How to get the most out of your governance structures. Risk Series Paper 3


Regulation and the ever more complex financial world have driven forward the need for organisations to have robust governance structures. Their true value is now ready to be realised. There is no one-size-fits-all governance structure, but some can facilitate the key components of effective governance better than others.

Introduction

Insurance companies have developed and enhanced their governance structures significantly over recent years. Most have structured their governance around the three lines of defence (3LoD) model, but the underlying design and configuration differ amongst companies. In principle this is fine; there is no one-size-fits-all structure for effective governance. Indeed, in the absence of a regulatory prescription, we would expect the governance model to vary naturally according to the size and complexity of the organisation, alongside the skill sets of those in the business. However, there are key elements that ensure the success of a governance structure, and some structures can in fact make it harder to access these components.

What makes good governance?

Governance structures, if designed well, can add value via efficient and aligned processes that enable management to take timely decisions, with the confidence that risks to those decisions, both upside and downside, are well understood and will be appropriately managed. This helps to manage downside risk and identify upside potential, whilst also giving management the confidence that, as they take decisions, the risks to those decisions will be managed through a soundly governed process.

The foundations of a sound governance structure are a clearly defined organisational diagram, precise role profiles that articulate the responsibilities of the various role holders, and risk policies and standards that articulate how risks should be managed. These help to ensure that everyone understands how the business will be managed and how they will be involved.

Building on these aspects, essential components of any governance structure include:

- Risk managers: Otherwise known as the first line in the 3LoD model, who adopt a risk-based approach to everything as the principal owners of risk acceptance and management.
- Integrated oversight: The second line, which ensures that critical activities are reviewed and challenged contemporaneously. This can be completed by the risk function, or others in the business, alongside the Executive Committee.
- Independent challenge: The third line, which exercises independent challenge in such a way that there is no undue influence, control or constraint applied to the challenger. Independent challenge is often provided by both the audit function and the Board.
- Committee meetings: Regular structured meetings ensure appropriate interaction within the business to support business decisions. These committees include functions such as audit, risk, investment and remuneration, with clear terms of reference and responsibilities, target objectives and documented outputs.

- Risk framework documentation and policies: A well-documented risk framework and policies that are aligned with each other and with the business strategy of the organisation ensure that everyone understands their roles and responsibilities and the procedures that need to be followed.

Key components of a governance structure that form part of the risk policy suite would be:

- Definitions: In order to spread consistent understanding throughout the business, the risk taxonomy needs to be clear, understandable and widely communicated. It should include definitions for processes, controls, risks, risk groups, strategies and preferences.
- Operating standards: Clear operating standards that are linked to the business and risk objectives ensure that the business understands how to implement these objectives at an operational level.
- Controls: Controls and limits support the operating standards and add governance around the decisions that are made at an operational level.
- Roles and responsibilities: The organisation should ensure that duties and responsibilities are allocated, segregated and coordinated in line with the relevant policies and are reflected in descriptions of tasks and responsibilities. This should include ensuring that all important duties are covered and that unnecessary overlaps are avoided. In segregating responsibilities in this way, the organisation can maintain a level of independence so that the person or unit performing the tasks is not also responsible for monitoring and assessing such performance.
- Processes and procedures: Processes and procedures, such as sign-off and escalation procedures, should be established and documented to enhance the understanding of roles and responsibilities within the business.
- Attestations: Attestations ensure that those responsible for the operating standards take on this responsibility. Attestation is vital to cementing the other elements of the risk policy.
- Internal controls: Internal controls add value and support business decisions by providing a mechanism for monitoring the business and reporting to management. These internal controls can include elements of the risk management framework described in Paper 1 in this series, such as the risk appetite framework and the tools and processes used to manage risk.

Of these key components, it is only really the positioning of who does the work and who assures it that distinguishes the different governance models that could be used by a business. All the other elements are important components for operationalising this structure and the wider risk management framework. For example, the framework documents and policies, including their components, help ensure that the governance structure (or "do, check, review and review again") is properly understood and managed within the business, and that everyone is aware of their own actions and responsibilities.

A higher purpose

A strong governance structure provides a framework which supports the company in fulfilling its objectives by enabling everyone within the business to make risk-informed decisions that have been either controlled or reviewed, challenged and signed off. Good governance adds value for stakeholders by ensuring that the decision-making process is as streamlined as possible, whilst at the same time providing reassurance and protection so that risks are fully understood and monitored across the organisation.

How the governance structure is formed to meet these criteria depends on many shifting elements of the business and its operating environment. A suitable structure may therefore change for a company in times of stress, such that the governance is tightened when the risk profile of a business warrants it. Consequently, a preferable structure is one that can adapt to the circumstances, such that the key components are flexible.

