1Risk Advisory
Leveraging Existing Processes to Address Regulatory Change
December 11, 2015
Agenda and Today’s Key Objectives
Today’s Key Objectives
• Foundation: Provide a foundation of understanding of what’s driving the regulatory change
• Roles: Understanding critical components impacted by regulatory change
• Enhance: Implementation effectiveness and overcoming challenges
• Application: Gain perspective on the implications driving regulatory change and how to apply and enhance existing frameworks to enhance organizational effectiveness
Agenda
• Drivers of Regulatory Change
• Understanding the Key Areas of Impact
• Key Challenges and Considerations in Leveraging Existing Frameworks
• Evolving your Structures to Mitigate Regulatory Compliance Risk
The Evolving Regulatory Environment
The Seeds of the Financial Crisis
A combination of actions and actors sowed the seeds for the financial crisis.
Contributors
• Banks
• Insurance companies
• Regulators
• Rating agencies
• The public
Seeds
• Sub-prime lending
• Financial engineering
• Leverage
• Interconnection
• Lack of oversight
• Weak risk management
Crisis
• Housing crash
• Correlation
• Credit crunch
• Liquidity freeze
• Market crash
• Bail-outs
Aftermath and Regulations
Many lessons were learned from the crisis and are embodied in the regulation coming out of it.
Lessons
• Not enough capital to absorb losses
• Unknown processes for risk and capital management
• Need to understand impact of adverse scenarios
Regulations
• ORSA
• CCAR and DFAST
• Recovery and Resolution Planning
• Capital and Liquidity
• Volcker rule
• FSOC
Aftermath
• Investment in regulatory compliance activities
• Enhanced disclosure requirements
• Increase in capital held
• MRAs and MRIAs
Stress Testing Regulation has Evolved
Timeline: 2008 to 2016
Financial Crisis
SCAP 2010
• 19 largest BHCs
CCAR 2011
• 19 BHCs
• Rigor around assessment
• Capital Plan requirement established
CCAR 2012
• 19 BHCs
• Supervisory estimates
Capital Plan Review (2012)
• 11 CapPR BHCs
• Capital Plan
• No disclosure
CCAR 2013
• 18 BHCs
• 2 objections
• Qualitative / quantitative
Capital Plan Review (2013)
• 11 CapPR BHCs
CCAR 2014
• 30 BHCs
• CapPR banks included in CCAR
• Incorporation of Basel III
• 5 objections
• 2 “re-dos”
CCAR 2015
• 31 BHCs
• Continued qualitative focus
• Objections TBD 3/11
CCAR 2016
• TBD BHCs
• Non-bank SIFIs
• Transitional arrangements for FBO IHC
• Advanced approaches calculations
• Timeline shift (April 5th)
Evolving Risks leading to Regulations, forcing change
Capital Management & Risk Management Process
Capital Management Framework
Supporting Risk Management Processes
Capital Management Process: Insurance Companies
Strategic Planning
• Commonly done at the business level and aggregated while taking into account Group level strategy
• Insurance product implications of stressed environment
Scenario Design
• Scenarios often focus on investment, insurance and operational risks
Financial and Loss Projections
• Risk models
• Actuarial models
• I/S and B/S linkage to macroeconomic environment
• 9 quarter projection
• Statutory and US GAAP
Aggregation and Capital Management
• Business level and risk owner results aggregated to develop Group results
• Basel I / II / III capital and liquidity
• NAIC Risk-Based Capital
• Internal capital
• Key subsidiary analysis
Capital Plan and Reporting
• External and internal stakeholders
• Capital Plan
• Data schedules
• Public disclosure
• ORSA
Federal Reserve Board Seven CAP Principles
FRB Seven Principles of an Effective Capital Adequacy Process
• Principle 1: Sound foundational risk management
• Principle 2: Effective loss-estimation methodologies
• Principle 3: Solid resource-estimation methodologies
• Principle 4: Sufficient capital adequacy impact assessment
• Principle 5: Comprehensive capital policy and capital planning
• Principle 6: Robust internal controls
• Principle 7: Effective governance
The Federal Reserve Board’s (“FRB”) seven Capital Adequacy Process (“CAP”) principles summarize the elements on which the Federal Reserve evaluates the robustness of a CCAR participant’s capital planning process.
