SecondFloor's Posts (11)


Systemically Important Financial Institutions (SIFIs), by simply being so labeled, have been forced into the financial services and public spotlight. The debates regarding SIFI status range from the likelihood of lower costs of capital, because of being identified as too big to fail, to whether SIFIs should be forced to make divestments to reduce their size and complexity to the point they are no longer systemically important. Within that particular debate the benefits to the sector of economies of scale among the larger firms will likely be considered by the regulators but ignored by the mass media, which will continue to demonise them for the purpose of convincing their readership that they are holding SIFIs to account on behalf of society.

Regardless of the drama and conjecture within the debates there is one certainty already evident – local supervisors are carrying out spot checks on SIFIs to ensure that their risk management policies and practices are comprehensive, documented and being complied with in practice. These checks are, in part, likely to be a process of getting to know the SIFIs better, with a view to understanding the sensitivities of their business models and the related economic or business performance factors and conditions that would alert the supervisor to force remedial action. Any SIFI that has also received government funding in recent years must expect all manner of intrusive interest from supervisors. The second reason for the checks is to give the supervisors confidence that business as usual activities are properly controlled and that in a stressed situation those responsible can resort to documented, accessible policies, processes and procedures, including those associated with living wills for resolution and recovery.

In Germany these spot checks are commonly referred to as ‘44 Assessments’. The term stems from article 44 of the Kreditwesengesetz (KWG). This is part of the German banking license and article 44 gives Bafin, the local supervisor, the right to enter an institution at any time without notice to undertake a review of any part of the organisation it pleases. This is a common right among supervisors and many are exercising it on the global and domestic systemically important institutions in their territory. In Germany the arrival of Bafin, or even the rumour that Bafin is considering a 44 Assessment, is enough to send senior managers in risk, finance, compliance, IT and strategic planning into a cold sweat. This reaction indicates that, regardless of how well a firm is operating, it has often been too busy with the day job to keep all the policies and controls up to date, documented, communicated and available for reference and review. And there is always a lot to keep up to date - after all, an institution wouldn’t be systemically important if it weren’t large and/or complex.

In the institutions with which SecondFloor is working there are many stakeholders and personal/professional agendas involved in risk and finance policies and procedures. Sometimes an overall responsible person either isn’t identified or has not had the capability or capacity to maintain a view of the complete business architecture in terms of the organizational structure and the processes, systems, data, policies, procedures and controls that, in combination, create the value and also the financial and operational risks within the institution. It is common for departments or individuals to maintain a repository in isolation, feeling that they are the safest guardian of such information, but those with ultimate responsibility might not even know of its existence. With this as a starting point it’s not surprising that supervisory spot checks generate nerves among executives.

Fortunately the recent checks by Bafin and other supervisors have, sensibly, resulted in constructive dialogue around the topics of governance and productivity. Despite the complexities of creating, maintaining and having available all the required information, it is, from a governance perspective, essential to have it. But for an institution to pay genuine attention rather than lip service there has to be a commercial payoff too – thus incorporating the value creation aspect as well as governing the risks.

Here a number of conversations have followed the strategic line of sight from understanding and documenting the risk and finance architecture of the institution to the practical applications of the resulting repository of interrelated elements. For example, capability management is a competence that stems from being able to look at a strategic business opportunity from the perspective of an institution’s ability to execute a strategy to take advantage of that opportunity, rather than simply basing a decision on the desire or ambition to make such a move. With the risk and finance architecture documented this is possible and can be used to achieve competitive advantage. Business continuity management and operational risk management will also be taken to the next level of professionalism when there is a common language and understanding around how the business functions and which data, systems and processes impact which products, services and customers.

The compliance function can also contribute to business efficiency and productivity when all relevant laws and regulations that impact a systemically important or large institution are documented, interpreted and cross-referenceable in terms of which policies, process and controls can be used for multiple, similar compliance activities. This eliminates duplication or repetition of compliance systems and processes. It also reduces complexity of the overall compliance function, which makes an institution’s control discipline much more streamlined, visible and clear to executives, supervisors and other stakeholders. Of course, compliance will always be seen by some as the business prevention department, but it has an opportunity to improve its reputation.

The exercise of mapping and visualizing the complete, interconnected risk and finance architecture also has a specific benefit for the IT division. It creates an as-is view and an IT cost structure of the IT landscape and architecture. In addition to IT contract management and security audits this can be used at the outset of any change programme to understand both the changes required to get to the to-be state and also the mutual and potentially conflicting impacts caused by multiple change programmes running in parallel. 

Of course, the intention of any supervisory intervention, such as a spot check at a SIFI, is to ensure the existence or improvement of a risk aware culture within an institution. Having a complete, documented risk and finance architecture means that anyone responsible for compliance or for introducing true enterprise or integrated risk management throughout the institution has access to all the reference, planning, communication and training materials they might need. As with any intention or obligation that cannot be put in place with a one-off exercise, the key is building, maintaining and deriving value from such a resource by making it accessible to, and winning adoption from across, the risk, finance, IT, compliance and strategic planning functions.

