Chapter 6: Analysis of control

Transcription

1 Chapter 6: Analysis of control 6.1. Introduction The preceding Chapter dealt with the manner in which the relevant risks are analysed for the functional activities distinguished within the organisational structure. More specifically, it discussed the assessment of (default scores for) the probability of a risk event within a certain functional activity leading to a significant to high impact. This Chapter deals with the next stage of the supervisory method: the analysis of the quality of the risk controls within the institution. Analysis of the risks controls serves to gain an insight into the quality of the risk controls for the individual risks and into the resulting residual risks within the functional activities that have been distinguished in the breakdown of the organisation. In the absence of adequate controls, there is an enhanced probability of the risk giving rise to a risk event or leading to a heavier impact Inherent risks, controls and residual risks With the aid of controls, an institution is able to reduce its risks. These measures do not affect the level of the inherent risk but reduce the institution s residual risk position. The residual risk position results after allowing for the effects of all existing controls: INHERENT RISKS mitigated by CONTROLS = RESIDUAL RISKS It should be noted that inherent risks cannot be reduced to nil, not even with the aid of adequate controls. Phrased differently, even if optimum controls are in place, a residual risk remains in most cases. For some risks, this ultimately resulting residual risk will be larger than for other risks. The supervisor s assessment focuses on the question whether the institution controls the risk concerned in an optimum manner (as best as is realistically feasible). The question whether the risk is thus eliminated in full is of secondary importance. The illustration below shows a visual representation of this argument. The hatched parts represent the proportion of the risk that remains even after optimum control. In this example, for instance, the market risk cannot be reduced to nil. The blue part represents the difference between optimum and actually present controls. Within FIRM, optimum control of a certain risk, irrespective of the question whether the risk has been reduced to nil, should lead to the assessment strong control (control score 1). In the illustration, control score 1 is assigned if B equals C. The fact that in many cases risks cannot be controlled completely is reflected in the residual risk calculated by FIRM. Thus, optimum risk-specific control (score 1) for high inherent risks never leads to a residual risk score of 1 within FIRM. Chapter 6: Analysis of control Page 1 of 13

2 The following may serve to illustrate this point. Even in the case of optimum control (score 1), a risk where the inherent risk has been assessed as high (score 4) or material (score 3) will at most lead to a residual risk score of 2.5 or 2, respectively. For information on the manner in which the controls affect the level of risks, the reader is referred to Chapter 7 (Aggregation). This Chapter focuses on the risk controls. Below, guidelines are presented for assessing institutions control frameworks Control categories Within FIRM, the following forms of control (control categories) are distinguished: risk-specific controls; risk-transcending controls (organisation and management); risk-mitigating action of group functions. In addition, two special control categories are distinguished, namely Solvency Management and Liquidity Management, which are discussed below. For each control category, an overview is presented below of the underlying control items, the aspects that govern control quality, and aspects that merit attention when assessing controls. It is emphasised that the overview is not exhaustive and should merely be seen as providing general guidelines. Using his/her professional judgment, the supervisor must decide which (other) aspects are relevant to the assessment Analysis of risk-specific controls Introduction Risk-specific controls comprise controls that are specifically aimed at mitigating one single risk category. Thus, collection procedures are aimed specifically at reducing credit risk. Likewise, disaster recovery and back-up procedures are aimed specifically at reducing IT risk. Chapter 6: Analysis of control Page 2 of 13

