Your SlideShare is downloading. ×
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Pillar 2: operational issues of risk management
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Pillar 2: operational issues of risk management

821

Published on

Published in: Economy & Finance, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
821
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
34
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. w w w.pwc.com/solvenc yII www.pwc.com/solvencyII o Pillar Pillar 2 Operational issues of Operational issues risk management risk management a2011 was crucial2011 wa s a crucialmilestone for in surancemilestone for insurancecompanies the path to mcompanies on the path toSolvenc y II compliance.Solvency II compliance.March 2012March 2012
  • 2. Contents Overview 4 1. Theoretical approach 6 1.1 General provisions of Pillar 2 8 1.2 What does the Directive say? 9 1.3 What do the implementing measures say? 12 1.4 COSO II - ERM 16 2. Operational implementation 20 2.1 Defining the risk management system 22 2.2 Implementing the risk management process 34 2.3 Managing cross-business projects 45 Overall conclusions 58 Contacts 59 This PwC White Paper focuses exclusively on the challenges of implementing the new Solvency II requirements. It provides the insurance industry with a single concrete methodology and framework, complete with milestones, for adapting the principles of Pillar 2 to their organisations.2 PwC Pillar 2, operational issues of risk management
  • 3. Foreword This White Paper is being issued at a crucial point in the Solvency II regulatory calendar. The challenge of ensuring compliance with Pillar 2 – the cornerstone of solvency risk prevention – is becoming clearer. The initial work on Level 2 measures concerning the system of risk governance is in its final stages. The measures for Level 3 began in 2011 and accelerated towards the end of the year, despite the fact that from January 2011 the Omnibus 2 Directive allowed for transitory measures as well as a grace period under certain conditions and for certain points. In this uncertain, but already well advanced, regulatory context, the priorities of the insurance industry are concentrated around Pillar 2, which involves the operational application of a risk strategy which is compliant with the Directive’s principles and obligations. These new obligations go to the heart of business and organisational management. They also represent an opportunity for companies to optimise their operational performance. In this respect, the documented procedures of Own Risk and Solvency Assessment (ORSA) offer a path to groundbreaking management of solvency over a strategic horizon of three to five years. PwC assists insurance companies in their projects and has worked side by side with them on risk management issues, including drafting the COSO 2-ERM standard. This White Paper is aimed at extending our contribution to compliance with Solvency II. Paul Clarke Jimmy Zou Global Solvency II leader Solvency II leader (France) PwC Pillar 2, operational issues of risk management 3
  • 4. Overview On the long journey towards compliance with the new Solvency II regulations, insurers (insurance and reinsurance companies, mutual insurers and insurance cooperatives) are at a crossroads: having thus far focused on the quantitative aspects of the Directive, referred to as Pillar 1, they are now turning towards the more complex qualitative obligations of Pillar 2.4 PwC Pillar 2, operational issues of risk management
  • 5. “Through its cross-disciplinary approach, this White Paper clearly presents the key points of risk management and provides illustrations of potential situations. This document reassures us on our approach and gives fresh insight into certain operational strategies for Pillar 2 projects.” Christophe Raballan, Head of Risk Management and Internal Control, MAIFIn 2010, insurance companies concentrated on assessing This paper is designed as a toolbox for those involved intheir ability to build accurate risk models, based on the new the organisational aspects of Solvency II compliance.framework, and to measure the impact of these requirements Following a brief overview of the regulatory requirementson the amount of capital required for the 1 January 2013 and the ERM framework, we break down the operationalimplementation. Companies have also recently finalised the issues involved in Solvency II compliance projects (riskQIS 5 exercises, which provided the opportunity to conduct management function, organisation and governance of thea first dry run to test calculation methods and processes. overall risk management processes, scoping of ‘cross-During this phase, the final adjustments necessary to business’ projects such as data quality and ORSA). We alsoimplement a process for drawing up economic assessments highlight the fundamental questions and, based on concreteand calculating solvency capital requirements (SCR) examples, sketch out the main operational approaches towere made. answering them.In early 2011, the work concentrated on Pillar 2 of Solvency II, As such, this paper is mainly directed at operationalwhich required companies to challenge their own risk Solvency II compliance project coordinators, projectculture, define – or redefine as needed – risk governance and managers and heads of risk. It should also provide usefulstrategy and consider the operational implementation of the information for the managers and directors of insurancerisk management function. As the keystone of the Directive is companies. Currently many insurers face difficult choices inbased on risk control, Pillar 2 compliance therefore raises finding the right balance between compliance requirementsmany questions for insurance companies. These tough (which can seem excessive) and adapting them to theirquestions often strike at the heart of business management company’s internal environment (a strict compliance orprocesses. ‘best-in-class’ approach to risk management?). We hope that you will find the guidelines developed below useful in yourQuestions you might ask yourself include: What exactly do compliance work.Solvency II regulations require? How should, or how can,these provisions be applied to my company? What constraintsand determining factors are used to configure an operationalrisk management system as accurately as possible? What arethe specific sub-projects that fall under Pillar 2 requirementsin my overall compliance project?The main difficulty shared by all of our clients, which weaddress in this White Paper, is how to interpret and apply theregulations properly to individual companies in orderto create a risk management process that meets therequirements in an appropriate and efficient manner. PwC Pillar 2, operational issues of risk management 5
  • 6. 1. Theoretical approach6 PwC Pillar 2, operational issues of risk management
  • 7. Introduction Under Solvency II, all companies must demonstrate that they have implemented an adequate and efficient risk management system. The two main vehicles used are: • The regulatory framework of Pillar 2 is the principal vehicle. Its provisions, outlined in a small number of articles in the Directive, cover regulatory requirements relating to the operational structure of risk management. These articles are further developed in implementing measures, some of which are currently under discussion. • The technical framework, COSO 21 ‘Enterprise Risk Management’ or ERM, which is most often used to understand what effective risk management criteria are. Rating agencies have now included ERM performance as an evaluation criterion in and of itself. In this report, we have provided a summary of the main provisions and concepts listed in these frameworks.1 COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, a non-profit commission which in 1992 established a standard definition for internal control and created a framework to evaluate its efficiency. PwC Pillar 2, operational issues of risk management 7
  • 8. 1.1 General provisions of Pillar 2Pillar 2 covers all of the required risk management principles and practices relating to the risk and capital estimates coveredby Pillar 1. The main provisions fall into the following four major categories:Figure 1: The principal provisions of Pillar 2 Risk governance New supervision process Internal model (Art. 41 to 49) (Art. 27 to 39) (Art. 120 to 126) • General governance requirements • A new supervisory review • Requirement to show that the (segregating responsibilities, process based on permanent internal model is used effectively managing conflicts of interest, etc.) dialogue with the regulator in monitoring (operational risk and in which the company management, capital allocation) • Principle of proportionality of bears the ‘burden of proof’ the risk system in relation to the • A concrete assessment based complexity of the risk profile • The option of the regulator on nine principles (adoption to sanction any quantitative by management, accurate • Definition of key functions or qualitative divergence reflection of risk profile, etc.) in risk management and the from expected standards scope of the risk system through ‘capital add-ons’ • Internal validation process for the model... • Fit and proper requirements for the main risk management roles • … and model sensitivity and stability tests. • Good conduct principles in terms of remuneration Own risk and solvency assessment (ORSA) (Art. 45) • A set of processes and procedures used to identify, assess, monitor, control and report internal and external long-term and short-term risks that an insurer faces or could face. These risks are used to determine the company’s capital requirement to ensure its solvency at all times. • The ORSA covers the regulatory requirements of Pillars 1, 2 and 3Source: PwCThe main difficulty in getting to grips and adapted to apply to the internal risks covered in articles 41 to 49, andwith Pillar 2 is that the articles and environment of your organisation. the Level 2 and 3 measures currentlyimplementing measures define the being defined and discussed betweenunderlying principles but offer no In light of this, we focus on the European Insurance and Occupationalstandards as to its practical application. organisational aspect of Pillar 2, Pensions Authority (EIOPA) and theThese principles must be interpreted namely the governance issues for the European Commission.8 PwC Pillar 2, operational issues of risk management
  • 9. 1.2 What does the Directive say?The European Solvency II Directive establishes the ground rules for good governance as a complete system composed offunctions and rules used by regulators and models for appropriate decision-making procedures. The system for riskgovernance (defined in Article 41) features seven main components, each with set expectation levels. These components aredetailed in an article focused on the Directive, as illustrated below.Figure 2: Risk governance GOVERNANCE (Art. 41) Fit and proper requirements (Art. 42 + 43) Risk management (Art. 44) ORSA (Art. 45) Internal control (Art. 46) Internal audit (Art. 47) Actuarial function (Art. 48) Outsourcing (Art. 49) Source: PwCArt. 41 – General governance their professional qualifications, and reporting procedures necessary torequirements knowledge and experience are identify, measure, monitor, manage andArticle 41 introduces the main themes adequate to enable sound and prudent report, on a continuous basis the risks,developed in Articles 42 to 49, but managment (fit); and they are of good at an individual and at an aggregatedabove all emphasises that, “insurance repute and integrity (proper).” level, to which they are or could beand reinsurance undertakings [shall] exposed, and their interdependencies.have in place an effective system of This information must be reported togovernance which provides for sound the supervisory authorities in the event That risk-management system shall beand prudent management of the of any changes and must be effective and well integrated into thebusiness.” documented. organisational structure and in the decision-making processes of theArt. 42+43 – Fit and proper Art. 44 – Risk management insurance or reinsurance undertakingrequirements system with proper consideration of theArticle 42 stipulates that “all persons Article 44 states that “insurance and persons who effectively run thewho effectively run the undertaking or reinsurance undertakings shall have in undertaking or have other keyhave other key functions [shall] at all place an effective risk-management functions.”times fulfil the following requirements: system comprising strategies, processes PwC Pillar 2, operational issues of risk management 9
  • 10. Article 44 describes limits in the scope covered by risk management (underwriting, asset-liability management, investment, operational risk management, liquidity and concentration risk management, reinsurance and, in part, the internal model). It stipulates that these risk management policies must be documented. To recap, the Directive: • presents the risk management function (hereinafter referred to as the ‘risk Function’) as an efficient, mandatory function integrated into the organisation • limits the scope of risks covered – notably risks used to calculate SCR, but not necessarily limited to just these risks • describes the specific responsibilities of this function, acting as the overall ‘conductor’ for the system and ‘pilot’ for the internal model, if applicable.10 PwC Pillar 2, operational issues of risk management
