Monday, April 22, 2013

Three Lines of Defense Part 1

Workshop day. Looks like about 75 people in attendance, and we have six presenters.  

Webpage for this day’s sessions: http://www.ermsymposium.org/2013/seminars.php

Mostly insurers in attendance, 15% consultants, and a smattering of banks. Most insurers in attendance say they are implementing this idea to some extent.
 
"The Three Lines of Defense," Part 1

Intro (Alexander Shipilov): “Three lines” was originally just a metaphor, but regulators adopted it, so it stuck. There is a group on LinkedIn, “3 Lines of Corporate Defense,” where you can go to continue the discussion and ask more questions. He recommends joining the group if you have an interest.

Presenter 1: Leon Bloom, Sr. Partner at Deloitte
Risk Governance: evolving beyond the traditional “three lines of defense” model

He sees the financial crisis as caused by failure of risk governance. Regulators, investors, and analysts are now focused in this area, making this a hot topic. Firms that have adopted this approach have been more resilient. Risk governance is the system for controlling the management of risk. It involves roles, authority, responsibility, and information. Currently seen as a gap area for the industry. The 3 line model is sound in theory but hasn’t been sound in application; consequently it needs to evolve.

6 key issues for global financial institutions: capital, liquidity, economy (US debt at all-time high, Euro insolvency, etc.; very bad timing for all these problems), operations (reducing costs), M&A, risk governance

“There will be winners and there will be losers... the winners will be those with the best handle on risk management.”

He has concerns about regulation becoming very prescriptive, getting in the way of actual effectiveness.
Four priority areas for regulation: inherent riskiness of the business model, tail risk, pricing, risk governance (audit function ≠ risk governance)

Story: Northern Rock - successful institution, ROC was good, etc., but didn’t recognize that it was heavily dependent on two sources for funding: mortgage-backed securities and issuing short-term commercial paper. Liquidity dried up overnight. 9 weeks before they collapsed, their ORSA-equivalent had two paragraphs on liquidity (and the regulator signed off). Entire business model was dependent on liquidity; plenty of capital, but that didn't matter.

Pricing hasn’t been sensitive to risk historically (and regulators blind to it).

Lack of clarity around ownership of risk by the first line of defense - failure of risk governance. Those who take the risks should be accountable, rather than use the second and third lines as a management control. [KR: this was the main emphasis of his presentation.]

“...as we continue to move through the financial crisis” - emphatic about this: it’s not over.

“Risk people” should *never* own risk; ownership of risk should fall as close to the origin of the risk as possible. The person taking the risk should own it. “Risk management’s” job is *not* to manage risk; its job is to create systems, policies, and support to guide the risk owner. Accountability needs to be accompanied by authority.

Emerging risk governance requirements: governance, closer alignment of risk and business considerations, holistic risk governance approach.

Challenges: he lists a number, but the most interesting to me was the point that the objectives and target end-state for ERM are unclear.

Aside on Dodd-Frank: it was passed in a hurry, with too many complex, confusing requirements. He doesn’t think it’s going to help, and he expects it will be thrown out and replaced eventually.

Guiding principles - see slide 8. Risk has been taken based on CEO personality (ability to intimidate the Board); establishing principles can help keep that from happening.

Story: 12 months ago in the UK a trader was sentenced to 12 years in prison for losing £2b. He knew all the risk governance policies, but his boss told him to ignore them. This is the operating culture versus the risk governance.

“The operating culture is what goes on when no one’s looking.” - this is the other major take-away from this presentation.

Evolution of the ‘lines of defense model’: “Roles, responsibilities, accountabilities, authority, design, and information” (see graphic, slide 11)

Maturity levels (of a firm's risk governance): unaware, fragmented, integrated, comprehensive, optimized. Small organizations do too little, large can do too much (bureaucratic).

Story about attempts to transfer accountability: manager asks internal audit to review the risk governance process he uses, thus making audit responsible. This is typical behavior from the first line of defense. Accountability in the first line is weak. Ultimately it's management's self-assessment. The Board is the check on this, and they need to review *and* challenge management's assumptions.

"6 is less than 3" - really sees 6 lines of defense, but doesn't say this because people think 6 is overwhelming compared to 3. Part of the reason why he sees 6 as being less than 3 is that he believes the third line of defense can downsize significantly. They are given the most resources, but this enables the first and second lines to rely on the third line instead of doing their jobs.

Story: company that kept hiring more internal auditors every time there was a risk event. A company of a few thousand ended up with 160 internal auditors. It didn't make a difference: the risk crises continued. The CEO decided to make a change to the risk culture. He reduced audit back to 3 people, added 2 risk managers, and changed compensation to reflect risk accountability for execs. The number of risk events shrank dramatically as a result, despite fewer resources allocated to risk management.

Risk management's job is *not* to set limits. Risk management creates the system that guides the setting of limits.
 
Risk taking structure: Board (oversight, approval) -> Executive Management Committee (ultimate responsibility, select risk appetite) -> Business Functional Head -> Business Leadership Groups (setting limits) -> Individual Risk Takers

Story: dominant CEO of insurer ignored Board and others and elected not to hedge. Lost 90% of market cap when stock market declined. They had an "Audit and Risk Committee," where risk was an add-on and not really understood. Everything that went to the Board went through CEO as well.

My question for him: CEOs change. Do you really have to revamp your risk governance every time your CEO changes? Answer: Yes, to the extent that is required with the particular CEO, *but* the principles of risk management for the firm should not change with the CEO. Principles remain constant, but the system needs to change to accommodate the personalities involved. [KR: this is interesting to me, the potential psychological angle to qualitative ERM.]

"Doers and checkers" - how his friend (actuary and CRO of reinsurer) describes the 6 line process.

Note that not all checkers would be full-time. Large banks have full-time staff doing model validation, but most likely for policy review, you wouldn't hire someone just for that. The key is for the checker to be competent and independent.

Business case for effective risk governance: it's about improving the odds when taking risks. Reduce surprises, optimize risk/return, improve shareholder value.

He believes it's a bad idea to have the CEO also be the Chairman of the Board or President.

My question for him: What's a small firm to do? How do you find competent, independent checkers? Answer: Smaller firms are limited in what they can do. Priority should be putting accountability with the risk taker. Remember that the principles would still remain the same.

My question for him: What if risk appetite is high to the point that perhaps you *want* the CEO to run wild? Answer: There is a limit to the risk your capital can absorb, regardless of your risk appetite. Risk appetite is deciding how close to that limit you're willing to go. Even if you are willing to go all the way to the limit, risk governance will still be needed to monitor and control *that* limit. 

End Part 1
