Letter

Letter to general insurers and life insurers: ICAAP Reports

  • Cross-industry
  • Current
    1 December 2013

TO ALL GENERAL INSURERS, LEVEL 2 INSURANCE GROUPS, LIFE INSURERS AND FRIENDLY SOCIETIES

1 January 2013 saw the commencement of a suite of new prudential standards which significantly changed how capital adequacy is determined for general insurers, Level 2 insurance groups, life insurers and friendly societies (‘institutions’).
An important component of the new prudential standards is the requirement for institutions to have an Internal Capital Adequacy Assessment Process (ICAAP). This includes a requirement for institutions to prepare an ICAAP Summary Statement (Summary Statement).
In March 2013 APRA commenced a review of Summary Statements. Initially this involved a high level review of whether Summary Statements met the fundamental requirements set out in the relevant prudential standards. APRA then undertook a more detailed review of the content of Summary Statements including peer comparisons to identify examples of better practice and potential areas for improvement.
The attachment to this letter sets out the findings from this review which APRA considers warrant consideration by the boards of institutions. Findings are classified under five headings – General Observations, Governance, Risk Management, Capital Management and Stress Testing. The matters highlighted under these headings are inter-related in many aspects and should be considered holistically.
Each institution has its particular approach to strategy, operations, risk acceptance and management, and capital planning, so a ‘one size fits all’ approach is not appropriate. The board of each institution is responsible for ensuring that the ICAAP is appropriate for that institution.
The attached findings are intended to assist institutions in improving and refining their ICAAPs and Summary Statements and to give guidance on how APRA supervisors will approach the assessment of ICAAPs and Summary Statements.
APRA expects ICAAPs and Summary Statements to continue to evolve and improve over time.
 
 
Keith Chapman
Executive General Manager,
Diversified Institutions Division
Brandon Khoo
Executive General Manager,
Specialised Institutions Division

Attachment

GENERAL OBSERVATIONS

Integration

Most Summary Statements mentioned key components such as risk management frameworks and strategies, risk appetite, capital management plans, strategic and business plans and reporting and review processes – although there was variation in detail and quality.
One of the weaker aspects was often a lack of description as to how these components interact to aid appropriate identification, description and quantification of risks, capital allocation and business decision-making.
There needs to be consistency in terminology and explanation of these aspects across different documents e.g. the Summary Statement, risk appetite statement and other elements of the risk management framework.
The comprehensiveness of the risk profile and risk appetite and the clarity with which they are expressed is critical in setting the foundation for effective risk and capital management.
It is not always straightforward to link the risk profile and risk appetite with the quantum and quality of capital. Better practice includes identifying and describing, at an appropriate level of detail, the material risks arising from business activities, the appetite for these risks and an appropriate allocation of capital against each of these risks.
If the appetite or tolerance for a risk cannot be quantified easily, there should be articulation of mitigants and of how a possible risk event will be addressed. There should be a clear link to the overall risk management framework.
Good practice would involve modelling, stress testing and scenario testing to establish linkages between risk appetite and capital and as essential inputs into the determination of target capital.
A better practice observed was the testing of a quantified risk appetite against a range of scenarios which had been discussed and approved by the board e.g. in a workshop environment. Such an approach tests how the risk appetite translates into required capital. The board can then assess its comfort with the likelihood and impact of occurrence and the anticipated timeframes for returning to target capital levels.
In this way a feedback loop is developed. Articulation and discussion of these issues and the outcomes becomes a primary tool by which the board can engage with and test management as to how the risk appetite translates into required capital. This can assist the board and management to understand how the ICAAP may need adjustment from time to time to reflect the impact of business decisions.
Such an approach involves the ICAAP being used as a forward-looking strategic management tool to inform business decisions. This in turn can provide deeper insight into the risk profile and likely future capital needs, and assist in achieving desired levels of return on capital.
For consideration
  • Is the board satisfied that the Summary Statement clearly describes:
the material risks arising from its business activities;
its risk appetite and risk tolerances;
how capital is allocated against identified risks; and
how the risk management framework and the ICAAP are inter-related?
  • Has the board determined:
how the impact of business decisions is linked to risk appetite and available capital;
how this is monitored and reported; and
how analysis and learning from this is captured and used to enhance future consideration of risk appetite and the ICAAP?

The extent to which the ICAAP is self-contained

Typically, some of the information supporting the Summary Statement is captured in other documentation such as risk appetite statements (RASs), risk management strategies, capital management plans and business plans. In some cases institutions stated that they intend to provide further detail in the ICAAP Report (e.g. on stress testing) rather than in the Summary Statement itself.
Nonetheless there is an expectation set out in CPG 110 paragraph 41 that the Summary Statement ‘… will refer to other policies and procedures, but will be relatively selfcontained’.
For consideration
  • Has the board considered whether the Summary Statement is sufficiently complete on a standalone basis? For example, could a new director understand clearly the overall capital assessment and management processes and their links to the risk management strategy from reviewing the Summary Statement without the need to refer to other documents?

