6 Final report on Ernst & Young’s review of investment management at Norges Bank

Letter of 19 December 2007 from Norges Bank to the Ministry of Finance

1 Introduction

We refer to the Ministry of Finance’s letter of 18 September 2007 enclosing the final report from Ernst & Young’s review of investment management at Norges Bank. In the letter, the Ministry asks for the Bank’s comments on the report and also for a more specific review of risk management in its investment management, particularly in the light of the additional requirements for the management of market, counterparty and operational risk which entered into force on 1 January 2006 and are to conform to internationally recognised standards and methods.

Our letter is structured as follows. First, we discuss the background to Norges Bank’s letter of 11 March 2005 where we proposed changes in the operational management framework, which the Ministry largely endorsed through the changes made to the framework with effect from 1 January 2006. Next, we look at the Bank’s risk management and the steps we have taken in recent years to improve risk management, with particular emphasis on the management of operational risk. Finally, we have some concrete comments on Ernst & Young’s recommendations.

We would stress that Norges Bank has always attached importance to having adequate risk systems and control procedures in its investment management. After the letter was sent to the Ministry in March 2005, we embarked on a process of strengthening the control of risk. In Norges Bank’s opinion, the additional requirements in the Guidelines have been met in the period since January 2006. We are also working on continuous improvement. This work has taken place independently of the assessment performed by Ernst & Young.

2 Norges Bank’s letter of 11 March 2005

In that letter, Norges Bank proposed a number of changes in the framework for the operational management of the Government Petroleum Fund, now the Government Pension Fund – Global (“the Fund”). These proposals covered both matters of principle and practicalities, but would have little effect on the general strategy which largely determines the Fund’s expected risk and return. The idea behind the changes was partly to simplify everyday management and partly to open up opportunities to generate a slightly higher return than would otherwise be the case. In this context, we will look only at the proposals in the letter concerning the requirements which the Ministry should make in terms of risk management, measurement of return and reporting.

In the letter, Norges Bank stated that the proposed changes in the rules should naturally be accompanied by requirements of Norges Bank as an investment manager, which had been insufficiently provided for in the existing rules. This applied primarily to two areas: (a) principles for valuing the Fund’s assets, and (b) requirements for the management, measurement and control of risk, including operational risk. The letter also states (section 4.4):

“This can most appropriately be achieved by requiring that this must be done in accordance with best practice and internationally recognised standards. Such standards cover best practice for everything from the valuation of different asset classes, measurement methods for different types of risk, and the publication of performance calculations, to procedures and assessment criteria for operational risk.

Limits and measurement methods have already been established for market risk. Norges Bank proposes that parts of credit risk be managed implicitly by setting a limit for market risk and be measured accordingly. Norges Bank also proposes that management requirements for the remaining part of credit risk (counterparty risk) be established separately with an accompanying measurement method. Management requirements and measurement methods for operational risk can be established by referring to standards and market practice in the field. Which standards are to be used as a yardstick can be specified in the Management Agreement between the Ministry of Finance and Norges Bank, together with more detailed requirements for the frequency and content of reporting from Norges Bank to the Ministry of Finance.”

The Ministry of Finance endorsed many of the Bank’s proposals, and the Regulations and Guidelines were revised with effect from 1 January 2006. The Ministry incorporated new provisions establishing requirements for valuation, measurement of return, and management and control of risk. The key provisions are to be found in section 4 of the Guidelines. These provisions formed the point of departure for Ernst & Young’s assessment of Norges Bank’s investment management:

“Valuation, measurement of return and management, measurement and control of risk shall comply with internationally recognised standards and methods. The Fund cannot invest in markets, asset classes or instruments if these requirements cannot be met.

4.1 Valuation and measurement of return

The method used to establish the value of financial instruments shall be verifiable and shall indicate with reasonable assurance the true value of the Fund’s assets at the time of measurement. Valuation shall take place at least monthly and shall be based on market prices or, in cases where market prices cannot be observed, on recognised price models.

4.2 Management, measurement and control of risk

4.2.1 Market risk

Market risk shall be measured in such a way that compliance with the limit on relative risk in the Pension Fund can be documented. Best practice in the area shall be employed in regard to measuring methods, decomposition and measurement frequency.

