment, to promote supervisory convergence and increase the consistency of risk assessment across undertakings and with decisionmaking. For this purpose, the RTS stipulates that the following time horizons for the sustainability risk assessment apply:

  • Short term projection: 1-5 years
  • Medium term projection: 5-15 years
  • Long term projection: min. 15 years

Documentation and data requirements

The sustainability risk assessment should be properly documented. This would include documenting the methodologies, tools, uncertainties, assumptions, and thresholds used, inputs and factors considered, and main results and conclusions reached.

Undertakings’ internal procedures should provide for the implementation of sound systems to collect and aggregate sustainability risks-related data across the institution as part of the overall data governance and IT infrastructure, including to assess and improve sustainability data quality.

Undertakings would need to build on available sustainability data, including by regularly reviewing and
making use of sustainability information disclosed by their counterparties, in particular in accordance with the CSRD or made available by public bodies.

Additional data can be sourced from interaction with investees and policyholders at the time of the
investment or underwriting of the risk, or estimates obtained from own analysis and external sources.
Undertakings should, where data from counterparties and public sources is not available or has shortcomings for risk management needs, assess these gaps and their potential impacts. Undertakings
should document remediating actions, including at least the following: using estimates or (sectoral) proxies as an intermediate step – the use of such estimates should be clearly indicated – , and seeking to reduce their use over time as sustainability data availability and quality improve; or assessing the need to use services of third-party providers to gain access to sustainability data, while ensuring sufficient understanding of the sources, data and methodologies used by data providers and performing regular quality assurance.

Frequency

The RTS aim to align the frequency of performance of the materiality and financial risk assessments
with, on the one hand, the cycle of the submission of the regular supervisory report to the supervisor ‘at least every three years’, if not stipulated differently by the supervisor, and the requirement for undertakings to assess material risks as part of their ORSA ‘regularly and without any delay following any significant change in their risk profile’.

Significant changes to the undertaking’s risk profile can include material change to its business environment including in relation to sustainability factors, such as significant new public policies or shifts in the institution’s business model, portfolios, and operations.

In addition, for the frequency of the financial risk assessment, the RTS need to consider that undertakings (except for SNCUs) are required to conduct at regular intervals, at a minimum every three years, the analysis of the impact of at least two long-term climate change scenarios for material climate change risks on the undertaking’s business.

Based on these considerations, the RTS set out that the materiality and financial risk assessment should be conducted at least every three years, and regularly and without any delay following any significant change in their risk profile.

Building on the requirements , the RTS specifies that key metrics and the results of the sustainability risk
plan should be disclosed at least every year or, for smaller and non-complex undertakings, at least every two years or more frequently in case of a material change to their business environment in relation to sustainability factors.

Metrics

Prescribing a list of metrics in sustainability risk plans can help

  • in promoting risk assessment,
  • improve comparability of risks across undertakings,
  • promote supervisory convergence in the monitoring of the risks and
  • enable relevant disclosures.

At the same time, it is important to allow undertakings flexibility in defining their metrics to avoid missing useful undertaking-specific information. Therefore, the RTS describes the key characteristics of the metrics and provides a minimum list of relevant metrics to compute.

Backward-looking (current view) and forward-looking, can be tailored to the undertaking’s business model and complexity, while following key characteristics apply. Metrics should

  • provide a fair representation of the undertakings’ risks and financial position using the most up-to-date information.
  • be appropriate for the identification, measurement, and monitoring of the actions to achieve the risk management targets.
  • be calculated with sufficient granularity (absolute and relative) to evaluate eventual concentration issues per relevant business lines, geographies, economic sectors, activities, and products to quantify and reflect the nature, scale, and complexity of specific risks.
  • allow supervisors to compare and benchmark exposure and risks of different undertakings over different time horizons.
  • be documented to a sufficient level to provide relevant and reliable information to the undertaking’s management and at the same time be used as part of supervisory reporting and, where relevant for public disclosure, ensuring sufficient transparency on the data (e.g. source, limitations, proxies, assumptions) and methodology (e.g. scope, formula) used.