Leading practices associated with these principles will evolve as new practice and data emerge.
Leveraging Existing Processes
• Current State: Evaluate what you have and what you still need
• Build Momentum: Engage the Business and Key Leaders
• Select a Risk Assessment Approach: Choose an approach that is appropriate to nature, scale and complexity
Evaluate the Maturity of the ERM Framework
• Utilize Best Practices - RIMS Risk Maturity Model (RMM)
• Evaluate key principles on an ongoing basis – start with a health check
• Define Risk Profile, Appetite and Tolerances
• Ensure integration and communication throughout the organization
Assess Risk Exposure
• Organize information into main risk categories or risk objectives
• Ensure documentation and rationale for risk exposures under both normal and stressed scenarios
• Conduct workshops to evaluate exposures
• Prioritize and align to strategy, decisions and capital allocation
• Measurement and alignment to capital allocation / compensation
Determine Internal Capital Assessment
• Relying on various models including internal and external models (RBC, BCAR, etc.)
• Review / utilize technology and software solutions (Igloo, MG-ALFA, etc.)
• Quantify necessary capital for different risks using various assumptions (stochastic and deterministic)
Alignment of Risk Culture
Risk Management Strategy drives: Policies, Procedures, Systems (Correct Treatment of Risk)
Organizational Culture drives: Behaviors, Practices, Values (Actual Treatment of Risk)
Alignment Activities
• Survey risk culture via a “Risk Health Check”
• Evaluate decision making (i.e. Risk Appetite), organizational integrity and ethical values
• Develop materials and hold education/risk awareness session(s)
• Facilitate follow-up sessions with key senior management
• Recommend “Risk Categories”
Enterprise Risk Governance & Policy
Various activities to be undertaken within each area of risk governance
ERM Roles and Responsibilities
• Business Units: Take & manage risks at a department level
• ERM Working Group: Identify, Measure, Aggregate, Monitor & Report
• Executive Risk Committee: Oversee execution of ERM ensuring consistency, approve rating of risks, and monitoring activities
• Board / Audit Committee: Set risk appetite, oversee the process, review critical risks
• Assurance / Internal Audit: Facilitate, review process, leverage, recommend improvements and controls
Governance Leading Practices
Three Lines of Defense
First Line: Business Units
• Own and manage day-to-day risk exposures
• Implement corrective action for process and control deficiencies
• Execute risk and control procedures
Second Line: Risk Management
• Assist in an advisory capacity to lines of business
• Assist in determining risk capital, risk appetite, strategies, policies and structures for managing risk
• Provide oversight, support, and management of risk decisions
Third Line: Internal Audit
• Provides assurance on the effectiveness of governance, risk management and internal controls
• Provide assurance on the effectiveness and efficiency of business processes
First Line: Business Units
• Operational Management
• Functions that own and manage risk
• Responsible for:
  – Creating a strong risk culture
  – Identification and assessment of risks and controls
  – Maintaining and executing effective internal controls
  – Develop / maintain internal policies & procedures
  – Adhering to front line risk limits
Second Line: Risk Management
• Function and/or Committee (e.g. Market Risk, Liquidity and Capital Committee)
  – Help build and/or monitor the first line-of-defense controls
  – Support management policies, defining roles and responsibilities, & setting goals for implementation
  – Provide risk management frameworks
  – Identify known and emerging risks
  – Assist management in developing processes and controls to manage risks and issues
  – Provide guidance and training on risk management processes
  – Facilitate and monitor implementation of effective risk management practices
Third Line: Internal Audit
• Independent/objective assurance of:
  – Effectiveness of governance, risk management, and internal controls
• Report to Senior Management and Board/Audit Committee:
  – Efficiency and effectiveness of operations
  – Reliability and integrity of reporting processes
