www.pwc.com/solvencyII

Pillar 2
Operational issues of risk management

2011 was a crucial milestone for insurance companies on the path to Solvency II compliance.

March 2012
Contents

Overview                                        4
1.   Theoretical approach                       6
1.1  General provisions of Pillar 2             8
1.2  What does the Directive say?               9
1.3  What do the implementing measures say?    12
1.4  COSO II - ERM                             16
2.   Operational implementation                20
2.1  Defining the risk management system       22
2.2  Implementing the risk management process  34
2.3  Managing cross-business projects          45
Overall conclusions                            58
Contacts                                       59




This PwC White Paper focuses exclusively on the challenges of implementing the new Solvency II requirements. It provides the insurance industry with a single concrete methodology and framework, complete with milestones, for adapting the principles of Pillar 2 to their organisations.




2 PwC Pillar 2, operational issues of risk management
Foreword

      This White Paper is being issued at a crucial point in the Solvency II regulatory
      calendar. The challenge of ensuring compliance with Pillar 2 – the cornerstone of
      solvency risk prevention – is becoming clearer. The initial work on Level 2
      measures concerning the system of risk governance is in its final stages. The
      measures for Level 3 began in 2011 and accelerated towards the end of the year,
      despite the fact that from January 2011 the Omnibus 2 Directive allowed for
      transitory measures as well as a grace period under certain conditions and for
      certain points.

      In this uncertain, but already well advanced, regulatory context, the priorities of
      the insurance industry are concentrated around Pillar 2, which involves the
      operational application of a risk strategy which is compliant with the Directive’s
      principles and obligations. These new obligations go to the heart of business and
      organisational management. They also represent an opportunity for companies to
      optimise their operational performance. In this respect, the documented
      procedures of Own Risk and Solvency Assessment (ORSA) offer a path to
      groundbreaking management of solvency over a strategic horizon of three to five
      years.

      PwC assists insurance companies in their projects and has worked side by side
      with them on risk management issues, including drafting the COSO 2-ERM
      standard. This White Paper is aimed at extending our contribution to compliance
      with Solvency II.

Paul Clarke, Global Solvency II leader
Jimmy Zou, Solvency II leader (France)




Overview




On the long journey towards compliance with the new Solvency II regulations, insurers (insurance and reinsurance companies, mutual insurers and insurance cooperatives) are at a crossroads: having thus far focused on the quantitative aspects of the Directive, referred to as Pillar 1, they are now turning towards the more complex qualitative obligations of Pillar 2.




“Through its cross-disciplinary approach, this White Paper clearly presents the key points of risk management and provides illustrations of potential situations. This document reassures us on our approach and gives fresh insight into certain operational strategies for Pillar 2 projects.”
Christophe Raballan, Head of Risk Management and Internal Control, MAIF




In 2010, insurance companies concentrated on assessing their ability to build accurate risk models, based on the new framework, and to measure the impact of these requirements on the amount of capital required for the 1 January 2013 implementation. Companies have also recently finalised the QIS 5 exercises, which provided the opportunity to conduct a first dry run to test calculation methods and processes. During this phase, the final adjustments necessary to implement a process for drawing up economic assessments and calculating solvency capital requirements (SCR) were made.

In early 2011, the work concentrated on Pillar 2 of Solvency II, which required companies to challenge their own risk culture, define – or redefine as needed – risk governance and strategy and consider the operational implementation of the risk management function. As the keystone of the Directive is based on risk control, Pillar 2 compliance therefore raises many questions for insurance companies. These tough questions often strike at the heart of business management processes.

Questions you might ask yourself include: What exactly do Solvency II regulations require? How should, or how can, these provisions be applied to my company? What constraints and determining factors are used to configure an operational risk management system as accurately as possible? What are the specific sub-projects that fall under Pillar 2 requirements in my overall compliance project?

The main difficulty shared by all of our clients, which we address in this White Paper, is how to interpret and apply the regulations properly to individual companies in order to create a risk management process that meets the requirements in an appropriate and efficient manner.

This paper is designed as a toolbox for those involved in the organisational aspects of Solvency II compliance. Following a brief overview of the regulatory requirements and the ERM framework, we break down the operational issues involved in Solvency II compliance projects (risk management function, organisation and governance of the overall risk management processes, scoping of ‘cross-business’ projects such as data quality and ORSA). We also highlight the fundamental questions and, based on concrete examples, sketch out the main operational approaches to answering them.

As such, this paper is mainly directed at operational Solvency II compliance project coordinators, project managers and heads of risk. It should also provide useful information for the managers and directors of insurance companies. Currently many insurers face difficult choices in finding the right balance between compliance requirements (which can seem excessive) and adapting them to their company’s internal environment (a strict compliance or ‘best-in-class’ approach to risk management?). We hope that you will find the guidelines developed below useful in your compliance work.




1. Theoretical approach




Introduction

Under Solvency II, all companies must demonstrate that they have implemented an adequate and efficient risk management system. The two main vehicles used are:

• The regulatory framework of Pillar 2 is the principal vehicle. Its provisions, outlined in a small number of articles in the Directive, cover regulatory requirements relating to the operational structure of risk management. These articles are further developed in implementing measures, some of which are currently under discussion.

• The technical framework, COSO 2 (1) ‘Enterprise Risk Management’ or ERM, which is most often used to understand what effective risk management criteria are. Rating agencies have now included ERM performance as an evaluation criterion in and of itself.

In this report, we have provided a summary of the main provisions and concepts listed in these frameworks.




(1) COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, a non-profit commission which in 1992 established a standard definition for internal control and created a framework to evaluate its efficiency.




1.1 General provisions of Pillar 2

Pillar 2 covers all of the required risk management principles and practices relating to the risk and capital estimates covered
by Pillar 1. The main provisions fall into the following four major categories:


Figure 1: The principal provisions of Pillar 2

Risk governance (Art. 41 to 49)
• General governance requirements (segregating responsibilities, managing conflicts of interest, etc.)
• Principle of proportionality of the risk system in relation to the complexity of the risk profile
• Definition of key functions in risk management and the scope of the risk system
• Fit and proper requirements for the main risk management roles
• Good conduct principles in terms of remuneration

New supervision process (Art. 27 to 39)
• A new supervisory review process based on permanent dialogue with the regulator and in which the company bears the ‘burden of proof’
• The option of the regulator to sanction any quantitative or qualitative divergence from expected standards through ‘capital add-ons’

Internal model (Art. 120 to 126)
• Requirement to show that the internal model is used effectively in monitoring (operational risk management, capital allocation)
• A concrete assessment based on nine principles (adoption by management, accurate reflection of risk profile, etc.)
• Internal validation process for the model...
• … and model sensitivity and stability tests.

Own risk and solvency assessment (ORSA) (Art. 45)
• A set of processes and procedures used to identify, assess, monitor, control and report internal and external long-term and short-term risks that an insurer faces or could face. These risks are used to determine the company’s capital requirement to ensure its solvency at all times.
• The ORSA covers the regulatory requirements of Pillars 1, 2 and 3

Source: PwC




The main difficulty in getting to grips with Pillar 2 is that the articles and implementing measures define the underlying principles but offer no standards as to its practical application. These principles must be interpreted and adapted to apply to the internal environment of your organisation.

In light of this, we focus on the organisational aspect of Pillar 2, namely the governance issues for the risks covered in articles 41 to 49, and the Level 2 and 3 measures currently being defined and discussed between the European Insurance and Occupational Pensions Authority (EIOPA) and the European Commission.



1.2 What does the Directive say?

The European Solvency II Directive establishes the ground rules for good governance as a complete system composed of functions and rules used by regulators and models for appropriate decision-making procedures. The system for risk governance (defined in Article 41) features seven main components, each with set expectation levels. Each component is detailed in a dedicated article of the Directive, as illustrated below.


Figure 2: Risk governance

GOVERNANCE (Art. 41)
• Fit and proper requirements (Art. 42 + 43)
• Risk management (Art. 44)
• ORSA (Art. 45)
• Internal control (Art. 46)
• Internal audit (Art. 47)
• Actuarial function (Art. 48)
• Outsourcing (Art. 49)

Source: PwC


Art. 41 – General governance requirements
Article 41 introduces the main themes developed in Articles 42 to 49, but above all emphasises that, “insurance and reinsurance undertakings [shall] have in place an effective system of governance which provides for sound and prudent management of the business.”

Art. 42+43 – Fit and proper requirements
Article 42 stipulates that “all persons who effectively run the undertaking or have other key functions [shall] at all times fulfil the following requirements: their professional qualifications, knowledge and experience are adequate to enable sound and prudent management (fit); and they are of good repute and integrity (proper).”

This information must be reported to the supervisory authorities in the event of any changes and must be documented.

Art. 44 – Risk management system
Article 44 states that “insurance and reinsurance undertakings shall have in place an effective risk-management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the risks, at an individual and at an aggregated level, to which they are or could be exposed, and their interdependencies.

That risk-management system shall be effective and well integrated into the organisational structure and in the decision-making processes of the insurance or reinsurance undertaking with proper consideration of the persons who effectively run the undertaking or have other key functions.”

Article 44 describes limits in the scope covered by risk management (underwriting, asset-liability management, investment, operational risk management, liquidity and concentration risk management, reinsurance and, in part, the internal model). It stipulates that these risk management policies must be documented.

To recap, the Directive:

• presents the risk management function (hereinafter referred to as the ‘risk Function’) as an efficient, mandatory function integrated into the organisation

• limits the scope of risks covered – notably risks used to calculate SCR, but not necessarily limited to just these risks

• describes the specific responsibilities of this function, acting as the overall ‘conductor’ for the system and ‘pilot’ for the internal model, if applicable.




Art. 45 – Own risk and solvency assessment (ORSA)
Article 45 states that as part of its risk management system, every insurance and reinsurance undertaking shall regularly “conduct its own [proportionate and documented] risk and solvency assessment” to determine the Solvency Capital Requirement risk measure and calibration.

ORSA essentially covers three major points:

• as applied, ORSA shows whether or not the risk management processes developed by the organisation are appropriate

• it is integrated into business strategy and is taken into account in the organisation’s strategic decisions. Its analyses and reports are taken into account by decision makers

• the assessment can be performed following any significant change in the risk profile of the organisation.

Art. 46 – Internal control
Article 46 states that “Insurance and reinsurance undertakings shall have in place an effective internal control system [including at least] administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.”