The RTS requires the following minimum current view metrics:

The following list includes optional metrics which could be considered by the undertaking on a voluntary basis to report on the results of scenarios analysis (financial risk assessment) for material sustainability risks.

Targets

Based on the results of the sustainability risk assessment, the undertaking’s risk appetite and long-term
strategy, the undertaking should set quantifiable targets to reduce or manage material sustainabilityrelated exposure/risks or limits sustainability-related exposure/risks to monitoring prudential risks over the short, medium, and long term.

The undertaking should, based on its risk appetite, specify the type and extent of the material sustainability risks the undertaking is willing to assume in relation to all relevant lines of business, geographies, economic sectors, activities and products (considering its concentration and diversification objectives) and set its risk management targets accordingly.

Undertakings shall explain the way the target will be achieved or what is their approach to achieve the
target. Intermediate targets or milestones should allow for the monitoring of progress of the undertaking in addressing the risks. The undertakings should specify the percentage of portfolio covered by targets.

The targets should be consistent with any (transition) targets used in the undertaking’s transition plans and disclosed where applicable. The targets and measures to address the sustainability risks will consider the latest reports and measures prescribed by the European Scientific Advisory Board on climate change, in particular in relation to the achievement of the climate targets of the Union.

Relation between targets, metrics, and actions across transition plans, sustainability risk plans and ORSA, applied to an example for transition risk assessment for climate risk-related investments

Actions

Actions to manage risks should be risk-based and entity-specific.

  • Actions set out in undertakings’ transition plans, for example under CSDDD can inform the sustainability (transition) risk to the undertaking’s business, investment, and underwriting. Such transition plan actions typically involve:
  • Limiting investment in non-sustainable activities/companies Introduction of sustainability criteria in the investment decision.
  • Re-pricing of risks.
  • Integrating sustainability into the investment guidelines.
  • Stewardship, impact investing, impact underwriting.
  • Integrating ESG into the underwriting standards and guidelines of the undertaking.
  • Product development considering the impact on climate change.

The measures in the transition plan and actions to address financial risks arising from the transition need to be integrated into the investment, underwriting and business strategy of the undertaking. They need to be measurable and where actions fail to meet their expressed target, these should be monitored and, where necessary, adjusted.

Cliquer pour accéder à click-here-to-access-eiopa-bos-24-458-consultation-paper-on-regulatory-technical-standards-on-management-of-sustainability-risks-2.pdf

DORA: What the new European Framework for Digital Operational Resilience means for Business

Publié le par hanswillertbleuazurconsultingeu

On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the
financial sector (DORA). With obligations under DORA coming into effect late in 2024 or early 2025 at the latest, in this briefing we take a closer look at its impact and consider what the regulation will mean for firms, their senior managers and operations and what firms should be doing now in preparation for day one compliance.

What is DORA?

Aimed at harmonising national rules around operational resilience and cybersecurity regulation across the EU, DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide services related to information communication technologies (ICT), such as cloud platforms or data analytics services.

DORA creates a regulatory framework on digital operational resilience whereby all in-scope firms need to make sure that they can withstand, respond to, and recover from, all types of ICT-related disruptions and threats. ICT is defined broadly to include digital and data services provided through ICT systems to one or more internal or external users, on an ongoing basis.

DORA forms part of the EU’s Digital Finance Package (DFP), which aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. The DFP also includes legislative proposals on markets in cryptoassets (MiCA), distributed ledger technology and a digital finance strategy.

Who will need to comply with DORA?

DORA will apply to financial entities, including:

  • credit institutions,
  • payment institutions,
  • e-money institutions,
  • investment firms,
  • cryptoasset service providers (authorised under MiCA) and issuers of asset-referenced tokens,
  • central securities depositories,
  • central counterparties,
  • trading venues,
  • trade repositories,
  • managers of alternative investment funds and management companies,
  • data reporting service providers,
  • insurance and reinsurance undertakings,
  • insurance intermediaries,
  • reinsurance intermediaries and ancillary insurance intermediaries,
  • institutions for occupational retirement pensions,
  • credit rating agencies,
  • administrators of critical benchmarks,
  • crowdfunding service providers and
  • securitisation repositories (Financial Entities).

