Implementing combined audit assurance

Publié le par hanswillertbleuazurconsultingeu

ASSESS IMPACT & CREATE AN ASSURANCE MAP

The audit impact assessment and assurance map are interdependent—and the best possible starting point for your combined assurance journey. An impact assessment begins with a critical look at the current or “as is” state of your organization. As you review your current state, you build out your assurance map with your findings. You can’t really do one without the other. The map, then, will reveal any overlaps and gaps, and provide insight into the resources, time, and costs you might require during your implementation. Looking at an assurance map example will give you a better idea of what we’re talking about. The Institute of Chartered Accountants of England and Wales (ICAEW) has an excellent template.

Galv4

The ICAEW has also provided a guide to building a sound assurance map. The institute suggests you take the following steps:

  1. Identify your sponsor (the main user/senior staff member who will act as a champion).
  2. Determine your scope (identify elements that need assurance, like operational/ business processes, board-level risks, governance, and compliance).
  3. Assess the required amount of assurance for each element (understand what the required or desired amount of assurance is across aspects of the organization).
  4. Identify and list your assurance providers in each line of defense (e.g., audit committee or risk committee in the third line).
  5. Identify your assurance activities (compile and review relevant documentation, select and interview area leads, collate and assess assurance provider information).
  6. Reassess your scope (revisit and update your map scope, based on the information you have gathered/evaluated to date).
  7. Assess the quality of your assurance activities (look at breadth and depth of scope, assurance provider competence, how often activities are reviewed, and the strengths/quality of assurance delivered by each line of defense).
  8. Assess the aggregate actual amount of assurance for each element (the total amount of assurance needs to be assessed, collating all the assurance being provided by each line of defense).
  9. Identify the gaps and overlaps in assurance for each element (compare the actual amount of assurance with the desired amount to determine if there are gaps or overlaps).
  10. Determine your course of action (make recommendations for the actions to be taken/activities to be performed moving forward).

Just based on the steps above, you could understand how your desired state evolves by the time you reach step 10. Ideally, by this point, gaps and overlaps have been eliminated. But the steps we just reviewed don’t cover the frequency of each review and they don’t determine costs. So we’ve decided to add a few more steps to round it out:

  1. Assess the frequency of each assurance activity.
  2. Identify total cost for all the assurance activities in the current state.
  3. Identify the total cost for combined assurance (i.e., when gaps and overlaps have been addressed, and any consequent benefits or cost savings).

DEFINE THE RISKS OF IMPLEMENTATION

Implementing combined assurance is a project, and like any project, there’s a chance it can go sideways and fail, losing you both time and money. So, just like anything else in business, you need to take a risk-based approach. As part of this stage, you’ll want to clearly define the risks of implementing a combined assurance program, and add these risks, along with a mitigation plan and the expected benefits, to your tool kit. As long as the projected benefits of the project outweigh the residual risks and costs, the implementation program is worth pursuing. You’ll need to be able to demonstrate that a little further down the process.

DEFINE RESOURCES & DELIVERABLES

Whoever will own the project of implementing combined assurance will no doubt need dedicated resources in order to execute. So, who do we bring in? On first thought, the internal audit team looks best suited to drive the program forward. But, during the implementation phase, you’ll actually want a cross-functional team of people from internal control, risk, and IT, to work alongside internal audit. So, when you’re considering resourcing, think about each and every team this project touches. Now you know who’s going to do the work, you’ll want to define what they’re doing (key milestones) and when it will be delivered (time frame). And finally, define the actual benefits, as well as the tangible deliverables/outcomes of implementing combined assurance. (The table below provides some examples, but each organization will be unique.)

Galv1

RAISE AWARENESS & GET MANAGEMENT COMMITMENT

Congratulations! You’re now armed with a fancy color-coded impact assessment, and a full list of risks, resources, and deliverables. The next step is to clearly communicate and share the driving factors behind your combined assurance initiative. If you want them to support and champion your efforts, top management will need to be able to quickly take in and understand the rationale behind your desire for combined assurance. Critical output: You’ll want to create a presentation kit of sorts, including the assurance map, lists of risks, resources, and deliverables, a cost/benefit analysis, and any supporting research or frameworks (e.g., the King IV Report, FRC Corporate Governance Code, available industry analysis, and case studies). Chances are, you’ll be presenting this concept more than once, so if you can gather and organize everything in a single spot, that will save a lot of headaches down the track.

ASSIGN ACCOUNTABILITY

When we ask the question, “Who owns the implementation of combined assurance?”, we need to consider two main things:

  • Who would be most impacted if combined assurance were implemented?
  • Who would be senior enough to work across teams to actually get the job done?