  • 11. Art. 45 – Own risk and solvency Art. 47 – Internal audit Art. 49 – Outsourcingassessment (ORSA) Article 47 stipulates that “the internal Finally, Article 49 informs us thatArticle 45 states that as part of its audit function shall include an “insurance and reinsurancerisk management system, every evaluation of the adequacy and undertakings remain fully responsibleinsurance and reinsurance undertaking effectiveness of the internal control for discharging all of their obligations...shall regularly “conduct its own system and other elements of the [when outsourcing] functions or any[proportionate and documented] risk system of governance… [and] shall be insurance or reinsurance activities”.and solvency assessment” to determine objective and independent from the The outsourcing of activities must notthe Solvency Capital Requirement operational functions.” impact the governance system,risk measure and calibration. business, operational risk or the ability Art. 48 – Actuarial function of the supervisory authorities toORSA essentially covers three major Article 48 describes the actuarial monitor compliance.points: function as an assessment function that aims to “coordinate the calculation of Moreover, undertakings shall notify the• as applied, ORSA shows whether or technical provisions; ensure the supervisory authorities prior to the not the risk management processes appropriateness of the methodologies outsourcing of “critical or important” developed by the organisation are and underlying models used as well functions or activities. appropriate as the assumptions made in the calculation of technical provisions;• it is integrated into business strategy assess the sufficiency and quality of the and is taken into account in the data used in the calculation of technical organisation’s strategic decisions. Its provisions; compare best estimates analyses and reports are taken into against experience; inform the account by decision makers administrative, management or supervisory body of the reliability and• the assessment can be performed adequacy of the calculation of technical following any significant change in provisions; oversee the calculation of the risk profile of the organisation. technical provisions..., express an opinion on the overall underwritingArt. 46 – Internal control policy; express an opinion on theArticle 46 states that “Insurance adequacy of reinsurance arrangements;and reinsurance undertakings shall and contribute to the effectivehave in place an effective internal implementation of the riskcontrol system [including at least] management system...”administrative and accountingprocedures, an internal controlframework, appropriate reportingarrangements at all levels of theundertaking and a compliancefunction.” PwC Pillar 2, operational issues of risk management 11
  • 12. 1.3 What do the implementing measures say? The Solvency II provisions concerning These specifications on the risk the organisation and risk governance management system are provided in system are based solely on the guiding the Level 2 measures in the document principles. The regulators want each “Advice for Level 2 Implementing organisation to be responsible for Measures on Solvency II: System of determining its own organisational Governance” (from Consultation Paper structure, and have therefore defined 33), published in October 2009. Level 3 only key functions and very general measures, currently in preliminary requirements. To help interpret Articles discussions, are based on the same 41 to 49, the regulators have, architecture and are expected to clarify nonetheless, given some specifics. certain points, depending on the level of the regulators’ requirements. Essentially, under these requirements all companies which are subject to Solvency II must demonstrate that, in line with these principles, they have an operational system for managing and overseeing its risks which guarantees: • a true understanding of the risks to which the company is exposed (risk profile) and a reasonable assessment of its exposure at any given time • a real operational risk management mechanism, i.e., key components are in place, and each component can do what it is supposed to do • reporting of required information and the ability of the regulatory authorities to make the necessary decisions.12 PwC Pillar 2, operational issues of risk management
  • 13. Figure 3: A summary of the provisions System of governance (SG 1, SG 2, SG 11, SG 13) • A clear, robust and well-documented system to encourage organisation • of of interest, ‘four-eyes principle’, documented of and proper requirements for all key functions Risk management (SG 3, SG 4, SG 7) (see focus) • Clearly documented processes, procedures and policies • A minimal scope of the ‘risk areas’ to be covered: underwriting, reserving, ALM, investments, liquidity and concentration, operational risk, reinsurance and other risk-mitigation techniques • Responsibilities: (i) ERM architect and coordinator, (ii) producing aggregated risk (iii) reporting on risk exposures and (iv) identifying and assessing emerging risks Compliance function – internal control (SG 5 and SG 8) • Reference to COSO framework (control environment, control activities, communication, etc.) • Responsibilities: (i) compliance of operations, (ii) management of operational activities and (iii) reliability of and information Internal audit (SG 9) • An independent, impartial and stand-alone unit with expertise in all businesses and processes fully within its scope • Requirement to issue an annual report based on an audit plan with a risk-based approach Actuarial function (SG 10) • Responsibilities: coordinating the calculation of technical provisions, assessing the appropriateness of data methods and quality, back-testing best estimates and providing management with formal opinions on the reliability of models (formal report) Outsourcing (SG 12) • Obligation to ensure that outsourcing does not negatively impact service quality or global operational risk exposure • Formalised, comprehensive processes and policies covering all areas of an outsourcing project (selection, contract, monitoring, etc.) Source: PwCThese provisions clearly form a minimal regulatory base. The principles are very broad: each organisation must specificallyadapt them to its size, its expertise and the complexity of its risk profile. This is what is referred in the legislation as the‘proportionality principle’. However, the scope of this principle and the level of the ‘leeway’ allowed for different organisationscurrently remain unclear. PwC Pillar 2, operational issues of risk management 13
  • 14. Focus on Level 2 measures c) Risk management processes must Special case of ORSAIn the Level 2 text, Article SG3 gives be appropriate and procedures ORSA is a hot topic that was covered inEIOPA’s opinion on risk management adapted in order to identify, assess, the Level 3 measures that wereefficiency and provides the following manage, monitor and report risks. addressed by EIOPA in the second halfadvice: of 2011 as well as during a conference d) Risk reporting procedures must on Pillar 2, governance and ORSA helda) Risk management strategy must be appropriate as must the by the Autorité de Contrôle Prudentiel be clearly defined and well feedback loops that ensure (Prudential Control Authority or ACP) documented. This strategy must set reporting. These procedures are during the second quarter of 2011. risk management objectives and key coordinated and challenged by the risk management principles, define risk management function and are Despite the importance of this process, the organisation’s risk appetite and actively controlled and managed Article 45 was not described in any text finally describe the roles and by all relevant staff. relating to Level 2 measures. CEIOPS responsibilities of the risk published an Issues Paper entitled management function across the e) Reporting documents submitted to “Own Risk and Solvency Assessment company and in accordance with its the above-mentioned bodies by the (ORSA)” dated 27 May 2008. business strategy. risk management function refer to the risks (potential or actual) As presented to date, ORSA is a processb) Risk management policies must be associated with the business of the designed to ensure that the company is put in writing and adapted. They company and the operational able to calculate and manage its risks include naming and defining efficiency of the risk management and that its capital needs are met. the risks to which the organisation is system. However, certain characteristics should exposed, classifying them by be highlighted. (see chart below): type and limits of acceptability. f) Lastly, ORSA must be adapted to The risk management system the company’s activities. • ORSA is the responsibility of senior must apply strategy, facilitate management, in charge of the implementation of control overseeing the process and its mechanisms and take into account results with respect to the regulator. the nature, scope and time horizon of the business and the associated risks. • It is a documented risk management process that must be submitted to the supervisory authority at regular intervals (at least once a year) and following any significant change in the insurer’s risk profile. • It is an integral part of the day-to- day management of the company (commercial policy, investment strategy, capital management, acquisition strategy …).14 PwC Pillar 2, operational issues of risk management
  • 15. Figure 4: Risk management system Business strategy • Strategic objectives • Strategic allocation é • Risk strategy • Reinsurance and • Valuation of strategic other hedging scenarios • Business decisions • Capital strategy • Forecast timeline • Use of capital and financial resources Risk analysis and assessment Solvency management and measurement Decision-making process • Risk identification • Economic • Stress test • Regular monitoring of risk profile • Qualitative analyses assessment and scenario • Solvency management and monitoring • Control assessment • Best estimates • Fungibility of capital • Risk appetite and tolerance • Prioritisation and classification of risks • Risk parameters • Capital assessments • Frequency of assessments • Risk profile and assumptions (internal, S2, etc.) • Support for strategic decisions • Risk management policies • Analysis and • Reconciliation of • Risk governance documentation estimates of capital these assessments • Disclosure (Pillar 3) External environment • Business environment • Emerging risks • Long-term risks • Macroeconomic environment • Regulatory framework (S2) • Changes in legal environment • Social trendsSource: PwC• It offers a holistic and forward- calculation, namely the difference looking approach to managing risk in the number of risks identified, (risks used to calculate SCR and how they are measured, i.e., the other risks – reputational risk, confidence interval to which the strategic risk, macroeconomic risk, formula is calibrated. Furthermore, political risk, etc. – to which the the company may use either a company is exposed over its standard formula approach or an strategic planning period, internal model to assess its risk traditionally three to five years) exposure. The methodology must be across the full scope of the Group proportionate to the complexity of (all European entities and those the company’s activities and the outside the EC under the Group’s types of risks involved. supervision).• It allows all organisations to show that they can raise the capital necessary to cover solvency requirements for the strategic “The main issue is knowing how to implement the key planning period (as opposed to functions and a governance system that are compliant the one-year horizon used to with the Solvency Directive and compatible with joint- calculate SCR). management structures. The Directive draws mainly on concepts applicable to corporations and joint• The risk assessment in the ORSA process represents the company’s management entities as opposed to mutuals, which are ‘own’ view of its risks, taking the risk based more on the principles of solidarity, modules identified in the SCR compensation and retrocession.” Albert Cohen, Risk and Solvency officer, Réunica PwC Pillar 2, operational issues of risk management 15
  • 16. 1.4 COSO II – ERM Background This framework is closely linked to the The COSO framework on internal uncertainty and concerns raised by the control was set out as early as 1991 and corporate scandals in the early 2000s today is an international benchmark (Enron, Parmalat, Worldcom, etc.). used by companies that want their It was originally designed to provide internal control system to be up to a standard for structuring internal standard. Since 2002 it is the control systems. However, it has framework used by international evolved as companies have realised that companies to assess their compliance the strict perspective of internal control with the Sarbanes-Oxley Act, which was too limited and didn’t allow for all requires management to assess and possible risks to be understood and report on internal control every year controlled. ‘COSO II– ERM’2 was (Section 404/SEC Proposals – October introduced in 2004, broadening an 2002 – and ASB – March 2003), approach that aimed to manage and affirming “the responsibility of secure operations through control management for establishing and measures including: maintaining an adequate internal control structure and procedures for • an overview of all types of risk financial reporting”. potentially faced by an organisation, • establishment of different ‘blocks’ at work in global risk management, and • the integration of risk management results into business management. There is a direct relation between a company’s objectives and the risk management components required to achieve them. The famous ‘COSO cube’ is a three-dimensional matrix that illustrates the relationship between these components.2 COSO, “Enterprise Risk Management – Integrated Framework”.16 PwC Pillar 2, operational issues of risk management
