Financial risks taxonomy.
Since banks and insurance companies are financial institutions dealing with risks in various aspects of their business, it is important to make a general approach to the issue of risk and risk management from the perspective of these institutions. In that regard, we made a short overview of the risks these institutions are faced to as well as the methods they use for risk assessments. In order to limit our research to specific financial markets, we provided the basic characteristics of bank and insurance markets of Southeastern Europe (SEE), presenting the core indicators of development level of these markets and their legal and institutional environment related to new regulation proposed in Europe. We analyzed the level of implementation of Basel and Solvency risk assessment standards in these countries and tried to anticipate direction(s) where these markets are going to move in the coming period.
- risk assessment
- insurance companies
- Southeastern Europe (SEE)
The global financial crisis (2007–2009) severely tested the ability of intermediaries to effectively manage and control the various types of risk, revealing the incoherence between the risks taken and perceived as well as profound weaknesses in risk governance. Since as early as 2009, the OECD, the Senior Supervisors Group, the G-30, and the European Commission itself have denounced the close interdependence between the serious deficiencies in banks’ organizational and control systems, and the equally serious inadequacy of risk governance. In 2009, the Basel Committee on Banking Supervision (BCBS) issued a policy document “Enhancements to the Basel II framework - Supplemental Pillar 2 practices” (part of the package is better known as B2.5). The document highlighted the need to “overcome organizational silos between business lines” and the urgent need to enhance “firm-wide oversight, risk management and controls.” The interventions it indicated as necessary in order to improve the overall risk governance system included: strengthening of the board’s and senior management’s role of guidance and control, including through definition of the risk appetite framework (RAF), risk management and internal control systems integrated at entire group level, and an appropriate management information system (MIS) at business unit and group level.
This undoubtedly provided the seedbed for the ongoing proliferation of standards on risks and capital we have witnessed in recent years, intended, desirably, to lay the foundations for solidity and stability of individual banks and, consequently, ensure resilience of the financial system in its entirety. A proliferation which might, at times, appear excessive considering the great amount of sound practices, principles, regulatory frameworks regarding risks and capital produced by the regulator in recent years. The new regulatory framework, known as Basel III, introduced an in-depth reform of banking regulation and constitutes a significant step forward, resulting in interaction between supervision of individual banks (known as “microprudential supervision”) and supervision of the banking and financial system as a whole (“macroprudential supervision”) .
With regard to capital, through the new Basel III regulations, the supervisory authorities saw fit to bring the concept of supervisory capital closer to that of capital from an accounting perspective, since the set had previously included tools that did not constitute capital in the strict sense and which were therefore unusable for covering operating losses recorded during the bank’s operation. Furthermore, Basel II’s concept of supervisory capital included financial resources treated differently in the various European countries, and this caused a problem in comparing the capital of the various banking institutions.
The new rules were intended to render capital structure simpler and more transparent as well as improve the quality and quantity of supervisory capital. In particular, it was established that the new concept of capital would include just two levels: Tier 1 (comprising common equity Tier 1 capital and additional Tier 1 capital) and Tier 2. The first was intended to ensure corporate continuity (going concern), while the second would absorb losses in the event of serious difficulties and liquidation (gone concern). Tier 3 capital was therefore eliminated in order to ensure that market risk was covered by the same capital resources used to cover the other risks. To improve the quality of supervisory capital, it was established that, in order to perform its function, Tier 1 would have to be composed predominantly of common equity (ordinary shares and retained earnings, therefore excluding preference shares and savings shares) and constitute the most subordinate component in redemption and remuneration (i.e., the most stable) as well as the one most available to absorb management losses. Other capital resources may be included in Tier 1, to a limited extent and on condition that they are subordinate, do not have obligatory remuneration, do not have a maturity or incentives to redeem, and are adequate to absorb management losses.1 Besides, to improve the quantity of supervisory capital, Basel II provided that the overall required capital provision had to be equal to at least 8% of risk-weighted assets, while, in accordance with the new Basel II regulations, it must be equal to at least 10.5% of risk-weighted assets. In particular, it was established that common equity must be equal to at least 7% of risk-weighted assets and supplemented by two buffers which would be introduced gradually: a conservation buffer and a countercyclical buffer. The conservation buffer must be equal to 2.5% of the bank’s overall risk exposure and be composed of common equity. It must be intended for conservation of corporate continuity, in other words absorption of losses during crisis periods. The countercyclical buffer may be equal to a maximum of 2.5% of risk-weighted assets and must be built up during favorable periods of the economic cycle, when risk is accumulated, for possible use when conditions deteriorate and risk materializes. This must be observed by setting aside common equity or other capital resources capable of fully absorbing losses, and its purpose is to achieve the broader macroprudential objective of protecting the banking sector from phases of excessive total credit expansion in relation to GDP (contain the procyclicality phenomenon). It is not obligatory for this buffer to always be built up like the first one, and it may even be less than 2.5%, at the discretion of the national authorities.
For implementation of the Basel III Accord, the European Commission transposed its content into the following two legislative acts:
CRD IV (Capital Requirement Directive IV)2, which concerns, among other things, the conditions for taking-up and pursuit of the business of banks, right of establishment and freedom to provide services, the prudential control process and additional capital reserves. In order to be applicable, this directive must be transposed into the legislation of the various nations;
CRR (Capital Requirement Regulation) , which governs first-tier prudential supervisors and the rules on public disclosure (capital, leverage ratio (LR), counterparty credit risk, and liquidity risk). The inclusion of prudential rules in a regulation responds to the objective of creating a set of rules valid throughout Europe which are as harmonized as possible for intermediaries operating in the single market. This regulation does not need to be transposed into the respective national legislations and is therefore directly applicable in the various Member States, thus rendering the regulation and supervision process faster and simpler.
In this new regulatory context, the risk management function (risk assessment, measurement, monitoring, and reporting) of undertakings and their various businesses assumes strategic importance.
