leveraging existing processes to address regulatory change 1215... · leveraging existing processes...

1Risk Advisory

Leveraging Existing Processes to address Regulatory ChangeDecember 11, 2015

2Risk Advisory

Agenda and Today’s Key Objectives

3Risk Advisory

Today’s Key Objectives

Foundation Provide a foundation of understanding of what’s driving the regulatory change

Roles Understanding Critical Components impacted by regulatory change

Enhance Implementation effectiveness and overcoming challenges

ApplicationGain perspective on the implications driving regulatory change and how to apply and enhance existing frameworks to enhance organizational effectiveness

4Risk Advisory

Agenda

• Drivers of Regulatory Change• Understanding the Key Areas of Impact• Key Challenges and Considerations in

leveraging Existing Frameworks • Evolving your Structures to mitigate

Regulatory Compliance Risk

5Risk Advisory

The Evolving Regulatory Environment

6Risk Advisory

The Seeds of the Financial Crisis

A combination of actions and actors sewed the seeds for the financial crisis.

• Banks• Insurance companies• Regulators• Rating agencies• The public

Contributors

• Sub-prime lending• Financial engineering• Leverage• Interconnection• Lack of oversight• Weak risk management

Seeds

• Housing crash• Correlation• Credit crunch• Liquidity freeze• Market crash• Bail-outs

Crisis

7Risk Advisory

Aftermath and Regulations

Many lessons were learned from the crisis and are embodied in the regulation coming out of it.

• Not enough capital to absorb losses

• Unknown processes for risk and capital management

• Need to understand impact of adverse scenarios

Lessons

• ORSA• CCAR and DFAST• Recovery and

Resolution Planning• Capital and Liquidity• Volker rule• FSOC

Regulations• Investment in

regulatory compliance activities

• Enhanced disclosure requirements

• Increase in capital held• MRAs and MRIAs

Aftermath

8Risk Advisory

Stress Testing Regulation has Evolved

2008 2009 2010 2011 2012 2013 2014 2015

CCAR 2011• 19 BHCs• Rigor around

assessment• Capital Plan

requirementestablished

SCAP 2010• 19 largest BHCs

Financial Crisis

CCAR 2013• 18 BHCs• 2 objections• Qualitative /

quantitativeCapital Plan Review• 11 CapPR

BHCs

CCAR 2014• 30 BHCs• CapPR banks

included in CCAR

• Incorporation of Basel III

• 5 objections• 2 “re-dos”

CCAR 2015• 31 BHCs• Continued

qualitative focus

• Objections TBD 3/11

CCAR 2012• 19 BHCs• Supervisory

estimatesCapital Plan Review• 11 CapPR

BHCs • Capital Plan• No disclosure

2016

CCAR 2016• TBD BHCS• Non-bank SIFIs• Transitional

arrangements for FBO IHC

• Advanced approaches calculations

• Timeline shift (April 5th)

9Risk Advisory

Evolving Risks leading to Regulations, forcing change

10Risk Advisory

Capital Management &Risk Management Process

11Risk Advisory

Capital Management Framework

12Risk Advisory

Supporting Risk Management Processes

13Risk Advisory

Capital Management ProcessInsurance Companies

Capi

talM

anag

emen

t

Strategic Planning• Commonly done at the business level and aggregated while taking into

account Group level strategy• Insurance product implications of stressed environment

Scenario Design • Scenarios often focus on investment, insurance and operational risks

Financial and Loss Projections

• Risk models• Actuarial models• I/S and B/S linkage to macroeconomic environment• 9 quarter projection• Statutory and US GAAP

Aggregation and Capital Management

• Business level and risk owner results aggregated to develop Group results

• Basel I / II / III capital and liquidity• NAIC Risk-Based Capital• Internal capital• Key subsidiary analysis

Capital Plan and Reporting

• External and internal stakeholders• Capital Plan• Data schedules• Public disclosure• ORSA

14Risk Advisory

Federal Reserve Board Seven CAP Principles

Principle 1Sound

foundational risk

management Principle 2Effective loss–

estimation methodologies

Principle 3Solid resource-

estimation methodologies

Principle 4Sufficient

capital adequacy

impact assessment

Principle 5Comprehensive

capital policy and capital planning

Principle 6Robust internal

controls

Principle 7Effective

governance

FRB Seven Principles of an Effective Capital

Adequacy Process

The Federal Reserve Board’s (“FRB”) seven Capital Adequacy Process (“CAP”) principlessummarize the elements on which the Federal Reserve evaluates the robustness of a CCAR participant’s capital planning process.