Art. 47 – Internal audit
Article 47 stipulates that “the internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance… [and] shall be objective and independent from the operational functions.”

Art. 48 – Actuarial function
Article 48 describes the actuarial function as an assessment function that aims to “coordinate the calculation of technical provisions; ensure the appropriateness of the methodologies and underlying models used as well as the assumptions made in the calculation of technical provisions; assess the sufficiency and quality of the data used in the calculation of technical provisions; compare best estimates against experience; inform the administrative, management or supervisory body of the reliability and adequacy of the calculation of technical provisions; oversee the calculation of technical provisions..., express an opinion on the overall underwriting policy; express an opinion on the adequacy of reinsurance arrangements; and contribute to the effective implementation of the risk management system...”

Art. 49 – Outsourcing
Finally, Article 49 informs us that “insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations... [when outsourcing] functions or any insurance or reinsurance activities”. The outsourcing of activities must not impact the governance system, business, operational risk or the ability of the supervisory authorities to monitor compliance.

Moreover, undertakings shall notify the supervisory authorities prior to the outsourcing of “critical or important” functions or activities.




1.3 What do the implementing measures say?




The Solvency II provisions concerning the organisation and risk governance system are based solely on the guiding principles. The regulators want each organisation to be responsible for determining its own organisational structure, and have therefore defined only key functions and very general requirements. To help interpret Articles 41 to 49, the regulators have, nonetheless, given some specifics.

These specifications on the risk management system are provided in the Level 2 measures in the document “Advice for Level 2 Implementing Measures on Solvency II: System of Governance” (from Consultation Paper 33), published in October 2009. Level 3 measures, currently in preliminary discussions, are based on the same architecture and are expected to clarify certain points, depending on the level of the regulators’ requirements.

Essentially, under these requirements all companies which are subject to Solvency II must demonstrate that, in line with these principles, they have an operational system for managing and overseeing their risks which guarantees:

• a true understanding of the risks to which the company is exposed (risk profile) and a reasonable assessment of its exposure at any given time

• a real operational risk management mechanism, i.e., key components are in place, and each component can do what it is supposed to do

• reporting of required information and the ability of the regulatory authorities to make the necessary decisions.




Figure 3: A summary of the provisions

System of governance (SG 1, SG 2, SG 11, SG 13)
• A clear, robust and well-documented system to encourage […] organisation
• […] of conflicts of interest, ‘four-eyes principle’, documented […] of fit and proper requirements for all key functions

Risk management (SG 3, SG 4, SG 7) (see focus)
• Clearly documented processes, procedures and policies
• A minimal scope of the ‘risk areas’ to be covered: underwriting, reserving, ALM, investments, liquidity and concentration, operational risk, reinsurance and other risk-mitigation techniques
• Responsibilities: (i) ERM architect and coordinator, (ii) producing aggregated risk […], (iii) reporting on risk exposures and (iv) identifying and assessing emerging risks

Compliance function – internal control (SG 5 and SG 8)
• Reference to COSO framework (control environment, control activities, communication, etc.)
• Responsibilities: (i) compliance of operations, (ii) management of operational activities and (iii) reliability of […] and […] information

Internal audit (SG 9)
• An independent, impartial and stand-alone unit with expertise in all businesses and processes fully within its scope
• Requirement to issue an annual report based on an audit plan with a risk-based approach

Actuarial function (SG 10)
• Responsibilities: coordinating the calculation of technical provisions, assessing the appropriateness of data methods and quality, back-testing best estimates and providing management with formal opinions on the reliability of models (formal report)

Outsourcing (SG 12)
• Obligation to ensure that outsourcing does not negatively impact service quality or global operational risk exposure
• Formalised, comprehensive processes and policies covering all areas of an outsourcing project (selection, contract, monitoring, etc.)

Source: PwC



These provisions clearly form a minimal regulatory base. The principles are very broad: each organisation must specifically adapt them to its size, its expertise and the complexity of its risk profile. This is what is referred to in the legislation as the ‘proportionality principle’. However, the scope of this principle and the level of ‘leeway’ allowed for different organisations currently remain unclear.



Focus on Level 2 measures

In the Level 2 text, Article SG3 gives EIOPA’s opinion on risk management efficiency and provides the following advice:

a) Risk management strategy must be clearly defined and well documented. This strategy must set risk management
   objectives and key risk management principles, define the organisation’s risk appetite and finally describe the roles
   and responsibilities of the risk management function across the company and in accordance with its business strategy.

b) Risk management policies must be put in writing and adapted. They include naming and defining the risks to which the
   organisation is exposed, classifying them by type and limits of acceptability. The risk management system must apply
   strategy, facilitate the implementation of control mechanisms and take into account the nature, scope and time horizon
   of the business and the associated risks.

c) Risk management processes must be appropriate and procedures adapted in order to identify, assess, manage, monitor
   and report risks.

d) Risk reporting procedures must be appropriate, as must the feedback loops that ensure reporting. These procedures are
   coordinated and challenged by the risk management function and are actively controlled and managed by all relevant
   staff.

e) Reporting documents submitted to the above-mentioned bodies by the risk management function refer to the risks
   (potential or actual) associated with the business of the company and the operational efficiency of the risk
   management system.

f) Lastly, ORSA must be adapted to the company’s activities.

Special case of ORSA

ORSA is a hot topic that was covered in the Level 3 measures addressed by EIOPA in the second half of 2011, as well as
during a conference on Pillar 2, governance and ORSA held by the Autorité de Contrôle Prudentiel (Prudential Control
Authority or ACP) during the second quarter of 2011.

Despite the importance of this process, Article 45 was not described in any text relating to Level 2 measures. CEIOPS
published an Issues Paper entitled “Own Risk and Solvency Assessment (ORSA)” dated 27 May 2008.

As presented to date, ORSA is a process designed to ensure that the company is able to calculate and manage its risks
and that its capital needs are met. However, certain characteristics should be highlighted (see chart below):

• ORSA is the responsibility of senior management, which is in charge of overseeing the process and its results with
  respect to the regulator.

• It is a documented risk management process that must be submitted to the supervisory authority at regular intervals
  (at least once a year) and following any significant change in the insurer’s risk profile.

• It is an integral part of the day-to-day management of the company (commercial policy, investment strategy, capital
  management, acquisition strategy …).




Figure 4: Risk management system

Business strategy
• Strategic objectives
• Risk strategy
• Valuation of strategic scenarios
• Capital strategy
• Use of capital and financial resources
• Strategic allocation
• Reinsurance and other hedging
• Business decisions
• Forecast timeline

Risk analysis and assessment
• Risk identification
• Qualitative analyses
• Control assessment
• Prioritisation and classification of risks
• Risk profile
• Risk management policies

Solvency management and measurement
• Economic assessment
• Best estimates
• Risk parameters and assumptions
• Analysis and estimates of capital
• Stress test and scenario
• Fungibility of capital
• Capital assessments (internal, S2, etc.)
• Reconciliation of these assessments

Decision-making process
• Regular monitoring of risk profile
• Solvency management and monitoring
• Risk appetite and tolerance
• Frequency of assessments
• Support for strategic decisions
• Risk governance documentation
• Disclosure (Pillar 3)

External environment
• Business environment
• Emerging risks
• Long-term risks
• Macroeconomic environment
• Regulatory framework (S2)
• Changes in legal environment
• Social trends

Source: PwC


• It offers a holistic and forward-looking approach to managing risk (risks used to calculate SCR and other risks –
  reputational risk, strategic risk, macroeconomic risk, political risk, etc. – to which the company is exposed over its
  strategic planning period, traditionally three to five years) across the full scope of the Group (all European
  entities and those outside the EC under the Group’s supervision).

• It allows all organisations to show that they can raise the capital necessary to cover solvency requirements for the
  strategic planning period (as opposed to the one-year horizon used to calculate SCR).

• The risk assessment in the ORSA process represents the company’s ‘own’ view of its risks. It takes the risk modules
  identified in the SCR calculation as its starting point, the differences being the number of risks identified and how
  they are measured, i.e., the confidence interval to which the formula is calibrated. Furthermore, the company may use
  either a standard formula approach or an internal model to assess its risk exposure. The methodology must be
  proportionate to the complexity of the company’s activities and the types of risks involved.

“The main issue is knowing how to implement the key functions and a governance system that are compliant with the
Solvency Directive and compatible with joint-management structures. The Directive draws mainly on concepts applicable
to corporations and joint management entities as opposed to mutuals, which are based more on the principles of
solidarity, compensation and retrocession.”
Albert Cohen, Risk and Solvency officer, Réunica


1.4 COSO II – ERM

Background

The COSO framework on internal control was set out in 1992 and today is an international benchmark used by companies
that want their internal control system to be up to standard. Since 2002 it has been the framework used by international
companies to assess their compliance with the Sarbanes-Oxley Act, which requires management to assess and report on
internal control every year (Section 404/SEC Proposals – October 2002 – and ASB – March 2003), affirming “the
responsibility of management for establishing and maintaining an adequate internal control structure and procedures for
financial reporting”.

This framework is closely linked to the uncertainty and concerns raised by the corporate scandals in the early 2000s
(Enron, Parmalat, Worldcom, etc.). It was originally designed to provide a standard for structuring internal control
systems. However, it has evolved as companies have realised that the strict perspective of internal control was too
limited and did not allow all possible risks to be understood and controlled. ‘COSO II – ERM’2 was introduced in 2004,
broadening an approach that aimed to manage and secure operations through control measures including:

• an overview of all types of risk potentially faced by an organisation,

• establishment of different ‘blocks’ at work in global risk management, and

• the integration of risk management results into business management.

There is a direct relation between a company’s objectives and the risk management components required to achieve them.
The famous ‘COSO cube’ is a three-dimensional matrix that illustrates the relationship between these components.




2 COSO, “Enterprise Risk Management – Integrated Framework”.




Figure 5: COSO II framework

Objective categories (columns of the cube): Strategic, Operations, Reporting, Compliance

Entity units (third dimension of the cube): Entity-level, Division, Business unit, Subsidiary

Risk management components (rows of the cube), with the element of the risk management system each one supports:
• Risk management: Internal environment; Objective setting
• Risk profile: Event identification
• Measurement system: Risk assessment
• Policies and processes: Risk response
• Risk control: Control activities
• Reporting system: Information and communication
• Decision-making: Monitoring

Source: PwC


Presentation

A company’s objectives (represented by columns) fall into four main categories: strategic, operations, reporting and
compliance. The eight risk management components are the lines, and the entity units are the third dimension. This
matrix shows how to approach risk management globally, by objectives category, component or unit or any combination
thereof.