It’s evident that a board/C-level executive should lead the project. This project will be spanning multiple departments and require buy-in from many people—so you need someone who can influence and convince. Therefore, we feel that the chief audit executive (CAE) and/or the chief revenue officer (CRO) should be accountable for implementing combined assurance. The CAE literally stands at the intersection of internal and external assurance. Where reliance is placed on the work of others, the CAE is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity. And the CRO is taking a more active interest in assurance maps as they become increasingly more risk-focused. The Institute of Internal Auditors (IIA), Standard 2050, also assigns accountability to the CAE, stating: “The chief audit executive should share information and coordinate activities with other internal and external assurance providers and consulting services to ensure proper coverage and minimize duplication of effort.” So, not only is the CAE at the intersection of assurance, they’re also directing traffic—exactly the combination we need to drive implementation.

Envisioning the solution

You’ve summarized the current/“as is” state in your assurance map. Now it’s time to move into a future state of mind and envision your desired state. What does your combined assurance solution look like? And, more critically, how will you create it? This stage involves more assessment work. Only now you’ll be digging into the maturity levels of your organization’s risk management and internal audit process, as well as the capabilities and maturity of your Three Lines of Defense. This is where you answer the questions, “What do I want?”, and “Is it even feasible?” Some make-or-break capability factors for implementing combined assurance include:

  1. Corporate risk culture Risk culture and risk appetite shape an organization’s decision-making, and that culture is reflected at every level. Organizations who are more risk-averse tend to be unwilling to make quick decisions without evidence and data. On the other hand, risk-tolerant organizations take more risks, make rapid decisions, and pivot quickly, often without performing due diligence. How will your risk culture shape your combined assurance program?
  2. Risk management awareness If employees don’t know—and don’t prioritize— how risk can and should be managed in your organization, your implementation program will fail. Assurance is very closely tied to risk, so it’s important to communicate constantly and make people aware that risk at every level must be adequately managed.
  3. Risk management processes We just stated that risk and assurance are tightly coupled, so it makes sense that the more mature your risk management processes are, the easier it will be to implement combined assurance. Mature risk management means you’ve got processes defined, documented, running, and refined. For the lucky few who have all of these things, you’re going to have a much easier time compared to those who don’t.
  4. Risk & controls taxonomy Without question, you will require a common risk and compliance language. We can’t have people making up names for tools, referring to processes in different ways, or worst of all, reporting on totally random KPIs. The result of combined assurance should be “one language, one voice, one view” of the risks and issues across the organization.
  5. System & process integrations An integrated system where there is one set of risks and one set of controls is key to delivering effective combined assurance. This includes: Risk registers across the organization, Controls across the organization Issues and audit findings, Reporting.
  6. Technology use Without dedicated software technology, it’s extremely difficult to provide a sustainable risk management system with sound processes, a single taxonomy, and integrated risks and controls. How technology is used in your organization will determine the sustainability of combined assurance. (If you already have a risk management and controls platform that has these integration capabilities, implementation will be easier.)
  7. Using assurance maps as monitoring tools Assurance maps aren’t just for envisioning end-states; they’re also critical monitoring tools that can feed data into your dashboard. They can inform your combined assurance dashboard, to help report on progress.
  8. Continuous improvement mechanisms A mature program will always have improvement mechanisms and feedback loops to incorporate user and stakeholder feedback. A lack of this feedback mechanism will impact the continued effectiveness of combined assurance.

We now assess the maturity of these factors (plus any others that you find relevant) and rank them on a scale of 1-4:

  • Level 1: Not achieved (0-15% of target).
  • Level 2: Partially achieved (15-50%).
  • Level 3: Largely achieved (50-85%).
  • Level 4: Achieved (85-100%).

This rating scale is based on the ISO/IEC 15504 that assigns a rating to the degree each objective (process capability) is achieved. An example of a combined assurance capability maturity assessment can be seen in Figure 2.

Galv2

GAP ANALYSIS

Once the desired levels for all of the factors are agreed on and endorsed by senior management, the next step is to undertake a gap analysis. The example in Figure 2 shows that the current overall maturity level is a 2 and the desired level is a 3 or 4 for each factor. The gap for each factor needs to be analyzed for the activities and resources required to bridge it. Then you can envision the solution and create a roadmap to bridge the gap(s).

SOLUTION VISION & ROADMAP

An example solution vision and roadmap could be:

  • We will use the same terminology and language for risk in all parts of the organization, and establish a single risk dictionary as a central repository.
  • All risks will be categorized according to severity and criticality and be mapped to assurance providers to ensure that no risk is assessed by more than one provider.
  • A rolling assurance plan will be prepared to ensure that risks are appropriately prioritized and reviewed at least once every two years.
  • An integrated, real-time report will be available on demand to show the status, frequency, and coverage of assurance activities.
  • The integrated report/assurance map will be shared with the board, audit committee, and risk committee regularly (e.g., quarterly or half-yearly).
  • To enable these capabilities, risk capture, storage, and reporting will be automated using an integrated software platform.