2. Role of risk assessment in banks and insurance companies
The Concise Oxford English Dictionary defines risk as the hazard, the chance of a bad consequence, loss or exposure to an accident. This is actually the definition of downside risk (“bad” or “real” risk, the risk of loss), which we often encounter in everyday life. The upside risk is opposite to the downside risk, which rarely happens and relates to the potential for gain.
Financial risk is considered sui generis, and it can be defined as any event or activity that may adversely affect the ability of an organization, commonly a bank or an insurance company, to achieve its objectives or implement its strategies. Alternatively, risk is also defined as measurable probability of loss or reduced expected return . In fact, contemporary understanding of the financial risk refers to the downside risks associated with financial institutions, that is, banks and insurance companies, and the volatility related to their returns.
Since the banks and insurance companies are professional risk takers and they operate on the basis of transferred powers and trusts (by depositors and insureds), their risk management (including assessment) is subject to regulatory constraints, especially in the sense of applying the Basel and Solvency standards, in order to reduce the systemic risk (the primary objective of regulation in banking) and to protect the insureds (the primary objective of regulation in insurance sector). The most recognized type of risk in banking is probably the market risk, or the risk of a change in the value of a financial position due to variation of the value of the underlying factors, such as stock and bond prices, exchange rates, commodity prices, and so on. The next important category is credit risk (or default risk), which is the risk of not receiving promised payments on executed investments (such as loans and bonds) due to borrower’s default. Another risk category, which in recent times has been receiving increasing attention, is operational risk, which is the risk of loss resulting from inadequate management of information telecommunications and other systems as well as from inappropriate internal procedures, processes and controls, weaknesses, omissions, employee irregularities and errors, external illegal actions or unforeseen external events that have a potential to cause physical damage to assets of the bank, and so on.
Special risk-type insurers are faced to is underwriting risk, that is, the risk inherent to insurance policies. Risk factors which are important here are as follows: changes of the ways of national catastrophes, demographic changes, changes in customer behavior (e.g., prepayment), and so on.
It is very difficult if not impossible to identify all types of risks that could possibly occur in the operations of today’s financial institutions. This is even a bigger challenge when we consider the complexity due to interactions between various types of risks and the ever-changing environment in which the financial institutions operate. However, the taxonomy of the risks associated with financial services identifies the risk types presented in Table 1.
|Market risk||• Interest rate risk|
• Exchange rate risk
|Credit risk||• Active vs. passive credit risk|
• Credit risk specific to the company vs. systemic credit risk
|Counterparty risk||• The risk of an ineffective client or a trading partner|
|Liquidity risk||• Normal liquidity risk|
• Crisis liquidity risk
|Operational risk||• Technical risks|
• Organizational risks
|Risk inherent with insurance policies||• Negative (wrong) selection risk|
• Moral hazard
|Legal risk||• Risk related to changes in law, court judgements, or regulations|
• Fraud and violations of regulatory violations by employees of a financial institution
|Model-related risk||• Risks associated with bad models when determining the value of financial instruments|
• Inaccurate risk assessment of trading activities due to bad models for decision-making
|Event-related risk||• Stock market collapse|
• Sudden changes in the tax system
• Sudden changes in regulatory policy
• Currency exchange rate extreme volatility
• Terrorist attacks
• Various disasters (wars, revolutions, earthquakes, extreme weather)
|Strategic risk||• Risks associated with the business plans and strategies of financial institutions|
|Business risk||• Business cycle risks|
• Revenue fluctuations (commission based, for example)
|Reputational risk||• Risk associated with bad reputation and negative publicity that leads to loss of income|
|Systemic risk||• Interest rates variations|
• Base risk
|Solvency risk||• Definitive and aggregate risk of financial institutions|
The only effective way to successfully manage financial risks is in a holistic, integrated approach that takes into account all types of risks and their interactions. Traditional “silo” approach has been less effective as it assumes isolated treatment of certain types of financial risks.
3. New regulatory risk assessment framework in Europe
The regulation associated with the financial risk management stems from early finance history, such as Venetian banks and the early insurance companies that emerged from London coffee shops in the eighteenth century. However, the key developments that have led to the current international regulatory framework and financial risk management are a typical twentieth-century story.
3.1. Path to regulation of financial risks
Most regulations associated with the financial (especially banking) risks resulted from the BCBS. While the BCBS does not have any formal supranational supervisory authority, it formulates some general supervisory standards and guidelines. It also defines and recommends the best practice, with the expectation that relevant authorities will take the necessary steps to implement it through detailed arrangements (prescribed by law or otherwise), best suited to their respective national systems. It is important to note that the original guidelines referred to only “internationally active” banks, which has since changed.
On 11 July 1988, the BCBS issued “International Convergence of Capital Measurement and Capital Standards,” or “Capital Accord,” and then on 19 January 1996, adopted a corresponding amendment (“Amendment to the Capital Acord to Incorporate Market Risks”). The Capital Accord, including the Amendment, is primarily focused on the protection of banks against credit and market (interest and currency) risks. On one hand, banks require linking between the credit risks and prescribed capital reserves and capital adequacy ratios, while, on the other hand, they are free to determine their capital reserves for market risks by using internal models, primarily so-called Value-et-Risk (VaR) model.
Over the recent years, we have witnessed a growing regulatory pressure on the insurance sector, linked with the combination of the two regulatory frameworks: institutional or methodological. For example, the Joint Forum on Financial Conglomerates was founded in early 1996, under the patronage of the BCBS, the International Organization of Securities Commissions (IOSCO), and the International Insurance Supervision Association International Association of Insurance Supervisors (IAIS). This body was formed with the aim to take over the so-called Tripartite Group, which handled the supervisory issues related to financial conglomerates since 1993 and until July 1995. The Joint Forum includes the same number of supervisors of older banks, insurance companies, and financial services companies (investment banks, brokers, and dealers), representing each supervisory unit, or three parent organizations.