  • 17. Figure 5: COSO II framework ns g ce g ic tio rti n ian ra te e ra po pl St Op Re Co m Internal environment Risk management Objective setting SUBSIDIARY BUSINESS UNIT FILIALE Risk profile Event identification ENTITY-LEVEL DIVISION Measurement system Risk assessment Policies and processes Risk response Risk control Control activities Reporting system Information and communication Decision-making MonitoringSource: PwCPresentation The main purpose of the frameworkA company’s objectives (represented by is to provide a way of integrating riskcolumns) fall into four main categories: information into the enterprise’sstrategic, operations, reporting and decision-making and strategiccompliance. The eight risk processes. By following this advice, anymanagement components are the lines, enterprise can manage its performanceand the entity units are the third (according to the criteria it definesdimension. This matrix shows how to independently and specifically for itsapproach risk management globally, by business) with respect to the amountobjectives category, component or unit of risk necessary to achieve it.or any combination thereof. ERM can now be viewed as anAs illustrated above, the COSO operational process based on COSO II,framework is the underlying structure providing decision makers (managers,that supports the main concepts used by directors) with reasonable assuranceall those involved in risk management: as to the management of risks actuallyrisk strategy, risk appetite, risk profile, taken in application of strategicrisk measurement, reporting on objectives and within the limitsexposure, and so on. of a globally defined risk appetite. It facilitates the management of uncertainty, risks and opportunities, the identification of events that could give rise to risks and the definition of suitable internal control solutions. PwC Pillar 2, operational issues of risk management 17
  • 18. Since risk is the essence of insurance, To integrate risk into managementone can immediately see the benefit of processes, risk management musta framework that addresses the ‘permeate’ throughout all the levels andunderlying principles and covers: processes of the enterprise. The system is aligned with the• The definition of strategic objectives enterprise’s organisational model, by the decision-making bodies. which breaks down into the following components:• The identification of risks resulting from the efforts made by the • The strategic dimension: company to achieve these objectives How do decision-making bodies – risk may refer either to threat in integrate risk into their processes? attaining objectives or opportunity How do they define the limits to be pursued in order to achieve of risk acceptability (i.e., what is them. authorised to achieve objectives, what is avoided or proscribed)?• The implementation of an effective system for managing the exposure • The organisational dimension: to these risks. What functions are involved in risk management? What processes are• The notification and reporting of used? How are these analyses risk exposure and failures to the related to solvency levels for relevant managers. insurance companies? • The operational dimension: How does the undertaking implement risk measurement tools and resources so as to benefit from them fully? What are the reporting channels?18 PwC Pillar 2, operational issues of risk management
  • 19. Conclusion COSO II – ERM, designed as a standard and operational framework, provides the main elements and overall approach for a risk management process. Solvency II adds two specific organisational and business requirements. Insurers must specify the functions involved in their risk management and integrate risk and solvency assessment into their five-year business planning models using ORSA. The great challenge of Pillar 2 lies in assessing how to interpret, adapt and implement these frameworks within an organisation. In order to be successful, they must be fine-tuned, correctly calibrated and adapted to the specific characteristics of your business, the complexity of your organisational structure and your ‘risk culture’. PwC Pillar 2, operational issues of risk management 19
  • 20. 2. Operationalimplementation20 PwC Pillar 2, operational issues of risk management
  • 21. Introduction Not all companies place the same Our goal here is not to provide a importance on risk management. Their ‘magic formula’ that solves the choices naturally differ given the heavy challenges you face in implementing investment required to set up an overall your Solvency II projects. Instead, risk management process, compliant we list the key factors that will with the principles and obligations of determine your choice of structure Solvency II. These choices are difficult aligned with the three key dimensions to make and objectify, involve top of the compliance programme. management and must be made in the context of the business’ overall strategy. They are: • Calibrating/fine-tuning the overall structure of the risk management process. • Implementing the risk management process. • Overseeing the key cross-business projects. PwC Pillar 2, operational issues of risk management 21
  • 22. 2.1 Defining the risk management systemThe integration of a risk management involvement from all players concerned the entire risk management process,framework into a company that has a (first and foremost senior encompassing all of the functions,long history of processes, expertise, management) throughout the process. processes and bodies involved in riskhabits, styles and decision-making management.bodies is a complex task. Given the If the main ‘new’ concept consistsextent of the changes and the length of of development or implementation Our experience has shown us thattime some established practices have of a risk management function, to do so, five main questions mustbeen in place, implementing a risk Solvency II projects now go as far as be answered:management process requires complete defining organisational structures forFigure 6: Risk management process • What organisational building blocks fall within the scope of What are the organisational the risk management function: Risk management? Actuarial 1 building blocks in the system? function? Compliance? IT system security? • What functions have a key role in risk management? What should be the scope of the 2 • What are their responsibilities (control, monitoring, risk management system? reporting, etc.)? • How are prerogatives coordinated between central and local risk How are the different functions functions, particularly at foreign sites? 3 coordinated? • What delegation rules should be put in place? • Exactly how should responsibilities be broken down between How centralised should the risk the risk management function and business functions in respect of 4 management system be? key risks (ALM, investment, technical issues, etc.)? • What fundamental indicators govern the risk/return trade-off How should the added value of (ROE, SCR, MCEV, etc.)? What criteria concretely reflect 5 ERM be measured? risk appetite?Source: PwCThe answers to these questions are determined by complex constraints, which may be regulatory (Solvency II), external(ratings, etc.) or internal (goals, organisation, etc.).22 PwC Pillar 2, operational issues of risk management
  • 23. 2.1.1. The ‘organisational buildingblocks’ of the system It is essential to recognise and define • The regular, independent, risk- the scope of functions involved in risk based audits performed by the management. In fact, it is not simply a internal audit function provide specialist area; its management reasonable assurance as to the involves every level of the company. At pertinence and correct operation each level the system must integrate the of the system. This is the ‘third line different elements: operational risk- of defence’. taking, coordination of risk-taking and supervision of risk-taking. Building on this framework, companies generally define the main principles The ‘three lines of defence’ model for coordinating the different strata provides a useful framework within involved in taking risks, as illustrated which these various functions and overleaf. The organisational diagram elements can work together. most often defines responsibilities at each step in the risk management • Front Office business staff have process. These principles then serve primary responsibility for the risks as a basis for assigning specific risk they take, and risk management management roles and responsibilities practices and processes in place at in accordance with the risk profile. this level constitute the ‘first line of defence’. • The ‘second line of defence’ is held by specialised risk management functions. Their role is to design, coordinate and manage a consistent framework for taking risks, but without being directly exposed to business risk. This covers the key functions of risk management as defined by Pillar 2 (risk management, internal control and compliance). PwC Pillar 2, operational issues of risk management 23
  • 24. Figure 7: Three lines of defence First line of defence Second line of defence Third line of defence ‘Operational’ functions ‘Specialist’ functions ‘Risk’ functions ‘Assurance’ function - Actuarial/Technical Dep. - Risk management All functions (IT, HR, Scope - ALM/Investment Dep. - Internal control, Internal audit Finance, Production, etc.) - Other (underwriting, etc.) compliance, etc. Principles and Reviews and approves/ N/A Proposes standards proposes Implementation Applies Proposes/applies Coordinates/applies Carries out independent, empirical reviews on: Supervises, consolidates, - appropriateness of Controls Applies/proposes Applies/proposes analyses systems - their correct application Consolidates, analyses, Reporting Produces Produces/analyses manages Approves and manages/ Action plans Applies Proposes/applies applies Coordinator role/operational roleSource: PwC Two challenges often arise when • Internal audit has a special role in implementing these principles: the system that is often difficult to position. The provisions of the • The risk management function may Solvency II Directive place great have different responsibilities emphasis on the independent depending on the type of risk. nature of this function. Its resources Acting as a coordinator, it may take must be free of any other on direct responsibility in certain operational responsibility. areas such as operational risk. According to the Institute of Internal These details are outlined in the Auditors, the purpose of internal analysis of the risk function’s control is to independently provide position (see below). management with reasonable assurance as to the pertinence, quality and appropriate application of the risk management system. It is easy to understand why this function must be independent in order to establish its own approach (based on its perception of risk) and express opinions free of any outside influence.24 PwC Pillar 2, operational issues of risk management
  • 25. 2.1.2. Scope of therisk management system Solvency II places the risk function at • It is not, however, limited to just the core of the risk management these risks, as they are too limited system. Regulations define to give a true picture of the actual responsibilities and a scope of risk profile. The risk function must minimum risks on which the function is identify other risks that are specific based. If a company uses an internal to the company, taking account of model, the function is in charge of all its subsidiaries and businesses designing, testing, implementing and (not necessarily insurance alone) as monitoring the performance of the well as specific risks related to the model, either in part or in totality. Most company’s structure. companies naturally launch Pillar 2 projects by putting in place or The risk function must also bear in reviewing the positioning of the risk mind that this risk profile is not merely function. It is in charge of overseeing all an inventory of all the potential or risk management processes (see actual risks: above), even if it does not directly carry out the operations, analyses and • Based on its analyses and the points calculations required in this process. of view covered, it prioritises the risks that must be monitored. The reference for defining Its added value lies in its ability to the risk profile provide a ‘shortlist’ of risks that When a risk function is set up, its first justify investing in measurement, task is to identify the risks to which the monitoring and permanent company is exposed. Although each supervision, based on the company’s company faces its own specific set of business objectives. risks, defining a risk profile follows a few best practices. • As such, this management tool is developed by combining the ‘risk The first involves the scope of risks, which philosophy/vision’ of operational must be identified in the risk profile: staff (a bottom-up approach to risk management based on the • It must cover at least the basic risk comprehensive identification of modules used to calculate capital risks) with that of management requirements, whether determined (a top-down approach whereby based on a standard formula investment in risk management is or an internal model, namely justified and prioritised). underwriting, market, interest rate, operational, etc. PwC Pillar 2, operational issues of risk management 25
  • 26. Finally, the risk function ensures that decisions. It is a full stakeholder in an operational risk management system these processes, is consulted for all is in place and that it covers all the risk important decisions and issues a profile components. Each risk must be formal opinion. It may have the assigned to a risk ‘owner’ who is the power to block decisions (which in ‘subject matter specialist’ available in turn requires an arbitration the company: i.e. actuarial department process). These companies almost for underwriting, certain counterparty systematically use an internal model and reinsurance risks, asset that is integrated into their strategic management for market and credit and operational decision-making risks, and so on. Assigning a risk owner processes. is the first step in implementing an operational risk management system. Companies gradually advance along The components in the risk the ERM maturity curve between these management process are set out below two ends of the spectrum. As the ERM in section 2.2. process develops, the positioning of the risk function evolves: The evolving risk function under Solvency II • The position of the risk function Above and beyond the purely technical tends to rise within the company’s aspects, companies have enhanced hierarchy. Nowadays it is the risk function’s ‘right of inspection’ in increasingly attached to upper operational decisions. This notion fully management, indicating an covers the risk department’s understanding by them of the prerogatives in terms of processes, importance of the ERM in insurance policies and risk-taking for which it is companies. not the leading expert. In reality, the risk function’s involvement is in line • The role of the CRO is evolving. with the strategic priority associated Often seen initially as a conservative with the risk: and technical profession, it will gradually develop into that of a • A company may take a conservative business adviser who works with approach to risk, its priority being decision makers. With a unique not to compromise the protection understanding of the risks taken by offered to policyholders and to the company and how they interact, ensure performance. In this case, a CRO can offer advice on how to the risk function would take on an create value. advisory role, assisting operational managers in their processes and • The resources required to take on associated risks. It has little (or no) these functions have grown sharply. latitude to block decision-making Risk departments were initially set processes. up to meet successive regulatory requirements (anti-money • A company may decide to base its laundering, anti-fraud and so on) value creation on managing the but have since developed into more risks it takes and the impact of these refined structures, most often risks on its strategic variables: broken down by types of risk market consistent embedded value (operational, technical, economic (MCEV), market capitalisation, capital, etc.). These resources are economic capital, etc. In this case, more numerous, more highly the risk function takes on an qualified and more specialised. essential role in operational26 PwC Pillar 2, operational issues of risk management
