In this edition
>> Summary – key changes from GPS 220
>> Background
>> Why the changes?
>> Our assessment
>> What’s in a RMF?
>> APRA’s broader risk management focus
>> Commercial benefits?
>> Taking action now
>> Three Lines of Defence (3LOD) – what’s it about?
Risk management changes crystallise
In January 2014 APRA finalised its cross-industry prudential standards CPS 220 Risk Management and CPS 510 Governance. These take effect 1 January 2015.
APRA has the clear intention of improving risk management
practice with the changes to its requirements, and in our view
they will do so. However, the new requirements – which are more
prescriptive than the existing standards – may offer marginal
benefit for some general insurers, taking into account the extra
effort and investment required.
In this d’finitive we summarise the changes in APRA’s risk
management requirements, as well as the next steps for insurers.
d’finitive®
Keeping you informed. FEBRUARY 2014
[ APRA regulation ]
www.finity.com.au
Sydney +61 2 8252 3300 Auckland +64 9 363 2894 Melbourne +61 3 8080 0900 Wellington +64 4 460 5213
The up-shot
APRA has fine-tuned some of the requirements of the draft standards – and has clarified interpretations via CPG 220 – but little has changed from what was proposed in May 2013.
It is time for implementation.
Some insurers – including branches and groups – will want to ask APRA to grant variations from the standards. Those insurers will need to prepare well thought-out cases, soon.
Summary – key changes from GPS 220
Designated Chief Risk Officer (CRO)
• Each insurer – and group – must have a CRO with no conflicting front line business responsibilities.
• The CRO reports directly to the CEO with direct access to the Board Risk Committee.
• The CRO cannot be the CEO, CFO, Appointed Actuary or Head of Internal Audit.
CRO alternatives
An insurer may apply for an alternative to the designated CRO requirement, if this is inappropriate to its circumstances.
Group CROs
A group CRO may be the designated CRO for an insurer within the group structure. This includes an Australian branch with a group CRO.
Separate Board Risk Committee
The Board Audit Committee and Board Risk Committee must be separate.
Other stricter requirements
Examples include:
• Board Risk Declaration to APRA
• Explicit expectations for the risk MIS.
Loss of some GI-specific material
The definition of material risks now:
• Downplays some GI risks
• Emphasises other risks which are more important in life insurance and banking.
This link will take you to our more detailed comparison of GPS 220 and CPS 220
Background
Risk management is vital to any organisation that aims to have a profitable and sustainable future. Good risk management results in better business decisions, while protecting the interests of stakeholders (particularly policyholders). APRA requires each regulated institution to have a Risk Management Framework (RMF) that is appropriate for its circumstances.
Prudential Standards
The final versions of CPS 220 Risk Management (replacing the current GPS 220) and CPS 510 Governance follow the release of drafts in May 2013. Despite extensive industry consultation since that date, and objections in many submissions to elements of the proposed package, few changes were made in the final standards.
The final version of CPS 510 makes only one material change from the standard that currently applies: the need for separate Board Audit and Board Risk Committees. The other changes we discuss in this newsletter relate to CPS 220.
Lines of defence
Many in the GI industry object to APRA’s requirement for a designated CRO. The requirement is based on the ‘three lines of defence’ (3LOD) model of risk management. Elsewhere in this newsletter we discuss the 3LOD model and its application to general insurers. This is intended to help insurers as they plan to meet the new requirements and discuss their plans with APRA.
CRO – options for groups
A Level 1 insurer CRO may report to a Level 2 or Level 3 Group CRO, if that Group CRO reports to the Group CEO and the Level 1 insurer’s Board can demonstrate that the Group CRO meets the Level 1 insurer’s risk management requirements.
CRO – options for branches
An Australian branch insurer may use the regional or home office CRO to fulfil its CRO requirement, provided this CRO has active oversight of the insurer and sufficient interaction with local management. The CRO should have ‘regular and clear’ access to the Senior Officer Outside Australia.
Prudential Practice Guide CPG 220
APRA has also released for consultation a draft Prudential Practice Guide CPG 220 Risk Management. CPG 220 provides insight into how APRA will interpret CPS 220 – including how groups and branches might meet the CRO requirements in practice. Submissions on CPG 220 are due by 28 March 2014.
Why the changes?
The response paper which accompanies the final standards sets out APRA’s reasons for the changes:
>> Consistency in risk management standards across industries – life and general insurance, and banking – as well as a common approach across all supervised bodies (Level 1 insurers, and Level 2 and 3 groups).
>> APRA has higher expectations relating to risk management in the wake of the global financial crisis.
Our assessment
We are supportive of APRA’s intentions, and in particular we believe that:
>> The increased focus on risk management is healthy
>> The consistency of approach across groups and conglomerates is a positive.
