Solvency II – what to focus on

John Webb addresses what he believes are the primary areas of Solvency II that those in internal audit should be concentrating on. In particular, he encourages you to look beyond the calculation kernel and reminds you of the proportionate ‘rogues’ that need to be reported.

The Solvency II directive aims to reduce the likelihood of corporate failure, significant customer loss and disruption of the insurance market. In answer to the question ‘what are the main things to get right in complying with this vast body of regulation and guidance?’ my opinion is that we should remember the ‘proportionate rogues’ and the need to report on them properly. 

Why is this? Because, in my view, proportionality is promised by regulators and the main rogues to which this applies are:

R: risk management
O: own risk and solvency assessment
G: governance
U: use test
E: economic capital
S: supervisory review.

I would like to take these one at a time and in a proper order, so as to give us a clear direction when wading through the detail of the various CEIOPS Level 2 and 3 consultation and FSA papers. The guidance therein is still emerging and will change more or less continuously ahead of implementation two years away and, inevitably, afterwards too.

First, let us refresh our memories. Pillar 1 sets out the quantitative requirements for determining capital adequacy and covers the role of the internal model, with its calculation kernel and risk management elements. Pillar 2 is the qualitative approach: corporate governance, enterprise risk management, internal control, supervisory review and capital add-on implications all play a part. Pillar 3 covers the reporting requirements, public disclosure and market discipline.

Governance
The clear and logical allocation of responsibilities, provision for effective challenge and monitoring at all levels, as well as sign-off at key stages, are vital. Documentation to prove this has been complied with will be an absolute necessity; it is also important to document what has not been done and why. I will look again at adequacy of documentation under risk management, later.

Risk management is not negotiable, nor will internal audit be in the future. Article 47 of the Level 1 framework text requires that ‘insurance and reinsurance undertakings shall provide for an effective internal audit function’. Its remit is to cover, inter alia:

  • the internal control system
  • other elements of the system of governance
  • data auditing, which should not be performed by the actuarial function.

Internal audit is required, at least annually, to produce a written report on its findings. In the FSA’s three lines of defense model, whereby risk management is in the second line, internal audit is the third line as an independent check and assurer.

Economic capital
The good news, for UK insurers used to the present regime, came from FSA’s Discussion Paper 08/4 which stated that ‘the use of an economic/realistic balance sheet and internally-modelled individual capital assessments based on a defined level of confidence, share some similarities with the Solvency II framework….but “firms should note that while the essential concepts and objectives driving the Individual Capital Adequacy Standards (ICAS) regime are similar to those underlying Solvency II, many detailed requirements will differ from those with which they are familiar”’.

The FSA has thus suggested that, to aid their transition from the ICAS regime, firms should be undertaking gap analyses to identify any shortfalls in expected compliance with the emerging Solvency II requirements.

Under Pillar 1, Solvency II capital is called ‘own funds’. The critical Solvency Capital Requirement (SCR) can be calculated by the standard SCR formula or, with regulatory approval, by an internal model (to achieve a 1/200 VAR level over one year). Of course, as the consultation papers explain, firms can use a partial internal model rather than a full internal model to calculate their Solvency Capital Requirement. Neither is a standalone process; the internal modelling activity needs to be integrated into the firm’s risk management activities. I will return to this under the own risk and solvency assessment section.

The Minimum Capital Requirement (MCR) is calculated in accordance with a standard formula, then adjusted, if necessary, to fall within a range of 25-45% of the SCR (to achieve a 1/10 VAR level over one year). The FSA talks about a ladder of intervention, so if an insurer's available resources fall below the SCR, supervisors are required to take action with the aim of restoring the insurer’s finances to the level of the SCR as soon as possible.

If, despite supervisory intervention, the available resources fall below the MCR, ultimate supervisory action will be triggered, e.g. the license will be withdrawn and the insurer's liabilities will be transferred to another insurer and/or the insurer will be closed to new business and its in-force business will be liquidated. Of course, it is the job of risk managers to ensure remedial action by management has been taken well before this point and before the higher Solvency Capital Requirement is in danger of being breached.

Insurers must hold Tier 1 and 2 basic own funds to support their Minimum Capital Requirement, and Tier 1 must be at least 80% of the MCR, equity capital being the most desired and the most able to absorb sustained losses.

One of the lessons from Basel II was that ‘initially, some banks may have believed that their systems and processes were already ready to cope with Basel II. It was only when the full demands of the project began to emerge during 2004 that they realised how much they had to do. In particular, many underestimated the difficulties of sourcing the huge amount of data needed from within the company, along with the scale of the information, validation and documentation demanded by supervisors as ‘proof’ of compliance’.*

The specific experience of banks, as far as capital modelling was concerned, was that they needed to carry out several dry runs followed by extensive re-calibration of their models before go live. These problems should be anticipated by the insurance sector and addressed by project teams in plenty of time. Loss data, in particular, needs to be consistently collected over a long period.

