Interactive Powerpoint_How to Master effective communication
Atila Kas
1. INTERNAL AUDIT FORUM 2017 (CYPRUS)
Solvency II & the Internal Audit Role
May 25, 2017
Atila KAS
2. SOLVENCY 2 (S2)
The EU Solvency II Directive lays down explicit governance requirements, including for the risk
management system of insurers and reinsurers. Solvency II is the new risk-based regulatory
framework for insurers taking effect on 1 January 2016. This framework consists of the Solvency II
Directive (2009/138/EC), the Delegated Acts containing implementing rules for Solvency II, and the
associated technical standards.
The Solvency II Directive is a world-leading standard that requires insurers to focus on
managing all of the risks facing their organization.
Real opportunity to improve their risk-adjusted performance and operational efficiency.
S2 is not only on the radar of insurance companies in the EU, but also on that of those across the
globe.
All stakeholders of the financial industry are watching the EU.
Impact on insurance companies, governments, and rating agencies within the EU and beyond.
S2 = living process of 15 years: consultation, feedback, and cooperation between the
insurance industry and regulatory bodies.
S2: based on the Basel 2 framework, including the 2008 crisis parameters.
4. ROLE OF IA IN S2
1. In respect of “including relevant Solvency II compliance items in each audit assignment”,
Internal Audit should consider in the audit approach specific steps to evaluate the application of
risk related policies, set limits, the review of use tests as well as the reliability of data that will
feed risk reporting and the Own Risk and Solvency Assessment (‘ORSA’) process.
2. Internal Audit should “assess the components of the system of governance” (see art. 41
& art. 47) and make appropriate recommendations for improving it. In particular, Internal Audit
should pay specific attention to:
Respect of the remuneration policy (Advice on System of Governance);
Compliance with regulatory provisions regarding outsourcing (art. 47-49).
3. The assessment of the “Risk Management function” and of the “Risk Management
system” should consider the Solvency II requirements as defined by art. 44.
Preliminary Risk Analysis yearly IA plan (Risk based approach)
Update expected on periodic evaluation
Overall risk management process, as well as the appropriateness of internal controls.
In general, Internal Audit evaluates the independence and the global effectiveness of the insurance
company’s risk management function (art. 47).
5. ROLE OF IA IN S2
4. Compliance function (Advice on Systems of Governance paragraph 3.232 to 3.250, 3.256-3.258) relating to the S2
(specifically in respect of the Compliance function): the requirement for compliance with all
legislation and particularly in the areas of Anti Money Laundering and Privacy.
5. In the assessment of the “Process for designing and implementing risk models”, special
attention should be paid to:
Model documentation and of the internal validation procedure;
compliance (Event of change model & Reporting requirements)
the degree of inclusion of the different risks in the model;
the embedding of the model in the risk management;
Integrity of the management processing and IS ;
Data Quality (consistency, reliability, continuity, timeliness, synchronism);
the quality and the accuracy of the model and of the “ex post” control;
the quality of the stress testing;
the accuracy of MCR & SCR calculation;
the use test
In line with what is set out in Recital 68 and art. 112, but also within the Pre-application process for
internal models (formerly CP80).
6. ROLE OF IA IN S2
6. The assessment of the actuarial function should consider the European supervisory
authorities’ requirements as stated in art. 48.
7. Reinsurance management process :
Company’s solvency and profitability must be integrated
Safeguarding of assets through optimization of the reinsurance coverage - In line
with company’s risk appetite/profile.
Monitoring reinsurers’ solvency, ceded reinsurance premiums and claims
interventions.
8. Own Risk and Solvency Assessment (ORSA) document process and outcome
the key strategic decision-making
Important element in the risk management of the company.
Facilitate the BOD & BOM
IA is not allowed to take part in the preparation of this document.
IA Profession believes that the application of all standards implicit in the “Core internal audit
tasks” should be included in the audit plan based on a risk based approach.
7. ROLE OF IA IN S2
Possible consulting roles in the Solvency II context
▸ Internal Audit may undertake in relation to Solvency II Independence and objectivity are
maintained.
▸ “Providing Solvency II related advice upon Executive Management or other entitled
governance bodies request”.
▸ Internal Audit’s plan must be prioritized over the performance of any consulting activity.
Consulting services <> operational or management responsibility
8. ROLE OF IA IN S2
IA must always be integrated in the key strategic projects
▸ Governance of the project.
Keep itself informed and updated on the organization and status of the project
Decide to evaluate the adequacy of the governance of the project (including any
committees)
▸ Written Policies and Procedures.
Review of policies and procedures.
Check on design for any procedure updated by S2 and internal governance committees
▸ Data quality.
Adequacy of data quality, irrespective of whether this is Solvency II related or not.
“Data used for the internal model shall be accurate, complete and appropriate.” (Art. 121(3)).
IT auditors or IT auditing expertise must be involved
Assess the Validation process regarding data
▸ Internal model. Data quality is also an integral part of model validation, “the model validation
process shall (…) include an assessment of the accuracy, completeness and appropriateness of
the data used by the internal model.” (art. 124).
9. The ORSA enables management to responsibly weigh up risks, capital and returns against
each other and look forward to the medium to long term based on the current situation. The
ORSA is a regular process that must be performed at least once a year.
An ORSA must also be performed in the event of any significant change in the risk profile. The
outcomes and findings of each ORSA must be submitted to the insurer’s executive
management for approval and then communicated to all relevant departments and to the
regulatory authority. Provided that certain conditions are met, insurance groups have the option
to do this in a group report.
