Risk Management by Insurers
Speech by Sarah Wilson, Director responsible for the Insurance Sector, FSA
Insurance Network's Annual Congress
30 November 2006
Thank you for inviting me to speak at your conference today. As the introductory statements in your programme say, this is an industry where the market dynamics are shifting rapidly; where risks are becoming increasingly more diverse; and where the business relationships that firms have to manage grow ever more complex. With this in mind, I would like to focus my remarks on the challenge of risk management - and, in particular, to share the findings of two recent pieces of thematic work conducted at the FSA. First - our review of risk management practices in insurers. And second, a further review of the management of conflicts of interest in general insurance intermediaries.
But before jumping into the detail, I should like to put this work in the context of our wider and emerging regulatory approach, and also to stand back and note some parallel themes that have emerged from these pieces of work.
Regulatory approach
By now, I expect you will be familiar with the FSA’s move to more principles based regulation. At its heart, this is about asking the senior management of firms to focus on outcomes, and then allowing them to choose the most cost-effective or innovative approach to getting there. Of course, significant numbers of rules will remain, but I hope the direction of travel is clear from our approach to a wide range of issues over time (e.g. corporate governance, individual capital requirements for insurers, and the Treating Customers Fairly initiative), and most recently from the revised sections of the Handbook relating to conduct of business for investments which have been published for consultation.
So, I would like to start by putting our work on risk management into this wider context.
First, there is of course an existing FSA Principle to which all work in this area can be related - namely the responsibility of firms' senior management to organise and control its affairs responsibly and effectively, with adequate risk management systems. We place great store by this - effective management will design a strategy and set up a system of corporate governance and controls that successfully identifies and manages the risks associated with that strategy. Much else follows – which is why for example, our risk assessment framework for firms weights a firm’s governance and controls highly. Our ability to rely on effective management is one of the strongest tools available to us in delivering our own statutory objectives, and there is less need for us to intervene where it exists.
Second, it is consistent with a more principles based approach that senior management should have the flexibility to design risk management systems commensurate with the size, complexity and risks of their business. This approach is certainly allowed for in our reporting of the findings of each of the thematic reviews that I will come to in a moment.
Third, the challenge always in a more principles based approach to regulation is to establish whether a firm has gone beyond the introduction of procedures and frameworks (important though those are) to actually using them actively to achieve the outcomes we seek. So, for example, in both of our reviews we found significant and encouraging progress by firms in developing their approaches to managing risks and conflicts of interest. This is clearly all to the good. But what is equally clear is that firms may have - quite reasonably - gone for the quick wins first. They are now presented with the significant challenge of progressing beyond the identification of risks or conflicts and the establishment of new management structures, to the effective management of risk in a meaningful way in their day-to-day business operations. In the terminology which we have developed for our Treating Customers Fairly initiative, we need to move from planning and implementing change to embedding it.
Risk Management in insurers - 2003 Review
With that as background, I should like to turn to each of the thematic reviews in more detail - starting with that on risk management practices in insurers. The detailed findings of this are being published today as the latest edition to our Insurance Sector Briefing series, and I would encourage you to find time to look at this.
We previously reviewed insurers' risk management practices in 2003. Then, I think it is fair to say, practices were largely underdeveloped. As a discipline, risk management was very much in its infancy in the insurance sector, and we noted five key areas of concern:
- many insurers appeared to treat the development of risk management practices largely as a compliance matter to meet our requirements, and not as a means to deliver more effective risk management;
- there was often no segregation between risk-controlling, risk identifying or risk analysing activities, even in some larger firms;
- a significant number of insurers had not defined their risk appetite clearly;
- management information did not always include analysis of risk and even when it did, there were shortcomings; and
- use of modelling as a risk and capital management tool was in its infancy.
It is clear that in the three years that have passed, management practices have evolved and standards raised in a number of these areas. Of course, since then, insurers have seen the introduction of the Integrated Prudential sourcebook, which incorporated the new ICAS regime, at the heart of which lies good risk management practice. But improvements also seem to have stemmed from firms' greater appreciation of the commercial benefits of good risk management practices. It is also pleasing to note that firms now appear to be moving away from the perception of risk management as a set of self-contained activities, carried out solely with the regulator in mind. This is indeed a welcome development and denotes not only a change in practice, but a critical step change in the mindset of firms' senior management.
