Risk management in three steps
AP4 must take risks to achieve the intended return target; therefore, sound risk management is crucial to successful asset management. It must be possible to forecast, and subsequently control, risks ahead of an investment.
Risk management can be divided into three steps:
1. Risk management
2. On-going risk management
3. Follow-up and control
Step 1. Risk management – framework for risk tolerance
The Board has the overall responsibility for AP4’s activities and annually adopts an investment policy and a risk management plan for AP4’s operations; these, together with the law (2000:192) regarding the Swedish National Pension Funds (AP Funds), form the governing framework for AP4’s risk tolerance.
To manage the various aspects of risk management, the Board established a Risk Committee and an Audit Committee with three members each. The task of the Risk Committee is to further enhance communication and understanding of the business’s financial risks. The Audit Committee has the task of monitoring the external financial reporting and the effectiveness of AP4’s internal controls. The role includes overseeing the risk management work relating to operational risks and the follow-up of compliance.
AP4’s risk and investment strategy has been designed in accordance with the overall objective to maximize shareholder value over time, and thereby contribute to the pension system’s financial strength.
The investment policy includes investment strategies through the Normal portfolio (benchmark) resolved by the Board of Directors, which takes its starting point from the AP4 ALM process (Asset Liability Management). The policy stipulates, among other things, AP4’s long-term return target, risk profile and risk mandates for the Strategic and Tactical management and constitutes a general framework for operations.
The risk management plan describes the division of responsibility and authority for the management operations, the principal operational risks, and the means to control and follow up risks. The main risks are financial and operational risks. A more detailed description of the risks is provided in Note 20.
Step 2. On-going risk management
AP4’s daily risk management and control is decentralized from the organization’s operational functions. It follows the principle of three lines of defense. This principle distinguishes between the functions that own the risks (first line of defense), functions for monitoring, control and compliance (second line) and functions for independent review (third line).
As part of the first line of defense, all relevant units have a responsibility for risk management and control within the management operations. This includes every management unit within investment operations in addition to business support functions, such as Back office, Finance and Legal.
The second line of defense consists of the Performance, Risk and Control unit (ARK) and the Compliance function. ARK and Compliance are two steps away from the management operations and are independent units, each reporting directly to the CEO and the Board.
Financial and operational risks
On-going risk management is divided into financial risks and operational risks.
Financial risks consist primarily of market, credit and liquidity risks.
The CEO allocates financial risks to the various management units based on the Board of Directors’ risk mandate. Managers are responsible for the risk management within their respective mandate. Within the mandate, risk management occurs through calculated risk-taking, which can have both positive and negative outcomes.
Financial risks are based on the Board’s resolution regarding the Normal portfolio’s asset allocation. In active management, the scope for risk-taking is limited based on the established risk mandates for the Strategic management in the medium term (3-15 years) and the Tactical management in the short term (up to 3 years).
Equity risk forecasts are used, which are split by management area, instrument, risk factor and more, to support AP4’s continuous work in optimizing risk-taking. AP4 analyzes and plans strategic risk-taking with the help of stress tests and different scenarios.
AP4’s operational risks are managed through an established process and methodology common to all funds. There should be key controls for material operational risks that, as far as possible, reduce the likelihood of risks materializing, or that mitigate the consequences when adverse events do occur. All managers and employees should be aware of the risks and the key controls as part of their daily work, and should conduct themselves in such a way that the business, assets and the reputation of AP4 are maintained.
Step 3. Follow-up and control
ARK is responsible for the risk processes and development of methods for risk analysis and control; it provides methods for risk identification, risk quantification, risk analysis and reporting of both financial and operational risks. In addition, ARK has the task of verifying that the statutory investment rules, investment policy, risk management plan and the CEO’s decisions are applied within operations.
ARK’s work includes the careful measurement and analysis, together with the daily reporting, of return and risk, both in absolute terms and relative to benchmarks, and the reporting of any breaches of applicable regulations.
ARK is divided into three functions: return analysis, risk analysis and risk control.
The return analysis function is responsible for valuation policies of all instruments and for the daily analysis, control and reporting of the outcomes of return, risk and risk-adjusted returns. AP4’s three investment horizons, including each mandate’s investment process, are monitored in both absolute terms and relative to the benchmark. The function also monitors AP4’s "traffic lights" on the Strategic and Tactical levels.
The risk analysis function is responsible for analysis, control and reporting of predominantly market risks. Market risks are defined partly as risks relative to the benchmark index, active risk in the short and medium term, and partly in absolute terms as contributions to the overall portfolio risk.
Market risks are divided into AP4’s three investment horizons (up to three years, 3-15 years and 40 years) and are analyzed using risk contribution, stress testing and scenario analysis based on each mandate’s investment process.
The risk analysis includes daily monitoring of risk and return of the Tactical management and a monthly follow-up of the Strategic management. In this manner, AP4 has access to the forecasts of the aggregate risks in the investments, both in absolute terms and relative to the benchmark. In connection with new Strategic management investments, a stress test analysis is conducted using historical scenarios to assess the risk contribution to the portfolio.
Risk Control is responsible for monitoring and controlling financial risks, primarily credit and liquidity risks. The risk control function is also responsible for monitoring the operational risks in investments and ensuring that the rules regarding operational risk are complied with.
Operational risks within AP4 are managed through an established process and methodology common to the funds. This includes process mapping, identification and evaluation of risks and implementation for all mapped processes at least annually. There should be key controls for material risks that, as far as possible, reduce the likelihood of risks materializing, or that mitigate the consequences when adverse events do occur. In the process of valuing risks, the key controls should be quality-assured to ascertain that they provide the required functionality and effectiveness.
Within risk management, it is especially important to evaluate change and its effects on the business’s operational risks. Operational risks are evaluated specifically in connection with the implementation of new products, systems changes and organizational changes.
To minimize operational risks, a clear division of responsibilities and authority should be documented through written instructions. Prevailing processes and procedures must reflect sound internal control, and must be documented through the relevant instructions. The so-called four-eyes principle is applied consistently.
The Compliance function oversees the operations’ compliance with laws, regulations and other rules, policies, instructions and internal rules, including ethical guidelines. This responsibility includes supporting the operations regarding regulatory compliance issues and analysis of business compliance risks.