ICAAP. Engaging the business in risk management. A presentation to FIDE Forum by Penny Fosker. 10 January towerswatson.com

Transcription

1 ICAAP Engaging the business in risk management A presentation to FIDE Forum by Penny Fosker 10 January

2 Agenda What is an ICAAP and what s in it for me? Managing capital and risk or managing my business? Making the ICAAP proactive 2

3 ICAAP: Engaging the business in risk management What is an ICAAP and what s in it for me? 2013 Towers Watson. All rights reserved.

4 Q1. What does ICAAP stand for? A. Independent Capital Adequacy Assessment Process B. Independent Capital Adequacy Assessment Practice C. Independent Capital Adequacy Assessment Procedure D. Internal Capital Adequacy Assessment Process E. Internal Capital Adequacy Assessment Practice F. Internal Capital Adequacy Assessment Procedure 4

5 What is an ICAAP? Business strategy, including key drivers of change Financial forecasts ICAAP policy Individual Target Capital Level Risk appetite and tolerances Risk profile, including all material risks Capital Management Plan Business strategy based on a range of outcomes Details of emerging risks Risk measurement and assessment processes Continuous monitoring and reporting processes Quantity and quality of available capital ICAAP Independent review and assessment Sensitivity, stress and scenario test results Assessment of governance system ICAAP report documenting evidence of process and result Decisions relating to risk and capital allocation Board and senior management oversight 5

6 The key components of the ICAAP What if analysis Sensitivity of available capital / ITCL Effectiveness of controls Management actions Contingency / action plans ICAAP Report What if Analysis Risk Appetite Risk Appetite Risk appetite statement Approved tolerances Risk limits Link to Business Strategy Capital projections Capital planning Risk assess business plan Range of outcomes Link to Business Strategy/ Capital Planning Governance & Culture Identify & Assess Risks Identify & Assess Risks Identification Qualitative risk analysis Controls / mitigation Monitoring and Reporting Regulatory solvency monitoring Monitoring quality of available capital Monitoring, Reporting & Managing Risk Risk Measurement Risk Measurement Overall solvency needs ITCL sufficient 6

7 Why do I need to know about it? The board and senior management are responsible for ensuring that the insurer maintains an appropriate level and quality of capital for its risk profile and business plan Approve the company s risk appetite and tolerance Approve the company s capital management framework Ensure that senior management discharges its responsibilities for development and effective implementation of ICAAP 7

8 Q2. What can you get from the ICAAP? A. Fulfil your regulatory responsibilities B. Provide a clear linkage between risk management, capital planning and business planning C. Better understanding of the business and more informed decision making D. Easier and more informed communication with external parties E. Improved risk culture F. Supports achievement of strategic aims G. All of the above 8

9 ICAAP: Engaging the business in risk management Managing capital and risk or managing my business? 2013 Towers Watson. All rights reserved.

10 Why are you in business? Values Culture Capacity Objectives Appetite Set strategic aims Identity Risk/reward Goals Vision Strategy & Attitude Outcomes & sustainability Stability Protection Efficient Achieve strategic aims No intervention Continuity Value Preservation Sustainability People 10

11 Why are you in business? Values Culture Capacity Objectives Appetite Set strategic aims Identity Risk/reward Goals Vision Strategy & Attitude Culture, leadership, communication, consultation, education, integration, remuneration Structure Behaviours Committees, functions, roles, responsibilities, accountabilities, fit & proper people Identification, description, assessment, measurement, prioritisation, monitoring, reporting, escalation, review, testing, analysis Operations Processes Finance, actuarial, risk management, internal audit, control, underwriting, product development, pricing, risk mitigation, ALM, capital management, performance management, business planning Outcomes & sustainability Stability Protection Efficient Achieve strategic aims No intervention Continuity Value Preservation Sustainability People 11

12 Is there a link between making the ICAAP developing a sustainable business? proactive and Strategy & Attitude What if Analysis Risk Appetite Structure Behaviours Link to Business Strategy/ Capital Planning Governance & Culture Identify & Assess Risks Operations Processes Monitoring, Reporting & Managing Risk Risk Measurement Outcomes & sustainability 12