  • 27. “Implementing Solvency II, and particularly Pillar 2, will require greater coordination between all participants in risk management. The process will draw on existing management rules, which themselves will need to be strengthened. The resulting discipline will create growth opportunities and strengthen relations with customers, while guaranteeing all stakeholders (employees, shareholders, customers, etc.) improved control of risk and its impacts on business structure.” Ronan DAVIT, Head of Risk, Euler Hermes Group2.1.3. Coordinating different functionsinvolved in risk managementOnce the basic components of the While the three lines of defence modelsystem have been identified and outlined above provides a generalcalibrated, the challenge for the risk framework in this regard, thisfunction is to promote the harmonisation process must beimplementation of an efficient risk specifically adapted to each risk in thesystem underpinned by clear, shared profile. It is therefore necessary to:decision-making processes. To do so,the risk function has two main levers. • Map the appropriate functions to handle this risk: businesses,The definition of the roles support, management orand responsibilities for the governance, etc.principal risksTo do so, the risk function moves • Pinpoint the best subject matteron from establishing the risk profile expert within the company toto coordinating the roles and manage this risk (generally the riskresponsibilities for each of the risks owner identified in the systemincluded in the profile. The main implementation phases upstream).challenge lies in the diversity andheterogeneous make-up of the risk • Clearly define the roles andfunctions and risk owners. Risk responsibilities of each playerdepartments must first harmonise involved in the process. Closethe various risk management attention should be paid to thesolutions proposed. support functions’ power to block processes (typically the risk function) as opposed to the relevant operational functions. The notion of ‘right of inspection’ for operational decisions should be specifically defined. This right in turn requires the establishment of a clear arbitration process in case of a conflict between the risk department and the business line concerned. PwC Pillar 2, operational issues of risk management 27
  • 28. The matrix below is an example of the types of roles and responsibilities involved, offering a simple method for establishing aclear distribution of roles.Figure 8: Investment management roles and responsibilities matrix Investment management Board of Directors (through the risk committee): takes responsibility for global Responsible supervision (ultimate responsibility) General Management: approves and monitors investment policy Implementer Investment Department: submits strategic allocation plan for validation, defines (oversees operational implementation) tactical allocation specifics, monitors implementation Consulted Risk Department: issues an opinion on the Group’s and the entity’s total exposure to (opinion requested systematically, market risks and overall solvency level. If it issues an unfavourable opinion, the case published and taken into is submitted to the executive committee for arbitration account in the decision) Informed Cash Department (Financial Department): informed of all changes in investment (regularly informed of new policy, receives a copy of all investment flows management decisions)Source: PwCThe implementation of a The structure of the decision-making • Prioritise the types of risk thatdecision-making architecture process is specific to the culture of each require formal supervision on aEven the best-designed risk company and is in line with its position regular basis. The company mustmanagement system will only be on the ERM maturity curve. However, formally define the responsibilitiesefficient and effective if an operational the review or implementation of the required at each organisational leveldecision-making architecture has been decision-making architecture follows in line with these priorities (globalcodified. It must ensure first that all several key steps: supervision, definition of practices,useful information is reported to the monitoring and reporting, etc.).appropriate committees and other • Define the key organisational levelsdecision makers in a timely manner. in risk decisions, which often • Design ad hoc decision-makingSecond, it must ensure that these correspond to the company’s main bodies at each level: type ofbodies review the issues at hand and decision-making levels (executive committee, members, voting rights,make the necessary decisions. The committee, key functions in risk- assignment of roles, meetingcompany is then in a position to taking, operational staff, etc.). They frequency.continuously manage its risk exposure are defined in line with the rolesand react promptly to any unexpected and responsibilities identified fordeviation in its risk profile. each type of risk in the risk profile.28 PwC Pillar 2, operational issues of risk management
  • 29. As such, the structure of the company’s system of committees can be consistent throughout, as illustrated in theexample below:Figure 9: Committee matrix Market Credit Underwriting OperationsExecutive Risk CommitteeCommittee Investment Committee InternalRisk Controltakers Underwriting Committee CommitteeReporting & ALM Committee Reporting ReportingmitigationSource: PwCThe close relationship between Historically, most insurance companies processes and operations and therisk management and risk have developed internal control reliability of financial and non-financialcontrol approaches that are often granular and information produced by the company.One of the main lessons learnt from the always complex. These approaches At the time of writing, work has begunfinancial crisis (notably the Kerviel aimed to identify and to manage the in this area but has seen little or nocase) is that efficient risk management risks specific to certain processes or application among insurancerequires coherent and consistent operational areas, namely: reliability of companies: operational risk is difficultoperational coordination between: financial reporting processes (SOX to understand, differs completely for projects), security of information each company and is not specifically• the definition of major risk policies systems, anti-fraud or anti-money defined in Solvency II. Furthermore, and processes (primarily by the risk laundering processes, etc. SCR calibrations for operational risk department), and produce negligible capital This work has led companies to focus requirements, further inciting• the appropriate application of these specifically on operational risk companies not to invest in a complex policies and processes by the management. The primary role of system to manage this risk. relevant entities (operational internal control (or permanent control) functions, internal control, etc.). is to ensure the appropriate management of the company’s PwC Pillar 2, operational issues of risk management 29
  • 30. Some market players are currently • Definition of the operational riskimplementing specific procedures for system. First of all, operational riskoperational risk analysis and risk – must be defined. This analysiscontrol coordination. The main ones generally reveals that operationalinclude: risk covers any factor that could compromise the achievement of the• Gradual merging of risk and objectives of operational processes control functions under the (see the list of risks defined by responsibility of a single function Basel II) or the appropriate (most commonly the CRO). This application of risk policies as ensures greater consistency between defined by the company. Some initiatives that were sometimes companies have taken this a step fragmented in the past. The primary further: given the sheer volume of focus is often on compliance, raising operational risks, they have the question of whether operational prioritised the critical areas of risk is best managed by legal exposure and focused their efforts professionals (regulatory watch) or to deploy management systems in internal control (integration of legal these areas. provisions into operational processes). The trend clearly seems • Modelling of operational risk. to be to: (i) appoint a compliance Some companies have implemented officer to take charge of defining the data collection systems for company’s main compliance issues operational losses. These systems and coordinate the application of are used to assess the company’s the relevant legal provisions while real exposure to operational losses, (ii) maintaining the legal set up a more coherent management department’s responsibility for legal system or even to save on capital monitoring, setting up a body that requirements. To be effective, meets regularly between the two however, the system’s parameters departments. Broadly speaking, must be determined (e.g., by clearly companies tend to put their risk defining an operational loss and the management function in charge of minimum loss amount for data supervising both the effectiveness collection) and cover an adequate of their ERM framework and the historical period. Results are appropriate application of its deemed significant after three provisions. to five years of collection.30 PwC Pillar 2, operational issues of risk management
  • 31. 2.1.4. The extent of centralisationof the Risk function Insurance groups are faced with a responsibility of the group’s risk major operational difficulty: the department. In a more centralised operational scope of the risk function. group, the group risk department How do they integrate such diverse oversees legal entities. It may apply entities and businesses that are not the principle of subsidiarity that necessarily related to insurance (asset determines the entities’ leeway, and management for complementary in this case a ‘risk representative’ is pension or social security plans, appointed. In either configuration, healthcare and assistance services, the risk function is a network-based strategic investments, and so on.) into structure. their analyses and processes? • Groups, when dealing with all of Although most companies are still their insurance entities, tend to trying to establish an efficient way of require consistent reporting coordinating the risk system across principles and structures that are their different entities, the following defined and supervised locally. This best practices have emerged: applies especially to international groups with foreign subsidiaries or • Aligning risk management process entities in countries not subject to with the organisational and Solvency II. Most often they opt for decision-making structure within double reporting, with one set of the group that is already in place. reports prepared based on local In a highly decentralised group, prudential standards while another the different entities or subsidiaries is submitted to the group in often have a local risk function ‘Solvency II format’. that reports to their general management but falls under the PwC Pillar 2, operational issues of risk management 31
  • 32. There are often overlapping principles on the structure of the risk management process, as illustrated in the diagram below.Figure 10: PwC Risk function benchmark Principal responsibilities of the CRO Possible organisation chart of risk function ERM CEO 67% ALM Actuarial CRO Reinsurance Permanent control ERM 75% Economic capital Internal capital model ALM 67%Risk management model Corporate Capital management actuarial 33% Market risk exposure Permanent Internal control control 17% Accounting Economic capital Solvency 2 17% Management control Reinsurance 17% 0% 20% 40% 60% 80% Based on the benchmark study conducted with 30 of the most important companies in the insurance industry (insurance companies, mutual insurers and pension funds)Source: PwC That being said, there is no standard these companies have added the more structure that is widely shared, ‘traditional’ functions to the risk especially with regard to the extension function, giving it more substance of the risk function to non-insurance and importance. subsidiaries. The solutions seen are most often In some cases, the problem has more to based on the principle of subsidiarity: do with difficulty in adhering to the the subsidiary has considerable principles of independence in relation autonomy in managing its risks, and to the operational function. Many the group only covers the few types companies have also tried to ‘force’ of maximum losses that can be their risk function beyond the strict generated by the subsidiary (notion minimum regulatory requirements. In of ‘subsidiary risk’). fact, this function is supposed to become more centralised but not all of the issues at stake are necessarily evident in the beginning. Therefore32 PwC Pillar 2, operational issues of risk management
