Alexander Forbes Integrated Annual Report 2016

Risk Management

Risk governance and management

At its most fundamental level, risk management at Alexander Forbes is about protecting our ability to create value, and ensuring we preserve that value for our stakeholders. In doing so, we pursue opportunities while minimising potential negative consequences. Sound risk management is therefore an important enabler of our strategic intent, enhancing our ability to perform against our stated objectives.

The board of directors holds ultimate accountability for risk management; however, senior management is responsible for developing and implementing risk strategy. This includes acting as the custodian of policies and procedures for risk mitigation, and ensuring compliance. The individuals heading various business units, lines or subsidiaries are held accountable for the risks they take.

Risk management is built into decision-making structures and processes at both the operational and top management levels. Independent parties (those who do not approve or take risk) review decisions around risk mitigation strategies within the constraints of the group’s risk appetite measures. These reviews include stress tests to key variables and systemic shocks. Contingency plans are in place for unexpected or worst-case scenarios.

The group manages risk along three lines of defence:

  • The first line of defence is centred on day-to-day management’s responsibility and accountability for managing risks. Management’s role, through various operational committees, is to provide oversight including strategy implementation, performance measurement, risk management, company controls and governance processes.
  • The second line of defence comprises our formal enterprise risk management (ERM) framework, including our policies and minimum standards. Objective oversight provided by risk and independent audit committees continuously challenges risk management in terms of its performance and reporting.
  • The third line of defence comes from the oversight and assurance provided by an independent third party on the adequacy and effectiveness of risk management governance and internal control as established by the first and second lines of defence.

During the year under review, Alexander Forbes adopted a more defined risk management strategy including enhanced definitions of key risk indicators.

Furthermore, we refined our governance structures during the year, streamlining board and audit committee meetings as well as the information that informs them. The reports circulated to the board audit committee have been slimmed to approximately ten pages, highlighting only the most material issues and ensuring these are given the full attention of committee members.

During the year, the Financial Services Board (FSB) published board notice (BN) 158. The notice specifies certain governance arrangements related to risk management with requirements effective from 1 October 2015. As a result, a significant point of focus for the year was ensuring compliance by adjusting our policies and procedures while ensuring we do not compromise our existing risk management philosophy. Fortunately, these changes were relatively minor because we had anticipated and aligned with the recommendations in advance of BN 158’s introduction.

Risk appetite

Alexander Forbes’s risk appetite – the amount of risk we are willing to accept in pursuit of our objectives – defines parameters within which we can operate. Our risk appetite therefore serves as a valuable reference point for important business decisions and setting strategies.

Our risk appetite has been broadly defined around four key risk measures, with thresholds and metrics agreed at a group level:

  • Capital: The group will hold the larger of the economic capital requirement and the regulatory capital requirement.
  • Earnings: The group’s earnings at risk will not exceed 20% of the earnings projected over a 12-month forward-looking period.
  • Operational: The group will pursue a commercial balance between the costs of mitigating actions and the expected future financial and non-financial losses that may arise from the occurrence of operational risk events.
  • Liquidity: The group’s liquidity requirements for each relevant business/entity will be based on the best operational cash flow estimates over a 12-month forward-looking period, taking into account any minimum regulatory capital requirements that may apply.

During the year, these measures remained unchanged from previous years. However, we migrated to a new risk management system in order to improve the way the group tracks and reports on risk. The new system tracks a newly defined set of key risk indicators, flagging any material deviations and enabling us to identify and mitigate emerging risks more timeously. It also enables greater flexibility in setting tolerance thresholds according to changing circumstances and objectives.

Own risk and solvency assessment (ORSA)

During the year, the group and its insurance subsidiaries completed and submitted the mock ORSA as required by the FSB under SAM. The ORSA is defined as the processes and procedures employed to identify, assess, monitor, manage and report on the short- and long-term risks that the group is exposed to or may be exposed to and a determination of the adequacy of capital funding to ensure that the overall solvency and funding needs are met at all times. The ORSA also provides a correlation between regulatory capital and economic capital.

The ORSA report included detailed commentary on the risk profile for the group, the stress and scenario test results, capital projections, as well as commentary on the risk management system and strategy. Mock ORSA reports were produced for the Alexander Forbes Group, Investment Solutions, Alexander Forbes Insurance and Alexander Forbes Life.

The executive management, board sub-committees and boards at both group and subsidiary level were integral to the ORSA process and exercised robust reviews and challenged results which culminated in the final sign-off of the reports submitted to the FSB.

Key business risks

Alexander Forbes identifies and classifies its key risks according to a three-level taxonomy system. Key risks are identified and ranked by our group risk division in terms of our risk management strategy and in consultation with subsidiary and group management. The table overleaf summarises the actions undertaken during the year to mitigate our level one risks.

