"The practice of risk management in Old Mutual has improved significantly over the past two years. The risk management team will continue to develop and strengthen oversight of the operating businesses as the Group changes in the wake of the strategic review."
Approach to Risk Management
Old Mutual is committed to the objective of increasing shareholder value by operating in a manner consistent with our risk appetite. Risk management is not limited solely to consideration of downside impacts or risk avoidance, but also encompasses taking risk knowingly for competitive advantage.
Responsibility for risk management resides at all levels within the Group, from the Board of Directors and Group Chief Executive, to Business Unit Chief Executives through to business managers via a Scheme of Delegated Authority.
Rosie Harris, Group Risk Director, left Old Mutual at the end of March 2009. Andrew Birrell has taken up the role of Group Risk Director in addition to his responsibilities as Group Chief Actuary.
The primary objective of the Group Risk Director is to facilitate alignment of strategic decisions with risk appetite and to provide the necessary framework and oversight tools to help protect Old Mutual from events that could hinder our objectives.
A new role, Head of Governance and Regulatory Compliance, has also been created, which will encompass Rosie Harris' previous responsibilities for these areas. Susan Crichton, formerly in Skandia International, has joined the Group team to take on the role.
Both Andrew and Susan are committed to Old Mutual's enterprise-wide approach to risk management. Our approach is designed so that risk management is not confined to the activities of specific risk management or specialist departments but incorporated in the day-to-day management of the business.
Strengthening Risk Management
The issues that emerged in our Old Mutual Bermuda business during 2008 highlighted certain weaknesses in our risk management and business model.
Addressing these has been a top priority for the Board and the Group Executive Committee. An independent review of risk management across Old Mutual involving external experts was completed during 2008, and we have implemented a number of initiatives to improve our governance, risk management and internal control processes including implementation of an Enterprise Risk Management programme.
These improvements include:
- Recruitment of significant additional risk and compliance personnel at Group and Business Unit level
- Development and roll-out of a global risk appetite framework
- Development of comprehensive and focused risk reporting, including introduction of a risk recording and reporting tool
- Implementation of a revised and more comprehensive risk categorisation model
- Revision of the Old Mutual policy suite and framework to reflect increased oversight from Group over Business Units; and
- Development of formal standards for internal loss data collection and increased use of Key Risk Indicators.
Our priority for 2009 is to embed these enhancements and further strengthen our system of risk management.
The Group's risk governance framework is based on the three lines of defence model. This model distinguishes between:
- functions owning and managing risk
- functions overseeing the management of risk; and
- functions providing independent assurance.
The Board is responsible for setting the Group's risk appetite and for approving the strategy for managing risk.
- As part of the first line of defence, the Group Chief Executive, supported by the Business Unit Executives, has overall responsibility for the management of risk
- Management and staff within each business are responsible for the identification, assessment, management, monitoring and reporting of risks arising within their respective areas.
- The second line of defence comprises the Group Risk Director supported by the Group Risk function as well as Business Unit Chief Risk Officers and their risk functions
- 2008 saw the creation of the Group Risk and Capital Committee. Its mandate is to support the Group Executive Committee in understanding the exposure and management of risks impacting the Group, having regard to the Group's risk appetite. The Group Risk and Capital Committee brings together senior executives across the Group functions including Risk, Finance, Actuarial, Capital and Compliance. This Committee is described in further detail in the Directors' report on corporate governance.
- The third line of defence is designed to provide independent assurance on the effectiveness of systems of governance, risk management and internal control in relation to the most significant risks which threaten the achievement of the Group's business objectives. Group Internal Audit (GIA) plays a key part in the third line of defence and provides assurance to the Group Audit and Risk Committee. GIA is described in further detail in the Directors' report on corporate governance.
RISK CATEGORISATION MODEL
|Risk category|Definition|
|---|---|
|Market risk|The risk of loss as a result of adverse changes in the market value of assets and liabilities.|
|Credit risk|The risk of loss as a result of an asset against a counterparty not being repaid at the due and stipulated time.|
|Liquidity risk|The risk that available liquid assets will be insufficient to meet changing market conditions, liabilities, funding of asset purchases, or an increase in client demands for cash.|
|Underwriting risk|The risk of loss caused by events that result in predetermined exposures being exceeded.|
|Operational risk|The risk of loss due to failure of people, process, system and/or external events.|
|Compliance risk|The risk that laws, regulations and policies will be breached. Although technically a sub-category of operational risk, compliance risk has been elevated to its own category for reporting purposes due to the focus on and importance of this area.|
|Human Resources risk|The risk that the firm will not have the human capital to sustain business performance.|
|Business risk|The risk that business performance will be below projections as a result of negative variances in new business volumes, margin, lapse experience and expenses.|
|Strategic risk|The risk that strategic decisions will adversely affect future sustainable growth.|
During 2008, Old Mutual refined and implemented an updated risk categorisation model which Business Units have aligned to. Using a common risk language across the Group will enable meaningful comparisons to be made between Business Units and we consider the risk categorisation model a fundamental building block to achieve this. Risk events are categorised as shown in the table above, with more detailed sub-categories used for reporting and analysing.
