Explain why different parts of the same organisation might be subject to different regulatory regimes and/or capital adequacy standards (5)
- having operations that are regulated by different territories
- having subsidiaries that operate in different industry sectors, eg financial and manufacturing
- having subsidiaries that operate in different areas within the same sector, eg banking and insurance
- having subsidiaries or portfolios within the same sector that are subject to different regulatory requirements, eg traditional insurer and captive insurer
- having subsidiaries which are new ventures or acquisitions and are at different lifecycle stages
List the types of external entities that may exercise supervision and control over a company (5)
- professional bodies – eg the Institute and Faculty of Actuaries
- professional regulators – eg the Chartered Financial Analyst Institute (CFA)
- industry bodies – eg the British Bankers’ Association (BBA)
- industry regulators (supervisors) – eg the PRA, FCA and LSE
- governments
List the five processes that may form part of a prudential supervision system
- oversight (eg financial)
- licensing
- a requirement to maintain minimum standards (eg operational)
- procedures for monitoring compliance with standards and licences
- processes to take action against those who fail to comply
Outline the UK Senior Insurance Managers Regime (SIMR)
There are two main parts to the SIMR:
- A governance map giving details of:
- company and corporate governance structures
- identified ‘Key Functions’, ‘Key Function Holders’ and ‘Key Function Performers’
- all individuals within the SIMR regime, their responsibilities and reporting lines
- the rationale applied in identifying those individuals and allocating responsibilities to them. - An assessment of fitness and propriety of senior insurance managers and directors, based on their responsibilities as allocated through the governance map.
Outline two broad types of regulation
Two broad types of regulation:
1. functional regulation – where different authorities oversee different activities (eg banks and charities). This is the system used in the UK.
- unified regulation – where a single regulator covers a broad range of activities. This is the system used in Australia.
Outline the advantages and disadvantages of unified regulation
Advantages:
- easier to regulate financial conglomerates
- ensures a consistent approach across financial services activities
- limits any incentive for regulatory arbitrage
- economies of scale
- better sharing of ideas between regulatory staff
- improved accountability (less buck-passing between regulators)
Disadvantages:
- may become large and bureaucratic
- departments within the regulator can end up functioning independently
State five factors that an insurer should consider when developing a set of relationship management principles with a regulator
The insurer should consider what principles to adopt with respect to:
- alignment to supervisory objectives
- preservation of the insurer’s reputation
- the importance of being proactive and engaging with a regulator as early as possible
- transparency of communication
- ensuring accountability for and governance of relationship management.
Outline insurer-regulator relationship management principles relating to alignment to supervisory objectives and to preservation of the insurer’s reputation (6)
- The insurer’s overall corporate strategy should encompass a supervisory strategy.
- The supervisory strategy should be communicated to the regulator, in particular how it will lead to compliance with regulation.
- The insurer should notify the regulator early of any changes to corporate strategy.
- The insurer should have processes in place to ensure supervisory requirements are understood, accepted and met throughout the company.
- The insurer should work with the regulator to develop policy as insurers are well-placed to assess the practical implications of changes in policy.
- Best practice should be adopted before it becomes mandatory.
Outline insurer-regulator relationship management principles relating to proactive engagement (4)
- The insurer should be pro-active in its engagement with the regulator, anticipating supervisory changes and seeking out opportunities to work with the regulator.
- The insurer should work with a regulator to develop an overall plan of regulatory site visits and assist in the planning and logistics of each individual visit.
- Recommendations from the regulator should be welcomed.
- A positive perception of the supervisor should be encouraged within the insurer.
Outline insurer-regulator relationship management principles relating to transparency of communication (6)
- Communication with the regulator / supervisor should be proactive, regular and open.
- The insurer should respond promptly to data requests / investigations.
- The insurer should have processes in place to report breaches, which supervisors understand will occur from time to time.
- The insurer should keep the regulator up-to-date with progress on risk management qualification and quantification exercises.
- The insurer should aim to submit responses to surveys and consultations in good time and may wish to co-ordinate submissions with other insurers, perhaps through an industry body.
- Responses to consultations should be practical and unbiased: the insurer should avoid invoking an argument that it is unique, and should not feel under pressure to comment on every aspect of a proposal.
Outline insurer-regulator relationship management principles relating to accountability for / governance of the relationship
There should be clarity as to which individuals are accountable for each of the following broad groups of interactions:
- operational or procedural
- unusual or non-standard
- strategic.
The Chief Risk Officer (or the Chief Financial Officer) should have overall responsibility for the relationship and co-ordinating interactions.
Continuity of the personnel involved in each type of interaction should be maintained as it helps to develop and maintain a trusting relationship.
Boards should encourage an appropriate relationship with regulators by setting the tone and be kept fully informed of insurer-regulator interactions, especially non-standard and strategic interactions.
List the aspects of an organisation that a risk-based regulator typically seeks to understand (5)
Regulators try to understand which companies represent greatest risk by examining:
- the nature of the business
- governance arrangements
- business plans
- financial (condition) reports
- risk management strategies and processes.
Outline the three pillars of Basel Accords
Pillar 1: minimum regulatory capital requirement determined by the amount of credit, market and operational risk exposures
Pillar 2: supervisory review which relates to the bank’s internal risk management processes. Supervisors will assess the bank’s internal systems, processes and risk limits to ensure that the bank has set aside sufficient capital for its risks (additional capital may be required, but this is expected to be rare). Particular attention is paid to liquidity and concentration risks.