  • 33. 2.1.5. Measuring key indicators of therisk management system In working with general management, • They are easily measurable, i.e., one of the most fundamental roles of the cost of implementing the the Risk function is to define the key calculation and management metrics of risk management. The choice infrastructure is not prohibitive of these indicators shows the (especially if it is based on processes importance the company gives to that are already in place) given the efficient risk management in its overall added value of monitoring. strategy. • They are clear and understandable This process is part of the establishment for those in charge of monitoring of risk strategy, as described in the next them. It is therefore essential at this section. However, before beginning, point to define or validate them the benchmark metrics must first be with management bodies, ensuring defined. They must feature certain that they understand them and characteristics: do in fact want to have these management indicators in place. • They reflect the main aspects of the risk/return trade-off offered In most cases, however, companies to stakeholders (ROE, service may use a very limited number of quality, security of protection, etc.). ‘fundamental’ indicators to support They can measure the entity’s their ERM approach. Their approaches resilience in some extreme cases generally combine: (i.e., distribution tails) but remain realistic and always incorporate • an income indicator such as the notion of performance pre-tax net income (profitability, etc.). • a value measure such as MCEV • a solvency indicator such as the SCR coverage ratio or economic capital. PwC Pillar 2, operational issues of risk management 33
  • 34. 2.2 Implementing therisk management processThe risk management process can be simplified and brokendown into the steps presented in the diagram opposite. Figure 11: Steps for implementation of riskEach of these steps features a certain number of components. management processesThe purpose of this section is to examine these components,identify the main issues involved and their operationalapplication and provide concrete examples of their application. Defining the risk framework Identifying and measuring risks Managing risks Monitoring and reporting risks Establishing strategic capital planning Source: PwC34 PwC Pillar 2, operational issues of risk management
  • 35. 2.2.1. Defining the risk frameworkArticles 44 and 45 require the company • Risk tolerance represents the level • The risk budget measures theto demonstrate that it has implemented of risk that a company is prepared to anticipated level of risk exposure foran adequate and efficient risk take in pursuit of its business and a specific timeframe within a givenmanagement system that includes a its development pertaining to a scope. It measures the risk profileclearly defined and documented limited scope. It is a distribution of for a company’s forecast, withstrategy for managing and monitoring risk appetite at a more specific level. identical levels of granularity.its risks. The Directive also requires the It can be adapted to both broadestablishment of a clearly defined risk categories and entities or Risk strategy not only determines therelation between risk and return geographical scopes. framework within which risks may beobjectives in this risk strategy. taken, but also the terms under which • Risk limits are defined as the these general principles apply withinComponents of a risk strategy operational limits in line with the the entity. It defines the budgets andThe risk strategy provides the means to risk budget and/or risk appetite. targets adapted to the company’sdefine the accepted framework for risk These limits are specific to the willingness to take risks in line with themanagement. The benchmark metrics processes with which they are defined risk strategy.applied to risk management associated.are pre-defined, as indicated above. In coordinating the differentA risk strategy approach is based • Risk profile is the measure of risk components of risk strategy, a totallyon five key concepts: exposure expressed in the form of a integrated asset-liability management reaction of key financial aggregates model is also defined. This strategy• Risk appetite represents the to a shock in an underlying variable. is primarily defined through a aggregate level of risk (i.e. at Group It is measured for a given scope on top-down approach (i.e., defined by level) that a company is prepared to a given date. It can cover a very management), along with the take in pursuit of its business and its limited scope, such as the mortality contribution of reporting from development. It is a maximum risk for a specific product at a given operational staff (bottom-up threshold that is declared by subsidiary, or it can apply to all approach): management and is expressed in the possible aggregation levels for the form of the accepted deviation of company’s entire scope. the company’s key aggregates from the desired outcome. PwC Pillar 2, operational issues of risk management 35
  • 36. Figure 12: Description of risk strategies in the insurance industry Description of insurers’ risk strategy Maximum acceptable risk Positioning in relation to competition, to regulations, Executive Committee Where can we position ourselves in terms of risk? to our specific business Positioning in relation to Target risk profile our specific business,Top-Down Approach Where do we want to position ourselves? shareholders’ performance requirements Risk appetite CRO – CFO – CIO Document including the strategy approved Risk appetite by the Executive Committee and its Perspective for risk application to risk in terms of competitive appetite defined by positioning (risk capacity, risk appetite) and the Executive taking into account the company’s specific Committee with characteristics (risk profile) Tolérance au risque target risk profile Risk tolerance Current risk profile Appraisal of defined What is our current positioning? CRO – CFO strategy in relation to actual performance with a breakdown by type of risk and by Market Underwriting Counterparty Operational business risk risk risk risk Operational application of strategy Quantification of risk and performance Operational departments – Business Units Operational departments Risk management Rules/proceduresBottom-up Approach Execution Risk governance Methodologies/processes functional and organisational framework Control Supervision/reporting AssessmentSource: PwC36 PwC Pillar 2, operational issues of risk management
  • 37. Application of risk strategyA general strategy based on results Figure 13: Breakdown of risk strategyor solvency metrics is not sufficientlyspecific to provide useful operationalguidelines for risk takers. Applying Shareholders’ requirements Restrictivethis strategy to operational risk Strategic timelinelimits is therefore crucial to the (3-5 years)implementation of this strategy. Risk appetite Business profile (underlying metrics)Management involvement is of primeimportance. The different stakeholders(shareholders, market, clients, rating Business planagencies, etc.) and their respectiverequirements must be mapped out. Budget timeline (1-3 years)Understanding these requirements isthe first step in defining the company’s Framework of limitsrisk strategy and applying it to asystem of operational limits. Application of Application of performance risk limits Operations objectives Flexible (current year) Supervision/management measures Source: PwC For smoother integration of riskFigure 14: The budget process strategy content into decisions, the budget process must also be updated to include assessment criteria that Definition of limits and take into account the amounts of risks Business Plan Supervision target incurred. Draft business plan Comparing risk Defining risk limits profile with limits Plan application Adjustments Taking into account Is the risk profile in typical in Business commitments to within defined Yes End environment Plan policyholders limits? Is the BP in line No No with risk appetite? Yes Making necessary adjustmentsSource: PwC PwC Pillar 2, operational issues of risk management 37
  • 38. 2.2.2. Identifying and measuring risksIdentifying risks applicable to • A risk map (or ‘heat map’) that is • A list of major risks that mustthe business used to classify risks according to include the few large-scale criticalA robust risk identification system must their potential financial impact and risks to which the company isbe able to predict all risks and align their probability of occurrence. exposed. Large-scale risks are thosethem with the company’s major risks in Financial impact and the probability that could lead to bankruptcy andorder to understand the causes and of occurrence must be assessed in require in-depth analysis in order tointerdependencies. It must be regularly the same way throughout all identify their key componentsupdated following any significant operational entities (same risk (causes, scenarios, impacts, etc.).change in the risk profile. taxonomy and calibration of impact) and for all types of risk. EquallyThe risk identification system (see important is the efficiency of thediagram below) includes two main collection and update procedurescomponents: for risk data (loss databases).Figure 15: System for identifying risk Risk heat map Risk identification process (one-off) Risk and Control Heat map Plan and prepare – One-off exercise Risk Register Develop 5 High 5 10 2 15 7 20 1 25 Items Identify Risk investigation: Transfer mechanism risk individuals 1. Using risk register Aggregation 4 Med/ 1 Capital 4 8 12 16 20 Losses from Gross Impact within categorisation software High Investment business model tool Portfolio units for 2. Supplemented 3 Med 3 6 9 12 15 Conduct risk and 2 Inappropriate ownership with specific controls assessment Populate 2 Low/ Investment of risk business ( facilitated by risk sofware Prioritisation Med 2 4 6 8 10 Processes register knowledge management) tool 1 Low 1 2 3 4 5 7 Insufficient Working 2 Low/ 4 Med/ 1 Low 3 Med 5 High Capital Med Hight Risk identification process (quarterly) Gross Likelihood Undertake – quarterly process Risk profile (and qualification) as at… Identify, Management Emerging categorise Evaluate attestation for Identify Risk Type BU1 BU2 BU3 BU7 (DB1) Firm risks and score controls key risks and actions risks controls Nat Cat risk Gl pricing risk Review and challenge Risk distributions for by RMC use in internal model Market risk Credit DB1 Risk assessment process Total Risk Assess Trend Scenario information Lessons planned analysis of analysis of 1 Diverification benefit visualisation learnt controls heat map heat map study framework Loss databases Internal Risk mgt Risk mgt Focus groups Risk mgt Record of risk events. List of losses, and near misses auditSource: PwC38 PwC Pillar 2, operational issues of risk management
  • 39. Risk measurement systemsRisk measurement methodologies arecovered by Pillar 1 of Solvency II in thestandard formula that defines themodelling principles for technicalprovisions using best estimates andrequirements for calculating SCR (riskmodule, shocks to be applied,correlation matrix).Companies may also use an internalmodel that best reflects their specificrisk profile. An internal model canapply the same base to a number ofuses, ranging from solvencyrequirements to embedded value, The internal model plays a pivotal roleasset-liability management, profit- in the companys decision-makingtesting when creating products, risk processes at every step, both inappetite or even ORSA. underwriting contracts upstream and in managing underlying risks. TheThe internal model is more than just a internal model, a key component incalculation tool. It is used to measure, governance, is implemented in linecontrol, manage and report on risks. with the internal control, internal audit,It is at the core of risk strategy and risk actuarial and risk managementmanagement. As illustrated in the functions. However, its implementationfollowing diagram, it is made up of may be costly, especially as Solvency IImethodologies, assumptions provisions already require considerable(endogenous and exogenous) and resources for insurance and reinsuranceconfigurations designed by experts companies. In such cases, it may seemwhich reflect defined policies and apply more appropriate to apply a standardto internal processes that are specific to formula. The use of an internal model isthe business. Within an environment not mandatory.limited and secured by internal control,the internal model can also be used Finally, internal models must beto produce a variety of reports designed approved by the regulators prior to use.to meet management’s requirements. This point is developed in section 2.3.In this example, it is used to producethe information used to determineMCEV, economic assessments thatmeasure economic performance or thecompany’s new solvency measures. Inthe future, these models will also servefor evaluating accounting in IFRS underIFRS 4 phase 2. PwC Pillar 2, operational issues of risk management 39
  • 40. Figure 16: Internal model scope PwC view of internal model scope Internal model validation processes Use Test Policy Internal model Data processes systems Board Governance Claims Executive systems Internal model governance Risk Management Asset systems Internal model control framework Capital Finance (SCR & Actuarial External data Assumption Ecap) Underwriting Validation of Expert judgement – assumption setting setting outputs Internal model input quality controls Internal model output data structure Distribution review and conversion Risk & capital mgmt Risk management processes Risk ORSA Internal model output controls Model input data structure universe Calculation Kernel Risk profile Management Information Output controls OpRisk Solvency monitor Input controls data Exposure mgmt Risk Methods Analysis of registration Balance ALM change sheet Strategy monitor Aggregations (assets & liabilities) What if analysis Counter- party data Business planning Statistical Stress & Risk scenarios, M&A quality & transfers sensitivity Business processes calibration Underwriting testing Profit & Pricing Business processes Business loss plans Reward (Reconcil- Internal model processes iation to RI purchase Reserving accounts) Strategy Internal model policies Capital allocation Reinsurance Change Data Validation Product dev Other core policies Investments Investments ORSA Process FlowSource: PwC40 PwC Pillar 2, operational issues of risk management