As illustrated above, the COSO framework is the underlying structure that supports the main concepts used by all those
involved in risk management: risk strategy, risk appetite, risk profile, risk measurement, reporting on exposure, and so
on.

The main purpose of the framework is to provide a way of integrating risk information into the enterprise’s
decision-making and strategic processes. By following this advice, any enterprise can manage its performance (according
to the criteria it defines independently and specifically for its business) with respect to the amount of risk
necessary to achieve it.

ERM can now be viewed as an operational process based on COSO II, providing decision makers (managers, directors) with
reasonable assurance as to the management of risks actually taken in application of strategic objectives and within the
limits of a globally defined risk appetite. It facilitates the management of uncertainty, risks and opportunities, the
identification of events that could give rise to risks and the definition of suitable internal control solutions.




Since risk is the essence of insurance, one can immediately see the benefit of a framework that addresses the
underlying principles and covers:

• The definition of strategic objectives by the decision-making bodies.

• The identification of risks resulting from the efforts made by the company to achieve these objectives – risk may
  refer either to a threat to attaining objectives or to an opportunity to be pursued in order to achieve them.

• The implementation of an effective system for managing the exposure to these risks.

• The notification and reporting of risk exposure and failures to the relevant managers.

To integrate risk into management processes, risk management must ‘permeate’ throughout all the levels and processes of
the enterprise. The system is aligned with the enterprise’s organisational model, which breaks down into the following
components:

• The strategic dimension: How do decision-making bodies integrate risk into their processes? How do they define the
  limits of risk acceptability (i.e., what is authorised to achieve objectives, what is avoided or proscribed)?

• The organisational dimension: What functions are involved in risk management? What processes are used? How are these
  analyses related to solvency levels for insurance companies?

• The operational dimension: How does the undertaking implement risk measurement tools and resources so as to benefit
  from them fully? What are the reporting channels?




Conclusion




             COSO II – ERM, designed as a standard and operational framework, provides
             the main elements and overall approach for a risk management process.
             Solvency II adds two specific organisational and business requirements. Insurers
             must specify the functions involved in their risk management and integrate risk
             and solvency assessment into their five-year business planning models using
             ORSA.

             The great challenge of Pillar 2 lies in assessing how to interpret, adapt and
             implement these frameworks within an organisation. In order to be successful,
             they must be fine-tuned, correctly calibrated and adapted to the specific
             characteristics of your business, the complexity of your organisational structure
             and your ‘risk culture’.




2. Operational implementation




Introduction

Not all companies place the same importance on risk management. Their choices naturally differ given the heavy
investment required to set up an overall risk management process compliant with the principles and obligations of
Solvency II. These choices are difficult to make and objectify, involve top management and must be made in the context
of the business’ overall strategy.

Our goal here is not to provide a ‘magic formula’ that solves the challenges you face in implementing your Solvency II
projects. Instead, we list the key factors that will determine your choice of structure, aligned with the three key
dimensions of the compliance programme. They are:

• Calibrating/fine-tuning the overall structure of the risk management process.

• Implementing the risk management process.

• Overseeing the key cross-business projects.




2.1 Defining the risk management system

The integration of a risk management framework into a company that has a long history of processes, expertise, habits,
styles and decision-making bodies is a complex task. Given the extent of the changes and the length of time some
established practices have been in place, implementing a risk management process requires complete involvement from all
players concerned (first and foremost senior management) throughout the process.

If the main ‘new’ concept consists of the development or implementation of a risk management function, Solvency II
projects now go as far as defining organisational structures for the entire risk management process, encompassing all
of the functions, processes and bodies involved in risk management.

Our experience has shown us that to do so, five main questions must be answered:



Figure 6: Risk management process

1  What are the organisational building blocks in the system?
   • What organisational building blocks fall within the scope of the risk management function: Risk management?
     Actuarial function? Compliance? IT system security?

2  What should be the scope of the risk management system?
   • What functions have a key role in risk management?
   • What are their responsibilities (control, monitoring, reporting, etc.)?

3  How are the different functions coordinated?
   • How are prerogatives coordinated between central and local risk functions, particularly at foreign sites?
   • What delegation rules should be put in place?

4  How centralised should the risk management system be?
   • Exactly how should responsibilities be broken down between the risk management function and business functions
     in respect of key risks (ALM, investment, technical issues, etc.)?

5  How should the added value of ERM be measured?
   • What fundamental indicators govern the risk/return trade-off (ROE, SCR, MCEV, etc.)? What criteria concretely
     reflect risk appetite?

Source: PwC


The answers to these questions are determined by complex constraints, which may be regulatory (Solvency II), external
(ratings, etc.) or internal (goals, organisation, etc.).



2.1.1. The ‘organisational building blocks’ of the system

It is essential to recognise and define the scope of functions involved in risk management. In fact, it is not simply a
specialist area; its management involves every level of the company. At each level the system must integrate the
different elements: operational risk-taking, coordination of risk-taking and supervision of risk-taking.

The ‘three lines of defence’ model provides a useful framework within which these various functions and elements can
work together.

• Front Office business staff have primary responsibility for the risks they take, and the risk management practices
  and processes in place at this level constitute the ‘first line of defence’.

• The ‘second line of defence’ is held by specialised risk management functions. Their role is to design, coordinate
  and manage a consistent framework for taking risks, but without being directly exposed to business risk. This covers
  the key functions of risk management as defined by Pillar 2 (risk management, internal control and compliance).

• The regular, independent, risk-based audits performed by the internal audit function provide reasonable assurance as
  to the pertinence and correct operation of the system. This is the ‘third line of defence’.

Building on this framework, companies generally define the main principles for coordinating the different strata
involved in taking risks, as illustrated overleaf. The organisational diagram most often defines responsibilities at
each step in the risk management process. These principles then serve as a basis for assigning specific risk management
roles and responsibilities in accordance with the risk profile.




Figure 7: Three lines of defence

First line of defence: ‘Operational’ functions and ‘Specialist’ functions
Second line of defence: ‘Risk’ functions (coordinator role/operational role)
Third line of defence: ‘Assurance’ function

Scope
- Operational functions: all functions (IT, HR, Finance, Production, etc.)
- Specialist functions: Actuarial/Technical Dep., ALM/Investment Dep., other (underwriting, etc.)
- Risk functions: risk management; internal control, compliance, etc.
- Assurance function: internal audit

Principles and standards
- Operational functions: N/A
- Specialist functions: proposes
- Risk functions: reviews and approves/proposes

Implementation
- Operational functions: applies
- Specialist functions: proposes/applies
- Risk functions: coordinates/applies

Controls
- Operational functions: applies/proposes
- Specialist functions: applies/proposes
- Risk functions: supervises, consolidates, analyses

Reporting
- Operational functions: produces
- Specialist functions: produces/analyses
- Risk functions: consolidates, analyses, manages

Action plans
- Operational functions: applies
- Specialist functions: proposes/applies
- Risk functions: approves and manages/applies

Assurance function (internal audit), across all of the rows above: carries out independent, empirical reviews on the
appropriateness of systems and their correct application.

Source: PwC




Two challenges often arise when implementing these principles:

• The risk management function may have different responsibilities depending on the type of risk. Acting as a coordinator, it may take on direct responsibility in certain areas such as operational risk. These details are outlined in the analysis of the risk function’s position (see below).

• Internal audit has a special role in the system that is often difficult to position. The provisions of the Solvency II Directive place great emphasis on the independent nature of this function. Its resources must be free of any other operational responsibility. According to the Institute of Internal Auditors, the purpose of internal control is to independently provide management with reasonable assurance as to the pertinence, quality and appropriate application of the risk management system. It is easy to understand why this function must be independent in order to establish its own approach (based on its perception of risk) and express opinions free of any outside influence.




24 PwC Pillar 2, operational issues of risk management
2.1.2. Scope of the risk management system

Solvency II places the risk function at the core of the risk management system. Regulations define responsibilities and a scope of minimum risks on which the function is based. If a company uses an internal model, the function is in charge of designing, testing, implementing and monitoring the performance of the model, either in part or in totality. Most companies naturally launch Pillar 2 projects by putting in place or reviewing the positioning of the risk function. It is in charge of overseeing all risk management processes (see above), even if it does not directly carry out the operations, analyses and calculations required in this process.

The reference for defining the risk profile
When a risk function is set up, its first task is to identify the risks to which the company is exposed. Although each company faces its own specific set of risks, defining a risk profile follows a few best practices.

The first involves the scope of risks, which must be identified in the risk profile:

• It must cover at least the basic risk modules used to calculate capital requirements, whether determined based on a standard formula or an internal model, namely underwriting, market, interest rate, operational, etc.

• It is not, however, limited to just these risks, as they are too limited to give a true picture of the actual risk profile. The risk function must identify other risks that are specific to the company, taking account of all its subsidiaries and businesses (not necessarily insurance alone) as well as specific risks related to the company’s structure.

The risk function must also bear in mind that this risk profile is not merely an inventory of all the potential or actual risks:

• Based on its analyses and the points of view covered, it prioritises the risks that must be monitored. Its added value lies in its ability to provide a ‘shortlist’ of risks that justify investing in measurement, monitoring and permanent supervision, based on the company’s business objectives.

• As such, this management tool is developed by combining the ‘risk philosophy/vision’ of operational staff (a bottom-up approach to risk management based on the comprehensive identification of risks) with that of management (a top-down approach whereby investment in risk management is justified and prioritised).




Finally, the risk function ensures that an operational risk management system is in place and that it covers all the risk profile components. Each risk must be assigned to a risk ‘owner’ who is the ‘subject matter specialist’ available in the company: i.e. the actuarial department for underwriting, certain counterparty and reinsurance risks, asset management for market and credit risks, and so on. Assigning a risk owner is the first step in implementing an operational risk management system. The components in the risk management process are set out below in section 2.2.

The evolving risk function under Solvency II
Above and beyond the purely technical aspects, companies have enhanced the risk function’s ‘right of inspection’ in operational decisions. This notion fully covers the risk department’s prerogatives in terms of processes, policies and risk-taking for which it is not the leading expert. In reality, the risk function’s involvement is in line with the strategic priority associated with the risk:

• A company may take a conservative approach to risk, its priority being not to compromise the protection offered to policyholders and to ensure performance. In this case, the risk function would take on an advisory role, assisting operational managers in their processes and associated risks. It has little (or no) latitude to block decision-making processes.