Example of the conceptualization of an ORSA audit
10. AUDIT THE OWN RISK SOLVENCY
ASSESSMENT (ORSA)
3.4 Scenario tests and stress tests
Regular engagement : In an audit of the internal management of the ORSA process, including compliance with laws and
regulations. As part of its review of the risk profile, the Internal Audit function performs at least the following procedures:
o Up-to-date process description is available for scenarios and stress tests.
o Establishing whether tasks, authorisations and responsibilities for the development and approval of scenarios and stress tests
have been clearly described.
o Explicit attention should be paid to the involvement of senior management, the actuarial and the risk management function.
o Reviewing how the scenarios and stress tests have been drawn up. This includes aspects such as the process that has been
followed, the independent input from key functions and the objective substantiation of the severity of stress scenarios.
Back-testing may be used for the substantiation.
o Establishing whether the scenarios and stress tests have been clearly documented, both in terms of the qualitative
description and the quantitative factors.
o When simplifications (such as upscaling) have been used in scenarios and stress tests, establishing whether these have
been sufficiently substantiated.
o When the scenarios and stress tests that have been determined differ from those in the previous ORSA, establishing whether
there is a sound reason for this and whether this has been sufficiently documented.
o When the reverse stress tests that have been determined differ from those in the previous ORSA, establishing whether there
is a sound reason for this and whether this has been sufficiently documented.
o Reviewing whether the scenario and stress tests that have been determined sufficiently affect all the insurer’s material risks,
including both the individual risks and combined risks.
o Reviewing whether the scenarios and stress tests that have been determined sufficiently take into account the risk profile of
each individual regulated entity.
o Establishing whether implicit and explicit management actions have been included in elaborating the stress scenarios and
whether these management actions:
- are sufficiently concrete and feasible;
- seem realistic if the scenario were to actually occur;
- are consistent with existing policy (in terms of investments, reinsurance, etc.);
- are based on the commitment of executive management to actually perform the expected management action.
11. AUDIT THE OWN RISK SOLVENCY ASSESSMENT (ORSA)
3.4 Scenario tests and stress tests
Context of the ORSA report :
o Establishing whether an up-to-date process description is available for determining scenarios and stress tests.
o Establishing whether the basic scenario is aligned to the approved business plan or the multi-annual budget and
whether it has been sufficiently documented in the ORSA reporting.
o Establishing whether the chosen stress scenarios are in line with the insurer’s (strategic) risk analyses. The
scenarios that have been developed should be appropriate to the insurer’s risk profile.
o Establishing whether sufficient objective substantiation has been provided, using internal source data and/or
external sources (such as the Macroeconomic Forecast published by national bank - Statistics) for scenarios and
stress tests and, where possible, for the chosen severity of the stress scenario.
o Establishing whether sufficient care has been taken to ensure that scenarios and stress tests and, where possible,
the chosen severity of the stress scenario, have not been influenced by or back-calculated from the insurer’s
available capital.
o Autonomously consulting internal and external sources to independently review the chosen severity.
o Back-testing previously formulated scenarios against the actual outcome.
o Establishing whether sufficient stress tests have been performed, including reverse stress tests, sensitivity
analyses, and individual and combined scenarios.
o Establishing whether the consecutive ORSAs have been consistent, where necessary, in the choice of scenarios
and the chosen severity of scenarios.
o Establishing whether information from previous ORSAs (own evaluation, regulator feedback, internal or external
audit) has been adequately included.
12. CHANGES & IMPACTS FOR IA FUNCTION
New impact for IA function
o Important increase in the deliveries (Pillar 3 QRT) produced for the national supervisor,
where some reviews are expected from the IA function (could lead to 10-15% of the yearly
capacity)
o ORSA audit and/or its outcomes are key and relevant on the yearly audit plan
o Increase of the “onsite Inspections” performed by the national regulators : Head of the IA
function is requested to participate at each kick-off & closing meeting (critical workload for
Group structures)
o Yearly “face to face” meeting between the national supervisor & the Head of the IA
function (Significant market leaders are impacted on quarterly meeting)
o Availability - IA team: « auditors never sleep » from Angela is « the reality » of
today’s context.
13. CHANGES & IMPACTS FOR IA FUNCTION
New impact for IA function
o Capacity issues within the organization : coordination is a MUST
o Remedial actions (late or not) : Impact on capital ADD ON (if delay)
Other functions and/or governance bodies impacted
o Impact also on the 3 other controlling functions, a huge cost for each (re)insurance
company: Risk Management function, Compliance function & Actuarial function.
14. CHANGES & IMPACTS FOR IA FUNCTION
New impact for IA function
o Issuing of the National rules defining clearly the role & responsibilities of the IA function
by year-end of 2015 : Mission, Scope, Governance of the IA function, including the
relation between the IA function with the External audit but also with the national
supervisor
o Number of engagements increased drastically from 2016 <> from a “regular” risk-based
audit plan, due to
o Changes within the audit environment
o Audit techniques & approaches
As a consequence, there is an important increase in the “capacity” and an audit
approach which has been completely revisited by the national institute, coordinated with
ECIIA
o National regulators are no longer expecting consulting activities from the IA function:
the only focus should be on its “assurance” role
15. CHANGES & IMPACTS FOR IA FUNCTION
Competences
o “Fit & Proper”
o CIA / CRMA / CISA … expected by national regulators where National IIA / Chapter
should bring clear guidance and advocacy with stakeholders and IIA members
o Audit Typologies : Governance, Internal control & Risk Management systems, ORSA
(including Internal Model / standard formula) are the main changes where the IA function
is getting more and more trained and experienced.
o From “nice to have” to “strongly recommended” internal audit functions
o IT auditor
o Actuarial (Life &/or Non Life) auditor
o Ops is a must within the audit teams
Market: important gaps exist in EU countries and important volatilities exist between
groups: HR policy and/or remuneration to maintain internal resources (for all
controlling functions) must be addressed.
o Audit seniority with LT experience (and rotation) …