Risk Management in insurers - 2006 Review
We announced a review of firms' progress in developing their risk management practices last November in our Sector Briefing on ICAS. This was partly because we wanted to determine the extent to which ICAS had brought about improvements in risk management practices. Our focus this time has been on the effectiveness of the processes that firms have in place rather than the form. We have again identified five areas that boards and senior management need to consider - areas where we think some of the most difficult challenges for firms still lie. These are:
- Governance and oversight;
- Risk appetite;
- Implementing risk management;
- Management information; and
- the impact of ICAS
I would now like to touch briefly on our findings on each of these.
Governance and oversight
Our principal finding was that firms have made marked progress in enhancing the scope and quality of their governance and oversight of risk management. We found, both in the review and in our wider supervision work, that commitment to risk management by boards and senior management was demonstrated through, for example, its being a factor in firms' business planning and performance reviews. Most broadly, we would include the structures that firms have established to identify gaps in their treatment of customers and put these right as further evidence on this point. Risk management is also commonly a regular agenda item at board meetings.
However, despite these welcome and encouraging developments a number of more difficult challenges remain. In our view, firms now need to move on from building the structural foundations of strong risk management. Many need a clearer vision of how they might develop their approaches to risk management, looking at the issue strategically in the overall context of where they want to take their business. A key component of this is the assessment of the effectiveness of risk management oversight, both at board and committee level. This may encompass regular reviews of board and indeed, senior management's, knowledge and skills, with a view to sustaining at least a minimum understanding of risk management processes. Addressing any such shortcomings can improve the effectiveness of the whole governance structure.
Risk appetite
Moving on to one of the most problematic areas we identified in the review: the definition and application of risk appetites. Very positively, our findings here revealed that most firms have now created statements of risk appetite, albeit in mainly monetary terms.
And while this represents real progress since 2003, for definitions of risk appetite to be used as a basis for decision making they need to go beyond just words on a page and instead be actively promoted to create a shared understanding and frame of reference throughout the firm. Compiling meaningful risk appetite statements appears to have posed significant challenges for a number of firms, particularly in relation to operational and strategic risks. So much so that we found only a few effective examples that were capable of being applied to the range of key decisions that firms would typically be taking.
Although clearly a challenge, the step between defining and applying a workable risk appetite is not an insurmountable one. Many of those firms who have managed to make the transition have got there through repeated reviews and refinements. We believe this is an area where the commercial benefits of doing it well may not yet be universally understood within the industry.
Implementing risk management
The third area that we highlight in the review is the implementation of risk management. This is closely linked with the effectiveness of governance and oversight arrangements, and is the area where we have seen the most progress - recognising of course that there is no single 'right' way for firms to operate their risk management frameworks.
Many firms have gone through a number of top down and bottom up risk assessments and have modified successive approaches based on their earlier experiences. In most cases the ownership of risk issues was clearly apportioned between local and group risk functions and there is increasing evidence of independent and objective challenge from functions such as internal audit.
But we also observed a number of shortcomings. Some risk functions, for example, appeared to focus disproportionately on certain risk types, particularly operational risk or, occasionally, insurance risk. There were also a number of examples where we found that risk functions were acting as mere aggregators of risk information both at local and group level. This may limit the reliance that senior management can place on the information produced by these functions.
Here the challenge is for a change of emphasis of these functions, to move away from simply coordinating information to playing a more strategic role in producing validated risk information which supports board and senior management decision making. For this to become a reality, the remit and effectiveness of these functions needs to be re-examined. Not only in terms of looking at how these functions are resourced but their interactions with the constituent parts of the organisation to ensure that the management of risk is seen as an integral part of business as usual.
Management Information
Management information (MI) is another area of real improvement since 2003 and we were encouraged to see examples where MI was actively being used in risk-based capital decision making. Indeed, we were pleased to see the number of firms who had reviewed their approaches to risk categorisation and reporting of loss data and risk exposures to better align with their risk-based capital work.
However, we were disappointed to find only limited progress in the reporting on risk exposures. We found examples of inconsistencies in the reporting of information, particularly in firms where the responsibility for different risk types was spread across different functions and reporting to the board was through different board committees with different memberships. You will be aware that there are similar challenges for firms in terms of creating MI to assess risks in treatment of customers. Weaknesses in risk MI may be indicative of other underlying shortcomings. For example, it may reflect poorly developed risk identification and capture processes.
Another area that has also been a cause of frequent concern is the identification and reporting of emerging and changing risks. Given the pace and scale of change in the insurance market it is increasingly important that firms maintain a deep understanding of the risks to which they are exposed. This is one area where we consider much more progress is needed, not least because of the implications of a forward looking, or going concern, approach to risk-based capital.
Impact of ICAS
The final area, before I move on to explore some of the findings from our conflicts of interest work, is the impact of ICAS on risk management practices.