Supervisory spot checks will always be an unwelcome intrusion and distraction, but by making the maintenance of risk and finance policies and procedures part of a business-as-usual view of the business architecture, there can be many strategic business benefits to be gained. It will also diminish the cold sweats that, in future, might transmit the smell of fear that triggers a less than constructive supervisory discussion.

Contact SecondFloor today and ask your Supervisory Spot Check questions. 

 


Regardless of the drama and conjecture within the debates there is one certainty already evident – local supervisors are carrying out spot checks on Systemically Important Financial Institutions (SIFIs) to ensure that their risk management policies and practices are comprehensive, documented and being complied with in practice.

Can you Benefit from a Supervisory Spot Check? Download whitepaper to find out

It is common for departments or individuals to maintain a repository in isolation, feeling that they are the safest guardian of such information, but those with ultimate responsibility might not even know of its existence. With this as a starting point it’s not surprising that supervisory spot checks generate nerves among executives.

Having a complete, documented risk and finance architecture means that anyone responsible for compliance or for introducing true enterprise or integrated risk management throughout the institution has access to all the reference, planning, communication and training materials they might need. As with any intention or obligation that cannot be put in place with a one-off exercise, the key is building, maintaining and deriving value from such a resource by making it accessible to, and winning adoption from across, the risk, finance, IT, compliance and strategic planning functions.

In Germany these spot checks are commonly referred to as ‘44 Assessments’. The term stems from article 44 of the Kreditwesengesetz (KWG). This is part of the German banking license and article 44 gives Bafin, the local supervisor, the right to enter an institution at any time without notice to undertake a review of any part of the organisation it pleases. This is a common right among supervisors and many are exercising it on the global and domestic systemically important institutions in their territory. In Germany the arrival of Bafin, or even the rumour that Bafin is considering a 44 Assessment, is enough to send senior managers in risk, finance, compliance, IT and strategic planning into a cold sweat. This reaction indicates that, regardless of how well a firm is operating, it has often been too busy with the day job to keep all the policies and controls up to date, documented, communicated and available for reference and review. And there is always a lot to keep up to date - after all, an institution wouldn’t be systemically important if it weren’t large and/or complex.

Supervisory spot checks can be a distraction, but by making the maintenance of risk and finance policies and procedures part of a business-as-usual view of the business architecture, there can be many strategic business benefits to be gained. It will also diminish the cold sweats that, in future, might transmit the smell of fear that triggers a less than constructive supervisory discussion.

Avoid sleepless nights: contact SecondFloor.

 


As financial institutions have become more complex, so have their risk management systems – and that’s a problem.

Organisations that have grown through acquisition and diversification typically find themselves running a huge number of different systems: whether for different asset classes, different types of risk and/or for different operating entities.

That complexity is causing major issues. Research carried out by the Professional Risk Managers International Association (PRMIA) in March 2013 revealed that “getting a complete view of risk from multiple risk systems” is the top technology challenge faced by buy-side firms.

As the regulatory environment tightens in the wake of the financial crisis, it’s a challenge that firms can’t afford to ignore. Trying to aggregate data from different risk systems into a single view is fraught with issues. The variations between systems lie not only in the types of model used to calculate the risk, but also in the way the underlying data is structured and handled.

Risk management horror stories

Horror stories abound: one firm found its balance sheet to be inaccurate to the tune of several billion euros because it had misinterpreted a scaling factor used by one of its operating entities. Errors like this can easily occur in a highly complex systems environment, and the possibility that the data may not be 100% accurate means senior management end up making critical business decisions based on data that they do not wholly trust.

With supervisors taking a keener interest in how risk is calculated and aggregated, more than three-quarters of the companies polled by PRMIA said they planned to change their risk management systems in an attempt to gain an accurate, traceable and dependable enterprise-wide view of risk.

Two common approaches: neither very attractive

It’s not a project that many organisations relish, however. Traditionally, the two most common ways of achieving (or trying to achieve) a single view of risk are:

1. A “Big Data” approach, where multiple separate systems are thrown out and replaced with one single enterprise-wide risk management system.

2. A “Big Piping” approach, where data from the existing systems is “piped” into a central data warehouse for the relevant calculations and analysis to be performed.

In practice, the first of these almost always turns out to be prohibitively expensive and disruptive. As well as being a huge and highly risky IT project, it also means that many perfectly serviceable systems – often home-grown ones with advanced, proprietary models – are sacrificed for the greater good.

The second is generally the preferred approach, but implementing a central warehouse and integrating existing systems with it is also a long, expensive and cumbersome project. (One insurer we know found that after 18 months of work, it was still only in a position to bring 20% of its risk data into the data warehouse).