• A company may decide to base its value creation on managing the risks it takes and the impact of these risks on its strategic variables: market consistent embedded value (MCEV), market capitalisation, economic capital, etc. In this case, the risk function takes on an essential role in operational decisions. It is a full stakeholder in these processes, is consulted for all important decisions and issues a formal opinion. It may have the power to block decisions (which in turn requires an arbitration process). These companies almost systematically use an internal model that is integrated into their strategic and operational decision-making processes.

Companies gradually advance along the ERM maturity curve between these two ends of the spectrum. As the ERM process develops, the positioning of the risk function evolves:

• The position of the risk function tends to rise within the company’s hierarchy. Nowadays it is increasingly attached to upper management, indicating an understanding by them of the importance of ERM in insurance companies.

• The role of the CRO is evolving. Often seen initially as a conservative and technical profession, it will gradually develop into that of a business adviser who works with decision makers. With a unique understanding of the risks taken by the company and how they interact, a CRO can offer advice on how to create value.

• The resources required to take on these functions have grown sharply. Risk departments were initially set up to meet successive regulatory requirements (anti-money laundering, anti-fraud and so on) but have since developed into more refined structures, most often broken down by types of risk (operational, technical, economic capital, etc.). These resources are more numerous, more highly qualified and more specialised.




“Implementing Solvency II, and particularly Pillar 2, will require greater coordination between all participants in risk management. The process will draw on existing management rules, which themselves will need to be strengthened. The resulting discipline will create growth opportunities and strengthen relations with customers, while guaranteeing all stakeholders (employees, shareholders, customers, etc.) improved control of risk and its impacts on business structure.”

Ronan DAVIT, Head of Risk, Euler Hermes Group




2.1.3. Coordinating different functions involved in risk management

Once the basic components of the system have been identified and calibrated, the challenge for the risk function is to promote the implementation of an efficient risk system underpinned by clear, shared decision-making processes. To do so, the risk function has two main levers.

The definition of the roles and responsibilities for the principal risks
To do so, the risk function moves on from establishing the risk profile to coordinating the roles and responsibilities for each of the risks included in the profile. The main challenge lies in the diversity and heterogeneous make-up of the risk functions and risk owners. Risk departments must first harmonise the various risk management solutions proposed.

While the three lines of defence model outlined above provides a general framework in this regard, this harmonisation process must be specifically adapted to each risk in the profile. It is therefore necessary to:

• Map the appropriate functions to handle this risk: businesses, support, management or governance, etc.

• Pinpoint the best subject matter expert within the company to manage this risk (generally the risk owner identified in the system implementation phases upstream).

• Clearly define the roles and responsibilities of each player involved in the process. Close attention should be paid to the support functions’ power to block processes (typically the risk function) as opposed to the relevant operational functions. The notion of ‘right of inspection’ for operational decisions should be specifically defined. This right in turn requires the establishment of a clear arbitration process in case of a conflict between the risk department and the business line concerned.




The matrix below is an example of the types of roles and responsibilities involved, offering a simple method for establishing a clear distribution of roles.

Figure 8: Investment management roles and responsibilities matrix

| Role | Investment management |
|---|---|
| Responsible (ultimate responsibility) | Board of Directors (through the risk committee): takes responsibility for global supervision. General Management: approves and monitors investment policy |
| Implementer (oversees operational implementation) | Investment Department: submits strategic allocation plan for validation, defines tactical allocation specifics, monitors implementation |
| Consulted (opinion requested systematically, published and taken into account in the decision) | Risk Department: issues an opinion on the Group’s and the entity’s total exposure to market risks and overall solvency level. If it issues an unfavourable opinion, the case is submitted to the executive committee for arbitration |
| Informed (regularly informed of new management decisions) | Cash Department (Financial Department): informed of all changes in investment policy, receives a copy of all investment flows |

Source: PwC


The implementation of a decision-making architecture
Even the best-designed risk management system will only be efficient and effective if an operational decision-making architecture has been codified. It must ensure first that all useful information is reported to the appropriate committees and other decision makers in a timely manner. Second, it must ensure that these bodies review the issues at hand and make the necessary decisions. The company is then in a position to continuously manage its risk exposure and react promptly to any unexpected deviation in its risk profile.

The structure of the decision-making process is specific to the culture of each company and is in line with its position on the ERM maturity curve. However, the review or implementation of the decision-making architecture follows several key steps:

• Define the key organisational levels in risk decisions, which often correspond to the company’s main decision-making levels (executive committee, key functions in risk-taking, operational staff, etc.). They are defined in line with the roles and responsibilities identified for each type of risk in the risk profile.

• Prioritise the types of risk that require formal supervision on a regular basis. The company must formally define the responsibilities required at each organisational level in line with these priorities (global supervision, definition of practices, monitoring and reporting, etc.).

• Design ad hoc decision-making bodies at each level: type of committee, members, voting rights, assignment of roles, meeting frequency.




As such, the structure of the company’s system of committees can be consistent throughout, as illustrated in the example below:

Figure 9: Committee matrix

| | Market | Credit | Underwriting | Operations |
|---|---|---|---|---|
| Executive Committee | Risk Committee | Risk Committee | Risk Committee | Risk Committee |
| Risk takers | Investment Committee | Investment Committee | Underwriting Committee | Internal Control Committee |
| Reporting & mitigation | ALM Committee | ALM Committee | Reporting | Reporting |

Source: PwC


The close relationship between risk management and risk control
One of the main lessons learnt from the financial crisis (notably the Kerviel case) is that efficient risk management requires coherent and consistent operational coordination between:

• the definition of major risk policies and processes (primarily by the risk department), and

• the appropriate application of these policies and processes by the relevant entities (operational functions, internal control, etc.).

Historically, most insurance companies have developed internal control approaches that are often granular and always complex. These approaches aimed to identify and to manage the risks specific to certain processes or operational areas, namely: reliability of financial reporting processes (SOX projects), security of information systems, anti-fraud or anti-money laundering processes, etc.

This work has led companies to focus specifically on operational risk management. The primary role of internal control (or permanent control) is to ensure the appropriate management of the company’s processes and operations and the reliability of financial and non-financial information produced by the company. At the time of writing, work has begun in this area but has seen little or no application among insurance companies: operational risk is difficult to understand, differs completely for each company and is not specifically defined in Solvency II. Furthermore, SCR calibrations for operational risk produce negligible capital requirements, further inciting companies not to invest in a complex system to manage this risk.




Some market players are currently implementing specific procedures for operational risk analysis and risk-control coordination. The main ones include:

• Gradual merging of risk and control functions under the responsibility of a single function (most commonly the CRO). This ensures greater consistency between initiatives that were sometimes fragmented in the past. The primary focus is often on compliance, raising the question of whether operational risk is best managed by legal professionals (regulatory watch) or internal control (integration of legal provisions into operational processes). The trend clearly seems to be to: (i) appoint a compliance officer to take charge of defining the company’s main compliance issues and coordinate the application of the relevant legal provisions while (ii) maintaining the legal department’s responsibility for legal monitoring, setting up a body that meets regularly between the two departments. Broadly speaking, companies tend to put their risk management function in charge of supervising both the effectiveness of their ERM framework and the appropriate application of its provisions.

• Definition of the operational risk system. First of all, operational risk must be defined. This analysis generally reveals that operational risk covers any factor that could compromise the achievement of the objectives of operational processes (see the list of risks defined by Basel II) or the appropriate application of risk policies as defined by the company. Some companies have taken this a step further: given the sheer volume of operational risks, they have prioritised the critical areas of exposure and focused their efforts to deploy management systems in these areas.

• Modelling of operational risk. Some companies have implemented data collection systems for operational losses. These systems are used to assess the company’s real exposure to operational losses, set up a more coherent management system or even to save on capital requirements. To be effective, however, the system’s parameters must be determined (e.g., by clearly defining an operational loss and the minimum loss amount for data collection) and cover an adequate historical period. Results are deemed significant after three to five years of collection.




2.1.4. The extent of centralisation of the Risk function

Insurance groups are faced with a major operational difficulty: the operational scope of the risk function. How do they integrate such diverse entities and businesses that are not necessarily related to insurance (asset management for complementary pension or social security plans, healthcare and assistance services, strategic investments, and so on) into their analyses and processes?

Although most companies are still trying to establish an efficient way of coordinating the risk system across their different entities, the following best practices have emerged:

• Aligning the risk management process with the organisational and decision-making structure within the group that is already in place. In a highly decentralised group, the different entities or subsidiaries often have a local risk function that reports to their general management but falls under the responsibility of the group’s risk department. In a more centralised group, the group risk department oversees legal entities. It may apply the principle of subsidiarity that determines the entities’ leeway, and in this case a ‘risk representative’ is appointed. In either configuration, the risk function is a network-based structure.

• Groups, when dealing with all of their insurance entities, tend to require consistent reporting principles and structures that are defined and supervised locally. This applies especially to international groups with foreign subsidiaries or entities in countries not subject to Solvency II. Most often they opt for double reporting, with one set of reports prepared based on local prudential standards while another is submitted to the group in ‘Solvency II format’.




There are often overlapping principles on the structure of the risk management process, as illustrated in the diagram below.

Figure 10: PwC Risk function benchmark

Left panel: Principal responsibilities of the CRO (bar chart, horizontal axis 0% to 80%). Responsibilities listed: ERM, ALM, Actuarial, Reinsurance, Permanent control, Economic capital, Internal capital model, Risk management model, Capital management, Market risk exposure, Internal control, Accounting, Solvency 2, Management control.

Right panel: Possible organisation chart of risk function. CEO (67%) → CRO → ERM (75%), ALM (67%), Corporate actuarial (33%), Permanent control (17%), Economic capital (17%), Reinsurance (17%).

Based on the benchmark study conducted with 30 of the most important companies in the insurance industry (insurance companies, mutual insurers and pension funds)

Source: PwC

That being said, there is no standard structure that is widely shared, especially with regard to the extension of the risk function to non-insurance subsidiaries.

In some cases, the problem has more to do with difficulty in adhering to the principles of independence in relation to the operational function. Many companies have also tried to ‘force’ their risk function beyond the strict minimum regulatory requirements. In fact, this function is supposed to become more centralised, but not all of the issues at stake are necessarily evident in the beginning. Therefore, these companies have added the more ‘traditional’ functions to the risk function, giving it more substance and importance.