Statutory and general funds and Level 2 insurance groups

The majority of Summary Statements for life insurers did not explicitly consider statutory and shareholder funds separately from the institution as a whole. Similarly, friendly society institutions need to ensure that the benefit funds and the management fund are considered explicitly. Given that APRA’s capital requirements operate at fund level, it is essential that the Summary Statement considers each fund separately.
The Summary Statement for a Level 2 insurance group must have adequate regard to the capital needs of the relevant institutions in that group.
For consideration
  • Is the board satisfied that the Summary Statement adequately discusses the capital requirements at all relevant levels?

Governance

Board ownership and involvement

Better practice Summary Statements describe the respective roles of the board and management in the ICAAP process, how the board is engaged in the process of developing and finalising the ICAAP and what mechanisms exist for the board to provide and receive feedback.
There should be clear delineation between board responsibility for oversight and approval of the ICAAP and management responsibility for documenting and implementing processes.
For consideration
  • Is the board satisfied that the Summary Statement clearly defines board and management responsibilities in respect of the ICAAP and makes it clear how the board expects to receive feedback on the implementation and effectiveness of the ICAAP?

Scope & objectives, institution specificity, forward looking and embedded

There was a range of approaches to discussing the scope of the ICAAP in the Summary Statements – some were very unclear. Better practice included defining the scope by using organisational charts and through commentary on the business activities being covered. Where the Summary Statement was for a group, or an institution that is part of a group, better practice was using a summary table specifying which legal entities in the group are included or excluded from the Summary Statement.
Some Summary Statements did not clearly set out the objectives of the ICAAP while others had broad generic statements e.g. referring in general terms to the need for capital planning and meeting adverse business outcomes. A few weaker examples noted that the Summary Statement was produced primarily for the purposes of compliance with APRA’s requirements; this is clearly inadequate.
The Summary Statement must have sufficient institution-specific information in three key areas:
  • a clear link to the risk appetite;
  • an explanation of how risk appetite links to capital targets and triggers; and
  • an outline of how this is embedded into risk management and business operations.
Poorer Summary Statements gave only a generic description of what a risk appetite statement should contain, quoted at length from prudential standards and/or prudential practice guides or gave theoretical explanations of concepts related to risk and capital management.
It is also important that the content of the Summary Statement reflects what is actually done in practice; the Summary Statement should provide a clear description to demonstrate this.
For consideration
  • Has the board articulated clear objectives for the ICAAP and are they stated in the Summary Statement?
  • Does the Summary Statement adequately describe and consider the institution’s specific business circumstances and structure?
  • Does the Summary Statement make it clear how the board and management plan to use the ICAAP as an integrated and strategic tool to enhance business outcomes?
  • Does the Summary Statement make it clear how the board expects the ICAAP to be embedded in business operations?

Review of Summary Statements

Most Summary Statements lacked sufficient detail on how the ICAAP will be independently reviewed. The key requirements (set out in LPS 110 paragraph 15 and GPS 110 paragraph 13, supported by paragraphs 37 to 40 of CPG 110) include that the reviewer must be appropriately qualified and operationally independent of the conduct of capital management.
Some Summary Statements recognised that, initially, external parties may need to be engaged to conduct the reviews until appropriate skills have been developed internally. Others indicated the view that Internal Audit teams already had sufficient skills. APRA’s view is that an Appointed Actuary cannot undertake the required independent review of the ICAAP as they are not operationally independent of capital management.
Better practice would be for the Summary Statement to describe the purpose of the independent review; provide a description of the components to be reviewed and related timeframes; and describe parties responsible for undertaking the review or at least set out options as to the parties that may conduct the review.
Most Summary Statements stated that the ICAAP would be subject to review on a regular basis e.g. annually or as required. In relation to the latter, better practice would be for the ICAAP to describe what trigger events would result in a review of the ICAAP.
For consideration
  • Is the board satisfied that the Summary Statement clearly articulates details of the independent review of the ICAAP that will be undertaken?
  • Is the board satisfied that the Summary Statement clearly articulates an appropriate review cycle for the ICAAP? What trigger events which would warrant review of the ICAAP outside the normal review cycle?

