Financial

Growing investor and regulatory awareness and concern over the need to address social and environmental issues is driving the rapidly increasing interest in Environmental, Social and Governance (ESG) factors and sustainable finance. As Regulators set out their expectations for how financial institutions should manage climate related financial risk, including modification of governance and risk management frameworks, development of scenario analysis and stress testing, and disclosure of climate change related issues, it is vital that the Internal Audit function challenges the firm’s response to this. As a society, customers are now aware of the growing urgency to build relationships with those businesses who can demonstrate that their practices are aligned with society’s goals and ambitions. Reputational risk has become key as it flows from firms’ responses to embedding climate risk within their business, therefore Internal Audit should challenge whether firms have suitably assessed their related exposure to reputational risk and whether the impact of handling these issues poorly has been considered.

Regulatory Expectations:

• In November 2020, the European Central Bank (ECB) published their supervisory expectations with respect to the risk management and disclosure of climate and environmental risk, applicable with immediate effect. Illustrating that a firm must treat climate and environmental risk holistically, the supervisory expectations are cross-cutting across an entire firm. Most importantly, the ECB has defined how the Third Line should respond in relation to emerging risk, stating: “IA functions should review the internal control and risk management framework, by considering external developments, changes in the risk profile and in products and/or business lines, to establish the extent to which the institution is equipped to manage climate-related and environmental risks.”
• The ECB contacted specific firms at the beginning of 2021, highlighting their expectation for firms to complete their self-assessment against the ECB requirements together with defined suitable action plans for implementation of the framework with deadlines of February 2021 and May 2021 respectively.
• The expectation of the European regulators for firms is to fully embed their approach to managing climate-related financial risk by the end of 2021.
• The Sustainable Finance Disclosure Regulation (SFDR) introduced various disclosure-related requirements for financial market participants and financial advisors at entity and product level, applicable as at 10 March 2021.

Political Influence:

• As investors demand for green bonds increases, the EU Governments have confirmed their intend to fully implement a ‘Green Taxonomy’ to provide a common standard for measuring firms’ environmental impact, building on the scientific metrics in the European Union taxonomy as its basis.

ESG Wider Considerations:

• Diversity and inclusion matters. The Regulators should commit to explore whether diversity requirements should be made part of premium listing rules.

Internal Ratings-Based (IRB) firms are required to apply a suite of ‘IRB roadmap’ model changes by 1 January 2022 in order to remain compliant in their calculation of regulatory capital. These regulatory changes can have a profound impact on probability of default (PD), exposure at default (EAD) and loss given default (LGD) risk parameter estimates, and hence capital estimation for a firm’s banking book. Failure to evidence compliance with this new regulation can ultimately threaten a firm’s IRB status as well as increase the ‘margin of conservatism’ required for estimates, leading to higher capital charges. Ultimately this is also coupled with reputational risks from Regulators if the model development programme is perceived to be low quality. As a result, many Banks are conducting significant IRB enhancement programmes over the next few years, in order to ensure the required process changes, model redevelopments and regulatory submissions are all delivered effectively. These programmes are often high risk, with tight timelines exacerbated by the volume of model changes required and extensive submission requirements. Across the banking industry, from Tier 1s with established IRB rating systems to challenger firms applying for IRB status, there is an increased onus for successful submission for IRB approval. As a result, assurance from Internal Audit on the effectiveness of delivery from these programmes is critical. Please also refer to our IFRS 9 ECL Estimation topic given its relevance to IRB Delivery Programmes.

A number of new IRB regulatory requirements require implementation, including:

• Updated conditions for the definition of default (DoD), such as addition of unlikeliness-to-pay (UTP) criteria, conditions for curing, and materiality threshold for credit obligations past due;​
• Inclusion of new requirements to model LGD for ‘in-default’ exposures, including calibration to downturn and ‘point-in-time’ (as the ‘best estimate of expected loss’);
• Introduction of extensive requirements for downturn LGD calibration, including regarding the identification of a downturn period; and​
• Requirement of cyclicality measurement of PD rating systems, for quantification of long run average (LRA) PD, for calibration purposes.​

As liquidity risk management capabilities and processes evolve, it is important that firms continue to assess and address aspects of their liquidity risk management that improves transparency and agility in line with the expectations from the Boards and the Regulators and to support increased focus on strategic liquidity management.

Internal Audit functions in the EU are at different stages with regard to IFRS 17 assurance planning and are currently reassessing and adjusting their holistic assurance timelines. For many insurers the effort and cost has grown significantly from initial expectations and may continue to do so through to programme completion, as solutions are embedded, tested and re-worked. Also, in some organisations programmes have not yet been far enough progressed to enable meaningful audit activity to take place so Internal Audit may be planning its first real look at the detail in the current year. IFRS 17 has a number of areas of complexity and challenge and prioritising these can be difficult. Below we consider some of the key methodology decisions, highlighting common high-risk areas and Internal Audit's approach for providing assurance that informs governance around methodology.