It is important to remember that insurance is different to banking; insurers tend to hold far more long-duration risk than banks through life and pensions policies and long tail non-life business. Also, the differences between Basel II and Solvency II and the distinctive nature of insurance business mean that the challenges faced by insurers may actually be more complex.

Obviously the integrity of the internal model is paramount and again it must be seen to be so. Draft CEIOPS Level 3 guidance suggests evidencing that the model documentation is clear on:

  • senior management understanding of the internal model
  • how the internal model is used in decision-making processes
  • techniques used in the calculation of parameters and model distributions and how risks are aggregated
  • how profit and loss attribution is a tool for validating the internal model, managing the business and improving the internal model
  • validation policy
  • documentation
  • use of any external model and data.

Senior management understanding of the internal model is likely to require their ability to explain such things as the structure of the model and its fit with their business model and risk-management framework, methodology and the dynamics of the model. Also, they must be able to explain its scope and purpose and the risks covered or not covered, together with any limitations of the model, diversification effects and dependencies. An onerous responsibility, I believe, and one driven by the use test and risk management accountabilities.

The expected impact of Solvency II on insurers, in a nutshell, is that business losers will be those with embedded guarantees, volatility and complex investments, whereas winners will have agility, diversification and, crucially, strong risk management. Solvency II reporting will allow investors to differentiate between those insurers that have volatile businesses and those that generate high-quality, sustainable profits.**

Risk management
Enterprise-wide risk management is not a new concept. The embedding of risk assessments, linked to board-approved risk appetite and linking specific internal controls to each of the risk objectives, as well as tracking operational and business losses incurred or near misses, is all commonplace and there is much already written on this subject. What is important for those awaiting Internal Model Approval Process feedback, or with IMAP intentions, is to demonstrate sound model governance, data management and documentation of all that is important to the internal model (including data).

Sound documentation is a necessity; it must:

  • Be thorough, sufficiently detailed and sufficiently complete to satisfy the criteria that an independent knowledgeable third party could form a sound judgment on the reliability of the internal model and on the wider risk model/ORSA process
  • Describe the technology and software tools and how data flows through the internal model
  • Be reviewed annually, at least.

Data is used in the valuation of technical provisions and in the broader capital requirements. It is expected that its architecture and policies are to be reviewed and approved at least annually. As data management is so important, it may help for me to point out, albeit in bullet point form, some of the key generic elements of a Data Quality Policy, which are as follows:

  • data quality assessments and needs
  • data quality controls
  • data quality management
  • data quality monitoring
  • data quality auditing
  • data flow diagrams
  • data directories and inventories
  • data ownership within the undertaking and within 3rd party entities
  • data transmission policy
  • spreadsheet guidance, inventory, control and data quality
  • inventory of user developed applications.

This topic needs an article or a book in its own right, but I will pick out data flow diagrams and end user computing (EUC) concerns as, in my experience, they need highlighting.

Insurers going along the internal model route do so in different ways. Some initially restrict the internal model to the calculation kernel and actuarial processes for underwriting liabilities, whereas others are broader, covering the policyholder databases, assets and business operations. Proportionality suggests there is no right answer, though there are some wrong ones.

Traditionally the main data requirements underpinned the technical provisions, supported by a data directory and log of data defects. We now expect to see detailed end-to-end data flows documented. These need quality control points to be shown at various stages and explained in the data dictionary; this dictionary, being an all-embracing directory, should contain the characteristics, usage and relationships between the data. Risk management and internal audit should concentrate on the flow of data from source system to the point of valuation/aggregation and reporting, regardless of the model scope, albeit that any scope limitations may themselves be a matter of concern.

Most insurers will have developed end user computing guidelines for spreadsheets and databases; however, not all of this guidance was prepared with Solvency II in mind and it therefore may not be fit for purpose. There has always been a risk that errors, circular logic, corruption of macros and formulae (whether by accident or design) or data feed problems will occur. Much of the research points to an unacceptably high level of such errors in practice, and so this is inevitably an area for management attention and strong quality assurance practice.

The use of spreadsheets in preparing ICAS and IFRS reports should be considered very carefully as there is a significant risk that the organisation has not eradicated all the aforementioned deficiencies or does not have a full set of documentation, detailed data flow diagrams or strong validation of the integrity of such applications.

Sometimes observed is a very heavy actuarial emphasis on liability data, because accountants are expected to provide data on assets. Because of outsourcing, asset data flows inwards from external parties whereas the liability modelling is carried out in-house.***

Own risk and solvency assessment (ORSA)
CEIOPS define the own risk and solvency assessment as:

The entirety of the processes and procedures employed to identify, assess, monitor, manage and report the short and long term risks a (re)insurance undertaking faces or may face and to determine the own funds necessary to ensure that the undertaking’s overall solvency needs are met at all times.

It is very much a forward-looking process and document. Pillar 2 is at the heart of Solvency II, and ensures the internal model is fed by the material facets of all relevant risks and their potential impacts. What is not mandated or included by the strict capital requirements (SCR/MCR) but is relevant to the (re)insurer has to be picked up here. The Association of British Insurers gives a good example: volatility in equities is not an element of the standard formula. If, however, it is important to your company, cover it here in the ORSA.