  – Compliance with applicable laws, regulations, and policies & procedures
  – All elements of the risk management and internal control framework
    • Internal control environment
    • All elements of an organization’s risk management framework (i.e., risk identification, risk assessment, and response)
    • Information and communication
    • Monitoring
Review and Challenge Process
Capital Planning Step: Strategic Planning
Review & Challenge:
• BU Management – Review, challenge and approve initiatives from business leaders
• Corp. Risk / Finance – Review strategic plan projections and initiatives from BUs
• Senior Management – Review, challenge and approve BU and Corp. strategic plan. Challenge initiatives and assumptions in projections
• Board of Directors – Review, challenge and approve strategic plan
Key Outputs:
• BU strategic plans
• Company strategic plan
• Review & challenge reports
Capital Planning Step: Scenario Design
Review & Challenge:
• Corp. Risk / Finance – Review scenarios developed, challenge risk factors and assumptions and approve scenarios
• Senior Management – Review, challenge and approve scenarios used in capital planning
• Board of Directors – Review, challenge and approve scenarios used in capital planning
Key Outputs:
• Scenario instructions
• Review & challenge reports
Capital Planning Step: Financial & Loss Projections
Review & Challenge:
• BU Risk / Finance – Review and challenge BU financial and loss projections and management actions
• BU Management – Review, challenge and approve BU financial and loss projections and management actions
• Corp. Risk / Finance – Review and challenge BU and corporate financial and loss projections and management actions
Key Outputs:
• BU financial and loss projections
• Corporate financial and loss projections
• Review and challenge reports
Capital Planning Step: Aggregation & Capital Management
Review & Challenge:
• Corp. Risk / Finance – Review and challenge company financial and loss projections
• Senior Management – Review, challenge and approve company financial and loss projections and management actions
Key Outputs:
• Company financial and loss projections
• Management actions under all scenarios
• Review and challenge reports
Capital Planning Step: Capital Plan & Reporting
Review & Challenge:
• BU Management – Review Capital Plan
• Corp. Risk / Finance – Review Capital Plan
• Senior Management – Review, challenge and approve Capital Plan
• Board of Directors – Review, challenge and approve Capital Plan
Key Outputs:
• Capital plan
• Review and challenge reports
Review & Challenge Documentation
Review & Challenge Overview
Key Expectations:
• Documentation of participants of the review and challenge meeting
• Summary of the review and challenge process
• Scope of review
Common Weaknesses:
• Lack of detail in the key decision points and the included parties
• Limited scope of review
Review and Challenge Results
Key Expectations:
• Results of the review and challenge
• Key items challenged
• Documentation of any additional information requested
• Resolution and updates
Common Weaknesses:
• Inadequate challenge
• Lack of consistency in review and challenge expectations across the company
• Inadequate documentation of results
Remediation Planning & Follow-Up
Key Expectations:
• Remediation item descriptions
• Remediation item timelines and accountability
Common Weaknesses:
• Lack of remediation items
• Lack of accountability for executing remediation actions
Appendices
Key Expectations:
• Comprehensive documentation used to support review and challenge
• Meeting minutes
• Additional information
Common Weaknesses:
• Lack of consistency in appendix information
• Insufficient supporting documentation within appendices
Data Quality and Integrity
What’s Data?
• Facts and statistics collected together for reference or analysis
• Digital Data is any sequence of symbols given meaning by specific acts of interpretation. Digital Data is the quantities, characters, or symbols on which operations are performed by a computer, stored and recorded on magnetic, optical, or mechanical recording media, and transmitted in the form of electrical signals.
Data Quality vs. Integrity
• Data quality ensures clear understanding of the meaning, context, and intent of the data.