European institutions are choosing a third way

At SecondFloor we have pioneered a third way, and it’s already being used to accurately manage and aggregate risk data at some of Europe’s largest and most complex financial institutions. Our data orchestration tool, eFrame, works with existing risk systems to standardise the data and create a complete, automated governance framework so that every data point is checked, approved and traceable to its source. Senior management can then conduct the relevant analyses on data they know is accurate and reliable.

That’s important not just for complying with regulations ranging from Basel III and Solvency II to IFRS IV and IX – but also, and most importantly, for the quality of internal risk management. When everyone can agree on a single set of risk data, aggregated accurately from the multiple risk systems present in the business, then the tasks of setting risk tolerance parameters, creating a risk dashboard and allocating economic capital all become incomparably easier.

Find out more

If you’d like to know more about how eFrame© can help your organisation to gain a consistent, accurate and dependable view of risk, we’re happy to offer an initial phone consultation free of charge. Call us on +31 (0) 88 26 35 463 or email info@secondfloor.com, and we will be glad to help.


Integration is a hot topic this year for risk professionals. In PRMIA’s 2013 survey of buy-side risk management trends, a lack of front-to-back integration of systems emerged as the second biggest technology challenge, pipped only by the need to create a complete view of risk from multiple risk systems.

Poor integration compromises risk management quality

Why the need for front-to-back integration? The financial and Eurozone crises have highlighted the need to manage risk more proactively and in a more holistic way. If there’s nothing linking risk management systems to the transactional systems used daily to run the business – portfolio management systems, trading systems, policy management systems – the danger is that risk management is something that’s applied to the business in retrospect, rather than actively governing what gets bought and sold at any given moment.

As one respondent to the PRMIA’s survey put it: “Risk has always been a business driver – though a back-seat driver.”

What’s more, if transactional systems are divorced not only from risk systems but also from each other, there’s also a danger that the business may miss vital concentration risks – if there is no single view of the organisation’s exposure to a given country, asset class or counterparty, for example.

Lack of integration makes data gathering an arduous task

Perhaps most importantly, running a patchwork of disconnected systems makes it an incredibly arduous task to gather data from them when it’s needed – either for internal risk management or for external regulatory reporting.

We’ve written previously about the challenge of gathering data from disparate systems to perform risk management calculations. One of the problems is that there can be huge differences from system to system, in everything from date formats and taxonomies to the risk categories that different products and assets are assigned to. All of that data needs to be standardised before any kind of meaningful calculation can be performed. 

Another challenge is gathering the data in a timely fashion. What often happens is that when a consolidated risk report needs to be created, data is extracted manually from the different systems into a multitude of spreadsheets, which are then sent to Risk for manual re-entry into the calculation engine. As well as creating the potential for huge errors and inconsistencies, this approach also means that if someone is on holiday or sick, vital data may not be received in time.

A third challenge is data quality. With regulators pressing banks and insurers to develop firm-wide risk management systems and controls, firms must be able to demonstrate that they have a data governance framework in place to ensure the data gathered is always traceable, accurate and reliable. Relying on manual validation methods (like emailing people for their approval or to query a data point) is incredibly inefficient and time-consuming – and may not satisfy the regulator, either.

Integration is vital – but it doesn’t need to be a huge IT project

All of these challenges reinforce the need for greater integration between front-office and back-office systems. Fortunately, there’s a quicker and easier way to integrate front and back-office systems than building custom integrations between each one, implementing a central data warehouse, or consolidating on fewer systems across the business.

Many of Europe’s largest banks and insurers are using eFrame© from SecondFloor to orchestrate and automate the collection of data from source systems, and to create an automated data governance framework to ensure the data collected is approved, traceable, and gathered in a timely manner. It’s faster and less disruptive to implement than the more traditional integration methods outlined above, and also means organisations do not have to sacrifice any existing systems.

Find out more

If you’d like to know more about how eFrame© can help with your integration challenges, we’re happy to offer an initial phone consultation free of charge. Call us on +31 (0) 88 26 35 463 or email info@secondfloor.com, and we will be glad to help.


Enterprise Risk Management and Solvency II

Insurers need to comply with multiple regulations like Solvency II by implementing effective Enterprise Risk Management frameworks. But what is Enterprise Risk Management?

Enterprise Risk Management is a risk management approach meant to encompass all risks and opportunities across the entire enterprise — including the governance, risk and compliance (GRC) aspects. One of the Enterprise Risk Management best practices is to embed the process into strategic planning. Enterprise Risk Management should support the core strategy for growing the business. The key to the success of today’s industries, especially insurance companies, is a fit-for-purpose Enterprise Risk Management framework that meets the overall risk management, compliance and decision support requirements of the organization.

Solvency II is a European Union Directive (2009/138/EC) that codifies and harmonizes European Union (EU) insurance regulations. Solvency II mandates EU-wide capital requirements and risk management standards, which require insurers to create and harmonize a risk-based approach to solvency and capital management.

