What does the Second Line of Defence look like post Solvency II?
Susan Young
Head of Risk Management
R&Q Managing Agency Limited 4th July 2013
Institute of Risk Management
ERM in Insurance Special Interest Group
Disclaimer
The opinions expressed in this presentation are my own and do not represent
those of my organisation
Feel free to share yours
Session Outline
• The Risk Management Function under Solvency II
• The Three Lines of Defence Model
• Some thoughts
• The Three Lines of Defence in a SII world
• Observations and Challenges
• Challenges for Risk Management specifically
• The role of Risk Management in supporting the Board and the business
• How should Risk Managers help their Boards?
• How should Risk Managers inform their Boards?
• The Risk Management Function in the organisational hierarchy – does it matter?
• Summary and Conclusion
• Questions
The Risk Management Function under SII –
Framework Directive
• Insurance and reinsurance undertakings shall have in place an effective risk management system
comprising strategies, processes and reporting procedures necessary to identify, measure, monitor,
manage and report, on a continuous basis, the risks, at an individual and aggregated level, to which they
are or could be exposed, and their interdependencies
• That risk management system shall be effective and well integrated into the organisational structure and
in the decision making processes of the insurance and reinsurance undertaking with proper consideration
of the persons who effectively run the undertaking or have other key functions
(Section 2 Article 44 – Risk Management Function – The “what”)
To be continued….
The Risk Management Function under SII –
Level 2
• A clearly defined and well documented risk management strategy that includes the risk management objectives, key risk
management principles, general risk appetite and assignment of risk management responsibilities across all activities of
the undertaking and is consistent with the undertaking’s overall business strategy
• Adequate written policies that include a definition and categorisation of the material risks faced by the undertaking, by
type, and the levels of acceptable risk limits for each risk type, implement the undertaking’s risk strategy, facilitate control
mechanisms and take into account the nature, scope and time horizon of the business and the risks associated with it
• Appropriate processes and procedures which enable the undertaking to identify, assess, manage, monitor and report the
risks it is or might be exposed to
• Appropriate reporting procedures and feedback loops that ensure that information on the risk management system, which
is coordinated and challenged by the risk management function and is actively monitored and managed by all relevant
staff and the administrative, management or supervisory body
• Reports that are submitted to the administrative, management or supervisory body by the risk management function on
the material risks faced by the undertaking and of the risk management system, and
• A suitable own risk and solvency assessment (ORSA) process
(CEIOPS Doc 29/09 Level 2 Implementing Measures – the “how”)
Enterprise Risk Management in different clothes?
The Three Lines of Defence Model
• First Line of Defence – Day to Day Management and Control
 – Board of Directors
 – Functional Heads
 – Business Units
• Second Line of Defence – Oversight, policy and methodology
 – Committee and Governance Structure
 – Risk Management
 – Compliance
 – Actuarial
 – HR, Legal etc.
• Third Line of Defence – Independent Assurance
 – Audit Committee
 – External Audit
 – Internal Audit
 – Independent Peer Review (where appropriate)
Basel Committee Definitions
Some thoughts……
• Origins can be found in sport/military planning
• Implies three separate lines operating independently, each providing a “backstop” for the other
• Solvency II implies a much more integrated view of Risk Management particularly – more later
• Other definitions have “blurred the boundaries” – Actuarial, Finance, HR etc. often find their way into the
first line of defence in some models
• Others have Risk Management as the first line, Internal Control as the second line and Internal Audit as
the Third Line
• The increased demands on Risk Management in particular are much more holistic in a SII world
• The Three Lines of Defence Model (and its operation) needs to reflect that
It’s not as clear-cut as three distinct lines. Nor should it be.
The Three Lines of Defence Model in a
Solvency II world
(Diagram showing the Board of Directors and the three lines)
• FIRST LINE – The Business (Risk and Control Owners)
• SECOND LINE – Risk Management; Direct Assurance (Compliance, Actuarial, Legal etc)
• THIRD LINE – Independent Assurance (Internal/External Audit, Independent Review etc)
The “virtual team” in a SII world
Observations and Challenges
• Risk Management sits at the heart of much of how organisations operate in the new Solvency II world
• Regarding the second line – what’s in, what’s out? Does it matter? If so….
• Recognise the areas with first and second line “hats” and adapt style and approach accordingly
• Our ERM responsibilities have not changed – we merely have a clearer mandate to harness them – more
later
• First and third lines of defence (as traditionally defined) also form part of the Risk Management Function
(even if not part of the Risk Management team)
• Risk Management is clearly in the second line; however, we will examine the implications in a moment
A blurring of the boundaries – but surely this is a good thing?