Level one risk

Actions taken during 2016

Plans for 2017

Business risk

The risk that the company will generate inadequate profits

  • Completed enhancements of the group’s stress-testing capabilities to identify significant events that could test its solvency levels.
  • Completed the revision of the group’s key risk indicators that inform risk appetite measures and identify possible emerging risk.
  • Enhance project risk management as the group embarks on its digitisation programme.
  • Further refine the identification and analysis of emerging risks with greater emphasis on identifying risk agility and risk velocity.

Credit risk (incorporating liquidity risk)

The risk that a supplier, while solvent on a balance sheet basis, either does not have the resources to meet its obligations or can secure these only at excessive cost

  • The group further enhanced its:
    • Liquidity risk-tolerance model
    • Liquidity stress-testing model
    • Intra-day liquidity risk and collateral.
  • Enhance the group’s counterparty risk management processes to enhance real-time monitoring of counterparties.
  • Review of credit risk policy, including:
    • Revisions to counterparty limits in line with current country risk profile
    • Revisions to group capital committee approval limits

Market risk

Loss due to factors affecting the overall performance of financial markets

  • Completed the group’s stress-testing framework in line with regulatory requirements issued by the FSB in 2015.
  • Revised and began to implement the group’s market risk management policy.
  • Improved dynamic market risk reporting to capital oversight committee.
  • Completed further refinements to the relevant underwriting models and asset-liability matching models.
  • Significant progress made on the group’s customer and risk-focused product development together with appropriate risk-based pricing.
  • Completed phase I of implementing a model to improve the group’s system of understanding and monitoring the sensitivity of credit risk metrics and trends relative to various risk parameters.
  • Effective monitoring and understanding of the sensitivity of market risk metrics and trends relative to various risk parameters (completion of phase II).

Underwriting risk

Loss on underwriting activity, whether from factors within or beyond our control

  • Reassessed and redefined reinsurance model guidelines. This remains a dynamic process.
  • Created dynamic repricing models in line with customer and market expectations.
  • Improved churn rate monitoring and intervention tools.
  • Continuously monitor and refresh pricing models in line with churn rates.
  • Review reinsurance arrangements and associated risk concentrations.
  • Review and enhance asset liability matching and investment portfolios.

Strategic risk

Loss arising from the pursuit of an unsuccessful business plan

  • Redesigned the group’s risk management systems to track and report on strategic risks on a real-time basis.
  • Partial progress was made in developing a framework for using risk analytics to inform investment and strategic decisions.
  • Capacitation of the enterprise project management office to track and validate deliverables for strategic projects.
  • Greater interrogation of risk mitigation management.
  • Introduce a programme to integrate risk into the financial review and validation cycles across the organisation.
  • Further embed risk into the business planning cycle and introduce improved management tools and reporting for all key decision-makers.

Operational risk (incorporating regulatory risk)

The risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events which gives rise to errors and omissions.

  • Improved task segregation, preventing any one individual from taking advantage of numerous aspects of a particular transaction, business process or practice by creating a separate division to take full accountability.
  • Identified risk and ERP systems to limit complexities in business processes by curtailing manual activities and the number of people and exceptions that arise during the implementation of business processes.
  • Reinforced organisational ethics by creating a strong ethical compass that can be strengthened by aligning personal values with the ideology of the organisation.
  • Commenced the implementation of combined assurance to monitor and evaluate business processes at regular intervals with well-designed key performance indicators (KPIs) to ensure timely detection and mitigation of risks – in effect proactively identifying discrepancies and managing these accordingly.
  • Periodic assessment of all facets of operational risks to gauge regulatory obligations, IT assets, skills, competencies, processes and business decisions.
  • The group renewed its comprehensive professional indemnity programme with approximately R2 billion cover for each claim year.
  • Test and improve the group cyber security programme.
  • Continuously refine the management of conduct risk throughout the group.
  • Implement the group’s refined AML risk-based programme in line with proposed future regulatory changes.
  • Periodic assessment of all facets of operational risks to gauge regulatory obligations, IT assets, skills, competencies, processes and business decisions.
  • Renew the group’s comprehensive professional indemnity programme with approximately R2 billion cover for each claim year.

These key risks, actions and plans were interrogated, approved and monitored by the group audit committee.

Risks are continuously shifting and we must therefore remain vigilant to make sure we identify and mitigate emerging risks before they hinder our ability to meet our objectives. In 2016, cyber security was identified as the most significant emerging risk. As the group and its clients adopt an increasingly digitised approach to conducting business, this can result in exposure to malicious attacks. Fortunately, we have adopted robust preventative protections and, as a result, have not been significantly impacted by the risk.

Our top-ten level two risks for the year under review are mapped on the heat map below, illustrating the likelihood of their occurrence, the potential impact to the business and their time frame (short, medium and long term).