An Enterprise Risk Management framework supports all relevant aspects of an organization to meet various compliance requirements. It nurtures a risk management philosophy and a culture that promotes compliance with the corporate risk appetite, allowing managers to manage risks within their spheres of responsibility, consistent with established risk tolerances. The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and then efficiently and effectively deploys resources in pursuit of the entity’s objectives.

Enterprise risk management encompasses the following:

  • Aligning risk appetite and strategy – Align the risk appetite of the organization with the overall strategy of the organization.
  • Enhancing risk response decisions – Enterprise risk management provides the ways to identify and select the most appropriate risk responses – risk avoidance, reduction, sharing, and acceptance.
  • Reducing operational surprises and losses – An Enterprise Risk Management framework will help to identify potential risks and thereby reduce the losses.
  • Identifying and managing multiple and cross-enterprise risks – An Enterprise Risk Management framework will help to identify risks pertaining to business units spread across the organization.
  • Seizing opportunities – Risks that can be turned into opportunities can be exploited for the overall benefit of the organization.
  • Improving deployment of capital – Availability of capital can be calculated effectively as per capital adequacy requirements, which leads to efficient deployment of capital across the organization.

Enterprise Risk Management can offer the following benefits:

  • Imbue risk culture in the people and embed risk management best practices across the organization
  • Create value through effective decision making
  • Reduce customer risks and improve business resilience
  • Reduce the cost of complying with multiple compliance requirements separately
  • Orchestrate existing systems, processes and people to achieve efficiency, and to maximize the utility of existing IT infrastructure
  • Achieve auditability, governance and traceability
  • Use risk management for competitive advantage
  • Develop an efficient framework for managing and controlling information

Enterprise Risk Management can be used for achieving organizational objectives as below:

  • Strategic – Mapped to high level strategic objectives
  • Operations – optimal utilization of IT resources to maximize value
  • Reporting – reliability and ease of centralized reporting requirements as mandated by all compliance requirements like Solvency II
  • Compliance – Compliance with applicable laws and regulations – unified compliance framework

[Figure: the evolution of Enterprise Risk Management over time]

The above figure illustrates the evolution of Enterprise Risk Management over time. Organisations used to focus on a unified compliance framework for complying with auditability and reporting requirements. However, over time it has become accepted that it is worthwhile to have an Integrated Risk Management system in place to manage the overall risks of the organization. The cost of complying with regulatory requirements and of establishing and maintaining a risk management framework has been escalating due to the complexity of regulatory requirements like Solvency II. Hence, to get the most out of the investment and to manage risks for business benefits, mature and successful organizations have started implementing a governance framework for business resilience and for creating value through strategic planning and decision making.

Step 1 (Define) - The initial step towards meeting compliance requirements is to identify the gap. Hence it is worthwhile to conduct a gap analysis for Solvency II. The gap analysis will help to identify the non-compliances. The requirements as well as the gaps are documented to ensure compliance with Solvency II requirements.

Step 2 (Design) - The next step is to implement the risk management framework as part of the Enterprise Risk Management framework to ensure that the risks related to non-compliance with regulatory requirements are identified, analyzed, documented and addressed. Risks are quantified and managed effectively. The risk response can be any of the following:

  • Mitigate the risk
  • Accept the risk
  • Share the risk
  • Transfer the risk

Step 3 (Develop) - The reporting and governance requirements of Solvency II are identified and implemented as part of the overall Enterprise Risk Management Framework. The most effective means to comply with multiple compliance requirements is to implement an effective Enterprise Risk Management framework along with the Governance, Risk and Compliance (GRC) solution. GRC solutions offer overall control of transparency, auditability and reporting. GRC is the umbrella term covering the aspects of the following:

Governance - overall management approach through which senior management direct and control the entire organization, using a combination of management information and control structures. Governance ensures that the information is complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out effectively.

Risk Management - set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives.

Compliance – conforming to the stated requirements. Compliance requirements like Solvency II for insurers are identified to ensure they are met.

Step 4 (Develop) - An internal control framework is the key to the effective implementation of an Enterprise Risk Management framework. Internal controls are designed in accordance with the compliance requirements of Basel II and Solvency II. The idea is to ensure there is adequate mapping between regulatory requirements, corresponding risks and respective internal controls to implement or comply with the compliance requirements.

Step 5 (Deploy) - The final step is to perform regular testing of the internal controls for their effectiveness. The test will be a part of the umbrella Enterprise Risk Management framework and meet the auditability and reporting requirements of Solvency II.

“The most important aspect of implementing Solvency II is the time-driven reporting window and availability of real-time data for reporting, because this is where the pain is hidden. This can be achieved by implementing an effective Enterprise Risk Management framework,” says Emmanuel Noblet, SecondFloor.