A complete set of baseline rules for prudential supervision, also well known as Basel I, has significantly stepped up with regard to the effective determination of the minimum international capital standards. This historic agreement was signed in July 1988 by the member countries of Group 10, Luxembourg and Spain. It came into full force in January 1993. To date, these rules have been accepted by over 100 countries. There is an understanding and expectation that banking credibility is not satisfactory if Basel rules about business operations are not implemented. Basel I accepted a standard division of total banking capital into two basic components (Table 2).
|I Primary capital (core capital)|
• Share capital
• Retained profits
|II Secondary capital (supplementary capital)|
• Subordinated bonds with a maturity of over 5 years
• General reserves for loss coverage
• Latent reserves
• Valorization reserves
|III (I + II) Total capital|
The current rate of the required regulatory capital for a bank to qualify as adequately capitalized implies the following :
The percentage of the primary capital ratio (CR) and the total weighted risk must be at least 4%.
The percentage of total capital to total risk-weighted assets must be at least 8%, with secondary capital limited to 100% of the primary capital.
Despite having historically assisted in the development of an international framework for the regulation of financial risks, Basel I has also been subjected to criticism. Two main areas come to focus as limiting: a fairly general approach to credit risk and the failure to appreciate the impact of market risk. In the context of strengthening connections between banks and financial markets (the so-called market banking) and the increased banking risks in the field of financial instruments, foreign exchange instruments, and derivative positions, the BCBS published some new proposals in 1993. They focused on the requirement for banks that faced higher degree of exposure to market risk that they hold a higher quantum of capital with regard to the size of their assets. The Basel I amendments in 1996 prescribed a standardized market risk model, while at the same time allowing larger and more sophisticated banks to choose an internal model based on VaR (an in-house developed model). Legal implementation of these amendments was achieved in 1998.
Instead of a standard methodology, banks may alternatively use internal models when evaluating market risks if they have adequate internal market risk management systems. However, these systems must be explicitly accepted by the appropriate supervisory agency. This agency prescribes general qualitative and quantitative standards, which must be integrated into internal models for the assessment of market risks and the formation of an adequate level of capital. For example, a 10-day VaR of EUR 20 million at a confidence level of 99% means that the market portfolio will cause a loss of EUR 20 million or more with a probability of 1% until the end of the 10-day holding period, if the composition of the portfolio remains unchanged during the same period. The choice of the holding period (10 days) and the level of reliability (99%) lie in the hands of the regulator only when VaR is used to calculate regulatory capital3; otherwise, it is arbitrated. The main qualitative standards are as follows :
Internal models must be integrated into daily bank risk management processes.
The board of directors and senior management of the bank should be actively involved in the risk control processes.
There must be an independent risk control service within the bank.
Internal models must contain appropriate limits that restrict the exposure to market risks at operational level.
The corrective multiplier must be at least three and can be increased to four, which depends on the results of the backtesting.
The bank must implement the regulatory program of backtesting of its internal market risk model. Namely, we are talking about ex post checks of the efficiency of the internal model by comparing the VaR risk assessment with the actual profits and losses of the bank. Backtesting should show whether or not the specific internal model used by the bank is a reliable measure of potential losses. If backtesting shows satisfactory results, the corrective multiplier holds the value of three; otherwise, it can be increased to four.
The bank should have a readily available rigorous stress-testing program.
The main quantitative standards relate to the following rules:
The VaR determination is performed on a daily basis with a 99% confidence level.
The holding period for the risk calculation due to the holding of financial instruments is at least 10 working days.
The statistical basis for VaR accounts must be at least 1 year, but the audit is done at least at quarterly intervals.
The supervisory authorities do not prescribe a certain internal model that banks have to adhere to, so it is possible to use various models, ensuring that qualitative and quantitative standards are being followed. An internal model determined by a bank must obtain the explicit consent of the supervisory authority.
On 26 June 2004, the central bank governors and supervisory directors of Group 10 published the changes to capital framework, called Basel II. The key conceptual change within Basel II is the introduction of the concept of three tiers.
3.2. The three-tier concept
Tier 1 (risk assessment) requires that the banks calculate the minimum capital charge, which relates to regulatory capital, in order to quantify the minimum capital in relation to the potential economic loss. According to Basel II, there is a cost of capital for credit risk, market risk, and (for the first time!) operational risk. While the treatment of market risk is relatively unchanged from the Basel II Amendment of 1996, the cost of capital for credit risk has been significantly changed. In calculating the cost of capital for credit and operational risk, banks can make a choice between three different approaches in increasing the sensitivity and complexity of the risk: the basic indicator approach, standardized approach, and advanced measurement approach (internal methodology using quantitative and qualitative criteria).
Any quantitative approach to risk management should be embedded in the functional governing structure of an institution. Therefore, the best practice in risk management imposes clear restrictions on the organization of the institution (board of directors, management, employees, internal, and external audit processes). Specifically, the Board of Directors assumes ultimate responsibility for the failure of the “landscape” risk and the risk appetite formulation. This is where the Tier 2 (risk management) comes in. With this important tier, which is designated as a supervisory audit process, local regulators perform various checks, bringing the order of balance. This tier starts from the need for an effective overview of the bank’s internal overall risk assessment and ensures that the management trains the “sound” of the assessment and set aside the adequate capital for various risks.
Finally, in order to fulfill the promise that the growing regulation will also reduce the systemic risk, clear guidelines on risk reporting by financial institutions are also required. Tier 3 (risk transparency) requires the establishment of a market discipline through more effective communication of risk measures and other information relevant to risk management.
In analogy to Basel II, the structure of the Solvency 2, regulatory regime in the insurance sector, is also set up as a three-tier structure.
3.3. From Solvency 1 to Solvency 2
Until the latter half of the 1980s, the insurance sector was notable for its substantial “staticity,” having, for a long time, been sheltered from environmental and regulatory disturbance and not being marked by any particular vivacity in terms of product and process innovation. The shifting environmental conditions of the last 25 years, affecting the structure of the insurance market and the financial system in general (consequent to the process of deregulation and internationalization of the industry that colored the 1990s), have, however, triggered profound changes in ownership structures, forms of competition, and distribution patterns, and, overall, in the management techniques of insurance undertakings .