Challenges for Risk Management specifically
• Wider ranging responsibilities – Governance of the Internal Model (where used) has required a broadening in our
skill set
• This reached beyond the traditional ERM “top down and joined up” approach to risk identification, mitigation,
monitoring we all know and love – but the basic tenets of ERM do still apply
• Finding the right positioning within the organisation to make our voice heard – either on the Board, reporting
directly to it, or reporting to someone on it – more to follow
• From that, having clearly defined terms of reference for the Risk Management Function – which should
encompass elements of the first and third lines as appropriate
• Ensure your organisations know how to harness the skills within the Risk Management team to optimum effect
• Maintaining the momentum in the light of SII implementation delays – a working assumption has to be that SII is
coming
• Convincing the organisation of the value of living it now!
A fair few – what do these mean in practice?
The role of Risk Management in supporting the
Board and the business
• Risk Management should be embedded – so what does this mean?
• Risk Management is not the Risk Management team alone
• The Risk Management team is an enabler for Risk Management activity
• Accordingly, effective Risk Management activity cannot be abdicated to the Risk
Management team, or merely “bolted on” to existing business activity
• SII recognises that the Risk Management Function, however defined, has responsibility
for many elements of Internal Model Governance – Scope, Change, Validation – a
terrific mandate for facilitating the alignment of the two disciplines
• “Function” is the operative word. Risk Management should function, not just be. It is a
process.
• Risk Management should be defined, positioned and structured appropriately to be able
to fulfil its obligations and to actively support the Board in fulfilling theirs.
Risk Management is well placed to underpin the Board – provided it is well embedded
How should Risk Managers help their Boards?
• Ensure there are properly defined Terms of Reference (mentioned earlier – distinguish between the Team
and the Function)
• Risk Management has a key role to play in the following, as well as day to day activity:
– Business Planning – Risk Management informs the process and monitors business performance
– Strategic initiatives – they can have major capital implications
• Ensure the reporting line affords you an appropriate profile and feedback loop, either on the Board or
reporting to it – as well as the requisite independence
• If not, ensure Risk Management is covered during the Board meetings - not at the end
• Get the structure and balance of your team right – remember your “virtual” team as well!
• Educate, educate, educate – this never ends – from top table to grass roots
Maintain visibility – it is key in fulfilling these responsibilities
How should Risk Managers inform their
Boards?
• Engage up front in defining what the Board wants, why and when
• Ensure there is a common and consistent language
– Keep jargon to a minimum
– Once established, stick to it
• Present concise Management Information – not Data
– Less is more
– Provide detail by all means, but keep key information to a few pages – or even only one
– Ensure your Key Risk Indicators do address your Key Risks
– Ensure any “Reds” are sufficiently material to warrant discussion and corrective action
– Test the impact – did the MI drive action?
• Internal Model Outputs – for example
– Sensitivity tests – can show the impact of decisions on Risk Indicators/Capital Usage
– Risk Ranking and allocation of capital to individual risks or risk categories is a lever to prioritise risks
Taking risks has capital implications – we need to know how much – by managing risks in this
way, we can take more of them!
The Risk Management Function in the
organisational hierarchy – does it matter?
• Yes, for the reasons already outlined – but that’s not all
• The Risk Management Function should be purely second line of defence – if properly embedded it should support, challenge, embed – not do it all
• It should maintain its independence in order to be objective
• There is no hard and fast rule as to how this is done – it will depend on the organisation and it may need to change/adapt over time
• However, the days of Risk Management as a siloed, discrete bunch of “bolt on” people are gone – Risk Management is a “virtual team” – being the whole organisation
Thoughts?
Summary and Conclusion
• The responsibilities of the Risk Management Function under Solvency II are clear and
unchanged
• They are nothing really new, merely a clearer mandate to embed ERM
• The Three Lines of Defence model as traditionally defined implies demarcation between the
three lines
• This has limited appropriateness in a Solvency II world – the three lines of defence model is
less discrete, more continuous and less “clear cut” – Risk Management should recognise this
when engaging with the business
• The Risk Management Function in the second line is in a unique position to support,
challenge and embed, and is well placed to do so
• The impetus should remain notwithstanding the delays to the timetable
And finally….
Thank you for listening
Any questions?
DDI +44 (0) 20 7780 5882
Susan.young@rqih.com
www.rqih.com