Stress testing is an important aspect of Solvency II compliance. It involves applying pre-defined financial shocks, or performing risk simulations, to banks and insurers under financial and economic stress in order to test the liquidity and capital adequacy of the organizations. Solvency Capital Requirements and Minimum Capital Requirements (Solvency II) are calculated and reported by the Enterprise Risk Management solution. However, the availability of an effective Enterprise Risk Management framework will ensure that such tests and calculated results are regular practice and do not require additional cost. Moreover, an indication of non-compliance can help senior management to take appropriate decisions.

“Effectiveness of Enterprise Risk Management framework is measured by how much the risk culture is embedded in the business workflow and day-to-day activities and still complying with various regulatory requirements like Solvency II” says Emmanuel Noblet, SecondFloor.

In conclusion, the availability of an Enterprise Risk Management framework makes it easier to embed the compliance requirements in the business workflow. Compliance is regularly monitored, the risk culture is imbued in the organization, and decision making becomes easier, leading to significant strategic advantage for the organization. Repeatability, accountability and traceability requirements are managed along with governance and reporting requirements for various compliance requirements like Solvency II. Centralized governance and reporting ensures centralized management of risks and regulatory compliance requirements to meet overall organizational goals.

Hence effective Enterprise Risk Management frameworks not only help to comply with regulatory requirements, but can also be used for business resilience and strategic advantage, creating value for the organization through strategic planning and effective decision making to meet organizational goals.


Of course, Solvency II has not gone away. The new solvency requirements will be implemented. But the lull in urgency to meet an enforcement date is triggering a predictable and understandable reaction from those insurers that are responding to Solvency II with a compliance approach rather than a best practice corporate governance and risk management approach.

The ‘compliance only’ firms are easing off their SII projects, taking a well earned break from the stress and expense, and re-allocating resources to the many other initiatives that are needed to improve business performance and efficiency. But what will become of their Solvency II progress-to-date?

With contractors and external consultants being let go and internal project teams being down-sized or disbanded, there’s a risk that the work and, as importantly, knowledge generated during the last months or years will be lost. Naturally, some of the work is likely to be already in use in the business as usual environment. However, it’s unlikely that all the work-in-progress is in a condition that a fresh team can pick it up and run with it in the future. There’s a risk that corporate memory loss will cause a frustrating and costly restart to many Solvency II projects.

What will mitigate this risk of memory loss is to think ahead to the Solvency II restart in terms of preparing for the start of a normal project. A project addressing change in a firm requires an as-is analysis of the current situation, and demands documentation around the processes, data, systems and people involved. In the Solvency II stand-down case this goes further than simply creating a repository of files, plans and part completed software code related to Solvency II. A simple repository, however well organized, will not provide a clear articulation of the relationships between all the players and moving parts, and the intended direction and roadmaps that were originally in mind.

With a complete as-is analysis the next generation Solvency II team will not have to reinvent the wheel or repeat mistakes. If the analysis is done well it can even point the next team to ways of creating an even better Solvency II regime within a firm than had originally been intended. This might include making the Solvency II analysis and reporting processes more streamlined, efficient and better controlled, resulting in a genuinely good Solvency II solution for the firm, rather than a grudgingly good enough solution.

Would you like to know how your company can comply with Solvency II regulation efficiently and painlessly? Contact SecondFloor today.

 


The economic climate and tightening regulations are prompting large enterprises to invest in capability management tools - a new category of software that helps senior decision-makers to understand the organisation’s readiness to implement new initiatives.

Large, complex enterprises run a huge risk every time they implement a new strategic initiative. The risk is that something important will have been overlooked in the planning stage that will cause the initiative to fail, run over time or over budget, or fall foul of regulators.

Many organisations view those risks as a fact of life. That’s because anticipating and mitigating them is next to impossible, especially if the organisation wants to move quickly. It’s simply too difficult to amass and analyse the mountains of information from across the business – and beyond – that might have some impact on how the new initiative could roll out.

The result is that major change programmes are implemented without senior management being fully confident that they will happen as intended, or that the outcomes will be the desired ones.

Economic pressures and new regulations are hardening attitudes to risk

Now, the economic climate is making senior management more risk-averse. They want to act, but they want to be confident that a new product launch, or expansion into a new market, will be a success. Straitened budgets mean there’s less appetite for risk and lower tolerance for failure.

At the same time the regulatory environment is tightening, with the financial services industry in particular starting to see new, stricter regulations coming into force as a result of the recent crisis. 

In June 2013, for example, the UK’s Prudential Regulation Authority instructed five banks to find £13.4bn in additional capital – a demand that will likely have caught some off guard and derailed investment plans. And the insurance industry is living in the shadow of new Solvency II regulations whose detail and timescales continue to shift, making it hard to plan new growth initiatives.

Capability management can reduce the risk of business failure

It’s this kind of uncertainty that has led to the emergence of capability management as a management discipline.

Pioneered by the armed forces, capability management is now making its way into the commercial arena. Essentially, it’s the practice of analysing and understanding the organisation’s ability to carry out a planned strategic initiative or change programme, and making decisions based on that insight.