• The data integrity continuum includes how data is created, modified, combined, calculated, reported and retained.
Per the AHIAMA
Data Accuracy
[Figure: three panels labelled “Valid, Reliable”, “≠ Valid, Reliable” and “≠ Valid, ≠ Reliable”]
Data Life Cycle Management
Life Cycle: Define, Design, Capture, Protect, Integrate, Analyze/Retire
Summary
• These 7 key data quality dimensions should help guide decisions made with data and how it is handled
• It’s integral to understand the data lifecycle and data flow for any project and to capture the process flows accurately
• Data is now considered very sensitive at most engagements and within the firm.
• It is important to understand both customer and firm guidelines when you are working with data.
Model Risk
Simplifications of Reality
[Figure: Model/EUT Output and Actual Results]
What is a model?
“The term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates”
- SR 11-7 Supervisory Guidance
Model Characteristics
• Models are simplified representations of real world relationships
• The accuracy of a model is based on the correlation of the predicted event or output with the input variable(s)
• Development relies heavily on the experience and judgment of the developers
• Definition covers quantitative approaches whose inputs are wholly or partially qualitative
Modeling Risks and Limitations
• Inherent in the use of models is model risk. Model risk is usually the result of:
  – Insufficient testing prior to implementation
  – Inappropriate use of a given model or extrapolation
  – Lack of sufficient data to model a specific event or scenario
• Implied in the model’s calculation is the assumption that the current key business drivers and relationship between the input and predicted variables will continue to be true in the future
• Limitations in predictive abilities of models create the need for qualitative approaches or management overlay.
• Model risk increases as model complexity increases
• Managing model risk requires effective challenging of the models themselves
“All models have some degree of uncertainty and inaccuracy because they are by definition imperfect representations of reality. An important outcome of effective model development, implementation, and use is a banking organization’s demonstrated understanding of and accounting for such uncertainty”
- SR 11-7 Supervisory Guidance
End User Tools (EUT)
End User Tool Characteristics
• User tool tied to a desktop, or product, made up of simple logic/components.
• Developed and managed by the end user or a third party.
• Spreadsheet/database form.
• Utilize calculations, macros, scripts or coding.
• May be a complex spreadsheet with Excel add-ons.
• Testing and validation are limited
• Usually used for simple calculations, aggregations, or “rule-of-thumb” applications
Controls Surrounding EUTs
Controls
• “Maker Checker”
• Cell restrictions on tool to prevent changes to information/format
• Input controls
• Cross-checking
• Reconciliation
• Independent review of calculation tools
• Frequent assessment of tools use, intent, and reliability
• Passwords
• Access controls
• Change control
Documentation
• Documentation surrounding the usage and purpose of the EUT
• Instructions on how to modify EUT
• EUT inventory
Main Model Components
• Input: Delivers assumptions and data to the model
• Processing: Transforms inputs into estimates
• Reporting: Translates the estimates from the processing component into useful information
General Modeling Considerations
Foundational Elements
• Repeatable and transparent modeling process
• Supported by empirical evidence
• Able to produce credible estimates aligned to scenario
• Materiality of a given portfolio or activity
• Segment modeling based on risk characteristics (not necessarily by line of business or product type)
• Qualitative and quantitative projections are expected
Data
• Internal data where available, external data as appropriate
• Granular data to model characteristics of individual portfolio/asset class
Key Insurance Models
Critical Model Areas
Losses
• Actuarial models used to capture losses due to mortality/morbidity, catastrophe risk, risks due to guarantees and other product specific risks
• Business units will typically own models to calculate losses from insurance related risks
• Investment losses may be done centrally or within business units
Income Statement
• Non-Interest Income will be the core element for insurers
• Insurance specific P&L components including premiums, benefits and claims, amortization of DAC and policy fees
Balance Sheet
• Investment portfolio changes incorporate business unit reinvestment assumptions and policies
• Insurance specific balance sheet components including reinsurance assets, separate accounts assets and policy reserves
Model Documentation
Contribution to Model Risk Management
• Contribute to model validation activities by providing comprehensive information on the model
• Allow for the identification of model risk
• Contribute to business continuity through memorialization of model attributes
• Provides stakeholders information of the limitations and weaknesses of models
• Makes compliance with policy transparent
Key Documentation Elements
• Demographic information
• Executive summary
• Modeling data
• Modeling approach
• Modeling assumptions
• Model limitations
• Model estimation / development
• Implementation testing
• Technical specifications
• User guide
• Operational controls
• Model risk monitoring
• Change management
Supervisory Guidance
Supervisory Guidance on Model Risk Management – SR Letter 11-7
• Provided in 2011 but has received increased focus within the past two years
• Includes guidance for all aspects of model risk management
  – Model development, implementation and use
  – Model validation
  – Governance
  – Model risk management policy
  – Model Inventory
• Customization is expected
Model Risk Management Policy
Model risk management activities should be formalized through policies and procedures to ensure good governance practices.