Internal Audit functions are reconsidering their assurance timelines for two reasons—first, the impact of COVID-19 has changed the plans of Internal Audit and the wider organisation for 2021, and during March 2021, it was announced that the effective date of IFRS 17 will be deferred to 1 January 2023, prompting project teams to consider refreshing their own timelines. With many programmes on the cusp of transition from implementing IFRS 17 solutions into testing, assurance over the controls design and their operating effectiveness over the IFRS 17 new financial processes is an important milestone to identify and remediate any control weaknesses in advance of external audits.

Certain key decisions, the working assumptions, are made early and drive downstream effects of the implementation programme. For example, adopting the General Measurement Model (GM) will require many organisations to modify existing systems and databases to capture additional contract or portfolio level data; whereas the Premium Allocation Approach (PAA) may not require such a significant change to the organisation’s existing infrastructure (but may introduce different risks). The cost associated with identifying and correcting inappropriate accounting policy or methodology choices during the implementation programme can be substantial and may put key deadlines at risk.

Internal Audit has a key role to provide assurance over the IFRS 17 programme between now and completion of implementation in 2023. The nature of audit work that can be performed will be driven by the progress the business has made.

In 2020, with affected insurers having completed their impact assessments and moving into the solution implementation phase, the natural scope for Internal Audit appeared to be project assurance.

In 2021, Internal Audit scope could include methodology, as the business designs/implements solutions following conclusion of the gap assessments. Internal Audit will need to be mindful of the role of the external auditor, who will ultimately need to sign-off on the chosen technical methodology and remain connected on any technical points being raised and the management of their impact on the wider project.

In the final year of 2022 before go live, companies will be focussed on producing comparative period financial results ready for publishing externally in their financial statements in the following year. This will be the first time the entire financial reporting process is run end to end. At this stage, Internal Audit can provide assurance over the design and operating effectiveness of controls over the reporting process, in advance of external audit to identify and remediate any weaknesses.

Internal Audit should consider assurance activity in the following areas during 2022:

• Governance, program benefits and change management;
• Technology solutions including general IT controls (GITCs);
• Controls over dry runs/parallel runs;
• Data migration, transformation and security;
• Controls over modelling governance;
• Financial planning, budgeting and reporting processes; and
• Actuarial and risk management processes.

During the initial stages of the COVID-19 pandemic, estimation of Expected Credit Loss (ECL) for calculation of loan impairment became more challenging for firms, due to sudden changes in economic activity coupled with unprecedented levels of Government support, which caused the classical relationships between economic activity and credit behaviour to break down. With core modelling and data assumptions becoming invalid under these new conditions, many firms were forced to apply expert-based Post Model Adjustments (PMA) to their model estimates in order to generate ECL estimates as accurately as possible.

A year later and firms are now facing a new challenge; ahead of improved economic baseline forecasts, these incumbent PMAs are in some instances becoming overtly optimistic, leading to a risk of “see-saw” estimation, with impairment swinging well below the acceptable range. Furthermore, as COVID-19 era information starts to crystallise into Banks’ risk data warehouses, firms will need to consider whether this data is usable for BAU-type activities such as model monitoring and redevelopment. Internal Audit’s assurance regarding the accuracy of IFRS 9 ECL estimates is therefore critical, due to the significance of the impairment calculation as well as its volatile and subjective nature. Please also refer to our IRB Delivery Programmes topic given its relevance to IFRS 9 ECL Estimation.

PMAs applied to SICR (Significant Increase in Credit Risk) and ECL model estimates will need to be revised as conditions change in the credit and economic environment. The timing and methodology of PMA unwinding is critical, in order to mitigate inappropriate volatility in ECL estimates, whilst ensuring provision levels are kept accurate and up-to-date.

Intrinsic modelling assumptions must be addressed, particularly regarding the association between loss estimates and economic forecasts, ahead of prospective conditions changing and potentially new external effects (such as withdrawal of Government support schemes).

COVID-19 era outcome data is starting to become available in firms’ risk datasets, this needs to be effectively incorporated into business as usual (BAU) type activities such as model performance monitoring and re-development. This will force firms to face a number of questions, such as:

• Should COVID-19 era data be included when developing new macro-models, despite the likely implausible relationships observed in this period (for example reducing Gross Domestic Product (GDP) with unemployment stable due to Government support schemes)?
• Should COVID-19 era data be considered as a potential downturn candidate, for example, in use of downturn Loss Given Default (LGD) calibration or economic cycle definition?
• Whether a firm’s IFRS 9 default definition should be adapted, for example, to incorporate extenuating initiatives on customer credit, such as payment holidays and the large-scale forbearance activities that resulted from COVID-19?