3 Such risk-specific controls generally seek to reduce the probability of a risk event or, in the case of a risk event, to reduce its impact. 1 Aspects of risk-specific controls Within FIRM, the risk-specific controls for all risk categories consist of the same four underlying control items, namely: Control item Risk identification Risk policy AO/IC Risk monitoring Description The degree to which and the manner in which the institution has independently mapped the specific risk category, through such means as a risk inventory and risk analysis. The quality of the written policy with regard to the degree to which (risk appetite) and the manner in which (outline of controls to be implemented) the institution plans to control the risk category concerned. The degree to which and the manner in which procedures, function segregations, authorisations, limits and other preventive measures or other measures have been implemented in order to control the risk category concerned and thus to implement the appurtenant risk policy. The degree to which and the manner in which the specific risk is monitored (and required adjustments are made) and the controls have been implemented, for instance by means of performance, incident or exception reports and analyses. When assessing the controls, use may be made of the assessment criteria where, for each individual risk category, an overview is presented of possible risk-specific controls. For this overview, where the above control items have been elaborated for each individual risk category, the reader is referred to Annex D. Scoring of risk-specific controls The quality of the risk-specific controls is scored separately for each individual risk category for which the inherent risks were assessed in the previous stage. Hence, if several risk categories have been scored within a single functional activity, the supervisor must also make a separate assessment for each risk category of the quality of the risk-specific controls aimed at these individual risk categories. In section (Simplified versus comprehensive scoring of control) an explanation is given of the manner of assigning scores in the case of comprehensive scoring Analysis of risk-transcending controls Organisation Introduction The control category Organisation may exert a risk-mitigating effect on inherent risks through such means as a transparent organisational structure, clear links between activities, management units and group functions, and through an adequate reporting structure. 1 Despite the fact that within FIRM only the probability of a risk event is estimated, the assessment of controls also makes allowance for both probability-reducing measures and impact-reducing measures (to the extent that a distinction can be made between the two). Chapter 6: Analysis of control Page 3 of 13

4 Organisation is a non-risk-specific control, also known as a risk-transcending control. This means that the aspects of Organisation do not relate to a single risk, but have a risk-mitigating effect on the entire functional activity and the risks distinguished in that activity. Aspects of Organisation The control category Organisation is subdivided into the following control items: Control item Organisational structure Supply of management information Human resources Internal cooperation and communication Audit measures Description The transparency of the legal or organisational structure, and the extent to which it lends itself to promoting effective operations. The extent to which timely and reliable financial and operational information is available to responsible staff (including management) permitting them to make timely and well-informed decisions and, where necessary, make timely adjustments. The extent to which adequate HR policies and sound HR instruments are in place, and the qualitative and quantitative adequacy of staff. The extent to which the internal communication and cooperation among departments and business units and with group functions operates, aimed at effective cooperation in the pursuit of the objectives. The extent to which internal and external audits by auditors and actuaries contribute effectively to the identification, analysis, control, monitoring and reporting of risks. When assessing the controls, use may be made of the assessment criteria where, for each item from the control category Organisation, an overview is presented of possible aspects of such controls. For this overview, the reader is referred to the Annexes. Scoring of control category Organisation The control category Organisation is assessed at the functional activity level. This means that, within each functional activity (including all group functions), the category Organisation is assessed once. Depending on the choice made to subject this control category to simplified or comprehensive scoring 2, the assessment is made at category level or item level, respectively. At the management unit level, no assessment is made of the control category Organisation. The fact is that the score at that level is determined by the scores for the underlying functional activities and group functions. An exception is made for the assessment of the control category Organisation for the institution as a whole; this category may be assessed by way of the group function Corporate Governance (see section 3.2.4). 2 The choice between the two scoring methods may be made separately for each individual risk and control category. Hence, the supervisor may decide to use comprehensive scoring for some risk categories and simplified scoring for other risk or control categories. Chapter 6: Analysis of control Page 4 of 13

5 Note The analysis of the control category Organisation is of special importance when assessing controls for processes and risks that involve several departments. Thus, a complex financial transaction may require expertise in the areas of corporate finance, taxes, legislation, equities and fixed-rate instruments. Good relations facilitate cooperation in such cases. Hence, the organisational aspect merits special attention when assessing activities involving several disciplines Analysis of risk-transcending controls Management Introduction The control category Management may exert a risk-mitigating effect on inherent risks through such means as a management structure and composition matching the size and complexity of the operations, an effective decision-making process, effective strategic planning and the encouragement of a corporate culture marked by an awareness of risks and the need for risk control. Like Organisation, Management is a non-risk-specific control, also known as a risk-transcending control. This means that the aspects of Management do not relate to a single risk, but have a riskmitigating effect on the entire functional activity and the risks distinguished in that activity. Chapter 6: Analysis of control Page 5 of 13