However we have concerns about some areas of the new requirements:
>> The standards are prescriptive, shifting from APRA’s espoused principles-based approach
>> The requirement for a designated CRO is a ‘one size fits all’ approach, which does not take account of the circumstances of each insurer
>> Implementing the reforms will impose a material cost, relative to the expected benefits, on some insurers that will need to recruit in the CRO space
>> Useful GI-specific material has been de-emphasised, compared to the existing standard for general insurers (GPS 220). For instance, insurance concentration and asset-liability mismatch risks receive less focus.
Irrespective of our and others’ views, the standards are final and insurers must turn their attention to complying with the new obligations. Insurers may, however, be able to influence APRA’s interpretation of CPS 220 by making submissions on CPG 220.
APRA’s broader risk management focus
The new standards continue APRA’s recent stronger focus on risk management and governance, which has involved:
>> LAGIC – increasing the risk sensitivity of APRA’s capital charges
>> ICAAP – forging stronger links between risk and capital management
>> More explicit requirements of insurer risk appetite statements
>> Working with the Actuaries Institute to strengthen risk management reviews in Financial Condition Reports
>> Higher expectations of risk management around catastrophe exposures and related reinsurance cover
>> A greater focus on risk governance and risk culture.
Some of these initiatives have been implemented, while others are works in progress.
What’s in a RMF?
We are often asked this by people who are new to risk management. Just for fun, we have illustrated the key elements by comparing running an insurer to a commercial flight. The term RMF refers to all of these elements and their interactions.
RMF ELEMENTS – INSURER VS COMMERCIAL FLIGHT
| ON THE PLANE | AT THE INSURER | THE ROLE |
| --- | --- | --- |
| People | | |
| Pilot | CEO | Has operational control and risk-taking responsibilities. |
| Flight engineer | CRO | Monitors and ensures crucial systems are working. |
| Crew – on plane and off | Frontline staff | People at the coalface! |
| Air traffic controller | Board | No operational control – but oversees the risk-takers. |
| Plans & policies | | |
| Airline’s plan – selected routes (some are riskier), timetable, passenger loads, pricing… | Business plan – lines of business, projected premiums, pricing… | Defines the direction and strategy. |
| Airline’s risk guidelines | Risk appetite | Describes what may be done in specific circumstances – and what risks are unacceptable. |
| Operating manuals | Risk policies – the RMS is the key one | Sets out the company’s rules. |
| Roles, responsibilities and reporting lines for air traffic control, flight deck and cabin crew | Governance – roles and responsibilities for Board and managers | Clear responsibilities, and defined communication lines. |
| Risk register | Risk register | Summarises the range of risks and their potential impact. |
| Contingency plans for poor weather, terrorist attack etc. | Business continuity plan | The plan for when things go wrong. |
| Actions | | |
| Meeting CASA requirements | Complying with APRA’s regulations | Operating within the regulator’s rules. |
| Periodic airworthiness checks | Audit | Confirms that things are happening as they should. |
| Security screening, seat belts, etc. | Risk controls | Mitigate/minimise risks and their impact. |
| Communication between air traffic control, flight deck, and crew | Reporting and information flows | Keeps everyone up to date. |
| Staff attitudes to safety, reporting of incidents | Risk culture – similar ideas | How frontline staff deal with risk. |
| Black box recorder | Risk and incident log | Record of what’s gone wrong – including near misses. |
Commercial benefits?
Some insurers will treat the new standards as compliance, aiming to do the minimum required. We think that responding to the latest changes ‘in the spirit’, alongside other improvements in risk management consistent with APRA’s direction in recent years, could have commercial benefits for insurers:
>> Improved resilience to internal and external shocks – so management does less fire-fighting
>> Improved communication and information flows – supporting better decision making and competitive advantage
>> Reduced volatility of results – through better identification, understanding, assessment and treatment of risks (potentially by segment). The insurer may need less capital and see more stable earnings
>> Better risk-return profile.
Taking action now
Early planning and preparation will be crucial to complying with the new requirements with minimal business disruption. Each insurer should review its RMF now and develop its approach; any changes should be proportionate. As the new standards take effect on 1 January 2015, responding must be a priority for 2014. The insurer’s Board must approve the plan.
Any insurer that plans to ask APRA for a variation from the standards will need sound arguments. The insurer may choose to discuss its approach with its APRA supervisor to confirm that the plans are appropriate – particularly if seeking alternative arrangements to the designated CRO requirement.
Ultimately insurers should aspire to have a RMF which helps them make better business decisions.
WHAT INSURERS NEED TO DO
| CURRENT SITUATION | PLAN | ACTIONS NEEDED | COMMENTS |
| --- | --- | --- | --- |
| Insurer currently has a joint Board Risk and Audit Committee | Insurer will separate the committees | Should be a straightforward change. | • The same directors may sit on both committees, provided governance structures are separate. • Different chairs may be appointed. • Roles, reporting lines and risk reports may need to change. |
| | Insurer wishes to keep combined committee | Seek exemption from the requirement for separate committees. | APRA has not mentioned this as an option, so the case will need to be well argued. |
| Insurer currently has a ‘dual hat’ CRO with business responsibilities | Insurer separates CRO from other responsibilities | Give CRO’s other responsibilities to other staff, or consultants, OR the incumbent retains other roles, a new CRO is appointed. | • Will require changes to organisational structure • May need to recruit or train staff. |
| | No change | Seek exemption from APRA. | • Will need to demonstrate there are material constraints to appointing a ‘one hat’ CRO (possibly refer to 3LOD model) • Will need a back-up plan where CRO’s responsibilities are separated. |
| Branch with no local CRO | Use group CRO | Clear this with APRA. | Will need to satisfy APRA that group CRO is close enough to branch (see ‘Options for branches’ box). |
Three Lines of Defence (3LOD) – what’s it about?