The supervisory system has not been unaffected by this process of profound change, also undergoing significant alteration. The specific nature of this evolution is evident in the move from supervision based essentially on “structural” monitoring methods to other, “prudential” methods as well as in the strengthening of supervision on consolidated foundations and in the increase in cooperation agreements between the Supervisory Authorities at national and international levels.
The insurance (and reinsurance) sector—albeit on a different timescale to the banking one but in fundamentally similar ways—has not been left “untouched” by this evolutionary process either and, following a long “gestation” period, on 1 January 2016, the new regulatory regime known as “Solvency 2,” pursuant to Directive 2009/138/EC (containing the general principles), together with the additional levels of the legislation (containing greater detail)4, was introduced throughout the European Union (EU). While Solvency 1 proved itself to function without causing serious “trauma,” given that the financial crisis did not highlight any significant cases of bankruptcy of insurance undertakings, its limitations were evident right from the early 2000s (in other words, from the start-up phase of the draft revision of the current regulatory regime). Moreover, the undisputed merits of its extremely simple and robust regulatory infrastructure were countered by a series of critical issues which called its future applicability into question. In this perspective, Solvency 1—characterized essentially by its solvency margin requirements, its requirements for risk quantification of commitments undertaken, and its quantitative and qualitative limits on assets to cover liabilities—induced scholars, practitioners, and the supervisory system itself to highlight the relative limitations5 and identify the possible solutions .
One of the main criticisms leveled at Solvency 1 is that, being a model based on flat rates, it neither took due account of the specific riskiness of each undertaking nor considered the portfolio of risks to which an undertaking is exposed, on the assets and liabilities sides . Indeed, Solvency 1 not only provided (on the liabilities side) for application of essentially flat rates to technical parameters which often revealed insufficiencies in the rounding of the risks of an undertaking’s insurance portfolio, but also did not take account of the quality of the said portfolio or (on the assets side) of the investments made in order to provide adequate cover. This resulted in the clear paradox that two insurance undertakings showing (on the liabilities side) the same riskiness are required to hold the same capital for supervision purposes despite clearly differing (on the assets side) in terms of the riskiness of their investments.
The need to remedy the said limitations spurred European legislators to initiate an in-depth review of the system for supervision of company solvency in insurance undertakings, with a view to comprehensive innovation of the supervisory prudential rules in order to ensure a level playing field within the insurance sector and create a new, risk-oriented regulatory framework (Solvency 2) . In this regard, the end goal aimed for was the definition of a prudential supervisory system involving appropriate capital requirements, in other words “tailored” to the risks to which insurance undertakings are actually exposed and capable of incentivizing more careful measurement and management of these by the intermediaries themselves.
3.4. Risk assessment in the light of Basel III
The BCBS reached a consensus regarding the Basel III framework on 26 July 2010. On 30 November 2010, the G-20 leaders indorsed the framework at the summit in Seoul, South Korea. Basically, Basel III relies on the Basel II framework. Basel III has three objectives that are articulated by the Committee: to address the issues which led to the global financial crisis and the lessons learned from the crisis, improve risk management and governance, and strengthen bank’s transparency and disclosures. The Basel III Accord is characterized as a successive process in which banks are to increase the primary capital ratio from 2 to 7% in several years to come. The total implementation of Basel III is expected on 1 January 2019. Regulators believe that under crisis banks may temporarily reduce the ratio to 4.5%, but are not allowed to pay bonuses and dividends until they return the ratio to 7%.
In addition to the Basel II capital ratio, Basel III requires banks to respect additional ratios, such as leverage ratio, liquidity coverage ratio (LCR), and net stable funding ratio (NSFR). The risk-based capital ratio (CR) requires that 8% of risk-weighted assets are covered by tier 1-capital plus tier 2-capital. The volume-based leverage ratio (LR) requires banks to hold 3% T1-capital against total assets. The net stable funding ratio (NSFR) stipulates that stable-funding weighted assets are to be 100% covered by stable-funding weighted liabilities. The liquidity coverage ratio (LCR) requires that outflows are 100% covered by inflows plus the (haircut-weighted) liquidity reserve .
The new Basel III regulatory framework increases the importance of the risk management process, which includes risk assessment. Indeed, risk assessment is a strategic phase of the risk management process. However, new developments in financial markets, financial management practices, operational complexity, and supervisory approaches and rules (Basel II) have, over the last decade, created new risks, cross-type risks, interrelation between traditional risks (such as counterparty risk, credit risk, market risk, operational risk, and liquidity risk) and increased the importance of the risk management process, infrastructure, and governance. All this has presented the risk management function with a great challenge.
Article 86 of Directive 2013/36/EU  requires undertakings to have robust strategies, policies, processes, and systems for identification, measurement, management, and monitoring of liquidity risk over an appropriate set of time horizons and management and monitoring of funding positions, in order to ensure that they maintain adequate liquidity buffers and funding (commonly referred to as the “Internal Liquidity Adequacy Assessment Process”: ILAAP). Risk assessment is an extremely critical phase of this process and should cover the major sources of financial intermediaries. As we know, risk assessment is the starting point for the “Internal Capital Adequacy Assessment Process” (ICAAP) and, also, for strategic, capital, and liquidity planning, the “Risk Appetite Framework” (RAF)6 and the “Recovery Plan.”
The EBA guidelines  aim to achieve convergence of supervisory practices in the assessment of ICAAP and ILAAP as required by the SREP Guidelines, by introducing a common set of information that competent authorities will be using in their assessments across the EU. In particular, the guidelines aim to specify what general and ICAAP- and ILAAP-specific information competent authorities should collect from institutions following their minimum engagement model as specified in the SREP Guidelines. In this perspective, the EBA guidelines recommend that financial intermediaries prepare a list of risk categories and subcategories covered by ICAAP, including their definitions and parameters of individual risk categories, a description of their approach to the identification of risks (including risk concentrations) and the inclusions of identified risks within risk categories and subcategories to be covered. On evidencing the implementation of the scope, the general objectives, and the main assumptions underlying ICAAP, competent authorities should ensure that they receive from institutions the following: (a) list of risk categories and subcategories covered by ICAAP, including their definitions and perimeters of individual risk categories; (b) explanations of the differences between the risks covered by ICAAP and the risk appetite framework, where the scope of risks covered is different; and (c) description of any deviations in the ICAAP process and in the key assumptions within the group and the entities of the group, where appropriate. The effectiveness of the risk management process as a whole depends, in fact, on the quality of the risk assessment (thoroughness, coherence with the bank’s business model, etc.) and is consolidated over time if there exists, within the financial intermediary, a continual process of reconciliation between capital and liquidity planning, the ICAAP, the RAF and the Recovery Plan, governance, structure and organization. However, the goal of alignment and coherence constraint remains an aspiration for many undertakings because it requires a holistic approach to bank governance.
