Risk management changes crystallise

In this edition
>> Summary – key changes from GPS 220
>> Background
>> Why the changes?
>> Our assessment
>> What’s in a RMF?
>> APRA’s broader risk management focus
>> Commercial benefits?
>> Taking action now
>> Three Lines of Defence (3LOD) – what’s it about?

Risk management changes crystallise

In January 2014 APRA finalised its cross-industry prudential standards CPS 220 Risk Management and CPS 510 Governance. These take effect 1 January 2015.

APRA has the clear intention of improving risk management practice with the changes to its requirements, and in our view they will do so. However, the new requirements – which are more prescriptive than the existing standards – may offer marginal benefit for some general insurers, taking into account the extra effort and investment required.

In this d’finitive we summarise the changes in APRA’s risk management requirements, as well as the next steps for insurers.

d’finitive®

Keeping you informed. FEBRUARY 2014

[ APRA regulation ]

www.finity.com.au

Sydney +61 2 8252 3300 Auckland +64 9 363 2894 Melbourne +61 3 8080 0900 Wellington +64 4 460 5213

The up-shot

APRA has fine-tuned some of the requirements of the draft standards – and has clarified interpretations via CPG 220 – but little has changed from what was proposed in May 2013.

It is time for implementation.

Some insurers – including branches and groups – will want to ask APRA to grant variations from the standards. Those insurers will need to prepare well thought-out cases, soon.


Summary – key changes from GPS 220


Designated Chief Risk Officer (CRO)

• Each insurer – and group – must have a CRO with no conflicting front line business responsibilities.

• The CRO reports directly to the CEO with direct access to the Board Risk Committee.

• The CRO cannot be the CEO, CFO, Appointed Actuary or Head of Internal Audit.

CRO alternatives

An insurer may apply for an alternative to the designated CRO requirement, if this is inappropriate to its circumstances.

Group CROs

A group CRO may be the designated CRO for an insurer within the group structure. This includes an Australian branch with a group CRO.

Separate Board Risk Committee

The Board Audit Committee and Board Risk Committee must be separate.

Other stricter requirements

Examples include:

• Board Risk Declaration to APRA

• Explicit expectations for the risk MIS.

Loss of some GI-specific material

The definition of material risks now:

• Downplays some GI risks

• Emphasises other risks which are more important in life insurance and banking.

Finity has published a more detailed comparison of GPS 220 and CPS 220.

Background

Risk management is vital to any organisation that aims to have a profitable and sustainable future. Good risk management results in better business decisions, while protecting the interests of stakeholders (particularly policyholders). APRA requires each regulated institution to have a Risk Management Framework (RMF) that is appropriate for its circumstances.

Prudential Standards

The final versions of CPS 220 Risk Management (replacing the current GPS 220) and CPS 510 Governance follow the release of drafts in May 2013. Despite extensive industry consultation since that date, and objections in many submissions to elements of the proposed package, few changes were made in the final standards.

The final version of CPS 510 makes only one material change from the standard that currently applies: the need for separate Board Audit and Board Risk Committees. The other changes we discuss in this newsletter relate to CPS 220.


Lines of defence

Many in the GI industry object to APRA’s requirement for a designated CRO. The requirement is based on the ‘three lines of defence’ (3LOD) model of risk management. Elsewhere in this newsletter we discuss the 3LOD model and its application to general insurers. This is intended to help insurers as they plan to meet the new requirements and discuss their plans with APRA.

CRO – options for groups

A Level 1 insurer CRO may report to a Level 2 or Level 3 Group CRO, if that Group CRO reports to the Group CEO and the Level 1 insurer’s Board can demonstrate that the Group CRO meets the Level 1 insurer’s risk management requirements.

CRO – options for branches

An Australian branch insurer may use the regional or home office CRO to fulfil its CRO requirement, provided this CRO has active oversight of the insurer and sufficient interaction with local management. The CRO should have ‘regular and clear’ access to the Senior Officer Outside Australia.

Prudential Practice Guide CPG 220

APRA has also released for consultation a draft Prudential Practice Guide CPG 220 Risk Management. CPG 220 provides insight into how APRA will interpret CPS 220 – including how groups and branches might meet the CRO requirements in practice. Submissions on CPG 220 are due by 28 March 2014.

Why the changes?

The response paper which accompanies the final standards sets out APRA’s reasons for the changes:

>> Consistency in risk management standards across industries – life and general insurance, and banking – as well as a common approach across all supervised bodies (Level 1 insurers, and Level 2 and 3 groups).

>> APRA has higher expectations relating to risk management in the wake of the global financial crisis.

Our assessment

We are supportive of APRA’s intentions, and in particular we believe that:

>> The increased focus on risk management is healthy

>> The consistency of approach across groups and conglomerates is a positive.

However we have concerns about some areas of the new requirements:

>> The standards are prescriptive, shifting from APRA’s espoused principles-based approach

>> The requirement for a designated CRO is a ‘one size fits all’ approach, which does not take account of the circumstances of each insurer

>> For some insurers, particularly those that will need to recruit a CRO, the cost of implementing the reforms will be material relative to the expected benefits

>> Useful GI-specific material has been de-emphasised, compared to the existing standard for general insurers (GPS 220). For instance, insurance concentration and asset-liability mismatch risks receive less focus.