13 Business operations where proactive use of the ICAAP will add value Strategy and Planning Set and test business plans/optimise portfolios Validate business plans Assess the impact of alternative strategies Identify opportunities for diversification, e.g. organic growth/mergers and acquisitions Determine alternate capital structures Pricing Assess appropriate technical pricing Establish appropriate capital charges or profit loads Assess the impact of alternative pricing strategies Explore new developments: products, distribution models, new markets Control risk aggregation Risk Management Assess overall risk profile Develop holistic and more accurate view of organisation-wide risk Balance risk and reward Monitor and manage risk concentrations and aggregations Claims Management Assess the impact of changes in the external claims environment Assess impact of claims reserving: methodology, assumptions Communication Within the business With external parties Demonstrate good corporate governance Optimising Firm Value Increase returns Increase stability of returns Improve credit ratings / reduce cost of capital Strategic Optimisation Feed into performance measurement (business units, products, etc.) and management Reinsurance optimisation Asset class optimisation Capital Planning Quantify overall internal and regulatory capital requirements Quantify individual capital requirements by legal entity, division, class of business, Measure return on internal required capital To get value from the ICAAP, results and information need to be understood and used by the business 13

14 ICAAP: Engaging the business in risk management Making the ICAAP proactive 2013 Towers Watson. All rights reserved.

15 Making the ICAAP proactive 1. Organisational readiness 2. Defining uses and setting priorities Is the organisation ready to embed the risk management? Is there a clear vision of the target end state? Is there a common understanding of the existing risk culture? Does management have the will to make the necessary changes? How engaged are key functional areas such as human resources, finance, pricing and underwriting? Will an education programme be in place to support the new risk framework? Is there a communication strategy for the wider business? 1 Continuous monitoring and development 3 2 How does the business want to use the risk management framework and risk measurement tools? Is there sufficient understanding of current capabilities/limitations and associated MI? What are the short-, medium- and long-term objectives for use? Is there a development plan with realistic costs associated? What are the business benefits of each use? Is there a process for achieving a consensus on prioritising uses? 3. Reinforcing success and evidencing embedding How to implement the necessary changes in processes, documentation and behaviours? Does senior management set the tone from the top? Is there a positive feedback loop between new MI, working practices, policies, performance management and training? Does the improved information promote improvements to the governance structure, operational processes etc? Do the current Board agendas/minutes reflect the use of improved MI? Are there processes/tools to monitor progress towards target end state? 15

16 Where do I fit in? Risk culture Board / executive Risk management function Actuarial function / Finance Business strategy and risk appetite Engaging with stress tests Sign-off and overall oversight Policies and procedures Risk reporting (with others) Managing scenario testing Developing risk measurement tools Stress & scenario analysis Financial projections Set risk appetite Set risk appetite Manage risks Manage risks Set business strategy Set business strategy Capital planning Capital planning Review and challenge Strategy / Business function Business planning Capital structure Input to strategic direction Risk reportingrisk reporting Scenario testing Scenario testing External organisations / Internal Audit Challenge and benchmarking Independent review Quality assurance Measure Measure risks risks Identify Identify risks risks 16

17 Culture, more than rule books, determines how an organisation behaves Warren Buffet Current observations Inappropriate risk culture contributed to the financial crisis Increasing focus of regulators and rating agencies Difficult topic to discuss Realistic short term aspirations Develop a clear view of risk culture Leadership set the tone from the top Find opportunities in risk Practical advice Vital to show that executives are engaged Practical approaches to measuring and monitoring risk culture exist Interventions to improve risk culture include training and education, performance management criteria, rewards 17

18 What characterises a good risk culture? Vertical escalation of threats and fears Active learning from mistakes Committed leadership Continuous and constructive challenge to the organisation s actions and preconceptions An effective governance structure Horizontal information sharing Incentives that reward thinking about the whole organisation Management objectives linked to risk management objectives Reform in the Financial Services Industry: Strengthening Practices for a More Stable System 18 Institute of International Finance, 2009

19 Culture, more than rule books, determines how an organisation behaves Warren Buffet Current observations Inappropriate risk culture contributed to the financial crisis Increasing focus of regulators and rating agencies Difficult topic to discuss Realistic short term aspirations Develop a clear view of risk culture Leadership set the tone from the top Find opportunities in risk Practical advice Vital to show that executives are engaged Practical approaches to measuring and monitoring risk culture exist Interventions to improve risk culture include training and education, performance management criteria, rewards (Information + Experience) x Perceptions = Behaviour 19

