Governance is one of the most prominent features on the regulatory landscape for insurers. Intensive scrutiny over governance arrangements will be a characteristic of the FSA's supervisory approach as announced in the Turner Review in early 2009. The Walker Review proposals for governance arrangements within UK banks and other financial industry entities (including insurers) set out the scale of structural and cultural changes required to reach best practice. But an equally compelling motive for insurers to reassess their systems of governance is that it forms an integral part of the Solvency II regime.

Although a number of existing governance regulations currently impact insurers, such as those within the FSA handbook and the Companies Act 2006, Solvency II will catalyse a re-examination of whether insurers' governance models are fit for purpose. Embracing this opportunity for change could unlock cost efficiencies through improved organisational design, information and processes while failure to implement and communicate effective governance approaches to the regulator could lead to additional regulatory capital charges under Pillar 2.

In this article we explore those areas that insurers may find particularly challenging when trying to enhance their risk governance as part of Solvency II. In particular we focus on the need for an organisational structure that supports effective oversight and challenge of capital and risk management. In addition, we reflect on the importance of robust management information, as well as the governance challenges associated with developing and embedding an internal model. (The distribution of rights and responsibilities relating to a firm's broader corporate affairs, for example the relationship with shareholders, is not considered within our risk governance discussion here.)

Implementation challenges posed by Solvency II

Although the new regime is scheduled to be implemented in the EU in October 2012, many insurers have paid heed to the FSA's advice to initiate Solvency II gap analysis, design and implementation programmes. The advice to start early is equally relevant to risk governance. Underestimating the time and complexity of changing governance arrangements is a common pitfall. While changing structures and processes can appear relatively straightforward on paper, truly embedding change in a firm's governance arrangements is a more challenging and subtle undertaking, not least due to the level of Board and Executive input, buy-in and consensus required.

A widespread misconception is that all effort should first be concentrated on getting the Pillar 1 mathematical calculations correct. Successful implementation of Pillar 1 requirements may also require acceleration of certain risk governance aspects; for example, a training programme for senior management running in parallel to internal model design may be necessary so as not to delay the approval process. It is our belief, informed not least by our experience with Basel II, that a joined up view of Solvency II requirements across the three Pillars is the only way to tackle Solvency II efficiently.

Delivering and demonstrating effective oversight & challenge

Many insurers have adopted the "three lines of defence" risk governance model, shown above in its most typical form. Despite embracing this model, some insurers still struggle to articulate how oversight is apportioned between the risk management and other specialist functions, such as actuarial or treasury departments. Although the Solvency II Directive does not refer to this issue explicitly, transparent apportionment of oversight responsibilities and the existence of independent checks and challenges are critical to achieving "an adequate organisational structure with a clear allocation and appropriate segregation of responsibilities"1.

Some insurers take the approach that specialist functions, such as actuarial, are "second line" and responsible for oversight for specific areas of the risk universe. Other firms require the risk management function to oversee these specialist functions, but are then faced with the necessity of building sufficient expertise within the risk team. It is not unusual for specialist functions to perform a combination of first and second line activities, for example providing management information and processes to support the first line, while providing oversight and challenge of Business Units as part of a second line role. Organisations should be alert to the potential for conflicts of interest and avoid situations where a specialist function is performing a first and second line role over the same business or technical area. Insurers should be able to demonstrate the existence of objective review and skilled challenge of key decisions as part of their articulated governance model.

Ensuring that the Chief Risk Officer and risk function have sufficient standing in the organisation is vital to achieving meaningful challenge and ultimately the effective risk governance required by Solvency II. The Chief Executive of the FSA earlier this year expressed the view that appropriate stature to provide genuine challenge will only materialise if an executive director solely responsible for risk is on the main Board2. In those insurers where the CRO reports to the CFO, consideration should be given to whether the CRO has appropriate and unfettered levels of access to the CEO and the Board and whether a Board reporting line needs to be defined in addition to the Executive reporting line. The role of an independent Non-Executive Director ("NED") is also the subject of much discussion in the wake of the Walker Review's call for a materially increased time commitment from NEDs including the formation of a Board Risk Committee, chaired by a NED. Although the final report from Walker will only be released in November 2009, it seems likely that NEDs will be expected to demonstrate more active involvement in risk management discussions, including proactive requests for information on a firm's underlying risk exposures, the linkage to the capital position and challenge of risk appetite.