Figure 3 shows an example roadmap to achieve your desired maturity level.

Galv3

Click here to access Galvanize’s Risk Manangement White Paper

 

From Risk to Strategy : Embracing the Technology Shift

Publié le par hanswillertbleuazurconsultingeu

The role of the risk manager has always been to understand and manage threats to a given business. In theory, this involves a very broad mandate to capture all possible risks, both current and future. In practice, however, some risk managers are assigned to narrower, siloed roles, with tasks that can seem somewhat disconnected from key business objectives.

Amidst a changing risk landscape and increasing availability of technological tools that enable risk managers to do more, there is both a need and an opportunity to move toward that broader risk manager role. This need for change – not only in the risk manager’s role, but also in the broader approach to organizational risk management and technological change – is driven by five factors.

Marsh Ex 1

The rapid pace of change has many C-suite members questioning what will happen to their business models. Research shows that 73 percent of executives predict significant industry disruption in the next three years (up from 26 percent in 2018). In this challenging environment, risk managers have a great opportunity to demonstrate their relevance.

USING NEW TOOLS TO MANAGE RISKS

Emerging technologies present compelling opportunities for the field of risk management. As discussed in our 2017 report, the three levers of data, analytics, and processes allow risk professionals a framework to consider technology initiatives and their potential gains. Emerging tools can support risk managers in delivering a more dynamic, in-depth view of risks in addition to potential cost-savings.

However, this year’s survey shows that across Asia-Pacific, risk managers still feel they are severely lacking knowledge of emerging technologies across the business. Confidence scores were low in all but one category, risk management information systems (RMIS). These scores were only marginally higher for respondents in highly regulated industries (financial services and energy utilities), underscoring the need for further training across all industries.

Marsh Ex 3

When it comes to technology, risk managers should aim for “digital fluency, a level of familiarity that allows them to

  • first determine how technologies can help address different risk areas,
  • and then understand the implications of doing so.

They need not understand the inner workings of various technologies, as their niche should remain aligned with their core expertise: applying risk technical skills, principles, and practices.

CULTIVATING A “DIGITAL-FIRST” MIND-SET

Successful technology adoption does not only present a technical skills challenge. If risk function digitalization is to be effective, risk managers must champion a cultural shift to a “digital-first” mindset across the organization, where all stakeholders develop a habit of thinking about how technology can be used for organizational benefit.

For example, the risk manager of the future will be looking to glean greater insights using increasingly advanced analytics capabilities. To do this, they will need to actively encourage their organization

  • to collect more data,
  • to use their data more effectively,
  • and to conduct more accurate and comprehensive analyses.

Underlying the risk manager’s digitalfirst mind-set will be three supporting mentalities:

1. The first of these is the perception of technology as an opportunity rather than a threat. Some understandable anxiety exists on this topic, since technology vendors often portray technology as a means of eliminating human input and labor. This framing neglects the gains in effectiveness and efficiency that allow risk managers to improve their judgment and decision making, and spend their time on more value-adding activities. In addition, the success of digital risk transformations will depend on the risk professionals who understand the tasks being digitalized; these professionals will need to be brought into the design and implementation process right from the start. After all, as the Japanese saying goes, “it is workers who give wisdom to the machines.” Fortunately, 87 percent of PARIMA surveyed members indicated that automating parts of the risk manager’s job to allow greater efficiency represents an opportunity for the risk function. Furthermore, 63 percent of respondents indicated that this was not merely a small opportunity, but a significant one (Exhibit 6). This positive outlook makes an even stronger statement than findings from an earlier global study in which 72 percent of employees said they see technology as a benefit to their work

2. The second supporting mentality will be a habit of looking for ways in which technology can be used for benefit across the organization, not just within the risk function but also in business processes and client solutions. Concretely, the risk manager can embody this culture by adopting a data-driven approach, whereby they consider:

  • How existing organizational data sources can be better leveraged for risk management
  • How new data sources – both internal and external – can be explored
  • How data accuracy and completeness can be improved

“Risk managers can also benefit from considering outside-the-box use cases, as well as keeping up with the technologies used by competitors,” adds Keith Xia, Chief Risk Officer of OneHealth Healthcare in China.

This is an illustrative rather than comprehensive list, as a data-driven approach – and more broadly, a digital mind-set – is fundamentally about a new way of thinking. If risk managers can grow accustomed to reflecting on technologies’ potential applications, they will be able to pre-emptively spot opportunities, as well as identify and resolve issues such as data gaps.

