ABI RESPONSE TO CP140: INTERIM PRUDENTIAL SOURCEBOOK FOR INSURERS: GUIDANCE ON SYSTEMS AND CONTROLS, AND CP142: OPERATIONAL RISK SYSTEMS AND CONTROLS

Transcription

1 ABI RESPONSE TO CP140: INTERIM PRUDENTIAL SOURCEBOOK FOR INSURERS: GUIDANCE ON SYSTEMS AND CONTROLS, AND CP142: OPERATIONAL RISK SYSTEMS AND CONTROLS 1 EXECUTIVE SUMMARY 1.1 FSA Proposals These are two consultations on operational risk, systems and controls. The first, CP140, applies to insurers in the context of the Interim Prudential Sourcebook and the second, CP142, applies to all firms including insurers for implementation with the new Integrated Prudential Sourcebook (PSB) They both develop requirements in the Senior Management, Systems and Controls (SYSC) and provide guidance. CP140 will expand the Insurance part of the Interim Prudential Sourcebook with extra guidance while CP142 places some new material in SYSC and amends the draft PSB largely through guidance but also through rules. 1.2 Key ABI Response Points Because of the similarity of the issues raised in the two CPs a single ABI response has been prepared. Key points are: Guidance needs to be adaptable to the position of individual firms; An approach of using guidance rather than prescriptive rules is correct with operational risk; Guidance is to assist firms in meeting their regulatory responsibilities and its purpose is not to provide a rigid benchmark for regulators; Adequate implementation periods should be provided for on the introduction of new guidance; Guidance should recognise that there are different ways of approaching and managing operational risk; Guidance and rules for the interim prudential sourcebook should read across to the PSB ie no disjuncture between the two.

2 2 POLICY CONSIDERATIONS AFFECTING OPERATIONAL SYSTEMS AND CONTROLS 2.1 Operational systems and controls are at the heart of any business or operation. They affect how it runs and are fundamental in determining its commercial success and the degree to which it is exposed to risk. They are expensive to implement, and change requires significant implementation. 2.2 A financially strong, well managed insurance industry is in the interests of insurers: poor management and financial and operating weakness leading to failures affect the profile of the whole industry, as well as leading to calls on the FSCS and reducing profitability in cases of irresponsibly low pricing. A proper and appropriate approach to operational systems and controls has a direct part in avoiding this. The comments in this response must be read in this context. 3 OVERALL APPROACH: GUIDANCE OR RULES? 3.1 The distinction between rules and guidance is in some cases a fine one but may be analysed as follows. Rules are requirements to act in a given manner while guidance is designed to assist in achieving the result required by the rules. They fall into two categories; Requirements to achieve principles, e.g. high level principles of business in PRIN, or Prescriptive requirements as to detail, for instance reporting requirements, where it is important to have information presented in similar format for comparability purposes. 3.2 The first category of requirements imposes a duty to apply the requirement to the circumstances of each firm. Responsibility for application rests with the firm and guidance rather than rules is the appropriate approach because of the need for flexibility. With the second category, rules are often the appropriate approach although they need to be supplemented with guidance. 3.3 Operational risk is covered by Rule of SYSC A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business. This is a conceptual requirement to be applied to the position of each firm as is made clear in the guidance at SYSC 3.1.2, the nature and extent of the systems and controls which a firm will need to maintain will depend upon a number of factors including the nature, scale and complexity of its business.and the degree of risk associated with each area of its operations. This is clearly in the first category enunciated above and a 2