It is important to realise that the Pillar 1 model feeds the ORSA, not the other way round. The resulting enterprise-wide risk management benefits can be reaped, as long as we:

  • identify and manage all key emerging risks and opportunities
  • synchronise corporate strategy with defined risk appetite
  • correctly target the allocation of capital
  • involve the principal employees and other players, right across the group.

Remember that Article 37 provides for a capital add-on in situations where the system of governance within a firm does not meet the standards required.

ORSA is pivotal to management demonstrating its control over the risk management process. Underpinning the internal model and ORSA is a clear and pressing need for strong documentation, audit trails and comprehensive evidence. As internal auditors are trained to ask, virtually from day one: ‘don’t tell me, show me’.

I would also stress the importance of profit and loss attribution and back testing in ensuring the integrity of the output. If everything else has been done well and is clear, it should be possible to efficiently describe changes in patterns of profitability by reference to the detailed calculations; variances between plans and assumptions made and the actual model and accounting outcomes can be explained.

Use test
Article 120, governing the use test, requires that:

  • the internal model plays an important role in their system of governance, risk-management and the economic and solvency capital assessment and allocation processes
  • the administrative, management or supervisory body (BoD) shall be responsible for the design and operations of the internal model and that it reflects the risk profile of the (re)insurance undertakings.

Furthermore, each member of senior management needs an overall understanding of the internal model as well as a detailed understanding in the areas where they use the internal model. It is a strict requirement to show that the model and its output are extensively used in making decisions (including strategic decisions) and for running the business. That this is so is necessary but not sufficient; it is important to document it and be able to evidence it thoroughly.

It is evident that the insurance industry understands the importance of the use test; anecdotally, any firm treating the internal model activity as pure actuarial is going to struggle. It used to be normal for firms to have their actuary lead a conversation on internal models. The world has moved on and the vast majority of firms now show the involvement of:

  • business leads
  • the CRO
  • finance
  • internal audit.

Supervisory review
The Solvency and Financial Condition Report disclosure policy should have ‘appropriate governance procedures and practices in place so that the information publicly disclosed is complete, consistent and accurate’. The Solvency and Financial Condition Report has to be consistent with the Report to Supervisors sent to the Financial Services Authority.

The Report to Supervisors is a stand-alone document, which provides a description of the risk exposure, concentration, mitigation and sensitivity for:

  • underwriting risk
  • market risk
  • credit risk
  • liquidity risk
  • operational risk
  • other risks
  • any other disclosures.

It should also include any material future anticipated risks. Also important will be financial instruments, derivatives and off balance sheet transactions or similar arrangements; all the more so given their risks and use prior to the financial crisis that started in 2007.

Within the list above, I would emphasise operational risk as being the one least likely to be tracked and have its events data thoroughly logged and analysed. If you want a handle on whether operational risk is properly managed I suggest asking questions about fraud risk, which I see as being the acid test for operational risk.

If your company gets operational risk management wrong you can probably correct things quickly by reacting very fast to adverse events – but if your company gets fraud risk management wrong it may not survive long enough to recover! Either one large, carefully planned hit can render a company insolvent or a carefully concealed ‘death by a thousand cuts’ type pattern of theft can have the same effect, once it accumulates to a level that can no longer be hidden.

The more useful and well analysed the information reported, the easier it will be for the Financial Services Authority and other regulators to supervise insurers efficiently. If we get this wrong there may be a heavy price to pay and the same goes in the form of pressure building up from analysts and investors, all of which gets reflected in the share price and cost of capital.

In conclusion
There is a lot to do and the way forward is not yet clear. Just to cheer everybody up I sought out the published views of others about what is to be done. I found that the Society of Lloyd's said ‘Solvency II is often thought of as best left to the experts. And there's no doubt that if you delve too deeply Solvency II can be mindboggling’.****

I have frequently posed the question at seminars and presentations, ‘is this all something to take an interest in but with the luxury of over two years quiet contemplation ahead of implementation in November 2012/Q1 2013?’ I have yet to get the answer ‘yes’. Look at those ROGUES to see they are handled proportionately and properly reported!

If the actuaries and quants have done a thorough job with Pillar 1 quantitative requirements and your group has sound enterprise wide risk management involvement at Pillar 2, please consider whether your greatest project risk is quality of data and completeness of documentation. In my opinion, data risk is, in practice, the greatest threat to successful implementation and Solvency II compliance thereafter, because if data is missing or significantly deficient, all other forms of control including model integrity will be ineffective.

John Webb – independent consultant

* Charles Ilako, Julia Schüller and Richard Quinn: “The scale of the task: Learning the lessons from Basel II”

** Oliver Wyman and Morgan Stanley, 23rd September 2010 report, Insurance: Solvency II, Quantitative & Strategic Impact: The Tide is Going Out

*** Financial Services Authority – EU Solvency II – IMAP Project Analyst

**** Society of Lloyd's, “Solvency II explained”, 7th Aug 2009.