3. All of this will be complemented by a third mentality: the willingness to accept change, experiment, and learn, such as in testing new data collection and analysis methods. Propelled by cultural transformation and shifting mind-sets, risk managers will need to learn to feel comfortable with – and ultimately be in the driver’s seat for – the trial, error, and adjustment that accompanies digitalization.

MANAGING THE NEW RISKS FROM EMERGING TECHNOLOGIES

The same technological developments and tools that are enabling organizations to transform and advance are also introducing their own set of potential threats.

Our survey shows the PARIMA community is aware of this dynamic, with 96 percent of surveyed members expecting that emerging technologies will introduce some – if not substantial – new risks in the next five years.

The following exhibit gives a further breakdown of views from this 96 percent of respondents, and the perceived sufficiency of their existing frameworks. These risks are evolving in an environment where there are already questions about the relevance and sufficiency of risk identification frameworks. Risk management has become more challenging due to the added complexity from rapid shifts in technology, and individual teams are using risk taxonomies with inconsistent methodologies, which further highlight the challenges that risk managers face in managing their responses to new risk types.

Marsh Ex 9

To assess how new technology in any part of the organization might introduce new risks, consider the following checklist :

HIGH-LEVEL RISK CHECKLIST FOR EMERGING TECHNOLOGY

  1. Does the use of this technology cut across existing risk types (for example, AI risk presents a composite of technology risk, cyber risk, information security risk, and so on depending on the use case and application)? If so, has my organization designated this risk as a new, distinct category of risk with a clear definition and risk appetite?
  2. Is use of this technology aligned to my company’s strategic ambitions and risk appetite ? Are the cost and ease of implementation feasible given my company’s circumstances?
  3. Can this technology’s implications be sufficiently explained and understood within my company (e.g. what systems would rely on it)? Would our use of this technology make sense to a customer?
  4. Is there a clear view of how this technology will be supported and maintained internally, for example, with a digitally fluent workforce and designated second line owner for risks introduced by this technology (e.g. additional cyber risk)?
  5. Has my company considered the business continuity risks associated with this technology malfunctioning?
  6. Am I confident that there are minimal data quality or management risks? Do I have the high quality, large-scale data necessary for advanced analytics? Would customers perceive use of their data as reasonable, and will this data remain private, complete, and safe from cyberattacks?
  7. Am I aware of any potential knock-on effects or reputational risks – for example, through exposure to third (and fourth) parties that may not act in adherence to my values, or through invasive uses of private customer information?
  8. Does my organization understand all implications for accounting, tax, and any other financial reporting obligations?
  9. Are there any additional compliance or regulatory implications of using this technology? Do I need to engage with regulators or seek expert advice?
  10. For financial services companies: Could I explain any algorithms in use to a customer, and would they perceive them to be fair? Am I confident that this technology will not violate sanctions or support crime (for example, fraud, money laundering, terrorism finance)?

SECURING A MORE TECHNOLOGY-CONVERSANT RISK WORKFORCE

As risk managers focus on digitalizing their function, it is important that organizations support this with an equally deliberate approach to their people strategy. This is for two reasons, as Kate Bravery, Global Solutions Leader, Career at Mercer, explains: “First, each technological leap requires an equivalent revolution in talent; and second, talent typically becomes more important following disruption.”

While upskilling the current workforce is a positive step, as addressed before, organizations must also consider a more holistic talent management approach. Risk managers understand this imperative, with survey respondents indicating a strong desire to increase technology expertise in their function within the next five years.

Yet, little progress has been made in adding these skills to the risk function, with a significant gap persisting between aspirations and the reality on the ground. In both 2017 and 2019 surveys, the number of risk managers hoping to recruit technology experts has been at least 4.5 times the number of teams currently possessing those skills.

Marsh Ex 15

EMBEDDING RISK CULTURE THROUGHOUT THE ORGANIZATION

Our survey found that a lack of risk management thinking in other parts of the organization is the biggest barrier the risk function faces in working with other business units. This is a crucial and somewhat alarming finding – but new technologies may be able to help.

Marsh Ex 19

As technology allows for increasingly accurate, relevant, and holistic risk measures, organizations should find it easier to develop risk-based KPIs and incentives that can help employees throughout the business incorporate a risk-aware approach into their daily activities.

From an organizational perspective, a first step would be to describe risk limits and risk tolerance in a language that all stakeholders can relate to, such as potential losses. Organizations can then cascade these firm-wide risk concepts down to operational business units, translating risk language into tangible and relevant incentives that encourages behavior that is consistent with firm values. Research shows that employees in Asia want this linkage, citing a desire to better align their individual goals with business goals.