  • 41. 2.2.3. Managing risksOnce the risk strategy is defined, it can An example of policy: For example, in dealing with longevitybe translated into a risk policy Actuarial function risk in annuities, the actuarial functionapplicable to all entities or adapted to The first section in this paper discussed may prefer an experience table certifiedaccount for country regulations or the principles for governance set by the by an independent actuary rather thanspecific local markets. Directive. We understand that these the local country regulatory mortality risk policies are broken down by risk tables. With more detailed knowledgeRisk policy is based on the according to the modular risk-based of the portfolio, a company may applyimplementation of governance systems approach of Solvency II. mortality assumptions that are lowerthat cover at least the following risks: than the standard if the type of How does it work in practice? Let us population covered enjoys a better• Underwriting take the actuarial function as an standard of living and healthcare. example. This function ‘owns’ the• Market underwriting risk and is therefore in charge of measuring, managing,• Credit controlling and communicating the components of this risk. The• Operational underwriting risk policy must reflect all of these aspects.• Outsourced services Governance is based on compliance• Internal audit with principles or guidelines established in accordance with bestA governance system is a set of practices recognised by the industry asprinciples and rules established to well as the company’s internalmonitor and manage risks based on a practices. These guidelines are appliedclear, shared decision-making process as soon as a contract is underwritten,and adapted tools. It generally features as they set pricing policies in terms ofthe following components: risk selection (when possible) and measurement of the cost of risk.• A set of rules: best practices (industry standards or company- specific practices), tolerated Figure 17: Risk models for life insurance practices, prohibited practices.• Delegation of authority procedures: any decision that could SCR significantly engage the company must be approved by at least two Adj BSCR SCR OP people at management levels that correspond to the level of SCRMarket SCRDefault SCRLife SCR Intang commitment. LifeMORT• Pricing and provisioning: profitability target, technical bases LifeLONG used, pricing and provisioning methodology. LifeDIS• Risk monitoring: risk indicators, LifeLAPSE specific risks requiring specific monitoring, stress tests. LifeEXP• Tools: documentation, standard Life REV and non-standard tools. LifeCAT Source: PwC PwC Pillar 2, operational issues of risk management 41
  • 42. 2.2.4. Monitoring and reportingon risks Using risk measurement tools and External reporting processes, the risk management system These reports are covered in Pillar 3 of must produce all the information the Directive. The reporting scope is necessary to the relevant managers to described in CP58, which includes ensure appropriate and hands-on quantitative and qualitative sections on oversight. Internal and external various aspects (accounting, reporting structures must be put in prudential, governance, etc.). Further place. details are provided in the following documents: Internal reporting The purpose of a risk report is to • Annual Reporting To Supervisors facilitate risk monitoring by providing (RTS): notably includes an annual necessary information and analysis of Quantitative Reporting Template the existing and potential risks to which (QRT) that provides details on the the company is exposed. information contained in the RTS. The content of the risk report must be • Annual Solvency and Financial adapted to its readership: Condition Report (SFCR): for the market, adopts the structure of the • Senior Management: the report RTS without the information for presents, in about ten pages, an supervisors. overview of the risks affecting the company (the risk map, the three to • Quarterly RTS: mainly includes a five major risks, the market quarterly QRT, a concise version of environment, and comparisons with the annual QRT. competitors). • The business line or operational entity: the report covers, in about 15 pages, the risks to which the business line or operational entity is exposed. • Detailed risk report: this document, often about 100 pages or more, provides all the evaluations and detailed action plans for each risk.42 PwC Pillar 2, operational issues of risk management
  • 43. The necessary convergence • Operational performance issues: • Strategic issues: As a result ofof Risk and Finance In light of the requirements regulatory pressure, marketWe have seen that companies mentioned above, many companies practices are converging towardsincreasingly tend to plan a specific will have to increase the number of the assessment and managementoperational project on this subject for their closing and reporting of risk-weighted performance.a number of reasons: processes. This gives rise to In addition to ‘traditional’ financial legitimate concerns about efficiency and operational performance,• Technical issues: Companies are and cost-cutting in these low value- management systems must produce confronted with an increasing added processes. Several companies a review of the risk incurred by the number of reporting requirements plan to set up a shared data company to reach these figures, or (SFCR and RTS within Solvency II at warehouse that will be updated by more specifically the ‘performance’ deployment, MCEV, IFRS 4 Phase 2, source systems (management, of the company’s risk-taking. This reports to rating agencies, etc.), assets, inventory, etc.) and from new approach will undoubtedly for which the frameworks are not which data will be extracted in the result in the set-up of projects to always the same. Each company same way by different users for consolidate these systems and must ensure that it can cope with different data processing activities. overhaul the management tools the risks of error in the different Downstream, these companies tend used by general management and reporting processes (internal to organise all market disclosures shareholder communication. These control principle), and be able to for more consistent communication areas are a priority for general reconcile and justify the differences and to assure greater control over management and policymakers and between the different reports publication schedules. will gradually be implemented as (differences in method, the ORSA processes mature. measurement basis, etc.). PwC Pillar 2, operational issues of risk management 43
  • 44. 2.2.5. Establishing strategiccapital planningThe forward-looking analysis of capital If the analysis reveals insufficient notably be used to identify potentialcould be considered the last deliverable capital, the insurer must prove that it threats and devise back-up plans toin the risk management process. Under has a realistic back-up plan, e.g.: reduce their impact on the company’sSolvency II, measuring and managing financial position. Stress scenarios arerisks must enable the company to • A recapitalisation plan clearly explained, for example thosemaintain its solvency at all times and to used by EIOPA in 2009 to determine thestrike a balance between business • Transfer of risk (reinsurance, solvency of the European insuranceobjectives and the amount of risk derivatives hedging, securitisation, industry:incurred to reach them. The forward- etc.)looking analysis of capital requirements • Adverse scenario: 15% to 50%or strategic capital planning is the • Limiting of gross exposure decline in relative value of interestprime focus of the ORSA process and (underwriting limits, investment rates depending on maturity,must be carried out in close limits, etc.), e.g. by adjusting the widening of credit spreads, 10% tocollaboration with management. strategic configuration (joint 20% drop in equities, 15% drop in venture rather than a new company, property simultaneously with aThis process is designed to show that the and so on) massive wave of redemptions.insurer can raise the capital necessary tocover solvency margin requirements for • Loss absorption mechanisms • Deep recession scenario: 40% tothe strategic planning period. For each (participation reserves, call for 60% decline in relative value ofbusiness strategy, the insurer simulates a supplementary contributions, etc.). interest rates depending onlarge number of scenarios in which risk maturity, widening of creditparameters are adjusted to compare The company must also be able to spreads, 40% to 55% drop insolvency margin requirements and measure the sensitivity of these equities, 25% drop in propertyavailable capital. This analysis is carried analyses to any deterioration in its simultaneously with a massive waveout prior to every major strategic competitive or macroeconomic of redemptions.decision (merger, acquisition, launch of environment. Along with these capitala new business, etc.). planning analyses, stress tests are • Inflation scenario: 40% to 500% performed to understand the rise in relative value of interest rates underlying assumptions, the depending on maturity determinants of capital planning and its simultaneously with a massive wave sensitivity to risk. Stress testing can of redemptions.44 PwC Pillar 2, operational issues of risk management
  • 45. 2.3 Managing cross-business projects Within your Solvency II compliance • Change management – Regulatory programmes, Pillar 2 provisions will requirements most often call for a require the implementation of certain major organisational transformation cross-business ‘sub-projects’. Although and significant changes in practices not directly required by the regulatory that you will need to understand, provisions, these sub-projects are in calibrate and guide. fact essential from an operational standpoint. We shall develop this • Implementation of ORSA – This subject further here, focusing on a process must show the company’s limited number of projects that are ability to integrate its risk effectively closely linked to Pillar 2 provisions: into its management and its strategy. Only rarely do companies • Data quality – Measuring and have all of the necessary pieces of managing risks, then applying them the puzzle in place to meet to strategic capital planning requires regulatory principles. significant confidence in the reliability of the data and calculation processes used. • Validation of the internal model – Companies that have opted to use an internal model as of 1 January 2013 must take into account the myriad of constraints of the pre- validation process and then the final validation by the regulator. PwC Pillar 2, operational issues of risk management 45
  • 46. 2.3.1. Ensuring data qualityData management requirements These two aspects are to be understood These principles cover all the data usedData quality is a key issue in the in light of the fundamental purpose of within the framework of regulatorySolvency II Directive. Following the Solvency II as opposed to the current calculations, from managementexample of Basel II, it concerns the solvency regime, which is based on a applications (description of contracts,completeness, appropriateness and fixed percentage. The new regime claims, premiums), asset-liabilityaccuracy of the data used to produce introduces sensitivity to insurers’ risk management, accounting (fees,regulatory solvency indicators. portfolios. Each business line is handled commissions, etc.) or external sources separately, based on the notion that (assumption data, marketing data,The choice between an internal model for the same premium, exposure and shocks, ratings, economic scenarios,and the standard approach does not therefore capital consumption vary macroeconomic data, etc.).affect the management of data quality. depending on the type of risk.As only internal models require The calculation of solvency capital Three main deliverables are prepared invalidation by the regulator, this option requirements (SCR) is specific to each order to comply:requires the greatest compliance effort. business line, as are the tools, controlsThe level of quality must be certifiable and data, e.g., Life, Non-Life, etc. • The data dictionary, which lists alland verifiable. In other words, the of the data used in the internalstandards are more or less comparable ‘Static’ issues: managing data model or standard formula. Thiswith those for an accountant. The The Directive and several consultation specific scope of data is where theburden of proof lies with the insurer. papers mention the three criteria of company must show that it can data quality analysis from a static point successfully meet the three dataIn order to comply with the regulatory of view: quality criteria listed above.requirements, a distinction must be The regulatory authorities requiremade between two aspects of data • Completeness: The data available all insurers to internalise thesequality: cover all the risks in the portfolio three concepts and adapt them into with the same granularity and measurable criteria for data quality.• Static aspect: in which the quality historical depth, whether in direct This crucial work is to be carried out of the data that feeds the model management, delegated as the dictionary of data used by must be assured, irrespective of management, coinsurance or the risk management processes is source, and reinsurance. being built. Determining these measurement criteria for data• Dynamic aspect: control of data • Accuracy: The data contain no bias quality while building the dictionary extraction, transmission and caused by human, IT or technical by business line and source transformation processes where the error that would make it unfit process/system is the cornerstone data comes from management for use in calculating a regulatory of two major deliverables, namely applications that are used in indicator. the insurer’s data quality charter or actuarial calculation, cash flow policy and the data governance projection engines and in reporting • Appropriateness: The data is model. components for the ‘publication’ suitable for the intended purpose. In of regulatory solvency indicators. the event of any deficiency or lack of data, the proxy used is explicitly documented and justified in order to be clearly understood by the regulator.46 PwC Pillar 2, operational issues of risk management