The solutions seen are most often based on the principle of subsidiarity: the subsidiary has considerable autonomy in managing its risks, and the group only covers the few types of maximum losses that can be generated by the subsidiary (notion of ‘subsidiary risk’).

32 PwC Pillar 2, operational issues of risk management
Pillar 2: operational issues of risk management

Pillar 2: operational issues of risk management

  • 1. w w w.pwc.com/solvenc yII www.pwc.com/solvencyII o Pillar Pillar 2 Operational issues of Operational issues risk management risk management a 2011 was crucial 2011 wa s a crucial milestone for in surance milestone for insurance companies the path to m companies on the path to Solvenc y II compliance. Solvency II compliance. March 2012 March 2012
  • 2. Contents Overview 4 1. Theoretical approach 6 1.1 General provisions of Pillar 2 8 1.2 What does the Directive say? 9 1.3 What do the implementing measures say? 12 1.4 COSO II - ERM 16 2. Operational implementation 20 2.1 Defining the risk management system 22 2.2 Implementing the risk management process 34 2.3 Managing cross-business projects 45 Overall conclusions 58 Contacts 59 This PwC White Paper focuses exclusively on the challenges of implementing the new Solvency II requirements. It provides the insurance industry with a single concrete methodology and framework, complete with milestones, for adapting the principles of Pillar 2 to their organisations. 2 PwC Pillar 2, operational issues of risk management
  • 3. Foreword This White Paper is being issued at a crucial point in the Solvency II regulatory calendar. The challenge of ensuring compliance with Pillar 2 – the cornerstone of solvency risk prevention – is becoming clearer. The initial work on Level 2 measures concerning the system of risk governance is in its final stages. The measures for Level 3 began in 2011 and accelerated towards the end of the year, despite the fact that from January 2011 the Omnibus 2 Directive allowed for transitory measures as well as a grace period under certain conditions and for certain points. In this uncertain, but already well advanced, regulatory context, the priorities of the insurance industry are concentrated around Pillar 2, which involves the operational application of a risk strategy which is compliant with the Directive’s principles and obligations. These new obligations go to the heart of business and organisational management. They also represent an opportunity for companies to optimise their operational performance. In this respect, the documented procedures of Own Risk and Solvency Assessment (ORSA) offer a path to groundbreaking management of solvency over a strategic horizon of three to five years. PwC assists insurance companies in their projects and has worked side by side with them on risk management issues, including drafting the COSO 2-ERM standard. This White Paper is aimed at extending our contribution to compliance with Solvency II. Paul Clarke Jimmy Zou Global Solvency II leader Solvency II leader (France) PwC Pillar 2, operational issues of risk management 3
  • 4. Overview On the long journey towards compliance with the new Solvency II regulations, insurers (insurance and reinsurance companies, mutual insurers and insurance cooperatives) are at a crossroads: having thus far focused on the quantitative aspects of the Directive, referred to as Pillar 1, they are now turning towards the more complex qualitative obligations of Pillar 2. 4 PwC Pillar 2, operational issues of risk management
  • 5. “Through its cross-disciplinary approach, this White Paper clearly presents the key points of risk management and provides illustrations of potential situations. This document reassures us on our approach and gives fresh insight into certain operational strategies for Pillar 2 projects.” Christophe Raballan, Head of Risk Management and Internal Control, MAIF In 2010, insurance companies concentrated on assessing This paper is designed as a toolbox for those involved in their ability to build accurate risk models, based on the new the organisational aspects of Solvency II compliance. framework, and to measure the impact of these requirements Following a brief overview of the regulatory requirements on the amount of capital required for the 1 January 2013 and the ERM framework, we break down the operational implementation. Companies have also recently finalised the issues involved in Solvency II compliance projects (risk QIS 5 exercises, which provided the opportunity to conduct management function, organisation and governance of the a first dry run to test calculation methods and processes. overall risk management processes, scoping of ‘cross- During this phase, the final adjustments necessary to business’ projects such as data quality and ORSA). We also implement a process for drawing up economic assessments highlight the fundamental questions and, based on concrete and calculating solvency capital requirements (SCR) examples, sketch out the main operational approaches to were made. answering them. In early 2011, the work concentrated on Pillar 2 of Solvency II, As such, this paper is mainly directed at operational which required companies to challenge their own risk Solvency II compliance project coordinators, project culture, define – or redefine as needed – risk governance and managers and heads of risk. 
It should also provide useful strategy and consider the operational implementation of the information for the managers and directors of insurance risk management function. As the keystone of the Directive is companies. Currently many insurers face difficult choices in based on risk control, Pillar 2 compliance therefore raises finding the right balance between compliance requirements many questions for insurance companies. These tough (which can seem excessive) and adapting them to their questions often strike at the heart of business management company’s internal environment (a strict compliance or processes. ‘best-in-class’ approach to risk management?). We hope that you will find the guidelines developed below useful in your Questions you might ask yourself include: What exactly do compliance work. Solvency II regulations require? How should, or how can, these provisions be applied to my company? What constraints and determining factors are used to configure an operational risk management system as accurately as possible? What are the specific sub-projects that fall under Pillar 2 requirements in my overall compliance project? The main difficulty shared by all of our clients, which we address in this White Paper, is how to interpret and apply the regulations properly to individual companies in order to create a risk management process that meets the requirements in an appropriate and efficient manner. PwC Pillar 2, operational issues of risk management 5
  • 6. 1. Theoretical approach 6 PwC Pillar 2, operational issues of risk management
  • 7. Introduction Under Solvency II, all companies must demonstrate that they have implemented an adequate and efficient risk management system. The two main vehicles used are: • The regulatory framework of Pillar 2 is the principal vehicle. Its provisions, outlined in a small number of articles in the Directive, cover regulatory requirements relating to the operational structure of risk management. These articles are further developed in implementing measures, some of which are currently under discussion. • The technical framework, COSO 21 ‘Enterprise Risk Management’ or ERM, which is most often used to understand what effective risk management criteria are. Rating agencies have now included ERM performance as an evaluation criterion in and of itself. In this report, we have provided a summary of the main provisions and concepts listed in these frameworks. 1 COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, a non-profit commission which in 1992 established a standard definition for internal control and created a framework to evaluate its efficiency. PwC Pillar 2, operational issues of risk management 7
  • 8. 1.1 General provisions of Pillar 2 Pillar 2 covers all of the required risk management principles and practices relating to the risk and capital estimates covered by Pillar 1. The main provisions fall into the following four major categories: Figure 1: The principal provisions of Pillar 2 Risk governance New supervision process Internal model (Art. 41 to 49) (Art. 27 to 39) (Art. 120 to 126) • General governance requirements • A new supervisory review • Requirement to show that the (segregating responsibilities, process based on permanent internal model is used effectively managing conflicts of interest, etc.) dialogue with the regulator in monitoring (operational risk and in which the company management, capital allocation) • Principle of proportionality of bears the ‘burden of proof’ the risk system in relation to the • A concrete assessment based complexity of the risk profile • The option of the regulator on nine principles (adoption to sanction any quantitative by management, accurate • Definition of key functions or qualitative divergence reflection of risk profile, etc.) in risk management and the from expected standards scope of the risk system through ‘capital add-ons’ • Internal validation process for the model... • Fit and proper requirements for the main risk management roles • … and model sensitivity and stability tests. • Good conduct principles in terms of remuneration Own risk and solvency assessment (ORSA) (Art. 45) • A set of processes and procedures used to identify, assess, monitor, control and report internal and external long-term and short-term risks that an insurer faces or could face. These risks are used to determine the company’s capital requirement to ensure its solvency at all times. 
• The ORSA covers the regulatory requirements of Pillars 1, 2 and 3 Source: PwC The main difficulty in getting to grips and adapted to apply to the internal risks covered in articles 41 to 49, and with Pillar 2 is that the articles and environment of your organisation. the Level 2 and 3 measures currently implementing measures define the being defined and discussed between underlying principles but offer no In light of this, we focus on the European Insurance and Occupational standards as to its practical application. organisational aspect of Pillar 2, Pensions Authority (EIOPA) and the These principles must be interpreted namely the governance issues for the European Commission. 8 PwC Pillar 2, operational issues of risk management
1.2 What does the Directive say?

The European Solvency II Directive establishes the ground rules for good governance as a complete system composed of functions and rules used by regulators and models for appropriate decision-making procedures. The system for risk governance (defined in Article 41) features seven main components, each with set expectation levels. These components are detailed in an article focused on the Directive, as illustrated below.

Figure 2: Risk governance
GOVERNANCE (Art. 41): Fit and proper requirements (Art. 42 + 43); Risk management (Art. 44); ORSA (Art. 45); Internal control (Art. 46); Internal audit (Art. 47); Actuarial function (Art. 48); Outsourcing (Art. 49)
Source: PwC

Art. 41 – General governance requirements
Article 41 introduces the main themes developed in Articles 42 to 49, but above all emphasises that, “insurance and reinsurance undertakings [shall] have in place an effective system of governance which provides for sound and prudent management of the business.”

Art. 42+43 – Fit and proper requirements
Article 42 stipulates that “all persons who effectively run the undertaking or have other key functions [shall] at all times fulfil the following requirements: their professional qualifications, knowledge and experience are adequate to enable sound and prudent management (fit); and they are of good repute and integrity (proper).”

This information must be reported to the supervisory authorities in the event of any changes and must be documented.

Art. 44 – Risk management system
Article 44 states that “insurance and reinsurance undertakings shall have in place an effective risk-management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the risks, at an individual and at an aggregated level, to which they are or could be exposed, and their interdependencies.

That risk-management system shall be effective and well integrated into the organisational structure and in the decision-making processes of the insurance or reinsurance undertaking with proper consideration of the persons who effectively run the undertaking or have other key functions.”
Article 44 describes limits in the scope covered by risk management (underwriting, asset-liability management, investment, operational risk management, liquidity and concentration risk management, reinsurance and, in part, the internal model). It stipulates that these risk management policies must be documented.