What do we currently have?

A commonly used structure amongst insurers is the 3LoD model, which can meet all the criteria of a good governance structure if configured effectively.

Overview of the 3LoD model

Many insurers would indicate they use the 3LoD model as part of their governance structure, but the exact configuration of that model differs greatly from one business to the next. In general, the 3LoD model helps organisations to coordinate risk management and governance responsibilities in a structured manner, by separating risk taking and management from risk oversight. It provides clarity on the roles that individuals and departments must carry out in order to develop and maintain effective risk management processes and systems. The model should aid communication, both internally and externally, on risk management and governance by ensuring clarity and defined responsibilities within the overall risk management framework.

Our take on the structure (see Figure 1) is that the first line owns the risk management of the business in line with the risk framework, which in turn is owned by the second line. The second line then provides integrated oversight to the first line contemporaneously, rather than just at sign-off. Perhaps the role is best described as a critical friend, with oversight discussed with Line 1 for amendments and reported to the company's delegated Board committees, the Board Risk Committee and, ultimately, the Board itself. The third line provides independent challenge and review across all other lines, as well as providing assurance to governing bodies and senior management on the effectiveness or otherwise of the risk management framework. The Board has ultimate responsibility for the governance of the business, and independent challenge will also be given by the non-executive directors, the Actuarial Function Holder and the With-Profits Actuary.

Figure 1. 3LoD model

First line of defence: Operational business units (risk management)
- Day-to-day running of the business and managing risks
- Reporting performance to the Board

Second line of defence: Risk Function (integrated oversight)
- Contemporaneous challenge of the first line (for example, assumptions and methodology)
- Setting frameworks for the first line to follow
- Reporting on risk management performance to the Board

Third line of defence: Internal Audit (independent challenge)
- Independent review and oversight of the first and second lines: frameworks and processes, and work completed
- Report findings to the Board

How do companies differ?

Rather surprisingly, there is only relatively high-level guidance as to how a 3LoD model should be organised, and companies differ in their interpretations of the roles and responsibilities for each line, as well as in the definition of the role of the Chief Risk Officer (CRO) within the wider organisation (see also our article "The Evolving Chief Risk Officer Role, Get Ready for CRO 3.0", which covers the role of the CRO and how this is changing). Similarly, the application of the 3LoD differs from company to company. The main areas of difference include:

- The position of the CRO within an organisation: The CRO has an important and strategic role within the 3LoD model. However, there are specific challenges in relation to the roles and responsibilities of the CRO which might vary between organisations. Examples include:
  - Whether the CRO plays a dual role within an organisation (for example, also Chief Actuary)
  - Whether the CRO is viewed as a peer by the rest of the C-suite. In some cases, typically where the CRO reports to the Chief Finance Officer (CFO) rather than the Chief Executive Officer (CEO), the CRO may not even attend the Executive Committee
  - Whether the CRO sits on the Board, either as a member or an attendee
- Engagement of the risk function with the first line of defence: The level of engagement on a day-to-day basis differs, including on a one-to-one basis and at committee meetings.
- The position of the actuarial function within the 3LoD model: Specialist functions such as the actuarial function might sit within either the first or second line of defence, or straddle both. In the case of straddling, responsibilities for reporting and assurance need to be well defined.
- Differences in the ownership of work, including:
  - Policy drafting
  - Management information on risk management
  - Internal model calibration, valuation and reporting
  - Asset liability management, including credit risk management
  - Own Risk and Solvency Assessment (ORSA) drafting (sections, or all)
  - Stress and scenario testing
  - Managing the relationship with the regulator(s)
  - Compliance
  Different organisations might choose to place the ownership of work within the first or second line of defence, which impacts the structure and shape of the 3LoD model within the business (and the level of resource needed in each).
- Size of each line of defence: The shape of the 3LoD differs between companies, driven by the roles and responsibilities assigned in the governance structure.
- Skill set of the second line of defence: In order to challenge the first line adequately and have collaborative conversations, the second line needs to have access to skills, so that it can challenge and support discussions with Line 1. The extent of this investment in skills differs between companies.

Potential weaknesses in the 3LoD model?

