John Webb addresses what he believes are the primary areas of
Solvency II that those in internal audit should be concentrating on. In particular
he encourages you to look beyond the calculation kernel and reminds you that it is
the proportionate rogues that need to be reported.
The Solvency II directive aims
to reduce the likelihood of corporate failure, significant customer loss and disruption of the insurance market. In answer to
the question ‘what are the main things to get right in complying with this vast
body of regulation and guidance?’ my opinion is that we should remember the ‘proportionate
rogues’ and the need to report on them properly.
Why is this? Because, in my view, proportionality is promised by
regulators and the main rogues to which this applies are:
O: own risk and solvency assessment
U: use test
I would like to take these one at a time and in a proper order, so as to
give us a clear direction when wading through the detail of the various CEIOPS
Level 2 and 3 consultation and FSA papers. The guidance therein is still
emerging and will change more or less continuously ahead of implementation two
years away and inevitably, afterwards too.
First, let us refresh our memories. Pillar 1
sets out the quantitative requirements for determining capital adequacy and covers the role of the internal model, with its
calculation kernel and risk management elements. Pillar 2 is the qualitative approach: corporate
governance, enterprise risk management, internal control,
supervisory review and capital add-on implications all play a part. Pillar 3 covers the reporting requirements, public
disclosure and market discipline.
The clear and logical
allocation of responsibilities, provision for effective challenge and
monitoring at all levels, as well as sign-off at key stages are vital.
Documentation to prove this has been complied with will be an absolute
necessity; it is also important to document what has not been done and why. I
will look again at adequacy of documentation under risk management, later.
is not negotiable, nor will internal audit be in the future. Article 47 of the
Level 1 framework text requires that ‘insurance and reinsurance undertakings
shall provide for an effective internal audit function’. Its remit is to cover:
- the internal control system
- other elements of the system of governance
- data auditing, which should not be
performed by the actuarial function.
Internal audit is required, at least
annually, to produce a written report on its findings. In the FSA’s three lines of defence model,
whereby risk management is in the second line, internal audit is the third line,
as an independent check and assurer.
The good news, for UK insurers used to the present regime, came from FSA’s
Discussion Paper 08/4 which stated that ‘the use of an economic/realistic
balance sheet and internally-modelled individual capital assessments based on a
defined level of confidence, share some similarities with the Solvency II
framework….but “firms should note that while the essential concepts and
objectives driving the Individual Capital Adequacy Standards (ICAS) regime are
similar to those underlying Solvency II, many detailed requirements will differ
from those with which they are familiar”’.
FSA has thus suggested that, to aid their transition from the ICAS regime,
firms should be undertaking gap analyses to identify any shortfalls in expected
compliance with the emerging Solvency II requirements.
Under Pillar 1, Solvency II capital is called ‘own funds’. The critical Solvency
Capital Requirement (SCR) can be calculated by the standard SCR formula or,
with regulatory approval, by an internal model (to achieve a 1/200 VAR level
over one year). Of course, as the consultation papers explain, to calculate their Solvency Capital Requirement firms can use a
partial internal model rather than a full internal model. Neither is a standalone
process; the internal modelling activity needs to be integrated into the firm’s
risk management activities. I will return to this under the own risk and
solvency assessment section.
The Minimum Capital Requirement (MCR) is calculated in accordance with a standard formula,
then adjusted, if necessary, to fall within a range of 25-45% of the SCR (to
achieve a 1/10 VAR level over one year). The FSA
talks about a ladder of intervention, so if an insurer's
available resources fall below the SCR, supervisors are required to take action
with the aim of restoring the insurer’s finances back to the level of the SCR
as soon as possible.
If, despite supervisory intervention, the available resources fall below the MCR, ultimate
supervisory action will be triggered, e.g. the licence will be withdrawn and
the insurer's liabilities will be transferred to another insurer and/or the
insurer will be closed to new business and its in-force business will be
liquidated. Of course, it is the job of risk managers
to ensure remedial action by management has been taken well before
this point and before the higher Solvency Capital Requirement is in danger of being breached.
Insurers must hold Tier 1 and 2 basic own funds to support their Minimum Capital Requirement,
and Tier 1 must be at least 80% of the MCR; equity capital is the most desirable
and the most able to absorb sustained losses.
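As an added illustration (not from the article), the MCR corridor, the SCR/MCR ladder of intervention and the Tier 1 floor described above can be written as a single capital-position check; the figures and the Tier 3 bucket are my own constructed assumptions, and the directive's separate absolute floor for the MCR is not modelled.

```python
# Added example, not the article's own material. Applies the rules stated in
# the text: MCR clamped to 25-45% of SCR, Tier 1 >= 80% of MCR, and the ladder
# of intervention (below SCR -> supervisory action, below MCR -> ultimate action).
from dataclasses import dataclass


@dataclass(frozen=True)
class OwnFunds:
    tier1: float        # highest-quality basic own funds (e.g. equity)
    tier2: float        # lower-quality basic own funds
    tier3: float = 0.0  # assumption: counts toward SCR cover only, not MCR


def corridor_mcr(linear_mcr: float, scr: float) -> float:
    """Adjust the standard-formula (linear) MCR into the 25-45% of SCR range."""
    floor, cap = 0.25 * scr, 0.45 * scr
    return min(max(linear_mcr, floor), cap)


def assess(scr: float, linear_mcr: float, funds: OwnFunds) -> dict:
    """Classify an insurer's position on the ladder of intervention.

    Returns the corridor-adjusted MCR, a status string and a list of findings
    a risk manager or internal auditor would want raised well before a breach.
    """
    mcr = corridor_mcr(linear_mcr, scr)
    mcr_cover = funds.tier1 + funds.tier2          # Tier 1 and 2 support the MCR
    scr_cover = mcr_cover + funds.tier3            # all available resources vs SCR
    findings = []
    if funds.tier1 < 0.8 * mcr:
        findings.append("Tier 1 below 80% of MCR")
    if mcr_cover < mcr:
        status = "MCR breach: ultimate supervisory action"
    elif scr_cover < scr:
        status = "SCR breach: supervisory action to restore SCR cover"
    else:
        status = "compliant"
    return {"mcr": mcr, "scr_cover": scr_cover, "status": status, "findings": findings}


if __name__ == "__main__":
    # Constructed sample figures (arbitrary units), not real insurer data.
    print(assess(scr=1000.0, linear_mcr=200.0, funds=OwnFunds(800.0, 300.0)))
    print(assess(scr=1000.0, linear_mcr=300.0, funds=OwnFunds(200.0, 150.0)))
```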
One of the lessons from Basel II was that ‘initially,
some banks may have believed that their systems and processes were already
ready to cope with Basel II. It was only when the full demands of the project
began to emerge during 2004 that they realised how much they had to do. In
particular, many underestimated the difficulties of sourcing the huge amount of
data needed from within the company, along with the scale of the information,
validation and documentation demanded by supervisors as ‘proof’ of compliance’.*
The specific experience
of banks, as far as capital modelling was concerned, was that they needed to carry out several dry
runs followed by extensive re-calibration of their models before going live.
These problems should be anticipated by the insurance sector and addressed by
project teams in plenty of time. Loss data, in particular, needs to be
consistently collected over a long period.
It is important to remember that insurance is different from banking;
insurers tend to hold far more long-duration risk than banks through life and
pensions policies and long-tail non-life business. Also, the differences
between Basel II and Solvency II and the distinctive nature of insurance
business mean that the challenges faced by insurers may actually be more demanding.
The integrity of the internal model is paramount and again it must be seen to
be so. Draft CEIOPS Level 3 guidance suggests evidencing that the model
documentation is clear on:
- senior management
understanding of the internal model
- how the internal
model is used in decision-making processes
- techniques used in
the calculation of parameters and model distributions and how risks are aggregated
- how profit and loss
attribution is a tool for validating the internal model, managing the
business and improving the internal model
- validation policy
- use of any external
model and data.
Senior management understanding of the internal model is likely to require their
ability to explain such things as the structure of the model and its fit with
their business model and risk-management framework, the methodology and the
dynamics of the model. Also, they must be able to explain its scope and purpose
and the risks covered or not covered, together with any limitations of the
model, diversification effects and dependencies. An onerous responsibility, I
believe, and one driven by the use test and risk management.
The expected impact of Solvency II on insurers, in a nutshell, is that the business losers
will be those with embedded guarantees, volatility and complex investments,
whereas the winners will have agility, diversification and, crucially, strong risk
management. Solvency II reporting will allow
investors to differentiate between those insurers that have volatile businesses
and those that generate high-quality, sustainable profits.**
Enterprise-wide risk management is not a
new concept. The embedding of risk assessments, linked to board-approved risk
appetite, the linking of specific internal controls to each of the risk objectives,
and the tracking of operational and business losses incurred or near misses are
all commonplace and there is much already written on this subject. What is
important for those awaiting Internal Model Approval Process feedback, or with
IMAP intentions, is to demonstrate sound model governance, data management and documentation of
all that is important to the internal model (including data).
Such documentation is a necessity; it must:
- Be thorough, sufficiently detailed
and sufficiently complete to satisfy the criteria that an independent
knowledgeable third party could form a sound judgment on the reliability of the
internal model and on the wider risk model /ORSA process
- Describe the technology and software
tools and how data flows through the internal model
- Be reviewed annually, at least.
Data is used in the valuation of technical provisions and in the broader
capital requirements. It is expected that its architecture and policies are to
be reviewed and approved at least annually. As data management is so important,
it may help for me to point out, albeit in bullet point form, some of the key
generic elements of a Data Quality Policy, which are as follows:
- data quality assessments
- data quality controls
- data quality management
- data quality monitoring
- data quality auditing
- data flow diagrams
- data directories and inventories
- data ownership within the undertaking and within 3rd parties
- data transmission policy
- spreadsheet guidance, inventory, control and data
- inventory of user developed applications.
This topic needs an
article or a book in its own right, but I will pick out data flow diagrams and end user computing (EUC) concerns as,
in my experience, they need highlighting.
Insurers going along the
internal model route do so in different ways. Some initially restrict the
internal model to the calculation kernel and actuarial processes for
underwriting liabilities, whereas others are broader, covering the policyholder
databases, assets and business operations. Proportionality suggests there is no
right answer, though there are some wrong ones.
Traditionally the main
data requirements underpinned the technical provisions, supported by a data
directory and a log of data defects. We now expect to see detailed end-to-end
data flows documented. These need quality control points to be shown at various
stages and explained in the data dictionary; this dictionary, being an all-embracing
directory, should contain the characteristics, usage and relationships between
the data. Risk management and internal audit should concentrate on the flow of
data from source system to the point of valuation/aggregation and reporting,
regardless of the model scope, albeit that any scope limitations may themselves
be a matter of concern.
Most insurers will have
developed end user computing guidelines for spreadsheets and databases; however,
not all of this guidance was prepared with Solvency II in mind and therefore
may not be fit for purpose. There has always been a risk that errors, circular
logic, corruption of macros and formulae (whether by accident or design) or
data feed problems will occur. Much of the research points to an unacceptably
high level of such errors in practice, and so this is inevitably an area for
management attention and strong quality assurance practice.
The use of spreadsheets
in preparing ICAS and IFRS reports should be considered very carefully as there
is a significant risk that the organisation has not eradicated all the
aforementioned deficiencies or does not have a full set of documentation, detailed
data flow diagrams or strong validation of the integrity of such applications.
Sometimes observed is a
very heavy actuarial emphasis on liability data, because accountants are
expected to provide data on assets. Because of outsourcing, asset data flows inwards
from external parties whereas the liability modelling is carried out in-house.***
Own risk and solvency assessment (ORSA)
CEIOPS define the own risk and solvency assessment as:
The entirety of the processes and
procedures employed to identify, assess, monitor, manage and report the short
and long term risks a (re)insurance undertaking faces or may face and to determine
the own funds necessary to ensure that the undertaking’s overall solvency needs
are met at all times.
It is very much a forward-looking process and
document. Pillar 2 is at the heart of Solvency II and ensures the
internal model is fed by the material facets of all relevant risks and their
potential impacts; whatever is not mandated or included by the strict capital requirements (SCR / MCR) but is relevant to the (re)insurer has to
be picked up here. The
Association of British Insurers gives a good example: volatility in equities is
not an element of the standard formula. If, however, it is important to your
company, cover it here in the ORSA.
It is important to realise that the Pillar 1 model feeds the ORSA, not the
other way round. The resulting enterprise-wide risk management benefits can be reaped as long as we:
- identify and manage all key emerging risks and opportunities
- synchronise corporate strategy with defined risk appetite
- correctly target the allocation of capital
- involve the principal employees and other players, right across the organisation.
Remember that Article 37 provides for a capital
add-on in situations where the system of governance within a firm does not meet
the standards required.
ORSA is pivotal to management demonstrating its control
over the risk management process. Underpinning the internal model and ORSA is a
clear and pressing need for strong documentation, audit trails and
comprehensive evidence. As internal auditors are trained to ask, virtually from
day one, ‘don’t tell me, show me’.
I would also stress the importance of profit and
loss attribution and back testing to ensuring the integrity of the output. If
everything else has been done well and is clear, it should be possible to
efficiently describe changes in patterns of profitability by reference to the
detailed calculations; variances between plans and assumptions made and the
actual model and accounting outcomes can be explained.
Article 120, governing the use test, requires that:
- the internal model plays an important
role in the system of governance, risk management and the economic and
solvency capital assessment and allocation processes
- the administrative, management or
supervisory body (BoD) shall be responsible for the design and operations of
the internal model and that it reflects the risk profile of the (re)insurance undertaking.
Each member of senior management needs an overall understanding of the internal
model as well as a detailed understanding in the areas where they use the internal
model. It is a strict requirement to show that the model and its output are
extensively used in making decisions (including strategic decisions) and for running
the business. That this is so is necessary but not sufficient; it is important
to document it and be able to evidence it thoroughly.
It is evident that the insurance industry understands the
importance of the use test; anecdotally, any firm treating the internal
model activity as pure actuarial is going to struggle. It used to be normal for
firms to have their actuary lead a conversation on internal models. The world
has moved on and the vast majority of firms now show the involvement of:
- business leads
- the CRO
- internal audit.
The Solvency and Financial Condition Report disclosure policy
should have ‘appropriate governance
procedures and practices in place so that the information publicly disclosed is
complete, consistent and accurate’. The Solvency
and Financial Condition Report has to be consistent with the Report to
Supervisors sent to the Financial Services Authority.
The Report to Supervisors is a
stand-alone document, which provides a description of the risk exposure,
concentration, mitigation and sensitivity for:
- underwriting risk
- market risk
- credit risk
- liquidity risk
- operational risk
- other risks
- any other disclosures.
It should also include any material future
anticipated risks. Also important will be financial instruments, derivatives
and off balance sheet transactions or similar arrangements; all the more so
given their risks and use prior to the financial crisis that started in 2007.
Within the list above, I would emphasise
operational risk as being the one least likely to be tracked and have its
events data thoroughly logged and analysed. If you want a handle on whether
operational risk is properly managed I suggest asking questions about fraud
risk, which I see as being the acid test for operational risk.
If your company gets operational risk management
wrong you can probably correct things quickly by reacting very fast to adverse
events – but if your company gets fraud risk management wrong it may not
survive long enough to recover! Either
one large, carefully planned hit can render a company insolvent or a carefully
concealed ‘death by a thousand cuts’ type pattern of theft can have the same
effect, once it accumulates to a level that can no longer be hidden.
The more useful and well analysed the information
reported, the easier it will be for the Financial Services Authority and other
regulators to supervise insurers efficiently. If we get this wrong there may be
a heavy price to pay, and the same goes for the pressure building up from
analysts and investors, all of which gets reflected in the share price and cost
There is a lot to do and the way forward is not yet clear. Just to cheer
everybody up, I sought out the published views of others about what is to be
done. I found that the Society of Lloyd's said ‘Solvency II is often thought of as best left to the experts. And
there's no doubt that if you delve too deeply Solvency II can be mindboggling’.****
I have frequently posed the question at seminars and presentations, ‘is this all
something to take an interest in but with the luxury of over two years’ quiet
contemplation ahead of implementation in November 2012
/Q1 2013?’ I have yet to get the answer ‘yes’. Look at those ROGUES to see that they
are handled proportionately and properly reported!
If your actuaries and quants have done a thorough job with Pillar 1 quantitative
requirements and your group has sound enterprise wide risk management
involvement at Pillar 2, please consider whether your greatest project risk is
quality of data and completeness of documentation. In my opinion, data risk is,
in practice, the greatest threat to successful implementation and Solvency II
compliance thereafter, because if data is missing or significantly deficient,
all other forms of control including model integrity will be ineffective.
John Webb – independent consultant
* Charles Ilako, Julia Schüller and Richard Quinn, “The scale of the
task: Learning the lessons from Basel II”.
** Oliver Wyman and Morgan Stanley, report of 23rd September 2010,
“Insurance: Solvency II, Quantitative & Strategic Impact: The Tide is Going
*** Financial Services Authority, EU Solvency II - IMAP Project Analyst.
**** Society of Lloyd's, “Solvency II explained”, 7th August 2009.