3 guidance based approach is the correct one to follow in the case of both CP140 and CP TIMING ISSUES ON INTRODUCTION OF GUIDANCE 4.1 The regulatory approach to insurance is evolving and moving from a form filling approach to a risk assessment based approach. This involves a considerable cultural change and it is important for guidance as it is introduced to encourage this change. In particular guidance should not introduce, or be interpreted as introducing, a prescriptive one size fits all approach with a similar approach on the part of the regulator. Smaller firms in particular may require more time to introduce formal risk management processes. 4.2 It is particularly important to note that the guidance on operational risk for the Interim Source Book, ie that covered by CP140, reflects requirements already in SYSC, and materials to be introduced in the Interim Sourcebook should reflect the approach which will be adopted in the new Integrated Prudential Sourcebook. 4.3 Lastly a distinction should be observed between the implementation of new guidance and the approach to the enforcement of the rules which are the subject of the guidance. Following adoption of the guidance, a period should allowed for firms to adapt to it rather than firms being expected to comply in full immediately. This will vary depending on the extent of changes needed. 5 RESPONSES TO INDIVIDUAL QUESTIONS IN CP140 AND CP Questions in CP140 Q1. Would it be helpful to give this proposed guidance? The publication is helpful provided that it is seen as an aide to the application of the relevant rules and not as a set of prescriptive requirements in its own right. In particular the emphasis should be on insurers concentrating on the principles underlying the rules rather than a mechanistic approach to following guidance interpreted in a prescriptive manner. Also early adoption of guidance should be accompanied by a realistic implementation period. Q2. Does this guidance cover the right areas? Q3. Is the level of detail too much/too little/about right? Q4 Do you wish to make any drafting comments on the proposed guidance? These three questions are answered together. 3

4 5.1.3 All the areas covered are important but it is important not concentrate on them to the exclusion of other areas. For instance, CP140 does not cover business continuity or employee issues It is difficult to judge whether the level of detail is right in individual cases as the required level will vary between users. The approach of increasing management responsibility for risk control suggests that the drafting approach to guidance should be to highlight key issues and to leave firms to develop solutions appropriate to their situations. This argues for shorter, less prescriptive levels of detail In some cases where comparability is important, eg reporting, a more prescriptive approach is right as companies need greater certainty. These cases are probably best covered by detailed rules which will rarely be applicable to operational and systems matters Comments are made below on both the content and, where appropriate, the drafting under the individual heads of guidance. Q5. Would it be right to give this guidance before the implementation of the relevant parts of the PSB? The answer to this question depends on the spirit in which the guidance is to be applied. If its purpose is to be seen as assisting insurers without imposing new prescriptive rules, early implementation is helpful. Q6. If it is appropriate to give this guidance before the implementation of the relevant parts of the PSB, should it be introduced as soon as possible after the consultation process is complete, ie with effect from 1 February 2003? Any implementation, even if guidance, from 1 February 2003 will need to have a best endeavours aspect to it. Q7. Do you agree with this assessment of the costs and benefits of giving this guidance? If the guidance is not intended to introduce major structural changes at this stage to insurers operations, the assessment that the costs will not be great appears correct. 5.2 Questions in CP142 Q1. Do you agree that we should use guidance rather than rules when setting out our systems and control policy for operational risk? Does the guidance in Annexes B and C of this CP contain the right amount of detail? 4

5 5.2.1 As discussed above, guidance is the correct approach to setting out systems and control policy for operational risk. Q2. Do you agree that it is right to include guidance on operational risk management systems and controls in SYSC? The argument that they apply wider than just prudential matters is correct and inclusion in SYSC makes this clear. It is also helpful for major firms subject to Group Supervision to face the same guidance in all parts of their business. Q3. Do you agree that we cover the right issues in our operational policy on the management of the firm s employees? Is this guidance appropriate in terms of its quality and depth of detail? The issues raised appear appropriate. See comments on Q3 of CP140 on the level of detail generally. Q4. Do we cover the right issues in our operational risk policy on the management of systems and processes? Is this guidance appropriate in terms of its quality and depth of detail? Q5. Do we cover the right issues in our policy on business continuity management? Is this guidance appropriate in terms of its quality and depth of detail? These two questions can be answered together. The point of the new risk based culture is to encourage management to understand the issues itself and to be aware of the need to look for the unexpected. In these circumstances, exhaustive guidance is not possible and there are considerable systemic dangers if the guidance is to be viewed as an exhaustive check-list of the areas to be covered. This point is brought out by the technique in the draft of using the phrases such as, This might include, but is not limited to This point and the answer to Q3 of CP140 also apply to the level of detail. Q6. Are we right to rely on guidance on our policy on outsourcing? Yes, the high level principles are clear and there does not appear to be a case for prescriptive rules (see discussion above). Q7. Do we cover the right issues in our policy on outsourcing? Is this guidance appropriate in terms of its quality and depth of detail? The approach seems about right. 5