Despite its wide adoption in the insurance industry, there can be a number of weaknesses in the 3LoD model depending on how it is structured and the governance around it:

- Defence: The wording signifies preventing rather than supporting risk decisions, thereby considering the objective of loss to value, not enhancement.
- Responsibility: There is a risk that a strong governance structure, such as a robust 3LoD model, undermines individuals taking personal responsibility for work completed. Both those completing the work and those reviewing it may not take as much ownership of it because they think that it will be subject to both integrated and independent oversight from the second and third lines (and conversely, the second and third lines may believe the work has been reviewed properly previously, so take a more relaxed approach to their review). Additionally, without fully defined roles, this could lead to gaps whereby each line believes the other is responsible for the work completed.
- Duplication of work: There can be an issue of duplication of work, whereby multiple lines complete similar reports for the Board and delegated committees, leading to inconsistency and confusion, and unnecessary cost.
- Under-utilisation of resource: A rigid model can lead to an inflexible approach whereby staffing is incompatible with the lumpy workload, thereby causing inefficiencies.
- CRO remuneration and incentives: Depending on the role of the CRO, there can be questions around the structure and level of their remuneration. In terms of the remuneration structure, careful consideration should be given to how they are incentivised and what defines a successful risk outcome. In terms of the level, in order to offer an independent view on strategic decisions, they need to have respect and authority equal to the level of the Board, but with this comes the debate as to the level of the CRO's remuneration (the amount and how it is determined) compared to other executive board members.
- Multiple reviews: There is a risk that this model leads to an inefficient review process, especially in group structures where there are additional layers of group review. There is a risk that there is more reviewing than doing.

What works well?

A structure that can be flexible, such as one that has a narrow second line which has transferred a number of key risk management activities to Line 1 and can access additional resource elsewhere for bespoke risk projects when the workload escalates, may provide the answer. This approach can also enhance the risk understanding and culture in an organisation.

Such versatility can also enable a company's governance approach to respond to changes in circumstances. When a company is facing a large risk, either internally (such as solvency constraints) or externally (such as posing an increased risk to the wider market), there is an increasing requirement for the company to have a higher level of integrated oversight, which requires more skills and resource. By being able to call on experts who have these levels of skills from outside the core Line 2 team, companies can respond faster to changing circumstances. These experts, or extra resource, can come from:

- Internal secondments, which support a stronger risk understanding across the business, increasing the embedding of the risk culture.
- External secondments, which give the company access to experienced resource and also bring market knowledge to the team.
- Consultancy support, which enables the company to access specialist skills for bespoke projects.
- Outsourcing arrangements, which offer a more efficient team, whereby the lumpy workload and the access to specialist skills can be managed by an external party.

The ability to execute this effectively relies on the key components of the risk governance structure being in place. Agility in the face of changing conditions is therefore dependent on a flexible governance model that is supported by solid and well-documented governance criteria.

Conclusion

The 3LoD model is a useful and clear framework that, if formulated and used properly, can coordinate risk management and governance responsibilities in a structured manner. However, there is some way to go for many companies to maximise the efficiencies and optimise this framework. Companies should be looking to ensure they minimise wasted resource in their organisations and leverage the skills that they can access either internally or externally. By addressing the weaknesses in current structures, companies will have a framework that supports the risk function as a critical friend that also offers clear and informed assurance, hence enhancing decision making, whilst also being able to respond to changing resourcing needs from every part of their business.

Further information

For further information, contact your regular Willis Towers Watson consultant or one of the following: Kirsty Leece, Ashley McMillan, Paul Simmons.

Paper 7 will conclude the series with the results of a market survey on topics covered in this series. The survey takes 10 minutes, and if you would like to take part, please follow the link below:
SE/?SID=SV_22Vp6twf0bEd8kR

Risk Series papers published

June 2016, Risk Series Paper 1: Practical risk management: enhancing business decisions
willistowerswatson.com/en/insights/2016/06/practicalrisk-management-enhancing-business-decisions

July 2016, Risk Series Paper 2: Stress and scenario testing: a change of focus
en/insights/2016/07/stress-and-scenario-testing-achange-of-focus

About Willis Towers Watson

Willis Towers Watson (NASDAQ: WLTW) is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 39,000 employees in more than 120 countries. We design and deliver solutions that manage risk, optimise benefits, cultivate talent, and expand the power of capital to protect and strengthen institutions and individuals. Our unique perspective allows us to see the critical intersections between talent, assets and ideas: the dynamic formula that drives business performance. Together, we unlock potential. Learn more at willistowerswatson.com.

Willis Towers Watson, 71 High Holborn, London WC1V 6TP

Towers Watson is represented in the UK by Towers Watson Limited.

The information in this publication is of general interest and guidance. Action should not be taken on the basis of any article without seeking specific advice.

To unsubscribe, email eu.unsubscribe@willistowerswatson.com with the publication name as the subject and include your name, title and company address.

Copyright 2016 Willis Towers Watson. All rights reserved. WTW-EU-16-PUB-2923c