Driving competitive advantage through an integrated approach to risk and capital

At the heart of Solvency II is the need for more closely integrated risk and capital management which will drive better aligned interactions between risk, finance, actuarial and the business through this cycle. As illustrated here, true integration will permeate multiple aspects of the organisation from strategic decision making, to business processes and performance management.

At present, insurers have risk management functions, capital management procedures and business processes, but they are typically managed separately from each other, often operating in silos. This can lead to duplication of effort and business decisions taken without due consideration of the relevant risks. The scope and mandate of control functions (such as risk, compliance, actuarial and finance) will also need to be aligned and agreed. An integrated approach to risk and capital may also necessitate revisiting committee structures and considering whether the right discussions are taking place in the right forum. Insurers should also appraise whether resources with the right skills and expertise are in the right places. For example, the compliance function may need additional resource and closer alignment with the risk management function to effectively advise on prudential compliance (as suggested by the Directive).

Although investment will be required by many insurers in order to design and implement their target organisational design for integrated risk and capital management in a post-Solvency II world, taking a fresh look at the organisation provides a significant opportunity to draw out synergies. Stripping out organisational inefficiencies and duplicative processes offers the potential to deliver operational excellence and competitive advantage as well as providing a robust platform for improving the wider target operating model.

Governance over internal models

The internal model should be the "backbone" of the information used to inform decisions about the business. Embedded properly, it should inform strategy and be used for a wide range of business decisions including product development, pricing, investment strategy, capital management, assessing customer benefits and assessing the riskiness of the business strategy.3

The decision to develop an internal model for Solvency II brings with it several governance challenges:

Optimising use of specialist resource

Under the Solvency II Directive, ownership for the internal model is within the risk management function, including responsibility for design and implementation of the internal model; testing and validation; and documentation and analysis of performance of the model. Assigning these tasks to the risk function is intended to encourage the internal model to be embedded and maintained as an effective risk management model. However the actuarial function is tasked with specific responsibilities and sign-offs over the internal model outputs, namely: reserving; capital; data suitability; underwriting policy; and reinsurance arrangements. Clearly the risk management and actuarial functions will need to work closely together in order to make this work.

We recommend insurers give careful thought to how responsibilities for development, validation and on-going review of the model are allocated. Firms should be alert to the possibility of conflicts of interest and think proactively about how these should be mitigated. If risk and actuarial personnel have been involved in the development of an internal model, how will they be able to objectively validate the model? This dilemma encapsulates the challenge that all insurers face – how to optimise use of specialist skills and resources. In the case of the internal model, firms may need to involve external specialist support or have additional actuarial expertise within the risk management function independent of the actuarial function. Use of internal audit should also be carefully considered; involvement at the validation stage, for example, could compromise internal audit's ability to form an independent view of the control environment once the model is embedded.

Senior management responsibilities

The significance of the internal model to the business makes a robust review and approval process a prerequisite. Our experiences with Basel II have led us to believe that the regulator will look for evidence of robust and detailed challenge by the highest levels of authority, as opposed to mere "rubber-stamping". Drawing from lessons learned in the financial crisis, where some Boards and management did not fully understand complex models used within their businesses ("misplaced reliance on the maths" as the Turner Review termed it), CEIOPS's expectations4 are that senior management will understand:

  • the logic behind the internal model;
  • the dynamics of the model;
  • the limitations of the model (including statistical assumptions and limitations in business planning assumptions); and
  • in which areas and on which entity hierarchy level, diversification effects arise.

Ensuring sufficient senior management understanding of risk modelling approaches to enable effective review could present challenges for many insurers. With the first wave of dry runs for internal model approval fast approaching, plans for stakeholder engagement and training should not be delayed.