DORA will also apply to ICT third-party service providers which the European Supervisory Authorities (the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), acting through their Joint Committee) (ESAs) designate as « critical » for Financial Entities (Critical ICT Third-Party Providers) through a newly established oversight framework.

The ESAs would make this designation based on a set of qualitative and quantitative criteria, including:

  • the systemic impact on the stability, continuity or quality of financial services in the event that the ICT third-party
    provider faced a large-scale operational failure to provide its services;
  • the systemic character or importance of Financial Entities that rely on the ICT third-party service provider;
  • the degree of reliance of those Financial Entities on the services provided by the ICT third-party service provider in
    relation to critical or important functions of those Financial Entities; and
  • the degree of substitutability of the ICT third-party service provider.

Any ICT third-party service provider not designated as critical would have the option to voluntarily « opt in » to the oversight. The ESAs may not make a designation in relation to certain excluded categories of ICT third–party service providers, including where Financial Entities are providing ICT services

  • to other Financial Entities,
  • to ICT third–party service providers delivering services predominantly to the entities of their own group or
  • to those providing ICT services solely in one Member State to financial entities that are active only in that Member State.

What are the key obligations?

DORA introduces targeted rules on ICT risk management capability, reporting and testing, in a way which enables Financial Entities to withstand, respond to and recover from ICT incidents. In principle, some of the requirements imposed by DORA, such as for ICT risk management, are already reflected to a certain extent in existing EU guidance (for example, the EBA Guidelines on ICT and security risk management).

The proposals include requirements relating to:

  • ICT risk management

DORA sets out key principles around internal controls and governance structures. A Financial Entity’s management body will be expected to be responsible for defining, approving, overseeing and being continuously accountable for a firm’s ICT risk management framework as part of its overall risk management framework. As part of the ICT risk management framework, Financial Entities need to maintain resilient ICT systems, revolving around specific functions in ICT risk management such as

  • identification of risks,
  • protection and prevention,
  • detection,
  • response and recovery and
  • stakeholder communication.
  • Reporting of ICT-related incidents

DORA aims to create a consistent incident reporting mechanism, including a management process to detect, manage and notify ICT-related incidents. Incidents deemed « major » would need to be reported to competent authorities within strict time frames, including initial notifications « without delay » on the same day or next day by using mandatory reporting templates. In some cases, communication to service users or customers may be required.

  • Testing

As part of the ICT risk management framework, DORA requires Financial Entities to adopt a robust and comprehensive digital operational resilience testing programme covering ICT tools, systems and processes. Certain Financial Entities must carry out advanced testing of their ICT tools, systems and processes at least every three years using threat-led penetration tests.

  • Information sharing

DORA contains provisions which should facilitate the sharing, among Financial Entities, of cyber threat information and intelligence, including

  • indicators of compromise,
  • tactics,
  • techniques and procedures,
  • cyber security alerts and
  • configuration tools

to strengthen digital operational resilience.

  • Localisation

Financial Entities will only be permitted to make use of the services of a third-country Critical ICT Third-Party Provider if such provider establishes a subsidiary in the EU within 12 months following its designation as a Critical ICT Third-Party Provider.

A simplified set of ICT risk framework requirements will apply to certain Financial Entities, including small and non-interconnected investment firms and payment institutions exempted under the Second Payment Services Directive. Such entities will need to comply with a reduced set of requirements under DORA, including the requirement to put in place and maintain a sound and documented risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of all ICT risks, including for the protection of relevant physical components and infrastructures.

What should firms be doing now to prepare?