6 Aspects of Management The control category Management is subdivided into the following control items: Control item Management quality and structure Strategy Risk/control attitude Management and decisionmaking Description The manner in which the institution s leadership function is effectively performed. Cases in point are: the competence of the (board of ) management as a whole to manage the institution; the extent to which the (board of) management is adequately balanced in terms of expertise and background; the extent to which the management structure and composition match the size and complexity of the operations; the extent to which responsibilities have been assigned in an adequate manner to the individual members of the (board of) management and the extent to which an adequate span of control has been realised; the extent to which the (board of) management sets an example for the institution s staff (for instance, by propagating ethical norms and standards); the (board of) management s leadership style and the extent to which the (board of) management is respected within the institution. This concerns: the manner in which the strategy is formulated within the institution; the extent to which this process takes place on an institution-wide basis; the transparency of the process; the substance and consistency of the strategy; the degree of specificity of the strategy, and the extent to which the institution s strategy is cle arly and consistently communicated. This concerns: the extent to which the (board of) management is aware of and interested in, and has an insight into, the risks to which the institution is exposed; the preparedness of the (board of) management to use adequate controls (both in-house and underlain by statutory rules) and to make sufficient funds available for that purpose; the extent to which the (board of) management is prepared to take risks and, when doing so, perform an adequate risk-benefit analysis; the extent to which the (board of) management complies with the existing internal controls. The extent to which the (board of) management is sufficiently actively and substantively involved in operational management and results. This is reflected in such aspects as the frequency, degree of substantiveness, intensity and action-oriented nature of management consultations. This also concerns the effectiveness of the delegation of powers to (decision-making) bodies (such as risk committees). Chapter 6: Analysis of control Page 6 of 13

7 When assessing the controls, use may be made of the assessment criteria where, for each item from the control category Management, an overview is presented of possible aspects of such controls. For this overview, the reader is referred to the Annexes. Scoring of control category Management The control category Management is assessed at the functional activity level. This means that, within each functional activity (including all group functions), the category Management is assessed. Depending on the choice made to subject this control category to simplified or comprehensive scoring, the assessment is made at category level or item level, respectively. At the management unit level, no assessment is made of the control category Management. The fact is that the score at that level is determined by the scores for the underlying functional activities and group functions. An exception is made for the assessment of the control category Management for the institution as a whole; this category may be assessed by way of the group function Corporate Governance (see section 3.2.4) Control categories Solvency Management and Liquidity Management Introduction In addition to the control categories discussed above, there are two special control categories, namely Solvency Management (except for trust offices, money transaction offices, casinos and credit card companies) and Liquidity Management (for banks only). With the aid of these categories, the supervisor assesses the quality of the manner in which the institution monitors and controls its solvency position and liquidity position, respectively. This assessment adds to the overall picture of the institution s risk management, with the assessment of the level and the control of the individual risk categories being complemented with an insight into the manner in which the institution manages its financial buffers (which, after all, serve to absorb risks, both at the present time and in the future) in the longer term. This assessment is in line with developments within the framework of Basel II, economic capital, the Financial Assessment Framework and Solvency II. This assessment of the quality of solvency and liquidity management may be viewed in conjunction with the key indicators regarding the solvency and liquidity position which are entered on the main screen of a management unit which at the same time is an institution subject to direct supervision. Chapter 6: Analysis of control Page 7 of 13

8 Solvency Management Aspects of Solvency Management The control category Solvency Management is subdivided into the following control items: Control item Policy Risk modelling Capital analysis Access to funding Description The extent to which policies are in place in respect of: the desired solvency level (calculation, amount and composition); the desired solvency level in relation to the statutory requirements and to a desired external rating or to internal ratios. For pension funds, this also includes the policy regarding the use of instruments (indexation policy, premium policy, investment policy) to make up for (imminent) solvency shortages. The extent to which and the manner in which risks are adequately modelled, aimed at the calculation of a risk-based capital need or capital requirement (economic capital). This also includes the use of adequate scenarios (including stress testing) in respect of these risks, as well as adequate and realistic assumptions and starting-points. The manner in which the institution maps the future development of its assets and liabilities in a forward-looking way, based on its long-term plans ands budgets (or more specifically, its expectations and objectives regarding (dis)investments, financing, growth of turnover, profitability, etc.), aimed at estimating the expected development of the actual solvency position. Also, the manner in which and the extent to which the development of the actual relative to the desired/required solvency position (both at the present time and in respect of expectations for the future) is adequately monitored, any relevant signals being identified/transmitted to the proper echelon in good time and, where necessary, followed up by timely action. The manner in which the institution intends to react to (imminent) solvency shortages (contingency planning) and the extent to which, if necessary, it is possible, on acceptable terms, to avert or make up for (imminent) solvency shortages through such means as: obtaining long-term funding (raising capital, such as a subordinated loan from a sponsor of a pension fund); tapping sources of income; securitising assets. When assessing the controls, use may be made of the assessment criteria where, for each item from the control category Solvency Management, an overview is presented of possible aspects of such controls. For this overview, the reader is referred to the Annexes. Chapter 6: Analysis of control Page 8 of 13