  • 47. • The quality policy for risk data – The dashboard for monitoring is to concentrate data. The data is a fundamental document which data quality by business line, dictionary is used to align the flows sets out precisely: notably based on: from source systems and reconstitute the data from a given system if – The objectives, scope issues, • Data and network security necessary so as to ensure perfect resources, etc. consistency between portfolios, • Data integrity regardless of their source systems. – The measurement criteria of data quality, aligned with the • Data availability The other positive consequence is to three criteria of the Directive prevent spreading the business (completeness, accuracy and • Compilation of records approach of applying source appropriateness) for each management throughout the data business line. ‘Dynamic’ issues: securing warehouse (relational principles, transmission channels terminology, etc.). The data extracted – The principles for data quality Work on dynamic issues includes the and transformed are available for a review (frequency, depth, scope, control of the infrastructure and larger number of ‘clients’ and more retrieval, responsibility). processes in risk data management. easily meet use test requirements, as Most firms have set up data warehouses stipulated in the Directive. – The dashboard for monitoring into which business data are fed to be data quality by business line, used to calculate indicators (economic notably based on: capital, MCEV, etc.), technical provisions and operational and • Data and network security financial management indicators. They are also generally used to update • Data integrity data in management dashboards and accounting/management • Data availability reconciliations. • Compilation of records Insurers should concentrate their efforts on data transmission channels.• The risk data governance model The source of a Solvency II data defines: channel is in a management application. The channel integrates – The objectives, scope issues, components from infrastructure and resources, etc. transformation operations, aggregation and data calculation, through to the – The measurement criteria of integration of assumptions, shocks, data quality, aligned with the cash flow projection, calculation of three criteria of the Directive different SCRs and production of (completeness, accuracy and internal and regulatory reporting. It is appropriateness) for each an end-to-end process that must business line. include a thorough, documented audit trail. There are virtually as many data – The principles for data quality channels as there are source systems. review (frequency, depth, scope, The role of data centres or warehouses retrieval, responsibility). PwC Pillar 2, operational issues of risk management 47
  • 48. 2.3.2. Obtaining validation ofthe internal modelAs mentioned above, the internal 4. Profit and loss attribution: Organising the validation processmodel is more than a mere calculation Companies must regularly check It is important that the company cantool; it is a key element in the whether the risk classification and demonstrate that the model has beencompany’s decision-making processes. the profit and loss attribution in adapted to its business by the decisionWhether total or partial, this model their models accurately reflect the makers, that it is understood andmust be approved by the regulator. causes of profits/losses of applied correctly. Basically, it mustA considerable amount of operational units. show that the model plays its intendeddocumentation must be drawn up to role in the governance system. Theprove that the model meets the 5. Validation standards: The calculation methods used by the modelDirective’s requirements. appropriateness of assessments and must be adequate and based on underlying assumptions must be credible assumptions. The companyValidation procedures tested regularly against data drawn must be able to justify any differencesThe Directive defines eight tests that a from experience. Companies must between the underlying assumptionscandidate company must pass to also gauge how sensitive results are used in the model and those in thevalidate the internal model: to changes in key assumptions. standard formula. The model must cover all the risks to which the company1. Use test: Management must 6. Documentation standards: is exposed and its calibration must have understand the internal model’s risk Regularly updated written records no adverse effect on policyholders’ and capital assessments as a must be kept on the model’s design, benefits. fundamental driver in implementing operational details, mathematical its business plan and strategic bases and underlying assumptions. The model must allow for the annual decision-making processes. analysis of the business’ profits and 7. Internal model governance: losses broken down by risk category2. Statistical quality standards: The internal model is only approved included in the model. This should Assessments must be based on if the insurer meets satisfactory determine the company’s real risk relevant, reliable, consistent and governance and internal control profile. The model must also be understandable risk factors and standards. monitored and approved on a regular realistic, credible and verifiable basis to ensure that it remains in line assumptions. 8. External models and data: These with the risk profile. This validation tests also apply to third-party process, illustrated in the diagram3. Calibration standards: Results (outsourced) data or models. below, must show the regulator that the must be calibrated to a 99.5% VaR capital requirements calculated by the over one year. model are in line with the company’s actual risk profile.48 PwC Pillar 2, operational issues of risk management
  • 49. Figure 18: Internal model scope validation The following points must be defined upstream of the validation process: – the scope of the internal model: how was the model defined, using what processes? Validation scope – the scope of validation principles: is the model covered in its entirety? – proportionality: what parts of the model could possibly be excluded?Documentation throughout a validation process Management’s required materiality level in its validation policy must also be defined, along with the function of segments. Materiality Function of segments (functional and/or geographical) concerned. Requirements may differ in terms of materiality thresholds. This step covers the inventory of fundamental tools used for validation tests and the mapping of their coverage. These points are important to take into account: Validation tools – local approaches of subsidiaries where applicable – any reservations or limitations identified during validation. Validation rules must define the frequency of the steps in the validation process. Policies for Here again, there may be differences depending on the module and/or country concerned. changing Model Frequency The factors that trigger the ‘OK’ validation or changes to the model must also be identified. At this stage, it is important to identify: Roles and – key ‘validators’ of policies and rules – the roles and responsibilities in the internal model validation process: notably the responsibilities Independent breakdown between central and local teams and the procedures for the independent review to be conducted in 2013. validation The reporting process is secured by a series of consolidations in a step-by-step approach. The following points must be clearly defined: Reporting – reporting procedures for results of the validation process (including in particular the independent review) – the standard reporting format.Source: PwCThe company’s application for • For international groups, the The regulator performs the internalvalidation analysed by the regulator working language is English, but at model validation process in line withmust include all of the above- least a partial translation of the the timing constraints set by thementioned items. The application application into French is required. Directive. This process includes ashould show that the internal model is preparation and a pre-validation phase.the result of a structured approach and • The mathematical methodologies At the same conference, the ACPis perfectly integrated and documented. used (assumptions, operational indicated the main milestones in itsThis step in preparing the validation application, configuration, validation timetable:application can actually be rather frequency of revaluations) must becomplex and should therefore be clearly described. • Preliminary discussions withcarefully planned. At its conference on applicants about their model22 November 2010, the ACP offered • A precise description should be should have been completedsome useful pointers concerning the provided of the model’s governance by 31 March 2011.documents it expects in the validation processes, notably regardingapplication: coordination between subsidiaries • The regulator expects the company and the Group. to submit its internal model• In addition to the application that validation application (i.e., will form the basis of its assessment, • The internal validation policies documented application that the ACP expects all of the for the model, data management has been approved internally) supporting documents to be and enhancements to the internal by 31 March 2012. completely available and compiled model should be included in the into a detailed summary. application. PwC Pillar 2, operational issues of risk management 49
  • 50. “Governance under Solvency II requires a clear commitment from all heads of operating units. Change management will be central to ensuring acceptance of methods that are far more binding than many risk officers have previously experienced.” Philippe Léglise, Risk officer, Allianz France2.3.3. Managing change Necessary discipline in managing the programme A project is referred to as a programme if it includes several complex sub- projects that must be coordinated. Given the breadth and complexity of all of the Solvency II sub-projects and the number of contributors involved in implementing an efficient cross- business programme, management structure is a key factor in the programme’s success. It is a pre- requisite for the launch of the operational projects and covers all related responsibilities: • Coordinating the various projects relating to the three pillars and other related projects (e.g, upgrade of the information systems already underway, enhancement of the internal control system, etc.). Generally speaking, the Solvency II • Coordinating programme compliance project is a fundamental, communication and training. company-wide programme with an impact at almost every structural level: • Fostering a ‘Solvency II culture’ strategic and decision-making within the company. processes, organisation, governance, information systems and, especially, There is no ideal structure; each corporate culture. These new company defines its own programme operational procedures require full management procedures in line with its involvement from all staff as Solvency II specific constraints, objectives and changes both behaviour (notably timetable. We have provided a generic regarding risk) and the way of working. example of this type of structure in the It is vital that resources are planned, diagram below. We would also like to scheduled and implemented in order to point out two major factors for its help spread ‘Solvency II culture’ from calibration: the outset of the project.50 PwC Pillar 2, operational issues of risk management
  • 51. Figure 19: Example of project structure for Pillar 2 Implementation Group Level Sponsor Solvency II Programme Department Risk project Change management management Pillar 1 Pillar 2 Pillar 3 5. Changes in 7. Financial 8. Industrialisation 1. Solvency 2. Internal 4. Risk structure/ 6. Implement. 3. Risk strategy frameworks and reporting and of period-end calculations models governance of ORSA internal standards communication processes Project Project Project Project Project Project Project Project coordinator coordinator coordinator coordinator coordinator coordinator coordinator coordinator Contributors Contributors Contributors Contributors Contributors Contributors Contributors Contributors 9. Roll-out Local Level Subsidiary coordinator 1 Subsidiary coordinator 2 Subsidiary coordinator 3 Subsidiary coordinator 4Source: PwC• It must be able to manage various The ideal scenario is to create a projects in the programme and their dedicated change management unit to interaction simultaneously (pooling lead and coordinate change. It should of resources, cross-impact analysis be responsible for managing internal of key choices made for a specific communication on the programme and project, etc.). the implementation of the risk culture. It can also oversee, in conjunction with• It must closely reflect the existing HR, the requirements for training and organisational structure in place in additional resources in order to order to roll out the culture-related complete the various projects. projects and enhancements needed The change management scope throughout all Group entities. extends beyond just the Solvency II programme scope; instead, it covers all company staff. PwC Pillar 2, operational issues of risk management 51