To recap, the Directive:

• presents the risk management function (hereinafter referred to as the ‘risk Function’) as an efficient, mandatory function integrated into the organisation

• limits the scope of risks covered – notably risks used to calculate SCR, but not necessarily limited to just these risks

• describes the specific responsibilities of this function, acting as the overall ‘conductor’ for the system and ‘pilot’ for the internal model, if applicable.
Art. 45 – Own risk and solvency assessment (ORSA)
Article 45 states that as part of its risk management system, every insurance and reinsurance undertaking shall regularly “conduct its own [proportionate and documented] risk and solvency assessment” to determine the Solvency Capital Requirement measure and calibration.

ORSA essentially covers three major points:

• as applied, ORSA shows whether or not the risk management processes developed by the organisation are appropriate

• it is integrated into business strategy and is taken into account in the organisation’s strategic decisions. Its analyses and reports are taken into account by decision makers

• the assessment can be performed following any significant change in the risk profile of the organisation.

Art. 46 – Internal control
Article 46 states that “Insurance and reinsurance undertakings shall have in place an effective internal control system [including at least] administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.”

Art. 47 – Internal audit
Article 47 stipulates that “the internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance… [and] shall be objective and independent from the operational functions.”

Art. 48 – Actuarial function
Article 48 describes the actuarial function as an assessment function that aims to “coordinate the calculation of technical provisions; ensure the appropriateness of the methodologies and underlying models used as well as the assumptions made in the calculation of technical provisions; assess the sufficiency and quality of the data used in the calculation of technical provisions; compare best estimates against experience; inform the administrative, management or supervisory body of the reliability and adequacy of the calculation of technical provisions; oversee the calculation of technical provisions..., express an opinion on the overall underwriting policy; express an opinion on the adequacy of reinsurance arrangements; and contribute to the effective implementation of the risk management system...”

Art. 49 – Outsourcing
Finally, Article 49 informs us that “insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations... [when outsourcing] functions or any insurance or reinsurance activities”. The outsourcing of activities must not impact the governance system, risk business, operational risk or the ability of the supervisory authorities to monitor compliance.

Moreover, undertakings shall notify the supervisory authorities prior to the outsourcing of “critical or important” functions or activities.
1.3 What do the implementing measures say?

The Solvency II provisions concerning the organisation and risk governance system are based solely on the guiding principles. The regulators want each organisation to be responsible for determining its own organisational structure, and have therefore defined only key functions and very general requirements. To help interpret Articles 41 to 49, the regulators have, nonetheless, given some specifics.

These specifications on the risk management system are provided in the Level 2 measures in the document “Advice for Level 2 Implementing Measures on Solvency II: System of Governance” (from Consultation Paper 33), published in October 2009. Level 3 measures, currently in preliminary discussions, are based on the same architecture and are expected to clarify certain points, depending on the level of the regulators’ requirements.

Essentially, under these requirements all companies which are subject to Solvency II must demonstrate that, in line with these principles, they have an operational system for managing and overseeing their risks which guarantees:

• a true understanding of the risks to which the company is exposed (risk profile) and a reasonable assessment of its exposure at any given time

• a real operational risk management mechanism, i.e., key components are in place, and each component can do what it is supposed to do

• reporting of required information and the ability of the regulatory authorities to make the necessary decisions.
Figure 3: A summary of the provisions

System of governance (SG 1, SG 2, SG 11, SG 13)
• A clear, robust and well-documented system to encourage efficient organisation
• Conflicts of interest, ‘four-eyes principle’, documented fit and proper requirements for all key functions

Risk management (SG 3, SG 4, SG 7) (see focus)
• Clearly documented processes, procedures and policies
• A minimal scope of the ‘risk areas’ to be covered: underwriting, reserving, ALM, investments, liquidity and concentration, operational risk, reinsurance and other risk-mitigation techniques
• Responsibilities: (i) ERM architect and coordinator, (ii) producing the aggregated risk profile, (iii) reporting on risk exposures and (iv) identifying and assessing emerging risks

Compliance function – internal control (SG 5 and SG 8)
• Reference to COSO framework (control environment, control activities, communication, etc.)
• Responsibilities: (i) compliance of operations, (ii) management of operational activities and (iii) reliability of financial information

Internal audit (SG 9)
• An independent, impartial and stand-alone unit with expertise in all businesses and processes fully within its scope
• Requirement to issue an annual report based on an audit plan with a risk-based approach

Actuarial function (SG 10)
• Responsibilities: coordinating the calculation of technical provisions, assessing the appropriateness of data methods and quality, back-testing best estimates and providing management with formal opinions on the reliability of models (formal report)

Outsourcing (SG 12)
• Obligation to ensure that outsourcing does not negatively impact service quality or global operational risk exposure
• Formalised, comprehensive processes and policies covering all areas of an outsourcing project (selection, contract, monitoring, etc.)

Source: PwC

These provisions clearly form a minimal regulatory base. The principles are very broad: each organisation must specifically adapt them to its size, its expertise and the complexity of its risk profile. This is what is referred to in the legislation as the ‘proportionality principle’. However, the scope of this principle and the level of the ‘leeway’ allowed for different organisations currently remain unclear.
Focus on Level 2 measures

In the Level 2 text, Article SG3 gives EIOPA’s opinion on risk management efficiency and provides the following advice:

a) Risk management strategy must be clearly defined and well documented. This strategy must set risk management objectives and key risk management principles, define the organisation’s risk appetite and finally describe the roles and responsibilities of the risk management function across the company and in accordance with its business strategy.

b) Risk management policies must be put in writing and adapted. They include naming and defining the risks to which the organisation is exposed, classifying them by type and limits of acceptability. The risk management system must apply strategy, facilitate implementation of control mechanisms and take into account the nature, scope and time horizon of the business and the associated risks.

c) Risk management processes must be appropriate and procedures adapted in order to identify, assess, manage, monitor and report risks.

d) Risk reporting procedures must be appropriate as must the feedback loops that ensure reporting. These procedures are coordinated and challenged by the risk management function and are actively controlled and managed by all relevant staff.

e) Reporting documents submitted to the above-mentioned bodies by the risk management function refer to the risks (potential or actual) associated with the business of the company and the operational efficiency of the risk management system.

f) Lastly, ORSA must be adapted to the company’s activities.

Special case of ORSA

ORSA is a hot topic that was covered in the Level 3 measures that were addressed by EIOPA in the second half of 2011 as well as during a conference on Pillar 2, governance and ORSA held by the Autorité de Contrôle Prudentiel (Prudential Control Authority or ACP) during the second quarter of 2011.

Despite the importance of this process, Article 45 was not described in any text relating to Level 2 measures. CEIOPS published an Issues Paper entitled “Own Risk and Solvency Assessment (ORSA)” dated 27 May 2008.

As presented to date, ORSA is a process designed to ensure that the company is able to calculate and manage its risks and that its capital needs are met. However, certain characteristics should be highlighted (see chart below):

• ORSA is the responsibility of senior management, in charge of overseeing the process and its results with respect to the regulator.

• It is a documented risk management process that must be submitted to the supervisory authority at regular intervals (at least once a year) and following any significant change in the insurer’s risk profile.

• It is an integral part of the day-to-day management of the company (commercial policy, investment strategy, capital management, acquisition strategy …).
Figure 4: Risk management system
Business strategy: Strategic objectives; Risk strategy; Business decisions; Capital strategy; Strategic allocation; Reinsurance and other hedging; Forecast timeline; Valuation of strategic scenarios; Use of capital and financial resources
Risk analysis and assessment: Risk identification; Qualitative analyses; Control assessment; Prioritisation and classification of risks; Risk profile; Risk management policies; Risk governance
Solvency management and measurement: Economic assessment; Best estimates; Risk parameters and assumptions; Analysis and documentation of these assessments; Stress test and scenario; Fungibility of capital; Capital assessments (internal, S2, etc.); Reconciliation of estimates of capital; Disclosure (Pillar 3)
Decision-making process: Regular monitoring of risk profile; Solvency management and monitoring; Risk appetite and tolerance; Frequency of assessments; Support for strategic decisions
External environment: Business environment; Emerging risks; Long-term risks; Macroeconomic environment; Regulatory framework (S2); Changes in legal environment; Social trends
Source: PwC

• It offers a holistic and forward-looking approach to managing risk (risks used to calculate SCR and other risks – reputational risk, strategic risk, macroeconomic risk, political risk, etc. – to which the company is exposed over its strategic planning period, traditionally three to five years) across the full scope of the Group (all European entities and those outside the EC under the Group’s supervision).

• It allows all organisations to show that they can raise the capital necessary to cover solvency requirements for the strategic planning period (as opposed to the one-year horizon used to calculate SCR).

• The risk assessment in the ORSA process represents the company’s ‘own’ view of its risks, starting from the risk modules identified in the SCR calculation; the difference lies in the number of risks identified and in how they are measured, i.e., the confidence interval to which the formula is calibrated. Furthermore, the company may use either a standard formula approach or an internal model to assess its risk exposure. The methodology must be proportionate to the complexity of the company’s activities and the types of risks involved.

“The main issue is knowing how to implement the key functions and a governance system that are compliant with the Solvency Directive and compatible with joint-management structures. The Directive draws mainly on concepts applicable to corporations and joint management entities as opposed to mutuals, which are based more on the principles of solidarity, compensation and retrocession.”
Albert Cohen, Risk and Solvency officer, Réunica
1.4 COSO II – ERM

Background

The COSO framework on internal control was set out as early as 1991 and today is an international benchmark used by companies that want their internal control system to be up to standard. Since 2002 it has been the framework used by international companies to assess their compliance with the Sarbanes-Oxley Act, which requires management to assess and report on internal control every year (Section 404/SEC Proposals – October 2002 – and ASB – March 2003), affirming “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting”.

This framework is closely linked to the uncertainty and concerns raised by the corporate scandals in the early 2000s (Enron, Parmalat, Worldcom, etc.). It was originally designed to provide a standard for structuring internal control systems. However, it has evolved as companies have realised that the strict perspective of internal control was too limited and didn’t allow for all possible risks to be understood and controlled. ‘COSO II – ERM’2 was introduced in 2004, broadening an approach that aimed to manage and secure operations through control measures including:

• an overview of all types of risk potentially faced by an organisation,

• establishment of different ‘blocks’ at work in global risk management, and

• the integration of risk management results into business management.

There is a direct relation between a company’s objectives and the risk management components required to achieve them. The famous ‘COSO cube’ is a three-dimensional matrix that illustrates the relationship between these components.