9 Scoring of control category Solvency Management Within institutions that consist of just a single functional activity, solvency management is, of course, assessed within that single functional activity as an additional control category alongside Management and Organisation. Within institutions that consist of several management units and functional activities, solvency management is always assessed within a group function Solvency Management. Within this group function, the control category Solvency Management is scored as well as the control categories Management and Organisation (specifically relating to solvency management). For the position of this group function within the tree structure, the reader is referred to Chapter 3 (Breakdown of the organisation). In either case, the manner of assessing the control category Solvency Management does not differ from that in which Management and Organisation are assessed, except that the underlying items are different Liquidity Management (for banks only) Aspects of Liquidity Management The control category Liquidity Management is subdivided into the following control items: Control item Policy Modelling Position monitoring Crisis management Access to money market Description The extent to which policies are in place in respect of: the desired liquidity level (amount and composition); the desired liquidity level in relation to the statutory requirements; the manner in which the institution intends to react to (imminent) liquidity shortages (contingency planning). The extent to which and the manner in which: risks are adequately modelled; adequate scenarios (including stress testing) in respect of these risks are in place; adequate and realistic assumptions and starting-points are used to calculate the liquidity needs, as well as to analyse these liquidity needs in the light of actual liquidity. The manner in which and the extent to which the development of the actual relative to the desired/required liquidity position (both at the present time and in respect of expectations for the future) is adequately monitored, any relevant signals being identified/transmitted to the proper echelon in good time and, where necessary, followed up by timely action. The extent to which adequate measures are in place that enter into operation in the event of (imminent) liquidity shortages. The extent to which it is possible for the institution, where necessary, to raise short-term funds rapidly and on acceptable terms in order to meet the regular liquidity needs or to be able to adjust actual liquidity levels. When assessing the controls, use may be made of the assessment criteria where, for each item from the control category Liquidity Management, an overview is presented of possible aspects of such controls. For this overview, the reader is referred to the Annexes. Chapter 6: Analysis of control Page 9 of 13

10 Scoring of control category Liquidity Management Within institutions that consist of just a single functional activity, liquidity management is, of course, assessed within that single functional activity as an additional control category alongside Management and Organisation. Within institutions that consist of several functional activities, liquidity management is always assessed within a group function Liquidity Management. Within this group function, the control category Liquidity Management is scored as well as the control categories Management and Organisation (specifically relating to liquidity management). For the position of this group function within the tree structure, the reader is referred to Chapter 3 (Breakdown of the organisation). In either case, the manner of assessing the control category Liquidity Management does not differ from that in which Management and Organisation are assessed, except that the underlying items are different Where does FIRM show the scores for Solvency Management and Liquidity Management? On the dashboard for each individual management unit which is at the same time a licensee (as well as for the institution at the highest level), a score for solvency management and a score for liquidity management (for banks only) are shown. These scores are derived from the group functions Solvency Management and Liquidity Management which have been created within the management unit concerned or from the group functions elsewhere in the tree structure which, at an earlier stage within FIRM, have been linked to the management unit concerned which is at the same time a licensee Risk-mitigating action of group functions Group functions general Group functions support functional activities and often contribute to control. As group functions usually do not perform risk-generating operations, the only score which is, in principle, assigned within group functions concerns control. Hence, the control categories Management and Organisation are automatically included in the template for the group functions. The assessment is conducted in the manner described in the preceding sections. There is no difference between the assessment of Management and Organisation for a group function and their assessment for a regular functional activity. However, for group functions which contribute specifically to the mitigation of a single specific risk category, the template (as assigned in step 3 in the breakdown of the organisation) does contain one risk category in addition to the control categories Management and Organisation. This permits the riskspecific control of this specific risk category to be scored within this group function as well. 3 Group functions are only relevant for institutions which consist of more than one functional activity. Chapter 6: Analysis of control Page 10 of 13