Although it is not expected that DORA will apply to in-scope entities until late 2024 (see below), firms should now begin
considering the steps that they will need to take to ensure day one compliance. These include:

  • Scope out impact

Taking a risk-based approach reflective of their size, nature, scale and the complexity of their services and operations, Financial Entities should begin to scope out the impact of DORA on their business. Firms should carry out a comprehensive gap analysis of their existing ICT-risk management processes against the new requirements introduced by DORA to identify any aspects of their existing processes that will be impacted by the new requirements and develop detailed implementation plans setting out the steps that will need to be taken to effect relevant changes. As part of this, Financial Entities should ensure that they have in place appropriate:

(i) capabilities to enable a strong and effective ICT risk management environment;

(ii) mechanisms and policies for handling all ICT-related incidents and reporting major incidents; and

(iii) policies for the testing of ICT systems, controls and processes and the management of ICT third-party risk.

This process will be iterative as some of the more detailed requirements of DORA will be further developed through technical standards to be published by the ESAs in due course.

  • Critical ICT Third-Party Providers

Critical ICT Third-Party Providers will be required to have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to Financial Entities. Although DORA provides that the designation mechanism (pursuant to which the ESAs may designate an ICT third-party service provider as « critical ») must not be used until the Commission has adopted a delegated act specifying further details on the criteria to be used in making such an assessment (to be adopted within 18 months after the date on which DORA enters into force), it is expected that certain categories of providers, such as cloud computing service providers who provide ICT services to Financial Entities, will be designated as Critical Third-Party Providers.

Consequently, such providers may wish to begin the task of benchmarking their existing systems, controls and processes against existing guidelines, such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements, to the extent required, to identify areas that require further investment and maturity. They will also need to consider whether new and existing contracts give them sufficient flexibility to comply with new regulatory rules, orders and directions, even if this would otherwise be inconsistent with their contractual obligations. As set out above, certain categories of ICT third-party service providers are expressly excluded from the designation mechanism, including Financial Entities providing ICT services to other Financial Entities, ICT intra-group service providers and ICT third-party service providers providing ICT services solely in one Member State to Financial Entities that are only active in that Member State.

  • Third Country Critical ICT – Third-Party Providers – Subsidiarisation

The EU subsidiarisation requirement that will apply to third country Critical ICT Third-Party Providers is one that will necessitate early engagement between such providers and the Financial Entities that they serve. While it is not clear what role the EU subsidiary must play in the provision of services to the relevant Financial Entity (e.g. whether the provider must act as contractual counterparty), Recital 58 of DORA indicates that the requirement to set up a subsidiary in the EU does not prevent ICT services and related technical support from being provided from facilities and infrastructures located outside the EU. Nevertheless, where a relevant third country ICT third-party provider that is likely to be designated as « critical » indicates that it does not intend to establish a subsidiary in the EU, even following a designation as such by the ESAs, Financial Entities may wish to commence the process of identifying alternative providers, since they will not be permitted to obtain ICT services from a third country Critical ICT Third-Party Provider that fails to establish a subsidiary in the EU within 12 months following its designation as critical.

Companies that consider they are likely to be classified as Critical ICT Third-Party Providers that do not already have an establishment or subsidiary located in the EU should begin to consider now which Member State would be most appropriate to establish a new subsidiary in, taking into account their business operations and the various applicable legal requirements.

  • Documentation impact

As noted above, DORA sets out core contractual rights in relation to several elements in the performance and termination of contracts with a view to enshrine certain minimum safeguards underpinning the ability of Financial Entities to monitor effectively all risk emerging at ICT third-party level. Some contractual requirements set out in DORA are mandatory and will need to be included in contracts, if not already reflected. Others take the form of principles and recommendations and may require negotiation between the relevant parties. Early mapping and engagement in this respect will be important. Additionally, parties may wish to consider benchmarking their existing contractual arrangements against relevant requirements set out in DORA, as well as existing standard contractual clauses developed by EU institutions.

For example, Recital 55 of DORA notes that « the voluntary use of contractual clauses developed by the Commission for cloud computing services may provide comfort for Financial Entities and ICT third-party providers by enhancing the level of legal certainty on the use of cloud computing services in full alignment with requirements and expectations set out by the financial services regulation ».