In this perspective, it is important to understand the way in which undertakings perform their risk assessments. There is no single approach for all banks because they usually have different business models, strategies, capital and liquidity buffers, operational complexity structures and governance, and, therefore, different risks.
In general terms, the risk map should be: exhaustive, transparent, consistent, and well-integrated into the business model (holistic approach). Firstly, the assessment should include all risks to which undertakings are or could be exposed (principle of exhaustiveness). This should include difficult-to-measure risks such as compliance risk and reputational risk. Secondly, the methodology used to assess and measure exposure should be duly documented together with the assumptions used during the risk assessment process (principle of transparency). Nevertheless, the risk assessment process should be consistent and aligned with other institutions’ processes and with the nature, size, complexity, and scale of the bank’s business activities.
Faced with these procedural principles, we might ask ourselves: which risks do undertakings consider in their assessments? In the case of smaller banks, in general, the types of risk classified as key risks often comprise only credit risk, market risk, and operational risk, and supervisory risk measurement methods are also deployed internally to measure these risks. However, undertakings should, as a minimum, take into account in their assessment the risks recommended by the regulator or supervisory authority. It is important to underline that: (a) the risk mapping recommended by the regulator and supervisory authority are not fully aligned; (b) the regulator/supervisory authority’s risk mapping is not to be considered mandatory. It is an undertaking’s choice whether and how to combine risk types and risk subcategories. Indeed, the undertaking might classify certain risks differently to the regulator/supervisory authority. In the opinion of the European Central Bank (ECB) , it is important to map at least the following risks: (a) credit risk, (b) market risk, (c) operational risk, (d) interest rate risk in the banking book, (e) participation or equity risk, (f) sovereign risk, (g) pension risk, (h) funding risk, (i) risk concentrations, and (j) business and strategic risk. In the case of conglomerates and for material participations (e.g., in insurance undertakings), institutions are also expected to take inherent risks, such as insurance risk, into account in their risk mapping; in the case of other immaterial risks, institutions should explain why these are considered immaterial.
It is desirable, also for regulatory purposes, for institutions to define each of the key risks listed above as well as any other risks identified as key based on the institution’s risk profile, how the institution defines the materiality of each key risk, and a description of how each material risk is then quantified for capital allocation purposes, including detailed methodology to specify data, assumptions, and calculations. The bank’s assessment of risk indicators should also be reflected in its risk policies (measurement, management, and control). This means, for example, that a bank which considers country risks to be immaterial will subsequently avoid taking on material country risks, that is, the bank will keep activities such as proprietary transactions in foreign securities, interbank trading with international counterparties, or loans to foreign borrowers to a minimum.
It is important to understand that risk assessment must be based as closely as possible on an approach integrated and coherent with the bank’s business model and with risk governance as a whole, as previously underlined (principle of holism). This is in order to reduce overlap between businesses and the associated operational inefficiencies, to develop forms of collaboration orientated toward the pursuit operational synergies, and to achieve greater impact during the risk measurement, management, and control phases. This is also a cultural change whose driving force is the risk management function, called upon to perform a role of proactive consultancy in all areas of decision-making and of fruitful dialog with the operational functions. In this perspective, the risk management function must transition from the role of simple “controller” of risk levels and “producer” of information for the benefit of the top management and the board to that of influential partner actively involved in strategic decision-making processes.
In this regulatory and market context, there is a significant risk, for banking intermediaries, of being subjected to the numerous rules and chasing regulatory compliance without succeeding in germinating the seed of change planted in the new vision for the regulatory and supervisory system. In this perspective, it is therefore useful to adopt an integrated, holistic approach to risk management (“integrated risk management”). This is not merely a philosophical stance but, rather, a mindset that marks a moment of significant discontinuity with the past permeating entire banking undertakings capable of setting aside cultural resistance to change and waving of ideological flags. It is an approach that integrates and synergizes:
The different regulatory frameworks, often managed and implemented in silos by banking intermediaries;
Risk management under normal and stressed conditions, in line with a backward- and forward-looking vision;
Internal management for risk supervision purposes, therefore incorporating the new SREP, strategic planning, ICAAP, ILAAP, RAF, Recovery Plan, capital allocation, liquidity allocation, market disclosure, and reporting to the regulator.
3.5. The impact and implementation challenges of new regulatory frameworks
According to the Bank for International Settlements (BIS), implementation statistics regarding Basel I as a voluntary standard are impressive. From 2001, over 100 countries worldwide had implemented Basel I. Furthermore, from 2004, these countries intended to implement Basel II—13 were Basel Committee Members and 88 were non-Basel Committee Members. As of 2008, 105 countries had either implemented Basel II (57) or intended to implement Basel II (48), a total of 13 Basel Committee Members and 92 non-Basel Committee Members.
From 2008, the Basel Committee country membership expanded to include 27 Members, emerging countries (such as Argentina and India) as well. What is important, this allows emerging countries to join the negotiations about what the “global” supervisory framework would look like. Although the Basel accords are intended for implementation by internationally active banks and in developed economies, other economies (and, therefore, emerging) are also forced to implement the accords due to international regulatory and competitiveness matters. For example, in Asia, at least nine countries had implemented or expected to implement Basel II by 2010 (e.g., India, Hong Kong, Japan, Philippines, Singapore, Taiwan, and Thailand had implemented several aspects of Basel II as early as by 2008). Moreover, the argument for prevention of crises and maintenance bank soundness is supported by the fact that banking crises in emerging economies have generally exceeded 25% of GDP and are, proportionately, much larger in scale than in developed economies .