4.2.2 Counterparty risk

Norges Bank shall have satisfactory routines and systems for selecting and evaluating counterparties. The monitoring system and measurement frequency employed for control of counterparty risk, including requirements on minimum credit rating and exposure limits, shall follow best practice in the area.

[…]

Norges Bank must lay down such supplementary requirements on credit rating, provision of security and exposure limits as are appropriate in the operative management, and shall measure overall exposure to counterparties using internationally recognised methods that meet necessary requirements as to verifiability and accuracy.

[…]

4.2.3 Operational risk

Identification and measurement methods shall comply with internationally recognised standards for the various dimensions of operational risk. Operational risk shall be identified and shall be measurable and controllable before new activities (e.g. investments in new countries, instruments, asset classes, counterparties, external service providers, IT systems etc.) are started.”

3 Norges Bank’s response to the new risk management requirements

As mentioned above, the Guidelines on the management of the Government Pension Fund – Global state: “Valuation, measurement of return and management, measurement and control of risk shall comply with internationally recognised standards and methods. The Fund cannot invest in markets, asset classes or instruments if compliance with these requirements cannot be documented.” In its letter, the Ministry of Finance asks Norges Bank to describe how these requirements have been met in the period since 1 January 2006.

Valuation, measurement of return and risk management are at the heart of the operations of Norges Bank’s investment management division Norges Bank Investment Management (NBIM). Good and robust processes in these areas are crucial to professional international investment management. One indication of this having functioned satisfactorily in terms of the management of market risk, valuation and measurement of return is that the independent reports drawn up by Mercer Investment Consulting on behalf of the Ministry of Finance have never come up with valuations and measurements of return which differ materially from NBIM’s. Other indications of there having been good control even before the Guidelines from the Ministry of Finance were amended are that:

• there have been no material breaches of the investment guidelines.

• Central Bank Audit’s statements to the Ministry on the Fund’s quarterly and annual reports have been unqualified. Nor have Central Bank Audit’s reviews of reporting to the Executive Board and Supervisory Council uncovered any material shortcomings in the control environment.

• market risk has been measured using tools and methods which have been (and remain) transparent, so allowing the calculations to be verified by others.

As noted in the introduction, we believe that the additional requirements in the Guidelines have been met during the period since January 2006. We are also working on continuous improvement. This work has taken place independently of the assessment performed by Ernst & Young. Below we make some comments on the main principles which NBIM observes and on the ongoing improvement process.

At the heart of NBIM’s operations lies clear delegation of investment limits from the Executive Director of NBIM to the Chief Investment Officers (CIOs) for fixed income and equity management, and then to group leaders and on down to the managers of the individual mandates. Each manager is awarded a clearly defined mandate with a clear risk limit and is personally responsible for, and assessed on, the decisions taken within that limit. The first line of defence, 1 which is responsible partly for monitoring the individual investment mandates, lies within the fixed income and equity departments. These functions are organisationally separate from investment management and report to the Chief Operating Officers (COOs) for equity and fixed income management. The COOs report on their exercise of these functions to the Executive Director of NBIM. There is therefore adequate control even at this level, in that the evaluation of performance is kept outside the actual investment management line.

The second line of defence , including valuation, measurement of return, risk management and performance reporting, is the responsibility of a separate unit – Risk, Performance & Accounting (RPA), which reports to the Chief Financial Officer (CFO). RPA was substantially reinforced in 2007 and is now fully manned with 16 employees. Staffing levels were low in the first half of 2007, but acceptable reporting and controls were still maintained, thanks in part to resources contracted in. RPA is responsible for deciding on the principles and sources for the pricing of securities used for valuation. This forms part of the process for the approval of instruments. Without this defined hierarchy, investment is not permitted. The CFO is responsible for the final approval of new instruments for investment. 2 With the exception of a small part of the fixed income portfolio, RPA also receives prices from independent providers. With the part of the fixed income portfolio where the source of prices is the fixed income department, RPA carries out random sampling.