6 Q8. Do we cover the right issues in our policy on the use of insurance to finance operational risk? Is this guidance appropriate in terms of its quantity and depth of detail? The approach is reasonable. There is a case for recommending firms to seek advice where the issues are likely to be complex as in cases of business interruption cover and the issues involved where multiple policies are held. Q9. Does our policy amplify to an adequate degree, the high level rules in SYSC and PRAG6 that relate to the management of operational risk and the documentation of a firm s risk policy? The guidance provides a useful contribution to understanding responsibilities under the high level rules. It cannot remove the onus on firms to reach their own assessment of the requirements. It is important to avoid the impression that the guidance imposes prescriptive requirements and to recall that provided the high level principles, including that for adequate documentation, are met, guidance is to be treated flexibly. Q10. Are we right to use the term assessment in place of measurement? Should we include some guidance on data collection and the quantification of operational risk? Yes, assessment appears a better term to use than measurement. See the comments on E1-6 of the draft guidance on management information in CP140 below It appears premature to add guidance for insurers at this stage on data collection and quantification of operational risk until more detailed consideration has been given to the necessary methodological approach. In particular a number of different approaches may be valid and guidance would need to take account of this. Q11. Do you agree that the policy in this CP(142 ) is compatible with our objectives and general duties under the Act? Yes. Q12. Do you agree that this chapter provides a fair estimate of the costs and analysis of the benefits of our systems and controls policy for operational risks in Annexes B and C of this CP(142)? Have any significant costs or benefits been missed out? The assessment that set-up costs will be relatively higher than ongoing costs appears right. The probability is that costs for insurers will be relatively higher than for other sectors because in many cases new systems will need to be introduced from scratch. The level of costs is likely to be high and easy to underestimate. It is to be noted in this 6

7 context that the CP includes contingency provisions in respect of the FSA costs which supports this interpretation. 6 DETAILED COMMENTS ON DRAFT GUIDANCE IN CP140 ( PROPOSED NEW GUIDANCE NOTE 3 (P3) ON SYSTEMS AND CONTROLS) 6.1 Annex A: High Level Controls 6.2 A1-A3: Governing Body, its Role and Effectiveness The drafting of these three provisions are very much in terms of requirements for the top company of listed groups. The position of other companies in a group should be covered. In particular: Whether a subsidiary company has independent non-executive directors on its board is a question for the governance of the group. The drafting should make clear that there is no requirement to have independent non-executive directors at subsidiary board level where adequate oversight can be exercised by the non-executives at group level; Similarly compliance with the Combined Code is a listing requirement applicable to listed companies and indirectly to their subsidiaries as members of a group of companies. SYSC 3.1.3G refers to the Combined Code but limits its application to companies for whom the Code is relevant. If the intention is to extend the scope of the guidance under SYSC, surely this should be specifically consulted on and applied to all sectors? In particular are non-uk listed companies, including subsidiaries of companies listed in other jurisdictions, and subsidiary companies expected to comply? 6.3 A4-A9: Apportionment and Definition of Management Responsibilities No comments 6.4 A10: Audit Committee This guidance is to be commended for making plain that the establishment of audit committees is a matter for consideration and not a requirement although most large insurers already have such a committee. In practice, apart from firms which are branches or subsidiaries where the tests are performed from at top company level, such a committee is necessary. The guidance could be usefully expanded to confirm that an audit committee at group level can be an appropriate approach to cover the position of subsidiary companies. 7

