Risk management in three steps
To achieve its set return targets, AP4 must take well-balanced risks, and adept risk management is necessary for successful asset management. It must be possible to foresee risks prior to an investment and to subsequently control them. Risk management can be broken down into three steps:
- Risk governance
- Continuous risk management
- Monitoring and control
Step 1. Risk governance — framework for risk tolerance
The Board of Directors has overarching responsibility for AP4’s operations and adopts an investment policy and a risk management plan for AP4’s operations every year. Together with the National Pension Funds (the AP Funds) Act (Lagen (2000:192) om allmänna pensionsfonder (AP-fonder)), these governing documents provide the framework for AP4’s risk tolerance.
To manage the various aspects of risk governance, the Board has established a Risk Committee and an Audit Committee with three board members each. The Risk Committee serves in an advisory, oversight and drafting role for the Board with respect to AP4’s governance, monitoring and reporting of financial risks in the operations. The Audit Committee is tasked with overseeing the external financial reporting and the effectiveness of AP4’s internal controls. Its duties include overseeing the work on monitoring management of operational risks and monitoring compliance.
AP4’s risk and investment strategy has been formulated in accordance with the overall objective to generate the highest possible return over time and thereby contribute to the pension system’s financial strength.
The investment policy describes, among other things, the focus of asset management through the reference portfolio that the Board has decided on, which takes its starting point from AP4’s ALM (Asset Liability Management) process.
The investment policy stipulates, among other things, AP4’s long-term return targets, risk profile and risk mandates for asset management, which serve as a general framework for operations.
The risk management plan describes the division of responsibility and authority for the investment operations, the principal risks in the business and how these risks are to be controlled and followed up. The main risks are financial and operational risks.
Step 2. Continuous risk management
AP4’s daily risk management and control activities are decentralised to all operating aspects of the organisation and are conducted in accordance with the three lines of defence principle. This principle distinguishes between the functions that own the risks (the first line of defence), functions for monitoring, control and compliance (the second line of defence), and functions for independent review (the third line of defence).
Three lines of defence
In the first line of defence, all pertinent units have a responsibility for risk management and control for every business transaction. This includes every administrative unit in the investment operations as well as business support functions, such as Back Office, Finance and Legal.
The second line of defence consists of parts of the IT & Risk unit (Performance Analysis and Risk Control), Compliance and Finance (pertaining to control of rules surrounding authorisation rights). The Compliance function, Performance Analysis and Risk Control are functions independent of the investment operations and report directly to the CEO and the Board of Directors.
The Board decides whether and to what extent the third line of defence is engaged. This role is to be performed by an external accounting firm. In 2017 an external accounting firm was procured for such an internal audit assignment.
Financial and operational risks
In continuous risk management, risks are broken down into financial and operational risks.
Financial risks consist mainly of market, credit and liquidity risks.
The CEO delegates the risk mandate received from the Board for financial risks to the various asset management units. The respective asset managers are responsible for risk management within their respective mandates. Risk management within a mandate is conducted through calculated risk-taking, which can have both positive and negative outcomes.
AP4’s financial risks arise out of the Board’s decision on the normal portfolio’s composition. By setting risk mandates for the asset management, the scope for risk-taking in the day-to-day management is limited.
As a basis for AP4’s continuing work on optimising risk-taking, risk forecasts are used for the respective asset management areas, instruments, risk factors, and so on. AP4 plans strategic risk-taking with the help of stress tests and various scenario analyses.
Operational risks at AP4 are to be managed through an established Fund-wide process and methodology. Key controls shall be in place for all significant operational risks, which as far as possible reduce the likelihood of a risk materialising or mitigate the consequences when undesirable events nonetheless occur. In the day-to-day activities all managers and employees shall maintain an awareness of risks in the business and their key controls, and act in such a way as to ensure that the operations, assets, and the trust of the surrounding world are not jeopardised.
Step 3. Monitoring and control
The IT & Risk unit is responsible for developing the risk analysis and control process. IT & Risk provides methods for risk identification, risk quantification, risk analysis, and reporting of both financial and operational risks. IT & Risk is responsible for ensuring compliance with statutory investment rules, the investment policy, the requirements of the risk management plan and the CEO’s decisions.
IT & Risk’s work includes closely measuring and analysing risk and returns as well as reporting on these daily, both in absolute figures and relative to benchmark indices, and reporting any breaches of applicable rules or regulations.
IT & Risk is organised into four different functions: Performance Analysis, Risk Control, System Development & Support, and IT. Of these, the Performance Analysis and Risk Control functions are part of AP4’s risk management.
The Performance Analysis function is responsible for the valuation principles for all instruments as well as daily analysis, control and reporting of returns, risks (forecast and outcome), and risk-adjusted returns. The Risk Control function is responsible for monitoring and control of financial risks — mainly credit and liquidity risks. The Risk Control function is also responsible for monitoring operational risks in the investment operations and for ensuring compliance with rules governing operational risks.
Operational risks in AP4 are to be managed through an established fund-wide process and methodology. This process includes process mapping and the identification and valuation of risks, and shall be conducted for all identified processes at least yearly. Key controls shall be in place for all material risks, which as far as possible reduce the likelihood of risks materialising or mitigate the consequences when undesirable events nonetheless occur. In the valuation of risks, existing key controls shall be quality-assured to ensure they have the desired functionality and are effective.
As part of the operational risk management process it is especially important to evaluate change processes and their effects on the business. Operational risks are evaluated specifically in connection with the implementation of new products, system changes and organisational changes.
To minimise operational risks, a clear division of responsibilities and authorities shall be documented in written rules and instructions. Applicable processes and procedures shall ensure good internal control and be documented in relevant instructions. The so-called four-eyes principle is applied consistently.
The Compliance function reviews the operations with respect to compliance with laws, regulations and other guidelines, policies, instructions and internal rules, including ethical guidelines. Its responsibility includes providing support to the operations on compliance issues and analysing compliance risks in the operations.