It may sound straightforward, but the barrier to capability management has always been the need to sift through enormous amounts of information to understand where capabilities, risks and gaps lie. 

In most organisations, information about different functions is kept in silos, so it’s been almost impossible to get a clear view of – for example – which products are affected by which regulations in which countries, or which existing systems, processes and people can be deployed to support a major launch into a new geography.

These are hugely important questions that can have a significant bearing on the cost, timescale and deployment plan for any new initiative. But most enterprises have lacked the software tools to connect information from different systems to create a ‘big picture’ view of the organisation’s capabilities in a given area.

Some try to use spreadsheets or PowerPoint to cobble the information together, but that requires a massive manual effort for an end result that’s usually incomplete and out of date. Others have invested in ‘point’ software tools that are very good in a given area – for example process management – but can’t link different areas of the business to provide the big picture.

The first capability management tools are now here

Until now, there hasn’t been a good alternative to these two (flawed) approaches.  But now, the first truly holistic capability management tools are appearing on the market.

At SecondFloor, capability management is a function we’ve built into our TopEase® business control software, which is used by large banks and insurers across Europe to map, connect and analyse every element that makes up the business.

Using TopEase® for Capability Management, organisations can get a truly holistic view of business capabilities, with heatmaps revealing risks and gaps that must be addressed to ensure an initiative runs smoothly.

For more information about how TopEase® for Capability Management can accelerate major change initiatives, reduce operational risk and increase successful outcomes, contact SecondFloor today. 

Read more…

The Basel Committee, which creates regulations for banks, has published a set of principles regarding effective risk data aggregation and risk reporting, which will provide a fantastic business case for risk professionals to improve their risk frameworks. I’ve included highlights below, but you can take a look at the full report here.

The principles for effective risk data aggregation and risk reporting will be mandatory for globally systemically important banks (G-SIBs) from 2016, and the Basel Committee recommends that national regulators make them mandatory for domestically systemically important banks (D-SIBs). There are currently 29 G-SIBs, and D-SIBs will probably be the top four or five largest and/or most complex banks in each country. Beyond this, I believe the principles in the Basel document will become an industry standard by which all banks will be assessed by institutional investors and during due diligence processes for mergers and acquisitions.

The Basel Committee’s principles cover four closely related topics, and are common sense, though not easily attainable: 

• Overarching governance and infrastructure 

• Risk data aggregation capabilities 

• Risk reporting practices 

• Supervisory review, tools and cooperation 

A couple of excerpts from the report that will resonate with most practitioners explain why the principles are necessary. These explanations will come in handy as ‘I-told-you-so’ introductions to many a business case for the next steps in enterprise/integrated risk management frameworks and in business analytics at group level (because it’s ultimately the board and senior management that own this challenge):

• Ensure that management can rely with confidence on the information to make critical decisions about risk.

• Accurate, complete and timely data is a foundation for effective risk management. However, data alone does not guarantee that the board and senior management will receive appropriate information to make effective decisions about risk. To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete. They should contain the correct content and be presented to the appropriate decision-makers in a time that allows for an appropriate response.

Other elements within the principles that point to some solid professional challenges are:

• Supervisors observe that making improvements in risk data aggregation capabilities and risk reporting practices remains a challenge for banks, and supervisors would like to see more progress

• These risk reporting capabilities should also allow banks to conduct a flexible and effective stress testing which is capable of providing forward-looking risk assessments

• When expert judgment is applied, supervisors expect that the process be clearly documented and transparent

• A bank’s board and senior management should promote the identification, assessment and management of data quality risks as part of its overall risk management framework.

• A bank’s risk data aggregation capabilities and risk reporting practices should be fully documented and subject to high standards of validation.

• Capabilities to incorporate new developments on the organisation of the business and/or external factors that influence the bank’s risk profile

• Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated

The Basel principles for effective risk data aggregation and risk reporting might not look 100% practical for inclusion in the real world, as opposed to a wish-list paper exercise, but at SecondFloor we believe it creates the right mindset.

The list of globally systemically important banks is created by the Financial Stability Board and can be found at: http://www.financialstabilityboard.org/publications/r_121031ac.pdf. This latest list was created in Nov 2012 and will be updated again in Nov 2013.

For more about SecondFloor’s solution for efficient analytics and critical and regulatory reporting, and how it can help with integrated risk management, contact SecondFloor today.

 

Read more…

L’exercice 2013 de preparation a Solvabilite II, something close to a French Solvency II dry run scheduled for September 2013, gives French insurers the chance to immediately take advantage of the lessons learned by other European insurers that raced to be ahead of the Solvency II curve. Many of the mid-size and small French mutual insurers (les mutuelles) held back from initiating projects and they can now draw on the best practices that have come out of early adopter projects across Europe from the likes of Allianz, Prudential, Legal & General, ING, Aviva and Nordea. Such insurers have come to understand the scope and structure required for a successful Solvency II programme. They have pioneered the practical approaches to calculating economic and solvency capital, coordinating the data, models, calculations and analysis involved,  and bringing all this together within a strict reporting time window. Many have struggled to achieve this, but their lessons have been learned and are available now for the benefit of French insurers.