8 6.5 B1-B3: Risk Assessment Function: General The expression risk function has two meanings: as a general function of management covering all operations or a function in the sense of a department of the organisation. All insurance companies are required by SYSC to comply with the first meaning but the separation of the risk function in insurers from other management functions does not occur in all cases and allowance should be made for this provided that the insurer is adequately fulfilling the function in the first sense discussed above. Increasingly insurance companies will have risk committees and a formal process of risk management. However this may not be the only way forward, especially for small firms. Further new institutional charge should not predate a revised view of risk and ownership of it as an issue by senior management This section of the guidance is based on SUP and SYSC These clarify that a separate risk function may be an appropriate response to risk control. The purpose of the draft guidance in CP140 is to extend the concept in the case of insurers and to clarify that it covers insurance specific risks While risk committees will become common in the industry, the short term objectives also include improving risk awareness and management as well as bringing forward structural change. For this reason guidance should concentrate on the objectives and necessary cultural change and indicate, as is the approach in SYSC, that structural matters are ones for consideration and decision by the company It would be helpful to know how risk assessment and management for insurers is going to be carried into the PSB as many of the issues raised here are not covered in the draft text with CP B1: Risk Assessment Function The wording of SUP R, to which reference is made, is in terms of market or credit risk and the guidance here is wider. There may be a need to amend the wording of SUP here The guidance is in terms of the risk function being staffed by personnel with appropriate specific skills. The guidance should be in terms of the function having available the necessary specific skills because in some cases the firm will not have these in house and will need to outsource them within the Group. A prime example lies in life insurance subsidiaries of investment management houses writing institutional pensions business or insurance companies using service companies. These often have very limited numbers of direct employees but are able to call on substantial resources at a group level. This approach should be acknowledged subject to the guidance on outsourcing. 8

9 6.7 C1- C5: Legal Risk Legal risk for insurers can be analysed into two categories: Risks to the insurer arising between it and a third party, eg disputes with policyholders either in individual cases or with a class of policyholders, disputes with reinsurers and other suppliers of services, and Risks accruing to an insured which are the subject of the insurance, eg whether an insured is liable in tort to a third party The first category is common to all firms and is the subject of PROR in the draft PSB. It is derived from PRIN3 and already a requirement at a high level The second category appears more closely aligned to insurance operational risk, in particular underwriting (PRIR 1.3.2) and claims reserving (PRIR 1.3.5), in the draft PSB. The main difference in the guidance appears to be that the PSB will recommend adequate documentation of the policy adopted while here the guidance is in terms of having a process C1 is drafted in terms of identifying all legal risks. Surely this should be in terms of material legal risks taking into account an assessment of the probability of occurrence and the severity of outcome in the event of the risk materialising? There are relatively few transactions with no legal risk, particularly from changes in interpretation of the law, although in most cases the probability of the risk materialising is very small. The point about materiality of risk and the definition of legal risk are both important and open ended. The ABI would welcome a meeting with the relevant FSA staff to discuss the scope of legal risk in due course. 6.8 D1-14:Internal Audit D8 extends internal audit to the compliance function. Does the guidance require this work to be undertaken by the same personnel as the rest of internal audit or can the requirement be satisfied by other arrangements? 6.9 E1-6: Management Information E1 refers to management information being sufficient to identify, measure and control all material risks. Two drafting points: Would assess be better than measure as measure implies a degree of exactness which is not always available? It also dispels any concept that the role is limited to what can be accurately measured when a prime objective is to ensure that management 9

10 reports cover wider risk concerns. This point is discussed in paragraph 4.8 of CP142; The second point refers to the use of the word control. Would the meaning be clearer if it read to identify, assess and enable management to control? The present wording suggests that it is the role of the providers of management information to control risk. While in practice this is likely to be a function of the individuals who provide management information, this is a separate function from management reporting with which this guidance is concerned E5 covers the outcome of stress and scenario testing. At present stress and scenario testing is due to be the subject of consultation ahead of the PSB. Is this guidance limited to such stress and scenario testing as is currently undertaken by the firm or does it require a firm to introduce specific tests at this stage? The expression stress and scenario testing has the same flavour of quantitative precision as the word measurement. Would it be better to speak of stress testing, where quantitative measures are implied, and scenario analysis where they may not be possible? 6.10 F1-F5: Outsourcing F1 speaks of appropriate due diligence of the financial stability and expertise of the supplier. Would a more appropriate approach be: an insurer should. satisfy itself as to the service provider s financial stability and expertise including, if appropriate, due diligence? This covers cases where due diligence in the technical sense may not be appropriate and where it might be disproportionately expensive particularly in terms of a smaller insurer with a proportionately smaller contract size In some cases an employee of the company to which business is outsourced would appear to require approval. The guidance should cover such situations G1-7: Group Risk No comments. Ref J/640/025D 15 October 2002 [N011609Acleanversionfinaldoc.FR&T.BMCH.NOTES.02] 10