Leading practices associated with these principles will evolve as new practice and data emerges.

15Risk Advisory

Leveraging Existing Processes

Current State

Evaluate what you have and what you still need

Build Momentum

Engage the Business and Key Leaders

Select a Risk

Assessment Approach

Choose an approach that is appropriate to nature, scale and complexity

16Risk Advisory

Leveraging Existing Processes

• Utilize Best Practices - RIMS Risk Maturity Model (RMM)• Evaluate key principles on an ongoing basis – start with a health check• Define Risk Profile, Appetite and Tolerances• Ensure integration and communication throughout the organization

Evaluate the Maturity of the ERM Framework

• Organize information into main risk categories or risk objectives• Ensure documentation and rationale for risk exposures under both normal and

stressed scenarios• Conduct workshops to evaluate exposures• Prioritize and align to strategy, decisions and capital allocation• Measurement and alignment to capital allocation / compensation

Assess Risk Exposure

• Relying on various models including internal and external models (RBC, BCAR, etc…)• Review / utilize technology and software solutions (Igloo, MG-ALFA, etc…)• Quantify necessary capital for different risks using various assumptions (stochastic

and deterministic)

Determine internal capital assessment

17Risk Advisory

Alignment of Risk Culture

Risk ManagementStrategy drives:

Organizational Culture drives:

Policies

Procedures

Systems

Correct Treatment of Risk

Actual Treatment of Risk

Behaviors

Practices

Values

• Survey risk culture via a “Risk Health Check”

• Evaluate decision making (i.e. Risk Appetite), organizational integrity and ethical values

• Develop materials and hold education/risk awareness session(s)

• Facilitate follow-up sessions with key senior management

• Recommend “Risk Categories”

Alignment Activities

Procedures

Systems

18Risk Advisory

Enterprise Risk Governance & Policy

Various activities to be undertaken within each area of risk governance

Business Units

Take & Manage risks at a

department level

ERMWorking Group

Identify, Measure, Aggregate,

Monitor & Report

ExecutiveRisk

Committee

Oversee execution of ERM ensuring

consistency, approve rating of

risks, and monitoring

activities

Board / Audit Committee

Set risk appetite, oversee the

process, review critical risks

Assurance / Internal Audit

Facilitate, review process, leverage,

recommend improvements and controls

ERM Roles and Responsibilities

ERMWorking Group

Identify, Measure, Aggregate,

Monitor & Report

ExecutiveRisk

Committee

Oversee execution of ERM ensuring

consistency, approve rating of

risks, and monitoring

activities

Board / Audit Committee

Set risk appetite, oversee the

process, review critical risks

Assurance / Internal Audit

Facilitate, review process, leverage,

recommend improvements and controls

19Risk Advisory

Governance Leading Practices

20Risk Advisory

Three Lines of Defense

First Line: Business Units

• Own and manage day-to-day risk exposures

• Implement corrective action for process and control deficiencies

• Execute risk and control procedures

Second Line: Risk Management

• Assist in an advisory capacity to lines of business

• Assist in determining risk capital, risk appetite, strategies, policies and structures for managing risk

• Provide oversight, support, and management of risk decisions

Third Line: Internal Audit

• Provides assurance on the effectiveness of governance, risk management and internal controls

• Provide assurance on the effectiveness and efficiency of business processes

21Risk Advisory


Business Units• Operational Management• Functions that own and manage risk• Responsible for:

– Creating a strong risk culture– Identification and assessment of risks and controls– Maintaining and executing effective internal controls– Develop / maintain internal policies & procedures– Adhering to front line risk limits


Second Line: Risk

Management


22Risk Advisory


Risk Management• Function and/or Committee (e.g. Market Risk, Liquidity and Capital Committee)