Board monitoring and reporting processes

A number of Summary Statements contained insufficient detail on the material to be provided to the board regarding capital monitoring and reporting. Better practice Summary Statements included a table of proposed board reports, a brief description of their purpose and content (which, in some cases, highlighted key items), a distribution list, timeframes and the parties responsible for preparation. In contrast, poorer examples included no detail on reporting and monitoring processes and merely cross-referenced to other documents.
For consideration
  • Does the Summary Statement clearly articulate the board’s expectations regarding the content and frequency of reporting?

Risk Management

Risk coverage and description

A variety of approaches are used for categorising risks, with the most common approach being to align risks with regulatory and / or economic capital requirements.
The Summary Statement should explain clearly the overall approach to defining and categorising risks, how these risks are managed and the links to risk tolerance and allocation of capital. This will include, where appropriate, how factors such as diversification and/ or correlation of risks have been taken into account.
An example of poorer practice was a very simplistic matrix listing risk categories but providing no further detail.
Generally there was limited consideration of risk appetite in relation to a number of material risks. For example there was often only limited discussion of liquidity risk or (where relevant) consideration of risks associated with being a member of a group, such as contagion risk and risks related to operational dependencies from shared functions.
As noted earlier, these aspects are also relevant when articulating risk appetite. A clear and comprehensive risk appetite statement will assist in ensuring that all relevant risks are identified and explained. The Summary Statement can then document how capital is allocated against these risks.
For consideration
  • Is the board satisfied that all material risks are identified in the Summary Statement?
  • Does the board consider that the Summary Statement clearly describes the risk appetite, risk tolerances, broad approach to managing risks and approach to allocating capital against material risks?

Link to Risk Management Framework (RMF)

Most Summary Statements provided at least a broad description of what is covered by the RMF. This may include an overview of the policies, procedures, systems and people who are involved in identifying, measuring, monitoring and managing risks.
Better Summary Statements provided an understanding of how the risk management process works holistically (e.g. how related policies and procedures fit together in practice) and an outline of reporting, monitoring and governance processes for risk management. Several supplemented this description with a comprehensive list of related policies and procedures including how risk management processes have been built into the functions and controls at business unit level; and how these roll up to be part of the overall risk management approach.
Weaker Summary Statements contained insufficient detail to enable an understanding of overall risk management processes or, conversely, had too much procedural detail. As mentioned above, another example of poor practice is the use of generic or theoretical explanations of risk management structures and processes with no specificity to the institution.
Where institutions rely on group-wide policies, the Summary Statement needs to state clearly how group-wide policies are operationalised or tailored for application to the institution.
For consideration
  • Is the board confident that the Summary Statement clearly sets out how the ICAAP interacts with the RMF?

Capital Management

Capital targets and quality of capital

Capital targets are often based on a probability of not breaching regulatory capital requirements. Other measures of capital adequacy may also be taken into account such as economic capital or ratings agency assessments. Where relevant, the interaction between these other measures of capital adequacy and the capital targets should also be described.
APRA’s prudential standards do not prescribe a particular approach to the determination of capital targets. However the Summary Statement should describe at a high level the approach adopted so that the methodology at the institution is clear. This should include the use of stress and scenario testing outcomes to establish the link between the amount of risk deemed acceptable as per the risk appetite and the level of target capital.
This is also linked to the RMF, since determination of capital is typically linked to the appetite for risks and any relevant mitigants in place to reduce the possible impact of risks should they eventuate.
Where the Summary Statement considers both regulatory and economic capital targets, it should provide some explanation of:
  • the benefits of using both;
  • where relevant, why these different approaches result in different amounts; and  the implications of this for capital management.
Capital targets were often linked to the Prescribed Capital Amount (PCA). It is likely in most circumstances to be more appropriate to refer to the Prudential Capital Requirement (PCR) although there may be circumstances where discussion of the PCA is also appropriate.
Not all Summary Statements discussed the board’s approach to the quality of capital. APRA expects Summary Statements to explain the reasons for the chosen mix of different types of capital, how monitoring of the chosen mix occurs, and what circumstances would trigger a review of the appropriateness of the capital mix.
For life insurers there was not always consideration of capital targets, stresses and capital mix for specific statutory funds or the shareholder fund, rather than only for the institution as a whole. A similar observation applies to friendly societies in relation to benefit funds and the management fund.
For consideration
  • Has the board determined specific capital targets that take into account the risk appetite and the outcomes of stress / scenario testing? Are these clearly described in the Summary Statement?
  • Has the board clearly articulated its preferred capital mix? Does the Summary Statement explain the rationale for the chosen mix and when this might need to be reviewed?
  • For life insurers and friendly societies, has the board considered these factors at all relevant levels?