For the 2013 preparation exercise most insurers will be looking at a challenge similar to generating a Standard Formula report and will need to gather the right data, run the calculations and complete the template for submission to the Autorite de Controle Prudentiel, the French regulator sitting in the Banque de France (www.acp.banque-france.fr/exercice-2013-preparation-solvabilite-2.html).

At this stage most firms won’t be looking for portfolio replication, curve fitting or other sophisticated capital calculation methods, but many will be looking to leverage the time and effort they spend on l’exercice to lay the foundation for their future Solvency II regime. The priority capabilities required, and the methods for addressing the complexities involved in instigating them, will give confidence to those responsible for delivering a complete, accurate Preparation a Solvabilite II submission on time. So for those who have thus far abstained from the pleasures of Solvency II, the French QIS could be an exciting experience.

Would you like to know how your company can comply with Solvency II regulation efficiently and painlessly? Contact SecondFloor today.

Read more…

The new category of domestic systemically important banks will increase the data management and disclosure burden on qualifying institutions, at a time when many are already feeling the strain.

Banks that escaped classification as G-SIFIs in 2011 may have breathed a sigh of relief at the time, but for many, that relief will have been short-lived. In October last year, the Basel Committee on Banking Supervision (BCBS) set out its proposed framework for an additional category of systemically important financial institutions, so-called D-SIBs, or domestic systemically important banks.

D-SIBs are described by BCBS as “banks that are not significant from an international perspective, but nevertheless could have an important impact on their domestic financial system and economy compared to non-systemic institutions.” (Source: BCBS: A framework for dealing with domestic systemically important banks, October 2012). 

A framework based on 12 principles

The BCBS believes that banks that are too big or too important to fail on a national level should be subject to more stringent regulation – particularly in the allocation of capital buffers, but also in the overall quality of governance and risk management – than peers whose failure would have no systemic impact. To this end, it has set out 12 principles that national regulators need to incorporate into a framework for identifying and supervising qualifying banks operating in their jurisdiction; a framework that must be in place by January 2016.

Once identified by their home or host authorities, D-SIBs will be subject to similar capital restrictions to their global counterparts, notably the application of a Higher Loss Absorbency (HLA); an additional capital buffer to those mandated under Basel III. 

The aim of the legislation is to prevent significant harm to a real national economy caused by the ‘failure or impairment’ of one or more institutions that are systemically important within the domestic economy, whether through their size, their interconnectedness with other institutions, their uniqueness in terms of the service they provide, or their organisational complexity. 

D-SIBs will see their data management burden become heavier still

It’s not yet clear how regulators will go about identifying which banks will qualify as D-SIBs. But one thing is clear: for banks that do qualify (and the list will be reviewed on an annual basis), the new regulatory framework will impose yet another data aggregation and reporting requirement on top of an already-onerous compliance workload.

Essentially, D-SIBs will have to demonstrate that they have calculated HLA requirements accurately, and that their governance and risk management activities meet the elevated standards set out in the 12 principles.

Deloitte analyses the likely impact on data governance methods

The impact of this disclosure requirement has been examined in detail by Deloitte in its report Risk, data and the supervisor (October 2012).  Deloitte’s report is mainly concerned with G-SIBs, but it seems likely that most of the reporting requirements imposed on G-SIBs will also be imposed on D-SIBs.

Fundamentally, Deloitte notes that the introduction of G-SIBs (and, we can infer, now D-SIBs too), means that data quality and data governance are coming under increased regulatory scrutiny: “The eye of the supervisory community is moving on to data management and away from simply prescribing the data outputs,” it warns.

Elsewhere, the report notes that “implicit in the BCBS’ principles [for G-SIBs] is that underlying data which enables the generation of risk metrics must also be of sufficient quality…this includes counterparty data, legal entity hierarchies, book data, trade data, prices, instrument static, etc.”

Time for a more strategic approach to data management

The conclusion is that banks urgently need to take a more strategic approach to data management, with an emphasis on watertight data governance that spans the entire business and means that any calculation or data point can be validated, reconciled and traced to its source.

That’s not something that can be achieved with ad-hoc projects or manual data gathering processes. It requires an automated, end-to-end, enterprise data governance framework that can be used to gather, calculate, validate and audit data of all kinds, and to turn that data into appropriate reports for all kinds of regulatory disclosure, from D-SIB reporting to Basel III and MiFID, as well as for internal risk analytics and management.

For more about SecondFloor’s solution for efficient analytics and critical and regulatory reporting, and how it can help with the growing burden of data governance, risk analytics and regulatory disclosure, contact SecondFloor today.