11 ABI RESPONSE TO CP140: INTERIM PRUDENTIAL SOURCEBOOK FOR INSURERS: GUIDANCE ON SYSTEMS AND CONTROLS, AND CP142: OPERATIONAL RISK SYSTEMS AND CONTROLS 1 EXECUTIVE SUMMARY 1.1 FSA Proposals These are two consultations on operational risk, systems and controls. The first, CP140, applies to insurers in the context of the Interim Prudential Sourcebook and the second, CP142, applies to all firms including insurers for implementation with the new Integrated Prudential Sourcebook (PSB) They both develop requirements in the Senior Management, Systems and Controls (SYSC) and provide guidance. CP140 will expand the Insurance part of the Interim Prudential Sourcebook with extra guidance while CP142 places some new material in SYSC and amends the draft PSB largely through guidance but also through rules. 1.2 Key ABI Response Points Because of the similarity of the issues raised in the two CPs a single ABI response has been prepared. Key points are: Guidance needs to be adaptable to the position of individual firms; An approach of using guidance rather than prescriptive rules is correct with operational risk; Guidance is to assist firms in meeting their regulatory responsibilities and its purpose is not to provide a rigid benchmark for regulators; Adequate implementation periods should be provided for on the introduction of new guidance; Guidance should recognise that there are different ways of approaching and managing operational risk; Guidance and rules for the interim prudential sourcebook should read across to the PSB ie no disjuncture between the two. 11

12 2 POLICY CONSIDERATIONS AFFECTING OPERATIONAL SYSTEMS AND CONTROLS 2.1 Operational systems and controls are at the heart of any business or operation. They affect how it runs and are fundamental in determining its commercial success and the degree to which it is exposed to risk. They are expensive to implement, and change requires significant implementation. 2.2 A financially strong, well managed insurance industry is in the interests of insurers: poor management and financial and operating weakness leading to failures affect the profile of the whole industry, as well as leading to calls on the FSCS and reducing profitability in cases of irresponsibly low pricing. A proper and appropriate approach to operational systems and controls has a direct part in avoiding this. The comments in this response must be read in this context. 3 OVERALL APPROACH: GUIDANCE OR RULES? 3.1 The distinction between rules and guidance is in some cases a fine one but may be analysed as follows. Rules are requirements to act in a given manner while guidance is designed to assist in achieving the result required by the rules. They fall into two categories; Requirements to achieve principles, e.g. high level principles of business in PRIN, or Prescriptive requirements as to detail, for instance reporting requirements, where it is important to have information presented in similar format for comparability purposes. 3.2 The first category of requirements imposes a duty to apply the requirement to the circumstances of each firm. Responsibility for application rests with the firm and guidance rather than rules is the appropriate approach because of the need for flexibility. With the second category, rules are often the appropriate approach although they need to be supplemented with guidance. 3.3 Operational risk is covered by Rule of SYSC A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business. This is a conceptual requirement to be applied to the position of each firm as is made clear in the guidance at SYSC 3.1.2, the nature and extent of the systems and controls which a firm will need to maintain will depend upon a number of factors including the nature, scale and complexity of its business.and the degree of risk associated with each area of its operations. This is clearly in the first category enunciated above and a guidance based approach is the correct one to follow in the case of both CP140 and CP