2 COSO, “Enterprise Risk Management – Integrated Framework”.
Figure 5: COSO II framework
Objective categories (columns): Strategic; Operations; Reporting; Compliance
Components (rows): Internal environment; Objective setting; Event identification; Risk assessment; Risk response; Control activities; Information and communication; Monitoring
Entity units (third dimension): Entity-level; Division; Business unit; Subsidiary
Related risk management concepts: Risk management; Risk profile; Measurement system; Policies and processes; Risk control; Reporting system; Decision-making
Source: PwC

Presentation

The main purpose of the framework is to provide a way of integrating risk information into the enterprise’s decision-making and strategic processes. By following this advice, any enterprise can manage its performance (according to the criteria it defines independently and specifically for its business) with respect to the amount of risk necessary to achieve it.

As illustrated above, the COSO framework is the underlying structure that supports the main concepts used by all those involved in risk management: risk strategy, risk appetite, risk profile, risk measurement, reporting on exposure, and so on.

A company’s objectives (represented by columns) fall into four main categories: strategic, operations, reporting and compliance. The eight risk management components are the lines, and the entity units are the third dimension. This matrix shows how to approach risk management globally, by objectives category, component or unit or any combination thereof.

ERM can now be viewed as an operational process based on COSO II, providing decision makers (managers, directors) with reasonable assurance as to the management of risks actually taken in application of strategic objectives and within the limits of a globally defined risk appetite. It facilitates the management of uncertainty, risks and opportunities, the identification of events that could give rise to risks and the definition of suitable internal control solutions.
Since risk is the essence of insurance, one can immediately see the benefit of a framework that addresses the underlying principles and covers:

• The definition of strategic objectives by the decision-making bodies.

• The identification of risks resulting from the efforts made by the company to achieve these objectives – risk may refer either to a threat in attaining objectives or an opportunity to be pursued in order to achieve them.

• The implementation of an effective system for managing the exposure to these risks.

• The notification and reporting of risk exposure and failures to the relevant managers.

To integrate risk into management processes, risk management must ‘permeate’ throughout all the levels and processes of the enterprise. The system is aligned with the enterprise’s organisational model, which breaks down into the following components:

• The strategic dimension: How do decision-making bodies integrate risk into their processes? How do they define the limits of risk acceptability (i.e., what is authorised to achieve objectives, what is avoided or proscribed)?

• The organisational dimension: What functions are involved in risk management? What processes are used? How are these analyses related to solvency levels for insurance companies?

• The operational dimension: How does the undertaking implement risk measurement tools and resources so as to benefit from them fully? What are the reporting channels?
Conclusion

COSO II – ERM, designed as a standard and operational framework, provides the main elements and overall approach for a risk management process. Solvency II adds two specific organisational and business requirements. Insurers must specify the functions involved in their risk management and integrate risk and solvency assessment into their five-year business planning models using ORSA.

The great challenge of Pillar 2 lies in assessing how to interpret, adapt and implement these frameworks within an organisation. In order to be successful, they must be fine-tuned, correctly calibrated and adapted to the specific characteristics of your business, the complexity of your organisational structure and your ‘risk culture’.
2. Operational implementation
Introduction

Not all companies place the same importance on risk management. Their choices naturally differ given the heavy investment required to set up an overall risk management process, compliant with the principles and obligations of Solvency II. These choices are difficult to make and objectify, involve top management and must be made in the context of the business’ overall strategy.

Our goal here is not to provide a ‘magic formula’ that solves the challenges you face in implementing your Solvency II projects. Instead, we list the key factors that will determine your choice of structure aligned with the three key dimensions of the compliance programme. They are:

• Calibrating/fine-tuning the overall structure of the risk management process.

• Implementing the risk management process.

• Overseeing the key cross-business projects.
2.1 Defining the risk management system

The integration of a risk management framework into a company that has a long history of processes, expertise, habits, styles and decision-making bodies is a complex task. Given the extent of the changes and the length of time some established practices have been in place, implementing a risk management process requires complete involvement from all players concerned (first and foremost senior management) throughout the process.

If the main ‘new’ concept consists of development or implementation of a risk management function, Solvency II projects now go as far as defining organisational structures for the entire risk management process, encompassing all of the functions, processes and bodies involved in risk management.

Our experience has shown us that to do so, five main questions must be answered:

Figure 6: Risk management process

1 What are the organisational building blocks in the system?
• What organisational building blocks fall within the scope of the risk management function: Risk management? Actuarial function? Compliance? IT system security?

2 What should be the scope of the risk management system?
• What functions have a key role in risk management?
• What are their responsibilities (control, monitoring, reporting, etc.)?

3 How are the different functions coordinated?
• How are prerogatives coordinated between central and local risk functions, particularly at foreign sites?
• What delegation rules should be put in place?

4 How centralised should the risk management system be?
• Exactly how should responsibilities be broken down between the risk management function and business functions in respect of key risks (ALM, investment, technical issues, etc.)?

5 How should the added value of ERM be measured?
• What fundamental indicators govern the risk/return trade-off (ROE, SCR, MCEV, etc.)? What criteria concretely reflect risk appetite?

Source: PwC

The answers to these questions are determined by complex constraints, which may be regulatory (Solvency II), external (ratings, etc.) or internal (goals, organisation, etc.).
2.1.1. The ‘organisational building blocks’ of the system

It is essential to recognise and define the scope of functions involved in risk management. In fact, it is not simply a specialist area; its management involves every level of the company. At each level the system must integrate the different elements: operational risk-taking, coordination of risk-taking and supervision of risk-taking.

The ‘three lines of defence’ model provides a useful framework within which these various functions and elements can work together.

• Front Office business staff have primary responsibility for the risks they take, and risk management practices and processes in place at this level constitute the ‘first line of defence’.

• The ‘second line of defence’ is held by specialised risk management functions. Their role is to design, coordinate and manage a consistent framework for taking risks, but without being directly exposed to business risk. This covers the key functions of risk management as defined by Pillar 2 (risk management, internal control and compliance).

• The regular, independent, risk-based audits performed by the internal audit function provide reasonable assurance as to the pertinence and correct operation of the system. This is the ‘third line of defence’.

Building on this framework, companies generally define the main principles for coordinating the different strata involved in taking risks, as illustrated overleaf. The organisational diagram most often defines responsibilities at each step in the risk management process. These principles then serve as a basis for assigning specific risk management roles and responsibilities in accordance with the risk profile.
Figure 7: Three lines of defence

First line of defence – ‘Operational’ functions: all functions (IT, HR, Finance, Production, etc.)
First line of defence – ‘Specialist’ functions: Actuarial/Technical Dep.; ALM/Investment Dep.; Other (underwriting, etc.)
Second line of defence – ‘Risk’ functions: Risk management; Internal control, compliance, etc.
Third line of defence – ‘Assurance’ function: Internal audit

Principles and standards: Operational – N/A; Specialist – Proposes; Risk – Reviews and approves/proposes
Implementation: Operational – Applies; Specialist – Proposes/applies; Risk – Coordinates/applies
Controls: Operational – Applies/proposes; Specialist – Applies/proposes; Risk – Supervises, consolidates, analyses
(Assurance, for the three rows above: Carries out independent, empirical reviews on the appropriateness of systems and their correct application)
Reporting: Operational – Produces; Specialist – Produces/analyses; Risk – Consolidates, analyses, manages
Action plans: Operational – Applies; Specialist – Proposes/applies; Risk – Approves and manages/applies

Coordinator role/operational role
Source: PwC

Two challenges often arise when implementing these principles:

• The risk management function may have different responsibilities depending on the type of risk. Acting as a coordinator, it may take on direct responsibility in certain areas such as operational risk. These details are outlined in the analysis of the risk function’s position (see below).

• Internal audit has a special role in the system that is often difficult to position. The provisions of the Solvency II Directive place great emphasis on the independent nature of this function. Its resources must be free of any other operational responsibility. According to the Institute of Internal Auditors, the purpose of internal control is to independently provide management with reasonable assurance as to the pertinence, quality and appropriate application of the risk management system. It is easy to understand why this function must be independent in order to establish its own approach (based on its perception of risk) and express opinions free of any outside influence.
2.1.2. Scope of the risk management system

Solvency II places the risk function at the core of the risk management system. Regulations define responsibilities and a scope of minimum risks on which the function is based. If a company uses an internal model, the function is in charge of designing, testing, implementing and monitoring the performance of the model, either in part or in totality. Most companies naturally launch Pillar 2 projects by putting in place or reviewing the positioning of the risk function. It is in charge of overseeing all risk management processes (see above), even if it does not directly carry out the operations, analyses and calculations required in this process.

The reference for defining the risk profile

When a risk function is set up, its first task is to identify the risks to which the company is exposed. Although each company faces its own specific set of risks, defining a risk profile follows a few best practices.

The first involves the scope of risks, which must be identified in the risk profile:

• It must cover at least the basic risk modules used to calculate capital requirements, whether determined based on a standard formula or an internal model, namely underwriting, market, interest rate, operational, etc.

• It is not, however, limited to just these risks, as they are too limited to give a true picture of the actual risk profile. The risk function must identify other risks that are specific to the company, taking account of all its subsidiaries and businesses (not necessarily insurance alone) as well as specific risks related to the company’s structure.

The risk function must also bear in mind that this risk profile is not merely an inventory of all the potential or actual risks:

• Based on its analyses and the points of view covered, it prioritises the risks that must be monitored. Its added value lies in its ability to provide a ‘shortlist’ of risks that justify investing in measurement, monitoring and permanent supervision, based on the company’s business objectives.

• As such, this management tool is developed by combining the ‘risk philosophy/vision’ of operational staff (a bottom-up approach to risk management based on the comprehensive identification of risks) with that of management (a top-down approach whereby investment in risk management is justified and prioritised).
Finally, the risk function ensures that an operational risk management system is in place and that it covers all the risk profile components. Each risk must be assigned to a risk ‘owner’ who is the ‘subject matter specialist’ available in the company: i.e. actuarial department for underwriting, certain counterparty and reinsurance risks, asset management for market and credit risks, and so on. Assigning a risk owner is the first step in implementing an operational risk management system. The components in the risk management process are set out below in section 2.2.

The evolving risk function under Solvency II

Above and beyond the purely technical aspects, companies have enhanced the risk function’s ‘right of inspection’ in operational decisions. This notion fully covers the risk department’s prerogatives in terms of processes, policies and risk-taking for which it is not the leading expert. In reality, the risk function’s involvement is in line with the strategic priority associated with the risk:

• A company may take a conservative approach to risk, its priority being not to compromise the protection offered to policyholders and to ensure performance. In this case, the risk function would take on an advisory role, assisting operational managers in their processes and associated risks. It has little (or no) latitude to block decision-making processes.