20 Approaches to measuring risk culture Informal / ad-hoc Structured qualitative Structured qualitative and quantitative Some issues may be identified, but left to chance Culture may be effective, but poorly understood Culture may be vulnerable to accidental change Difficult to manage and evidence Identifies key aspects and issues Informs decision making and reporting Generates pool of rich examples to aid communications Engages key stakeholders Suitable as one-off or initial approach Quantifies specific issues Enables internal / external benchmarking and tracking over time Allows detailed analysis, ROI etc. Shows and supports organisational focus on risk culture Helps to embed understanding 20

21 Risk is like fire; if controlled it will help you; if uncontrolled it will rise up and destroy you Theodore Roosevelt Current observations Companies have a risk appetite statement in place Few firms have fully defined risk limits and tolerances Most risk appetite frameworks require further development Realistic short term aspirations Refine risk appetite to ensure it reflects company strategy Set risk limits linked to appetite for key risks Develop key risk indicators to support monitoring against risk appetite Practical advice Use an iterative approach to development Define simple key risk indicators to monitor against risk appetite and support refinement Regularly review risk appetite against strategy 21

22 A risk appetite provides a framework for managing risk An overarching framework for the conduct of the business Specifies the risks to which XYZ does and does not wish to be exposed Defines a process for managing risks by means of risk measures and other methods Defined formally by the Board to provide guidance to management Does not seek to address the detail of policies, procedures etc Aim is to define sufficiently the overall risk framework, objectives and headline metrics in order to enable the risk appetite to cascade down to the business Provides a means of communicating the Board s views / expectations on risk Certain day-to-day risk management activities may be delegated to the senior management The risk appetite statement must be objective, tangible and actionable 22

23 Setting your risk appetite Strategy STEP 1 STEP 2 STEP 3 STEP 4 STEP 5 Discovery Articulate preliminary appetite & tolerance Validate risk appetite Finalise appetite & tolerance Translate risk tolerances to risk limits 23

24 Q3. When did you last change your asset mix as a result of holdings in a particular asset category exceeding risk limits? A. Last month B. In the last three months C. In the last six months D. In the last year E. Never 24

25 Misunderstood information is a waste of everyone s time Gavin Hughes Current observations Companies produce a wealth of management information Risk reports are not focused Information is not understood or acted on in a timely manner Realistic short term aspirations A standardised reporting system that gets the right information to the right people at the right time Clear policies around when action needs to be taken and issues escalated Need for continual solvency monitoring to meet regulatory requirements Practical advice Focus risk reports on key risks and the audience to reduce irrelevant information Develop a dashboard that can communicate a lot of information in a digestible format Make sure risk information links back to risk appetite 25

26 Achieving the correct balance of management information Too much information Filter for audience Irrelevant Confusing Difficult to understand Not reaching the right people Not acted upon Too late Focus on important risks Simple, standardised format Common terminology Clear escalation processes Clear actions Regular distribution 26

27 Risk reports need to be clear and concise 27

28 Proactively using the ICAAP supports the Board and senior management providing information and insight to support strategic and day to day decision making Current Understanding / Knowledge Trends Reasons What if Do you have sufficient capital, given your strategy and the risks in your business? Is it sufficient under a range of different scenarios? Do you understand the risks to and the opportunities for increasing the value of your business? 28

29 In summary risk is opportunity Risk management should not prevent people from taking risks but allow them to understand and manage in the optimal way the risks that they take Risk in opportunity Threat Safety Survival Loss Opportunity in risk Opportunity Innovation Incentive Profit A balanced attitude to risk management with understanding and proactive assessment of the available information 29

30 Q4. What are your top ICAAP development or improvement priorities for 2013? (Please select your top three) A. Risk culture B. Risk governance and organisation C. Risk appetite definition D. Risk limits and controls E. Risk identification and assessment F. Risk measurement G. Risk monitoring and reporting H. Stress and scenario development and what if analysis 30

31 2013 Towers Watson. All rights reserved. Thank You