13 4 TIMING ISSUES ON INTRODUCTION OF GUIDANCE 4.1 The regulatory approach to insurance is evolving and moving from a form filling approach to a risk assessment based approach. This involves a considerable cultural change and it is important for guidance as it is introduced to encourage this change. In particular guidance should not introduce, or be interpreted as introducing, a prescriptive one size fits all approach with a similar approach on the part of the regulator. Smaller firms in particular may require more time to introduce formal risk management processes. 4.2 It is particularly important to note that the guidance on operational risk for the Interim Source Book, ie that covered by CP140, reflects requirements already in SYSC, and materials to be introduced in the Interim Sourcebook should reflect the approach which will be adopted in the new Integrated Prudential Sourcebook. 4.3 Lastly a distinction should be observed between the implementation of new guidance and the approach to the enforcement of the rules which are the subject of the guidance. Following adoption of the guidance, a period should allowed for firms to adapt to it rather than firms being expected to comply in full immediately. This will vary depending on the extent of changes needed. 5 RESPONSES TO INDIVIDUAL QUESTIONS IN CP140 AND CP Questions in CP140 Q1. Would it be helpful to give this proposed guidance? The publication is helpful provided that it is seen as an aide to the application of the relevant rules and not as a set of prescriptive requirements in its own right. In particular the emphasis should be on insurers concentrating on the principles underlying the rules rather than a mechanistic approach to following guidance interpreted in a prescriptive manner. Also early adoption of guidance should be accompanied by a realistic implementation period. Q2. Does this guidance cover the right areas? Q3. Is the level of detail too much/too little/about right? Q4 Do you wish to make any drafting comments on the proposed guidance? These three questions are answered together All the areas covered are important but it is important not concentrate on them to the exclusion of other areas. For instance, CP140 does not cover business continuity or employee issues. 13

14 5.1.4 It is difficult to judge whether the level of detail is right in individual cases as the required level will vary between users. The approach of increasing management responsibility for risk control suggests that the drafting approach to guidance should be to highlight key issues and to leave firms to develop solutions appropriate to their situations. This argues for shorter, less prescriptive levels of detail In some cases where comparability is important, eg reporting, a more prescriptive approach is right as companies need greater certainty. These cases are probably best covered by detailed rules which will rarely be applicable to operational and systems matters Comments are made below on both the content and, where appropriate, the drafting under the individual heads of guidance. Q5. Would it be right to give this guidance before the implementation of the relevant parts of the PSB? The answer to this question depends on the spirit in which the guidance is to be applied. If its purpose is to be seen as assisting insurers without imposing new prescriptive rules, early implementation is helpful. Q6. If it is appropriate to give this guidance before the implementation of the relevant parts of the PSB, should it be introduced as soon as possible after the consultation process is complete, ie with effect from 1 February 2003? Any implementation, even if guidance, from 1 February 2003 will need to have a best endeavours aspect to it. Q7. Do you agree with this assessment of the costs and benefits of giving this guidance? If the guidance is not intended to introduce major structural changes at this stage to insurers operations, the assessment that the costs will not be great appears correct. 5.2 Questions in CP142 Q1. Do you agree that we should use guidance rather than rules when setting out our systems and control policy for operational risk? Does the guidance in Annexes B and C of this CP contain the right amount of detail? As discussed above, guidance is the correct approach to setting out systems and control policy for operational risk. 14

15 Q2. Do you agree that it is right to include guidance on operational risk management systems and controls in SYSC? The argument that they apply wider than just prudential matters is correct and inclusion in SYSC makes this clear. It is also helpful for major firms subject to Group Supervision to face the same guidance in all parts of their business. Q3. Do you agree that we cover the right issues in our operational policy on the management of the firm s employees? Is this guidance appropriate in terms of its quality and depth of detail? The issues raised appear appropriate. See comments on Q3 of CP140 on the level of detail generally. Q4. Do we cover the right issues in our operational risk policy on the management of systems and processes? Is this guidance appropriate in terms of its quality and depth of detail? Q5. Do we cover the right issues in our policy on business continuity management? Is this guidance appropriate in terms of its quality and depth of detail? These two questions can be answered together. The point of the new risk based culture is to encourage management to understand the issues itself and to be aware of the need to look for the unexpected. In these circumstances, exhaustive guidance is not possible and there are considerable systemic dangers if the guidance is to be viewed as an exhaustive check-list of the areas to be covered. This point is brought out by the technique in the draft of using the phrases such as, This might include, but is not limited to This point and the answer to Q3 of CP140 also apply to the level of detail. Q6. Are we right to rely on guidance on our policy on outsourcing? Yes, the high level principles are clear and there does not appear to be a case for prescriptive rules (see discussion above). Q7. Do we cover the right issues in our policy on outsourcing? Is this guidance appropriate in terms of its quality and depth of detail? The approach seems about right. 15