Pillar 3: level of disclosure that the bank is required to undertake to the public and the market. Its purpose is to facilitate market discipline on firms through appropriate pricing for capital.
Summarise the main criticisms of the Basel II requirements (7)
- places too much confidence in a complex model that summarises many diverse risks into a single number
- suffers from the difficulties in quantifying certain types of risk, eg operational
- gives only cursory consideration to certain risk types, eg liquidity
- may create systemic risk – pro-cyclicality and risk herding
- uses market values which may under-value certain assets under certain conditions
- is very costly to implement, especially the IRB approach and AMA
- increased complexity, and implied high levels of confidence, leads to overconfidence in risk controls
Summarise the main aims of Basel III (5)
Basel III works alongside Basel I & II. It:
- focuses on specific liquidity risks (eg the risk of a run on the bank) as well as systemic and counterparty risks
- strengthens the capital requirements for banks, including limiting cross holdings in other financial institutions and associated assets to limit systemic risk
- introduces a conservation buffer to provide breathing space in times of financial stress
- changes the minimum ratios of Tier 1 and Tier 2 capital
- allows some flexibility in capital requirements in times of financial crisis to limit pro-cyclicality.
Summarise the aims of Solvency II (6)
- economic risk-based solvency requirements across all EU Member States
- more comprehensive requirements than in the past taking account of the asset side as well as liability side risks
- requirement to hold capital against market risk, credit risk, operational risk and underwriting (life, non-life and health) risk
- emphasis that capital is not the only (or the best) way to militate (this means ‘to have influence on something or to bring about a change’) against failures
- more prospective focus
- streamlined approach which aims to recognise the economic reality of how groups operate
Outline the three pillars of Solvency II
Pillar 1: quantitative requirements designed to capture underwriting, credit, market and operational
risk. There are two parts to the requirements: the Solvency Capital Requirement (SCR – below which regulatory action is taken) and the lower Minimum Capital Requirement (MCR – below which authorisation is foregone).
Pillar 2: qualitative requirements on undertakings such as risk management well as supervisory activities. Specifically, insurers must carry out their Own Risk and Solvency Assessment (ORSA) to quantify their ability to continue to meet the SCR and MCR in the near future, given their identified risks and associated risk management processes and controls.
Pillar 3: supervisory reporting and disclosure
Outline the purpose and requirements of an Own Risk and Solvency Assessment (ORSA)
The purpose of the ORSA is to provide the board and senior management of an insurance company with an assessment of:
- the adequacy of its risk management, and
- its current, and likely future, solvency position.
The ORSA requires each insurer to:
- identify the risks to which it is exposed,
- identify the risk management processes and controls in place, and
- quantify (using long-term projections) its ongoing ability to continue to meet its solvency capital requirements (both MCR and SCR)
- analyse quantitative and qualitative elements of its business strategy
- identify the relationship between risk management and the level and quality of financial resources needed and available.
Compare Basel II and Solvency II
Key similarities:
- three-pillar structure
- risk-based, at least in part (unlike volume-based Solvency I)
- suitable for multi-nationals
Key differences:
- Solvency II not designed with systemic risk in mind
- Solvency II is more principles based, Basel II has more prescriptive rules
- Solvency II is EU, whereas Basel is global
Outline the key features of the Sarbanes-Oxley Act (7)
- formation of a Public Accounting Oversight Board (PAOB) – to inspect the published accounts of quoted firms and prosecute any accountancy firm breaching the regulations
- increased accountability of CEOs and CFOs of public companies – requiring them to certify that financial reports do not contain any untrue facts and making them personally responsible for these financial disclosures
- published reports must contain an internal control report (ICR), which commits management to maintain and review proper internal controls
- audit committee and external auditors must have independence
- strengthened separation of analyst and investment bankers
- management interference with the audit process is made illegal
- destroying records or documents with intent to influence an investigation is made illegal
Outline key themes for management to consider as part of their governance, risk and compliance (GRC) systems
Key themes for management to consider include:
- are controls identified and documented?
- are controls consistent across the business?
- do controls address the critical factors – ie are the right controls in place?
- do the controls include risk management?
- what testing procedures are required before signing off the ICR?
Outline the COSO Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a US private sector organisation, sponsored by professional accounting associations.
The framework it has set out definitions and standards which organisations can use to assess their internal RM control systems.
The framework considers different aspects of a business across three dimensions (often represented as a cube):
- activities required to demonstrate internal controls
- business areas covered
- level of application.
The contents of each cell is considered in terms of whether there are adequate internal controls (eg reporting of risk assessments at divisional level) to demonstrate compliance with Sarbanes-Oxley.
State the principles embedded in the COSO framework (7)
The principles embedded in the COSO framework include:
- ERM should be integrated into an organisation’s strategy
- risk represents opportunity as well as potential downside
- ERM is a multi-dimensional and iterative ongoing process
- it should be integrated into everyday processes
- everyone has a role in risk management (at all levels), but ultimate responsibility is with the CEO
- any risk management process is imperfect
- implementation of risk management must balance cost with potential benefit.
Outline the Swiss solvency test (3)
- is a risk-based regulatory capital regime
- takes a market consistent approach and has similarities with the Solvency II Pillar 1 requirements, but uses a Tail Value at Risk (TVaR) measure at 99% confidence rather than Value at Risk (VaR) at 99.5% confidence
- extreme scenarios have to be evaluated and the impact on the target capital has to be estimated
