PFS Principal Ian Laughlin is a member of a Working Group of the Actuaries Institute that has prepared this paper for the Institute’s Pandemic Resource Centre. It is aimed at assisting Non-Executive Directors, particularly in financial services, on the risk management implications of the COVID-19 pandemic. Contact Ian Laughlin at ianlaughlin@pfsconsulting.com.au to find out more.
Pandemic Briefing
Risk Management implications of Coronavirus (COVID-19) – for Non-Executive Directors
DATE: 14 May 2020
PREPARED BY: John Evans and Ian Laughlin – COVID-19 Working Group
Objective and Scope
This note is aimed at assisting financial services Non-Executive Directors (and especially Risk Committee members) in their considerations of the risk management implications of the COVID-19 pandemic. It is complementary to the briefing note Risk Management implications of Coronavirus (COVID-19) – for Management.
The implications for pricing, reserving, valuations, underwriting, and product design are not considered in these risk management notes as they are addressed in separate briefing notes for each practice area.
Introduction
In the face of the global response to the COVID-19 pandemic, businesses need to adapt to meet and balance the rapidly evolving requirements and expectations of all of their stakeholders, including customers, community, government, employees, regulators and shareholders/investors. For financial institutions there is, in addition, the disruption and volatility in financial markets to contend with.
Businesses also need to continue to provide their business-as-usual products and services, as well as protect the health and wellbeing of their workforces and the wider community.
The disciplined application of risk management frameworks can help businesses respond to these changes in a structured and prioritised way. The briefing note for Management considers this using a “back to basics” approach covering business objectives, risk management activities and practical steps for management in the light of the COVID-19 pandemic.
This note focuses on the role of the Board and the additional governance considerations for directors; it also reminds directors of their role in overseeing the practical steps being taken by management (covered in Section 5 of the note for Management).
2. The role of the Board
The role of the Board with respect to risk management is set out in APRA’s CPS 220 prudential standard:
Extract from CPS 220
The role of the Board
9. The Board of an APRA-regulated institution is ultimately responsible for the institution’s risk management framework and is responsible for the oversight of its operation by management. In particular, the Board must ensure that:
a) it sets the risk appetite within which it expects management to operate and approves the institution’s risk appetite statement and risk management strategy (RMS);
b) it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensures the institution takes steps to address those changes;
c) senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;
d) the operational structure of the institution facilitates effective risk management;
e) policies and processes are developed for risk-taking that are consistent with the RMS and the established risk appetite;
f) sufficient resources are dedicated to risk management; and
g) it recognises uncertainties, limitations and assumptions attached to the measurement of each material risk.
2.1. Governance by the Board
Below are steps the Board should consider in its governance of risk management as part of the overall COVID-19 response by the business.
- Consider whether current Board and committee arrangements remain appropriate (e.g. should all/more members of the Board join the Risk Committee?)
- Assess whether any changes of arrangements cause, or could be perceived post-crisis as introducing, a blurring of the respective roles of the Board and management.
- Consider the cyber risk associated with changes of practical arrangements such as virtual Board meetings and electronic sharing of documents.
- Set a schedule of regular extraordinary meetings for the Board Risk Committee. These meetings should have a standing agenda, as well as one-off items as required e.g.:
  - Review of risk profile dashboard
  - Agreement on actions to address indicators that are in amber or red zones, and monitoring of previously agreed actions
  - Assessment of financial and risk profile forecasts, with particular focus on and awareness of the assumptions used by management in their modelling, and challenge on whether those assumptions are extreme enough or too extreme
  - Agreement on triggers which would lead to additional extraordinary meetings of either the Committee or Board.
- Ensure that adequate and timely documentation of Board activities continues to be maintained.
- Ensure the CRO has clear expectations set as to communication with the Board and has unfettered access to the Board (e.g. through the BRC chair).
- Ensure it is receiving adequate, timely and quality information needed to effectively assess and prioritise issues, focus attention on monitoring the success of actions taken to resolve the most significant issues and enable informed, defensible decision making.
- Ensure that there is a clear communication strategy in place across the broad range of stakeholders and the Board is clear as to how risks around stakeholders are being managed and escalated in a timely fashion.
- Ensure management sets up a committee or task force that will be responsible for:
  - monitoring the evolving pandemic, government and regulator responses, and industry/peer actions;
  - engaging with the Board, regulators, industry bodies and COVID-19 “think-tanks”;
  - setting the business’ response and coordinating agreed actions; and
  - communicating to the rest of the organisation, in terms linking back to the purpose and values of the organisation.
2.2. Revisit the Board owned/approved foundational elements of the Risk Management Framework
A range of financial and non-financial risks will almost certainly have crystallised as a result of the pandemic. In its response, the business will likely have made some significant changes in practices, and consequently its risks have increased, over a very short timeframe. Its current financial, strategic and operational positions are likely to be quite different to when the framework elements were last set or approved.
The Board should consider the implications of the above on the Risk Appetite Statement (RAS), the Risk Management Strategy (RMS), the ICAAP and the Business Continuity Plan (BCP). If deficiencies have been revealed, the Board should address any gaps and lack of clarity in a formal and structured way, to ensure expectations of and guidance for management are clear from this point forward. In effect this is performing an out-of-cycle review, making amendments, possibly on an interim basis.
- RAS
  - Review how clear and effective the current RAS has been in helping the business manage its risks throughout the pandemic to date.
    - Did management rely on the RAS as it responded?
    - Did management report to the Board in terms of the RAS?
    - Was the business exposed to risks or level of risks that were not understood?
    - Is it clear whether the business operated within risk appetite throughout the pandemic?
    - Did the RAS capture the contagion effects of major risks such as a pandemic?
  - Review how clear the RAS is in addressing risks from this point forward and how well it helps management plan and implement its likely steps under a range of scenarios.
- RMS
  - Review how well the Risk Management Strategy (RMS) has addressed the current situation.
    - Did it capture the risk of a pandemic (or other similar unexpected event)?
    - Did it effectively deal with the approach to managing such risks?
- ICAAP
  - Review how clear and effective the current ICAAP has been in helping the business manage its capital to date, to prevent its capital strength from being significantly reduced.
    - Did it anticipate a shock from an event like the pandemic?
    - Did it provide a clear way forward in terms of capital management, recovery options, and governance requirements?
    - Has the target capital position proven to be adequate?
  - Review how clear and practical the current ICAAP is in planning likely next steps under a range of scenarios. In particular, does it provide a clear roadmap back to a satisfactory capital position from this point forward, while preventing any possible breach of PCR and keeping within risk appetite?
  - Assess APRA expectations in the current situation with respect to operating below target capital, possible breach of PCR, etc. (e.g. through letters, direct communication with management and/or Board).
- BCP
  - Review how well the BCP had anticipated the impact of the pandemic and how it performed to date.
3. Board Oversight of practical steps by management
The top areas on which management should focus in order to assess and manage their risks as part of their overall COVID-19 response, and on which the Board should provide oversight and challenge, are listed below. Further details on each area are provided in the briefing note for Management. This list is by no means exhaustive.
i. Business Continuity
ii. Supply Chain (a subset of Business Continuity)
iii. Workforce and community safety
iv. Financial stability
v. New/increased risks, in particular damage to reputation and customer franchise
vi. Financial projections and stress and scenario testing
vii. Frequency of application of Risk Management Framework activities
viii. Communication
ix. Potential knock-on impacts