16 Q8. Do we cover the right issues in our policy on the use of insurance to finance operational risk? Is this guidance appropriate in terms of its quantity and depth of detail? The approach is reasonable. There is a case for recommending firms to seek advice where the issues are likely to be complex as in cases of business interruption cover and the issues involved where multiple policies are held. Q9. Does our policy amplify to an adequate degree, the high level rules in SYSC and PRAG6 that relate to the management of operational risk and the documentation of a firm s risk policy? The guidance provides a useful contribution to understanding responsibilities under the high level rules. It cannot remove the onus on firms to reach their own assessment of the requirements. It is important to avoid the impression that the guidance imposes prescriptive requirements and to recall that provided the high level principles, including that for adequate documentation, are met, guidance is to be treated flexibly. Q10. Are we right to use the term assessment in place of measurement? Should we include some guidance on data collection and the quantification of operational risk? Yes, assessment appears a better term to use than measurement. See the comments on E1-6 of the draft guidance on management information in CP140 below It appears premature to add guidance for insurers at this stage on data collection and quantification of operational risk until more detailed consideration has been given to the necessary methodological approach. In particular a number of different approaches may be valid and guidance would need to take account of this. Q11. Do you agree that the policy in this CP(142 ) is compatible with our objectives and general duties under the Act? Yes. Q12. Do you agree that this chapter provides a fair estimate of the costs and analysis of the benefits of our systems and controls policy for operational risks in Annexes B and C of this CP(142)? Have any significant costs or benefits been missed out? The assessment that set-up costs will be relatively higher than ongoing costs appears right. The probability is that costs for insurers will be relatively higher than for other sectors because in many cases new systems will need to be introduced from scratch. The level of costs is likely to be high and easy to underestimate. It is to be noted in this 16

17 context that the CP includes contingency provisions in respect of the FSA costs which supports this interpretation. 6 DETAILED COMMENTS ON DRAFT GUIDANCE IN CP140 ( PROPOSED NEW GUIDANCE NOTE 3 (P3) ON SYSTEMS AND CONTROLS) 6.1 Annex A: High Level Controls 6.2 A1-A3: Governing Body, its Role and Effectiveness The drafting of these three provisions are very much in terms of requirements for the top company of listed groups. The position of other companies in a group should be covered. In particular: Whether a subsidiary company has independent non-executive directors on its board is a question for the governance of the group. The drafting should make clear that there is no requirement to have independent non-executive directors at subsidiary board level where adequate oversight can be exercised by the non-executives at group level; Similarly compliance with the Combined Code is a listing requirement applicable to listed companies and indirectly to their subsidiaries as members of a group of companies. SYSC 3.1.3G refers to the Combined Code but limits its application to companies for whom the Code is relevant. If the intention is to extend the scope of the guidance under SYSC, surely this should be specifically consulted on and applied to all sectors? In particular are non-uk listed companies, including subsidiaries of companies listed in other jurisdictions, and subsidiary companies expected to comply? 6.3 A4-A9: Apportionment and Definition of Management Responsibilities No comments 6.4 A10: Audit Committee This guidance is to be commended for making plain that the establishment of audit committees is a matter for consideration and not a requirement although most large insurers already have such a committee. In practice, apart from firms which are branches or subsidiaries where the tests are performed from at top company level, such a committee is necessary. The guidance could be usefully expanded to confirm that an audit committee at group level can be an appropriate approach to cover the position of subsidiary companies. 17

