What are the key points of a risk report for an asset management company’s board of directors?
The exact scope and depth of the report are of course very specific to each company, depending on the products/services provided, the markets/clients served and the regulatory regime. However, there are generic “must-have” key elements that we are going to share with you.
Also bear in mind, we are talking about the risk report and not the compliance report.
The Board of Directors bears the overall responsibility for risk management of the company and therefore:
- defines the risk strategy;
- must periodically review the risk profile;
- is responsible for defining and monitoring the internal controls system;
- periodically carries out a risk assessment.
The risk manager should report at least semi-annually to the executive management, and at least annually to the board.
Discover the 10 key points that your risk report should contain.
1 – Executive Summary
It summarizes the evolution of the main risks during the current reporting period in areas such as:
- Markets: macro-economic environment, developments on financial markets and their impact on investment performance, competition, political and regulatory environment and developments;
- Clients: client portfolio, customer and AUMA in-/outflows, customer complaints and satisfaction, changes in customer behaviour;
- Products and services: completeness of product / service range, quality of service, danger from substitute products / services / competitors, new products / services;
- Operational safety: risks in business processes, incidents, physical security;
- Reputation: for example, negative coverage in a newspaper article;
- Corporate governance: organisational structure, communication, reporting, projects, internal controls system, adherence to policies and directives, implemented / required changes to policies / directives;
- Personnel: business conduct / integrity, loyalty, motivation, recruiting, skills, education / training, compensation, fluctuation;
- Finances: regulatory capital requirements, liquidity, profitability, financial risks of the firm, budgeting;
- IT: cyber risks, availability, reliability;
- Legal & compliance: legal disputes, AML, taxes, intellectual property.
Make sure you also include prospective statements / assessments which require decisions / actions to be taken pending approval by the board.
2 – Enterprise Risk Management
This part displays earnings, P&L and capital distributions for at least two scenarios: Business as Usual, and Stressed.
The plots should be accompanied by descriptive statistics like percentiles, min, max, mode, median, EaR, PaR, CaR, LaR as well as contribution analyses.
A section on risk limit utilizations (e.g. regulatory capital requirements, risk appetite limits) shows the current versus defined / desired risk profile of the company. Limit excesses should be commented on and submitted for discussion / approval by the board.
3 – Risk Matrix & Risk Dashboard
This section shows the risk matrix (2 dimensions: impact / likelihood) as well as the risk dashboard (list of all risks).
For each risk it’s important to show:
- the risk’s identifier, short name and short description (full details in the appendix)
- assessment of (at least) last period and the current reporting period with a trend indicator
- associated mitigating actions and controls (short descriptions, full details in the appendix)
- a comment explaining the risk assessment and trend
- the risk indicator(s) for the corresponding risk with its value of (at least) the last period and the current reporting period with a trend indicator
4 – Incident Reporting
It informs the board about incidents during the reporting period (for example cyber-attacks, disruptions due to natural disasters, fires, floods and the like, operational losses, adverse media coverage, …), their causes, impacts as well as actions taken by executive management (mitigating actions, strengthening of the internal controls system, specific training, disciplinary actions, …).
5 – Internal Control System
This part starts off with an overview showing the number of active controls, the number of control requests sent out, % completed OK, % completed with warning(s), % not completed, broken down by departments / functions / people, accompanied by corresponding explanations.
You then elaborate on material changes made to the controls as well as on proposed changes, pending approval by the corresponding body. With reference to the above-mentioned incidents, an assessment of the efficiency and effectiveness of the internal controls system is made. A list of all the controls with all their details shall be provided in the appendix.
6 – Business Impact Analysis and Business Continuity Management
This section shows the Business Impact Analysis, the BCP-exercise(s) (Business Continuity Plan) carried out in the reporting period along with the major findings and necessary adjustments.
7 – Investment Controlling
As revenues of an asset management firm are tightly linked to investment performance, this area deserves special attention. The purpose of this section is to highlight the following aspects:
- compliance with / violations of investment constraints [#, reasons (active vs. passive), actions taken]
- ex-post performance and performance contributions of individual strategies (performance attribution analyses)
- approved / declined transactions requiring pre-approval
- backtesting of strategies’ performance vs. risk limits
- compliance with / violations of risk limits
- luck vs. skill (active return decomposition, hit-rate vs. skill-level, risk-taking skills and effective exposures)
- quality control charts
- style analyses
- strategy consistency checks (relative views, alpha- and beta-bets vs. implied returns)
- performance risks (tracking error, relative VaR, probability of underperformance, alpha and beta bets)
- concentration analyses, degree of diversification (correlation networks and correlation bets, eigenvalue analyses, number of effective bets)
- minimum sensible investment horizon
- scenario and stress analyses
8 – Risk Management Agenda:
The agenda shows major activities carried out by the risk management function in the current reporting period as well as activities planned for the next business period.
9 – Appendix 1:
List of full details for all risks: hazards, threats, risks, causes, consequences, assessments, owner, risk category, linked controls, linked indicators, …
10 – Appendix 2:
List of full details for all controls and mitigating actions: control owner / unit / department, control frequency, control type, control questions, linked processes, linked risks, …
An up-to-date internal control system, run for instance on Optimiso Suite software, greatly facilitates the production of the mentioned elements. The above items 3, 4, 5, 9 and 10 can be completely covered with minimal additional “fine-tuning”, and the inputs for the ERM (2) are also available.
For more examples on how to leverage your internal controls system for risk reporting purposes and for answering audit questions, check out our recorded webinar.