– Help build and/or monitor the first line-of-defense controls– Support management policies, defining roles and responsibilities, & setting goals

for implementation– Provide risk management frameworks– Identify known and emerging risks– Assist management in developing processes and controls to manage risks and

issues– Provide guidance and training on risk management processes– Facilitate and monitor implementation of effective risk management practices


Second Line: Risk

Management


23Risk Advisory


Internal Audit• Independent/objective assurance of:

– Effectiveness of governance, risk management, and internal controls• Report to Senior Management and Board/Audit Committee:

– Efficiency and effectiveness of operations– Reliability and integrity of reporting processes– Compliance with applicable laws, regulations, and policies & procedures– All elements of the risk management and internal control framework

• Internal control environment• All elements of an organization’s risk management framework (i.e., risk

identification, risk assessment, and response)• Information and communication • Monitoring


Second Line: Risk

Management


24Risk Advisory

Review and Challenge Process

Capital Planning Step Review & Challenge Key Outputs

StrategicPlanning

• BU Management – Review, challenge and approve initiatives from business leaders

• Corp. Risk / Finance – Review strategic plan projections and initiatives from BUs

• Senior Management – Review, challenge and approve BU and Corp. strategic plan. Challenge initiatives and assumptions in projections

• Board of Directors – Review, challenge and approve strategic plan

• BU strategic plans

• Company strategic plan

• Review &challenge reports

Scenario Design

• Corp. Risk / Finance– Review scenarios developed, challenge risk factors and assumptions and approve scenarios

• Senior Management – Review, challenge and approve scenarios used in capital planning

• Board of Directors – Review, challenge and approve scenarios used in capital planning

• Scenario instructions

• Review & challenge reports

25Risk Advisory



Financial & Loss Projections

• BU Risk / Finance – Review and challenge BU financial and loss projections and management actions

• BU Management– Review, challenge and approve BU financial and loss projections and management actions

• Corp. Risk / Finance – Review and challenge BU and corporate financial and loss projections and management actions

• BU financialand loss projections

• Corporate financial and loss projections

• Review and challenge reports

Aggregation & Capital Management

• Corp. Risk / Finance – Review and challenge company financial and loss projections

• Senior Management – Review, challenge and approve company financial and loss projections and management actions

• Company financial and loss projections

• Management actions under all scenarios

• Review and challenge reports

26Risk Advisory



Capital Plan & Reporting

• BU Management – Review Capital Plan• Corp. Risk / Finance – Review Capital Plan• Senior Management – Review, challenge and

approve Capital Plan• Board of Directors – Review, challenge and

approve Capital Plan

• Capital plan• Review and

challenge reports

27Risk Advisory

Review & Challenge Documentation

Key Expectations Common Weaknesses

Review & Challenge Overview

• Documentation of participants of the review and challenge meeting

• Summary of the review and challenge process

• Scope of review

• Lack of detail in the key decision points and the included parties

• Limited scope of review

Review and ChallengeResults

• Results of the review and challenge

• Key items challenged

• Documentation of any additional information requested

• Resolution and updates

• Inadequate challenge

• Lack of consistency in review and challenge expectations acrossthe company

• Inadequate documentation of results

Remediation Planning & Follow-Up

• Remediation item descriptions

• Remediation item timelines and accountability

• Lack of remediation items

• Lack of accountability for executing remediation actions

Appendices

• Comprehensive documentation used to support review and challenge

• Meeting minutes

• Additional information

• Lack of consistency in appendix information

• Insufficient supporting documentation within appendices

28Risk Advisory

Data Quality and Integrity

29Risk Advisory

What’s Data?• Facts and statistics collected together for reference or analysis • Digital Data is any sequence of symbols given meaning by specific

acts of interpretation. Digital Data is the quantities, characters, or symbols on which operations are performed by a computer, stored and recorded on magnetic, optical, or mechanical recording media, and transmitted in the form of electrical signals.

30Risk Advisory

Data Quality vs. Integrity

• Data quality ensures clear understanding of the meaning, context, and intent of the data.

• the data integrity continuum includes how data is created, modified, combined, calculated, reported and retained.