11 In most cases, the default score for this risk category has thus been set in the template at N/A. For further details, the reader is referred to section Group functions Solvency Management and Liquidity Management In addition to the group functions described in the preceding sections, there are two special group functions, as already indicated above: Solvency Management (except for trust offices and money transaction offices) and Liquidity Management (for banks only). These two are special in that: in addition to the control categories Management and Organisation, these group functions include a third control category, namely Solvency Management and/or Liquidity Management; The scores for these group functions are not aggregated within the organisational structure in the normal way, but are shown directly and separate ly on the FIRM dashboard. For further details, the reader is referred to the preceding sections Assigning scores for control quality Scale for assigning scores The control quality is assessed using a four-point scale, expressing decreasing effectiveness of risk mitigation: 1. Strong control: High control quality makes for a strong reduction of inherent risks. The control framework is fully in line with the requirements set by the nature of the business. 2. Adequate control: Adequate control quality makes for an adequate reduction of inherent risks. The control framework is adequately in line with the requirements set by the nature of the business. 3. Inadequate control: Control must be improved. Inherent risks are not adequately reduced. The control framework is insufficiently in line with the requirements set by the nature of the business. 4. Weak control: Control must be improved drastically and/or immediately. Inherent risks are not or barely reduced. The control framework is barely in line with the requirements set by the nature of the business. Unknown: If the supervisor has as yet insufficient information about a certain form of control, he/she should use this option. Chapter 6: Analysis of control Page 11 of 13

12 If, within a functional activity, a certain control item does not exist (for instance, because no risk policy is in place), the supervisor must score this as a weak form of control (score 4). In order to provide guidance to the supervisor in decisions on assigning scores, the Annexes to this Manual include assessment criteria for each individual control category; these assessment criteria provide indications of situations where scores of 1, 2, 3 or 4 for control quality would be appropriate. Situations may arise where actual conditions within an institution do not match one of the profiles of assessment criteria, since not all assessment criteria are relevant for each individual institution. In addition, the overview is not exhaustive. Also, circumstances may arise within an institution that cannot be related to the assessment criteria for the risk concerned but that are yet relevant for assessing the quality of control. Moreover, within an individual institution, certain assessment criteria may carry a higher weight than others. In such cases, the supervisor should use his/her professional judgment in deciding which score best matches the quality of control within the functional activity concerned. As the analysis of risks and controls serves, among other purposes, to provide input for the supervisory planning and prioritisation process, an adequate distribution of scores across the full scale is desirable. Hence, supervisors are encouraged to be explicit when assigning scores and, where possible, to use the full scale Explanation of scores assigned for control The scores assigned for control are recorded within FIRM. However, it is not just the score itself that is important; equally important are the reasons and backgrounds underlying the score assigned. FIRM offers a text field where this background information may be recorded. This information should include an indication of how up to date the sources are on which the assessment has been based. In addition, within FIRM, a link can be established with a document in Trim/Rondo Simplified versus comprehensive scoring of control The control categories are, in principle, assessed on the basis of simplified scoring. In the same way as in the assessment of the probability of inherent risk events, this leads to an assessment at the level of the individual control category. In other words: In the case of simplified scoring of the categories Management and Organisation, one score is assigned within each functional activity to the control form Management and one score to the control form Organisation. If the supervisor opts to subject the control form Management and/or Organisation to comprehensive scoring, scores are assigned to all underlying control items within Management and/or Organisation. In the case of simplified scoring of the risk-specific controls, one score is assigned within each risk category to the control form risk-specific control. In the case of comprehensive scoring, four scores are assigned within each risk category to risk-specific control. Chapter 6: Analysis of control Page 12 of 13

13 This is elaborated below for market risk: Market risk Inherent risk Score for inherent risk for probability of risk event for item price volatility Score for inherent risk for probability of risk event for item market liquidity Score for inherent risk for probability of risk event for item concentration/correlation Risk-specific control Score for quality of risk inventory aimed specifically at market risk Score for quality of risk policy aimed specifically at market risk Score for quality of AO/IC aimed specifically at market risk Score for quality of risk monitoring aimed specifically at market risk If the supervisor opts for comprehensive risk analysis for a certain risk category, this choice also automatically applies to the risk-specific controls for the risk category concerned. For each individual risk category, a separate choice may be made. Chapter 6: Analysis of control Page 13 of 13