As the industry awaits more detailed technical standards to be developed and published by the relevant ESAs, as well as DORA compromise/Level 1 text, in-scope entities may consider using existing guidelines such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements as useful benchmarking tools in preparation for day one compliance.

How does DORA interact with NIS2?

The second iteration of the Security of Network and Information Systems Directive (NIS2) aims to strengthen security requirements and provide further harmonisation of Member States’ cybersecurity laws, replacing the original NIS Directive of 2016 (NIS1). Its timeline is similar to that for DORA, with a provisional agreement among EU institutions reached in May 2022, and its adoption confirmed in a European Parliament plenary session vote on 10 November 2022. NIS2 significantly extends the scope of NIS1 by adding new sectors, including « digital providers » such as social media platforms and online marketplaces, for example, but importantly also introduces uniform size criteria for assessing whether certain financial institutions (and other entities) fall within its scope. NIS2 sets out cybersecurity risk management and reporting obligations for relevant organisations, as well as obligations on cybersecurity information sharing, so there is some overlap in coverage with DORA.

However, this has been addressed during the legislative process to ensure that financial entities will have full clarity on the different rules on digital operational resilience that they need to comply with when operating within the EU. NIS2 specifically provides that any overlap will be addressed by DORA being considered as lex specialis (ie a more specific law that will override the more general NIS2 provisions).

How does DORA compare with international developments?

The introduction of DORA in the EU reflects a global focus on operational resilience and strengthening cybersecurity standards in the wake of ever-increasing digitalisation of financial services and increasingly sophisticated cyber incidents. For example, in March 2021, the Basel Committee on Banking Supervision issued its Principles for operational resilience, as well as an updated set of Principles for the sound management of operational risk (PSMOR), which aim to make banks better able to withstand, adapt to and recover from severe adverse events.

In October 2022, following a G20 request, the Financial Stability Board (FSB) published a consultation on Achieving Greater Convergence in Cyber Incident Reporting, recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability and with a view to ensuring that financial institutions operating across borders are not subject to multiple conflicting regimes. The FSB proposals include recommendations to address the challenges to achieving greater international convergence in cyber incident reporting, work on establishing common terminologies related to cyber incidents and a proposal to develop a common format for incident reporting exchange.

Following its departure from the EU, the UK has introduced a Financial Services and Markets Bill (the UK Bill) which includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures. HM Treasury would have powers to designate service suppliers as ‘critical’ and the UK regulators would have new powers to directly oversee designated suppliers, which would be subject to new minimum resilience standards. While the proposals have the same ambitions as, and there are similarities with, the requirements under DORA, there are a number of key differences between them.

For example, the proposed enforcement regime under DORA for Critical ICT Third-Party Providers is very different from the equivalent regime proposed by the UK Bill. Under DORA, the ESAs will be designated as « Lead Overseers », but with the power only to make ‘recommendations’ to Critical ICT Third-Party Providers, in contrast to the ability for UK regulators to make rules applying to, or to give directions to, critical third parties subject to the UK Bill, with the ability to issue sanctions for non-compliance. Under DORA, non-compliance by a Critical ICT Third-Party Provider with recommendations gives the Lead Overseer the ability to notify and publicise such non-compliance and « as a last resort » the option to require Financial Entities to temporarily suspend services provided by such provider until the relevant risks identified in the recommendations have been addressed.

This means that the liability and contractual issues for Critical ICT Third-Party Providers providing services in the EU will be different than for those providing services in the UK, and that contracts for each will need to be considered and negotiated carefully.

Next steps and legislative timeline

Following adoption of DORA by the European Parliament plenary session on 10 November 2022, the regulation is now passing through the final technical stages of the formal procedure for European legislation. The text still needs to be formally approved by the Council of the EU before being published in the Official Journal, which is expected in December 2022 or January 2023.

