Risk management in three steps
To achieve its set return targets, AP4 must take well balanced risks, and adept risk management is necessary for successful asset management. It must be possible to foresee risks prior to an investment and to subsequently control them. Risk management can be broken down into three steps:
- Risk governance
- Continuous risk management
- Monitoring and control
Step 1. Risk governance — framework for risk tolerance
The Board of Directors has overarching responsibility for AP4’s operations and adopts an investment policy and risk management plan for AP4’s operations every year. Together with the Swedish National Pension Funds (the AP Funds) Act (Lagen (2000:192) om allmänna pensionsfonder (AP-fonder)), these governing documents provide a framework for AP4’s risk tolerance. To manage the various aspects of risk governance, the Board has established a Risk Committee and an Audit Committee with three members each.
The Risk Committee serves in an advisory, oversight and drafting role for the Board with respect to AP4’s governance, monitoring and reporting of financial risks in the operations. The Audit Committee is tasked with overseeing the external financial reporting and the effectiveness of AP4’s internal controls. Its duties include overseeing the work on monitoring management of operational risks and monitoring compliance.
AP4’s risk and investment strategy has been formulated in accordance with the overall objective to generate the highest possible return over time and thereby contribute to the pension system’s financial strength. The investment policy describes, among other things, the focus of asset management based on return targets and the Dynamic Normal Portfolio (DNP), which takes its starting point from AP4’s ALM (Asset Liability Management) process. In addition, the investment policy describes AP4’s risk mandate for the continuing asset management. The risk management plan describes the division of responsibility and authority for the investment operations, the principal risks in the operations and how these risks are to be controlled and followed up. The main risks are financial and operational risks. A more detailed description of risks is provided in Note 20 in the Annual Report.
Step 2. Continuous risk management
AP4’s daily risk management and control activities are decentralised to all operating aspects of the organisation and are conducted in accordance with the three lines of defence principle. This principle distinguishes between the functions that own the risks (the first line of defence), functions for monitoring, control and compliance (the second line of defence), and functions for independent review (the third line of defence).
AP4’s application of the three lines of defence is adapted to what is deemed to be suitable for AP4 and does not fully adhere to regulatory requirements.
Three lines of defence
The first line of defence for risk management and control lies in the direct business operations, which includes every administrative unit in the investment operations as well as business support functions, such as Finance, Back Office and Legal.
The second line of defence consists of the Risk Control function in Risk & Business Support, and Compliance. Compliance and Risk Control are units that are independent from the investment operations and report directly to the CEO and Board of Directors.
The third line of defence rests with internal audit. Each year the Board decides on the scope and the areas for which internal audit is to be conducted. Such assignment is carried out by an external accounting firm. In 2020 an external accounting firm was hired through a tendering process for such an internal audit assignment.
Financial and operational risks
In the continuing risk management, risks are broken down into financial and operational risks. Financial risks consist mainly of market, credit and liquidity risks. The CEO delegates the risk mandate received from the Board for financial risks to the various asset management units. The respective asset managers are responsible for risk management within their respective mandates. Risk management within a mandate is conducted through calculated risk-taking, which can have both positive and negative outcomes. AP4’s financial risks have their starting point in the Board’s decision on the overall asset allocation in the Dynamic Normal Portfolio (DNP) as well as in AP4’s risk mandate for the continuing asset management. Through set risk mandates for the asset management, the scope for risk-taking in the continuing asset management is limited. As documentation for AP4’s continuing work on optimising risk-taking, risk forecasts are used for the respective asset management areas, instruments, risk factors, and so on. AP4 plans strategic risk-taking with the help of stress tests and various scenario analyses.
Operational risks at AP4 are to be managed through an established joint process and methodology. In the day-to-day activities all managers and employees shall maintain an awareness of risks in the business and their key controls, and act in such a way as to ensure that the operations, assets and trust in AP4 among parties in the external operating environment are upheld.
Step 3. Monitoring and control
The Risk & Business Support unit is responsible for monitoring AP4’s financial and operational risks. This involves checks to ensure compliance in the operations with statutory investment rules, targets and guidelines, the requirements of the risk management plan and the CEO’s decisions. The Risk & Business Support unit’s work includes closely measuring and analysing risk and returns as well as reporting on these daily, both in absolute figures and relative to benchmark indexes, and reporting any breaches of applicable rules or regulations.
Risk & Business Support is organised into four different functions: Risk & Systems, Back Office, Risk Control and IT. Of these, the Risk & Systems and Risk Control functions are part of AP4’s risk management. The Risk & Systems function is responsible for the valuation principles for all instruments as well as daily analysis, control and reporting of returns, risks (forecast and outcome), and risk-adjusted returns. The Risk Control function is responsible for monitoring limits based on prevailing rules and control of financial risks. The Risk Control function is also responsible for monitoring operational risks in the investment operations and for ensuring compliance with rules governing operational risks.
Operational risks in AP4 are to be managed through an established joint process and methodology. This process includes process mapping, identification and valuation of risks, and shall be conducted for all identified processes on a regular basis. Key controls shall be in place for all material risks, which as far as possible reduces the likelihood of risks materialising or mitigates the consequences when undesirable events occur. In the valuation of risks, existing key controls shall be quality-assured to ensure they have the desired functionality and are effective. As part of the operational risk management process it is especially important to evaluate change processes and their effects on the operations. Operational risks are evaluated specifically in connection with the implementation of new products, system changes and organisational changes. To minimise operational risks, a clear division of responsibilities and authorities shall be documented in written instructions. Applicable processes and routines shall ensure good internal control and be documented in relevant instructions. The so-called four-eyes principle is applied consistently.
The Compliance function reviews the operations with respect to compliance with laws, regulations and other guidelines, policies, instructions and internal rules, including ethical guidelines. Its responsibility includes providing support to the operations on compliance issues and analysing compliance risks in the operations.