The risk appetite framework provides a basis for formally reviewing and controlling business activities to ensure that they are aligned to stakeholder expectations and are of an appropriate scale (relative to the risk and reward of the underlying activities). Once fully embedded, the framework will give the Group clearer sight and better control over risk-taking throughout the organisation.
The Group's risk appetite defines the Group's willingness to balance risk exposures with reward, and the management and monitoring of these exposures. During 2008, a Group-wide risk appetite programme was implemented to enable consistent calculation of risk exposure against appetite using a variety of metrics. We are continuing to refine our framework and set limits at increasing levels of granularity. We expect to see significant embedding of the use of risk appetite during 2009.
During 2009 the risk profile of the Group will be monitored against agreed limits on an ongoing basis by Group Risk. Business Units report on risk exposure levels on a regular basis and our systems will enable us to proactively identify when we are approaching our risk appetite limits. The use of these early warning triggers and Key Risk Indicators will enable Old Mutual to avoid risk concentrations that could prove a threat to the organisation.
Risks or events outside the agreed risk appetite are identified and reviewed, with remedial action agreed with the relevant Business Unit and oversight provided by Group Risk. Depending on the significance of the issue, the remedial action may require the approval of the Group Risk and Capital Committee, Group Executive Committee or the Board. The risk appetite limits of the Group will be reviewed regularly for continuing appropriateness in light of changing market conditions and stakeholder expectations.
Group policies set out the minimum requirements that Business Units must follow and are considered a key entity-level control. Business Units have their own policies, which are more detailed than the Group minimum requirements and take local regulation into account. The Group policies and framework have been reviewed and revised during 2008 to strengthen our Group-wide controls and these revisions will be embedded during 2009.
Risk management processes
The Group conducts a number of activities as part of the risk management framework. The principal elements are described below.
Strategic objectives, reflecting management's choice as to how the Group will seek to create value for its stakeholders, are translated into Business Unit objectives. Risks that would prevent the achievement of both the strategic and business objectives are then identified. Risk identification is an integral part of our annual business planning process as well as an ongoing activity.
Risk and control assessments
Various means of assessing, categorising and measuring enterprise risks and risk events are used throughout the Group. These include estimating the impact and the likelihood of risk occurrence, taking into account both financial and qualitative factors such as reputational or regulatory impacts.
The Board, Group Audit and Risk Committee and the Group Risk and Capital Committee regularly receive and review reports on risks and controls across the Group. Management teams in each Business Unit perform reviews of the control environment in their business, using techniques such as Risk and Control Self-Assessments.
During 2008 we revised our minimum standards for qualitative risk assessments (including the Risk and Control Self-Assessment process) across the Group and will be implementing these during 2009.
Actions to implement the risk management strategy in respect of key risks, risk appetite limit breaches or to remedy a material breakdown in control are recorded on risk and control logs maintained by each Business Unit, along with the expected date for completion of the action and the responsible executive.
The outcomes of independent reviews, including internal and external audit reviews, are integrated into risk management activities and action plans.
Monitoring and reporting
In addition to the risk monitoring undertaken at Group and Business Unit level by management and specialised risk functions, the following are some of the other processes for risk monitoring used around the Group:
- The Group Finance Director provides the Board with monthly performance information, which includes key performance indicators
- Items on risk logs and control logs (which contain details of any control failures) are reported via an escalation protocol to the appropriate level of management board or committee, where rectification procedures and progress are closely monitored
- Exposure and risk appetite reporting, risk concentrations and solvency and capital adequacy reports are submitted to the relevant Business Unit credit and capital management committees in the normal course of business
- Our Quarterly Business Review process acts as a key forum for oversight over Business Units and specifically includes discussion and challenge over the risks identified by each Business Unit
- The Internal Review Committee, a Group forum which provides a robust assessment of financial reporting from Business Units, is central in managing and monitoring risks associated with the financial reporting process
- The Internal Actuarial Review Committee is a Group forum which provides oversight of the actuarial assumptions utilised by Business Units in the determination of their long-term insurance liabilities.
We will continue to enhance risk reporting through the development of Key Risk Indicators and introduction of more formal internal and external loss data analysis.
The Group operates a treasury function which is responsible for recommending and implementing the funding strategy for the Group, including the management of debt facilities, relationships with banks and ratings agencies and Old Mutual plc's operational cash flow requirements. During the course of 2009, Group Treasury will be adopting greater oversight of Business Unit treasury activities.
Old Mutual defines its Economic Capital requirement as the value of assets required to ensure that it can meet in full its obligations to policyholders and senior creditors at a 99.93 percent confidence level, which is the probability placed on a target A-rated bond not defaulting in the next year.
Economic Capital plays a significant role in risk monitoring and risk control across the Group and is closely linked with the risk appetite framework.
The Group's Economic Capital framework has evolved considerably over the last few years and has become a valuable management tool that informs and guides risk and capital management strategy. The following are the main areas where Economic Capital impacts are considered:
- in risk-based pricing and product development to set pricing terms and charging structures
- in reinsurance to help set retention levels for new and renewed reinsurance treaties
- for risk-based capital allocation setting across the Group's business
- in decisions regarding portfolio management and optimisation; and
- to measure and monitor performance of Business Units, allowing for risk and the cost of Economic Capital to support that risk.
The Economic Capital framework is measured, monitored and reported under a rigorous governance process involving senior executives and the Board.