• A company may decide to base its value creation on managing the risks it takes and the impact of these risks on its strategic variables: market consistent embedded value (MCEV), market capitalisation, economic capital, etc. In this case, the risk function takes on an essential role in operational decisions. It is a full stakeholder in these processes, is consulted for all important decisions and issues a formal opinion. It may have the power to block decisions (which in turn requires an arbitration process). These companies almost systematically use an internal model that is integrated into their strategic and operational decision-making processes.

Companies gradually advance along the ERM maturity curve between these two ends of the spectrum. As the ERM process develops, the positioning of the risk function evolves:

• The position of the risk function tends to rise within the company’s hierarchy. Nowadays it is increasingly attached to upper management, indicating an understanding by them of the importance of the ERM in insurance companies.

• The role of the CRO is evolving. Often seen initially as a conservative and technical profession, it will gradually develop into that of a business adviser who works with decision makers. With a unique understanding of the risks taken by the company and how they interact, a CRO can offer advice on how to create value.

• The resources required to take on these functions have grown sharply. Risk departments were initially set up to meet successive regulatory requirements (anti-money laundering, anti-fraud and so on) but have since developed into more refined structures, most often broken down by types of risk (operational, technical, economic capital, etc.). These resources are more numerous, more highly qualified and more specialised.
“Implementing Solvency II, and particularly Pillar 2, will require greater coordination between all participants in risk management. The process will draw on existing management rules, which themselves will need to be strengthened. The resulting discipline will create growth opportunities and strengthen relations with customers, while guaranteeing all stakeholders (employees, shareholders, customers, etc.) improved control of risk and its impacts on business structure.”
Ronan DAVIT, Head of Risk, Euler Hermes Group

2.1.3. Coordinating different functions involved in risk management

Once the basic components of the system have been identified and calibrated, the challenge for the risk function is to promote the implementation of an efficient risk system underpinned by clear, shared decision-making processes. To do so, the risk function has two main levers.

The definition of the roles and responsibilities for the principal risks

To do so, the risk function moves on from establishing the risk profile to coordinating the roles and responsibilities for each of the risks included in the profile. The main challenge lies in the diversity and heterogeneous make-up of the risk functions and risk owners. Risk departments must first harmonise the various risk management solutions proposed.

While the three lines of defence model outlined above provides a general framework in this regard, this harmonisation process must be specifically adapted to each risk in the profile. It is therefore necessary to:

• Map the appropriate functions to handle this risk: businesses, support, management or governance, etc.

• Pinpoint the best subject matter expert within the company to manage this risk (generally the risk owner identified in the system implementation phases upstream).

• Clearly define the roles and responsibilities of each player involved in the process. Close attention should be paid to the support functions’ power to block processes (typically the risk function) as opposed to the relevant operational functions. The notion of ‘right of inspection’ for operational decisions should be specifically defined. This right in turn requires the establishment of a clear arbitration process in case of a conflict between the risk department and the business line concerned.
The matrix below is an example of the types of roles and responsibilities involved, offering a simple method for establishing a clear distribution of roles.

Figure 8: Investment management roles and responsibilities matrix

Responsible (ultimate responsibility): Board of Directors (through the risk committee): takes responsibility for global supervision. General Management: approves and monitors investment policy.

Implementer (oversees operational implementation): Investment Department: submits strategic allocation plan for validation, defines tactical allocation specifics, monitors implementation.

Consulted (opinion requested systematically, published and taken into account in the decision): Risk Department: issues an opinion on the Group’s and the entity’s total exposure to market risks and overall solvency level. If it issues an unfavourable opinion, the case is submitted to the executive committee for arbitration.

Informed (regularly informed of new management decisions): Cash Department (Financial Department): informed of all changes in investment policy, receives a copy of all investment flows.

Source: PwC

The implementation of a decision-making architecture

Even the best-designed risk management system will only be efficient and effective if an operational decision-making architecture has been codified. It must ensure first that all useful information is reported to the appropriate committees and other decision makers in a timely manner. Second, it must ensure that these bodies review the issues at hand and make the necessary decisions. The company is then in a position to continuously manage its risk exposure and react promptly to any unexpected deviation in its risk profile.

The structure of the decision-making process is specific to the culture of each company and is in line with its position on the ERM maturity curve. However, the review or implementation of the decision-making architecture follows several key steps:

• Define the key organisational levels in risk decisions, which often correspond to the company’s main decision-making levels (executive committee, key functions in risk-taking, operational staff, etc.). They are defined in line with the roles and responsibilities identified for each type of risk in the risk profile.

• Prioritise the types of risk that require formal supervision on a regular basis. The company must formally define the responsibilities required at each organisational level in line with these priorities (global supervision, definition of practices, monitoring and reporting, etc.).

• Design ad hoc decision-making bodies at each level: type of committee, members, voting rights, assignment of roles, meeting frequency.
As such, the structure of the company’s system of committees can be consistent throughout, as illustrated in the example below:

Figure 9: Committee matrix (rows: Executive, Risk takers, Reporting & mitigation; columns: Market, Credit, Underwriting, Operations; bodies shown include the Risk Committee, Investment Committee, Underwriting Committee, ALM Committee, Internal Control and Reporting). Source: PwC

The close relationship between risk management and risk control

One of the main lessons learnt from the financial crisis (notably the Kerviel case) is that efficient risk management requires coherent and consistent operational coordination between:

• the definition of major risk policies and processes (primarily by the risk department), and

• the appropriate application of these policies and processes by the relevant entities (operational functions, internal control, etc.).

Historically, most insurance companies have developed internal control approaches that are often granular and always complex. These approaches aimed to identify and to manage the risks specific to certain processes or operational areas, namely: reliability of financial reporting processes (SOX projects), security of information systems, anti-fraud or anti-money laundering processes, etc.

This work has led companies to focus specifically on operational risk management. The primary role of internal control (or permanent control) is to ensure the appropriate management of the company’s processes and operations and the reliability of financial and non-financial information produced by the company. At the time of writing, work has begun in this area but has seen little or no application among insurance companies: operational risk is difficult to understand, differs completely for each company and is not specifically defined in Solvency II. Furthermore, SCR calibrations for operational risk produce negligible capital requirements, further inciting companies not to invest in a complex system to manage this risk.
Some market players are currently implementing specific procedures for operational risk analysis and risk-control coordination. The main ones include:

• Gradual merging of risk and control functions under the responsibility of a single function (most commonly the CRO). This ensures greater consistency between initiatives that were sometimes fragmented in the past. The primary focus is often on compliance, raising the question of whether operational risk is best managed by legal professionals (regulatory watch) or internal control (integration of legal provisions into operational processes). The trend clearly seems to be to: (i) appoint a compliance officer to take charge of defining the company’s main compliance issues and coordinate the application of the relevant legal provisions while (ii) maintaining the legal department’s responsibility for legal monitoring, setting up a body that meets regularly between the two departments. Broadly speaking, companies tend to put their risk management function in charge of supervising both the effectiveness of their ERM framework and the appropriate application of its provisions.

• Definition of the operational risk system. First of all, operational risk must be defined. This analysis generally reveals that operational risk covers any factor that could compromise the achievement of the objectives of operational processes (see the list of risks defined by Basel II) or the appropriate application of risk policies as defined by the company. Some companies have taken this a step further: given the sheer volume of operational risks, they have prioritised the critical areas of exposure and focused their efforts to deploy management systems in these areas.

• Modelling of operational risk. Some companies have implemented data collection systems for operational losses. These systems are used to assess the company’s real exposure to operational losses, set up a more coherent management system or even to save on capital requirements. To be effective, however, the system’s parameters must be determined (e.g., by clearly defining an operational loss and the minimum loss amount for data collection) and cover an adequate historical period. Results are deemed significant after three to five years of collection.
2.1.4. The extent of centralisation of the Risk function

Insurance groups are faced with a major operational difficulty: the operational scope of the risk function. How do they integrate such diverse entities and businesses that are not necessarily related to insurance (asset management for complementary pension or social security plans, healthcare and assistance services, strategic investments, and so on) into their analyses and processes?

Although most companies are still trying to establish an efficient way of coordinating the risk system across their different entities, the following best practices have emerged:

• Aligning the risk management process with the organisational and decision-making structure within the group that is already in place. In a highly decentralised group, the different entities or subsidiaries often have a local risk function that reports to their general management but falls under the responsibility of the group’s risk department. In a more centralised group, the group risk department oversees legal entities. It may apply the principle of subsidiarity that determines the entities’ leeway, and in this case a ‘risk representative’ is appointed. In either configuration, the risk function is a network-based structure.

• Groups, when dealing with all of their insurance entities, tend to require consistent reporting principles and structures that are defined and supervised locally. This applies especially to international groups with foreign subsidiaries or entities in countries not subject to Solvency II. Most often they opt for double reporting, with one set of reports prepared based on local prudential standards while another is submitted to the group in ‘Solvency II format’.
There are often overlapping principles on the structure of the risk management process, as illustrated in the diagram below.

Figure 10: PwC Risk function benchmark (left panel: bar chart of the principal responsibilities of the CRO, share of companies on a 0% to 80% axis, covering ERM, ALM, economic capital, capital management, market risk exposure, internal control, accounting, management control and reinsurance; right panel: possible organisation chart of the risk function under the CEO and CRO, with ERM, ALM, permanent control, economic capital, internal capital model, risk management model, corporate actuarial, reinsurance and Solvency 2). Based on the benchmark study conducted with 30 of the most important companies in the insurance industry (insurance companies, mutual insurers and pension funds). Source: PwC

That being said, there is no standard structure that is widely shared, especially with regard to the extension of the risk function to non-insurance subsidiaries.

In some cases, the problem has more to do with difficulty in adhering to the principles of independence in relation to the operational function. Many companies have also tried to ‘force’ their risk function beyond the strict minimum regulatory requirements. In fact, this function is supposed to become more centralised but not all of the issues at stake are necessarily evident in the beginning. Therefore these companies have added the more ‘traditional’ functions to the risk function, giving it more substance and importance.

The solutions seen are most often based on the principle of subsidiarity: the subsidiary has considerable autonomy in managing its risks, and the group only covers the few types of maximum losses that can be generated by the subsidiary (notion of ‘subsidiary risk’).