The 3LOD concept came from the internal audit profession, and has been used by a range of financial regulators. Appendix A of draft CPG 220 sets out APRA’s interpretation of 3LOD in a cross-industry context, and we summarise this in the table below. The table also shows our interpretation of the model’s application in general insurance – which differs from APRA’s in some areas.
Our commentary
The effectiveness of the risk management function will increase if it is:
>> Engaged with the insurer’s many business areas and functions
>> Supported by specialist functions in the company, such as finance, actuarial and HR.
This means:
>> Several of an insurer’s ‘operationally independent’ managers could serve as CRO if potential conflicts are identified and managed or mitigated.
>> Many of APRA’s general insurance requirements already contribute to the second and third lines of defence. Examples are actuarial, finance and various independent reviews (e.g. review of the ICAAP).
A more detailed description of the 3LOD model applied to general insurance was included in our 2013 APRA submission on the draft CPS 220. You can find this on the Finity website.
| Line of defence | Characteristics | Description | APRA and Finity interpretations |
| --- | --- | --- | --- |
| First line | Embedded, part of the business, its controls and processes | Areas taking decisions which determine the insurer’s risk profile. General insurance examples include pricing, underwriting, claims management, investment management, reinsurance and strategy setting. | • APRA categorises the Appointed Actuary (AA) role as first LOD. • We agree for life insurance, where the actuary approves pricing. • We agree when general insurance AAs have first line responsibilities (e.g. pricing or reinsurance). • In our opinion the main statutory responsibilities of a general insurance AA (the liability valuation and FCR) are second line. |
| Second line | Engaged, monitoring, coaching, assisting, reporting | Internal functions independent of business units which routinely (nearly continuously) review initiatives and implications for the risk profile. | • APRA’s model appears to view the risk management function as the only role in the second line. • We would add some parts of the general insurance AA role (see above), some finance responsibilities, specific reviews (e.g. underwriting and claims peer reviews) and some external reviews (e.g. asset consultants, reinsurance broker modelling). |
| Third line | Independent, reviewing, assurance | Strictly independent, more process oriented and not a continuous review. Advises on the effectiveness of other lines. | • APRA focuses on internal audit and 3rd party assurance. • We agree that most specialised external reviews belong in this line. |
Finity & Risk Management
Finity is one of Australia and New Zealand’s leading actuarial and management consulting firms, specialising in general and health insurance. Our expertise in insurance is highly regarded and has been developed by working with the industry since the early 1980s.
Finity’s focus is not solely actuarial. We have 12 staff with experience, training and qualifications in the broader areas of financial and operational risk management. We have assisted our clients with independent risk management framework reviews, risk analyses, risk appetite statements, Board risk workshops, and risk culture assessments. We have also provided risk management training. Our work has a commercial, pragmatic focus, drawing on our extensive experience.
If you have any questions relating to risk management, please contact one of our consultants.
Contacts
Steve Curley [email protected] 61 2 8252 3326
Brett Riley [email protected] 61 2 8252 3382
Jacob Mamutil [email protected] 61 2 8252 3318
Watch for news of our inaugural
CRO Forum – coming soon!
Finity Consulting Pty Limited ABN 89 111 470 270
Australia & New Zealand Insurance Industry Award ‘Service Provider of the Year’ 2006, 2007, 2008, 2009 and 2011. Australian Insurance Industry Awards - Inaugural Inductee into the Hall of Fame 2012.
Australia
Sydney
Tel +61 2 8252 3300 Level 7, 155 George St The Rocks, NSW 2000
Melbourne
Tel +61 3 8080 0900 Level 3, 30 Collins Street Melbourne, VIC 3000
New Zealand
Auckland
Tel +64 9 363 2894 Level 27, 188 Quay St Auckland 1010
Wellington
Tel +64 4 460 5213 Level 16, 157 Lambton Quay Wellington 6140
This newsletter is based on Finity’s
current understanding of APRA’s
standards and expectations. It does
not constitute either actuarial or
investment advice. While Finity has
taken reasonable care in compiling
the information presented, Finity
does not warrant that the information
is correct. We refer the reader to the
response paper, prudential standards
and draft prudential practice guide on
APRA’s website (www.apra.gov.au) for
further detail.
Copyright © 2014
Finity Consulting Pty Limited.
Contact the author
Brett Riley Tel + 61 2 8252 [email protected] Sydney Office