  • 52. Defining a communication strategyCommunication is fundamental to managing change and bringing about a new corporate culture. The communicationstrategy must take into account the different levels of communication, corresponding to different audiences andrequirements:Figure 20: Communication strategy 3. External communication Corporate and public communication: press releases, annual report, public information, etc. 2. Group internal communication Regulatory communication: ACP, regulatory reporting Communication to employees: 1. Solvency II programme S2 programme newsletters, general information to all employees Internal communication on intranet or other media, etc. Internal communication in S2 programme: progress reports, steering committee meetings, programme committee meetings, project meetings initiated by project managers, documentation base, etc.Source: PwC52 PwC Pillar 2, operational issues of risk management
  • 53. A global communications strategy is a initiatives designed to help them broken down into communicationuseful tool in managing the Solvency II understand the requirements of the plans. The table below is an exampleprogramme. Its main objective is to three pillars and how they are applied outlining the main points:promote the involvement of key players to each operational level. Thein the Solvency II programme through communications strategy is oftenFigure 21: Example of communication plan Communication level Recipients/Target audience Communication channel Role of the Solvency II Role of the Communication or medium Programme management/ Department Change Management Unit • Everyone involved in • Team meetings, working • Is responsible for and • Advises/provides Solvency II programme groups, committees, etc. independently manages the project with internal communication communication • Steering Committee • Internal documentation 1. programme tools if applicable members (presentations, Solvency II programme training materials, minutes • Project Committee internal communication to meetings, etc.) members • Bodies specific to each project • Directors • Programme progress • Proposes the format • Checks and approves reports, general and/ the consistency of • Executive Committee • Approves content or technical information messages and format members and messages (e.g.v training material) • Manages • Management Committee • Is responsible for • Option of dedicated page/ communication tools 2. members distribution portal on intranet Group internal communication • Is responsible for • Slovency II programme • Proposes content • Checks and approves announcement/publication newsletters, general and contributes to the consistency of • All Group employees information to all employees formulation of messages messages and format in the broad sense on intranet, etc. • Is responsible for • Programme presentation announcement/ material publication • General public • Press releases, annual • Proposes content • Approves content, report, public information and contributes to messages, format • Group clients on Group website, formulation of messages with GM press conferences • Is responsible for • ACP • Reporting on progress, ACP • Approves content, • Is systematically 3. requirements, participation messages with informed prior to • European External in industry-wide discussions other departments any announcement/ supervisors communication and working groups, etc. concerned (Technical publication (CEIOPS, etc.) Department, Finance Department, etc.) • Is responsible for announcement/ publication through ACP representativevSource: PwC PwC Pillar 2, operational issues of risk management 53
  • 54. Managing changes in Training contributes considerably to among the first informed and trained.human resources developing employee expertise, not They should in turn be able to trainHuman Resources is the second critical only during the project phase but also their teams, at least in the areas thatarea of change management. The following the implementation of the directly concern them. This is the ‘trainHuman Resources department is Directive. This includes training on the the trainer’ model. Solvency II trainingcritical to the programme’s success, content of the regulation itself (e.g. the has been an extremely important issuegiven the important role played by three pillars of the Directive, the CPs, in 2011 and will continue to be in 2012.many of the functions within its remit: QIS 5) and risk management. It is HR managers should already be expected that training on the new risks defining needs and assessing their• Training: Develop employees’ to be taken into account by insurers will impact on training budgets. business expertise and provide them be requested most often: with the technical knowledge In terms of knowledge management, required to perform their duties in a • Market risks companies with a strategic workforce Solvency II environment. plan should also take into account the • Credit risks expected changes in employees’• Recruitment: Attract external expertise very early on. Expertise expertise that the company does not • Operational risks, and so on. (current vs. target) must be entirely currently have and foster loyalty remapped. Any gaps must be closed among these experts, taking into Similarly, a sharp rise in requests for through both training and hiring, account the high-pressure training on financial techniques and meaning that recruitment needs for environment for some profiles products is to be expected from 2012-2013 must be identified rapidly, (actuaries, risk management employees involved in technical, risk or as some profiles, such as actuaries specialists, etc.). finance processes or even other or asset-liability managers, are business lines. particularly difficult to find.• Knowledge management: Identify the technical and managerial In order to promote a risk culture, a key Finally, performance management is expertise which needs to be issue in Pillar 2, both technical training also important in stepping up change. developed in the Solvency II for professionals and ‘awareness’ In order to advance their compliance environment and coordinate the training aimed at all company staff are to Solvency II, companies may plan transition. essential. The latter type of training to set specific targets for managers, must focus on presenting the Directive’s e.g., on implementing Pillar 2 (ORSA• Management of individual main concepts, what they mean for the implementation, formal definition of performance: Foster and guide company and the insurance industry, processes, identification of risks and changes at the most basic level of and the changes to expect in the controls, etc.), either in new the organisation. insurance profession. assignment letters or annual performance reviews. One of the ways to accelerate learning about Solvency II in the company is to A portion of performance-related pay encourage its rapid adoption among should depend on meeting these targets operational managers. They must be at in order to boost motivation. the heart of training and should be54 PwC Pillar 2, operational issues of risk management
  • 55. 2.3.4. Implementing ORSA process ORSA implementation follows a five- Activating this process affects every step process that is integrated into the level of the company, following either a company’s risk management: top-down or bottom-up approach: • Risk identification • From senior management to operational units: definition of • Risk appetite company strategy, risk appetite, capital allocation to business lines. • Strategic planning • From operational units to senior • Stress testing management: risk identification, measurement of the risk profile, • Capital allocation risk reporting. “ORSA is set to be a strategic management and oversight tool for the insurance business. The benefits it brings will be closely linked to the flexibility of its operational implementation.” Sébastien Simon, Head of the Solvency II Programme, Société Générale Insurance PwC Pillar 2, operational issues of risk management 55
  • 56. The following dynamic diagram provides an overview of the ORSA process over the budget period:Figure 22: ORSA process (throughout the budget process) M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M1 M2 M3 Risk Quarterly Board Top-down Top tier Appetite Strategic Sign-off reporting / risk ID risks agreed Vision aspiration steering 3-yr strategic Quarterly Executive Agree stress Agree plan target reporting / Committee scenarios setting steering Proposed Proposed ‘Deep dive’ Agreed and Risk Review Risk Risk top-down Top tier risk adopt risk Appetite stress Appetite Committee risk ID risks assessment Statement scenarios monitoring Policy Risk Risk Risk aggregation Redefine risk controlling, Risk Define stress identification Risk mitigation plan process and Appetite scenarios Function template and Risk- Risk- (ID) prioritisation reporting requirement assessment (input from BUs) adjusted adjusted performance performance measures - measures - tools and aggregation Stress-test techniques Facilitate of plan / Capital Capital Finance strategic allocation allocation Function capital financial plan planning to BUs to BUs BU 1 BU 2 Risk- Day-to-day Bottom-up adjusted Bottom-up operational strategic BUs performance BU 3 implementation measures - risk ID financial stress-testing plan calculations BU 4 BU 5 Legend Function Strategic planning Risk identification Facilitate Iterative process Risk appetite Stress testing Take decisions Quarterly steering ExecuteSource: PwCCoordinating and industrialising Directive Articles 35 and 50 and CP 58the ORSA report with Pillar 3 risk stipulate that the ORSA reportreports submitted to the regulator must contain quantitative and qualitative information that is also included in the reports (RTS and SFCR) required under Pillar 3.56 PwC Pillar 2, operational issues of risk management
  • 57. Conclusion Operational implementation requires is the choice of which organisational deep-seated change in terms of and governance models to use for the both organisation and business risk management process. Which management. Launching projects such decision-making model should be as these requires careful attention to implemented? To whom should a few key concepts underscored by decision-making and control powers the Directive. be assigned? How should the risk function be scoped? ‘Risk appetite’ must be defined and documented with respect to the These decisions will pave the way business goals. The same applies to for the interpretation and adaptation the company’s ‘risk culture’, i.e., of the principles of Pillar 2 based on acceptance by staff of a clearly mapped- your organisation, its specific set-up out risk profile and strategy. The third and its commercial strategy. key to ensuring operational compliance PwC Pillar 2, operational issues of risk management 57
  • 58. Overall ConclusionsOf the three pillars of the Directive, Pillar 2 is undoubtedly Implementing a risk culture, another key issue in Pillar 2, isthe most important and complex to implement because it also critical to meeting compliance objectives and ensuringrequires companies to place risk management at the heart that they are both operational and effective. Companies willof their operational business models. be aided in this endeavour by two main drivers: communication and human resources.As we have explained throughout this paper, it involvesthe introduction of a new standard framework for risk Pillar 2 also represents a radical change for many companiesmanagement that must now form an integral part of all in the insurance sector. Except for large groups, manymanagerial functions. Above all, Pillar 2 implies making companies have not changed their structure or operationaldifficult decisions related to configuring and adapting the processes for several years. The Solvency II Directive providesoperational application of this framework at all levels of an excellent opportunity, particularly in a climate ofthe company – organisation, control, governance, relations economic crisis, to optimise company management andwith ‘suppliers’, and so on. increase operational efficiency in all functions by defining and streamlining processes, upgrading information systemsThe tools and framework, together with the ERM approach, and tools, building staff knowledge, and so on.serve to align company strategy with the risk accepted andtaken on by management and operational staff. Under this In the same way, implementing ORSA also offers a numberPillar 2 approach, the risk function becomes the cornerstone of opportunities by prompting insurers to optimise theirof the risk management system. operational performance over a strategic three- to five-year timeframe, ensuring that the company’s capital is in line with its risk profile and business ambitions. ORSA is destined to become a key instrument for strategic management. This expected enhancement of operational performance should, in the long term, largely offset the significant implementation costs of compliance with the Directive, especially Pillar 2. The results of the PwC 2010 pan-European study on preparations for Solvency II demonstrate that insurers seem to be coming to terms with the challenges involved in implementing regulations that place risk governance at the heart of their business.58 PwC Pillar 2, operational issues of risk management
  • 59. Contacts Eric Dupont Jimmy Zou Quoc Nguyen Dao France Insurance Leader France Solvency II Leader Director +33 1 56 57 80 39 +33 1 56 57 72 13 +33 1 56 57 57 14 +33 6 08 90 64 52 +33 6 74 27 34 79 +33 6 74 32 19 33 eric.dupont@fr.pwc.com jimmy.zou@fr.pwc.com quocnguyen.dao@fr.pwc.comThank you to our contributors • Sébastien de la Lande • Dominique Daijardin • Antoine de la Bretesche • Pierre-Antoine Duez • Stéphanie Artigaud • Benoît Germain • Rémi Saucié • Nicolas SimonMarketing contact • Elodie Coquerel +33 1 56 57 85 56 elodie.coquerel@fr.pwc.com PwC Pillar 2, operational issues of risk management 59
  • 60. www.pwc.com/solvencyIIPwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who arecommitted to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon theinformation contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy orcompleteness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability,responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for anydecision based on it.© 2012 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopersInternational Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act asagent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of itsmember firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions ofany other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.

×