Enhancing management information

The recent financial crisis has highlighted the importance of getting aggregated and reliable risk information to the right levels of the organisation. In order to provide effective challenge, Directors and management require appropriate and timely information, presented in a way that minimises the time required to distil it and gives sufficient prominence to key messages. Incorporating a forward looking dimension that better enables allocation of appropriate resource is considered best practice.

Insurers face several challenges in achieving this. Firstly, reporting from control and assurance functions such as risk, finance and internal audit typically is not aligned in terms of language or scoring, making it difficult for users to obtain a clear understanding of the impact upon risk profile. Large organisations can also face differences in methodology and risk terminology across business units or geographies. Secondly, lack of clean and accurate data can pose a major barrier. Due to legacy products, manually intensive processes and multiple systems and models, many insurers find reporting a complicated and time consuming process.

These challenges will need to be surmounted in order to meet the Solvency II requirement for information systems that produce "sufficient, reliable, consistent, timely and relevant information on all business activities, commitments and risks to which the firm is exposed".5

Gaining regulatory credit through governance disclosure

Under Solvency II, firms will need to provide annual reports to the regulator (Report to Supervisors) assessing the effectiveness of the system of governance, including all key functions and incorporating the conclusions from their Own Risk and Solvency Assessment ("ORSA"). Furthermore, annual public disclosure of governance arrangements through the Solvency and Financial Condition Report will also be required. Insurers will therefore need to document their governance and risk management arrangements in a comprehensible form. Most insurers have some expression of their governance model (for example descriptions of corporate structures and committee roles and responsibilities) but other requirements may be new for many insurers, for example an assessment of the adequacy of the system of governance for the insurer's risk profile. We therefore recommend that insurers undertake an appraisal of whether their current documentation is fit for purpose. Experiences during Basel II demonstrated that a firm's system of governance was one of the first areas reviewed by the regulator during the waiver application process. Those firms with a carefully thought out and well articulated governance model found the process considerably easier than peers with less comprehensive information. Good disclosure can pay regulatory dividends.

A change in mindset

Changing mindset, behaviour and organisational culture can be the biggest challenge of all. The CEIOPS consultation paper on governance places emphasis on the fact that culture and the appropriate "tone at the top" are necessary to support effective operation of the system of governance. Developing an appropriate controls culture is important but is not the only behavioural shift required. Too often risk management is perceived as synonymous solely with issue and loss prevention. Emphasising the business benefits of Solvency II, such as more competitive product pricing and better informed decision making, rather than focusing solely on the regulatory compliance aspect, may help change thinking and get buy-in from the business.

Our conclusions

Insurers should not underestimate the challenges they will face in trying to achieve effective and robust governance in preparation for Solvency II. In the face of competing priorities it will be all too easy for governance to be overlooked in favour of more technical areas. Areas where early consideration may pay dividends include:

  • refreshing roles and responsibilities of key individuals and control functions to deliver effective oversight as well as yield operational efficiencies;
  • optimising use of skilled resource for development, validation and on-going review of internal models; and
  • early senior management training and engagement to enable effective challenge of the internal model during the review and approval process.

With risk governance high on the FSA's agenda, insurers should expect to be subject to significant regulatory scrutiny in this area. However opportunities abound. Developing efficiencies within the organisational structure and a streamlined reporting process has the potential to create both value and competitive advantage.

Footnotes

1 Article 41, Solvency II Directive, approved by the European Parliament on 22 April 2009

2 Speech by Hector Sants, Chief Executive FSA to the Securities & Investment Institute Conference, 7 May 2009

3 These are some of the uses suggested by CEIOPS (Committee of European Insurance and Occupational Pensions Supervision) in Level 2 Implementing Measures of Solvency II: Tests and Standards for Internal Model Approval

4 CEIOPS, Implementing Measures on Solvency II: Tests and Standards for Internal Model Approval, July 2009

5 CEIOPS consultation paper on Level 2 Implementing Measures on Solvency II: System of Governance, March 2009