The model risk management policy sets the protocol for model owners, users and validators to ensure alignment with supervisory guidance and expectation.
Key components include:
Model definitions
Model risk definitions
Assessment of model risks
Acceptable practices for model development, implementation, and use
Appropriate model validation activities
Governance and controls over the model risk management process
Model Inventory
General Guidelines
• Firm-wide inventory
• Model status
• Model variation
• Description should include
  – Model name and owner
  – Purpose
  – Products
  – Use restrictions
  – Type and source of inputs
  – Outputs and intended use
  – Last update and current status
  – Exceptions to policy
  – Validation status and dates
  – Timeframe for review and ongoing monitoring
• Risk assessment
Model Validation
All model components (input, processing, reporting) should be subject to validation
Both in-house and externally developed models should be validated
Rigor and sophistication should be commensurate with the use, complexity, and materiality of the model as well as the size and complexity of the organization’s operations
The Model Validation Process
Model Risk Identification
• Model owner walk through of model development, implementation and use
• Review model documentation
• Identify and document model risks for evaluation
  - Conceptual risk
  - Implementation risk
  - Input risk
  - Output risk
  - Reporting risk
Design Validation Test Plan
• Construct testing plan for model based on identified model risks
• Document the test procedures for each model risk
• Assign timelines and ownership for testing activities
Perform Validation Activities
• Perform validation procedures outlined in the testing plan
• Adjust test plan and add additional procedures as needed based on test results
• Ongoing dialogue between validation team and model owner to discuss observations
Document and Remediate Issues
• Responses to observations from model owner
• Document issues identified and devise remediation actions
• Assign accountabilities
Issue Report and Guidance
• Draft validation report and obtain sign-off from model owner and risk management
• Provide guidance and recommendations to model owner for model enhancement
Ongoing Communication
Common Model Risks
Conceptual Risk
The risk that the modeling concepts are not suitable for the purpose of the application.
Implementation Risk
There are two types of implementation risk:
• The risk that the wrong algorithms were chosen to implement the specified modeling concepts
• The risk that appropriate algorithms were chosen, but they contain coding errors and bugs.
Input Risk
The risk that the input parameters are inappropriate, incomplete, or inaccurate
Output Risk
The risk that the key figures and statistics that can be produced by the model do not support the business purpose or are too sensitive with respect to the provided input parameters.
Reporting Risk
The risk that the representation of the output for the business users is incomplete or misleading.
Conclusions
• Creating BAU processes based on risk mitigation can address both regulatory concerns & provide tangible business benefits.
• Important to get in front of potential regulations to evaluate impact and implement change
Questions and Contacts
Prashant Panavalli, CIA, ARM-E, AFE
Senior Manager, Risk Advisory Services
(201)957-2550
Prashant [email protected]
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Dixon Hughes Goodman LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2015 Dixon Hughes Goodman LLP. All rights reserved.