NBIM is currently carrying out a project to make valuation as independent as possible of those who make investment decisions. As part of this project (“Independent Pricing”), NBIM is to ensure that all holdings are priced or verified by players independent of NBIM and external managers. RPA will nevertheless have the final say on valuations at month-end. NBIM has chosen a model where all holdings are channelled from the designated external accounting service providers through a price coordinator. The price coordinator himself performs the valuation of instruments defined as “easy to price”. Securities defined as “complex” are forwarded to one of the chosen external price providers. NBIM aims to finish drawing up contracts with relevant providers by the end of 2007. The mandates will then go into production in two waves during the course of 2008.

RPA has also appointed a project group which is working on a new risk system for the measurement and management of counterparty risk. The system is to conform to best market practice. At present, RiskManager (RiskMetrics) is used to measure market risk, and the aim of the project is for the same system to be used to measure counterparty risk. However, it may also be appropriate to consider other systems. NBIM aims to complete the project during the first half of 2008. The new system will mean more extensive and timely monitoring of counterparty risk. In the opinion of Norges Bank, today’s measurement and monitoring systems provide acceptable management of counterparty risk, but are not quite up to best practice internationally. Private banks in particular have come a long way in this field, due in part to new regulatory requirements (Basel II).

Until 2006, the need for operational risk control was met through Norges Bank’s established procedures for internal control and risk analysis. The Bank’s work on internal control is based on the 1997 Internal Control Regulations from Kredittilsynet (the Financial Supervisory Authority of Norway), tailored to Norges Bank’s management system.

Ernst & Young confirms in its report that the principles underlying NBIM’s project for mapping and reporting operational risk conform to international best practice. However, the project was not complete when Ernst & Young finished its work. Norges Bank can confirm that the project was completed as planned and that operational risk has been reported monthly in line with the new guidelines since June 2007. All of NBIM’s departments have appointed a person to be responsible for operational risk. The Executive Board has defined its risk limits and will receive a report each quarter. The first such report was for the second quarter of 2007.

The third line of defence was provided by Central Bank Audit until 1 June 2007. In 2006, the Executive Board and Supervisory Council decided to establish a new audit set-up within the constraints of the Norges Bank Act. Important reasons for this were the increased scope and complexity of investment management and a desire to move into line with recognised governance and control principles. This resulted in the establishment of the Executive Board’s Audit Committee and an Internal Audit department, and the clarification and streamlining of Central Bank Audit’s role as an external auditor reporting to Norges Bank’s Supervisory Council. The new audit set-up came into force on 1 June 2007.

Internal Audit is to help ensure, on the Executuve Board’s behalf, that Norges Bank achieves its objectives, by verifying that adequate and effective management of significant risks has been established and is being implemented in the Bank, and that internal control is appropriate and adequate. Internal Audit is to issue statements and offer advice, independently and objectively, to the Audit Committee and the Executive Board in order to help improve the management and control systems. The Executive Board issued instructions for Internal Audit on 13 June 2007. Internal Audit has established processes to ensure that its role as the third line of defence is fulfilled by overseeing NBIM’s management of the most important risks. Internal Audit will also be able to bring in external expertise from one of the large accounting firms to ensure that internal auditing is always performed in accordance with international standards and best practice. During the course of 2008, Internal Audit will be auditing NBIM’s system for the management of operational risk. The aim of this audit will be to confirm that the system now established conforms to best practice in the field.

The Executive Board’s Audit Committee consists of three of the Executive Board’s external members and functions as a preparatory body for the Executive Board in specific areas, primarily in relation to the Executive Board’s oversight functions and responsibility for risk management and internal control. The mandate for the Audit Committee was laid down by the Executive Board on 16 August 2006. The Committee reports to, and is answerable solely to, the Executive Board concerning the discharge of its duties. The Committee’s activities do not change the responsibilities of the individual members of the Executive Board or of the Executive Board as a whole.

Central Bank Audit is Norges Bank’s statutory auditor and performs financial auditing and supervision on behalf of the Supervisory Board. Central Bank Audit is not covered by the Auditors Act, but instructions issued by the Supervisory Board require its financial audits to be performed in accordance with the provisions of the Auditors Act and Norwegian generally accepted auditing standards.