Read more…

It is interesting to note that in his Jan 31st speech (see pages 6-8) Gabriel Bernardino, Chairman of EIOPA, reiterated EIOPA’s intention to issue guidelines to national supervisors to ensure that from 2014 the supervisors and insurance entities are prepared for the Solvency II regime in a consistent way.

The focus/priority of EIOPA now appears to be the aspects of the Solvency II regime that are management related, rather than Pillar 1 calculation related. The ‘certain important aspects’ covered in the guidelines will be, “…the system of governance, including risk management and the process of developing an own risk and solvency assessment, pre-application of internal models, and reporting to supervisors.”

Risk management and own risk and solvency assessment (ORSA) are the key elements of best practice management culture that the Solvency II rules are trying to engender, so it’s no surprise that EIOPA is prioritising the core professional discipline of the regime. But what will this renewed Pillar 2 zeal mean for insurers that have just eased off their Pillar 1 calculation projects and are trying to prioritise initiatives to achieve growth, profitability and efficiency? Need ORSA be the next big distraction?

ORSA preparation certainly means that Solvency II programs need to be re-evaluated and refocused. ORSA isn’t a check-box reporting exercise, and neither is it about being seen to be doing appropriate solvency assessments, like an operational risk self assessment where controls are identified but no one follows through by owning them, applying them or policing them. It’s not as simple as taking the Solvency Capital Requirement (SCR) figures and including them on the agenda at management and board meetings either.

So what is ORSA and why should insurers care about it at this moment in time? ORSA is about actively demonstrating that the management team is in full control of the business. As with the difference between regulatory capital and economic capital, the firm needs to understand the solvency peculiarities specific to its business, act upon them and, just for good measure, explain the difference between the SCR and the ORSA assumptions, calibrations and outcomes. Not only this, but the process and methodology of undertaking the ORSA have to be fully documented, as do the SCR/ORSA reconciliation explanations. It’s going to feel like a full, group wide, ISO certification challenge, even if your risk, capital management and stress testing (let’s not forget it) capabilities are already at the level you desire them to be, and even if you’re using the same models for regulatory reporting and running the business.

For firms with a clearly articulated risk appetite that have gone a long way to developing their Pillar 1 internal model-based regimes, which already incorporate firm-specific risks and use much internal data, ORSA could be relatively straightforward. However, even here there might be challenges.

Firstly, ORSA is an ongoing behaviour and has to influence the strategic decision making of the firm. This then requires more than a static snapshot-type dashboard report for discussion at management meetings. It requires the ability to look at the firm in its entirety, see where the current direction will take it, and identify what needs to happen now to optimise the future outlook. This necessitates gathering, aggregating and calculating key financial, risk, capital, investment and business performance metrics, some of which will not have been part of the SCR preparation project, and few of which will have reflected the inter-relationships involved. Stress testing, already a sore point because of the resources it distracts from business-as-usual work, will sensibly become part of the ORSA regime too, in such a way that tests can be repeated ad hoc to check if the decisions taken after the original test have made the firm more resilient.

Secondly, the ORSA process has to be smooth and streamlined, because senior management and supervisors will insist that the assessment is updated swiftly in the event of a significant change in risk profile that threatens risk tolerances. Fire-drill readiness will have to be the norm if the industry wants to claim that lessons have been learned from the financial crisis. It’s a big ask, but it’s possible, the tools are out there, and it’s already a reality for a few firms blessed with intelligent foresight. The underlying industry-wide state of ORSA evolution will be the true bellwether of culture change intended by SII, not the implementation date for SCR reporting or the number of people filing with XBRL.

Firm-specific risk culture, however advanced, will nevertheless be sorely disrupted among firms that have yet to succeed in their Pillar 1 endeavours. They will likely encounter a multi-compliance project squeeze plus a few chicken and egg conundrums if they find themselves looking at simultaneous bottom up and top down SCR and ORSA projects at the beginning of 2014. And that’s assuming they can pull together the remnants of their SII project team, which will likely have been subject to resource reductions and direction drift, resulting from the persistent uncertainty from the regulators around final SII design, calibration and implementation dates.

Whatever a firm’s Solvency II attitude or readiness, and harking back to Mr Bernardino’s ‘certain important aspects’, the essential thing for any firm is that its board is working hard to ensure it has control over the business activities of the firm and can reach a point of confidently taking the right decisions for its long term health. The rest will fall into place and supervisors will be able to hold up the SCR figures to promote public confidence in the financial stability of the insurance sector. Solvency II predictably continues to be an uncomfortable and frustrating journey, and regulatory affairs staff along with Solvency II program directors will be looking to Mr Bernardino and his local counterparts to be as swift, thorough and decisive in their Solvency II strategy as the board is expected to be with its ORSA regime.

Would you like to know how your company can comply with Solvency II regulation efficiently and painlessly? Discover Solvency II solutions here.

Read more…