The question thus becomes how risk processes can be made an easy, intuitive part of employee routines. It is also important to consider KPIs for the risk team itself as a way of encouraging desirable behavior and further embedding a risk-aware culture. Already a majority of surveyed PARIMA members use some form of KPIs in their teams (81 percent), and the fact that reporting performance is the most popular service level measure supports the expectation that PARIMA members actively keep their organization informed.

Marsh Ex 21

At the same time, these survey responses also raise a number of questions. Forty percent of organizations indicate that they measure reporting performance, but far fewer are measuring accuracy (15 percent) or timeliness (16 percent) of risk analytics – which are necessary to achieve improved reporting performance. Moreover, the most-utilized KPIs in this year’s survey tended to be tangible measures around cost, from which it can be difficult to distinguish a mature risk function from a lucky one.

SUPPORTING TRANSFORMATIONAL CHANGE PROGRAMS

Even with a desire from individual risk managers to digitalize and complement organizational intentions, barriers still exist that can leave risk managers using basic tools. In 2017, cost and budgeting concerns were the single, standout barrier to risk function digitalization, chosen by 67 percent of respondents, well clear of second placed human capital concerns at 18 percent. This year’s survey responses were much closer, with a host of ongoing barriers, six of which were cited by more than 40 percent of respondents.

Marsh Ex 22

Implementing the nuts and bolts of digitalization will require a holistic transformation program to address all these barriers. That is not to say that initiatives must necessarily be massive in scale. In fact, well-designed initiatives targeting specific business problems can be a great way to demonstrate success that can then be replicated elsewhere to boost innovation.

Transformational change is inherently difficult, in particular where it spans both technological as well as people dimensions. Many large organizations have generally relied solely on IT teams for their “digital transformation” initiatives. This approach has had limited success, as such teams are usually designed to deliver very specific business functionalities, as opposed to leading change initiatives. If risk managers are to realize the benefits of such transformation, it is incumbent on them to take a more active role in influencing and leading transformation programs.

Click here to access Marsh’s and Parima’s detailed report

Financial Risk Management – Global Practice Analysis Report

Publié le par hanswillertbleuazurconsultingeu

Survey participants indicated they are involved in the daily practice of financial risk management as financial risk managers, in supervisory roles, as consultants, academics and trainers, auditors and regulators. They self-identified as highly educated — 71 percent hold a Master’s degree or higher. While 61 percent of respondents had more than five year’s experience in the financial services industry, less than half — 41 percent — had more than five year’s experience in financial risk management. This indicates that experienced financial services professionals enter the field of risk management from other areas of responsibility at financial institutions.

GARP1

More than 40 percent of respondents worked at banks, with consulting and asset management firms employing 17 and 16 percent, respectively. Approximately one-third of respondents hold the title of risk manager, one-quarter are analysts and 11 percent are consultants. Approximately 61 percent are employed at firms with more than 1,000 employees.

The GARP Global Practice Analysis survey addressed 49 specific tasks across six process-based domains. Respondents were asked to assign an importance rating from 1 (not important) to 4 (extremely important) to each task. Significantly, all 49 tasks were found to be important on the 4-point Importance Scale, meeting the industry best-practices threshold of 2.5 out of 4. Forty-seven of the 49 tasks received a mean importance rating of at least 3.0, indicating that these tasks are considered of moderate to high importance to the work of financial risk managers.

The top five tasks identified by respondents as most important, earning a mean importance rating of at least 3.3 among all survey respondents, are to:

  1. Identify signs of potential risk based on exposure, trends, monitoring systems regulatory and environmental change, organizational culture and behavior.
  2. Analyze and assess underlying risk drivers and risk interconnections.
  3. Communicate with relevant business stakeholders.
  4. Monitor risk exposure in comparison to limits and tolerances.
  5. Evaluate materiality of risk and impact on business.

The five tasks identified as least important, with a mean importance rating of or below 3.0 among all respondents, are:

  1. Create and inventory of models.
  2. Generate, validate, and communicate standardized risk reports for external purposes.
  3. Develop transparent model documentation for independent replication/validation.
  4. Set capital allocations and risk budgets in accordance with risk management framework.
  5. Recommend policy revisions as necessary.

Respondents were asked to identify at what level of experience each task should be part of the financial risk manager’s profile, according to a five-level Experience Scale:

  • Not necessary
  • Less than 2 years
  • 2 to 5 years
  • 6 to 10 years
  • More than 10 years

One-half of respondents indicated that financial risk managers should be able to perform all 49 tasks within the first five years of practice.