To strengthen the external auditor’s independence and expertise in its auditing of the Bank’s investment management activities, the Supervisory Board has decided, following an invitation to tender, that Central Bank Audit shall enter into a cooperation agreement with the international accounting and consulting firm Deloitte. Deloitte will play a key role in the financial auditing of investment management with effect from the 2007 financial year.

Norges Bank believes that, following the changes made in 2006 and 2007, the Bank’s audit set-up conforms to best international practice given the constraints of the Norges Bank Act. By entering into a cooperation agreement with an international accounting firm (Deloitte) on the auditing of its investment management activities, the Bank has strengthened its international expertise in the auditing of financial reporting, including valuations and assessment of internal control in accounting processes and accounting, both at Norges Bank and at external service providers.

4 Norges Bank’s comments on the report from Ernst & Young

The report from Ernst & Young presents internationally recognised principles in the different areas of risk and return measurement. The report also contains a relatively detailed presentation of how Ernst & Young believes Norges Bank to be complying with these principles. In the Bank’s opinion, this presentation largely confirms that we have met these requirements. As Ernst & Young itself points out, a number of its recommendations are relevant only if Norges Bank’s role is expanded with an absolute return mandate. The recommendations from Ernst & Young are commented on in the following.

a. General principles for requirements for reporting to the Ministry

The report from Ernst & Young refers to governance principles and frameworks for monitoring and reporting risk in financial institutions. Norges Bank believes that these principles form a good point of departure for what best practice in the field should be. However, the principles need to be tailored to the unique management model for Norges Bank and the management of the Fund which results from the Norges Bank Act, the Government Pension Fund Act and the associated Regulations and Guidelines. This needs to be taken into account if these principles are to be used for further operationalisation of the framework for the Fund.

The management of the Fund is formally governed by the Regulations laid down by the Ministry and the Management Agreement which governs the parties’ mutual rights and obligations. There is also another important dimension in the management of NBIM’s operations and the management of the Fund. Norges Bank is an independent legal entity, and the Bank’s Executive Board is appointed by the King. The Bank’s overseer, the Supervisory Council, is appointed by the Storting (Norwegian parliament). The Supervisory Council organises the Bank’s auditing. Central Bank Audit is Norges Bank’s statutory auditor and performs financial auditing and supervision on the Supervisory Council’s behalf.

The level of detail at which Norges Bank should report on its activities is primarily a question of at which levels controls should be performed, and of what the Ministry of Finance requires as a basis for the decisions for which the Ministry itself is responsible. The management role has been delegated to Norges Bank, and it is also important that this delegation is real and is generally based on the Bank’s governing bodies discharging their duties. One key responsibility for the Executive Board is to ensure adequate and systematic internal control (cf. Kredittilsynet’s Internal Control Regulations, on which the Executive Board has largely based internal control at Norges Bank).

In other words, the question of the level of detail is a matter of achieving rational delegation. The Ministry of Finance needs to keep itself adequately informed at all times about how the management role is being performed. At the same time, it is important that its delegation is real so that Norges Bank’s bodies have clear roles and responsibilities.

b. Governance

Roles and responsibilities . Ernst & Young identifies five governing bodies: the Storting, the Ministry of Finance, Norges Bank’s Supervisory Council, Norges Bank’s Executive Board, and NBIM’s executive management team. For each of these governing bodies, Ernst & Young recommends the following:

• Responsibilities for establishing market, credit and operational risk should be described and documented at a more granular level than today.

• Risk monitoring and reporting requirements should be described more specifically.

• Reporting should meet each body’s responsibilities for monitoring of risk in both content and frequency.

• Each body should have access to adequate and independent international investment management expertise.

Norges Bank will comment only on matters concerning the Bank itself in the following. First, we would point out that the general recommendations of “more granular” and “more specific” descriptions and documentation may be difficult to assess and act upon without more concrete elucidation. It would also seem that the recommendations have not been tailored to the overall administrative and regulatory framework. Norges Bank will consider whether there is a need for more detailed determination of responsibilities, documentation and reporting in terms of the Bank’s governing bodies.