Per the AHIAMA

31Risk Advisory

X X X X

X XX

X X

XXX XXXXXXX XXX

XXXXXXX

ValidReliable

≠ Valid Reliable

≠ Valid≠ Reliable

Slide 6 of 18

Data Accuracy

32Risk Advisory

Data Life Cycle Management

Life Cycle

Define

Design

Capture

Protect

Integrate

Analyze/Retire

33Risk Advisory

Summary

• These 7 key data quality dimensions should help guide decisions made with data and how it is handled

• It’s integral to understand the data lifecycle and data flow for any project and to capture the process flows accurately

• Data is now considered very sensitive at most engagements and within the firm.

• It is important to understand both customer and firm guidelines when you are working with data.

34Risk Advisory

Model Risk

35Risk Advisory

Simplifications of Reality

Model/EUT Output Actual Results

36Risk Advisory

What is a model?

“The term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates”

- SR 11-7 Supervisory Guidance

Model Characteristics

• Models are simplified representations of real world relationships• The accuracy of a model is based on the correlation of the

predicted event or output with the input variable(s)• Development relies heavily on the experience and judgment of the

developers• Definition covers quantitative approaches whose inputs are wholly

or partially qualitative

37Risk Advisory

Modeling Risks and Limitations

• Inherent in the use of models is model risk. Model risk is usually the result of:

• Insufficient testing prior to implementation

• Inappropriate use of a given model or extrapolation

• Lack of sufficient data to model a specific event or scenario

• Implied in the models calculation is the assumption that the current key business drivers and relationship between the input and predicted variables will continue to be true in the future

• Limitations in predictive abilities of models create the need for qualitative approaches or management overlay.

• Model risk increases as model complexity increases• Managing model risk requires effective challenging of the models themselves

“All models have some degree of uncertainty and inaccuracy because they are by definition imperfect representations of reality. An important outcome of effective model development, implementation, and use is a banking organizations demonstrated understanding of and accounting for such uncertainty”- SR 11-7 Supervisory Guidance

38Risk Advisory

End User Tools (EUT)

End User Tool Characteristics

• User tool tied to a desktop, or product, made up of simple logic/components.• Developed and managed by the end user or a third party.• Spreadsheet/database form.• Utilize calculations, macros, scripts or coding. • May be a complex spreadsheet with excel add-ons. • Testing and validation are limited• Usually used for simple calculations, aggregations, or “rule-of-thumb”

applications

39Risk Advisory

Controls Surrounding EUTs

End User Tools

Controls Documentation

• “Maker Checker”• Cell restrictions on tool to prevent changes to

information/format• Input controls• Cross – Checking• Reconciliation• Independent review of calculation tools • Frequent assessment of tools use, intent, and

reliability• Passwords• Access controls• Change control

• Documentation surrounding the usage and purpose of the EUT

• Instructions on how to modify EUT• EUT inventory

40Risk Advisory

Delivers Assumptions and data to the model

Main Model Components

Input

Processing

Reporting

Transforms inputs into estimates

Translates the estimates from the processing component into useful information

41Risk Advisory

General Modeling Considerations

Foundational Elements

• Repeatable and transparent modeling process• Supported by empirical evidence• Able to produce credible estimates aligned to scenario• Materiality of a given portfolio or activity• Segment modeling based on risk characteristics (not

necessarily by line of business or product type)• Qualitative and quantitative projections are expected

Data• Internal data where available, external data as appropriate• Granular data to model characteristics of individual

portfolio/asset class

42Risk Advisory

Key Insurance ModelsCritical Model Areas

Mod

elin

g Co

mpo

nent

s

Losses

• Actuarial models used to capture losses due to mortality/morbidity, catastrophe risk, risks due to guarantees and other product specific risks

• Business units will typically own models to calculate losses from insurance related risks

• Investment losses may be done centrally or within business units

Income Statement

• Non-Interest Income will be the core element for insurers• Insurance specific P&L components including premiums,

benefits and claims, amortization of DAC and policy fees

Balance Sheet

• Investment portfolio changes incorporate business unit reinvestment assumptions and policies

• Insurance specific balance sheet components including reinsurance assets, separate accounts assets and policy reserves