More than 77 percent of respondents said financial risk managers should be able to perform these specific tasks within their first five years of practice in financial risk management:

  • Monitor risk exposure in comparison to limits and tolerances
  • Define and determine type of risk (e.g., credit, market, operational) by classifying risk factors using a consistent risk taxonomy
  • Gather quantitative data to perform model evaluation
  • Select monitoring methods and set frequency (e.g., intra-daily, daily, weekly, monthly)
  • Gather qualitative information to perform model evaluation
  • Generate, validate, and communicate standardized risk reports for internal purposes (e.g., staff, executive management, board of directors)
  • Identify risk owners
  • Investigate why limits are exceeded by performing root-cause analysis
  • Analyze and assess underlying risk drivers and risk interconnections
  • Escalate breach when limits or alert levels are exceeded according to risk management plan/policies/strategies
  • Generate, validate, and communicate ad hoc reports to meet specific requirements
  • Escalate unusual behavior or potential risks according to risk management plan/ policies/strategies

GARP2

Financial risk managers are vital to any integrated financial system of managing and communicating risk. The GPA study is a contemporary and comprehensive description of the work of risk managers across work settings, geographic regions, job roles and experience levels.

The process of a practice analysis is important for programs that desire to continually evolve and reflect the critical knowledge and tasks in the industry. It is important for practitioners who desire to evolve and be successful in their career.

Click here to access GARP’s detailed survey report

 

EIOPA: Peer review assessing how National Competent Authorities (NCAs) supervise and determine whether an insurer’s set­ting of key functions fulfils the legal requirements of Solvency II

Publié le par hanswillertbleuazurconsultingeu

The main task of the European Insurance and Occupational Pensions Authority (EIOPA) is to

  • enhance supervisory convergence,
  • strengthen consumer protection
  • and preserve financial stability.

In the context of enhancing supervisory convergence and in accordance with its mandate, EIOPA regularly conducts peer reviews, working closely with national competent authorities (NCAs), with the aim of strengthening both the convergence of supervisory practices across Europe and the capacity of NCAs to conduct high-quality and effective supervision.

In line with its mandate, the outcome of peer reviews, including identified best practices, are to be made public with the agreement of the NCAs that have been subject to the review.

BACKGROUND AND OBJECTIVES

Enhancing the governance system of insurers is one of the major goals of Solvency II (SII). The four key functions (risk management, actuarial, compliance and internal audit) as required under the SII regulation are an essential part of the system of governance. These key functions are expected to be operationally independent to ensure an effective and robust internal control environment within an insurer and support high quality of decision making by the management. At the same time it is also important that these governance requirements are not overly burdensome for small and medium-sized insurers. Therefore SII allows NCAs to apply the principle of proportionality in relation to compliance with key function holder requirements for those insurers.

Under SII, insurers may combine key functions in one holder. However, such combinations have to be justified by the principle of proportionality and insurers need to properly address the underlying conflicts of interest. Holding a key function should generally not be combined with administrative, management or supervisory body (AMSB) membership or with operational tasks because of their controlling objective. Thus, these combinations should rather occur in exceptional cases, taking into account a risk-based approach and the manner in which the insurer avoids and manages any potential conflict of interest.

This peer review assesses how NCAs supervise and determine whether an insurer’s setting of key functions fulfils the legal requirements of SII with a particular emphasis on proportionality. The peer review examines practices regarding:

  • combining key functions under one holder;
  • combining key functions with AMSB membership or with carrying out operational tasks;
  • subordination of one key function under another key function;
  • split of one key function among several holders;
  • assessment of the fitness of key function holders; and
  • outsourcing of key functions.

The period examined under the scope of this peer review was 2016 but also covered supervisory practices executed before 2016 in the preparatory stage of SII. The peer review was conducted among NCAs from the European Economic Area (EEA) on the basis of EIOPA’s Methodology for conducting Peer Reviews (Methodology).

Detailed information was gathered in the course of the review. All NCAs completed an initial questionnaire. This was followed by fieldwork comprising visits to 8 NCAs and 30 conference calls.

MAIN FINDINGS

The review showed that NCAs in general apply the principle of proportionality and that they have adopted similar approaches.