The Executive Board has laid down guidelines for investment management, and the Governor of Norges Bank has issued a job description and investment mandate for the Executive Director of NBIM. The Executive Director of NBIM, in turn, has issued job descriptions for those reporting to him, and investment mandates for those heading up equity and fixed income management. NBIM reports to the Executive Board quarterly and holds monthly meetings with the Governor of Norges Bank where performance, risk and any breaches of the guidelines are reported. The Executive Director and CFO of NBIM hold monthly meetings with written reports from the departments reporting to them.

When it comes to the recommendation of access to adequate and independent international investment management expertise, we would refer to the Executive Board’s appointment of an Advisory Board on Investment Management in 2006. This board consists of four internationally recognised advisers with extensive experience from large investment management institutions. The Committee has meetings with the Executive Board two or three times a year. When it comes to the Supervisory Council’s role, we would point out that Central Bank Audit is Norges Bank’s statutory auditor which performs financial auditing and supervision on behalf of the Supervisory Council. The aim of this supervision is to ensure, on the Supervisory Council’s behalf, that the Bank’s investment management is subject to adequate controls, that its operations are financially sound, and that its business is conducted in accordance with applicable laws, agreements, decisions and requirements. To strengthen Central Bank Audit’s access to resources and expertise, especially when it comes to investment management, an arrangement has, as mentioned above, been made with Deloitte AS, one of the leading international accounting firms. This has greatly improved access to adequate and independent international expertise in financial auditing.

Otherwise, the Supervisory Council’s instructions for Central Bank Audit state that its supervisory activities are to be based on risk assessments and assessments of the Bank’s management and control procedures, including the work of Internal Audit. The instructions establish detailed requirements for Central Bank Audit’s reporting, including the requirement that reports to the Executive Board are to be submitted to the Supervisory Council together with any comments from the Executive Board. The same normally applies to any reports made directly to the Supervisory Council. In addition, the Supervisory Council can ask Central Bank Audit for such special audit and control tasks or reports as are deemed necessary for the Supervisory Council’s oversight function.

Risk policy, risk tolerance and reporting. Norges Bank agrees that there should be a document describing risk limits, escalation procedures, control measures and reporting to the Bank’s governing bodies. In the case of operational risk, this has largely been achieved with the establishment of the new framework. The equivalent can be established for market and credit risk. Norges Bank will consider whether the Audit function’s independent review of the Bank’s internal control needs to be expanded to comply with SAS 70 standards.

c. Operational risk

Governance. Norges Bank agrees with the governance principles proposed by Ernst & Young for operational risk. Norges Bank also agrees that the recently completed project on operational risk ensures that these principles are adhered to. Those of Ernst & Young’s recommendations which are under Norges Bank’s control have already largely been acted on.

Norges Bank also agrees with Ernst & Young’s principles, description and recommendations for all parts of the operational risk area. In the budget for 2008, NBIM has earmarked funds for purchasing and implementing a new system for operational risk management to replace the current solution.

d. Market risk

Governance. Norges Bank agrees that the principles set out by Ernst & Young for the management of market risk can be used as a point of departure for further operationalisation of the framework for the Fund. Risk appetite is expressed by the Ministry of Finance as a maximum expected tracking error, supplemented with quantitative limits at asset class level. NBIM uses a broader range of risk measures in delegating and monitoring the overall risk mandate. Any expansion of the scope of investment restrictions by the Ministry of Finance should not take place without thorough assessment of the degree to which this might entail unnecessary and/or inconsistent restrictions for the Fund which would be difficult to operationalise and could have a negative impact on the Fund’s return. This would also run counter to the changes made by the Ministry of Finance on the basis of the recommendations in Norges Bank’s letter of 11 March 2005.

As mentioned above, key functions at NBIM have been significantly reinforced to ensure adequate capacity in the independent control environments. This goes for both expertise and system support. The ongoing Independent Pricing project will promote better data integrity in measurement and reporting.

