Tag Archives: risk management

Global developments in conduct risk management

Risks relating to conduct of business are attracting increased attention across financial services firms, prompted by the ever-increasing focus of regulators in this area. Senior managers are accountable for conduct risk failings, and accordingly a strong conduct risk framework is an important tool in protecting against such failings. Based on our experience of assisting clients in this area, conduct risk management is still evolving and firms face many challenges. This paper by Milliman’s Karl Murray and Eamonn Phelan looks at recent and ongoing developments from around the globe and discusses actions firms need to take in order to address the changing business and legislative environment with regards to consumer protection.

Milliman consultant speaking at Mortgage Bankers Association forum

Milliman consultant Madeline Johnson, CMB, will speak at the 2017 MBA Risk Management, QA and Fraud Prevention Forum this September in Miami, Florida. She is scheduled to speak at the session entitled “QC for Purchase Markets” on Monday, September 25.

The three-day forum will be held from September 24 to 26.

Judging the appropriateness of the Standard Formula under Solvency II

The Standard Formula (SF) aims to capture the risk that an average European (re)insurance company is exposed to. The SF may not be appropriate for all (re)insurance companies, but the majority of European insurers currently uses it. In this article, Milliman’s Steven Hooghwerff, Sinéad Clarke, and Roel van der Kamp provide a short overview of the SF’s structure. They also present a suggested framework and worked examples, and discuss challenges and pitfalls to be considered.

Capitalizing on your actuarial report

In this article, Milliman’s Richard Frese and Andy Hoffman offer organizations perspective concerning critical topics they should discuss with an actuary to enhance their insurance program, better manage liabilities, and maintain appropriate actuarial analysis for the needs of their program. The authors also discuss best practices when working with an actuary.

This article was published in The Risk Management Quarterly.

Spotlight on operational and reputational risk

Operational and reputational risks have become areas of greater focus in recent times. There have been so many high-profile operational risk events that it is clear how important operational risk management is for all companies—Anthem, Volkswagen, and UBS are just a few examples of companies that have suffered significant losses because of operational risk events. In addition, for every publicly reported incident there are sure to be a host of smaller cases, which have not been large enough to hit the headlines, and which, of course, can have a cumulative detrimental effect over time. There is also a somewhat invisible aspect to operational risk, given that the damage does not always affect physical assets. Information can be stolen through a cyber breach, agents can act in their own interests, fraudulent activity can happen, and all of these events can go undetected.

Operational risk can also contribute to other risks that undertakings face, particularly reputational risk—a risk we don’t always fully appreciate until the damage is done. There are many strategies and marketing campaigns aimed at ‘one brand’ and ‘one vision’ which show the value organisations place on their reputations. Yet reputational risk management is not always given the attention it deserves. It’s worth pausing for a moment to take a closer look at operational and reputational risk management.

Operational risk

The challenges of quantifying operational risk are numerous—they include the lack of data to properly calibrate models and there are also challenges in relation to the models themselves. For example, the major shortcomings of the Solvency II standard formula calculation of operational risk capital are highly topical at the moment. Under Solvency II, operational risk capital must be held as part of the company’s Pillar 1 capital requirements. Criticism of this factor-based calculation includes its failure to capture many relevant elements of a company’s risk profile, such as the operating model and the specific processes within the company.

Interestingly, the solvency regime in Switzerland (known as the ‘Swiss Solvency Test’) does not require operational risk capital to be held. Rather, operational risk is considered as part of the company’s risk management, therefore treating it as a Pillar 2, as opposed to a Pillar 1, issue. Earlier this year, the Basel Committee on Banking Supervision imposed an outright ban on operational risk internal models for banks, acknowledging the widely differing approaches and complex modelling of this risk within the industry. Whether or not such developments will flow over to the EU (re)insurance solvency regime remains to be seen, but regardless of where operational risk sits from a regulatory perspective it is nonetheless an area where there are increasingly sophisticated methods being used in companies’ own risk assessments, such as, for example, Bayesian Network modelling.

For those who may be unfamiliar with Bayesian Network modelling, it is a technique that is gaining more and more traction as companies continue to develop their understanding of their operational risk exposures. This technique aids the understanding of operational risk exposures through workshops with various experts within the business, in order to establish the key underlying drivers of operational exposure and the relationships between these drivers. They are often not obvious at first glance and tend to involve quite nonlinear relationships. Once these exposures are well understood, the company can focus its attention on managing and mitigating the risks.


Decentralized governance enhances risk management

Assessing organizational culture is an integral aspect of a company’s risk management framework. Most companies, though, contain diverse groups of experts who interact with one another daily, and each group has its own distinct subculture. According to Milliman consultant Neil Cantle, companies that adopt decentralized control structures, allowing experts to make local decisions based on the company’s risk tolerance, can become more resilient and successful.

Neil’s Raconteur article “Achieving resilience by harnessing people power” provides more perspective. Here’s an excerpt:

[Companies] are complex ecosystems where people go about their daily tasks, interacting with countless others inside and outside the company. In the real world, people are faced with situations every day that don’t quite match the process manual, and they will use their initiative and try to find a way through to a successful outcome. Their judgments will reflect their values, so the question is whether those values are consistent with the culture your board wants to see? …

…In a world such as this, the notion of control, therefore, requires modification. We can no longer deliver the outcome we want with certainty, but can only choose our next action. Of course, we would like to select an action that will help take the company towards a successful outcome, but we simply don’t know for sure which one that is. We have to retain flexibility and learning as core skills, with the certain knowledge that things around us will not always go to plan.

In fact, in situations of complexity, where the environment is dynamic and changing, a model of centralised control is far from optimal and often leads to unintended outcomes. The more appropriate approach to guiding progress here turns out to be empowering local experts to make localised decisions, with the proviso that they are aware of what is happening in the wider overall context.

Organising in this way, we need to empower our experts to make local decisions in the best interests of the whole, and are much more concerned about whether their attitudes and behaviours are consistent with what we would like. We are trusting them “to do the right thing” rather than directly controlling what they do. There will be some things we are so keen to avoid that we will implement very strict controls, making it hard to do the wrong thing, but we are largely going to be using our values to guide behaviours.

For more perspective on organizational culture and risk management, read “Cultural compass,” also written by Neil.