43Risk Advisory

Model Documentation

Contribution to Model Risk Management

• Contribute to model validation activities by providing comprehensive information on the model

• Allow for the identification of model risk• Contribute to business continuity through memorialization of

model attributes• Provides stakeholders information of the limitations and

weaknesses of models• Makes compliance with policy transparent

Key Documentation Elements

• Demographic information• Executive summary• Modeling data• Modeling approach• Modeling assumptions• Model limitations• Model estimation / development

• Implementation testing• Technical specifications• User guide• Operational controls• Model risk monitoring• Change management

44Risk Advisory

Supervisory Guidance

Supervisory Guidance on Model Risk Management – SR Letter 11-7

• Provided in 2011 but has received increased focus within the past two years

• Includes guidance for all aspects of model risk management– Model development, implementation and use– Model validation– Governance– Model risk management policy– Model Inventory

• Customization is expected

45Risk Advisory

Model Risk Management Policy

Model risk management activities should be formalized through policies and procedures to ensure good governance practices.

The model risk management policy sets the protocol for model owners, users and validators to ensure alignment with supervisory guidance and expectation.

Key components include:

Model definitions

Model risk definitions

Assessment of model risks

Acceptable practices for model development, implementation, and use

Appropriate model validation activities

Governance and controls over the model risk management process

46Risk Advisory

Model Inventory

General Guidelines

• Firm-wide inventory• Model status• Model variation• Description should include

– Model name and owner– Purpose– Products– Use restrictions– Type and source of inputs– Outputs and intended use– Last update and current status– Exceptions to policy– Validation status and dates– Timeframe for review and ongoing monitoring

• Risk assessment

47Risk Advisory

Model Validation

All model components (input, processing, reporting) should be subject to validation

Both in-house and externally developed models should be validated

Rigor and sophistication should be commensurate with the use, complexity, and materiality of the model as well as the size and complexity of the organization’s operations

48Risk Advisory

The Model Validation Process

Model Risk Identification

Design Validation Test

Plan

Perform Validation Activities

Document and

Remediate Issues

Issue Report and Guidance

• Model owner walk through of model development, implementation and use

• Review model documentation

• Identify and document model risks for evaluation

- Conceptual risk

- Implementation risk

- Input risk

- Output risk

- Reporting risk

• Construct testing plan for model based on identified model risks

• Document the test procedures for each model risk

• Assign timelines and ownership for testing activities

• Perform validation procedures outlined in the testing plan

• Adjust test plan and add additional procedures as needed based on test results

• Ongoing dialogue between validation team and model owner to discuss observations

• Responses to observations from model owner

• Document issues identified and devise remediation actions

• Assign accountabilities

• Draft validation report and obtain sign-off from model owner and risk management

• Provide guidance and recommendations to model owner for model enhancement

Ongoing Communication

49Risk Advisory

Common Model Risks

Conceptual Risk

The risk that the modeling concepts are not suitable for the purpose of the application.

Implementation Risk

There are two types of implementation risk:

• The risk that the wrong algorithms were chosen to implement the specified modeling concepts

• The risk that appropriate algorithms were chosen, but they contain coding errors and bugs.

Input Risk The risk that the input parameters are inappropriate, incomplete, or inaccurate

Output RiskThe risk that the key figures and statistics that can be produced by the model do not support the business purpose or are too sensitive with respect to the provided input parameters.

Reporting Risk The risk that the representation of the output for the business users is incomplete or misleading.

50Risk Advisory

Conclusions

• Creating BAU processes based on risk mitigation can address both regulatory concerns & provide tangible business benefits.

• Important to get in front of potential regulations to evaluate impact and implement change

51Risk Advisory

Questions and Contacts

Prashant Panavalli, CIA, ARM-E, AFESenior Manager, Risk Advisory Services(201)957-2550Prashant [email protected]

52Risk Advisory

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in thispublication, and, to the extent permitted by law, Dixon Hughes Goodman LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, inreliance on the information contained in this publication or for any decision based on it.

© 2015 Dixon Hughes Goodman LLP. All rights reserved.

leveraging existing processes to address regulatory change 1215... · leveraging existing processes...

Documents