Irrespective of our and others’ views, the standards are final and insurers must turn their attention to complying with the new obligations. Insurers may, however, be able to influence APRA’s interpretation of CPS 220 by making submissions on CPG 220.


APRA’s broader risk management focus

The new standards continue APRA’s recent stronger focus on risk management and governance, which has involved:

>> LAGIC – increasing the risk sensitivity of APRA’s capital charges

>> ICAAP – forging stronger links between risk and capital management

>> More explicit requirements of insurer risk appetite statements

>> Working with the Actuaries Institute to strengthen risk management reviews in Financial Condition Reports

>> Higher expectations of risk management around catastrophe exposures and related reinsurance cover

>> A greater focus on risk governance and risk culture.

Some of these initiatives have been implemented, while others are works in progress.


What’s in a RMF?

We are often asked this by people who are new to risk management. Just for fun, we have illustrated the key elements by comparing running an insurer to a commercial flight. The term RMF refers to all of these elements and their interactions.

RMF ELEMENTS – INSURER VS COMMERCIAL FLIGHT

On the plane | At the insurer | The role

People
Pilot | CEO | Has operational control and risk-taking responsibilities.
Flight engineer | CRO | Monitors and ensures crucial systems are working.
Crew – on plane and off | Frontline staff | People at the coalface!
Air traffic controller | Board | No operational control – but oversees the risk-takers.

Plans & policies
Airline’s plan – selected routes (some are riskier), timetable, passenger loads, pricing… | Business plan – lines of business, projected premiums, pricing… | Defines the direction and strategy.
Airline’s risk guidelines | Risk appetite | Describes what may be done in specific circumstances – and what risks are unacceptable.
Operating manuals | Risk policies – the RMS is the key one | Sets out the company’s rules.
Roles, responsibilities and reporting lines for air traffic control, flight deck and cabin crew | Governance – roles and responsibilities for Board and managers | Clear responsibilities, and defined communication lines.
Risk register | Risk register | Summarises the range of risks and their potential impact.
Contingency plans for poor weather, terrorist attack etc. | Business continuity plan | The plan for when things go wrong.

Actions
Meeting CASA requirements | Complying with APRA’s regulations | Operating within the regulator’s rules.
Periodic airworthiness checks | Audit | Confirms that things are happening as they should.
Security screening, seat belts, etc. | Risk controls | Mitigate/minimise risks and their impact.
Communication between air traffic control, flight deck, and crew | Reporting and information flows | Keeps everyone up to date.
Staff attitudes to safety, reporting of incidents | Risk culture – similar ideas | How frontline staff deal with risk.
Black box recorder | Risk and incident log | Record of what’s gone wrong – including near misses.


Commercial benefits?

Some insurers will treat the new standards as compliance, aiming to do the minimum required. We think that responding to the latest changes ‘in the spirit’, alongside other improvements in risk management consistent with APRA’s direction in recent years, could have commercial benefits for insurers:

>> Improved resilience to internal and external shocks – so management does less fire-fighting

>> Improved communication and information flows – supporting better decision making and competitive advantage

>> Reduced volatility of results – through better identification, understanding, assessment and treatment of risks (potentially by segment). May need less capital and improve the stability of earnings

>> Better risk-return profile.


Taking action now

Early planning and preparation will be crucial to complying with the new requirements with minimal business disruption. Each insurer should review its RMF now and develop its approach; any changes should be proportionate. As the new standards take effect on 1 January 2015, responding must be a priority for 2014. The insurer’s Board must approve the plan.

Any insurer that plans to ask APRA for a variation from the standards will need sound arguments. The insurer may choose to discuss its approach with its APRA supervisor to confirm that the plans are appropriate – particularly if seeking alternative arrangements to the designated CRO requirement.

Ultimately insurers should aspire to have a RMF which helps them make better business decisions.


WHAT INSURERS NEED TO DO

1. Current situation: Insurer currently has a joint Board Risk and Audit Committee
   Plan: Insurer will separate the committees
   Actions needed / comments: Should be a straightforward change.
   • The same directors may sit on both committees, provided governance structures are separate.
   • Different chairs may be appointed.
   • Roles, reporting lines and risk reports may need to change.

2. Current situation: Insurer currently has a joint Board Risk and Audit Committee
   Plan: Insurer wishes to keep combined committee
   Actions needed / comments: Seek exemption from the requirement for separate committees. APRA has not mentioned this as an option, so the case will need to be well argued.

3. Current situation: Insurer currently has a ‘dual hat’ CRO with business responsibilities
   Plan: Insurer separates CRO from other responsibilities
   Actions needed / comments: Give CRO’s other responsibilities to other staff, or consultants, OR the incumbent retains other roles and a new CRO is appointed.
   • Will require changes to organisational structure
   • May need to recruit or train staff.