18 6.5 B1-B3: Risk Assessment Function: General The expression risk function has two meanings: as a general function of management covering all operations or a function in the sense of a department of the organisation. All insurance companies are required by SYSC to comply with the first meaning but the separation of the risk function in insurers from other management functions does not occur in all cases and allowance should be made for this provided that the insurer is adequately fulfilling the function in the first sense discussed above. Increasingly insurance companies will have risk committees and a formal process of risk management. However this may not be the only way forward, especially for small firms. Further new institutional charge should not predate a revised view of risk and ownership of it as an issue by senior management This section of the guidance is based on SUP and SYSC These clarify that a separate risk function may be an appropriate response to risk control. The purpose of the draft guidance in CP140 is to extend the concept in the case of insurers and to clarify that it covers insurance specific risks While risk committees will become common in the industry, the short term objectives also include improving risk awareness and management as well as bringing forward structural change. For this reason guidance should concentrate on the objectives and necessary cultural change and indicate, as is the approach in SYSC, that structural matters are ones for consideration and decision by the company It would be helpful to know how risk assessment and management for insurers is going to be carried into the PSB as many of the issues raised here are not covered in the draft text with CP B1: Risk Assessment Function The wording of SUP R, to which reference is made, is in terms of market or credit risk and the guidance here is wider. There may be a need to amend the wording of SUP here The guidance is in terms of the risk function being staffed by personnel with appropriate specific skills. The guidance should be in terms of the function having available the necessary specific skills because in some cases the firm will not have these in house and will need to outsource them within the Group. A prime example lies in life insurance subsidiaries of investment management houses writing institutional pensions business or insurance companies using service companies. These often have very limited numbers of direct employees but are able to call on substantial resources at a group level. This approach should be acknowledged subject to the guidance on outsourcing. 18

19 6.7 C1- C5: Legal Risk Legal risk for insurers can be analysed into two categories: Risks to the insurer arising between it and a third party, eg disputes with policyholders either in individual cases or with a class of policyholders, disputes with reinsurers and other suppliers of services, and Risks accruing to an insured which are the subject of the insurance, eg whether an insured is liable in tort to a third party The first category is common to all firms and is the subject of PROR in the draft PSB. It is derived from PRIN3 and already a requirement at a high level The second category appears more closely aligned to insurance operational risk, in particular underwriting (PRIR 1.3.2) and claims reserving (PRIR 1.3.5), in the draft PSB. The main difference in the guidance appears to be that the PSB will recommend adequate documentation of the policy adopted while here the guidance is in terms of having a process C1 is drafted in terms of identifying all legal risks. Surely this should be in terms of material legal risks taking into account an assessment of the probability of occurrence and the severity of outcome in the event of the risk materialising? There are relatively few transactions with no legal risk, particularly from changes in interpretation of the law, although in most cases the probability of the risk materialising is very small. The point about materiality of risk and the definition of legal risk are both important and open ended. The ABI would welcome a meeting with the relevant FSA staff to discuss the scope of legal risk in due course. 6.8 D1-14:Internal Audit D8 extends internal audit to the compliance function. Does the guidance require this work to be undertaken by the same personnel as the rest of internal audit or can the requirement be satisfied by other arrangements? 6.9 E1-6: Management Information E1 refers to management information being sufficient to identify, measure and control all material risks. Two drafting points: Would assess be better than measure as measure implies a degree of exactness which is not always available? It also dispels any concept that the role is limited to what can be accurately measured when a prime objective is to ensure that management 19

20 reports cover wider risk concerns. This point is discussed in paragraph 4.8 of CP142; The second point refers to the use of the word control. Would the meaning be clearer if it read to identify, assess and enable management to control? The present wording suggests that it is the role of the providers of management information to control risk. While in practice this is likely to be a function of the individuals who provide management information, this is a separate function from management reporting with which this guidance is concerned E5 covers the outcome of stress and scenario testing. At present stress and scenario testing is due to be the subject of consultation ahead of the PSB. Is this guidance limited to such stress and scenario testing as is currently undertaken by the firm or does it require a firm to introduce specific tests at this stage? The expression stress and scenario testing has the same flavour of quantitative precision as the word measurement. Would it be better to speak of stress testing, where quantitative measures are implied, and scenario analysis where they may not be possible? 6.10 F1-F5: Outsourcing F1 speaks of appropriate due diligence of the financial stability and expertise of the supplier. Would a more appropriate approach be: an insurer should. satisfy itself as to the service provider s financial stability and expertise including, if appropriate, due diligence? This covers cases where due diligence in the technical sense may not be appropriate and where it might be disproportionately expensive particularly in terms of a smaller insurer with a proportionately smaller contract size In some cases an employee of the company to which business is outsourced would appear to require approval. The guidance should cover such situations G1-7: Group Risk No comments. Ref J/640/025D 15 October 2002 [N011609Acleanversionfinaldoc.FR&T.BMCH.NOTES.02] 20