As far as Solvency 2 is concerned, one of the first absolute innovations is the fact that, while the directives issued prior to establishment of the new regulatory regime focused predominantly on “capital leverage,” with a view to defining the requirements necessary to guarantee solvency, the Solvency 2 regulatory framework places risk at the very center of management of an insurance undertaking, imposing assessment of the risks peculiar to each of the businesses they conduct and suggesting risk management criteria.
“… Regulators and rating agencies expect that companies have a good understanding of their risk profiles and have implemented the appropriate governance structure to mitigate their risks. The insurance industry is everchanging, and it can be challenging for an organization to have a complete understanding of the risks that can pose potential pitfalls to its operations…” .
This new approach also affects the modus operandi of the Supervisory Authorities, which are consequently called upon to induce insurance undertakings to graduate their recourse to and use of capital leverage according to the riskiness of their business and to “mold” their organizational structure according to their ability to cope with the risks taken . In this perspective, the new regulatory regime places particular emphasis on an undertaking’s risk management system, which consists of the set of strategies, processes, and reporting procedures designed to identify, measure, continually monitor, and thus manage on an ongoing basis the risks, at individual and joint levels, to which undertakings and groups are or could be exposed, as well as the interdependence of these. The main protection provided by the risk management system lies in the identification and measurement (in short, “risk assessment”) of the risks to which the undertaking is exposed. Risk assessment is normally formalized by the risk management function which, based on the evidence provided by the other, second-level control functions (internal auditing, compliance, and actuarial function), and on the findings of the control activities carried out by the business functions responsible for management of the above-mentioned risks, highlights their presence and provides a quali-quantitative assessment of them.
As we have already stated, adoption of the regulatory requirements of Solvency 2 is not limited simply to application of a new capital requirement calculation methodology and new accounting standards but, rather, requires significant adjustments in terms of corporate governance and organization. It is therefore necessary for boards of directors to increase their interest in and understanding of the risk profiles inherent in the business of their undertakings. In other words, they must develop a risk-oriented governance framework permitting the necessary diffusion, at all corporate levels, of an appropriate risk culture and ensuring that the board has adequate knowledge and control of decision-making processes, risk management, and operations in a “Solvency 2-compliant” context. In this regard, the introduction of a risk-based capital requirement system is intended to underline the importance of the risk management function and internal control systems .
Continuing with our analysis of the innovations introduced by the new regulatory framework, it is essential that we underline a further and important innovation, namely consideration of a broader and more complete range of risks for the purpose of calculating capital requirements as well as quantifying these more accurately. Indeed, whereas, with Solvency 1, regulatory capital measured only the so-called “technical risks,” excluding such things as market risks from calculation, the new regime also considers these. Solvency 2, moreover, sets out to overcome a further limitation connected to the fact that Solvency 1 quantified the said technical risks in a more simplistic manner, that is, through application of flat rates, thus preventing due consideration of the size and riskiness of the various portfolios .
Assuming that each business, in tackling the transition from the old regulatory regime to the new, will take into account its own specific characteristics in terms of investment position, business mix, and strategic objectives, it may be hypothesized that the above-mentioned innovations constitute, in a general sense, incentives for insurance undertakings to base their practical operations on certain “rules of conduct.” In this perspective, it is desirable, first and foremost, for insurance undertakings, as far as the assets side of the balance sheet is concerned, to proceed with careful selection of asset classes, favoring those which—particularly with regard to life business—permit better matching with liabilities (asset-liability management) and are less correlated with market trends over more volatile and/or risky investments, which are more capital-intensive. At the same time, insurance undertakings are obliged to deal with the dynamics of the current economic situation, featuring, in particular, low interest rates, and even negative ones in some markets and for certain maturities. In this regard, identification and adoption of more adequate investment policies, based on which it is possible to select (new?) asset classes capable of guaranteeing an adequate return on the commitments entered into with policyholders, is undoubtedly desirable .
Turning our gaze to the liabilities side of the balance sheet, insurance undertakings are then required to implement more careful and selective insurance risk-taking, giving due consideration to aspects relating to its capital-intensiveness, the profitability associated with different businesses, and, more generally, the principles of correct product governance . In other words, the objective of insurance undertakings must be to “build” products and services capable of meeting the needs arising from the relevant market, as well as those of the distributions channels used for the purpose, taking due account of their risk/return constraints. Joint consideration of the factors we have just mentioned therefore requires insurance undertakings to conduct a major review of their product design, pricing, and distribution . For this reason, particularly in life business, we are witnessing—and will increasingly witness in the future—the offering of a different product mix and a restructuring of the sureties offered to policyholders. In truth, we are facing a trend, already in progress in Europe, leading to the replacement of life products involving the provision of certain guarantees by insurance undertaking (such as so-called “with-profit” products) with contracts in which the risk lies with the policy holder (“unit-linked” products); something which also imposes a transition from “traditional” life policies to “multiline” life products, which combine the guarantee of traditional products with the higher returns of unit-linked. It is clear, therefore, that the opportunity to benefit from the positive effects associated with risk diversification provided by Solvency 2 may only be fully seized by those insurance undertakings capable of operating in multiple business lines, since it is, in effect, closed to monoline undertakings.