SUMMARY RESULTS OF THE COMPARATIVE ANALYSIS

  • Supervisory framework: Approximately half of NCAs use written supervisory guidance for the application of the principle of proportionality. Larger NCAs in particular use written supervisory guidance in order to ensure consistency of their supervisory practice among their supervisory staff.
  • Approach of NCAs: Most NCAs have a similar approach. NCAs assess the insurers’ choice of key function holders at the time of initial notification regarding the key function holder’s appointment. If any concerns are noted at this stage, for example regarding combinations or fitness, NCAs generally challenge and discuss these issues with the insurer, rather than issuing formal administrative decisions.
  • Combining key functions in one holder: This occurs in almost all countries. The most frequent combinations are between risk management and actuarial functions and between risk management and compliance functions. Combinations are most commonly used by smaller insurers but are also seen in large insurers. EIOPA has identified the need to draw the attention of NCAs to the need to challenge combinations more strongly, especially when they occur in bigger, more complex insurers, and to ensure that adequate mitigation measures are in place to warrant a robust system of governance.
  • Holding the internal audit function and other key functions: The combination of the internal audit function with other key functions occurs in 15 countries, although the frequency of such combinations is relatively low. Moreover, there were cases of the internal audit function holder also carrying out operational tasks which could lead to conflicts of interest and compromise the operational independence of the internal audit function. It is important to emphasise that the legal exemption of Article 271 of the Commission Delegated Regulation EU (2015/35) does not apply to the combination with operational tasks.
  • Combining a key function holder with AMSB membership: Most NCAs follow a similar and comprehensive approach regarding the combination of key function holder and AMSB member. In this regard, NCAs accept such cases only if deemed justified under the principle of proportionality. This peer review shows that two NCAs request or support combinations of AMSB member and the risk management function holder regardless of the principle of proportionality in order to strengthen the knowledge and expertise regarding risk management within the AMSB.
  • Combining key function holders (excluding internal audit function holder) with operational tasks: In nearly all countries combinations of risk management, actuarial and compliance key function holders with operational tasks occur, but such combinations generally occur rarely or occasionally. However, several NCAs do not have a full market overview of such combinations with operative tasks. Adequate mitigating measures are essential to reduce potential conflicts of interest when key function holders also carry out operational tasks. The most common combinations are the compliance function holder with legal director and the risk management function holder with finance director.
  • Splitting a key function between two holders: About half of the NCAs reported cases where more than one individual is responsible for a particular key function (‘split of key function holder’). The most common split concerns the actuarial function (split between life and non-life business). NCAs should monitor such splits in order to maintain appropriate responsibility and accountability among key function holders.
  • Subordination of a key function holder to another key function holder or head of operational department: This is observed in half of the countries reviewed. An organisational subordination can be accepted, but there needs to be a direct ‘unfiltered’ reporting line from the subordinated key function holder to the AMSB. In cases of subordination, conflicts of interest have to be mitigated and operational independence needs to be ensured including the mitigating measures concerning the remuneration of the subordinated key function holders.
  • Fitness of key function holders: Most NCAs assess the fitness of the key function holder at the time of initial notification and apply the principle of proportionality. Several NCAs did not systematically assess the key function holders appointed before 2016. These NCAs are advised to do so using a risk-based approach.
  • Outsourcing of key function holders: Most NCAs have observed outsourcing of key function holders. According to the proportionality principle, an AMSB member may also be a designated person responsible for overseeing and monitoring the outsourced key function. Eight NCAs make a distinction between intra-group and extra-group outsourcing and six NCAs do not require a designated person in all cases, which may give rise to operational risks.

BEST PRACTICES

Through this peer review, EIOPA identified four best practices.

  • When NCAs adopt a structured proportionate approach based on the nature, scale and complexity of the business of the insurer regarding their supervisory assessment of key function holders and combination of key function holders at the time of initial notification and on an ongoing basis. The best practice also includes supervisory documentation and consistent and uniform data submission requirements (for example an electronic data submission system for key function holder notification). This best practice has been identified in Ireland and the United Kingdom.
  • When an NCA has a supervisory panel set up internally which discusses and advises supervisors about complex issues regarding the application of the proportionality principle in governance requirements regarding key functions. This best practice has been identified in the Netherlands.
  • When assessing the combination of key function holder with AMSB member, EIOPA considers the following as best practice for NCAs:
    • To publicly disclose the NCA’s expectations that controlling key functions should generally not be combined with operational functions for example with the membership of the AMSB. Where those cases occur, NCAs should clearly communicate their expectation that the undertaking ensures that it is aware of possible conflicts of interest arising from such a combination and manages them effectively.
    • To require from insurers that main responsibilities as a member of the AMSB do not lead to a conflict of interest with the tasks as a key function holder.
    • To assess whether the other AMSB members challenge the key function holder also being an AMSB member.

This best practice has been identified in Lithuania.

  • When NCAs apply a risk-based approach for the ongoing supervision that gives the possibility to ensure the fulfilment of fitness requirements of KFHs at all times by holding meetings with key function holders on a regular scheduled basis as part of an NCA’swork plan (annual review plan). The topics for discussion for those meetings can vary, depending for example on actual events and current topics. This best practice has been identified in Ireland and the United Kingdom.