Risk identification. The process for approving new products and countries (including activities) mentioned above must always ensure that new instruments are handled appropriately in all systems and subject to adequate control procedures. Until summer 2007, the process was owned by the head of RPA, and final approval was given by the Executive Director of NBIM. Since summer 2007, when the CFO started, the process has been owned by the CFO, and he is also responsible for final approval.

Risk assessment and management. As the Fund’s investment universe and the range of instruments in the Fund expand, it will be natural for NBIM to supplement general monitoring of the tracking error measure with other measures of risk, such as stress tests and measures of liquidity risk. Norges Bank does not share the view that liquidity risk is currently measured and reported inconsistently across the asset classes. It should also be noted that Ernst & Young shares our view that liquidity risk is less important to the Fund than it is to other investment managers and investors due to the Fund’s long-term nature. The use of tracking error or Value-at-Risk as the most important risk measure has to be considered in the light of this, namely as an expression of a long-term risk level and not as an expression of the most realistic short-term maximum loss.

Risk monitoring and management. NBIM has come a long way in defining responsibilities for monitoring, including setting requirements for the reporting of market risk. Norges Bank shares Ernst & Young’s view that the monitoring of market risk has good system support, is detailed, and features close managerial follow-up at all levels. Further improvement can be achieved by clarifying/documenting the risk management levels and delegation in the organisation.

Risk reporting and management information. The monthly written report from RPA to the Executive Director of NBIM is very detailed and is based largely on information and analyses performed independently of the two business lines. The monthly reporting to the Governor of Norges Bank is also detailed, with a description of risks and returns down to the level of the individual sub-portfolios. Norges Bank shares Ernst & Young’s view that there may be a need to supplement risk reporting with other risk measures when the Fund’s investment universe is expanded to include less liquid and/or unlisted investments.

e. Credit risk

Governance. Norges Bank agrees that the principles set out by Ernst & Young for the management of credit risk can be used as a point of departure for further operationalisation of the framework for the Fund. Norges Bank supports the recommendation of more detailed measurement parameters for credit risk in guidelines laid down by the Executive Director of NBIM. As the Fund’s investment universe and the range of instruments in the Fund expand, it will be natural for supplementary risk indicators to be developed in the monitoring of credit risk, including stress tests.

Risk identification. Norges Bank notes Ernst & Young’s assessment that the requirement for NBIM’s investment management that all investments have an external credit rating is satisfactory and in line with international market practice.

Risk assessment and measurement. Norges Bank agrees that credit risk should be measured and assessed with supplementary risk measures. This applies particularly to more complex non-linear exposures, and expansion of the Fund’s investment universe to include less liquid assets will also require more extensive measurement and monitoring of credit risk. NBIM has launched a project to introduce more sophisticated measurement methods for credit risk, and will assess the appropriateness of establishing pre-defined stress tests for the Fund’s credit exposure. We would also refer to NBIM’s planned new system for monitoring counterparty risk mentioned above.

Risk monitoring and management; risk reporting and management information. Norges Bank agrees with Ernst & Young’s assessment that the implementation of a more sophisticated and robust system will improve the management of credit risk in the Fund. We also share the view that expansion of the Fund’s investment universe will need to be accompanied by broader and stronger independent monitoring of credit risk. Important steps which have already been taken or begun in this context are the establishment of a dedicated Risk Manager function for counterparty and credit risk, and the implementation of new system solutions for measurement and monitoring. Implementation is expected to take place in 2008.

f. Performance and valuation

Norges Bank endorses Ernst & Young’s recommendation of detailed documentation of the procedures for valuing instruments and markets where there is no external source. This will apply particularly to non-linear positions. These considerations will be addressed by the aforementioned Independent Pricing project, which will also ensure that all positions are priced or verified independently of those taking investment decisions.

NBIM has sufficient resources and expertise to monitor pricing of the more complex instruments. To date, responsibility for this pricing has rested mainly with NBIM’s first line of defence under the COOs. Following recent recruitment to RPA, this group also now has sufficient expertise to perform the necessary valuations and challenge the model tool and assumptions underlying the pricing of unlisted (OTC) instruments.

Yours sincerely

Svein Gjedrem

Knut N. Kjær