4. Current situation: Insurer currently has a ‘dual hat’ CRO with business responsibilities
   Plan: No change
   Actions needed / comments: Seek exemption from APRA.
   • Will need to demonstrate there are material constraints to appointing a ‘one hat’ CRO (possibly refer to 3LOD model)
   • Will need a back-up plan where CRO’s responsibilities are separated.

5. Current situation: Branch with no local CRO
   Plan: Use group CRO
   Actions needed / comments: Clear this with APRA. Will need to satisfy APRA that group CRO is close enough to branch (see ‘CRO – options for branches’ box).

Three Lines of Defence (3LOD) – what’s it about?

The 3LOD concept came from the internal audit profession, and has been used by a range of financial regulators. Appendix A of draft CPG 220 sets out APRA’s interpretation of 3LOD in a cross-industry context, and we summarise this in the table below. The table also shows our interpretation of the model’s application in general insurance – which differs from APRA’s in some areas.


Line of defence: First line
Characteristics: Embedded, part of the business, its controls and processes
Description: Areas taking decisions which determine the insurer’s risk profile. General insurance examples include pricing, underwriting, claims management, investment management, reinsurance and strategy setting.
APRA and Finity interpretations:
• APRA categorises the Appointed Actuary (AA) role as first LOD.
• We agree for life insurance, where the actuary approves pricing.
• We agree when general insurance AAs have first line responsibilities (e.g. pricing or reinsurance).
• In our opinion the main statutory responsibilities of a general insurance AA (the liability valuation and FCR) are second line.

Line of defence: Second line
Characteristics: Engaged, monitoring, coaching, assisting, reporting
Description: Internal functions independent of business units which routinely (nearly continuously) review initiatives and implications for the risk profile.
APRA and Finity interpretations:
• APRA’s model appears to view the risk management function as the only role in the second line.
• We would add some parts of the general insurance AA role (see first line above), some finance responsibilities, specific reviews (e.g. underwriting and claims peer reviews) and some external reviews (e.g. asset consultants, reinsurance broker modelling).

Line of defence: Third line
Characteristics: Independent, reviewing, assurance
Description: Strictly independent, more process oriented and not a continuous review. Advises on the effectiveness of other lines.
APRA and Finity interpretations:
• APRA focuses on internal audit and 3rd party assurance.
• We agree that most specialised external reviews belong in this line.

Our commentary

The effectiveness of the risk management function will increase if it is:

>> Engaged with the insurer’s many business areas and functions

>> Supported by specialist functions in the company, such as finance, actuarial and HR.

This means:

>> Several of an insurer’s ‘operationally independent’ managers could serve as CRO if potential conflicts are identified and managed or mitigated.

>> Many of APRA’s general insurance requirements already contribute to the second and third lines of defence. Examples are actuarial, finance and various independent reviews (e.g. review of the ICAAP).

A more detailed description of the 3LOD model applied to general insurance was included in our 2013 APRA submission on the draft CPS 220. You can find this on the Finity website.


Finity & Risk Management

Finity is one of Australia and New Zealand’s leading actuarial and management consulting firms, specialising in general and health insurance. Our expertise in insurance is highly regarded and has been developed by working with the industry since the early 1980s.

Finity’s focus is not solely actuarial. We have 12 staff with experience, training and qualifications in the broader areas of financial and operational risk management. We have assisted our clients with independent risk management framework reviews, risk analyses, risk appetite statements, Board risk workshops, and risk culture assessments. We have also provided risk management training. Our work has a commercial, pragmatic focus, drawing on our extensive experience.

If you have any questions relating to risk management, please contact one of our consultants.

Contacts

Steve Curley [email protected] 61 2 8252 3326

Brett Riley [email protected] 61 2 8252 3382

Jacob Mamutil [email protected] 61 2 8252 3318

Watch for news of our inaugural CRO Forum – coming soon!

Finity Consulting Pty Limited ABN 89 111 470 270

Australia & New Zealand Insurance Industry Award ‘Service Provider of the Year’ 2006, 2007, 2008, 2009 and 2011. Australian Insurance Industry Awards – Inaugural Inductee into the Hall of Fame 2012.

Australia

Sydney

Tel +61 2 8252 3300 Level 7, 155 George St The Rocks, NSW 2000

Melbourne

Tel +61 3 8080 0900 Level 3, 30 Collins Street Melbourne, VIC 3000

New Zealand

Auckland

Tel +64 9 363 2894 Level 27, 188 Quay St Auckland 1010

Wellington

Tel +64 4 460 5213 Level 16, 157 Lambton Quay Wellington 6140


This newsletter is based on Finity’s current understanding of APRA’s standards and expectations. It does not constitute either actuarial or investment advice. While Finity has taken reasonable care in compiling the information presented, Finity does not warrant that the information is correct. We refer the reader to the response paper, prudential standards and draft prudential practice guide on APRA’s website (www.apra.gov.au) for further detail.

Copyright © 2014 Finity Consulting Pty Limited.

Contact the author

Brett Riley, Sydney Office, Tel +61 2 8252 [email protected]