As you are no doubt aware we committed to completing our review of firms' Individual Capital Assessments by the end of June 2007, and so far we are pleased with the progress firms have been making in developing their techniques for risk-based capital. In particular, we have been encouraged by the number of firms which now make more informed 'risk versus reward' decisions as a direct result of their risk-based capital work. During the review we saw a number of examples where risk-based capital work - with the more efficient use of capital being one of the main drivers – was providing the impetus for more informed risk taking.
More generally, a number of firms - at all points on the size spectrum - have commented on the positive impact that ICAS has had on improving the understanding of a firm's risk profile in the boardroom.
We were pleased to see that some firms are now beginning to consider how risk-based capital considerations can be integrated into wider decision making, not least for capital management and pricing of products. Such integration will become increasingly important as firms come to implement Solvency 2, particularly for those groups which are seeking to gain benefit from the diversity of their operations.
However, for this change to come about, capital assessments need to move beyond the realm of the actuarial department to include contributions from across the organisation. As I mentioned earlier, boards' and senior management's understanding is increasing, but we expect to see the over-reliance on actuaries diminish further as firms embed ICAS and other risk-based capital considerations into their day-to-day business operations.
Of course, we recognise the challenge this presents to a number of firms, in terms of skills required throughout the business. We do not expect each board member to be fully technically competent in all risk areas. But they should have a sufficient level of understanding of all key issues and processes to enable them to launch effective challenge. Indeed, reference to the Combined Code in its various formats, according to the nature of the firm - from a listed company to friendly society - supports this view.
Conflicts Management
I would now like to move on to our work on conflicts management - which is of course, a sub-set of risk management more broadly.
As you may know 12 months ago we announced in a Dear CEO letter our intention to undertake further work on the management of conflicts of interest by wholesale and retail intermediaries during 2006. This was a result of the very poor findings from our previous thematic review which suggested that firms had much more work to do to ensure they were able to identify and mitigate conflicts of interests more effectively.
The focus of our attention this time around was on the responsibilities of senior management in identifying conflicts. It also covered the approach firms took when reviewing conflicts, the performance of conflicts mitigation strategies and the policies and practices in place for compensation. In addition we examined how firms trained their staff on conflicts and how well conflicts management and mitigation was embedded in the firm's culture.
Overall we found that progress has been made by intermediaries, in both the wholesale and retail market, in developing approaches within their businesses to identify and manage conflicts of interest. This compares favourably with where we were 12 months ago.
We will be providing detailed feedback of our findings in the next General Insurance Newsletter - due to be published in the next couple of weeks - but for the purposes of today's session, I would like to draw your attention to the following high-level findings:
- Firstly, nearly all intermediaries in our sample had an appropriate understanding of what was meant by 'conflicts of interest' and were able to provide examples of potential conflicts that were relevant to their business.
- Secondly, most firms had a board approved conflicts of interest policy in place and had allocated responsibility to specific senior individuals for overseeing the identification and mitigation of conflicts.
- Thirdly, all firms had undertaken a review of their business to assess potential and actual conflicts.
- Fourthly, the majority of firms had documented and identified conflicts in a policy and/or supporting analysis detailing the mitigation strategies that were deployed.
- Finally, in almost all cases firms claimed to have proper escalation processes in place for reporting potential or actual conflicts.
However, despite these encouraging developments there is more to be done. Almost all firms stated that they had proper escalation processes in place for reporting potential or actual conflicts. However, this was not always formally documented and did not always specify the level (be it the Board or a sub-committee) to which conflicts should be reported. At the same time, although the majority of firms had or were in the process of communicating their conflicts of interest policies to staff, only a minority had formal mandatory training in place. So there is a real risk that some employees may not be sufficiently alert to potential or actual conflicts to ensure that appropriate escalation or mitigation is carried out. And we found only a few examples where material conflicts had been notified to the board or the sub-committee to which responsibility had been delegated.
Similar to our findings on risk management, there is significant scope for improvement in the Management Information that firms have to enable them to recognise and mitigate conflicts.
Most importantly though, much of the change in this area is recent - senior management need to work hard to ensure that the procedural changes now introduced are used as a part of day-to-day business and that real cultural change results.
Conclusion
In conclusion, I should like to return to one of my opening remarks - 'effective management will design a strategy and set up a system of corporate governance and controls that successfully identifies and manages the risks associated with that strategy'. I am quite sure this is not controversial. Equally, it is our experience that management vary both in the breadth of their thinking when considering risks, and in the quality of controls they establish. We are pleased that insurers and intermediaries alike have developed their practices in the recent past, and would encourage senior management to ensure that those reformed practices lead to on-going changes to day-to-day business.