A further “rule of conduct” upon which insurance undertakings should base their operations concerns greater use of risk mitigation techniques. In practice, we are referring, on one hand, to the use of financial derivatives,7 which permits adequate coverage of financial risks and reduction of asset/liability mismatch, notwithstanding the new requirements introduced by the European Market Infrastructure Regulation (EMIR)8 and, on the other, with regard to insurance risks, to the use of both “traditional” reinsurance (benefitting from current soft market conditions) and so-called “Alternative Risk Transfer” (ART) techniques such as, for example, cat bonds. However, implementing Solvency 2 is not simply a question of capital requirements and accounting standards. It requires considerable adjustments to company governance and organization. In the first place, boards of directors must increase their interest in and their understanding of the risk profiles inherent in company activities. This does not mean that boards should only comprise technical experts or that market strategies need not be discussed—for insurance companies, understanding risk is the basis for any informed strategic decision and, to a large extent, it is their business. The entire way that businesses are organized must change in order to introduce the new approach to risk assessment, which should neither be reduced to a cosmetic exercise for supervisory purposes, nor be relegated to the office of the chief risk officer, but it must play a key role in the management of the company. There are two basic logics—bottom-up approach, which is more invasive and starts from the analysis of all business processes to find the risks involved, and top-down approach, which starts from the risk analysis and tries to identify the processes that generated these risks. In any case, the involvement of risk owners is crucial. In the while, the top-down approach cannot ignore the observation of past risk events, while the bottom-up approach is conducted independently from these past risk events. In other words, the top-down approach follows a backward-looking perspective, while the bottom-up approach follows a forward-looking perspective. For this reason, the best approach is the approach that can complement the two methodologies.
The evidence gathered so far from inspections and the initial ORSA findings are not entirely comforting, especially as regards smallest firms. We know that the transition will not be easy, but we are ready to work together with the companies, each assuming our own responsibility, to facilitate change .
4. Southeastern Europe market review9
4.1. Banking sector
The region of the Southeastern Europe (SEE) has experienced some significant changes in recent years. These changes can be observed from the political, economical, and demographic aspects, making an indirect influence on the financial system of the region. Croatia became a member of the European Union (EU), and the other countries of the Western Balkans (Albania, Bosnia and Herzegovina, Montenegro, and Serbia) continue with the slow process of integration. Greece is still burdened with a huge public debt, Turkey suffers from problems related to the wars on its eastern border, while Slovenia, Romania, and Bulgaria continue adaptation to the unique EU market.
The financial system of the SEE countries is basically bank-centric. The system is dominated by commercial banks. The size of the banking sector differs between countries of the region, with the largest share of banks’ assets of GDP in Greece (220% in 2015) and the lowest in Romania (53% in 2015).
In all observed countries, except Turkey, there has been a high share of foreign ownership in total banking assets (from 68% in Greece to 90.4% in Romania). In Turkey, the banking sector is dominated by domestic banks (74% of total assets are held by domestic banks).
In all observed countries, net loans have the highest share in banks’ assets. Cash funds are the second largest item in Bosnia and Herzegovina, Montenegro, Serbia, and Turkey, while government bonds are the second largest in Albania, Croatia, Greece, and Romania. Households and corporation deposits have the highest share in total banks’ liabilities in all observed countries. In Greece, European Central Bank borrowing makes a significant part of total liabilities (28% in 2015). Regarding the structure of loans, the loans to nonfinancial corporations and households have the largest share. In the structure of deposits, retail deposits have the largest share in all of the countries.
Regarding maturity, there is a significant mismatch between deposits and loans in all of the countries, except Albania and Turkey. In all observed countries, except these two, there is a high share of short-term deposits in total deposits and long-term loans in total loans. Romania has the highest share of short-term deposits (93% in 2015), while Croatia has the highest share of long-term loans (86.1% in 2015). In Albania and Turkey, respective shares of long-term deposits and loans in total deposits and loans were similar (approximately 70%).
Regarding the basic features of banking sector in 2015, capital adequacy ratio varied between 15 and 21 in the observed countries, the highest being recorded in Croatia and Serbia.
In 2015, Turkey recorded the lowest ratio of nonperforming to total loans (3.2%) and Greece had the highest ratio (43.9%).
Most of the countries are in the process of adopting Basel III standards. In Greece, as it is a member of the Eurozone, the regulatory framework is based on and incorporates the Basel III framework and related provisions. Croatia started the implementation of Basel III in Croatian legislation in 2013, with the adoption of the new Credit Institutions Act transposing CRD IV, following its accession to the EU. Consequently, there have been some changes in the regulatory framework regarding the coverage of risky assets in capital and capital buffers.
4.2. Insurance sector
As far as the insurance sector of the SEE region is concerned, it mostly stagnated in recent years, with a slight increase in most of the countries except Greece, where premium volume significantly decreased. What is interesting is that for the countries that recently joined the EU, stagnation of the sector is more evident than in the nonmember countries where the premium volume is increasing. It looks like the first group of countries reached the limits considering their economies, while the second group of countries still has potential for growth. Reasons for such situation are different, and they can be caused by some internal changes on the market, like introduction of Motor Third Party Liability (MTPL) market liberalization in the newest EU member Croatia, or by some other macroeconomic issues.
Similar to banking, ownership structure of the insurers on the markets shows dominance of insurers with majority of foreign ownership. They cover more than half of the total premium on the local markets, excluding Slovenia, where foreign insurers cover 11.1% of the market. There are also many insurers from one SEE country (such as Slovenia and Croatia) operating on the markets of other countries of the region. The largest market share of the foreign insurers is registered in Montenegro and Macedonia, where foreign insurers cover more than 90% of the markets.
The total premium of the SEE insurance market in 2015 reached the amount of EUR 21.018 million with a decrease in total during last 5 years in spite of a slight increase in the premium in almost all countries. A decrease of the premium was noticed in the region’s most developed markets of Greece, Slovenia, and Croatia, caused by financial crisis or by MTPL market liberalization (in case of Croatia). For this reason, if we exclude data for Turkey, we can observe that insurance premiums of the region have decreased by 10% in comparison with 2010. Slovenia and Croatia stopped recording negative trends and had an increase of premium in 2015. At the same time, total insurance premium of the Insurance Europe (IE) association members in 2015 was EUR 1,199,714 million, with 4.2% of growth compared to 2010. Like in 2010, the SEE insurance market is still 1.8% of total IE premium.