These best practices provide guidance for a more systematic approach regarding the application of the principle of proportionality as well as for ensuring consistent and effective supervisory practice within NCAs.

EIOPA NCA KFH

Click here to access EIOPA’s full report on its Peer Review

 

The IFRS 9 Impairment Model and its Interaction with the Basel Framework

Publié le par hanswillertbleuazurconsultingeu

In the wake of the 2008 financial crisis, the International Accounting Standards Board (IASB) in cooperation with the Financial Accounting Standards Board (FASB) launched a project to address the weaknesses of both International Accounting Standard (IAS) 39 and the US generally accepted accounting principles (GAAP), which had been the international standards for determining financial assets and liabilities accounting in financial statements since 2001.

By July 2014, the IASB finalized and published its new International Financial Reporting Standard (IFRS) 9 methodology, to be implemented by January 1, 2018 (with the standard available for early adoption). IFRS 9 will cover financial organizations across Europe, the Middle East, Asia, Africa, Oceana, and the Americas (excluding the US). For financial assets that fall within the scope of the IFRS 9 impairment approach, the impairment accounting expresses a financial asset’s expected credit loss as the projected present value of the estimated cash shortfalls over the expected life of the asset. Expected losses may be considered on either a 12-month or lifetime basis, depending on the level of credit risk associated with the asset, and should be reassessed at each reporting date. The projected value is then recognized in the profit and loss (P&L) statement.

Most banks subject to IFRS 9 are also subject to Basel III Accord capital requirements and, to calculate credit risk-weighted assets, use either standardized or internal ratings-based approaches. The new IFRS 9 provisions will impact the P&L that in turn needs to be reflected in the calculation for impairment provisions for regulatory capital. The infrastructure to calculate and report on expected loss drivers of capital adequacy is already in place. The data, models, and processes used today in the Basel framework can in some instances be used for IFRS 9 provision modeling, albeit with significant adjustments. Not surprisingly, a Moody’s Analytics survey conducted with 28 banks found that more than 40% of respondents planned to integrate IFRS 9 requirements into their Basel infrastructure.

Arguably the biggest change brought by IFRS 9 is incorporation of credit risk data into an accounting and therefore financial reporting process. Essentially, a new kind of interaction between finance and risk functions at the organization level is needed, and these functions will in turn impact data management processes. The implementation of the IFRS 9 impairment model challenges the way risk and finance data analytics are defined, used, and governed throughout an institution. IFRS 9 is not the only driver of this change.

Basel Committee recommendations, European Banking Authority (EBA) guidelines and consultation papers, and specific supervisory exercises, such as stress testing and Internal Capital Adequacy Assessment Process (ICAAP), are forcing firms to consider a more data-driven and forward-looking approach in risk management and financial reporting.

Accounting and Risk Management: An Organization and Cultural Perspective

The implementation of IFRS 9 processes that touch on both finance and risk functions creates the need to take into account differences in culture, as well as often different understandings of the concept of loss in the two functions.

  • The finance function is focused on product (i.e., internal reporting based on internal data) and is driven by accounting standards.
  • The risk function, however, is focused on the counterparty (i.e., probability of default) and is driven by a different set of regulations and guidelines.

This difference in focus leads the two functions to adopt these differing approaches when dealing with impairment:

  • The risk function uses a stochastic approach to model losses, and a database to store data and run the calculations.
  • Finance uses arithmetical operations to report the expected/ incurred losses on the P&L, and uses decentralized data to populate reporting templates.

In other words, finance is driven by economics, and risk by statistical analysis. Thus, the concept of loss differs between teams or groups: A finance team views it as part of a process and analyzes loss in isolation from other variables, while the risk team sees loss as absolute and objectively observable with an aggregated view.

IFRS 9 requires a cross-functional approach, highlighting the need to reconcile risk and finance methodologies.

The data from finance in combination with the credit risk models from risk should drive the process.

  • The risk function runs the impairment calculation, whilst providing objective, independent, and challenger views (risk has no P&L or bonus-driven incentive) to the business assumptions.
  • Finance supports the process by providing data and qualitative overlay.

Credit Risk Modeling and IFRS 9 Impairment Model

Considering concurrent requirements across a range of regulatory guidelines, such as stress testing, and reporting requirements, such as common reporting (COREP) and financial reporting (FINREP), the challenge around the IFRS 9 impairment model is two-fold:

  • Models: How to harness the current Basel-prescribed credit risk models to make them compliant with the IFRS 9 impairment model.
  • Data: How (and whether) the data captured for Basel capital calculation can be used to model expected credit losses under IFRS 9.

IFRS9 Basel3

Click here to access Moody’s detailed report