Sourcing and transferability of capital

Some Summary Statements did not describe adequately the sources of potential new capital. Some referred generically to capital raising options but did not provide much, if any, specific detail.
Where it is envisaged that additional capital may be sourced from public markets, there often was little articulation of whether market conditions may limit the availability of additional capital under certain conditions or scenarios and what contingency plans may be.
A number of Summary Statements noted the ability to access additional capital from a parent or group but did not include much detail of how this would occur in practice.
Summary Statements should describe matters such as:
  • the capital raising or transfer approval process;
  • how quickly transfers could occur, including possible legal or other impediments in certain circumstances; and
  • the impact adverse market conditions impacting the group as a whole might have on the availability of capital to support the institution in need.
For life insurers similar factors are also relevant in relation to possible transfers between statutory funds and the shareholder fund, and for friendly societies between the benefit funds and management fund respectively.
For consideration
  • Has the board clearly articulated when and how it would access additional capital and the possible impediments to accessing additional capital?
  • For life insurers and friendly societies, has the board considered the above factors at all relevant levels?

Granularity in describing triggers and actions

Some Summary Statements did not contain sufficient detail of triggers for capital management actions or the management actions that would be initiated. Better practice would see clear explanation of matters such as:
  • how specific trigger events relate to potential management actions and who is responsible for these actions;
  • the impact of potential actions on the capital position;
  • the likely timeframes for the management actions to take effect;
  • the board’s expectations of acceptable timeframes for return to a ‘normal’ capital position ;
  • whether planned actions are realisable in a severely stressed scenario;
  • the impact of any key dependencies e.g. key investors or particular markets; and
  • relevant contingency plans.
The prudential standards contain notification requirements in the event of breaches or prospective breaches of the PCR or any significant adverse changes in the capital base or PCR. Some Summary Statements did not include such notification in relevant action steps.
For consideration
  • Is the board satisfied that the Summary Statement articulates in adequate detail trigger events and related management actions, including relevant timeframes, responsibilities and contingency plans?
  • Does the Summary Statement include notification to APRA where required?

Stress testing

Self-assessed area for improvement

Stress testing was identified in many Summary Statements as an area where improvements are planned over the next 12-18 months.
APRA expects that, where improvements have been identified as necessary, the board will have articulated a clear plan for these to occur.
Typical improvements identified included:
  • more sophisticated scenario analysis tailored to the risk profile of the institution;
  • the use of reverse stress testing; and
  • enhanced mechanisms for considering stress testing outcomes in strategic and business planning, risk management and capital management.
For consideration
  • Has the board considered whether its approach to stress testing requires improvement? If so, has it articulated clearly its plan for making these improvements?

Level of detail and conservatism

Most Summary Statements have limited - or in some cases no - details on the stress scenarios and methods to be used, the process for determining sensitivity and scenario parameters, the roles and responsibilities for stress testing, and the reporting and approval requirements.
APRA does not expect that the entire methodology for stress testing is set out in the Summary Statement. However it is expected to contain an adequate summary of the key elements of the chosen stress testing approach.
APRA not infrequently finds that stress tests are generic and may not be sufficiently severe. Stress tests should include a variety of plausible and severe scenarios tailored to the risk profile. Reverse stress tests also should be considered.
For consideration
  • Has the board considered whether its approach to stress testing is adequate and explained sufficiently in the Summary Statement?
  • How has the board satisfied itself that the stress scenarios are relevant to the risk profile and are significantly adverse?

Board engagement in stress testing

Most Summary Statements did not have much description of board engagement in the stress testing process. In some cases, the Appointed Actuary took the lead in determining changes to parameters for stress testing and ensuring that material risks are covered and the board would then consider the recommendations.
A variety of approaches were used to identify stress scenarios and outcomes e.g. the use by general insurers of catastrophe models and the use by life insurers of dynamic financial analysis. While such models are useful, their outputs need to be carefully considered and challenged by boards to ensure that the answer from the model is not blindly accepted and that appropriate judgement and sense-checking is applied.
Better practice would see the board:
  • being involved in developing the scenarios to be tested;
  • being informed of the basis for stress test inputs;
  • involved in reviewing the outcomes of stress testing and challenging management;
  • having input into any changes to the scenarios based on the outcomes; and
  • considering changes to risk appetite, capital management and strategic and business plans to reflect stress test impacts.
Separate to the Summary Statement, the board’s deliberations in these areas should be appropriately documented.
For consideration
  • Has the board articulated clearly its role in stress test definition, development and assessment and this this set out in the Summary Statement?
  • Does the board discuss and challenge the results and impacts of stress test outcomes?
  • Has the board described in the Summary Statement its approach to incorporating stress testing outcomes when reviewing risk appetite, capital management, and strategic and business plans?