DORA will come into effect on the twentieth day following the day on which it is published in the Official Journal. It will apply, with direct effect, 24 months from the date on which it enters into force. Therefore, it is expected that DORA will apply to in-scope firms from late 2024 or early 2025 at the latest.

click-here-to-access-clifford-chances-comments-nov-2022-3Télécharger

Financial Risk Management – Global Practice Analysis Report

Publié le par hanswillertbleuazurconsultingeu

Survey participants indicated they are involved in the daily practice of financial risk management as financial risk managers, in supervisory roles, as consultants, academics and trainers, auditors and regulators. They self-identified as highly educated — 71 percent hold a Master’s degree or higher. While 61 percent of respondents had more than five year’s experience in the financial services industry, less than half — 41 percent — had more than five year’s experience in financial risk management. This indicates that experienced financial services professionals enter the field of risk management from other areas of responsibility at financial institutions.

GARP1

More than 40 percent of respondents worked at banks, with consulting and asset management firms employing 17 and 16 percent, respectively. Approximately one-third of respondents hold the title of risk manager, one-quarter are analysts and 11 percent are consultants. Approximately 61 percent are employed at firms with more than 1,000 employees.

The GARP Global Practice Analysis survey addressed 49 specific tasks across six process-based domains. Respondents were asked to assign an importance rating from 1 (not important) to 4 (extremely important) to each task. Significantly, all 49 tasks were found to be important on the 4-point Importance Scale, meeting the industry best-practices threshold of 2.5 out of 4. Forty-seven of the 49 tasks received a mean importance rating of at least 3.0, indicating that these tasks are considered of moderate to high importance to the work of financial risk managers.

The top five tasks identified by respondents as most important, earning a mean importance rating of at least 3.3 among all survey respondents, are to:

  1. Identify signs of potential risk based on exposure, trends, monitoring systems regulatory and environmental change, organizational culture and behavior.
  2. Analyze and assess underlying risk drivers and risk interconnections.
  3. Communicate with relevant business stakeholders.
  4. Monitor risk exposure in comparison to limits and tolerances.
  5. Evaluate materiality of risk and impact on business.

The five tasks identified as least important, with a mean importance rating of or below 3.0 among all respondents, are:

  1. Create and inventory of models.
  2. Generate, validate, and communicate standardized risk reports for external purposes.
  3. Develop transparent model documentation for independent replication/validation.
  4. Set capital allocations and risk budgets in accordance with risk management framework.
  5. Recommend policy revisions as necessary.

Respondents were asked to identify at what level of experience each task should be part of the financial risk manager’s profile, according to a five-level Experience Scale:

  • Not necessary
  • Less than 2 years
  • 2 to 5 years
  • 6 to 10 years
  • More than 10 years

One-half of respondents indicated that financial risk managers should be able to perform all 49 tasks within the first five years of practice.

More than 77 percent of respondents said financial risk managers should be able to perform these specific tasks within their first five years of practice in financial risk management:

  • Monitor risk exposure in comparison to limits and tolerances
  • Define and determine type of risk (e.g., credit, market, operational) by classifying risk factors using a consistent risk taxonomy
  • Gather quantitative data to perform model evaluation
  • Select monitoring methods and set frequency (e.g., intra-daily, daily, weekly, monthly)
  • Gather qualitative information to perform model evaluation
  • Generate, validate, and communicate standardized risk reports for internal purposes (e.g., staff, executive management, board of directors)
  • Identify risk owners
  • Investigate why limits are exceeded by performing root-cause analysis
  • Analyze and assess underlying risk drivers and risk interconnections
  • Escalate breach when limits or alert levels are exceeded according to risk management plan/policies/strategies
  • Generate, validate, and communicate ad hoc reports to meet specific requirements
  • Escalate unusual behavior or potential risks according to risk management plan/ policies/strategies

GARP2

Financial risk managers are vital to any integrated financial system of managing and communicating risk. The GPA study is a contemporary and comprehensive description of the work of risk managers across work settings, geographic regions, job roles and experience levels.

The process of a practice analysis is important for programs that desire to continually evolve and reflect the critical knowledge and tasks in the industry. It is important for practitioners who desire to evolve and be successful in their career.

Click here to access GARP’s detailed survey report