The average insurance penetration for the SEE countries in 2015 was 1.78, and it decreased from 1.81% in 2010. The average insurance density was EUR 146.35, and it increased by 3.7% in 5 years (EUR 141.15 in 2010). The average penetration of IE in 2015 was 7.4%, and it decreased from 8.9% in 2010, while insurance density was EUR 2.010 and it increased by 7.0% (EUR 1.879 in 2010). These data show that insurance penetration is 4.2 and insurance density 13.7 times below the IE average for 2015. The largest insurance density in 2015 was in Slovenia (EUR 975), Greece (EUR 343), and Croatia (EUR 271), while the other countries had density below EUR 200 showing the characteristics of poor insurance markets.
Negative trends in the premium structure during last 5 years can be recognized by a decrease of share of life insurance in total premium. In 2015, the average share of life insurance in the region was 23.1% (25.8% in 2010), while the average share in the IE members was 60.9%. It shows that there was no improvement of insurance culture in the SEE market. The low share of life insurance is a result of macroeconomic instability, consumer unfamiliarity with financial transactions as well as less sophistication of the insurance products offered. The largest share of life insurance in 2015 was registered in Greece (48.4%), Croatia (33.6%), and Slovenia (29.7%), while the other countries had a share of life insurance below 25%.
Since financial system in the region is mostly bankocentric and the share of the insurance in the total financial assets is very low, the activities of the governments in the recent years were mostly focused on providing better regulation of the banks. Insurers are still waiting to be recognized as the important subject of interest in government policies.
As we previously mentioned, the total premium of EUR 21.018 million shows that the SEE insurance market is significantly behind the developed European markets, with only 1.8% of IE premium. Since the market size depends on the economy volume, we can compare this data only for the countries of similar population and economy size. Generally, Slovenia is the closest to the IE average, but there is a lot of variety among the other countries. On the other hand, common to all countries is a high potential for the market growth.
In 2015, the data for 8 countries (since we do not have complete data about the number of companies for all countries), comparing with 2010, show a slight decrease in the number of insurers in all countries except for Macedonia, Serbia, and Slovenia. Some countries still have disproportionately large number of companies in relation to market’s premium (BiH, Macedonia, and Montenegro). There are expected mergers and acquisitions in these countries, especially because of the new regulatory standards that are coming into force in the future. The average premiums per company in BiH, Macedonia, and Montenegro are below EUR 15 million, which best explains a need for decrease in the number of companies. Slovenia had the largest average premium per company (EUR 91 million).
The insurers on the SEE market are mostly organized as nonlife insurers, and this type of organization of business activities is characteristic for local insurers, while the life insurance business is mostly in the hands of insurers coming from the EU countries. A lack of insurance culture is most evident if we focus on the premium insurance structure. Namely, obligatory MTPL is still the dominant insurance product. A low competition level of local companies in life business forces them to focus on less profitable, nonlife business. Data for selected countries of SEE markets show that the average share of life insurance for SEE in 2015 was 34.2%, while MTPL covered 26.2%, and other nonlife 39.6%. During the last 5 years, the share of life insurance has increased, decreasing the share of other nonlife. Greece has the largest market share of life insurance (48.4%), followed by Croatia (33.6%) and Slovenia (29.7%). From more detailed overview of MTPL shares in the countries, we can see that dominance of MTPL is most evident in BiH, Macedonia, and Montenegro, where it covers more than 40% of the total premium.
Since the last 5 years has been very important for Europe due to the introduction of new regulatory framework, Solvency 2, changes in legal and institutional framework can be observed in the context of compliance with the new regulations. Only a few countries, already EU members, followed the deadlines for implementation of the Solvency 2 regime on the national regulatory framework. There are many reasons for this delay, but the key problem is with still underdeveloped market that cannot follow the rules that exist in the developed EU insurance market. That is accompanied with poor institutional infrastructure, not capable of fully implementing even the Solvency 1 regime. There are plenty of uncertainties facing the region regarding the Solvency 2 implementation in the insurance markets, and countries try to catch the pace according to their capabilities.
Most regulations in the countries are not compliant with the Solvency 2 regime, and some countries are still striving to fully implement Solvency 1 regime. There are some good examples, like Slovenia, Croatia, and Greece that are believed to follow the EU standards, but most of the others are going to adapt to the new standards as they are approaching the EU membership. During last 5 years, they have been focused on improving the methodology of insurer reporting and the other aspects of market supervision.
- A list has been prepared of 14 criteria which must be met, individually and jointly, in order for a resource to be included under common equity.
- In the case of smaller banks, in particular, it is observed that the types of risk classified as key risks often comprise only credit risk, market risk, and operational risk and that supervisory risk measurement methods are also deployed internally to measure these risks.
- Bank is required to provide equity for market risk equal to the average VaR estimate for the last 60 days, which is further multiplied by the safety coefficient (usually equal to three).
- We refer, in particular, to: the delegated acts adopted by the Commission through Regulation 2015/35 of 10 October 2014: amended by Commission Delegated Regulation (EU) 2016/467 of 30 September 2015:, 16 implementing regulations (ITS: Implementing Technical Standards) proposed by the EIOPA (European Insurance and Occupational Pension Authority) and adopted by the Commission and, finally, the EIOPA guidelines which, unlike the previous (directly applicable) regulations, must be transposed into the individual national legal systems.
- These limitations may be identified, in summary, as: (a) the lack of transparency of the insolvency margin criterion and its inadequacy in expressing the risks taken by undertakings, (b) the absence of incentives for undertakings to perform effective risk management, and (c) the lack of recognition of the economic situation of transnational groups of undertakings.
- The RAF is the reference framework that defines an undertaking’s risk appetite, tolerance thresholds, risk limits, risk management policies, the relevant processes necessary to define, and implement these in line with the maximum risk that may be taken, business model and strategic plan.
- It should be remembered that, similarly to Solvency I, the new regulatory framework, too, permits the use of financial derivatives insofar as they contribute to reducing risks or facilitating effective portfolio management (see Art. 132 of the Directive).
- EU Regulation No. 648/2012 of 4 July 2012.
- The review is based on the survey fulfilled by national regulators of the SEE countries as well as the information published on their official websites.